Release Notes - Juniper Networks


JUNOS® 9.5 Software Release Notes

Release 9.5R4

19 February 2010

Part Number: 530-029328-01

Revision R4

These release notes accompany Release 9.5R4 of the JUNOS software. They describe device documentation and known problems with the software. JUNOS software runs on all Juniper Networks M-series, MX-series, and T-series routing platforms, SRX-series Services Gateways, J-series Services Routers, and EX-series switches.

You can also find these release notes on the Juniper Networks JUNOS Software Documentation Web page, which is located at http://www.juniper.net/techpubs/software/junos/.

Contents

JUNOS Software Release Notes for M-series, MX-series, and T-series Routing Platforms .... 6
  New Features in JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms .... 6
    Class of Service .... 6
    Hardware .... 8
    High Availability .... 8
    Interfaces and Chassis .... 9
    Layer 2 Ethernet Services .... 14
    MPLS Applications .... 15
    Multicast .... 16
    Platform and Infrastructure .... 17
    Routing Policy and Firewall Filters .... 17
    Routing Protocols .... 20
    Services Applications .... 22
    Software Installation and Upgrade .... 27
    Subscriber Access Management .... 27
    System Logging .... 31
    User Interface and Configuration .... 31
    VPNs .... 33
    JUNOS XML API and Scripting .... 37
  Changes in Default Behavior and Syntax in JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms .... 41
    Class of Service .... 41
    Layer 2 Ethernet Services .... 41
    High Availability .... 41
    Multicast .... 41
    MPLS Applications .... 41
    Routing Protocols .... 42
    Routing Policy and Firewall Filters .... 43
    Platform and Infrastructure .... 44
    Services .... 44
    Subscriber Access .... 44
    User Interface and Configuration .... 44
  Issues in JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms .... 45
    Current Software Release .... 45
    Previous Releases .... 60
  Errata and Changes in Documentation for JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms .... 75
    Changes to the JUNOS Documentation Set .... 75
    Errata .... 76
  Upgrade and Downgrade Instructions for JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms .... 80
    Basic Procedure for Upgrading to Release 9.5 .... 81
    Upgrading a Router with Redundant Routing Engines .... 83
    Upgrading to Release 9.5 in a Routing Matrix .... 83
    Upgrading Using ISSU .... 84
    Upgrading from JUNOS Release 9.2 or Earlier on a Router Enabled for Both PIM and NSR .... 85
    Downgrade from Release 9.5 .... 86

JUNOS Software Release Notes for SRX-series Services Gateways .... 87
  JUNOS for SRX-Series Services Gateways Product Overview .... 87
    Application Layer Gateways (ALGs) .... 87
    Chassis Clustering .... 87
    Flow and Processing .... 88
    Interfaces and Routing .... 89
    Security .... 91
    Intrusion Detection and Prevention (IDP) .... 93
    J-Web .... 95
    Management and Administration .... 95
  New Features in JUNOS Software Release 9.5 for SRX-series Services Gateways .... 98
    Software Features .... 98
    Hardware Features—SRX 210 Services Gateways .... 109
    Hardware Features—SRX 240 Services Gateways .... 114
    Hardware Features—SRX650 Services Gateways .... 117
    Hardware Features—SRX 5600 and SRX 5800 Services Gateways .... 121
  Changes In Default Behavior and Syntax .... 122
    CLI .... 122
    Flow and Processing .... 122
    Interfaces and Routing .... 123
    Intrusion Detection and Prevention (IDP) .... 123
    J-Web .... 123
  Known Limitations in JUNOS Software Release 9.5 for SRX-series Services Gateways .... 124
    Accounting-Options Hierarchy .... 124
    Chassis Cluster .... 124
    CLI .... 125
    Flow and Processing .... 125
    Hardware .... 126
    Interfaces and Routing .... 127
    Intrusion Detection and Prevention (IDP) .... 127
    NetScreen-Remote .... 128
    System .... 128
  Unsupported CLI Statements and Commands in JUNOS Software Release 9.5 for SRX-series Services Gateways .... 128
  Issues in JUNOS Software Release 9.5 for SRX-series Services Gateways .... 129
    Outstanding Issues in JUNOS Software Release 9.5 for SRX-series Services Gateways .... 129
    Resolved Issues in JUNOS Software Release 9.5 for SRX-series Services Gateways .... 139
  Errata in Documentation for JUNOS Software Release 9.5 for SRX-series Services Gateways .... 140
    Attack Detection and Prevention .... 140
    Chassis Clustering .... 141
    CLI .... 141
    CompactFlash Card Support .... 142
    Device Support .... 142
    DLSw .... 142
    Flow .... 142
    Installing Software Packages .... 143
    Intrusion Detection and Prevention (IDP) .... 143
    J-Web .... 143
    Screens .... 143

JUNOS Software Release Notes for J-series Services Routers .... 145
  New Features in JUNOS Software Release 9.5 for J-series Services Routers .... 145
    JUNOS Software .... 145
  Known Limitations in JUNOS Software Release 9.5 for J-series Services Routers .... 150
    Chassis Cluster .... 150
    Intrusion Detection and Prevention (IDP) .... 151
    J-Web .... 151
    Simple Network Management Protocol (SNMP) .... 151
    Unified Threat Management (UTM) .... 151
  Changes in Default Behavior and Syntax .... 151
    CLI .... 152
    Configuration .... 152
    Network Address Translation (NAT) .... 152
    Security .... 152
  Issues in JUNOS Software Release 9.5 for J-series Services Routers .... 152
    Outstanding Issues in JUNOS Software Release 9.5 for J-series Services Routers .... 153
    Resolved Issues in JUNOS Software Release 9.5 for J-series Services Routers .... 157
  Errata in Documentation for JUNOS Software Release 9.5 for J-series Services Routers .... 158
    Chassis Clustering .... 158
    CLI .... 158
    DLSw .... 159
    Intrusion Detection and Prevention (IDP) .... 159
    J-Web .... 159
    PIM .... 159
    Screens .... 159
  Hardware Requirements for JUNOS Software Release 9.5 for J-series Services Routers .... 160
    Power and Heat Dissipation Requirements for J Series PIMs .... 160
    Supported Third-Party Hardware for J Series Services Routers .... 160
    J Series CompactFlash and Memory Requirements .... 161
  Upgrade and Downgrade Instructions for JUNOS Software Release 9.5 for J-series Services Routers .... 162

JUNOS Software Release Notes for EX-series Switches .... 162
  New Features in JUNOS Software for EX-series Switches, Release 9.5 .... 162
    Hardware .... 163
    Access Control and Port Security .... 164
    Bridging, VLANs, and Spanning Trees .... 164
    Class of Service (CoS) .... 164
    Layer 3 Protocols .... 164
    Management and RMON .... 165
    MPLS .... 166
    Virtual Chassis .... 166
  Changes in Default Behavior and Syntax .... 166
    Class of Service .... 167
    Interfaces .... 167
    Virtual Chassis .... 167
  Outstanding and Resolved Issues and Upgrade/Downgrade Issues in JUNOS Release 9.5 for EX-series Switches .... 167
    Outstanding Issues .... 167
    Resolved Issues .... 170
    Upgrading or Downgrading from JUNOS Release 9.4R1 for EX-series Switches .... 176
    Upgrading from JUNOS Release 9.3R1 to Release 9.5 for EX-series Switches .... 176
    Upgrading from JUNOS Release 9.2 to Release 9.5 for EX-series Switches .... 176
    Downgrading from JUNOS Release 9.5 to Release 9.2 for EX 4200 Switches .... 178
  Errata in Documentation for JUNOS Software Release 9.5 for EX-series Switches .... 178
    Hardware .... 178
    Infrastructure .... 178
    Virtual Chassis .... 179

JUNOS Documentation and Release Notes .... 180
Documentation Feedback .... 180
Requesting Technical Support .... 180
Revision History .... 182

JUNOS Software Release Notes for M-series, MX-series, and T-series Routing Platforms

New Features in JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms on page 6
Changes in Default Behavior and Syntax in JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms on page 41
Issues in JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms on page 45
Errata and Changes in Documentation for JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms on page 75
Upgrade and Downgrade Instructions for JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms on page 80

New Features in JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms

The following features have been added to JUNOS Release 9.5. Following the description is the title of the manual or manuals to consult for further information.

Class of Service

Enhanced IQ PIC for the M320, M120, T-series, and M40e—Allows the user to apply a hierarchical policer for the premium and aggregate (premium plus normal) traffic levels to an interface. To configure the hierarchical policer, apply the policing-priority statement to the proper forwarding class and configure a hierarchical policer for the aggregate and premium level. [Class of Service]

Allocating extra CIR bandwidth equally amongst all PVCs—By default, all logical (lsq-) interfaces on a MultiServices (MS) PIC share bandwidth equally in the excess region (that is, the bandwidth available once these interfaces have exhausted their committed information rate (CIR)). However, you can configure the excess-rate statement to control an independent set of parameters for bandwidth sharing in the excess region of a Frame Relay data-link connection identifier (DLCI) on an MS PIC. You configure the excess-rate statement at the [edit class-of-service traffic-control-profile] hierarchy level. [Network Interfaces, Class of Service]

Customizing type-of-service bits—By default, all logical (lsq-) interfaces on a MultiServices (MS) PIC preserve the type-of-service (ToS) bits in an incoming packet header. However, you can configure the translation-tables statement to replace the arriving ToS bit pattern with a user-defined value. You configure the translation-tables statement at the [edit class-of-service] hierarchy level. This feature follows exactly the same configuration rules as the Enhanced IQ PIC. [Class of Service]

Rate-limit and excess rate/excess priority option—You can configure bandwidth sharing rate limits, excess rate, and excess priority at the queue level on the following routers:

M120 (rate limit and excess priority only; excess rate is handled by the hardware)
MX-series (rate limit, excess rate, and excess priority)
T-series (rate limit, excess rate, and excess priority)

Some Packet Forwarding Engine chipsets support rate limits by enabling rate control and keeping the queue length small. The Enhanced Type II FPCs support configuration of excess priority but do not support configuration of excess rate. The Enhanced Type III FPCs support configuration of excess rate and excess priority.

You configure rate limits when you are concerned that low-latency packets (such as high or strict-high priority packets for voice) might starve low-priority and medium-priority packets. In the JUNOS software, the low-latency queue is implemented by rate-limiting packets to the transmit bandwidth. The rate limiting is performed immediately before the packet is queued for transmission. All packets that exceed the rate limit are dropped, not queued.

By default, if the excess priority is not configured for a queue, the excess priority is the same as the normal queue priority. If none of the queues has an excess rate configured, the excess rate is the same as the transmit rate percentage. If at least one of the queues has an excess rate configured, the excess rate for the queues that do not have an excess rate configured is set to zero.

When the physical interface is on queuing hardware such as the IQ, IQ2, or IQE PICs, or MX-series DPCs, these features are not supported.

You cannot configure both rate limits and buffer sizes on these Packet Forwarding Engines.

Four levels of excess priority are supported: low, medium-low, medium-high, and high.

All queues can be rate limited, whether eight or four queues are configured. The queue is shaped by limiting the queue to the transmit rate and reducing the queue buffer size to 1 millisecond. For example, a rate-limited queue (scheduler) with a configured transmit rate of 100 Mbps has a delay buffer of 1 millisecond of 100 megabytes, and the queue is shaped (rate controlled) to 100 Mbps. The queue output is exactly 100 Mbps, and the 1-millisecond buffer is available to absorb transmission bursts. Any traffic above this limit is tail-dropped and is counted in statistics as rate-limited drops.

To configure rate limits for non-queuing Packet Forwarding Engines, include the shaping-rate statement at the [edit class-of-service schedulers scheduler-name] hierarchy level.

To configure the excess rate for non-queuing Packet Forwarding Engines, include the excess-rate statement at the [edit class-of-service schedulers scheduler-name] hierarchy level.

To configure the excess priority for non-queuing Packet Forwarding Engines, include the excess-priority statement at the [edit class-of-service schedulers scheduler-name] hierarchy level.

The relationship among the configured guaranteed rate, excess rate, guaranteed priority, excess priority, and offered load is not always obvious. [Class of Service]
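As an added example (not from the release notes), the following scheduler configuration applies the shaping-rate, excess-rate, and excess-priority statements described above to four queues on a non-queuing Packet Forwarding Engine; the scheduler, scheduler-map, and interface names are assumed, and the forwarding classes are the JUNOS defaults.

```junos
class-of-service {
    schedulers {
        /* Voice: strict-high priority, rate limited to its transmit rate so it
           cannot starve the lower-priority queues. Traffic above 20 percent of
           the interface rate is tail-dropped (never queued) and shows up in
           statistics as rate-limited drops. No buffer-size statement is set,
           because rate limits and buffer sizes cannot be combined on these
           Packet Forwarding Engines. */
        voice-sched {
            transmit-rate percent 20;
            shaping-rate percent 20;
            priority strict-high;
            excess-rate percent 0;
            excess-priority low;
        }
        /* Business data: takes the largest share of the excess region and is
           served first there (excess-priority high). */
        business-sched {
            transmit-rate percent 40;
            priority medium-low;
            excess-rate percent 60;
            excess-priority high;
        }
        /* Best effort: smaller share of the excess region, served after
           business traffic when there is unused bandwidth. */
        best-effort-sched {
            transmit-rate percent 30;
            priority low;
            excess-rate percent 40;
            excess-priority low;
        }
        /* Network control: no excess-rate statement. Because at least one
           other queue configures excess-rate, this queue's excess rate
           defaults to zero, not to its transmit rate, so it gets nothing
           beyond its 10 percent guarantee. Its excess priority defaults to
           its normal priority (high). */
        nc-sched {
            transmit-rate percent 10;
            priority high;
        }
    }
    scheduler-maps {
        /* Assumed map name; binds default forwarding classes to the schedulers. */
        core-uplink-map {
            forwarding-class expedited-forwarding scheduler voice-sched;
            forwarding-class assured-forwarding scheduler business-sched;
            forwarding-class best-effort scheduler best-effort-sched;
            forwarding-class network-control scheduler nc-sched;
        }
    }
    interfaces {
        /* Assumed interface; must sit on a non-queuing Packet Forwarding Engine. */
        ge-0/0/0 {
            scheduler-map core-uplink-map;
        }
    }
}
```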

Hardware

New 10-port Channelized E1/T1 Enhanced IQ (IQE) PIC with RJ-48 connector (M40e, M120, M320, and T series)—The IQE PICs support the same features as existing IQ PICs. In addition, they support enhanced CoS and diagnostic features. The valid configuration statements are also the same; for some options, limits and ranges of values are different to support augmented capabilities. Model number PB-10CHE1-T1-IQE-RJ48. [PIC Guides, Class of Service, Network Interfaces]

New Flexible PIC Concentrators (FPCs) (T640 and T1600)—The T640 and T1600 core routers support a new Type 2 FPC (T640-FPC2-ES) and a new Type 4 FPC (T640-FPC4-1P-ES).

NOTE: Before you install the T640-FPC2-ES or the T640-FPC4-1P-ES in a T640 routing node, all SIBs must be SIB version B, or T640-SIBs for T640 nodes connected to a TX Matrix. [PIC Guides]

New Flexible PIC Concentrators (FPCs) MX-FPC2 (MX-series)—JUNOS Release 9.5 supports the MX-FPC2 on MX-series platforms. The MX-FPC2 supports up to two PICs per FPC. For a list of supported PICs, see the MX-series PIC Guide. [MX-series PIC Guide, MX240 Hardware Guide, MX480 Hardware Guide, MX960 Hardware Guide]

High Availability

Nonstop active routing support for RSVP-TE LSPs—Starting with Release 9.5, the JUNOS software extends nonstop active routing support to transit label-switching routers (LSRs) that are part of an RSVP-TE LSP. Nonstop active routing support on transit LSRs ensures that the master-to-backup Routing Engine switchover on an LSR remains transparent to the network neighbors and that the path and LSP information remains unaltered during and after the switchover.

You can use the show rsvp version command to find out the nonstop active routing mode and state on a label-switching router.

However, the JUNOS software does not support the following features for nonstop active routing on RSVP-TE LSRs:

Point-to-multipoint (P2MP) LSPs
Generalized Multiprotocol Label Switching (GMPLS) and LSP hierarchy
Inter-domain or loose hop expansion LSPs

[High Availability]


Unified ISSU support on additional hardware—Extends the unified ISSU support to the following routing platforms and PICs:

M10i routing platforms with Enhanced Compact Forwarding Engine Board (CFEB-E)
Enhanced IQ2 PICs (IQ2-E):
  PC-8GE-TYPE3-SFP-IQ2E
  PB-8GE-TYPE2-SFP-IQ2E
  PB-4GE-TYPE1-SFP-IQ2E
  PC-1XGE-TYPE3-XFP-IQ2E

[High Availability]

Interfaces and Chassis

New 10-port Channelized E1/T1 IQE PIC (M320, M120, T-series platforms)—Provides 10 E1/T1 ports with increased channelization and enhanced CoS features. To configure, use the same interface configuration syntax as for the existing Channelized E1 IQ PIC and Channelized T1 IQ PIC. The configuration limits have changed to match its augmented capabilities. [Network Interfaces, Class of Service]

Ethernet Local Management Interface (E-LMI) (MX-series)—Enables you to configure an MX-series router with ge, xe, or ae interfaces, operating on the provider edge (PE), to send connectivity status and configuration parameters of Ethernet services available on the customer edge (CE) port. The E-LMI procedures and protocols are used for enabling autoconfiguration of the CE to support Metro Ethernet services.

E-LMI interoperates with an Operations, Administration, and Management (OAM) protocol, such as Connectivity Fault Management (CFM), that runs within the provider network to collect OAM status. CFM runs at the provider maintenance level (User Network Interface [UNI] UNI-N to UNI-N with up Management End Points [MEPs] at the UNI). E-LMI relies on CFM for the end-to-end status of Ethernet virtual connections (EVCs) across CFM domains (SVLAN domain or VPLS).

To configure E-LMI, include the connectivity-fault-management, evcs, and lmi statements at the [edit protocols oam ethernet] hierarchy level. [Network Interfaces]

Ethernet Delay Measurement (ETH-DM) (MX-series)—Enables you to configure on-demand Operations, Administration, and Maintenance (OAM) for measurement of frame delay and frame delay variation (jitter) in either one-way or two-way mode, gathering frame delay statistics, with simultaneous statistics collection from multiple sessions. ETH-DM gives operators fine control for triggering delay measurement on a given service and can be used to monitor SLAs. ETH-DM also collects other useful information, such as worst-case and best-case delays, average delay, and average delay variation. ETH-DM supports hardware-based timestamping in the receive direction for delay measurements, and provides a run-time display of delay statistics when two-way delay measurement is triggered. ETH-DM records the last 100 samples collected per session. You can retrieve the history at any time. JUNOS software maintains various counters for ETH-DM PDUs, which can be retrieved at any time. You can clear all the ETH-DM statistics and PDU counters. ETH-DM is fully compliant with ITU-T Y.1731.

To trigger ETH-DM, use the monitor ethernet delay-measurement (one-way | two-way) (remote-mac-address | mep identifier) maintenance-domain name maintenance-association ma-id [count count] [wait time] operational command.

To enable hardware-assisted timestamping in the receive path, use the performance-monitoring hardware-assisted-timestamping statement at the [edit protocols oam ethernet connectivity-fault-management] hierarchy level.

To retrieve the last 100 ETH-DM statistics per session, two show commands are provided: one for all statistics (all OAM frame counters and ETH-DM) and one for ETH-DM statistics only.

To retrieve all statistics for a given session, use the show oam ethernet connectivity-fault-management mep-statistics maintenance-domain name maintenance-association name [local-mep identifier] [remote-mep identifier] [count count] command.

To retrieve only ETH-DM statistics for a given session, use the show oam ethernet connectivity-fault-management delay-statistics maintenance-domain name maintenance-association name [local-mep identifier] [remote-mep identifier] [count count] command.

[Network Interfaces]

Unidirectional link support on 10-Gigabit Ethernet IQ2 PIC interfaces (T-series routing platforms)—Enables 10-Gigabit Ethernet IQ2 PIC interfaces on T-series routing platforms to operate in unidirectional mode. Unidirectional links reduce the number of ports required for broadcast video traffic applications, where most of the traffic flow is in only one direction. [Multiplay Solutions, Network Interfaces]

Support for new Flexible PIC Concentrator with enhanced scalability (T640, T1600)—Supports four Type 2 PICs per FPC2. For PIC compatibility, see the T640 Routing Node PIC Guide and T1600 Routing Node PIC Guide. [Network Interfaces, PIC Guide]

Support for new Flexible PIC Concentrator FPC4-1 with enhanced scalability (T640, T1600)—Supports one Type 4 PIC per FPC4-1. For PIC compatibility, see the T640 Routing Node PIC Guide and T1600 Routing Node PIC Guide. [Network Interfaces, PIC Guide]

New auto-negotiation of speed and disable Auto MDI/MDIX features (MX-series)—Support for auto-negotiation of speed on MX-series platforms with 10/100/1000-capable DPCs and Tri-Rate Copper SFPs. The auto-negotiated interface speed is propagated to CoS, routing protocols, and other system components. Half-duplex mode is not supported.

To specify the auto-negotiation speed, use the speed <(auto | 1 Gbps | 100 Mbps | 10 Mbps)> statement at the [edit interfaces ge-fpc/pic/port] hierarchy level.

To set port speed negotiation to a specific rate, set the port speed to either 1 Gbps, 100 Mbps, or 10 Mbps. If the negotiated speed and the interface speed do not match, the link is not brought up.

If you set the auto-negotiation speed auto option, the port speed is negotiated.

You can disable Auto MDI/MDIX using the no-auto-mdix statement at the [edit interfaces ge-fpc/pic/port gigether-options] hierarchy level.

Use the show interfaces ge-fpc/pic/port brief command to display the auto-negotiation of speed and Auto MDI/MDIX states.

[Network Interfaces]

Extended period for T1 and E1 bit error rate test (BERT) (M-series, T-series)—Supports running BERT for a period of up to 24 hours (previous 4-minute maximum) on the following T1 and E1 interfaces, and includes channelized PICs which can be channelized down to T1 or E1 interfaces:

IQ PICs:

■ 10-port CT1 IQ PIC
■ 10-port CE1 IQ PIC
■ 1-port OC3 Channelized down to T1/DS0 IQ PIC
■ 1-port Channelized STM1 IQ PIC
■ 2-port Channelized STM1 IQ PIC
■ 1-port Channelized OC12 IQ PIC

IQE PICs:

■ 4-port DS3/E3 Channelized IQE PIC (Type 1)
■ 10-port CHT1/E1 Channelized IQE PIC (Type 1)
■ 2-port COC3/STM1 Channelized IQE PIC (Type 1)
■ 1-port COC12/STM4 Channelized IQE PIC (Type 1)
■ 4-port CHOC12/STM4 Channelized IQE PIC (Type 2)
■ 1-port CHOC48/STM16 Channelized IQE PIC (Type 2)

Standard PICs:

■ 2-port T1 PIC
■ 4-port T1 PIC
■ 2-port E1 PIC
■ 4-port E1 PIC
■ 10-port CE1 704 PIC
■ 1-port OC3 Channelized down to T1 PIC


JUNOS 9.5 Software Release Notes

■ 1-port STM1 Channelized down to E1 PIC
■ 1-port OC12 Channelized PIC

To configure the BERT period on T1 interfaces, use the bert-period seconds statement at the [edit interfaces t1-fpc/pic/port t1-options] hierarchy level. The range is from 1 through 86,400 seconds. The default value is 240 seconds.

To configure the BERT period on E1 interfaces, use the bert-period seconds statement at the [edit interfaces e1-fpc/pic/port e1-options] hierarchy level. The range is from 1 through 86,400 seconds. The default period is 10 seconds.

You can use the show interfaces t1-fpc/pic/port extensive | find BERT command to display T1 PIC BERT results.

You can use the show interfaces e1-fpc/pic/port extensive | find BERT command to display E1 PIC BERT results.

[Network Interfaces]

New Flexible PIC Concentrator (FPC) MX-FPC2 (MX-series)—Supports non-Ethernet PICs on MX-series platforms. For a list of supported PICs, see the MX-series PIC Guide. [Network Interfaces, PIC Guide]

JUNOS software Layer 3 datapath support for Type 2 FPC (MX-series)—Supports two PICs per FPC. For PIC compatibility, see the MX-series PIC Guide. [Network Interfaces]

VPLS support on new Flexible PIC Concentrator MX-FPC2 (MX-series)—Supports non-Ethernet PICs on MX-series platforms. For a complete list of supported PICs, see the MX-series Hardware Guide. [Network Interfaces, MX-series Hardware Guide]

Support for inter-PSD forwarding (JCS 1200)—Enables communication between PSDs without requiring dedicated physical links. Instead, PSD communication is achieved by using internal tunnel PICs that reside on the PSD. The PSDs communicate over logical interfaces (ifls) configured on the tunnel PICs. Multiple logical interfaces can be configured on the tunnel PIC, allowing the PSD to communicate with multiple PSDs over the same tunnel PIC.

For inter-PSD forwarding, each PSD that needs to communicate with another PSD must have a Tunnel PIC attached. To configure inter-PSD forwarding on a PSD, include the following statements at the [edit interfaces] hierarchy level of the associated PSDs:

    xt-fpc/pic/port {
        unit unit-number {
            peer-psd psdn;
            peer-interface logical-interface-name;
            encapsulation frame-relay;
            point-to-point;
            dlci dlci-value;
        }
    }

Currently, only Frame Relay encapsulation is supported for inter-PSD forwarding. [JUNOS PSD Configuration Guide]


VLAN rewrite operations on incoming and outgoing frames (M320, M120, and MX platforms)—Supports adding a new VLAN tag in front of the existing one, removing a VLAN tag, or replacing the existing tag with a new user-configured tag, on tagged frames only, on a per logical interface basis in both the ingress and egress directions. Encapsulation on the logical interface must be vlan-ccc, vlan-vpls, extended-vlan-ccc, or extended-vlan-vpls. This enhancement also supports rewrite operations on untagged frames under ethernet-ccc and ethernet-vpls encapsulations.

The JUNOS software supports the following rewrite operations under ethernet-ccc and ethernet-vpls encapsulations:

■ push—A VLAN tag is added to the incoming untagged frame.
■ pop—The VLAN tag is removed from the outgoing frame.
■ push-push—An outer and an inner VLAN tag are added to the incoming untagged frame.
■ pop-pop—Both the outer and inner VLAN tags of the outgoing frame are removed.

The push-push and pop-pop operations are not supported on Ethernet IQ PICs. Ethernet IQ2 PICs support all the rewrite operations listed above.

M320 and M120 platforms with the following PICs support this feature:

Ethernet IQ PICs:

■ Gigabit Ethernet IQ, 1-port SFP
■ Gigabit Ethernet IQ, 2-port SFP

Ethernet IQ2 PICs:

■ 1-Gigabit Ethernet IQ2, 4-port SFP oversubscription
■ 1-Gigabit Ethernet IQ2, 8-port SFP oversubscription
■ 1-Gigabit Ethernet IQ2, 8-port SFP line rate
■ 10-Gigabit Ethernet IQ2, 1-port XFP line rate

Enhanced Ethernet IQ2E PICs:

■ 1-Gigabit Ethernet IQ2E, 4-port
■ 1-Gigabit Ethernet IQ2E, 8-port
■ 10-Gigabit Ethernet IQ2E, 1-port

MX platforms with the following DPCs support this feature:

■ Gigabit Ethernet R, 40-port SFP
■ Gigabit Ethernet R EQ, 40-port SFP


■ 10-Gigabit Ethernet R, 1-port XFP
■ 10-Gigabit Ethernet R EQ, 1-port XFP

In the input-vlan-map, only the push and push-push operations are permitted. Similarly, only the pop and pop-pop operations are permitted in the output-vlan-map. For push and push-push operations, the tag parameters must be explicitly specified. All other rules for configuring input-vlan-map and output-vlan-map remain unchanged.

To configure an input VLAN map, use the input-vlan-map statement and options at the [edit interfaces interface-name fpc/pic/port unit number] hierarchy level.

To configure an output VLAN map, use the output-vlan-map statement and options at the [edit interfaces interface-name fpc/pic/port unit number] hierarchy level.

NOTE: Unit encapsulation must be set to ethernet-ccc or ethernet-vpls; otherwise, input VLAN map and output VLAN map settings are not valid.

You can use the show interface interface-name dpc/pic/port command to display the Index, SNMP ifIndex, flags, In(push), Out(pop), and Encapsulation parameters.

[Network Interfaces]
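As an added illustration of the push/pop rules above (example code written for these notes, not Juniper software), the following Python models the four rewrite operations on constructed Ethernet frames with ethernet-ccc/ethernet-vpls semantics: only push and push-push are accepted in the input map, only pop and pop-pop in the output map, push operations require explicitly specified tags, and a push-push on ingress followed by a pop-pop on egress restores the original untagged frame. Using TPID 0x8100 for both tags and ignoring the PCP/DEI bits are simplifying assumptions of the model.

```python
import struct

TPID = 0x8100  # IEEE 802.1Q tag protocol identifier; used for outer and inner tags here (assumption)
# Operations each map direction accepts, as the release note states.
INPUT_VLAN_MAP_OPS = frozenset({"push", "push-push"})
OUTPUT_VLAN_MAP_OPS = frozenset({"pop", "pop-pop"})


def parse_frame(frame):
    """Split an Ethernet frame into (dst, src, vlan_ids, ethertype, payload); outermost tag first."""
    dst, src = frame[:6], frame[6:12]
    off, vlan_ids = 12, []
    while struct.unpack("!H", frame[off:off + 2])[0] == TPID:
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        vlan_ids.append(tci & 0xFFF)  # PCP/DEI bits are ignored in this model
        off += 4
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    return dst, src, vlan_ids, ethertype, frame[off + 2:]


def build_frame(dst, src, vlan_ids, ethertype, payload):
    """Assemble a frame carrying zero or more 802.1Q tags (outermost first)."""
    tags = b"".join(struct.pack("!HH", TPID, vid & 0xFFF) for vid in vlan_ids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def vlan_rewrite(frame, vlan_map, operation, vlan_id=None, inner_vlan_id=None):
    """Apply one rewrite operation with ethernet-ccc/ethernet-vpls semantics.

    vlan_map is "input-vlan-map" (ingress, push operations only) or
    "output-vlan-map" (egress, pop operations only).
    """
    allowed = {"input-vlan-map": INPUT_VLAN_MAP_OPS,
               "output-vlan-map": OUTPUT_VLAN_MAP_OPS}[vlan_map]
    if operation not in allowed:
        raise ValueError(f"{operation} is not permitted in {vlan_map}")
    dst, src, vlan_ids, ethertype, payload = parse_frame(frame)
    if operation in ("push", "push-push"):
        if vlan_ids:
            raise ValueError("push operations apply to untagged frames under ethernet-ccc/ethernet-vpls")
        if vlan_id is None or (operation == "push-push" and inner_vlan_id is None):
            raise ValueError("tag parameters must be explicitly specified for push operations")
        vlan_ids = [vlan_id] if operation == "push" else [vlan_id, inner_vlan_id]
    else:
        needed = 1 if operation == "pop" else 2
        if len(vlan_ids) < needed:
            raise ValueError(f"{operation} needs {needed} tag(s), frame carries {len(vlan_ids)}")
        vlan_ids = vlan_ids[needed:]
    return build_frame(dst, src, vlan_ids, ethertype, payload)


def vlan_ids_of(frame):
    """VLAN IDs present on a frame, outermost first."""
    return parse_frame(frame)[2]


# Constructed sample: an untagged IPv4 frame between two made-up MAC addresses.
UNTAGGED_FRAME = build_frame(bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"),
                             [], 0x0800, b"constructed payload")

if __name__ == "__main__":
    tagged = vlan_rewrite(UNTAGGED_FRAME, "input-vlan-map", "push-push", vlan_id=200, inner_vlan_id=100)
    print("after push-push:", vlan_ids_of(tagged))
    print("after pop-pop restores original:",
          vlan_rewrite(tagged, "output-vlan-map", "pop-pop") == UNTAGGED_FRAME)
```

The model deliberately rejects a pop in the input map and a push in the output map, which mirrors the rule stated above that a misdirected operation is simply not permitted rather than silently ignored.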

1-port 10-Gigabit XENPAK PIC as a shared interface PIC (JCS 1200)—Support for the 1-port 10-Gigabit XENPAK PIC (PC-1XGE-XENPAK) as a shared interface PIC on the JCS 1200 platform. This shared interface supports VLAN tag IP routing (Ethernet or ENET2) encapsulation. [JUNOS PSD Configuration Guide]

TX-series supports unnumbered Ethernet interfaces (TX-series)—Removes the TX-series restriction on configuring unnumbered Ethernet interfaces. [Network Interfaces]

Layer 2 Ethernet Services

Next-hop groups (MX-series)—You can configure next-hop groups for the MX-series routers using either IP addresses or Layer 2 addresses for the next hops. Use the group-type [inet | layer-2] statement at [edit forwarding-options next-hop-group group-name] to establish the next-hop groups. You can also reference more than one port-mirroring instance in a filter on MX-series routers. Use the port-mirror-instance instance-name statement at the [edit firewall family family-name filter filter-name term term-name] hierarchy level to refer to one of several port-mirroring instances. [Layer 2 Configuration Guide, Policy Framework]

DHCP support for integrated routing and bridging (MX-series routers)—DHCP is now supported in integrated routing and bridging (IRB) configurations. When you configure IRB in a network that is using DHCP, the DHCP information (for example, authentication, address assignment, and so on) is propagated in the associated bridge domain. This enables the DHCP server to configure client IP addresses residing within the bridge domain. This feature currently works only for static configurations. The show dhcp server binding detail command has been enhanced to show both the Layer 2 interface and the IRB interface when applicable. [Subscriber Access]


MPLS Applications

Hash key load balancing support for Layer 3 and Layer 4 fields—By default, the hash key mechanism that load-balances frames across LAG interfaces is based on Layer 2 fields (such as the frame source and destination address) and the input logical interface (unit). No Layer 3 or Layer 4 fields are examined as part of the default hash process, so the default is not optimized for Layer 2 switching of traffic in which the frame source and destination MAC addresses are always the same: one link is overutilized and the other links are underutilized.

You can configure the load-balancing hash key for Layer 2 traffic to use fields in the Layer 3 and Layer 4 headers inside the frame payload for load-balancing purposes using the payload statement. You can configure the statement to look at layer-3 (and source-address-only or destination-address-only packet header fields) or layer-4 fields. You configure this statement at the [edit forwarding-options hash-key family multiservice] hierarchy level. [Layer 2 Configuration Guide, Policy, Network Interfaces]
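To show why the default Layer 2 hash pins router-to-router traffic onto one member link and how the payload options spread it, here is an added Python model written for these notes (not Juniper's hashing code; CRC32 stands in for the forwarding hardware's hash, and the flows, MAC addresses and 4-link bundle are constructed):

```python
import random
import zlib

LAG_LINKS = 4  # constructed: a four-member aggregated Ethernet bundle


def hash_fields(flow, payload=None):
    """Fields fed to the load-balancing hash.

    payload=None reproduces the default (Layer 2 addresses plus input unit);
    the other values mirror the payload statement options: "layer-3",
    "layer-3 source-address-only", "layer-3 destination-address-only", "layer-4".
    """
    if payload is None:
        return [flow["src_mac"], flow["dst_mac"], flow["ifl"].to_bytes(4, "big")]
    fields = []
    if payload != "layer-3 destination-address-only":
        fields.append(flow["src_ip"])
    if payload != "layer-3 source-address-only":
        fields.append(flow["dst_ip"])
    fields.append(bytes([flow["proto"]]))
    if payload == "layer-4":
        fields += [flow["sport"].to_bytes(2, "big"), flow["dport"].to_bytes(2, "big")]
    return fields


def select_link(flow, payload=None, n_links=LAG_LINKS):
    """Pick the member link: CRC32 over the selected fields, modulo the bundle size (assumption)."""
    return zlib.crc32(b"".join(hash_fields(flow, payload))) % n_links


def link_distribution(flows, payload=None, n_links=LAG_LINKS):
    """How many of the given flows land on each member link."""
    counts = [0] * n_links
    for flow in flows:
        counts[select_link(flow, payload, n_links)] += 1
    return counts


def constructed_flows(n=200, seed=7):
    """Constructed traffic: every frame travels between the same two router MACs on one unit,
    but carries a different IP/TCP flow, the case the release note describes."""
    rng = random.Random(seed)
    flows = []
    for _ in range(n):
        flows.append({
            "src_mac": bytes.fromhex("001122aabb01"),
            "dst_mac": bytes.fromhex("001122aabb02"),
            "ifl": 0,
            "src_ip": bytes(rng.randrange(256) for _ in range(4)),
            "dst_ip": bytes(rng.randrange(256) for _ in range(4)),
            "proto": 6,
            "sport": rng.randrange(1024, 65536),
            "dport": rng.choice([80, 443, 22]),
        })
    return flows


if __name__ == "__main__":
    flows = constructed_flows()
    for mode in (None, "layer-3", "layer-3 source-address-only", "layer-4"):
        print(f"{str(mode):36s} -> per-link flow counts {link_distribution(flows, mode)}")
```

With the default fields every flow hashes identically, so one link carries all 200 flows; with layer-3 or layer-4 fields the same flows spread across the bundle.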

GRES for MPLS ingress and egress P2MP LSPs—Graceful Routing Engine switchover (GRES) and graceful restart are now supported for point-to-multipoint (P2MP) LSPs at ingress and egress routers. The P2MP LSPs must be configured using static routes or CCC. GRES and graceful restart are not supported on P2MP LSPs configured for VPLS or next-generation multicast VPNs (MVPNs). GRES and graceful restart allow the traffic to be forwarded at the Packet Forwarding Engine (PFE) based on the old state while the control plane recovers using the standard graceful restart procedures. This functionality is enabled automatically whenever you enable GRES and graceful restart on the router. [MPLS Applications]

Statistics for P2MP LSPs—A number of commands have been enhanced to allow you to display statistics related to point-to-multipoint (P2MP) LSPs. The revised commands are:

■ show mpls lsp statistics p2mp
■ show mpls lsp statistics p2mp ingress
■ show mpls lsp statistics p2mp transit
■ monitor label-switched-path sub-LSP-name

You can now display information on P2MP LSPs by issuing these commands on either the ingress router of the P2MP LSP or from any of the routers along any of the sub-LSP paths. [Routing Protocols Reference]

Automatic policers for P2MP LSPs—You can now configure automatic policers for point-to-multipoint (P2MP) LSPs. P2MP LSPs allow you to establish LSPs with a single origin and multiple destinations. Automatic policers allow you to automatically limit the amount of traffic sent over the P2MP LSP, providing a strict service guarantee for network traffic. You configure automatic policers on the trunk routing node for the P2MP LSP using the auto-policing statement configured at the [edit protocols mpls] hierarchy level. [MPLS Configuration Guide]


Multicast

Hierarchical bandwidth adjustment and reverse OIF mapping—Enables you to disable hierarchical bandwidth adjustment for all subscriber interfaces that are reverse OIF mapped from a specified multicast interface. Reverse OIF mapping is used to determine the subscriber VLAN interface and the multicast traffic bandwidth on the interface.

To disable hierarchical bandwidth adjustment for all subscribers on a multicast interface, include the no-qos-adjust statement at the [edit routing-options multicast interface [interface-names] reverse-oif-mapping] hierarchy level.

To display the multicast bandwidth consumed on the subscriber interfaces, issue the show multicast interfaces command. [Multicast, Subscriber Access]

Turn off spanning-tree interface state (MX-series)—By default, the IGMP snooping process on an MX-series router is aware of topology changes made by any of the spanning-tree protocols (STPs).

The default behavior for the IGMP snooping process on an MX-series router can be changed to ignore the spanning-tree topology change messages. To ignore the spanning-tree topology change messages, include the ignore-stp-topology-change statement at the [edit routing-instances routing-instance-name bridge-domains bridge-domain-name multicast-snooping-options] hierarchy level. [Multicast, MX-series Layer 2 Configuration Guide]

Full support for IGMPv3 snooping on Layer 2 interfaces (MX-series)—The JUNOS software provides full support for IGMPv3 snooping on Layer 2 interfaces for VPLS instances and IRB bridging. Only Include mode and the Internet Standard Multicast (ISM) version of Exclude mode are supported for this release. This support gives the hosts the flexibility to choose the source from which they want to receive the traffic. No additional configuration is required. [Multicast, Routing Protocols and Policies Command Reference]

Dynamic reuse of data multicast distribution tree group addresses —A limited number of multicast group addresses are available for use in data multicast distribution tree (MDT) tunnels. By default when the available multicast group addresses are all used, no new data MDTs can be created.

You can enable dynamic reuse of data MDT group addresses. Dynamic reuse of data MDT group addresses allows multiple multicast streams to share a single MDT and multicast provider group address. For example, three streams can use the same provider group address and MDT tunnel. When the feature is enabled, new streams are assigned to a particular MDT in a round-robin fashion. Note that if the provider tunnel is being used by multiple customer streams, it might result in egress routers receiving customer traffic that is not requested by the attached customer sites. This is similar to what happens if multiple customer streams are sent on the default MDT tunnel.

To enable dynamic reuse of data MDT group addresses, include the data-mdt-reuse statement. The data-mdt-reuse statement can be configured at the [edit logical-systems logical-system-name routing-instances routing-instance-name protocols pim mdt] and [edit routing-instances routing-instance-name protocols pim mdt] hierarchy levels. [Multicast, Routing Protocols and Policies Command Reference]


Platform and Infrastructure

Enhancements to Juniper Networks enterprise-specific MPLS MIB—The following objects of the enterprise-specific MPLS MIB (jnx-mpls.mib) have been modified to support and store information about manual bypass tunnels through the entire life cycle of a bypass tunnel. Both the mplsLspState and mplsLspInfoState objects now have two additional values: notInService (integer value: 4) and backupActive (5). The notInService state indicates that the LSP has been torn down or never been signaled due to the lack of demand for its protection. The backupActive state indicates that the LSP is up and carrying user traffic for at least one protected LSP due to the failure of the LSP, which has caused the creation of a backup LSP. Similarly, the mplsPathType and mplsPathInfoType objects now have a new value, bypass (5), to denote that the path is a manually configured bypass tunnel. In the previous releases, the information about bypass tunnels was stored in the standard mplsTunnelTable, which uses a combination of mplsTunnelIndex, mplsTunnelInstance, mplsTunnelIngressLSRId, and mplsTunnelEgressLSRId as index. Because the value for mplsTunnelInstance changes when an LSP is signaled or resignaled, new entries are created each time an LSP is signaled or resignaled. This has been causing problems in tracking the state of bypass tunnels. The latest enhancements to the enterprise-specific MIB, which uses the LSP name as index, enable the MIB to store information about bypass tunnels in a single entry and users to access information about bypass tunnels through its life cycle using a single index. The show mpls lsp bypass command returns information about bypass tunnels of all states. [Network Management]

Routing Policy and Firewall Filters


Dynamic configuration support for routing policies—Enables you to configure routing policies in a dynamic database that is not subject to the same verification required to commit configuration changes to the standard configuration database.

As a result, you can quickly commit routing policies that can be referenced and applied in the standard configuration as needed. The dynamic database is stored in the /var/run/db/juniper.dyn directory.

To configure a dynamic database, enter the configure dynamic command to be placed in the [edit dynamic] hierarchy. At the [edit dynamic policy-options] hierarchy level, you can configure the following statements: as-path as-path-name, as-path-group group-name, community community-name, condition condition-name, prefix-list prefix-list-name, and policy-statement policy-statement-name. No other configuration is supported at the [edit dynamic] hierarchy level.

All the policies that you configure in the dynamic database can be referred to in policies configured in the standard configuration under the [edit policy-options] hierarchy level. To define a routing policy based on the dynamic database configuration, include the dynamic-db statement at the [edit policy-options policy-statement policy-statement-name] hierarchy level in the standard configuration mode. You can also include the dynamic-db statement at the following hierarchy levels: [edit policy-options as-path as-path-name], [edit policy-options as-path-group group-name], [edit policy-options community community-name], [edit policy-options condition condition-name], and [edit policy-options prefix-list prefix-list-name]. In this way, you can define any of these policy objects using the dynamic database configuration. You can then apply any of these policies that reference the dynamic database configuration to a routing policy configured in the standard configuration. For example, include the dynamic-db statement at the [edit policy-options prefix-list p11] hierarchy level to create a prefix list, p11, that references the dynamic database configuration.

You can then include the prefix-list p11 statement at the [edit policy-options policy-statement policy-statement-name from] hierarchy level in the standard configuration to define a routing policy that matches on a prefix list configured in the dynamic database.

Currently, BGP is the only protocol to which you can apply routing policies configured in the dynamic database. You must use the standard configuration mode to apply routing policies configured in the dynamic database. For example, you configure policy-statement dyn-policy1 at the [edit dynamic] hierarchy level.

You then define a routing policy based on the dynamic database configuration by including the dynamic-db statement at the [edit policy-options policy-statement dyn-policy1] hierarchy level. You can then apply the dyn-policy1 routing policy at the [edit protocols bgp group group-name neighbor address export] or [edit protocols bgp group group-name neighbor address import] hierarchy level in the standard configuration mode. [Policy]

IEEE 802.1p priority match conditions for Layer 2 VPN firewall filters (MX-series routers)—Enables you to configure firewall filters for Layer 2 VPN traffic that match on learned and user IEEE 802.1p priority fields. To match on a learned 802.1p priority field, include the learn-vlan-1p-priority value statement at the [edit firewall family ccc filter filter-name term term-name from] hierarchy level.

To match on a user 802.1p priority field, include the user-vlan-1p-priority value statement at the [edit firewall family ccc filter filter-name term term-name from] hierarchy level. These match conditions were previously supported with VPLS and Layer 2 bridging only. [Policy, Layer 2 Configuration Guide]


Port mirroring for VPLS traffic and multiple port-mirroring instances for IPv4, IPv6, and VPLS traffic (M7i, M10i, M120, M320 routers)—Extends port-mirroring support for VPLS traffic to M7i, M10i, M120, and M320 routers. Previously, only the MX-series routers supported port mirroring for VPLS traffic. The M7i or M10i router must include the Enhanced CFEB (CFEB-E) to use this feature. In addition, on the M320, VPLS port mirroring is supported only on Enhanced III FPCs. Include the family vpls statement at the [edit forwarding-options port-mirroring] hierarchy level.

You can also configure multiple port-mirroring instances for IPv4, IPv6, and VPLS traffic, with each instance specifying different input sampling properties and output mirror destination properties. Multiple port-mirroring instances were previously supported only on the MX-series routers. To configure a port-mirroring instance, include the instance port-mirroring-instance-name statement at the [edit forwarding-options port-mirroring] hierarchy level. To configure a family address type for a port-mirroring instance, include the family (inet | inet6 | vpls) statement at the [edit forwarding-options port-mirroring instance port-mirror-instance-name] hierarchy level. To configure input properties for a port-mirroring instance, include the input statement at the [edit forwarding-options port-mirroring instance port-mirroring-instance-name] hierarchy level. To configure output properties for a port-mirroring instance, include the output statement at the [edit forwarding-options port-mirroring family (inet | inet6 | vpls)] hierarchy level. You can also associate a port-mirroring instance with a specific FPC on an M320 router and with a specific FEB on an M120 router. To associate a port-mirroring instance with a specific FPC on an M320 router, include the port-mirror-instance instance-name statement at the [edit chassis fpc number] hierarchy level. To associate a port-mirroring instance with a specific FEB on an M120 router, include the port-mirror-instance instance-name statement at the [edit chassis feb slot number] hierarchy level. You can associate only one port-mirroring instance with each FPC on an M320 router and with each FEB on an M120 router. In addition, on an M120 router, you cannot configure a port-mirroring instance on a FEB configured as a backup FEB. [Policy, System Basics]

Packet loss priority match condition for firewall filters extended to M120 and M320 routers—Enables you to configure a firewall filter that matches on a specific packet loss priority (PLP) level. To configure a PLP match condition, include the loss-priority level statement at the [edit firewall filter filter-name term term-name from] hierarchy level. For the level, you can include one or more of the following values: high, low, medium-high, or medium-low. All protocol families are supported with the loss-priority match condition. To configure a family type for a firewall filter, include the family (any | ccc | inet | inet6 | mpls | vpls) statement at the [edit firewall] hierarchy level. The loss-priority level was previously supported only on the MX-series routers and on the M7i and M10i routers that use the new Enhanced CFEB (CFEB-E). [Policy]


Routing Protocols

Routing Engines as BGP route reflectors (JCS 1200)—To decrease BGP control traffic and minimize the number of update messages, a BGP route reflector is used in many networks to distribute BGP routes within the AS. This feature leverages the large memory and 64-bit processor capacity of the JCS routing engine, making it an ideal candidate for route reflection.

To configure this option, the blade bay data includes support for a new routing platform type: Standalone Control Element (PRDSCE). The SCE platform does not have forwarding plane (PFE) support and does not require RSD connectivity. The platform has network connectivity by fxp0 and fxp1 interfaces only. [JUNOS PSD Configuration Guide]

Support for alternate loop-free routes for IS-IS —Adds fast reroute capability for IS-IS. The JUNOS software precomputes loop-free backup routes for all IS-IS routes. These backup routes are preinstalled in the Packet Forwarding Engine, which performs a local repair and implements the backup path when the link for a primary next hop for a particular route is no longer available. A loop-free path is one that does not return traffic through the router to reach a given destination. That is, a neighbor that already forwards traffic to the router is not used as a backup route to that destination.

You can enable support for alternate loop-free routes on any IS-IS interface. Because it is common practice to enable LDP on an interface for which IS-IS is already enabled, this feature also provides support for LDP label-switched paths (LSPs).

The level of backup coverage available through IS-IS routes depends on the actual network topology and is typically less than 100 percent for all destinations on any given router. You can extend backup coverage to include RSVP LSP paths.

The JUNOS software provides two mechanisms to enable fast reroute for IS-IS using alternate loop-free routes: link protection and node-link protection. When you enable link protection or node-link protection on an IS-IS interface, the JUNOS software creates an alternate path to the primary next hop for all destination routes that traverse a protected interface. Link protection offers per-link traffic protection. Use link protection when you assume that only one link might become unavailable but that the neighboring node on the primary path would still be available through another interface. Node-link protection establishes an alternate path through a different router altogether. Use node-link protection when you assume that access to a node is lost when a link is no longer available.

To enable link protection for all destination routes that traverse a specific interface, include the link-protection statement at the [edit protocols isis interface interface-name] hierarchy level. To enable node-link protection for all destination routes that traverse a specific interface, include the node-link-protection statement at the [edit protocols isis interface interface-name] hierarchy level. By default, all the interfaces in a routing instance can function as backup interfaces for a protected interface. To exclude a specific interface from functioning as a backup for a protected interface, include the no-eligible-backup statement at the [edit protocols isis interface interface-name] hierarchy level. You can enhance backup coverage for IS-IS routes and LDP LSP paths by configuring RSVP LSPs as additional backup paths. Include the backup statement at the [edit mpls label-switched-path lsp-name] hierarchy level. You must also specify the address of the egress router for the LSP by including the to address statement at the [edit mpls label-switched-path lsp-name] hierarchy level.

Several new commands are available to support this new feature. Use the show isis backup label-switched-path command to display which MPLS LSPs have been designated as backup paths. To display shortest-path-first (SPF) calculations for each neighbor, use the show isis backup spf results command. Use the show isis backup coverage command to display how many nodes and prefixes for each address family are protected. In addition, the show isis detail command has been enhanced to display the type of protection, link or link-node, applied to each interface. [Routing Protocols, Routing Protocols and Policies Command Reference]

Support for the BGP Monitoring Protocol—Enables you to collect data from the BGP Adjacency-RIB-In routing tables and to periodically have that data sent to a monitoring station. The JUNOS software implementation of the BGP Monitoring Protocol (BMP) is based on the Internet draft BGP Monitoring Protocol, draft-scudder-bmp-01.txt. To configure BMP, include the bmp station-address bmp-station-address statements at the [edit routing-options] hierarchy level. For bmp-station-address, include the IP address of the monitoring station. You must also configure the port number of the monitoring station. Include the station-port station-port-number statement at the [edit routing-options bmp] hierarchy level. You can also configure BMP for individual logical systems.

Optionally, you can configure how often to send data to the monitoring station with the statistics-timeout seconds statement. The default is 1 hour. You can also configure a memory threshold to stop collecting BMP data when it is exceeded, as well as a time interval to wait before reestablishing a BMP session that has ended after exceeding the memory threshold. Use the memory-limit bytes statement to configure the memory threshold. The default is 10 MB. To configure the interval to wait before reestablishing the BMP session, include the memory-connect-timeout seconds statement. The default is 10 minutes. [Routing Protocols]

Alias support for local autonomous system number for BGP—Enables you to configure a local autonomous system (AS) number assigned to a BGP group or neighbor as an alias to the system AS. As a result, a BGP peer considers any local AS to which it is assigned as equivalent to the primary AS number configured for the router. When you configure a local AS number as an alias, that number is no longer prepended in the BGP path when a BGP peer sends route updates to an external peer. Only the primary AS number is prepended in the BGP path.

To configure a local AS as an alias to the system AS, include the alias statement at the [edit protocols bgp group group-name local-as number] or [edit protocols bgp group group-name neighbor address local-as number] hierarchy level. You configure the AS for the router with the autonomous-system number statement at the [edit routing-options] hierarchy level. [Routing Protocols]

Support to hold down BGP peering sessions after a nonstop active routing switchover—Enables you to configure the router not to reestablish a BGP peering session after a nonstop active routing (NSR) switchover, either for a specified period of time or until you manually reestablish the session. Include the idle-after-switch-over (seconds | forever) statement at the [edit protocols bgp] hierarchy level. For seconds, you can configure a value from 1 through 4294967295. After an NSR switchover, the BGP peering session is not reestablished until after the specified period of time. If you specify the forever option, the BGP peering session is not reestablished until you issue the clear bgp neighbor command from the master Routing Engine. The idle-after-switch-over statement is also supported at the BGP group and BGP neighbor hierarchy levels. [Routing Protocols]

Services Applications

Support for TCP maximum segment size (MSS) adjustment on M-series routers and T-series routing platforms—The TCP protocol negotiates an MSS value during session connection establishment between two peers. The negotiated MSS value is based primarily on the MTU of the interfaces to which the communicating peers are directly connected. However, because the link MTU varies along the path taken by the TCP packets, some packets that are well within the MSS value may still be fragmented when the packet's size exceeds a link's MTU.

To reduce the possibility of fragmentation and to protect against packet loss, include the tcp-mss mss-value statement to specify an appropriate TCP MSS value.

If the router receives a TCP packet with the SYN bit and MSS option set, and the MSS option specified in the packet is larger than the MSS value specified by the tcp-mss statement, the router replaces the MSS value in the packet with the lower value specified by the tcp-mss statement.

To configure a TCP MSS value, include the tcp-mss statement at the [edit services service-set service-set-name] hierarchy level:

[edit services]
service-set service-set-name {
    tcp-mss mss-value;
}

The range for the tcp-mss mss-value parameter is from 536 to 65,535.

To view statistics of SYN packets received and SYN packets whose MSS value is modified, issue the show services service-sets statistics tcp-mss operational mode command. [Services Interfaces, System Basics]
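As an added illustration (not code from the release notes or from JUNOS), the following Python models the tcp-mss behaviour described above: it walks the TCP options of a SYN, rewrites a larger MSS down to the configured value, leaves non-SYN and malformed segments untouched, enforces the 536 to 65,535 range, and keeps the two counters that show services service-sets statistics tcp-mss reports. The packet-building helpers and the sample segments are constructed for the example.

```python
import struct

MSS_MIN, MSS_MAX = 536, 65535            # configurable range given in the release notes
TCP_OPT_END, TCP_OPT_NOP, TCP_OPT_MSS = 0, 1, 2
FLAG_SYN = 0x02
FLAG_ACK = 0x10


def mss_option(mss):
    """TCP MSS option: kind 2, length 4, 16-bit value."""
    return struct.pack("!BBH", TCP_OPT_MSS, 4, mss)


def build_tcp_segment(sport, dport, flags, options=b""):
    """Constructed TCP header (no IP header, checksum left at zero) for the samples below."""
    options += b"\x00" * (-len(options) % 4)          # options are padded to 32-bit words
    data_offset = 5 + len(options) // 4               # header length in 32-bit words
    fixed = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset << 4, flags, 65535, 0, 0)
    return fixed + options


def _options(segment):
    """Yield (kind, absolute offset, length) for each TCP option; stop at END or on malformed data."""
    data_offset = (segment[12] >> 4) * 4
    opts = segment[20:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCP_OPT_END:
            return
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            return                                    # kind byte without a length byte
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            return                                    # bogus length: leave the rest alone
        yield kind, 20 + i, length
        i += length


def read_mss(segment):
    """Return the MSS option value of a segment, or None if there is none."""
    for kind, start, length in _options(segment):
        if kind == TCP_OPT_MSS and length == 4:
            return struct.unpack("!H", segment[start + 2:start + 4])[0]
    return None


class TcpMssClamp:
    """Model of the tcp-mss service-set action and its two statistics counters."""

    def __init__(self, mss_value):
        if not MSS_MIN <= mss_value <= MSS_MAX:
            raise ValueError(f"tcp-mss must be between {MSS_MIN} and {MSS_MAX}")
        self.mss_value = mss_value
        self.syn_received = 0      # SYN packets received
        self.syn_modified = 0      # SYN packets whose MSS value was modified

    def process(self, segment):
        """Return the segment to forward; only a SYN carrying an MSS above the configured value is rewritten."""
        if len(segment) < 20 or (segment[12] >> 4) * 4 > len(segment):
            return segment                            # truncated header: forward unchanged
        if not segment[13] & FLAG_SYN:
            return segment                            # only SYNs negotiate MSS
        self.syn_received += 1
        out = bytearray(segment)
        for kind, start, length in _options(segment):
            if kind == TCP_OPT_MSS and length == 4:
                mss = struct.unpack("!H", segment[start + 2:start + 4])[0]
                if mss > self.mss_value:              # never raise a smaller MSS
                    out[start + 2:start + 4] = struct.pack("!H", self.mss_value)
                    self.syn_modified += 1
                break
        return bytes(out)


def demo():
    """Run three constructed segments (NOP NOP MSS options) through a clamp configured with tcp-mss 1400."""
    clamp = TcpMssClamp(1400)
    results = []
    for flags, mss in ((FLAG_SYN, 1460), (FLAG_SYN, 1200), (FLAG_ACK, 1460)):
        seg = build_tcp_segment(40000, 443, flags, b"\x01\x01" + mss_option(mss))
        results.append(read_mss(clamp.process(seg)))
    return results, clamp.syn_received, clamp.syn_modified


if __name__ == "__main__":
    print(demo())      # ([1400, 1200, 1460], 2, 1)
```

The model deliberately forwards a segment whose option list is malformed rather than guessing at its contents; a clamp that rewrites bytes at a miscalculated offset is worse than one that leaves the packet for the end host to reject.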

Flow-tap support on additional platforms—Adds support for a version of the flow-tap application on MX-series platforms and on M120 and M320 routers. Unlike the previously released flow-tap application, this functionality resides in the Packet Forwarding Engine rather than in a service PIC. You must configure a service PIC or DPC or a regular tunnel port to provide tunneling.

To configure the new feature, include the flow-tap-lite statement at the [edit services] hierarchy level and assign the designated tunnel interface for use by the dynamic flow capture process (dfcd). The original flow-tap feature and the new version share the same Dynamic Tasking Control Protocol (DTCP) SSH architecture to install the DTCP filters and authenticate users. [Services Interfaces, Feature Guide]

Border gateway function (BGF) and Integrated Multi-Service Gateway (IMSG) support on MX platform—Adds support for BGF and IMSG features on MultiServices DPCs on MX-series routers. This functionality was previously released on services PICs running on M-series and T-series routing platforms. [Services Interfaces, Multiplay Solutions, DPC Guide, System Basics and Services Command References]

Call admission control (CAC) for Border Signaling Gateway (BSG)—Enables you to configure a policy action to prevent voice traffic congestion and to ensure that there is enough bandwidth for authorized flows. CAC is applied during the call setup phase. You configure admission control rules in named objects called controllers. For each controller you configure, you can specify:

■ Maximum number of concurrent dialogs and out-of-dialog transactions

■ Maximum rate of dialog and out-of-dialog transaction attempts per second

■ Committed burst size (number of dialogs and out-of-dialog transactions)

When a call cannot be admitted due to a CAC violation, the call request is rejected with a code 403.

To configure a controller, enter the controller-name statement at the [edit services border-signaling-gateway gateway gateway-name admission-control] hierarchy level.

To enforce admission control on dialogs, enter the following statements at the [edit services border-signaling-gateway gateway gateway-name admission-control controller-name dialogs] hierarchy level: maximum-concurrent, committed-attempts-rate, committed-burst-size.

To enforce admission control on transactions, enter the following statements at the [edit services border-signaling-gateway gateway gateway-name admission-control controller-name transactions] hierarchy level: maximum-concurrent, committed-attempts-rate, committed-burst-size.

To assign a CAC controller to a policy action, enter the admission-control statement at the [edit services border-signaling-gateway gateway gateway-name new-transaction-policy policy-name term term-name then] hierarchy level.

You can use the following show commands to display information about call admission control:

■ show services border-signaling-gateway by-contact contact detailed gateway gateway-name

■ show services border-signaling-gateway by-request-uri request-uri detailed gateway gateway-name

■ show services border-signaling-gateway admission-control gateway gateway-name

[Multiplay Solutions, Services Interfaces, System Basics Command Reference]
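To make the three controller limits concrete, here is an added Python model (not Juniper code) of a BSG admission-control controller with separate dialog and transaction limits. The release notes state what each limit means but not how the rate and burst limits combine; this example assumes a token bucket whose refill rate is committed-attempts-rate and whose depth is committed-burst-size, and it returns 403 for any attempt that cannot be admitted. The controller name and limit values are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AdmissionLimits:
    """The three values a controller specifies per kind (dialogs or transactions)."""
    maximum_concurrent: int          # maximum-concurrent
    committed_attempts_rate: float   # committed-attempts-rate, attempts per second
    committed_burst_size: int        # committed-burst-size, attempts allowed in a burst


class CacController:
    """Admission control for SIP dialogs and out-of-dialog transactions.

    Assumption (not stated in the release notes): committed-attempts-rate and
    committed-burst-size are enforced as a token bucket; maximum-concurrent is a
    hard cap on attempts admitted but not yet released.
    """

    REJECT_CODE = 403   # call request rejected on a CAC violation

    def __init__(self, name, dialogs, transactions):
        self.name = name
        self.limits = {"dialogs": dialogs, "transactions": transactions}
        self.active = {k: 0 for k in self.limits}
        self.tokens = {k: float(v.committed_burst_size) for k, v in self.limits.items()}
        self.last_refill = {k: 0.0 for k in self.limits}
        self.rejected = {k: 0 for k in self.limits}

    def _refill(self, kind, now):
        lim = self.limits[kind]
        elapsed = max(0.0, now - self.last_refill[kind])
        self.tokens[kind] = min(float(lim.committed_burst_size),
                                self.tokens[kind] + elapsed * lim.committed_attempts_rate)
        self.last_refill[kind] = now

    def admit(self, kind, now):
        """Try to admit one attempt at time now (seconds). Returns None on success, 403 on a violation."""
        lim = self.limits[kind]
        self._refill(kind, now)
        if self.active[kind] >= lim.maximum_concurrent or self.tokens[kind] < 1.0:
            self.rejected[kind] += 1
            return self.REJECT_CODE
        self.tokens[kind] -= 1.0
        self.active[kind] += 1
        return None

    def release(self, kind):
        """A dialog ended or a transaction completed: free one concurrent slot."""
        if self.active[kind] > 0:
            self.active[kind] -= 1

    def status(self):
        """Per-kind counters, roughly what an admission-control show command would report."""
        return {k: {"active": self.active[k], "rejected": self.rejected[k],
                    "tokens": round(self.tokens[k], 3)} for k in self.limits}


def demo():
    """Constructed scenario: at most 2 concurrent dialogs, 1 attempt/s sustained, bursts of 3."""
    ctl = CacController("voice-cac",
                        dialogs=AdmissionLimits(2, 1.0, 3),
                        transactions=AdmissionLimits(10, 5.0, 10))
    outcomes = [ctl.admit("dialogs", 0.0) for _ in range(3)]   # None, None, 403: concurrency cap hit
    ctl.release("dialogs")
    outcomes.append(ctl.admit("dialogs", 0.0))                 # None: slot free, one token left
    ctl.release("dialogs")
    ctl.release("dialogs")
    outcomes.append(ctl.admit("dialogs", 0.0))                 # 403: bucket empty (rate limit)
    outcomes.append(ctl.admit("dialogs", 1.0))                 # None: one token refilled after 1 s
    return outcomes, ctl.rejected["dialogs"]
```

The two rejection paths are worth keeping distinct when you read the counters: the third attempt fails on maximum-concurrent even though tokens remain, while the fifth fails on the rate limit with no dialog active.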

MultiServices PICs support on the JCS 1200—MultiServices 500 PICs running Layer 3 services packages are now supported on the JCS 1200. [JUNOS PSD Configuration Guide]

TWAMP support extension—Support has been added for existing RPM Two-Way Active Measurement Protocol (TWAMP) functionality on MX-series routers that do not have MultiServices DPCs installed.

To configure TWAMP, include the twamp statement at the [edit services rpm] hierarchy as previously documented, but do not specify the twamp-server statement for any interface. There are no new CLI statements associated with this feature and the existing operational commands function as documented. [Services Interfaces]

RPM TWAMP enhancements—Adds support for TWAMP functionality on MultiServices PICs configured in Layer 3 mode. Also adds support for encryption and authentication mode, based on RFC 4656.

To configure the mode, include the authentication-mode statement at the [edit services twamp server] hierarchy level and specify the value authenticated or encrypted. [Services Interfaces]

Flow aggregation template enhancements—Adds the following new fields to the flow record templates used for version 9 flow aggregation:

■ IPv4 template—Adds IPv4 next-hop address

■ IPv6 template—Adds IPv6 next-hop address, OIF egress interface, and BGP source and destination AS numbers

■ MPLS template—Adds MPLS EXP information

[Services Interfaces, Feature Guide]

Integrated Multi-Service Gateway (IMSG) support for BGF state changes and load balancing (M120, M320, and T640 platforms)—A virtual border gateway function (BGF) that is controlled by the BSG supports the full set of virtual BGF state changes (in-service and out-of-service). To display the current state of the virtual BGF, check the status field that is displayed using the show services pgcp active-configuration command. The BGF also supports distributed virtual BGF load balancing using a round-robin algorithm. [Multiplay Solutions, CR: System Basics and Services]

Border Gateway Function (BGF) user interface enhancements—Enhanced formats for operational commands and trace options configuration statements provide greater flexibility for monitoring the status of virtual BGFs.

Operational Commands

For ease of operation, the CLI now enables you to display each vBGF separately. The new syntax is show services pgcp xxxxx gateway gw-name, where xxxxx represents the desired display. For example, to display vBGF-5 statistics, use show services pgcp statistics gateway vBGF-5.

Similarly, to display all existing vBGFs, use the wildcard “*” in place of the gateway name: for example, show services pgcp statistics gateway *.

Trace Options

You can now configure trace options for extraction and storage of log information for the H.248 stack, the BGF core, and SBC utilities. To configure them, include one or more of the following statements at the [edit services pgcp traceoptions flag] hierarchy level: session-trace, h.248-stack, bgf-core, sbc-util.

[Multiplay Solutions, Services Interfaces, System Basics Command Reference]

Border Gateway Function (BGF) preferential handling of emergency calls during overload (M120, M320, and T640 platforms)—Enables the gateway controller and the administrator to provide preferred processing for emergency calls when the BGF is at an overload processing state. The BGF processing queue is divided into three watermarks that you enable and provision. To configure, include the queue-limit-percentage, reject-new-calls-threshold, and reject-all-commands-threshold statements at the [edit services pgcp gateway overload-control] hierarchy level. To display the current enforcement and transaction queue states, issue the show services pgcp active-configuration gateway gateway-name command and review the Usage Counters. [Multiplay Solutions, Services Interfaces, System Basics Command Reference]

New application-aware access list (AACL) service (MX-series platforms)—Adds support for a new service that uses application names and groups as matching criteria for filtering traffic. AACL is a stateless, rules-based service that can be combined with application identification to enable policies to be applied to flows based on application and application group membership in addition to traditional packet matching rules.

In JUNOS Release 9.5, AACL is supported only on MultiServices DPCs running on MX-series platforms. It is configured in a similar way to other rules-based services such as NAT, CoS, and stateful firewall. To configure AACL, include rule specifications for match criteria and actions at the [edit services application-aware-access-list] hierarchy level. You can chain AACL rules along with other service rules by including them in a service-set definition at the [edit services service-set] hierarchy level, as previously documented. There are no new operational commands associated specifically with AACL. [Services Interfaces]

New service for identifying applications—Application identification (APPID) is a component of a larger project to provide Deep Packet Inspection (DPI) functionality on MX-series platforms. The two main features are per-subscriber, per-application group bandwidth control and Intrusion Detection and Prevention (IDP). The APPID feature is used to identify applications as constituents of application groups in TCP/UDP traffic. To configure APPID, include statements at the [edit services application-identification] hierarchy level to specify parameter values for identifying applications, enable or disable application rules, and gather the applications and rules into groups. A new operational command, show/clear application-identification application-system-cache, allows you to view and delete stored cache entries. [Services Interfaces, System Basics, and Services Command Reference]

IDP functionality extended to MX-series platforms—Adds support for Intrusion Detection and Prevention (IDP) functionality using Deep Packet Inspection (DPI) technology on MX-series platforms equipped with MultiServices DPCs. This feature set is already supported on J-series platforms and is described in J-series Services Router documentation. To configure IDP properties, include statements at the [edit security idp] hierarchy level. You configure IDP processes by including the idp-policy statement at the [edit system processes] hierarchy level. To specify an IDP profile, include the new idp-profile statement at the [edit services service-set] hierarchy level. To configure SNMP IDP objects, include the idp statement at the [edit snmp health-monitor] hierarchy level. Operational commands for monitoring and regulating IDP activity use the clear/request/show security idp command syntax. [J-series Services Router Guides, Services Interfaces]

Local policy decision functionality for application-related services (MX-series platforms)—Adds support for a new process that regulates collection of statistics related to applications and application groups and tracking of information about dynamic subscribers. This functionality is collectively named the local policy decision function (L-PDF); in JUNOS Release 9.5 it is supported only on MX-series platforms equipped with MultiServices DPCs. The application identification (APPID) service defines the applications and how they are grouped. The application-aware access list (AACL) service defines the applications and application groups for which statistics are collected for a specific user or interface. The L-PDF configuration defines the way in which the statistics are output.

To configure properties for statistics output, include the policy-decision-statistics-profile statement at the [edit accounting-options] hierarchy level. A new traceoptions configuration is available at the [edit services local-policy-decision-function] hierarchy level. To configure a dynamic profile to attach a specified service-set to an interface, include the service statement at the [edit dynamic-profiles profile-name interfaces interface-name unit logical-unit-number family inet] hierarchy level. The following new operational commands are supported:

■ show services statistics

■ show services application-aware-access-list statistics

■ show services flows

[Services Interfaces, System Basics and Services Command Reference]

Software Installation and Upgrade

Subscriber interface creation licensing support (MX-series routers)—To enable some router scaling levels, you must purchase, install, and manage separate software license packs. This release supports subscriber interface creation limits. The presence on the router of the appropriate software license keys (passwords) determines how many subscriber interfaces you can configure for use with the JUNOS Subscriber Access Feature Pack.

For information about how to purchase JUNOS software licenses, contact your Juniper Networks sales representative. [Software Installation and Upgrade Guide]

Subscriber Access Management

Extended DHCP relay proxy (MX-series routers)—The extended DHCP relay proxy mode feature supports subscriber access management. The DHCP relay proxy supports all features of the DHCP relay. However, while the extended DHCP relay is virtually transparent, DHCP clients see the DHCP relay proxy as the DHCP server, and the actual DHCP server sees the DHCP relay proxy as a DHCP relay that communicates with clients.

DHCP relay proxy helps improve security for service providers by hiding internal DHCP servers from the view of the attached DHCP clients and providing denial of service (DoS) protection. Also, in a network with multiple DHCP servers, DHCP relay proxy reduces access network traffic by forwarding a single lease to a client.

In contrast to the extended DHCP relay, the extended DHCP relay proxy can be used in a logical router.

To configure DHCP relay proxy support, include the proxy-mode statement at the [edit forwarding-options dhcp-relay overrides] hierarchy level or the [edit forwarding-options dhcp-relay group overrides] hierarchy level.

The extended DHCP relay proxy is not compatible with the J-series DHCP server. Also, you cannot configure both the extended DHCP relay proxy and the extended DHCP local server on the same interface. [Subscriber Access]

JUNOS subscriber access scaling values—The following subscriber access scaling values are supported in this release:

■ Number of subscriber VLANs per DPC: 16,000

■ Number of subscriber VLANs per chassis for MX-240 routing platform, which accommodates 2 DPCs: 32,000

■ Number of subscriber VLANs per chassis for MX-480 and MX-960 routing platforms: 64,000

■ Number of DHCP bindings: 120,000

Mobile IP supports multiple logical routers and routing instances (MX-series routers)—You can now configure the Mobile IP home agent feature independently in any named routing instance in any configured logical router. Previously, Mobile IP supported only the default routing instance and default logical router.

The CLI has been enhanced to add the services hierarchy to the following additional hierarchies:

■ [edit logical-systems logical-system-name]

■ [edit routing-instances routing-instances-name]

■ [edit logical-systems logical-system-name routing-instances routing-instances-name]

This feature enables you to configure a Mobile IP subscriber in a routing instance in a specific logical router based on the vendor-specific attributes (VSAs) returned from the RADIUS server during authentication of the subscriber.

Multiple logical router and routing instance support is available only when you configure local authentication for Mobile IP. When you instead configure RADIUS authentication, only the default logical router and routing instance are supported. Only the local option is available for the order statement; the aaa option is not supported for nondefault logical routers and routing instances. Otherwise, all previously supported Mobile IP configuration statements are available at the new hierarchy levels. [Subscriber Access]

Support for RADIUS framed-route attribute [22] (M120, M320, and MX-series routers)—Enables you to configure the RADIUS Framed-Route Attribute [22] for Access-Accept and CoA-Request messages. The Framed-Route attribute enables you to provide routing information to be configured for the subscriber on the NAS.

The format for the string is:

addr [/maskLen] [nexthop [cost]] [tag tagValue] [distance distValue]

[Subscriber Access]

Support for dynamic configuration of framed routes and addresses (M120, M320, and MX-series routers)—Enables you to configure framed routes and addresses in a dynamic profile. The values for the framed route and addresses are dynamically supplied to subscriber interfaces using RADIUS attributes.

Framed routes are used so that traffic from the subnets can traverse the subscriber interface. By applying framed routes, you can extend per-subscriber interface management to any subnetworks behind the dynamic subscriber interface.

To dynamically configure framed routes using values specified in Framed-Route Attribute [22], include the new junos-framed-route-ip-address-prefix variable with the route statement at the [edit dynamic-profiles profile-name routing-options access] hierarchy level. For each route, you can configure variables for the next-hop IP address (junos-framed-route-nexthop), the cost metric (junos-framed-route-cost), and the preference value (junos-framed-route-distance).

Configuring support for access-internal variables is optional, but it ensures that if the next-hop value is missing in the Framed-Route Attribute [22], values from the access-internal variables are used instead. To configure access-internal variables, include the new junos-subscriber-ip-address variable with the route statement at the [edit dynamic-profiles profile-name routing-options access-internal] hierarchy level. For each access-internal variable, you can configure variables for the qualified next-hop (junos-underlying-interface) and the MAC address (junos-mac-address).

To monitor framed routes, issue the show route protocol access command. To monitor access-internal variables, issue the show route protocol access-internal command. [Subscriber Access]
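The two Framed-Route items above (the attribute string format, and the dynamic-profile fallback to access-internal values when no next hop is present) can be exercised with this added Python parser; it is not Juniper code. It parses the documented string addr [/maskLen] [nexthop [cost]] [tag tagValue] [distance distValue], rejects malformed strings instead of installing a half-parsed route, and fills in the subscriber's own address and underlying interface when the attribute carries no next hop. Two assumptions are marked in the code: a missing maskLen is treated as a host route (/32), and a next hop of 0.0.0.0 is treated like a missing one, following the RFC 2865 convention that 0.0.0.0 means the user's own address. The sample attribute values, subscriber address and interface name are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

KEYWORDS = ("tag", "distance")


@dataclass(frozen=True)
class FramedRoute:
    prefix: ipaddress.IPv4Network
    nexthop: Optional[ipaddress.IPv4Address]
    cost: Optional[int]
    tag: Optional[int]
    distance: Optional[int]


def parse_framed_route(value: str) -> FramedRoute:
    """Parse: addr [/maskLen] [nexthop [cost]] [tag tagValue] [distance distValue]."""
    tokens = value.split()
    if not tokens:
        raise ValueError("empty Framed-Route attribute")
    addr = tokens.pop(0)
    # Assumption for this example: no maskLen means a host route.
    prefix = ipaddress.IPv4Network(addr if "/" in addr else f"{addr}/32", strict=False)

    nexthop = cost = tag = distance = None
    if tokens and tokens[0] not in KEYWORDS:
        nexthop = ipaddress.IPv4Address(tokens.pop(0))   # raises ValueError on junk
        if tokens and tokens[0].isdigit():
            cost = int(tokens.pop(0))
    while tokens:
        key = tokens.pop(0)
        if key not in KEYWORDS or not tokens or not tokens[0].isdigit():
            raise ValueError(f"malformed Framed-Route {value!r} near {key!r}")
        number = int(tokens.pop(0))
        if key == "tag":
            tag = number
        else:
            distance = number
    return FramedRoute(prefix, nexthop, cost, tag, distance)


def resolve_route(route: FramedRoute, subscriber_ip: str, underlying_interface: str) -> dict:
    """Turn a parsed attribute into the route a dynamic profile would install.

    When the attribute has no usable next hop, fall back to the access-internal
    values (subscriber address, underlying interface) as the release notes describe.
    Assumption: 0.0.0.0 counts as 'no next hop' (RFC 2865 convention).
    """
    unusable = route.nexthop is None or route.nexthop == ipaddress.IPv4Address("0.0.0.0")
    return {
        "prefix": str(route.prefix),
        "nexthop": str(subscriber_ip) if unusable else str(route.nexthop),
        "via": underlying_interface if unusable else None,
        "metric": route.cost,
        "preference": route.distance,
        "tag": route.tag,
        "source": "access-internal" if unusable else "access",
    }


def demo():
    """Constructed Access-Accept values for one subscriber at 192.0.2.50 on demux0.100."""
    samples = [
        "10.20.0.0/16 192.0.2.7 5 tag 100 distance 20",   # fully specified
        "10.30.1.0/24",                                    # no next hop: use subscriber address
        "10.40.5.9 0.0.0.0",                               # host route with an RFC 2865-style 0.0.0.0 gateway
    ]
    return [resolve_route(parse_framed_route(s), "192.0.2.50", "demux0.100") for s in samples]
```

The source field distinguishes the two route tables the notes name: a route that came with its own next hop would show under show route protocol access, one built from the fallback values under show route protocol access-internal.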

Enhancement of client firewall filter and CoS attribute aggregation (MX-series routers)—Using the aggregate-clients statement in DHCP local server and DHCP relay agent dynamic profile configurations enables multiple DHCP clients to share the same VLAN logical interface (for example, multiple clients belonging to the same household). By default, the aggregate-clients feature is disabled and a single DHCP client is allowed per VLAN when a dynamic profile is associated with the VLAN logical interface.

In this release the aggregate-clients statement enables you to either merge (the default action; available in a previous release) or replace the firewall filters, CoS schedulers, and IGMP configuration of multiple DHCP clients that share the same VLAN logical interface. When you choose to merge software components, the behavior is as follows:

■ Firewall filters—The filters are chained together using the precedence as the order of execution. If the same firewall filter is attached multiple times, the filter is executed only once.

■ CoS schedulers—The different CoS schedulers are merged as if the scheduler map has multiple schedulers. The merge operation for the individual traffic-control-profiles parameters (shaping-rate, delay-buffer-rate, guaranteed-rate) preserves the maximum value for each parameter.

■ IGMP configuration—The current IGMP configuration is replaced with the configuration of the newest DHCP client.

When you choose to replace software components, each new client session replaces the previous session.

You can configure the aggregate-clients attribute for all interfaces or for groups of interfaces. This feature supports static VLANs. [Subscriber Access]
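Here is an added Python model (not Juniper code) of the merge and replace behaviour just listed, for several DHCP client sessions sharing one VLAN logical interface: filters are chained in precedence order with a filter that appears more than once run only once, each traffic-control-profile parameter keeps the maximum value across clients, the IGMP configuration of the newest client wins, and replace mode keeps only the newest session. The client sessions and their values are constructed; ordering by ascending precedence number is this example's assumption.

```python
from dataclasses import dataclass

TCP_PARAMS = ("shaping-rate", "delay-buffer-rate", "guaranteed-rate")


@dataclass
class ClientSession:
    """What one DHCP client's dynamic profile attaches to the shared VLAN logical interface."""
    client_id: str
    filters: list           # [(filter_name, precedence)]; lowest number runs first (assumed)
    traffic_control: dict   # subset of TCP_PARAMS -> value
    igmp: dict


def merge_filters(sessions):
    """Chain filters by precedence; a filter attached by several clients is executed once."""
    seen = {}
    for s in sessions:
        for name, precedence in s.filters:
            seen.setdefault(name, precedence)       # first attachment wins, no duplicates
    return [name for name, _ in sorted(seen.items(), key=lambda kv: (kv[1], kv[0]))]


def merge_traffic_control(sessions):
    """Per parameter, keep the maximum value any client asked for."""
    merged = {}
    for s in sessions:
        for param in TCP_PARAMS:
            if param in s.traffic_control:
                merged[param] = max(merged.get(param, 0), s.traffic_control[param])
    return merged


def merge_igmp(sessions):
    """IGMP configuration of the newest client replaces the current one."""
    return dict(sessions[-1].igmp) if sessions else {}


def aggregate(sessions, mode="merge"):
    """sessions are in arrival order (oldest first); mode is 'merge' (default) or 'replace'."""
    if mode not in ("merge", "replace"):
        raise ValueError("mode must be 'merge' or 'replace'")
    effective = sessions[-1:] if mode == "replace" else list(sessions)
    return {
        "filters": merge_filters(effective),
        "traffic-control-profile": merge_traffic_control(effective),
        "igmp": merge_igmp(effective),
        "clients": [s.client_id for s in effective],
    }


def demo():
    """Two constructed household clients on one VLAN, merged and then replaced."""
    first = ClientSession("client-a", [("block-bogons", 10), ("limit-a", 20)],
                          {"shaping-rate": 10_000_000, "guaranteed-rate": 2_000_000},
                          {"version": 2})
    second = ClientSession("client-b", [("block-bogons", 10), ("limit-b", 15)],
                           {"shaping-rate": 20_000_000, "delay-buffer-rate": 5_000_000},
                           {"version": 3})
    return aggregate([first, second]), aggregate([first, second], mode="replace")
```

Note the security-relevant consequence of the maximum rule: a second client on the same VLAN can only raise, never lower, the shaping and guaranteed rates already granted, so per-household limits should be set in the profile with that in mind.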

ANCP individual VLAN support and neighbor configuration enhancements (MX-series routers)—ANCP is now supported on individual VLANs. Previously, ANCP was supported only on groups of VLANs (interface sets) carrying services to a subscriber. Now you can configure ANCP on individual logical interfaces for single VLANs that carry services to a subscriber.

To configure ANCP for an individual VLAN, include the access-identifier statement at the [edit protocols ancp interfaces interface-name] hierarchy level. The access identifier no longer has to be unique across the router. Now it must only be unique for individual ANCP neighbors. You must specify neighbor ip-address in the access-identifier statement when the access identifier is unique only for a neighbor.

You can now configure the maximum number of discovery table entries accepted from neighbors. To configure this limit globally for all ANCP neighbors, include the maximum-discovery-table-entries statement at the [edit protocols ancp] hierarchy level.

You can now specify several ANCP parameters for individual neighbors in addition to setting global parameters for all neighbors. Individual neighbor configurations take precedence over the global configuration.

To configure individual neighbor parameters, you can include any of the following statements at the [edit protocols ancp neighbor ip-address] hierarchy level:

■ adjacency-timer—Specify the interval between adjacency messages sent to this ANCP neighbor.

■ discovery-mode—This statement currently has no effect. By default, topology discovery is enabled globally for all neighbors and cannot be disabled.

■ ietf—Specify that the neighbor is running in IETF mode. This statement is not available at the [edit protocols ancp] hierarchy level for global configuration. By default, ANCP neighbors run in IETF mode. This statement is useful when you configure pre-IETF mode globally but want to negate that mode for individual neighbors.

■ maximum-discovery-table-entries—Configure the maximum number of discovery table entries accepted from this neighbor.

■ pre-ietf—Specify that the neighbor is running in pre-IETF mode.

The output for the show ancp cos and show ancp subscriber commands has been enhanced to support this feature. For access identifiers that are not unique across the network, you can issue the show ancp subscriber identifier identifier-string neighbor ip-address command to display subscriber information for a particular neighbor associated with the access identifier. [Subscriber Access, Protocols Command Reference]

Mobile IP home agent support for WiMAX (MX-series routers)—The Mobile IP home agent can now receive, process, and send Worldwide Interoperability for Microwave Access (WiMAX) vendor-specific RADIUS attributes (VSAs). This feature enables the Mobile IP home agent to work in a WiMAX home connectivity services network (HCSN), to provide for mobility management at the IP layer.

To enable the WiMAX feature for Mobile IP, include the wimax statement at the new [edit services mobile-ip access-type] hierarchy level. To disable the WiMAX feature, include the generic statement at the [edit services mobile-ip access-type] hierarchy level.

To determine which release and version number of the WiMAX Forum Network Architecture is supported by the current Mobile IP implementation, enter the show mobile-ip wimax release command.

Reauthentication of WiMAX subscribers is not currently supported. [Subscriber Access, System Basics and Services Command Reference]

GRES support for dynamically created IP DEMUX interfaces—GRES now supports IP DEMUX interfaces in a DHCP subscriber access configuration.

System Logging

New and deprecated system log tags—The following system log message prefix is new in this release:

■ HNCACHED—This describes messages with the HNCACHED prefix. They are generated by the hostname-caching process.

The following system log messages are new in this release:

■ DFWD_POLICER_LIMIT_EXCEEDED

■ ESWD_BPDU_BLOCK_ERROR_DISABLED

■ ESWD_ST_CTL_BW_INFO

■ ESWD_ST_CTL_INVALID_LEVEL

■ ESWD_ST_CTL_INVALID_NO_BR

■ ESWD_ST_CTL_INVALID_NO_UNKNUNI

■ EVENTD_SCRIPT_CHECKSUM_MISMATCH

■ LLDPD_PARSE_ARGS

■ LLDPD_PARSE_BAD_SWITCH

■ LLDPD_PARSE_CMD_ARG

■ LLDPD_PARSE_CMD_EXTRA

■ LLDPD_PARSE_USAGE

■ MIB2D_IF_FLAPPING_MISSING

■ PFE_FW_SYSLOG_ETH

■ RPD_DYN_CFG_GET_SES_TYPE_FAILED

■ RPD_MC_COSD_WRITE_ERROR

■ RPD_MPLS_INTERFACE_ROUTE_ERROR

■ RPD_MPLS_TABLE_ROUTE_ERROR

■ RPD_TASK_DYN_REINIT

The following system log messages are no longer documented:

■ RDD_TRACE_FILE_OPEN_FAILED

■ RPD_DYN_CFG_BAD_REQ_OPCODE

User Interface and Configuration

New directory structure and file system access for logical systems—Beginning with JUNOS Release 9.5, logical systems have their own individual directory structure created in the /var/logical-system/logical-system-name directory. This directory contains the following subdirectories:

■ /config—Contains the current operational router configuration specific to the logical system.

■ /log—Contains system log and tracing files specific to the logical system.

■ /tmp—Contains temporary files specific to the logical system.

Backward compatibility is maintained by creating software links from /var/logs/logical-system-name to /var/logical-systems/logical-system-name.

The new file system access for each logical system enables logical system users to view trace logs and modify logical system files. Logical system administrators have full access to view and modify all files specific to the logical system. [System Basics]

Support for optionally configuring checksum values to check the integrity of scripts—Enables you to configure checksum values to validate the integrity of commit, operations, and event scripts. The supported hash algorithms for calculating checksums are md5, sha-256, and sha1. You can configure one or more hash algorithms for the checksum values.

To configure checksum values for commit scripts, include the appropriate hash algorithms at the [edit system scripts commit file file-name checksum] hierarchy level. To configure checksum values for operations scripts, include the appropriate hash algorithms at the [edit system scripts op file file-name checksum] hierarchy level. To configure checksum values for event scripts, include the appropriate hash algorithms at the [edit event-options event-script file file-name checksum] hierarchy level.

To view the calculated checksum value, issue the file checksum (md5 | sha-256 | sha1) operational mode command. [Automation, System Basics and Services Command Reference]
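The checksum stanza only protects you if something recomputes the digest and refuses a script that no longer matches. The following added Python (not Juniper's implementation) shows that verification step for the three algorithms the notes list: it maps the JUNOS algorithm keywords to hashlib, hashes the script file, compares it with every configured value (all of them must match), and renders set-style configuration lines for the hierarchy levels quoted above. The script contents are constructed, the script file name is a placeholder, and write_constructed_script exists only to create sample files for the example.

```python
import hashlib
import os
import tempfile

# JUNOS checksum keyword -> hashlib constructor name
ALGORITHMS = {"md5": "md5", "sha-256": "sha256", "sha1": "sha1"}

# Hierarchy levels from the release notes, keyed by script kind
CHECKSUM_HIERARCHY = {
    "commit": "system scripts commit file {name} checksum",
    "op": "system scripts op file {name} checksum",
    "event": "event-options event-script file {name} checksum",
}


def file_checksum(path, algorithm):
    """Hex digest of a file, as 'file checksum (md5 | sha-256 | sha1)' would show it."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported checksum algorithm {algorithm!r}")
    h = hashlib.new(ALGORITHMS[algorithm])
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_script(path, configured):
    """configured: {algorithm: expected_hex}. Every configured digest must match.

    Returns (ok, list_of_failures). A script with no checksum configured is
    reported as unverified rather than silently accepted.
    """
    if not configured:
        return False, ["no checksum configured"]
    failed = [alg for alg, expected in configured.items()
              if file_checksum(path, alg) != expected.strip().lower()]
    return (not failed), failed


def checksum_config_lines(kind, name, path, algorithms=("sha-256",)):
    """Set-style lines pinning a script to its current digests (built from the hierarchies above)."""
    base = CHECKSUM_HIERARCHY[kind].format(name=name)
    return [f"set {base} {alg} {file_checksum(path, alg)}" for alg in algorithms]


def write_constructed_script(content):
    """Write sample bytes to a temp file and return its path (example helper, not a router API)."""
    fd, path = tempfile.mkstemp(suffix=".slax")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return path


def demo():
    """Pin a constructed commit script, then show that a one-byte change is caught."""
    original = write_constructed_script(b"abc")          # stands in for the real script body
    pinned = {alg: file_checksum(original, alg) for alg in ("sha-256", "md5")}
    ok_before, _ = verify_script(original, pinned)
    tampered = write_constructed_script(b"abd")          # same file name on the router, different body
    ok_after, failed = verify_script(tampered, pinned)
    return ok_before, ok_after, sorted(failed)
```

Pinning more than one algorithm costs nothing here; if you pin only one, prefer sha-256, since md5 and sha1 are both accepted by the stanza but are the weaker of the three.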

Dynamic auto-sensed VLAN support—This release supports the automatic configuration of VLANs and stacked VLANs on static Ethernet interfaces. You can configure a single set of up to 32 ranges per VLAN or stacked VLA	N type. When using mixed VLAN tagging, you can configure up to 64 VLANs per port (32 VLANs and 32 stacked VLANs). This feature supports the vlan-tagging, stacked-vlan-tagging, and flexible-vlan-tagging (both VLAN tagging and stacked VLAN tagging on the same port) encapsulations.

You enable automatic configuration of VLANs by including the vlan-id statement in a dynamic profile at the [edit dynamic-profiles profile-name] hierarchy level and by referencing the dynamic profile in the auto-configure statement at the [edit interfaces interface-name] hierarchy level.

Using the vlan-id statement, you specify the junos-vlan-id variable for the VLAN ID. This statement and variable combination obtains an actual VLAN ID from a range of VLAN IDs that you specify at the [edit interfaces interface-name] hierarchy level.

You enable automatic configuration of stacked VLANs by defining a dynamic stacked VLAN profile and using the vlan-tags statement at the [edit dynamic-profiles] hierarchy level. In the vlan-tags statement, you specify the junos-stacked-vlan-id variable for the outer VLAN ID and the junos-vlan-id variable for the inner VLAN ID. This statement and variable combination obtains an actual outer and inner stacked VLAN ID from a range of VLAN IDs that you specify.


You define VLAN or stacked VLAN ranges with the auto-configure statement at the [edit interfaces interface-name] hierarchy level. To define VLAN ranges, include the vlan-ranges statement at the [edit interfaces interface-name auto-configure] hierarchy level; to define stacked VLAN ranges, include the stacked-vlan-ranges statement at the same level. You must then specify the dynamic VLAN profile using the dynamic-profile statement at the [edit interfaces interface-name auto-configure vlan-ranges] or [edit interfaces interface-name auto-configure stacked-vlan-ranges] hierarchy level, specify the VLAN interface type (inet) using the accept statement at the [edit interfaces interface-name auto-configure vlan-ranges dynamic-profile] or [edit interfaces interface-name auto-configure stacked-vlan-ranges dynamic-profile] hierarchy level, and finally specify the VLAN ranges that you want accessing clients to use with the ranges statement at the [edit interfaces interface-name auto-configure vlan-ranges dynamic-profile] or [edit interfaces interface-name auto-configure stacked-vlan-ranges dynamic-profile] hierarchy level.

When specifying values for the low-tag and high-tag variables for the vlan-ranges or stacked-vlan-ranges statement, you can define tag ranges from 1 to 4094 or use the any option to specify the entire VLAN range. You can use the clear auto-configuration interfaces interface-name command to manually remove a dynamically created VLAN or stacked VLAN interface.

NOTE: You can only remove dynamically-created VLANs or stacked VLANs when no subscribers are using the interface either directly on that VLAN interface or on a separate IP DEMUX interface using that VLAN as its underlying interface.

[Network Interfaces, Subscriber Access]
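The following configuration is added here as an illustration and is not taken from the release notes. It ties the statements above together for one access port, with a single-tagged profile and a stacked profile on the same interface. The profile names (vlan-auto, svlan-auto), the interface ge-1/0/0, the tag ranges, the flexible-vlan-tagging statement, the "outer,inner" pair syntax inside ranges for the stacked case, and the predefined variables $junos-interface-ifd-name and $junos-interface-unit (which this section does not mention) are assumptions; the auto-configure, vlan-ranges, stacked-vlan-ranges, dynamic-profile, accept, ranges, vlan-id, vlan-tags, junos-vlan-id and junos-stacked-vlan-id names are the ones described in the text.

```junos
dynamic-profiles {
    /* Added example: profile for single-tagged VLANs. The profile name and
       the $junos-interface-ifd-name / $junos-interface-unit variables are
       assumptions; $junos-vlan-id is the variable named in the release notes. */
    vlan-auto {
        interfaces {
            "$junos-interface-ifd-name" {
                unit "$junos-interface-unit" {
                    vlan-id "$junos-vlan-id";
                    family inet;
                }
            }
        }
    }
    /* Added example: profile for stacked (Q-in-Q) VLANs; outer tag comes
       from $junos-stacked-vlan-id, inner tag from $junos-vlan-id. */
    svlan-auto {
        interfaces {
            "$junos-interface-ifd-name" {
                unit "$junos-interface-unit" {
                    vlan-tags outer "$junos-stacked-vlan-id" inner "$junos-vlan-id";
                    family inet;
                }
            }
        }
    }
}
interfaces {
    ge-1/0/0 {
        /* assumed: needed so one port can carry both single and stacked tags */
        flexible-vlan-tagging;
        auto-configure {
            vlan-ranges {
                dynamic-profile vlan-auto {
                    accept inet;
                    ranges {
                        /* only tags 100-199 are allowed to create an interface */
                        100-199;
                    }
                }
            }
            stacked-vlan-ranges {
                dynamic-profile svlan-auto {
                    accept inet;
                    ranges {
                        /* outer tags 2000-2099 with any inner tag;
                           the "outer,inner" pair syntax is an assumption */
                        2000-2099,any;
                    }
                }
            }
        }
    }
}
```

Keep the ranges as narrow as the access network needs. With ranges { any; } the port instantiates a logical interface for whichever tag between 1 and 4094 shows up first, so a misconfigured or hostile access device can create interfaces on VLANs that were never provisioned and consume logical-interface resources; a bounded range limits that to the tags you actually hand out. Check what was created with show interfaces ge-1/0/0 and remove a stale interface with clear auto-configuration interfaces ge-1/0/0, subject to the subscriber restriction in the note above.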

VPNs

Layer 3 VPN BGP routes and labels—You can now configure Juniper Networks routers to accept larger numbers of Layer 3 VPN BGP updates with unique inner VPN labels by including the l3vpn-composite-nexthop statement at the [edit routing-options] hierarchy level. This feature is available on M120, M320, and MX-series routers. The neighboring PE routers are typically non-Juniper Networks routers configured to assign a unique inner label to each Layer 3 VPN BGP route. The l3vpn-composite-nexthop statement is disabled by default. When you configure the l3vpn-composite-nexthop statement and issue the commit command, the BGP session is immediately restarted. For more information, see PR 292173. [VPNs]

VPLS routing instance prioritization—When a path is rerouted using fast reroute, the Packet Forwarding Engine (PFE) collects all the affected next hops and changes them to the backup link one after another in no particular order. When a fast reroute event occurs, the time needed to restore connectivity depends on the number of affected next hops, which can lead to longer fast reroute times for all affected traffic. You can now prioritize specific VPLS routing instances for faster fast reroute convergence. The next hops for a higher priority VPLS routing instance are modified first, and therefore the traffic traversing the higher priority VPLS routing instance is restored faster.

To prioritize a VPLS routing instance, configure the fast-reroute-priority statement at the [edit routing-instances routing-instance-name forwarding-options] hierarchy level. You can configure a priority of high, medium, or low. [VPNs]

Extranet next-generation MVPN—The extranet next-generation multicast VPN (MVPN) functionality (also known as overlapping MVPNs) allows multicast receivers in a given VRF routing instance to receive traffic from multicast sources in another VRF routing instance. Extranet MVPNs support PIM-ASM or PIM-SSM in customer instances. PIM-DM in customer instances is not supported. Extranet MVPNs require the use of RSVP-TE P2MP LSPs for provider tunnels. Extranet MVPNs also support both inclusive and selective tunnels.

The following extranet MVPN topologies are supported:

The source and receiver are in different VPNs attached to different PE routers.

The source and receiver are in different VPNs but attached to the same PE router.

Multiple receivers are attached to one PE router but in different VPNs.

Prefix-based extranets, where a few selected sources are exported from one VPN to another, are also supported.

The configuration for extranet next-generation MVPNs relies on existing configuration statements.

If there is more than one MVPN routing instance on a PE router, extranet next-generation MVPNs require VT interfaces to be configured on all MVPN routing instances on a PE router that is designated to receive traffic from the same source. If there is only one MVPN routing instance on a PE router that has receivers for a particular source, the MVPN routing instance does not need to have a VT interface configured. VT interfaces are not required for unicast routing instances which can still rely upon label-switching interfaces (LSIs).

PIM-DM is not supported in the MVPN SP core for Draft-Rosen. [VPNs]

LDP BGP interworking additional platform support—LDP BGP interworking is now supported on the M10i, M40e, M120, and T-series routers and the TX Matrix platform. [VPNs]

VLAN range for L2 VPN (MX-series)—Supports bundling a list of VLAN IDs on a logical interface and using it for a cross-connect, to enhance existing functionality, dramatically reduce usage of system resources such as logical interfaces and next-hops, and simplify configuration.

To configure a VLAN ID list, use the vlan-id-list list statement at the [edit interfaces interface-name-fpc/pic/port unit unit-number] hierarchy level.

To configure a group of VLAN tags, use the vlan-tags <(inner | inner-list list)> statement at the [edit interfaces interface-name-fpc/pic/port unit unit-number] hierarchy level (the example below shows vlan-tags under the logical unit).

NOTE: TPID is not supported with inner-list.

An example configuration for this feature follows:

interfaces {
    ge-1/1/0 {
        vlan-tagging;
        encapsulation flexible-ethernet-services;
        unit 10 {
            encapsulation vlan-ccc;
            vlan-id-list [ 20 30-40 45 ];
        }
    }
    ge-1/1/1 {
        flexible-vlan-tagging;
        encapsulation flexible-ethernet-services;
        unit 10 {
            encapsulation vlan-ccc;
            vlan-tags outer 200 inner-list [ 50-60 80 90-100 ];
        }
    }
}

[Network Interfaces]

Static pseudowires (M-series and T-series routers)—You can now configure static pseudowires. Static pseudowires are designed for networks that do not support or have not enabled LDP. Without LDP, Layer 2 circuits could not be signaled in previous JUNOS software releases. You enable static pseudowires by configuring static values for the in and out labels needed to bring up a pseudowire connection. You must configure unique labels for the static pseudowire configuration to commit. The ignore-mtu-mismatch, ignore-vlan-id, and ignore-encaps-mismatch statements are not relevant for static pseudowire configurations, since there is no way for the peer router to forward this information.

To configure a static pseudowire, include the static statement at the [edit protocols l2circuit neighbor address interface interface-name] hierarchy level. You must also configure the incoming-label label statement and outgoing-label label statement at the [edit protocols l2circuit neighbor address interface interface-name static] hierarchy level. You can also configure the static statement and sub-statements at the [edit protocols l2circuit neighbor address interface interface-name backup-neighbor neighbor] hierarchy level. If you configure the neighbor as static, you must configure the backup neighbor as static as well.

Note that when you configure static pseudowires, you must manually compare the encapsulation, TDM bit rate, and control word of the router with those of the remote peer router and ensure that they match; otherwise the data path can be affected. For example, data would be forwarded from one end of the pseudowire but dropped at the other end because of a mismatch in the encapsulation, TDM bit rate, or control word.

You can also make it possible to ping a static pseudowire by configuring the send-oam statement at the [edit protocols l2circuit neighbor address interface interface-name static] hierarchy level. If you configure the send-oam statement, it applies to the backup neighbor as well. Once you have enabled this statement, you can ping the static pseudowire by issuing the ping mpls l2circuit command.

The output of the show l2circuit connections command has been modified to indicate whether a pseudowire on a router is static. The Layer 2 circuit interface is labeled with SP (meaning static pseudowire). [VPNs]
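As an added illustration, not configuration from the release notes, the two PE routers below bring up a static pseudowire with a backup neighbor and OAM enabled. The loopback addresses, interface names, and label values are assumptions; the labels must fall within the router's static label range, and the values shown are only placeholders for that. The statements used (static, incoming-label, outgoing-label, backup-neighbor, send-oam) are the ones named above.

```junos
/* PE1 (loopback 192.0.2.1, assumed): primary neighbor PE2, backup neighbor PE3.
   With no LDP signaling, the labels are fixed by hand on both ends. */
protocols {
    l2circuit {
        neighbor 192.0.2.2 {
            interface ge-0/0/1.0 {
                static {
                    /* label PE1 expects on frames arriving from PE2 */
                    incoming-label 1000001;
                    /* label PE1 pushes on frames sent to PE2 */
                    outgoing-label 1000002;
                    /* enables ping mpls l2circuit; also applies to the backup */
                    send-oam;
                }
                /* the backup must be static because the primary is static */
                backup-neighbor 192.0.2.3 {
                    static {
                        incoming-label 1000003;
                        outgoing-label 1000004;
                    }
                }
            }
        }
    }
}

/* PE2 (loopback 192.0.2.2, assumed): the labels mirror PE1's.
   PE2's incoming-label is PE1's outgoing-label and vice versa. */
protocols {
    l2circuit {
        neighbor 192.0.2.1 {
            interface ge-0/0/5.0 {
                static {
                    incoming-label 1000002;
                    outgoing-label 1000001;
                    send-oam;
                }
            }
        }
    }
}
```

After the commit, show l2circuit connections should list ge-0/0/1.0 with the SP flag, and ping mpls l2circuit interface ge-0/0/1.0 exercises the data path once send-oam is on. Because nothing is signaled, a transposed label or an encapsulation, control-word, or TDM bit-rate mismatch is silent: one side forwards and the other drops, so compare those values on both PEs by hand before trusting traffic counters.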

JUNOS XML API and Scripting

New JUNOS XML API operational request tag elements—Table 1 on page 38 lists the JUNOS Extensible Markup Language (XML) operational request tag elements that are new in JUNOS Release 9.5, along with the corresponding CLI command and response tag element for each one.

Table 1: JUNOS XML Tag Elements and CLI Command Equivalents New in JUNOS 9.5

Request Tag Element | CLI Command | Response Tag Element
<clear-ancp-subscriber-identifier-information> | clear ancp subscriber identifier | <ancp-subscriber-identifier-information>
<clear-mpls-lsp-information> | clear mpls lsp | NONE
<clear-elmi-statistics> | clear oam ethernet lmi statistics | NONE
<clear-ospf-database-information> | clear ospf database | NONE
<clear-ospf-io-statistics-information> | clear ospf io-statistics | NONE
<clear-ospf-neighbor-information> | clear ospf neighbor | NONE
<clear-ospf-overload-information> | clear ospf overload | NONE
<clear-ospf3-database-information> | clear ospf3 database | NONE
<clear-ospf3-io-statistics-information> | clear ospf3 io-statistics | NONE
<clear-ospf3-neighbor-information> | clear ospf3 neighbor | NONE
<clear-ospf3-overload-information> | clear ospf3 overload | NONE
<clear-ospf3-statistics-information> | clear ospf3 statistics | NONE
<clear-rsvp-session-information> | clear rsvp session | NONE
<clear-rsvp-counters-information> | clear rsvp statistics | NONE
<clear-idp-application-system-cache> | clear security idp application-identification application-system-cache | <idp-applications-information>
<clear-service-msp-flow-table-information> | clear services flows | <service-msp-flow-drain-information>
<clear-service-pgcp-gates-gateway> | clear services pgcp gates gateway | <service-pgcp-gates-gateway-drain-information>
<clear-service-pgcp-statistics-gateway> | clear services pgcp statistics gateway | <service-pgcp-statistics-gateway-drain-information>
<request-ping-l2circuit-interface> | ping mpls l2circuit interface | NONE
<request-ping-l2circuit-virtual-circuit> | ping mpls l2circuit virtual-circuit | NONE
<request-ping-l2vpn-instance> | ping mpls l2vpn instance | NONE
<request-ping-l2vpn-interface> | ping mpls l2vpn interface | NONE
<request-ping-l3vpn> | ping mpls l3vpn | NONE
<request-ping-ldp-lsp> | ping mpls ldp | NONE
<request-ping-lsp-end-point> | ping mpls lsp-end-point | NONE
<request-ping-rsvp-lsp> | ping mpls rsvp | NONE
<request-ping-vpls-instance> | ping vpls instance | NONE
<request-appid-application-package-uninstall> | request services application-identification uninstall | <appid-apppack-uinstall>
<check-in-service-upgrade> | request system software validate in-service-upgrade | NONE
<get-environment-cip-information> | show chassis environment cip | <environment-component-information>
<get-cos-multi-destination-information> | show class-of-service multi-destination | <cos-multi-destination-information>
<get-isis-backup-coverage-information> | show isis backup coverage | <isis-backup-coverage-information>
<get-isis-backup-lsp-information> | show isis backup label-switched-path | <isis-backup-lsp-information>
<get-isis-backup-spf-results-information> | show isis backup spf results | <isis-backup-spf-results-information>
<get-mip-wimax-release-information> | show mobile-ip wimax release | <mip-wimax-release-information>
<get-evc-infromation> | show oam ethernet evc | <elmi-evc-information>
<get-elmi-information> | show oam ethernet lmi | <elmi-interface-information>
<get-elmi-statistics> | show oam ethernet lmi statistics | <elmi-interface-statistics>
<get-idp-applications-information> | show security idp application-statistics | <idp-applications-information>
<get-service-border-signaling-gateway-statistics-admission-control> | show services border-signaling-gateway admission-control | <bsg-statistics-admission-control>
<get-service-border-signaling-gateway-information-by-contact> | show services border-signaling-gateway by-contact | <bsg-information-details>
<get-service-border-signaling-gateway-information-by-request-uri> | show services border-signaling-gateway by-request-uri | <bsg-information-details>
<get-service-border-signaling-gateway-statistics-calls> | show services border-signaling-gateway calls | <bsg-statistics-calls-details>
<get-service-border-signaling-gateway-statistics-calls-failed> | show services border-signaling-gateway calls-failed | <bsg-statistics-calls-failed-details>
<get-service-msp-flow-table-information> | show services flows | <service-sfw-flow-table-information>
<get-service-pgcp-active-configuration-gateway> | show services pgcp active-configuration gateway | <service-pgcp-active-configuration-gateway>
<get-service-pgcp-conversation-information-gateway> | show services pgcp conversations gateway | <service-pgcp-conversation-gateway-information>
<get-service-pgcp-flow-table-information-gateway> | show services pgcp flows gateway | <service-pgcp-flow-table-gateway-information>
<get-service-pgcp-gate> | show services pgcp gate | <service-pgcp-gate>
<get-service-pgcp-gate-gateway> | show services pgcp gate gateway | <service-pgcp-gate-gateway>
<get-services-pgcpd-root-termination-gateway> | show services pgcp root-termination gateway | <services-pgcpd-root-termination-gateway>
<get-service-pgcp-terminations-gateway> | show services pgcp terminations gateway | <service-pgcp-terminations-gateway>
<get-service-set-plugin-summary> | show services service-sets plug-ins | <service-set-plugin-summary>
<get-service-set-tcp-mss-statistics> | show services service-sets statistics tcp-mss | <service-set-tcp-mss-statistics>
<get-name-resolution-info> | show system name-resolution | <name-resolution-info>

[JUNOS XML API Operational Reference]

Related Topics

Changes in Default Behavior and Syntax in JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms on page 41

Issues in JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms on page 45

Errata and Changes in Documentation for JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms on page 75

Upgrade and Downgrade Instructions for JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms on page 80

Changes in Default Behavior and Syntax in JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms

Class of Service

The [edit firewall hierarchical-policer] stanza documented in Chapter 21, "Configuring CoS on Enhanced IQ PICs," of the CoS Configuration Guide is new to JUNOS Release 9.5. [Class of Service]

Layer 2 Ethernet Services

Change in dhcp command (MX-series)—The output format of the show dhcp relay bindings detail command has changed from a tabular display to a line-by-line display. In addition, a new field, interface-name, was added to the output of this command. The interface-name field provides the MAC address of a client that is part of a DHCP relay/DHCP snooping configuration. [Command Reference: Protocols and Policies]

High Availability

New priority hold time—With the priority-hold-time statement at the [edit protocols vrrp] hierarchy level, you can configure asymmetric behavior for VRRP routers. When a primary router loses a route, the standby router becomes the primary router. After the formerly primary router (now the standby router) receives the route again, it must wait for the configured time before declaring itself the primary router again. [High Availability]

Multicast

PIM restriction with nonforwarding instances—You cannot configure PIM within a nonforwarding instance. If you try to do so, the router displays a commit check error and does not complete the configuration commit process. [Multicast]

MPLS Applications

Hello and hold time intervals for LDP targeted hellos—You can now configure hello and hold time intervals for LDP targeted hellos. To configure the targeted hello interval, include the hello-interval seconds statement at the [edit protocols ldp targeted-hello] hierarchy level. To configure the targeted hello hold time interval, include the hold-time seconds statement at the [edit protocols ldp targeted-hello] hierarchy level. For both statements, you can configure an interval of 1 through 65,535 seconds. [MPLS Applications]

IGP LDP synchronization holddown interval—You can now configure the time LDP waits before informing the IGP that the LDP neighbor and session for an interface are operational. For large networks with numerous FECs, it might be necessary to configure a longer value to allow enough time for the LDP label databases to be exchanged for the session. Specify the time in seconds by configuring the holddown-interval statement at the [edit protocols ldp igp-synchronization] hierarchy level. You can configure a value of 10 through 60 seconds. The default value is 10 seconds. [MPLS]

Routing Protocols

Bandwidth-based metric values for OSPF interfaces—Enables you to specify a set of bandwidth threshold values and associated metric values for an OSPF interface or for a topology on an OSPF interface. When the bandwidth of an interface changes, the JUNOS software automatically sets the interface metric to the value associated with the appropriate bandwidth threshold value. The JUNOS software uses the smallest configured bandwidth threshold value that is equal to or higher than the actual interface bandwidth to determine the metric value. If the interface bandwidth is higher than any of the configured bandwidth threshold values, the metric value configured for the interface is used instead of any of the bandwidth-based metric values configured. The ability to recalculate the metric for an interface when its bandwidth changes is especially useful for aggregated interfaces.

To configure bandwidth-based metric values, include the bandwidth-based-metrics bandwidth value metric value statements at the [edit protocols (ospf | ospf3) area area-id interface interface-name], [edit protocols ospf3 realm (ipv4-multicast | ipv4-unicast | ipv6-multicast) area area-id interface interface-name], or [edit protocols ospf area area-id interface interface-name topology topology-name] hierarchy level.

You must also configure the metric number statement at the same hierarchy level, that is, at [edit protocols (ospf | ospf3) area area-id interface interface-name], [edit protocols ospf3 realm (ipv4-multicast | ipv4-unicast | ipv6-multicast) area area-id interface interface-name], or [edit protocols ospf area area-id interface interface-name topology topology-name].

When configuring bandwidth-based metrics, you would typically configure multiple bandwidth and metric values as in the example below:

[edit protocols]
ospf {
    area 0.0.0.0 {
        interface ae0.0 {
            metric 5;
            bandwidth-based-metrics {
                bandwidth 1g metric 80;
                bandwidth 2g metric 70;
                bandwidth 3g metric 60;
                bandwidth 4g metric 50;
                bandwidth 5g metric 40;
                bandwidth 6g metric 30;
                bandwidth 7g metric 20;
                bandwidth 8g metric 10;
            }
        }
    }
}

With this configuration, an ae0 bundle whose current bandwidth is 2.5 Gbps falls under the 3g threshold and is advertised with metric 60; when the bundle runs above 8 Gbps, no threshold applies and the interface metric of 5 is used.

In addition, the show ospf interface detail command has been enhanced so that the output for the Cost field displays the metric calculated when it is based on the bandwidth-based metric configuration. [Routing Protocols, Routing Protocols and Policies Command Reference]

Enhancement to show (ospf | ospf3) database advertising-router and clear (ospf | ospf3) database advertising-router commands—You can now use the self option with the show (ospf | ospf3) database advertising-router command to display link-state advertisements (LSAs) generated by the router. You can also use the self option to discard entries for the LSAs advertised by the router by issuing the clear (ospf | ospf3) database advertising-router self purge command. Previously, you had to specify the router identifier of the router to display or discard self-generated LSAs. [Routing Protocols CR]

Limit Bidirectional Forwarding Detection Protocol sessions for OSPF to neighbors in the full state—Enables you to configure the Bidirectional Forwarding Detection (BFD) Protocol to establish BFD sessions only for OSPF neighbors in the full state. By default, BFD sessions are established for all OSPF neighbors. Include the full-neighbors-only statement at the [edit protocols (ospf | ospf3) area area-id interface interface-name bfd-liveness-detection] or the [edit protocols ospf3 realm (ipv4-multicast | ipv4-unicast | ipv6-multicast) area area-id interface interface-name bfd-liveness-detection] hierarchy level. Logical systems and routing instances are also supported. [Routing Protocols]

Enhancement to show bfd session extensive command—The output of the show bfd session extensive command displays the TTL value only when the minimum-receive-ttl number statement for Bidirectional Forwarding Detection (BFD) is configured. The minimum-receive-ttl statement is configured only for BFD sessions over multihop static routes. If this statement is not configured, the TTL value is no longer displayed. The Multi-hop field continues to be displayed in all cases. [Routing Protocols CR]

Routing Policy and Firewall Filters

IPv6 support for the Ethernet type match condition for VPLS and Layer 2 bridging firewall filters—You can now specify ipv6 as a value for the ether-type statement at the [edit firewall family vpls filter filter-name term term-name from] or [edit firewall family bridge filter filter-name term term-name from] hierarchy level.

Deprecated statements for VPLS and Layer 2 bridging firewall filters—For VPLS and Layer 2 bridging firewall filters, the vlan variable for the vlan-ether-type and ether-type match conditions has been deprecated. You can no longer configure vlan as a value at the [edit firewall family vpls filter filter-name term term-name from vlan-ether-type], [edit firewall family vpls filter filter-name term term-name from ether-type], [edit firewall family bridge filter filter-name term term-name from vlan-ether-type], and [edit firewall family bridge filter filter-name term term-name from ether-type] hierarchy levels.

NOTE: Only the MX-series routers support the family bridge statement.

[Policy, Layer 2]


Enhancement to the show firewall command—The show firewall command now supports a terse option that displays only the names of firewall filters and no other information about the filters configured on your system. Use the show firewall terse command to verify that all the correct filters are installed. [Routing Protocols and Policies CR]

Platform and Infrastructure

On the M7i Multiservice Edge Router and M10i Multiservice Edge Router platforms, the Enhanced Compact Forwarding Engine Board (CFEB-E) introduced in release 9.4 supports the 4-port Gigabit Ethernet Enhanced IQ2 (IQ2E) PIC with SFP, model number PE-4GE-TYPE1-SFP-IQ2E.

Increase in limit to external paths accepted for BGP route target filtering—You can now specify for BGP to accept up to 256 external paths for route target filtering. Previously, the maximum number that you could configure was 16. The default value remains one. To specify the maximum number of external paths for BGP to accept for route target filtering, include the external-paths number statement at the [edit protocols bgp family route-target] hierarchy level. This statement is also supported for BGP groups and neighbors. [Routing Protocols]

Services

The show services l2tp radius commands now display when a server belongs to a profile that is the same for statistics.

Subscriber Access

Enabling and disabling DHCP snooping support—You can now explicitly enable or disable DHCP snooping support on the router. If you disable DHCP snooping support, the router drops snooped DHCP discover and request messages.

To enable DHCP snooping support, include the allow-snooped-clients statement at the [edit forwarding-options dhcp-relay overrides] hierarchy level. To disable DHCP snooping support, include the no-allow-snooped-clients statement at the [edit forwarding-options dhcp-relay overrides] hierarchy level. Both statements are also supported at the named group level and per-interface level.

In JUNOS releases 10.0 and earlier, DHCP snooping is enabled by default. In releases 10.1 and later, DHCP snooping is disabled by default.

[Subscriber Access]

User Interface and Configuration

Option added to the file-copy operational request tag element—The source-address option has been added to the file-copy operational request tag element. A JUNOScript client application can use it to request information from a routing platform about the local address used in originating a connection for file copy. [JUNOS XML API Operational Reference]

LSP ping interval—You can now specify the time interval for LSP ping messages when OAM is also configured. To specify the LSP ping interval time, include the lsp-ping-interval statement at the [edit protocols ldp oam] hierarchy level for LDP-signaled LSPs and at the [edit protocols mpls oam] hierarchy level for RSVP LSPs. [MPLS, System Basics Command Reference]

The maximum number of aggregated Ethernet interfaces (LAG bundles) is 480 on all MX-series routers. [Network Interfaces, Layer 2 Configuration Guide]

Configuration statements for disabling the reporting of ping record route and timestamp—Two new statements, no-ping-record-route and no-ping-time-stamp, have been introduced at the [edit system] hierarchy level. Include the no-ping-record-route statement to prevent the Routing Engine from recording and displaying the route of the ping request packet in the response. Include the no-ping-time-stamp statement to prevent the Routing Engine from recording and displaying the timestamp in the ping response. Both statements govern how the Routing Engine answers ICMP echo requests that carry the IP record-route or timestamp option; with them configured, the router no longer fills in its own address and timestamp, so you can prevent unauthorized users from discovering information about the PE router and its loopback address. [System Basics]

Limitations to loopback configurations on 10-port Channelized E1/T1 IQE PICs—While configuring loopback on a 10-port Channelized E1/T1 IQE PIC, it is possible to simultaneously configure local/remote loopback at the CT1 partition and payload loopback at the T1 partition. Such a configuration results in unpredictable PIC behavior and should not be used. [Network Interfaces]

Related Topics

New Features in JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms on page 6

Issues in JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms on page 45

Errata and Changes in Documentation for JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms on page 75

Upgrade and Downgrade Instructions for JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms on page 80

Issues in JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms

The current software release is Release 9.5R4. For information about obtaining the software packages, see "Upgrade and Downgrade Instructions for JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms" on page 80.

Current Software Release on page 45

Previous Releases on page 60

Current Software Release

Outstanding Issues

Class of Service

If you try to configure a scheduler map containing two forwarding classes that are mapped to the same queue, the class-of-service scheduler is not applied to the Packet Forwarding Engine. As a workaround, configure a single forwarding class for each available queue. [PR/57907]

On the MX960, bandwidth sharing across high priority and strict-high priority schedulers might not be as expected. This issue occurs when the schedulers are configured on logical interfaces. [PR/265603]

On M-series routers (except M120 and M320), packet classification does not work on aggregated Ethernet bundles that have LACP enabled. [PR/492057]

Forwarding and Sampling

On M320 and T-series routers, when you configure interface output sampling, packets might travel through the output firewall. As a workaround, configure a firewall filter on the output interface with then sample and then next-term statements. The workaround provides the same functionality as the other configuration, but avoids the problem behavior. [PR/70473]

On T-series routers, if an ingress firewall filter is configured to drop all incoming multicast packets, the discarded multicast packets are incorrectly sent to the Routing Engine. This causes high CPU utilization (50 percent) on the FPC. [PR/239268]

The output firewall filter counter doesn’t count packets when a firewall is configured on the discard interface of an M120 router. [PR/404645]

When you configure a routing instance in a firewall filter on the MX480, the router might display the warning "Warning: statement ignored: unsupported platform." [PR/421765]

Under rare circumstances, if the filter is changed while a counter query is in progress and the system is under heavy load, the system may crash. [PR/447033]

Using the ipv4-template to collect flow monitoring version 9 statistics on ingress

L3VPN PE devices results in BGP IP next–hop address not being included in the report. [PR/467403]

On rare occasions, the firewall compiler can discard a prefix configured for accept. This issue depends on the set of prefixes configured for matching across the various terms. [PR/486633]

The blocked-hosts-src term being used before the anti-spoof term in a firewall filter can cause incorrect firewall filter evaluation. [PR/493356]


High Availability

The primary Routing Engine might lose CM/CP information if it loses connectivity with the redundant Routing Engine (for example, through disabling GRES or halting or rebooting the redundant Routing Engine). This can cause a small packet drop on multicast traffic upon a multicast distribution tree change. [PR/278882]

When a static route created using the passive retain option is pointing to a private interface such as fxp0, the backup router during a GRES might not behave as expected. As a workaround, do not use the passive retain option to create a static route to a private interface. [PR/412746]

When a Routing Engine switchover occurs at the same time that FRUs are reconnecting to the Routing Engine, kernel panic may occur. [PR/419966]

On a TX Matrix router that has aggregated SONET (AS) or container interfaces (CI) configured, the AS does not come up after an ISSU. All traffic passing through the AS is lost after the ISSU. As a workaround, restart the interface or deactivate and then activate the AS/CI after the ISSU. [PR/446984]

Interfaces and Chassis

On aggregated SONET/SDH interfaces, the counter for drops and errors in the show interfaces command output does not display the correct value, because the counter does not collect data from the constituent interfaces within the aggregate. [PR/23577]

On a 2-port OC12 ATM2 IQ interface, the total virtual path (VP) downtime might not display correctly in the show interfaces command output. [PR/27128]

On M20 and M40 routers, when a physical layer problem affects a SONET/SDH interface, carrier transition statistics might not increment correctly in the output of the show interfaces extensive command. [PR/33325]

When you configure both the bundle link and constituent links at the [edit (logical-routers logical-router-name | logical-systems logical-system-name) interfaces] hierarchy level, the constituent links do not come up. As a workaround, configure the constituent links at the [edit interfaces] hierarchy level. [PR/35578]

On the Channelized STM-1 with QPP PIC, error monitoring for CRC and frame errors might not work as expected. [PR/39440]

When you apply an IPsec firewall filter to match traffic sent across a generic routing encapsulation (GRE) tunnel and originating from the local routing platform, the local traffic is dropped. Transient traffic is not affected. [PR/44871]

If you configure IS-IS, MPLS, and graceful Routing Engine switchover (GRES) and a switchover event occurs, the routing platform might end the PPP IP Control Protocol (IPCP) sessions and renegotiate them if the remote side has changed interface MTU settings prior to the switchover event. [PR/61121]

If you configure graceful Routing Engine switchover and issue the request chassis routing-engine master acquire command, in rare cases the master Routing Engine might fail to relinquish mastership, or the switchover to the backup Routing Engine might take up to 360 seconds. [PR/61821]


For Automatic Protection Switching (APS) on SONET/SDH interfaces, there are no operational mode commands that display the presence of APS mode mismatches. An APS mode mismatch occurs when one side is configured to use bidirectional mode, and the other side is configured to use unidirectional mode. [PR/65800]

When the ATM scheduler map is configured, the code does not check whether the early packet discard (EPD) configured on the forwarding class exceeds the maximum EPD that the hardware supports. [PR/70336]

The output of the show interfaces diagnostics optics command includes the "Laser rx power low alarm" field even if the transceiver is a type (such as XENPAK) that does not support this alarm. [PR/103444]

Hot swapping the M120 router fan tray might cause the Check CB alarm to activate. [PR/268735]

On the JCS 1200, when you issue the clear -config -T switch[1] command using the management module, the switch module returns to its factory default setting instead of the Juniper Networks default setting. As a workaround, do not issue the command. [PR/274399]

When the ilmi statement is included at the [edit interfaces interface-name atm-options] hierarchy level and then a graceful Routing Engine switchover (GRES) or unified in-service software upgrade (ISSU) event occurs, the show ilmi command no longer returns any output even though ILMI is configured on the interface. [PR/282051]

On a router with Frame Relay multilink configured on an MS400 PIC or on a Channelized DS3 PIC, when the minimum links value for the Frame Relay interface is set to 8 and a link is deactivated from the configuration, the link remains up. [PR/285244]

On the Juniper Control System (JCS) platform, the control and management traffic for all Routing Engines share the same physical link on the same switch module. In rare cases, the physical link might become oversubscribed, causing the management connection to Protected System Domains (PSDs) to be dropped. [PR/293126]

On a Protected System Domain (PSD) configured with a large number of BGP peers and routes (for example, 5000 peers and a million routes), FPCs might restart during a graceful Routing Engine switchover. [PR/295464]

When two routers are connected via SONET/SDH interfaces that are configured as container interfaces and the Routing Engine on one router reboots, the container interfaces on the other router might go down and come up again. [PR/302757]

When forwarding-options is configured without route accounting, a commit will be successful but will display the following error message: "Could not retrieve the route-accounting." This message does not affect any functionality. [PR/312933]

On MX-series routers, MAC address accounting in the egress direction might not work if traffic is unidirectional and no traffic flows in the reverse direction for a duration longer than the aging interval. [PR/415146]

Under some conditions, if an interface flaps for an interval less than the configured hold-down time value, the interface might stop forwarding even though it appears as UP. As a workaround, monitor traffic on the interface, or disable and then enable the interface. [PR/423065]

When a backup Routing Engine is replaced after a graceful Routing Engine switchover (GRES), the device control process (dcd) generates a new link local address on non-MAC interfaces (such as SONET). [PR/429078]

When the show interfaces extensive command is used, some interfaces may not display the correct value for the Oversized Frames counter. [PR/437176]

When you configure the payload port-data statement at the [edit family mpls hash-key] hierarchy level on M120, MX, or M320 routers with E3 FPCs, the hashing algorithm might not take the port-data values into account. [PR/442223]

When configured for WAN-PHY framing, the ports on the 4-port 10-Gigabit Ethernet PIC always report zero for path level errors (BIP-B3) in the output of the show interfaces extensive command. [PR/447653]

The primary Routing Engine might fail to connect with the backup Routing Engine due to an autonegotiation issue with an em1 interface. [PR/461469]

Certain Gigabit Ethernet SFPs on MX-series routers may periodically show the wrong diagnostic information even though they are operating correctly. [PR/463837]

The APS process has been fixed to correctly handle SONET defects while it is in the middle of a switchover. [PR/466649]

On an M320 router, the Channelized OC12/STM4 Enhanced IQ PIC supports 2 ports (0 and 2) when configured for eight queues per port. [PR/475008]

In some cases during periodic error statistics monitoring, you might see error messages on adjacent streams. These messages are cosmetic and can be ignored. [PR/481344]

Under certain circumstances, the E3 IQ PIC might give incorrect CCV, CES, and CSES alarms. [PR/505921]

Layer 2 Ethernet Services

Multicast packets received on an AE interface that is part of an IRB will be counted twice, once for the bridged packet and a second time for the routed packet. [PR/461923]

When inserting a DPC into the chassis, the chassisd log might display an incorrect error message: "FPC X temperature is -60 degrees C, which is outside operating range." This message does not impact any functionality. [PR/470512]

MPLS Applications

The output of the show mpls lsp route command and the 'Active Route' counter in the show mpls lsp extensive command output are incorrect when per-packet load balancing is configured. [PR/22376]

If a cross-connected circuit (CCC) traverses a forwarding-adjacency label-switched path (LSP), traffic forwarding might be affected. [PR/60088]


When you modify the primary path for an MPLS LSP by using the delete protocols mpls label-switched-path lsp-path-name primary path-name command in configuration mode, followed by the set protocols mpls label-switched-path lsp-path-name primary path-name command, and then commit, the entire LSP (both primary and secondary) is torn down and then rebuilt from scratch. As a workaround, issue the delete protocols mpls label-switched-path lsp-path-name primary path-name command in configuration mode followed by the commit. Then issue the set protocols mpls label-switched-path lsp-path-name primary path-name command followed by the commit. [PR/62365]

When you enable per-packet load balancing on parallel label-switched paths (LSPs), the output of the show mpls lsp ingress command might display all the routes on only one of the LSPs even when traffic is evenly balanced across the LSPs. [PR/70487]

No p2mp LSPs are reported with the show mpls lsp p2mp command. As a workaround, enter the show mpls lsp command before you enter the show mpls lsp p2mp command. [PR/266343]

For point-to-multipoint LSPs configured for VPLS, the ping mpls command reports 100 percent packet loss even though the VPLS connection is active. [PR/287990]

P2MP LSP branches undergoing make-before-break perform double bandwidth reservation on the same link while rerouting. [PR/454692]

A race condition between MVPN and RSVP p2mp signaling can lead to the creation of stale flood next hops. [PR/491586]

Network Management

tcpdump might crash when receiving malformed IPv6 packets. This has no impact on actual traffic. [PR/399073]

After changes are made to the firewall filter and the counters are cleared and committed, SNMP sends the wrong value for 5 seconds. This creates a discrepancy between the CLI output and the SNMP get output. [PR/459583]

The SNMP MIB on jnxFWCounterDisplayName might miss certain policer counters of firewall filters applied with respect to IFL. [PR/485477]

Platform and Infrastructure

If a tunnel destination is in a VPN, with GRE encapsulation the traffic might get black-holed due to a lookup in the wrong forwarding table. [PR/45035]

On T-series platforms, a Layer 2 maximum transmission unit (MTU) check is not supported for MPLS packets exiting the routing platform. [PR/46238]

When you configure a source class usage (SCU) name with an integer (for example, 100) and use this source class as a firewall filter match condition, the class identifier might be misinterpreted as an integer, which might cause the filter to disregard the match. [PR/50247]

If you configure 11 or more logical interfaces in a single VPLS instance, VPLS statistics might not be reported correctly. [PR/65496]


When a large number of kernel system log messages are generated, the log information might become garbled and the severity level could change. This behavior has no operational impact. [PR/71427]

When a Link Services (LS) interface to a CE router appears in the VPN routing and forwarding table (VRF table) and fragmentation is required, Internet Control Message Protocol (ICMP) cannot be forwarded out of the LS interface from a remote PE router that is in the VRF table. As a workaround, include the vrf-table-label statement in the configuration. [PR/75361]

On T-series routing platforms, the commit operation succeeds when you include the no-labels statement at the [edit forwarding-options hash-key family mpls] hierarchy level, but MPLS labels are still included in the hash key. [PR/80334]

Traceroute does not work when ICMP tunneling is configured. [PR/94310]

When the configuration present in 'init.conf' includes values in a nonstandard order, the init parser returns a syntax error. [PR/94576]

If you ping a nonexistent IPv6 address that belongs to the same subnet as an existing point-to-point link, the packet loops between the two point-to-point interfaces until the time-to-live expires. [PR/94954]

On T-series and M320 routers, multicast traffic with the "do not fragment" bit set is being dropped due to a low MTU value. The router might stop forwarding all traffic transiting this interface if the clear pim join command is executed. [PR/95272]

A firewall filter that matches the forwarding class of incoming packets (that is, includes the forwarding-class statement at the [edit firewall filter filter-name term term-name from] hierarchy level) might incorrectly discard traffic destined for the Routing Engine. Transit traffic is handled correctly. [PR/97722]

The JUNOS software does not support dynamic ARP resolution on Ethernet interfaces that are designated for port mirroring. This causes the Packet Forwarding Engine to drop mirrored packets. As a workaround, configure the next-hop address as a static ARP entry by including the arp ip-address statement at the [edit interfaces interface-name] hierarchy level. [PR/237107]

Currently, the JUNOS software cannot establish an outbound serial connection through the AUX port. [PR/256818]

When Periodic Packet Management (PPM) delegation for Bidirectional Forwarding Detection (BFD) sessions is disabled (the delegate-processing statement is removed at the [edit routing-options ppm] hierarchy level), the BFD sessions might be terminated (because a "state is down" message is sent) and reestablished. [PR/280233]

When you perform an in-service software upgrade (ISSU) on a routing platform with an FPC3 or an Enhanced FPC3 with 256 MB of memory and the number of routes in the routing table exceeds 750,000, route loss might occur. If route loss occurs, as a workaround, perform either of the following tasks: (a) replace the FPC3 or Enhanced FPC3 with another FPC that has more memory, or (b) after the ISSU is complete, reboot only the FPC3 or Enhanced FPC3. [PR/282146]

For Routing Engines rated at 850 MHz (which appear as RE-850 in the output from the show chassis hardware command), messages like the following might be written to the system log when you insert a PC Card: "bad Vcc request" and "Device does not support APM." Despite the messages, operations that involve the PC Card work properly. [PR/293301]

On a Protected System Domain, an FPC might generate a core file and stop operating when a firewall policer with a large number of counters (for example, 20,000) is applied to a shared uplink interface and the FPC that houses the interface does not have a sufficiently powerful CPU. As a workaround, reduce the number of counters or install a more powerful FPC. [PR/311906]

When a CFEB failover occurs on an M10i or M7i router that has 4000 or more IFLs, the following messages will display:

IFRT: 'IFD ioctl' (opcode 10) failed ifd 153; does not exist
IFRT: 'IFD Ether autonegotiation config' (opcode 163) failed

The messages have no operational impact. When the backup CFEB becomes the active CFEB, the messages will not display. [PR/400774]

For tunnel PICs, the following message may display in /var/log/messages: "/kernel: if_tunnel_cookie_remove no callback!!!". This message is harmless and can be ignored. [PR/422715]

On M320, M120, T-series, and MX-series routers, a traceroute egressing an LSP configured for explicit-null and no-decrement-ttl or no-propagate-ttl might not show the transit IP hop router immediately after the LSP egress router. [PR/438735]

If the subinterface on an aggregate interface goes down, the GRE traffic egressing that interface might not use the backup subinterface. This will result in GRE traffic being dropped. [PR/454751]

An overloaded strict-high priority queue might result in loss of high-priority traffic. [PR/455152]

DHCP-related configurations (such as delete bootp server address) under some rare conditions might generate an FUD core. [PR/458132]

On T640 routers, an interface might report LSIF errors or cell mismatch errors after it receives an IPv6 packet that has an invalid payload. The interface still accepts traffic, but discards all outgoing packets. To recover, reboot the FPC on the T640 or TX-series router. If IPv6 packets with invalid payloads are still transmitted, the problem will recur. [PR/470219]

When an aggregated SONET interface is configured with cisco-hdlc encapsulation, a member link may not be marked link down if the remote end of the link is disabled. [PR/472677]

Payload corruption and packet drops might occur for packets bigger than 3000 bytes when MPLS over GRE is configured on a service PIC. [PR/478563]

If a duplicate IPv6 address has been configured, every ICMPv6 packet received (echo request, neighbor solicitation, or neighbor advertisement) triggers an mbuf leak. Such a duplicate address configuration might not be noticed on the VRRP backup router, which is not used for data forwarding. Correcting the configuration and deactivating and then activating the interface stops the mbuf leak. [PR/481071]

Statistics might be updated twice, which causes an inconsistency between ifd and ifl statistics. [PR/486200]

Swapping out eight FPCs and replacing them with different FPC types might cause the kernel to crash when the last FPC is powered on. [PR/502075]

Routing Protocols

When you configure damping globally and use the import policy to prevent damping for specific routes, and a new route is received from a peer with the local interface address as the next hop, the route is added to the routing table with default damping parameters, even though the import policy has a nondefault setting. As a result, damping settings do not change appropriately when the route attributes change. [PR/51975]

If a BGP group is created without any defined peers, a warning message no longer appears when the configuration is committed. [PR/63279]

When you issue the show ldp traffic-statistics command, the following system log message might be generated for all forwarding equivalence classes (FECs) with an ingress counter set to zero: "send rnhstats GET: error: ENOENT -- Item not found." [PR/67647]

If ICMP tunneling is enabled on the router and you configure a new logical system that does not have ICMP tunneling enabled, the feature is globally disabled. [PR/81884]

When the flow of multicast traffic changes because an OSPFv3 link goes down, the output from the show multicast statistics inet6 command reports incorrect values in the In kbytes and In packets fields for the new ingress interface. [PR/234969]

When you commit a new configuration for nonstop routing (NSR) on a primary Routing Engine that differs from the configuration for NSR that is already running on the backup Routing Engine, the routing protocol process stops functioning on the backup Routing Engine only. Traffic forwarding is not affected. [PR/254379]

RPD may restart if PIM is configured to run on unnumbered interfaces. [PR/295319]

On routers running OSPF and advertising an LSA for a DC-incapable neighbor, the RPD might crash when the LSA is purged. [PR/406276]

OSPF and IS-IS differ in how they handle the addition of a better internal or external route (smaller IGP metric) into the protocol internal routing table. IS-IS flushes all next-hop information (including LSP next hops) when learning a better prefix, despite equal cost LSP tunnels, whereas OSPF does not. However, this does not cause any issues with respect to load balancing. [PR/408702]

The "Keepalive timeout" counter for multicast sessions is not displayed after the PIM protocol is deactivated and activated. This is a cosmetic issue and there is no interruption to multicast traffic flow, even though the "Keepalive timeout" counter is not displayed after the PIM protocol is activated. [PR/419509]


Setting the advertise-high-metric option when using IS-IS overload also suppresses route leaking. [PR/419624]

In a router with VPNs configured, modifying or adding to the configuration could reset the 'age' of the secondary routes to 0. For example, secondary routes are BGP routes in the .inet.0 table that are learned from the remote PE routers through BGP and imported into this table. Although the age is reset, these routes are downloaded again to the PFEs and there is no impact on traffic forwarding. [PR/447802]

The rpd sporadically dumps the core due to a soft assertion failure. [PR/451021]

All local generated type 5 LSAs will be purged and regenerated when an NSSA area is deleted from an ABR. [PR/457579]

The RPD might crash, which causes BGP sessions to flap. [PR/465624]

When an FPC reboots or an interface is temporarily deactivated, two RPD_PIM_NBRDOWN messages are logged for every PIM neighbor affected; however, only one RPD_PIM_NBRUP message is logged when the service is restored. This might lead to inconsistencies in management software. [PR/472873]

When PIM is configured on an interface, it might not process an interface mismatch. This causes MVPN c-multicast traffic to be duplicated. As a workaround, configure PIM under the main instance. [PR/481476]

When PIM is configured on an interface, the router can send the first PIM hello shortly before the interface comes up. This causes the router to drop the first outgoing PIM hello message. [PR/482903]

During transient periods where both the secondary and primary LSPs exist in the route table and the number of LSP next hops is greater than 16 in a multigateway scenario, IS-IS is unaware of the preference. Because of this, it might remove the preferred LSP next hop. [PR/485748]

Services Applications

The show services accounting flow-detail extensive command sometimes displays incorrect information about input and output interfaces. [PR/40446]

On Adaptive Services PICs configured for IPsec tunnel redundancy, if there are a large number of tunnels, sometimes a few of the tunnels might switch over to the backup tunnel. [PR/46733]

When a routing platform is configured for graceful Routing Engine switchover and Adaptive Services (AS) PIC redundancy, and a switchover to the backup Routing Engine occurs, the redundant services interface (rsp) always activates the primary services interface (sp-), even if the secondary interface was active before the switchover. [PR/59070]

For Adaptive Services II PICs, even if you do not configure flow collector services, a temporary file might be created every 15 minutes in the /var/log/flowc/ directory. The file is deleted if there are no clients, and re-created only when a client connects and attempts to write to the file. [PR/75515]

When the PGCP configuration contains values for RTCP traffic management for sustained-data-rate or peak-data-rate (at the [edit pgcp gateway gateway-name h248-properties traffic-management sustained-data-rate rtcp] hierarchy level), SIP calls may fail with error code 500 (Internal Server Error). The default values of the RTCP SDR and PDR are 5% of RTP's SDR and PDR. If the configuration overrides these values and sets RTCP's SDR to be higher than the PDR, media gates for calls will not be created, and the call is rejected with error code 500. [PR/400618]

When you configure L2TP with link fragmentation and interleaving (LFI), the MultiServices PIC drops a significant number of MLPPP fragments. [PR/401247]

With an E-CFEB on M7i and M10i routers, when a firewall filter is configured with a sampling action and then applied to the interface, all the packets received on the PIC are corrupt and packets are dropped. [PR/408802]

When you configure overload control for the BGF, you must set the reject-new-calls-threshold to a value greater than the queue-limit-percentage, and you must set the reject-all-commands-threshold to a value greater than the reject-new-calls-threshold. If you do not set these values correctly, the software resets the values so that they conform to these rules. To view the actual values enforced by the system, use the show pgcp active-configuration command. [PR/415614]

On a services interface, the mlppp reassembly logic will not do a strict out-of-order check. In a multi-CPU packet handling environment, packets could be processed before the first packet. [PR/430296]

The clear services stateful-firewall flows command can cause the MSDPC to fail. This command should be avoided. There is no workaround. [PR/472386]

A static route pointing to destination is incorrectly added for source NAT when a next-hop style service set is used. [PR/476165]

The show services nat pool pool-name command does not work. [PR/493820]

When you configure different autonomous-system-types (origin and peer) toward two v5 servers, the router incorrectly counts the origin as the autonomous system type for both flow servers. [PR/496954]

Subscriber Access Management

RADIUS subscribers with framed-protocol attributes on the server will fail to authenticate. [PR/424323]

WiMAX testing with SBR must be done with transposable IP for HA. Otherwise, FA-HA authentication will fail with return code 132. [PR/431969]

When the Acct-Interim-Interval attribute is sent from RADIUS and the value is set to 600 seconds, the MX-series router starts sending duplicate records every 2 seconds instead of every 600 seconds. [PR/448456]

The router always uses the revert-interval value that is configured at the [edit access] hierarchy level, and ignores any revert-interval value configured at the [edit access profile] hierarchy level. If no value is configured, the router uses the default value of 600 seconds. [PR/454040]

RADIUS authentication must be configured in order to use RADIUS accounting. [PR/488627]


User Interface and Configuration

Setting allow-commands show interfaces $ will disable the use of the show interface command. [PR/55413]

The router will not give a warning if the same UID is configured for multiple users. [PR/55774]
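Two users sharing a UID lose per-user accountability: file ownership and process attribution on the Routing Engine resolve to the UID, not the login name. Because the router itself does not warn (PR/55774), the following script, an added example that is not part of the release notes or of JUNOS, checks a saved configuration offline. It parses the curly-brace output of show configuration system login as well as the set-style output of show configuration | display set; the sample configurations embedded below are constructed for the example and the hash is a placeholder.

```python
"""Flag duplicate UIDs in a JUNOS 'system login' configuration (added example)."""
import re
from collections import defaultdict

# Curly-brace format: "user NAME {" opens a block; "uid N;" appears inside it.
_USER_OPEN = re.compile(r'^\s*user\s+(\S+)\s*\{')
_UID_STMT = re.compile(r'^\s*uid\s+(\d+)\s*;')
# Set format: "set system login user NAME uid N"
_SET_UID = re.compile(r'^\s*set\s+system\s+login\s+user\s+(\S+)\s+uid\s+(\d+)\s*$')


def parse_login_uids(config_text):
    """Return {username: uid} for every user with an explicit uid statement."""
    uids = {}
    current_user = None
    depth_at_user = None
    depth = 0  # brace nesting depth, used to know when a user block ends
    for line in config_text.splitlines():
        m = _SET_UID.match(line)
        if m:
            uids[m.group(1)] = int(m.group(2))
            continue
        m = _USER_OPEN.match(line)
        if m:
            current_user = m.group(1)
            depth_at_user = depth
        if current_user is not None:
            m = _UID_STMT.match(line)
            if m:
                uids[current_user] = int(m.group(1))
        depth += line.count('{') - line.count('}')
        # Back at the depth where the user block opened: the block is closed.
        if current_user is not None and depth <= depth_at_user:
            current_user = None
    return uids


def find_duplicate_uids(uids):
    """Return {uid: [usernames]} for every UID assigned to more than one user."""
    by_uid = defaultdict(list)
    for user, uid in uids.items():
        by_uid[uid].append(user)
    return {uid: sorted(users) for uid, users in by_uid.items() if len(users) > 1}


# Constructed sample in 'show configuration system login' format.
SAMPLE_CONFIG = """\
system {
    login {
        user admin {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$1$EXAMPLE$notarealhash"; ## SECRET-DATA
            }
        }
        user ops {
            uid 2001;
            class operator;
        }
        user contractor {
            uid 2000;
            class read-only;
        }
    }
}
"""

# Constructed sample in 'show configuration | display set' format.
SAMPLE_SET_CONFIG = """\
set system login user admin uid 2000
set system login user admin class super-user
set system login user backup uid 2000
set system login user backup class operator
"""

if __name__ == '__main__':
    for text in (SAMPLE_CONFIG, SAMPLE_SET_CONFIG):
        for uid, users in sorted(find_duplicate_uids(parse_login_uids(text)).items()):
            print(f"UID {uid} shared by: {', '.join(users)}")
```

Run it against the output of show configuration system login saved from the router (or piped in over SSH) before committing new user accounts; a non-empty result from find_duplicate_uids is the warning the router does not give you.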

The router will allow without warning the deletion of configuration groups with the allow-configuration and deny-configuration statements. [PR/59187]

Performance is considerably slower for users whose permissions are controlled by Juniper-Allow-Commands and/or Juniper-Deny-Commands expressions and who have complex regular expressions configured under these same attributes. To help avoid this problem, define the expressions in the allow-configuration and deny-configuration statements in a restrictive manner. [PR/63248]

When the get-configuration or load-configuration commands are run via JUNOScript, these events are not recorded in the syslog. [PR/64544]

On M20 routers, after a Routing Engine mastership switchover, it might not be possible to enter CLI configuration mode on the new master Routing Engine. Also, the request system reboot and request system halt commands do not clearly fail but do not return the CLI prompt either. [PR/64899]

JUNOScript does not support the configuration-text statement. [PR/82004]

The logical system administrator can modify and delete master administrator-only configurations by performing local operations such as issuing the load override, load replace, and load update commands. [PR/238991]

The "replace:" tag is missing from the output when entering the save terminal command from inside a configuration object. [PR/269736]

The primary Routing Engine validates the configuration. During commit synchronize, the backup Routing Engine will not validate the configuration as it was already validated by primary Routing Engine. [PR/282896]

A user belonging to a login class with limited rights to modify a specific firewall filter cannot use the insert command to reorder firewall terms. [PR/310872]

Users with superuser privileges will sometimes have their access restricted to view permission only when they log in through TACACS. [PR/388053]

Double logging does not occur during load update and commit (load update occurs on the backup Routing Engine). [PR/395716]

On the TX Matrix routing platform, automatic rollback might not work as expected on the backup Routing Engine. [PR/425617]

Using the filter config-text in the get-config command results in a syntax error and the router configuration cannot be returned in ASCII format. [PR/430799]

Help page information is not available for the Monitor->Alarms page. [PR/437377]

Core files cannot be deleted when logged in with superuser access privileges unless the Routing Engine name is included in the path. Core files can, however, be deleted when logged in as root without specifying the Routing Engine name. [PR/469168]

When commit scripts are used and the configuration contains a policy that uses an apply-group with a then action of "then community + EXPORT", the commit fails. [PR/501876]

The load replace command does not consider the allow-configuration configuration.

VPNs

When you modify the frame-relay-tcc statement at the [edit interfaces interface-name unit logical-unit-number] hierarchy level of a Layer 2 VPN, the connection for the second logical interface might not come up. As a workaround, restart the chassis process (chassisd) or reboot the router. [PR/32763]

Traffic might not flow when an ATM interface is used as the access circuit on an M120 router. [PR/255160]

For a VRF instance configured for PIM, MVPN, and provider tunnels (the pim and mvpn statements are included at the [edit routing-instances vpn-name protocols] hierarchy level and the provider-tunnel statement is included at the [edit routing-instances vpn-name] hierarchy level), when PIM is deactivated and reactivated, it fails to install type-5 (source-active) routes in the instance-name.mvpn.0 routing table. This issue arises only when remote C-multicast joins are configured on the ingress PE router (as displayed by the show mvpn c-multicast command). [PR/306983]

When you configure inter-AS VPLS with MAC processing at the autonomous system (AS) boundary router along with multihoming, and if a designated forwarding AS boundary router fails and then comes back up again, traffic flowing to the local AS from the other AS's boundary router might be lost. The loss occurs in the time period (tenths of a second) during which the old designated forwarding AS boundary router is taking back the role of designated forwarder. [PR/312730]

Under certain circumstances, if BGP is configured as the PE router to CE router protocol in a Layer 3 VPN routing instance, renaming the routing instance can cause the PE router to CE router session to stay down. [PR/399275]

In Layer 2 CCC scenarios where the packet size is less than 64 bytes, the packets may be erroneously padded when forwarded through an Ethernet uplink. As a result, the packet sizes arriving at the remote end will not correspond to the originally sent packet sizes. [PR/420037]

On a BGP Layer 3 VPN PE router with a combination of (1) label-per-next-hop in the VRFs, (2) configuration of the same IP addresses in different VRFs, and (3) a need for indirect next hops within the VRFs, label routes with an indirect next hop might be created incorrectly in the master instance table mpls.0. [PR/436404]

On MX-series routers, M120 routers, and EIII FPCs on M320 routers, ISO/Connectionless Network Service (CLNS) packets over a translational cross-connect (TCC) are dropped in the case of Frame Relay, even though family tcc has been configured to switch family iso on the Frame Relay interface. [PR/462052]

When different prefixes covering the same source are advertised by different PE routers, an egress PE router cannot pick the less specific prefix for RPF when the PE advertising the more specific prefix loses its route to the source. [PR/493835]


Resolved Issues in JUNOS Release 9.5 for M-series, MX-series, and T-series Routers

Class of Service

When you configure a specific classifier for a logical unit, it does not override the fixed classifier configured using wildcards. [PR/68888]

Interfaces and Chassis

If you ping a nonexistent IPv6 address that belongs to the same subnet as an existing point-to-point link, the packet loops between the two point-to-point interfaces until the time-to-live expires. [PR/94954]

The bandwidth configured on any logical interface (IFL) must be less than or equal to the speed of its physical interface (IFD). This fix addresses the issue only on Ethernet devices. If bandwidth is not configured on the IFL, it is set to the speed of the IFD. [PR/426469]

On an MX960 with a significant number of DPCs (more than 8), even if they are unconfigured, the output of the show interfaces extensive command can be very slow if SCU/DCU is configured for some units. [PR/449034]

Layer 2 Ethernet Services

The show dhcp binding interface interface-name command does not work properly when an MX-series router is configured as a DHCP server.

MPLS Applications

If you configure a label-switched path (LSP) with the no-cspf statement at the [edit protocols mpls] hierarchy level, the LSP might cycle up and down several times before stabilizing. [PR/10415]

On M-series routers, if you disable and then enable IPv6 on an interface, routing on that interface will no longer work. [PR/459781]

Platforms and Infrastructure

On a Monitoring Services III PIC configured as a dynamic flow capture (DFC) interface (dfc-fpc/pic/port), when you configure the DFC interface as the next hop in a forwarding path, port-mirrored packets might become corrupted. [PR/60799]

On M320 and T-series routing platforms, a process monitors FPCs while they transition to an online state. If an FPC is busy and cannot complete the transition within the time limit, the process might time out and prevent the FPC from coming online. [PR/72364]

On the Routing Engine on the line-card chassis of the TX Matrix router, sometimes the reboot will fail due to an incorrect ntp query. [PR/450217]


If you configure a lot of VRF prefixes with the l3vpn-composite-nexthop statement and a lot of link flaps occur, the jtree might become corrupted. This corruption triggers traffic black-holing. Other symptoms include the router sending VPN MPLS traffic with stale MPLS label information or running out of Layer 2 descriptors after many flaps. [PR/468584]

An FPC might stop forwarding traffic when an aggregated interface flaps and the router uses per-prefix load balancing (the default) for some prefixes. For this issue to occur the aggregated interface must flap; the most likely scenario is an aggregated interface configured with a single member link that flaps while per-prefix load balancing is in use. To avoid the issue, apply a load-balance per-packet policy to all prefixes (per-flow load balancing), prevent aggregated interfaces from flapping (an aggregated interface with a single member link is the most likely to flap), or both. [PR/477326]
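The workaround above as a configuration, added here as an illustration; it is not taken from the release notes. The policy name lb-per-packet, the interface names, and the addresses are assumptions; the statements themselves are the standard JUNOS way of exporting a per-packet load-balancing policy to the forwarding table, shown alongside a two-member aggregated Ethernet bundle so that the loss of one link does not flap the whole aggregate.

```junos
/* Added example, not from the release notes. Names and addresses are
   assumed placeholders. */

/* 1. Per-flow balancing for every prefix. Despite the keyword, the
      load-balance per-packet action hashes per flow on these platforms,
      which replaces the default per-prefix selection that this entry
      says can leave an FPC stuck after an aggregate flap. */
policy-options {
    policy-statement lb-per-packet {
        then {
            load-balance per-packet;
        }
    }
}
routing-options {
    forwarding-table {
        export lb-per-packet;
    }
}

/* 2. Avoid single-link aggregates: give ae0 two member links so a
      single member going down does not bring the aggregate down. */
chassis {
    aggregated-devices {
        ethernet {
            device-count 1;
        }
    }
}
interfaces {
    ge-0/0/0 {
        gigether-options {
            802.3ad ae0;
        }
    }
    ge-0/0/1 {
        gigether-options {
            802.3ad ae0;
        }
    }
    ae0 {
        aggregated-ether-options {
            lacp {
                active;
            }
        }
        unit 0 {
            family inet {
                address 192.0.2.1/30;
            }
        }
    }
}
```

After the commit, show route forwarding-table destination prefix lists a unilist (ulst) next hop for prefixes that have several equal-cost paths, which confirms that the forwarding table is balancing them rather than pinning each prefix to one path; show interfaces ae0 terse shows the bundle still up while one member is down.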

Routing Protocols

The CLI allows you to commit a configuration that specifies a value higher than 32 for the metric statement at the [edit protocols dvmrp interface all] hierarchy level; however, values higher than 32 are invalid. [PR/33429]

If a router receives a Pragmatic General Multicast (PGM) Source Path Message (SPM), it does not create a forwarding cache, nor does it forward the message to other routers as a heartbeat, as specified in RFC 3208. Also, the router's multicast cache might time out if it does not receive actual PGM data (ODATA) for more than 6 minutes. As a workaround, configure the PGM source application to send PGM ODATA at least once every 6 minutes. The ODATA acts as the heartbeat message in lieu of the SPM messages and ensures that the multicast and forwarding caches are created and updated. [PR/37504]

When you configure the l3vpn-composite-nexthop statement at the [edit routing-options] hierarchy level and issue the commit command, the BGP session is immediately restarted. [PR/292173]

When the state for an IGMP group is exclude and the source list is non-empty, the traffic for the excluded sources is still received and forwarded. [PR/422190]

The router might crash if a nonexistent table is referenced when using the rib-groups statement. [PR/467332]

If a reject route is present for the address of a Multicast Source Discovery Protocol (MSDP) SA originator, the routing protocol process (rpd) might crash. [PR/469142]

When a dampened route is restored, the accepted counter for the peer in the show bgp summary command output is not shown. [PR/473567]

Sometimes the closing tag for route-family is missing in the output of the show multicast route extensive | display xml command.

Services Applications

Application layer gateways (ALGs) might cause memory corruption when certain flows in the session are closed ahead of the main initiator flow. [PR/475436]


When a standard application is specified at the [edit security idp idp-policy policy-name rulebase-ips rule rule-name match application] hierarchy level, IDP does not detect the attack on a nonstandard port (for example, junos:ftp on port 85). Whether the application is custom or predefined does not matter: IDP looks only at the protocol and port in the application definition, and only when traffic matches that protocol and port does IDP try to match the attached attack. [PR/477747]
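Because IDP takes the protocol and port from the application definition, the practical consequence of the behavior described above is that FTP on port 85 has to be declared as its own application. The following configuration is an added illustration of that, not text from the release notes; the application, policy, rule and attack-group names are assumed placeholders (the group name "FTP - All" in particular stands in for whichever predefined attack group you actually attach), and the security idp hierarchy it uses is the SRX-style IDP configuration the entry refers to.

```junos
/* Added example, not from the release notes. All names below are
   assumed placeholders. */
applications {
    /* Custom application: FTP control traffic on nonstandard port 85.
       IDP matches on protocol and destination port taken from this
       definition, so a rule that matches only junos:ftp (TCP port 21)
       never inspects port-85 flows at all. */
    application ftp-port-85 {
        protocol tcp;
        destination-port 85;
    }
}
security {
    idp {
        idp-policy ftp-alt-port {
            rulebase-ips {
                rule ftp-alt-port {
                    match {
                        /* Match the custom application, not junos:ftp. */
                        application ftp-port-85;
                        attacks {
                            /* Placeholder group name; substitute the
                               FTP attack group you want applied. */
                            predefined-attack-groups "FTP - All";
                        }
                    }
                    then {
                        action {
                            drop-connection;
                        }
                    }
                }
            }
        }
        active-policy ftp-alt-port;
    }
}
```

Traffic still has to be steered into IDP by a security policy with application-services idp; once that is in place, port-85 FTP sessions are inspected against the attached attacks instead of being ignored because the port did not match the standard application's port.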

Subscriber Access Management

When dynamic IP address assignment is configured, if there is only one address left in the address allocation pool and an attempt to authenticate with a service fails (because, for example, the authentication request specifies an invalid service name), a subsequent authentication attempt for the service also fails. The following messages might appear in the log for the authentication process (authd): "assigned address address in use, trying next available" and "Unable to assign an address." [PR/305516]

User Interface and Configuration

The message from jcs:syslog() is visible after the rest of the system log. [PR/449778]

The J-Web interface does not display the USB option under Maintain->Reboot->Reboot from Media. [PR/464774]

Previous Releases

Resolved Issues for JUNOS Release 9.5R3

Class of Service

In the cosd logs for JUNOS Release 9.4R1, "entries" is misspelled as "enteries." [PR/439993]

When an Intelligent Queuing PIC is taken offline and back online again, the chassis scheduler map might change to [95,0,0,5]. As a workaround, deactivate the chassis scheduler map before taking the PIC offline and then activate the chassis scheduler map after the PIC comes online. [PR/444543]

When a classifier is applied on a services PIC logical interface, a commit warning is issued stating that the classifier is not supported on this interface. [PR/448913]


Forwarding and Sampling

On M320 and T-series routing platforms, when you configure interface output sampling, packets sometimes might travel through the output firewall filter. As a workaround, configure a firewall filter on the output interface with the then sample and next term statements. The workaround provides the same functionality as the other configuration, but avoids the problem behavior. [PR/70473]
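The workaround as a configuration, added here as an illustration and not taken from the release notes. The filter, term, and interface names and the address are assumed, and an existing sampling configuration under [edit forwarding-options sampling] (sampling rate and flow collector) is assumed to be in place. The point of the filter is that then sample together with next term samples the packet and then falls through, so the later terms still decide whether it is accepted or discarded.

```junos
/* Added example, not from the release notes. Names and addresses are
   assumed placeholders; [edit forwarding-options sampling] is assumed
   to be configured already. */
firewall {
    family inet {
        filter sample-egress {
            /* Term 1: sample every packet, then keep evaluating. Without
               "next term" the packet would be accepted here and the
               remaining terms would never see it. */
            term sample-all {
                then {
                    sample;
                    next term;
                }
            }
            /* Term 2 onward: the normal egress policy. Here everything
               is accepted; real deployments put their drop terms here. */
            term allow-rest {
                then accept;
            }
        }
    }
}
interfaces {
    so-1/0/0 {
        unit 0 {
            family inet {
                /* Replaces the interface-level
                   "sampling { output; }" statement that triggers the
                   problem behavior described in this entry. */
                filter {
                    output sample-egress;
                }
                address 192.0.2.1/30;
            }
        }
    }
}
```

With this in place, show firewall filter sample-egress shows the term counters (if you add counters to the terms), and the sampled flows arrive at the configured collector exactly as they would with the sampling output statement on the interface.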

On T-series routers, if an ingress firewall filter is configured to drop all incoming multicast packets, the discarded multicast packets are sent to the Routing Engine incorrectly. This causes high CPU utilization (50%) on the FPC. [PR/239268]

When configuring a routing instance in a firewall filter, the router gives the warning message "Warning: statement ignored: unsupported platform." [PR/421765]

Upon changing policers on an aggregated Ethernet interface, the DPC might reboot. [PR/431635]

High Availability

When you issue the show chassis ethernet-switch statistics command on a routing platform with graceful Routing Engine switchover (GRES) enabled, the two Routing Engines might be unable to exchange information for about 2 seconds. [PR/233779]

Interfaces and Chassis

On the Channelized STM-1 with QPP PIC, error monitoring for CRC and frame errors might not work as expected. [PR/39440]

When you configure ILMI on an ATM interface (include the ilmi statement at the [edit interfaces interface-name atm-options] hierarchy level) and a graceful Routing Engine switchover (GRES) or unified in-service software upgrade (ISSU) event occurs, the show ilmi command no longer returns any output. [PR/282051]

On a router with Frame Relay multilink configured on a MultiServices 400 PIC or on a Channelized DS3 PIC, when the minimum links value for the Frame Relay interface is set to 8 and a link is deactivated from the configuration, the link remains up. [PR/285244]

The XML output is not correct when the VRRP track interface is configured. [PR/414734]

Under some conditions, if an interface flaps for an interval less than the hold down time value configured, an interface might stop forwarding even though it shows as being UP. As a workaround, enable traffic monitoring on the interface or enable and disable the interface. [PR/423065]

Upon changing policers on an aggregated Ethernet interface, the DPC might reboot. [PR/431635]

For some interfaces, when configured with the WAN-PHY framing mode, the monitor interface command might be missing some counters. [PR/435775]


Layer 2 Ethernet Services

When you configure graceful Routing Engine switchover (GRES) on MX-series routers, the Switch Interface Board (SIB) might not initialize if you reboot both Routing Engines simultaneously or reboot a router with only one Routing Engine installed. [PR/408359]

MPLS Applications

Too many ATM2 error interrupts might cause the FPC to panic. [PR/438073]

When you configure the payload port-data statement at the [edit family mpls hash-key] hierarchy level on M120, MX-series, or M320 platforms with E3 FPCs, the hashing algorithm might not take the port-data values into account. [PR/442223]

On M-series routers, BGP sessions flap when any configuration change (even an unrelated one) happens. As a workaround, make the difference between the configured MRRU and MTU greater than eight. [PR/442688]

If VRRP tracks a cloned route, the cloned route is always treated as down, because unicast cloned routes are not added to the routing table. [PR/446408]

When you modify the primary path for an MPLS LSP by using the delete protocols mpls label-switched-path lsp-path-name primary path-name command in configuration mode, followed by the set protocols mpls label-switched-path lsp-path-name primary path-name command, and then issue the commit command, the entire LSP (both primary and secondary) is torn down and then rebuilt from scratch. As a workaround, issue the delete protocols mpls label-switched-path lsp-path-name primary path-name command in configuration mode followed by the commit command. Then issue the set protocols mpls label-switched-path lsp-path-name primary path-name command followed by the commit command. [PR/62365]
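The two-commit workaround as a configuration-mode session, added here as an illustration; it is not taken from the release notes. The LSP name to-pe2, the path names via-core-a, via-core-b and via-core-c, and the addresses are assumed, and the three paths are assumed to already exist under [edit protocols mpls path].

```junos
/* Added example, not from the release notes. Names and addresses are
   assumed placeholders. Starting configuration: */
protocols {
    mpls {
        path via-core-a {
            10.0.0.1 strict;
        }
        path via-core-b {
            10.0.1.1 strict;
        }
        path via-core-c {
            10.0.2.1 strict;
        }
        label-switched-path to-pe2 {
            to 192.0.2.2;
            primary via-core-a;
            secondary via-core-c;
        }
    }
}

/* Problem behavior: deleting and setting the primary in ONE commit
   tears down the whole LSP, secondary included. Do not do this:
   [edit]
   user@host# delete protocols mpls label-switched-path to-pe2 primary via-core-a
   user@host# set protocols mpls label-switched-path to-pe2 primary via-core-b
   user@host# commit
*/

/* Workaround: commit the delete on its own. Between the two commits
   the LSP has only its secondary path, so traffic rides via-core-c. */
[edit]
user@host# delete protocols mpls label-switched-path to-pe2 primary via-core-a
user@host# commit

/* Then commit the new primary separately; the LSP is re-signaled onto
   via-core-b without being rebuilt from scratch. */
[edit]
user@host# set protocols mpls label-switched-path to-pe2 primary via-core-b
user@host# commit
```

show mpls lsp name to-pe2 extensive after each commit shows the secondary path remaining Up across the change, which is the whole point of splitting the operation.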

When there are more than five link-protected or node-link-protected LSPs to the same destination and per-packet load balancing is enabled, some bypass next hops might not be part of the active route. This can occur after a primary link goes down and comes back up. [PR/259219]

The mplsResourceTunnelTable reports bandwidth in bps instead of kbps. [PR/432716]

MPLS LSP auto-bandwidth adjustment may stop working while RSVP signals for the path; either optimization is initiated or the LSP goes down. [PR/438157]

Network Management

When the SNMP get response is larger than 9 KB, a "Message too long" message is logged, but no SNMP get-response with the error status tooBig is sent back to the source. [PR/389559]

tcpdump might report the IGMP max-response-time in seconds although the field is in units of 1/10 second. [PR/424618]


Platform and Infrastructure

On T-series routing platforms, the commit operation succeeds when you include the no-labels statement at the [edit forwarding-options hash-key family mpls] hierarchy level, but MPLS labels are still included in the hash key. [PR/80334]

After an ISSU software upgrade on the MX-series router, you might see a kernel database replication error, ISSU prepare timeout, and a core dump. These problems might be due to issues with allocated schedulers after the ISSU. This issue is seen only with Gigabit Ethernet Enhanced Queuing IP Services DPCs. [PR/427694]

Routing Protocols

If a BGP group is created but without any defined peers, a warning message appears when the configuration is committed. [PR/63279]

Reverse OIF mappings are lost when you add or delete an interface set of multicast VLANs when subscriber VLANs are active. [PR/423376]

When reverse OIF mapping is enabled on multicast VLAN interfaces, reverse OIF mappings to DHCP subscriber interfaces are lost if the routing protocol process gracefully restarts. [PR/438930]

When the l3vpn-composite-nexthop statement and the multipath vpn-unequal-cost statement at the [edit routing-options] hierarchy level are configured together, the routing protocol process might crash during the multipath calculation for destinations that contain both composite and non-composite eligible paths. [PR/448745]

Services Applications

The output of the show services nat pool command displays duplicate entries for a single Network Address Translation (NAT) pool. [PR/34678]

Subscriber Access Management

Incorrect reverse OIF mappings can be created when a multicast VLAN interface with reverse-OIF mapping enabled receives a join request from a DHCP subscriber and both of the following are true: a valid route to the subscriber is not present, and another route's subnet mask overlaps the address of the subscriber interface. [PR/416774]

On MX routers, WiMAX testing with SBR must be done with Non-Transposable IP for high availability (HA). Otherwise FA-HA authentication fails with return code 132. [PR/431969]

VPNs

On a BGP Layer 3 VPN provider edge router with a combination of (1) label per next hop in the VRFs, (2) configuration of the same IP addresses in different VRFs, and (3) a need for indirect next hops within the VRFs, label routes with an indirect next hop might be created incorrectly in the master instance table mpls.0. [PR/436404]

After the ingress PE router for an NG MVPN instance performs a GRES event, the egress PE routers could fail to install a new forwarding state for the multicast traffic. Clearing the BGP session on the ingress router can restore traffic to all egress routers. [PR/441392]

The VPLS instance on the MX960 router does not learn the remote CE MAC address after the clear vpls mac-address command is issued. [PR/476020]

Resolved Issues for JUNOS Release 9.5R2

In JUNOS Release 8.4 and later, the commit or commit check operation fails if a rewrite rule is defined both at the [edit class-of-service interfaces interface-name unit logical-unit-number rewrite-rules] hierarchy level and in a configuration group (defined at the [edit groups] hierarchy level) that is applied to that interface. The correct behavior is for the directly applied rule to override the rule inherited from the configuration group. [PR/261229: This issue has been resolved.]

When you set the port speed of a Multi-Rate SONET Type 2 PIC to OC3, it does not correctly change the CoS speed value within the Packet Forwarding Engine. The speed value remains OC12, which results in unexpected CoS behavior. There is no workaround. [PR/279617: This issue has been resolved.]

When a CoS classifier is applied to a logical unit with a wildcard (*), the default classifier is removed after the Routing Engine reboots. [PR/427848: This issue has been resolved.]

A packet drop is seen when a logical unit is configured with the per-unit-scheduler. [PR/429961: This issue has been resolved.]

On M320 routers, when the Tunnel PIC is on a standard FPC, multicast traffic conforming to Internet draft-rosen-vpn-mcast-08.txt might be subject to incorrect CoS queuing and rewrite. [PR/433142: This issue has been resolved.]

The CoS DSCP classifier might not work properly on a redundant LSQ interface. [PR/435701: This issue has been resolved.]

After the aggregate chassis configuration is deactivated and then activated, the classifier might not be properly applied on aggregate interfaces. [PR/442240: This issue has been resolved.]

The OC3/12 Multi-Rate PIC might not be able to transmit any packet. [PR/444077: This issue has been resolved.]

When an Intelligent Queuing PIC is taken offline and brought back online, the chassis scheduler map configured may be changed to [95,0,0,5]. The workaround is to deactivate the chassis scheduler map before taking the PIC offline and activate the configuration after the PIC comes online. [PR/444543: This issue has been resolved.]


Forwarding and Sampling

When a filter term has "next term" as the action, the action might be shown in the firewall log as "unknown" for the matched outgoing packets. [PR/421810: This issue has been resolved.]

If (1) an input-list or output-list is configured on an interface in a logical system, (2) the filters in the list are defined under the firewall hierarchy of the main router, and (3) a prefix list defined under the policy-options of the main router is referenced by one of the filters in the list, the commit fails with the error message "Referenced prefix-list xxx is not defined." [PR/427253: This issue has been resolved.]

General Routing

When attempting to use a framed route from a RADIUS client, rpd may core if there is no static route table. [PR/432447: This issue has been resolved.]

Interfaces and Chassis

In a TX Matrix router, the show chassis fpc fpc-number command returns an error instead of showing FPC information when the FPC number is greater than 8. [PR/387956: This issue has been resolved.]

When you reboot an FPC while it is coming online and if the FPC adding process is interrupted before it successfully completes, the chassis process does not operate properly. [PR/400676: This issue has been resolved.]

When traffic is passed at near maximum throughput to any queuing IQ2 or IQ2E PICs or DPCs, the show interfaces xe-fpc-pic-port extensive command output for queue counters might be incorrect. [PR/401431: This issue has been resolved.]

Incorporating any changes in the interfaces configuration results in a small leak in the dcd process. The leak is at the rate of 16 bytes per interface configured per commit. [PR/411596: This issue has been resolved.]

When you configure LACP on an aggregated Ethernet interface, the counters displayed by the show interface extensive command might show unexpected values. This problem occurs for logical interfaces that have an incoming interface index value that matches the default index of the data stream. [PR/418054: This issue has been resolved.]

On the M320 router, clearing statistics with the clear interfaces statistics command might take up to 10 seconds. [PR/421520]

The PPP MTU value of an interface protocol on a peer might change as a result of an unrelated configuration change and cause the PPP MTU negotiation to fail. [PR/421706: This issue has been resolved.]

Using disable under an aggregate member can lead the interface to be flagged in the “HARDDOWN” state despite being physically up. Deactivate/activate the interface to fix the problem. [PR/422933: This issue has been resolved.]


During the Switching and Forwarding Module (SFM) switchover process, the algorithm to switch over the SFM and take the FPC offline does not clear the hard and soft errors on each FPC. [PR/433616: This issue has been resolved.]

In the output of the show chassis pic fpc-pic-slot command, the 40-port Gigabit Ethernet DPC with SFP might be shown erroneously as 1000LH instead of 1000EX. [PR/438753: This issue has been resolved.]

When the same logical interface is deleted from the default system and added into the logical system, the Routing Engine might fail. [PR/441284: This issue has been resolved.]

When the sum of the shaping rate for the logical interfaces for a physical interface is greater than the physical interface's bandwidth and a rate limit is applied to one of the logical interface queues, the bandwidth limit for the queue will be based on a scaled down logical interface shaping rate value rather than the configured logical interface shaping rate. [PR/441413: This issue has been resolved.]

When the ingress router re-signals an RSVP session, traffic could egress a disabled SONET interface that is part of an APS group using container interfaces. Switching the APS interfaces resolves the problem. [PR/443295: This issue has been resolved.]

Layer 2 Ethernet Services

Upon issuing the clear dhcp relay bindings all command, not all access-internal routes are deleted from the route table for DHCP subscribers being terminated on dynamic demux interfaces. The routes point to demux interfaces that are no longer present. Associated ARP entries and DHCP bindings appear to be properly cleared. [PR/425279: This issue has been resolved.]

The relay-option-60 configuration stops working under a configured group if something else is changed under that group. [PR/434373: This issue has been resolved.]

After the MX-series router reboots, no DHCP packets reach the jdhcpd log. [PR/438269: This issue has been resolved.]

MPLS Applications

On an M-series or T-series router, when an MPLS label-switched path (LSP) re-optimizes or changes path and there is a signaling failure along that path, the path change does not happen until the next LSP re-optimization event. [PR/401343: This issue has been resolved.]

The load-balancing spread is affected when both the primary and the first secondary LSP are out of commission. [PR/422596: This issue has been resolved.]

For JUNOS Release 9.5 and later, when the show mpls lsp p2mp statistics egress command is entered, the Packets and Bytes fields should display as "NA" for egress LSP sessions; the statistics should display meaningful numbers only for ingress and transit LSP sessions. Instead, the fields display as 0 with the show mpls lsp p2mp statistics egress command. This is changed to NA after including the no-tunnel-services statement at the [edit routing-instances vpls1 protocols vpls] hierarchy level. [PR/429001: This issue has been resolved.]

If you have disabled the trap statement at the [edit protocols ldp log-updown] hierarchy level, upgrading to JUNOS Release 9.2 or later from a release earlier than 9.2 fails. [PR/432003: This issue has been resolved.]

Network Management

When subagents are slow in responding to SNMP queries, the SNMP process continues to buffer the incoming SNMP requests. SNMP memory becomes exhausted after the buffer increases to a bigger value, which causes the SNMP process to dump core. [PR/430106: This issue has been resolved.]

When Routing Engine 1 (RE1) is reloaded, the Management Information Base II (MIB II) process (mib2d) dumps core. [PR/436218: This issue has been resolved.]

When the master SNMP process (snmpd) restarts on a TX Matrix platform, the SNMP subagent running in the line-card chassis (LCC) chassis process (chassisd) tries to register MIB objects with the master snmpd. If the registration enters an infinite loop, the master snmpd consumes high CPU. [PR/438085: This issue has been resolved.]

Platform and Infrastructure

On M320 and T-series routing platforms, when you configure the local gateway of an IPsec tunnel in a routing instance, IPsec might not function properly over a generic routing encapsulation (GRE) tunnel. [PR/73864: This issue has been resolved.]

On MX-series platforms using Routing Engine-based sampling, when samples are sent from the Packet Forwarding Engine to the Routing Engine over certain interfaces, the interface input/output index and next-hop address are set to 0. The following interfaces are affected: ge-x/0/y, ge-x/1/y, xe-x/2/0, and xe-x/3/0. It is not possible in this case to match on the interface index to retrieve data from the flow collector. [PR/286089: This issue has been resolved.]

If a duplicate address is detected for the IPv6 family on an Ethernet interface, DAD is not restarted even after the interface goes down and comes back up. [PR/421241: This issue has been resolved.]

On the M320 router, clearing statistics with the clear interfaces statistics command might take up to 10 seconds. [PR/421520: This issue has been resolved.]

On M10i routers with I-chip based E-CFEBs, IQ2 PIC ISSU is not supported. Take the IQ2 PIC offline before initiating ISSU on M10i routers. [PR/421988: This issue has been resolved.]

When you configure an aggregate Ethernet interface as unnumbered, the router might fail. As a workaround, do not configure aggregate Ethernet interfaces with unnumbered addresses. [PR/428345: This issue has been resolved.]

On MX-series Ethernet Services routers, the FPC might reboot without a core dump when DWDM is incorrectly configured and that incorrect configuration causes many link flaps. As a workaround, either disconnect the offending link or include the disable statement at the [edit interfaces interface-name] hierarchy level to stop the FPC reboots. [PR/430703: This issue has been resolved.]

When configuring proxy-arp on unnumbered interfaces, the router can incorrectly answer address-collision-detection ARP requests, causing DHCP clients to decline the offered address. [PR/431192: This issue has been resolved.]

When you configure flow monitoring on a T1600 router with a T640 or T1600 Enhanced Scaled FPC4, if both input and output traffic are located on the same bottom Packet Forwarding Engine, the next-hop address and output interface are set to 0. [PR/431567: This issue has been resolved.]

On MX-series and M120 routers, and M320 routers with an Enhanced III FPC, if the VRF configuration includes the vrf-table-label statement, a DPC or FPC might dump core when an MPLS packet with time-to-live (TTL) equal to 0 (zero) or 1 (one) is processed at the egress provider edge (PE) router. [PR/436017: This issue has been resolved.]

The Address Resolution Protocol (ARP) retry count might be incorrect: instead of sending out the first five retries every second, the third and consequent retries might be sent out every 15 seconds. [PR/436580: This issue has been resolved.]

On an MX-series platform with a Combo DPC (20-port 1-Gigabit Ethernet, 2-port 10-Gigabit Ethernet), if the family mpls statement is included at the [edit interfaces interface-name unit logical-unit-number] hierarchy level for a 1-Gigabit Ethernet port of a DPC slot, the show interfaces statistics command reports zero values for input traffic at all ports. This issue does not affect the input traffic statistics for the 10-Gigabit Ethernet ports. This is a cosmetic issue and does not affect functionality. [PR/436653: This issue has been resolved.]

SCU configuration causes the Packet Forwarding Engine to drop some host-bound packets on M320 and T-series routers. [PR/438261: This issue has been resolved.]

Under certain circumstances Intelligent Queuing PICs might not be able to boot properly on E3-FPCs. [PR/438678: This issue has been resolved.]

When certain FPCs (T1600-FPC4-ES, T640-FPC4-1P-ES, T640-FPC1-ES, T640-FPC2-ES, and T640-FPC3-ES) receive corrupted cells via high-speed links, they might unnecessarily reboot and report the following system log error message: "Unrecoverable Error: Flist gtop bit toggled !". No reset is needed to recover from this condition. [PR/441844: This issue has been resolved.]

On T1600, TX Matrix, or T640 routers running JUNOS Release 9.3 or later with one of the following Flexible PIC Concentrators (FPCs):

T1600-FPC4-ES

T640-FPC4-1P-ES

T640-FPC4-ES

T640-FPC1-ES

T640-FPC2-ES

T640-FPC3-ES

jtree memory might become corrupted when routes are deleted while traffic is being sent to those prefixes. This can result in permanent or transient packet drops. One or more of the following messages might be logged in the system log:

SRCHIP(1): 131072 Discards - stack underflow

SRCHIP(1): 129735 Discards - truncated key - next hop

SRCHIP(1): SOF (58) >= DMA length (46) (Read Channel

SRCHIP(1): RKME int_status 0x300

SRCHIP(1): 4670347 Multicast list discard route entries

SRCHIP(1): 14486 Discards - illegal BTT

SLCHIP(1): 1617082 new errors (illegal link) in DESRD last stream 0 last lout_key 0xabd0e

SLCHIP(1): 1622998 new errors (packet error) in HDRF, lout_hdrf_poll_stats

There is no workaround, and an FPC reboot might be needed to recover. [PR/443171: This issue has been resolved.]

Routing Protocols

Deactivation of routing instances might cause the routing protocol process (rpd) to create a soft assertion core dump. [PR/396122: This issue has been resolved.]

If a multiaccess interface is disabled, after a Routing Engine switchover this disabled link is advertised in the router link-state advertisement (LSA). [PR/418559: This issue has been resolved.]

If OSPF is in overload mode on the standby Routing Engine but not in overload mode on the primary Routing Engine, it may take a long time to install OSPF routes on the standby Routing Engine. [PR/421636: This issue has been resolved.]

Community types are allocated at random to the members in the community list; as a result, sometimes extended communities are treated as simple and vice versa, which causes problems with the VRF import code. [PR/430728: This issue has been resolved.]

If a static route pointing to discard is configured, a core dump occurs when the router tries to collect multicast statistics data. [PR/434298: This issue has been resolved.]

BGP in L3VPN will show “local-id 0.0.0.0” in the output from the show bgp neighbor command when NSR is enabled. [PR/434321: This issue has been resolved.]

When you configure support for alternate loop-free routes through the link-protection statement and you configure PIM join-load-balance, the backup paths will be used in load-balancing PIM joins along with the active path. [PR/434996: This issue has been resolved.]

With BGP multipath configured, BGP traceoption flags may not be refreshed after a change in the traceoption flag configuration. [PR/436440: This issue has been resolved.]

Embedded RP is not created upon receiving a trigger from multicast traffic. Deactivating and activating the configuration solves the issue. [PR/437893: This issue has been resolved.]


If PIM is disabled, embedded rendezvous point (RP) configurations might cause continuous routing protocol process (rpd) cores. [PR/438159: This issue has been resolved.]

When you configure auto-rp, if the rendezvous point (RP) configuration is deactivated and then reactivated on the provider edge router, the router fails to rediscover the RP announced by the customer edge router. [PR/438356: This issue has been resolved.]

If a RIB is referenced within the from clause of a policy statement, the statement might be changed on every commit. This can lead to route flaps on every commit if the statement is used as the import policy for a RIB group, which in turn is referenced in OSPF. [PR/441557: This issue has been resolved.]

RPD may crash if a VRF routing instance is reconfigured in a single commit from Draft-Rosen MVPN to Next-Gen MVPN with RSVP-TE inclusive provider tunnels. [PR/442391: This issue has been resolved.]

When you configure the path-selection always-compare-med statement at the [edit protocols bgp] hierarchy level, BGP multipath might not find all the eligible paths. [PR/444629: This issue has been resolved.]

The TTL for the BGP listen socket was changed from 64 to 255 to support GTSM. [PR/449160: This issue has been resolved.]

Services Applications

When using L2TP services on M-series routers, every session or tunnel connection and disconnection will leak memory. [PR/312961: This issue has been resolved.]

When the IDP config, service-sets, and interfaces are committed separately, the IDP policy push will fail. [PR/434624: This issue has been resolved.]

User Interface and Configuration

When you set the time-zone statement at the [edit system] hierarchy level, it might cause the backup Routing Engine to lock the configuration. As a result, you would no longer be able to reboot the Routing Engine or perform any commits. To clear the issue, you must log on to the backup Routing Engine and issue the clear system commit command. [PR/309100: This issue has been resolved.]

In JUNOS Release 9.5, the time it takes to commit a configuration is significantly improved when the configuration is very big (for example, for 250K firewall filters or 64K IFLs). With small or medium configurations, however, the improvement in commit time is not as noticeable or might even seem slower because of features added in JUNOS Release 9.5. [PR/417957: This issue has been resolved.]

The dynamic-db policies feature works under logical systems, but the logical router must be restarted after any change or commit to the dynamic policy configuration at the [edit logical-systems] hierarchy level in the dynamic database. [PR/418969: This issue has been resolved.]


When you issue the commit confirmed command on a TX Matrix platform, it might not roll back to the original configuration as expected when the commit is not confirmed. [PR/425642: This issue has been resolved.]

Trying to use the system-generated certificate displayed in the J-Web interface results in commit errors. [PR/432208: This issue has been resolved.]

When you configure trace options at the [ edit system scripts ] hierarchy level, the router sometimes produces commit errors. [PR/438289: This issue has been resolved.]

VPNs

Applying configuration changes that remove a static point-to-multipoint LSP and a static MVPN provider tunnel group configuration can cause the routing protocol process (rpd) to reset unexpectedly. To avoid this problem, first delete the provider-tunnel configuration, then the LSP configuration. [PR/288456: This issue has been resolved.]

When you delete a Layer 2 VPN routing instance and add a new VPLS routing instance using the same interface within the same commit, the routing protocol process (rpd) might dump core. [PR/291407: This issue has been resolved.]

Resolved Issues for JUNOS Release 9.5R1

This section lists issues that were fixed in JUNOS Release 9.5R1. The identifier following the description is the tracking number in our bug database.

Software Installation and Upgrade

The ARP aging time configuration in the system configuration stanza in JUNOS Release 9.4R1 is incompatible with the ARP aging configuration in JUNOS Release 9.3R1 or earlier and JUNOS Release 9.4R2 or later. If you have configured system arp aging-timer aging-time on an M-series, MX-series, or T-series routing platform running JUNOS Release 9.4R1 and upgrade to JUNOS Release 9.4R2 or downgrade to JUNOS Release 9.3R1, the router will display configuration errors on booting up after the upgrade or downgrade. As a workaround, delete the arp aging-timer aging-time configuration in the system configuration stanza before you upgrade or downgrade from JUNOS Release 9.4R1, and reapply the configuration after you complete the upgrade or downgrade. [PR/425221: This issue has been resolved.]

Platform and Infrastructure

You might encounter output drops with the 10-Gigabit Ethernet PICs. The output drops occur because the software incorrectly calculates the number of queues used for polling statistics on a 10-Gigabit Ethernet PIC, which differs from that of other PICs. [PR/277693: This issue has been resolved.]

The MX Tri-rate DPC does not support MAC accounting and returns the following message: "error: MAC accounting and policing not supported." [PR/387919: This issue has been resolved.]


When you have configured the vrf-table-label statement at the [edit routing-instances routing-instance-name] hierarchy level for a VRF routing instance, IPv4 and IPv6 MTU error notification is not handled properly. On M320 routers with an incoming FPC as SFPC and an outgoing FPC as FFPC, large IPv6 packets are not being detected and discarded properly. [PR/397334: This issue has been resolved.]

When the Routing Engine requests numerous statistics that surpass a set boundary, "PFEMAN: Couldn't write..." messages might be logged and DPC core dumps might occur. [PR/398233: This issue has been resolved.]

When you configure per-packet load balancing, outgoing traffic is dropped on T640 routers. The problem is exacerbated if you have configured two PFE instances. [PR/402031: This issue has been resolved.]

Aggregate bundle child interface statistics do not account for the packets sent to a demux interface using an AE bundle as the underlying interface. [PR/403570: This issue has been resolved.]

When ifd channel mode is of type HYBRID, LSI statistics are counted every time ifl_stats are collected for each logical interface. This causes the LSI input counters to be incremented by a multiple of the logical interfaces. [PR/404857: This issue has been resolved.]

With the E-CFEB on the M10i router, the backup Routing Engine will go to the database prompt when GRES and NSR are enabled with a Layer 2 circuit configuration. [PR/409075]

The show pfe statistics command is not displaying the I-CHIP Ipktwr packet drop counts. [PR/416477: This issue has been resolved.]

Under rare circumstances, it is possible for the kernel to panic on the TX Matrix LCC or on the SRX platform following a Routing Engine switchover or RDP connection timeout between the LCC and SCC. [PR/416973: This issue has been resolved.]

For multicast traffic, if the OIF is on an aggregated interface and its member link is on a different PFE (for example, 7/1/0 and 6/1/0), multicast traffic might be lost after the FPC, which has IIF for the multicast, is rebooted. [PR/418583: This issue has been resolved.]

Initial ARP packets are discarded by the default ARP policer because, when a T1600’s FPC restarts, the current credit is initialized to JT_POL_SR_CURRENT_CREDIT_MAX, which is 0xFFFFF. This is a large negative value in SR, so packets are dropped until it decreases. As a workaround, you can initialize the current credit to max_credit_limit (which is equal to (credit_limit / Rate) * time_credit), approximately equal to TC. [PR/419909: This issue has been resolved.]

The SNMP remote operations process (rmopd) might fail after configuring a BGP neighbor with a local address. [PR/420504: This issue has been resolved.]

In JUNOS Release 9.3R1 or higher, on Juniper Networks routers with Type 4 FPCs or T1600 routers, multicast traffic is not counted within the interface statistics counters once class-of-service rewrite rules have been applied to the interface. [PR/420681: This issue has been resolved.]

On the MX-series router, when you configure MPLS and a tunnel configuration on the same Gigabit Ethernet DPC, the tunnel interface shows traffic as the sum of the traffic of the other Gigabit Ethernet interfaces on the DPC. This is a cosmetic issue and does not affect functionality. [PR/422274: This issue has been resolved.]

Interfaces and Chassis

In OC768-over-OC192 mode on the 4-port OC192c PIC, when you change the clocking internal statement to clocking external at the [edit interfaces interface-name] hierarchy level, the clock may not come up. [PR/395847: This issue has been resolved.]

The AE bundle statistics (issue the monitor interface traffic command) on T640 routers display a high value when the FPC is taken offline. There is no issue with the TX Matrix. [PR/399451: This issue has been resolved.]

Aggregate bundle child interface statistics do not account for the packets sent to a demux interface using an AE bundle as the underlying interface. [PR/403570: This issue has been resolved.]

With the E-CFEB on M7i and M10i routers, total traffic loss might occur after a CFEB switchover. [PR/407608: This issue has been resolved.]

With the IQ2 interface, the queue scheduler will not work as expected for shaped L2TP sessions. Only the rate limit will work on a per-queue basis. This problem does not occur for Enhanced IQ2 interfaces. [PR/409590: This issue has been resolved.]

When a 10-Gigabit Ethernet interface of a DPC is connected to a faulty optical card that causes the link state to change at a very high rate, the DPC might fail. [PR/411072: This issue has been resolved.]

The valid range for timeslot under e1-options in channelized E1 (CE1) interfaces of Enhanced Intelligent Queuing (IQE) PICs is 2 through 32. This option is used to create fractional E1 interfaces. [PR/416800: This issue has been resolved.]

When a Layer 2 policer is applied to the egress interface of a router, the dropped frame statistics might show incorrect information. [PR/419181: This issue has been resolved.]

On an IQ2 PIC, the slow aging interval might be overwritten with a value of 202 seconds. This causes the MAC entry to be removed after between 6 and 7 minutes. [PR/419510: This issue has been resolved.]

Services Applications

With the E-CFEB on M7i and M10i routers, if you configure a firewall filter with an action of sampling and then apply the filter to the interface, all packets received on the PIC are corrupt and consequently dropped. [PR/408802: This issue has been resolved.]

On M7i or M10i routers with the enhanced CFEB, if you issue the deactivate forwarding-options sampling command, sampling stops for both IPv4 and IPv6 traffic. If you then issue the activate forwarding-options sampling command, sampling resumes for only IPv4 traffic. [PR/415140: This issue has been resolved.]

If you are setting the option refresh rate using the flow monitoring feature supported in version 9 and you set the lowest rate to IPv6 and the highest rate to IPv4, the device will treat IPv6 as having the lowest rate. [PR/416788: This issue has been resolved.]

Layer 2 Ethernet Services

When you configure GRES on the MX-series router, the SIB might not initialize if you reboot both Routing Engines simultaneously, or reboot the router with only one Routing Engine installed. [PR/408359: This issue has been resolved.]

Integrated routing and bridging (IRB) configured over VPLS or multicast might not be reachable. As a workaround, clear the ARP table with the clear arp command. [PR/418438: This issue has been resolved.]

Subscriber Access Management

When a RADIUS initiated disconnect is attempted on a client session that does not have time-based accounting enabled, the generic authentication service process (authd) currently logs out the session and cleans up, but does not send an Ack message back to the requesting server. This may lead the RID server to retry even though the subscriber has already been successfully logged out. This problem occurs when volume-based accounting is configured or when no accounting is configured for the subscriber. It does not occur when time-based accounting is configured for that subscriber. [PR/417765: This issue has been resolved.]

General Routing

On a TX Matrix with JUNOS Release 9.1 and later, configuring the generate statement at the [edit routing-options] hierarchy level with a reference to a policy results in the commit not completing successfully. [PR/416380: This issue has been resolved.]

Routing Protocols

On a router with dual Routing Engines and NSR configured, the backup RPD may go down in rare instances while processing an indirect next-hop delete. [PR/302731: This issue has been resolved.]

When you transition an MVPN configuration from sparse mode to dense mode, you might need to restart routing to ensure that dense mode (DM) is flooding properly over the core router's default multicast distribution tree (MDT). [PR/398110: This issue has been resolved.]

If GRES is not enabled, on a Routing Engine switchover the routing protocol process (rpd) on the new backup Routing Engine quits before cleaning up the forwarding table. [PR/402372: This issue has been resolved.]

With JUNOS Release 9.3R1 or higher with a Type 4 FPC or T1600, multicast traffic is not counted in the interface statistics after the class-of-service (CoS) rewrite rules have been applied to the interface. [PR/420681: This issue has been resolved.]


VPNs

If MAC addresses are learned within a VPLS instance, CE devices will communicate directly even though the no-local-switching statement is configured. [PR/419976: This issue has been resolved.]

Multicast group addresses ending with .232 are classified as SSM groups when using multicast VPNs. These routes are not installed in the multicast VPN routing table, and all traffic destined to these destinations is dropped. As a workaround, include the asm-override-ssm statement at the [edit routing-instances routing-options multicast] hierarchy level. [PR/426811: This issue has been resolved.]

Forwarding and Sampling

The policer value does not change dynamically on changing the shaping rate. The policer keeps the initial value. As a workaround, deactivate and activate the filter. [PR/286663: This issue has been resolved.]

Related Topics

New Features in JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms on page 6

Changes in Default Behavior and Syntax in JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms on page 41

Errata and Changes in Documentation for JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms on page 75

Upgrade and Downgrade Instructions for JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms on page 80

Errata and Changes in Documentation for JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms

Changes to the JUNOS Documentation Set

The following changes have been introduced to the JUNOS documentation set:

Technical documentation will no longer be available in iSilo/Palm OS and Windows eBook formats. Documentation will still be available in HTML, TAR/ZIP, and PDF formats.

There is a new book, the SDK Applications Configuration Guide and Command Reference.


For JUNOS Release 9.5 only, documentation on the DVD-ROM will be available in PDF form only.

JUNOS Release 9.5 supports a new index page that consolidates subscriber management information (http://www.juniper.net/techpubs/en_US/junos9.5/information-products/pathway-pages/subscriber-access/index.html). This index page provides top-level access to the Broadband Subscriber Management Solutions Guide and topic categories that describe how to configure clients and services in a subscriber access network. The index page contains pathway page links categorized as follows:

Access Technologies: DHCP (Local and Relay), Mobile IP Home Agent, Point-to-Point Protocol (PPP)

AAA Technologies: Authentication, authorization, and accounting (AAA); Address Assignment Pools

Protocols: Access Node Control Protocol (ANCP), Internet Group Management Protocol (IGMP)

Subscriber Management and Services: Dynamic Profiles, Class of Service (CoS), Subscriber Secure Policy

Errata

This section lists outstanding issues with the documentation.

Class of Service

In JUNOS Release 8.0 and later, contrary to what is implied in the text, memory allocation dynamic (MAD) support is dependent on the FPC and PFE, not the PIC. All M320 router, MX-series router, and T-series router FPCs and PFEs support MAD, except for the T-series router ES-FPC and Enhanced IV FPC. No IQ, IQ2, IQ2E, or IQE PICs support MAD. [Class of Service]

The Class of Service Configuration Guide for JUNOS Release 9.3 and 9.4 states that “If you configure more forwarding classes than the supported platform maximum, an error message is displayed.” This is not correct. You cannot configure more forwarding classes than supported in these releases. [Class of Service]


Configuration and Diagnostic Automation

In the Introduction to Writing Event Scripts chapter of the JUNOS 9.5 Configuration and Diagnostic Automation Guide, the section "Using RPCs and Operational Mode Commands" erroneously states that RPCs can be invoked from event scripts. This feature is not supported in JUNOS Release 9.5.

In the Introduction to Writing Operation Scripts chapter and the Introduction to Writing Event Scripts chapter of the JUNOS 9.5 Configuration and Diagnostic Automation Guide, the section "Importing the junos.xsl File" includes the jcs:getsecret() extension function. This function is accessible only after JUNOS Release 9.5R1; it is not accessible in JUNOS Release 9.5R1 or earlier JUNOS releases. [Configuration and Diagnostic Automation]

Network Interfaces

In the Network Interfaces Configuration Guide, Chapter 44 Configuring IEEE 802.1ag OAM Connectivity-Fault Management, the section Configuring a CFM Interface Down Action Profile Action states the following:

“Note: The action profile is supported only on the physical interface level, and not on the logical interface.”

This is incorrect, and was revised in the JUNOS Software 9.6R1 release of the same document. The note was replaced with the following text:

“The action profile is supported on the physical interface level and the logical interface.”

[Network Interfaces]

The Configuring Protocol Family and Interface Address Properties chapter of the Network Interfaces Configuration Guide, in the sections “Configuring an Unnumbered Interface” and “Restrictions for Configuring Unnumbered Ethernet Interfaces”, erroneously states that you cannot configure unnumbered Ethernet interfaces on the TX Matrix platform. This restriction was removed starting in JUNOS 9.5, and unnumbered Ethernet interfaces are now supported on the TX Matrix platform. [Network Interfaces]

The "Configuring an Unnumbered Interface" section in the JUNOS 9.5 Network Interfaces Configuration Guide, in Chapter 5: Configuring Protocol Family and Interface Address Properties, erroneously included the following restriction on configuring unnumbered Ethernet interfaces:

The configuration of unnumbered Ethernet interfaces is not supported when graceful Routing Engine switchover (GRES) is enabled on the router.

Beginning with JUNOS Release 9.4, the configuration of unnumbered Ethernet interfaces is supported when GRES is enabled on the router.

In the Network Interfaces Configuration Guide, Chapter 5: Configuring Protocol Family and Interface Address Properties, the section "Enabling Source Class and Destination Class Usage" contains the following incorrect statement, which can be ignored: "On T-series, M120, and M320 platforms, the destination-class and source-class statements are not supported at the [edit firewall family family-name filter filter-name term term-name from] hierarchy level. On other M-series platforms, these statements are supported.”


Routing Policy and Firewall Filters

The output of the show pim statistics command has been enhanced to show the number of join and prune messages that have been dropped. The information is displayed in the following format: “Rx Join/Prune messages dropped 0” [Routing Protocols and Policies Command Reference]

In a routing policy, only standard and extended match conditions are evaluated according to a logical AND operation. Matching in prefix lists and route filters is handled differently: they are evaluated according to a logical OR operation.

If you configure a policy that includes some combination of route filters, prefix lists, and source address filters, they are evaluated according to a logical OR operation or a longest-route match lookup. [Policy]

Active flow monitoring using version 9 supports sampling of both IPv4 and MPLS traffic simultaneously. You configure traffic sampling for IPv4 and MPLS traffic using the family (inet | mpls) statement at the [edit forwarding-options sampling input] hierarchy level. For additional information about configuring active flow monitoring, see the JUNOS Services Interfaces Configuration Guide and the JUNOS Feature Guide. [Policy]

The Routing Protocols Configuration Guide and the VPNs Configuration Guide both erroneously state that it is not possible to configure route reflectors and cluster IDs for the same routing instance. This type of configuration is now possible. [Protocols, VPNs]


Subscriber Access

The "DHCP State Persistence" and "Graceful Routing Engine Switchover" sections in the JUNOS 9.5 Subscriber Access Configuration Guide and the JUNOS 9.5 Policy Framework Configuration Guide contain erroneous information. The correct description, which applies to both the extended DHCP relay agent and the extended DHCP local server, is as follows:

The extended DHCP local server and the DHCP relay agent applications both maintain the state of active DHCP client leases in the session database. The extended DHCP application can recover this state if the DHCP process fails or is manually restarted, thus preventing the loss of active DHCP clients in either of these circumstances. However, the state of active DHCP client leases is lost if a power failure occurs or if the kernel stops operating (for example, when the router is reloaded) on a single Routing Engine.

The extended DHCP local server and the DHCP relay agent support graceful Routing Engine switchover on all routing platforms that contain dual Routing Engines. To support graceful Routing Engine switchover, the extended DHCP application automatically mirrors (replicates) information about the state of bound DHCP clients from the master Routing Engine to the backup Routing Engine.

To enable graceful Routing Engine switchover support for the extended DHCP local server or DHCP relay agent, include the graceful-switchover statement at the [edit chassis redundancy] hierarchy level. You cannot disable graceful Routing Engine switchover support for the extended DHCP application when the router is configured to support graceful Routing Engine switchover.

For more information about using graceful Routing Engine switchover, see the JUNOS High Availability Configuration Guide.

Subscriber Management

The Subscriber Access Configuration Guide contains the following dynamic variable errors:

The Configuring a Dynamic Profile for Client Access topic erroneously uses the $junos-underlying-interface variable when configuring an IGMP interface in the client access dynamic profile. The following example provides the appropriate use of the $junos-interface-name variable:

[edit dynamic-profiles access-profile] user@host# set protocols igmp interface $junos-interface-name

Table 25 in the Dynamic Variables Overview topic neglects to define the $junos-igmp-version predefined dynamic variable. This variable is defined as follows:

$junos-igmp-version—IGMP version configured in a client access profile. The JUNOS software obtains this information from the RADIUS server when a subscriber accesses the router. The version is applied to the accessing subscriber when the profile is instantiated. You specify this variable at the [dynamic-profiles profile-name protocols igmp] hierarchy level for the interface statement.


In addition, the Subscriber Access Configuration Guide erroneously specifies the use of a colon (:) when configuring the dynamic profile to define the IGMP version for client interfaces. The following example provides the appropriate syntax for setting the IGMP interface to obtain the IGMP version from RADIUS:

[edit dynamic-profiles access-profile protocols igmp interface $junos-interface-name] user@host# set version $junos-igmp-version

You can configure dynamic 802.1Q VLANs on Gigabit Ethernet (GE) and 10-Gigabit Ethernet (XE) interfaces only. Configuration on Aggregated Ethernet (AE) interfaces is currently not supported. For additional information about configuring dynamic VLANs, see the JUNOS Subscriber Access Configuration Guide.

VPNs

You can specify both Layer 3 and Layer 4 fields to be included while load-balancing Layer 2 traffic. This can be accomplished by including the layer-3 or the layer-4 statement at the [edit forwarding-options hash-key family multiservice payload ip] hierarchy level. The 9.5 JUNOS VPNs Configuration Guide does not include this information. For more information, see the JUNOS MX Series Ethernet Services Routers Layer 2 Configuration Guide.

User Interface and Configuration

The show system statistics bridge command displays system statistics on MX-series routers. [System Basics Command Reference]

Related Topics

New Features in JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms on page 6

Changes in Default Behavior and Syntax in JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms on page 41

Issues in JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms on page 45

Upgrade and Downgrade Instructions for JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms on page 80

Upgrade and Downgrade Instructions for JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms

This section discusses the following topics:

Basic Procedure for Upgrading to Release 9.5 on page 81

Upgrading a Router with Redundant Routing Engines on page 83

Upgrading to Release 9.5 in a Routing Matrix on page 83

Upgrading Using ISSU on page 84

Upgrading from JUNOS Release 9.2 or Earlier on a Router Enabled for Both PIM and NSR on page 85

Downgrade from Release 9.5 on page 86

Basic Procedure for Upgrading to Release 9.5

When upgrading or downgrading the JUNOS software, always use the jinstall package. Use other packages (such as the jbundle package) only when so instructed by a Juniper Networks support representative. For information about the contents of the jinstall package and details of the installation process, see the JUNOS Software Installation and Upgrade Guide.

NOTE: You cannot upgrade by more than three releases at a time. For example, if your routing platform is running JUNOS Release 9.1 you can upgrade to JUNOS Release 9.4 but not to JUNOS Release 9.5. As a workaround, first upgrade to JUNOS Release 9.2 and then upgrade to JUNOS Release 9.5.
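The three-release limit in the note above can be turned into a small upgrade-path planner, which is useful when scheduling a maintenance window that may need more than one install. The following Python is an added example, not Juniper's code or tooling; it encodes only the rule stated in the note (at most three releases per upgrade step, with 9.1 to 9.2 to 9.5 as the suggested workaround) and generalizes it to any gap by chaining hops. It assumes, beyond what the note says, that releases are counted on the minor number of a major.minorRn version string, that the major number does not change, that the R number does not count as a release step, and that when an intermediate hop is needed the lowest release that still lets the remaining hops finish legally is chosen (which reproduces the 9.2 in the note).

```python
"""Plan a JUNOS upgrade path under the "at most three releases per step" rule.

Added example, not Juniper's own code. Only MAX_RELEASE_STEP comes from the
release note; the version-string handling and the choice of intermediate
releases are assumptions documented below.
"""
import re
from typing import List, Tuple

# From the release note: "You cannot upgrade by more than three releases at a time."
MAX_RELEASE_STEP = 3

# Assumption: versions look like "9.1", "9.4R2"; the R-number is not a release step.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:R(\d+))?$")


def parse_release(version: str) -> Tuple[int, int]:
    """Return (major, minor) for a JUNOS version string, ignoring the R-number."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised JUNOS version string: {version!r}")
    return int(m.group(1)), int(m.group(2))


def is_direct_upgrade_allowed(current: str, target: str) -> bool:
    """True when target is at most MAX_RELEASE_STEP releases above current.

    Raises ValueError for cross-major moves and downgrades, which the note's
    rule does not describe (assumption: we refuse rather than guess).
    """
    cur_major, cur_minor = parse_release(current)
    tgt_major, tgt_minor = parse_release(target)
    if cur_major != tgt_major:
        raise ValueError("cross-major upgrades are not covered by this planner")
    if tgt_minor < cur_minor:
        raise ValueError("downgrade requested; this planner only covers upgrades")
    return tgt_minor - cur_minor <= MAX_RELEASE_STEP


def plan_upgrade_path(current: str, target: str) -> List[str]:
    """Return the ordered list of releases to install, ending with target.

    Every hop moves at most MAX_RELEASE_STEP releases. When more than one hop
    is needed, each hop is the smallest one that still leaves the remaining
    hops feasible, so 9.1 -> 9.5 yields ['9.2', '9.5'] as in the note, and
    9.1 -> 9.9 yields ['9.3', '9.6', '9.9'].
    """
    major, minor = parse_release(current)
    _, tgt_minor = parse_release(target)
    is_direct_upgrade_allowed(current, target)  # validates major/downgrade cases
    path: List[str] = []
    while minor != tgt_minor:
        gap = tgt_minor - minor
        hops_needed = -(-gap // MAX_RELEASE_STEP)  # ceiling division
        # Smallest first hop such that the remaining gap fits in the other hops.
        step = max(1, gap - MAX_RELEASE_STEP * (hops_needed - 1))
        minor += step
        # Keep the caller's exact target string (e.g. "9.5R4") for the last hop.
        path.append(target.strip() if minor == tgt_minor else f"{major}.{minor}")
    return path


if __name__ == "__main__":
    # The note's own example: 9.1 cannot go straight to 9.5, so stage via 9.2.
    for cur, tgt in (("9.1", "9.4"), ("9.1", "9.5"), ("9.1R3", "9.9")):
        direct = is_direct_upgrade_allowed(cur, tgt)
        print(f"{cur} -> {tgt}: direct={direct}, path={plan_upgrade_path(cur, tgt)}")
```

Feed it the version reported by the running platform and the release you intend to install; a path with more than one entry means the maintenance plan needs a staged install, and each intermediate hop should be preceded by the same backup step (request system snapshot) that the notes below require before any upgrade.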

NOTE: With JUNOS Release 9.0 and later, the compact flash disk memory requirement for JUNOS software is 1 GB. For M7i and M10i routing platforms with only 256 MB memory, see the Customer Support Center JTAC Technical Bulletin PSN-2007-10-001 at https://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2007-10-001&actionBtn=Search .

NOTE: Before upgrading, back up the file system and the currently active JUNOS configuration so that you can recover to a known, stable environment in case the upgrade is unsuccessful. Issue the following command:

user@host> request system snapshot

The installation process rebuilds the file system and completely reinstalls the JUNOS software. Configuration information from the previous software installation is retained, but the contents of log files might be erased. Stored files on the routing platform, such as configuration templates and shell scripts (the only exceptions are the juniper.conf and ssh files) may be removed. To preserve the stored files, copy them to another system before upgrading or downgrading the routing platform. For more information, see the JUNOS System Basics Configuration Guide.


The download and installation process for JUNOS Release 9.5 is the same as for previous JUNOS releases.

If you are not familiar with the download and installation process, follow these steps:

1. Using a Web browser, follow the links to the download URL on the Juniper Networks Web page. Choose either Canada and U.S. Version or Worldwide Version:

■ https://www.juniper.net/support/csc/swdist-domestic/ (customers in the United States and Canada)

■ https://www.juniper.net/support/csc/swdist-ww/ (all other customers)

2. Log in to the Juniper Networks authentication system using the username (generally your e-mail address) and password supplied by Juniper Networks representatives.

3. Download the software to a local host.

4. Copy the software to the routing platform or to your internal software distribution site.

5. Install the new jinstall package on the routing platform.

NOTE: We recommend that you upgrade all software packages out-of-band using the console because in-band connections are lost during the upgrade process.

Customers in the United States and Canada use the following command:

user@host> request system software add validate reboot source/jinstall-9.5B1.3-domestic-signed.tgz

All other customers use the following command:

user@host> request system software add validate reboot source/jinstall-9.5B1.3-export-signed.tgz

Replace source with one of the following values:

■ /pathname—For a software package that is installed from a local directory on the router.

■ For software packages that are downloaded and installed from a remote location:

ftp://hostname/pathname

http://hostname/pathname

scp://hostname/pathname (available only for Canada and U.S. version)

The validate option validates the software package against the current configuration as a prerequisite to adding the software package to ensure that the router reboots successfully. This is the default behavior when the software package being added is a different release.
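As an added illustration (not part of the original release notes and not Juniper's own tooling), the following Python helper parses a source/jinstall-... argument of the form listed above into scheme, host, path, release and domestic/export variant, and refuses the combinations the notes rule out before the add command is built. The regular expression for the package name is an assumption drawn from the two file names shown above, and the scp check assumes an export package is only ever added on the export (worldwide) version of the software, where scp is not available; adjust both to your own naming policy.

```python
import re
from urllib.parse import urlsplit

# Package name layout seen in the release notes, e.g.
# jinstall-9.5B1.3-domestic-signed.tgz (this pattern is an assumption, not Juniper's spec)
JINSTALL_RE = re.compile(
    r"^jinstall-(?P<release>\d+\.\d+[A-Z]\d+(?:\.\d+)?)"
    r"-(?P<variant>domestic|export)-signed\.tgz$"
)

# Remote schemes listed for the "source" value; scp is the Canada/U.S. (domestic) only one
REMOTE_SCHEMES = {"ftp", "http", "scp"}


def parse_jinstall_source(source: str) -> dict:
    """Split a `source/jinstall-...tgz` argument into its parts.

    Raises ValueError when the scheme is unknown, the file name is not a
    signed jinstall package, or scp:// is combined with an export package
    (assumption: export packages are added on the export version, which
    has no scp support).
    """
    parts = urlsplit(source)
    if parts.scheme in REMOTE_SCHEMES:
        if not parts.netloc:
            raise ValueError(f"remote source needs a hostname: {source}")
        scheme, host, path = parts.scheme, parts.netloc, parts.path
    elif parts.scheme == "" and source.startswith("/"):
        scheme, host, path = "local", None, source
    else:
        raise ValueError(f"unsupported source: {source}")

    package = path.rsplit("/", 1)[-1]
    m = JINSTALL_RE.match(package)
    if m is None:
        raise ValueError(f"not a signed jinstall package: {package}")
    variant = m.group("variant")
    if scheme == "scp" and variant != "domestic":
        raise ValueError("scp:// is available only for the Canada and U.S. version")
    return {
        "scheme": scheme, "host": host, "path": path, "package": package,
        "release": m.group("release"), "variant": variant,
    }


def add_command(source: str, validate: bool = True, reboot: bool = True) -> str:
    """Build the `request system software add` line after checking the source."""
    parse_jinstall_source(source)
    opts = ("validate " if validate else "") + ("reboot " if reboot else "")
    return f"request system software add {opts}{source}"


if __name__ == "__main__":
    # Constructed sample host and path
    print(add_command("ftp://repo.example.net/images/jinstall-9.5B1.3-domestic-signed.tgz"))
```

Rejecting anything that is not a `-signed.tgz` jinstall name at this stage is a cheap supply-chain guard: an operator script cannot accidentally push a jbundle or an unsigned bundle to a router.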


Adding the reboot command reboots the router after the upgrade is validated and installed. When the reboot is complete, the router displays the login prompt. The loading process can take 5 to 10 minutes. Rebooting occurs only if the upgrade is successful.

NOTE: After you install a JUNOS 9.5 jinstall package, you cannot issue the request system software rollback command to return to the previously installed software. Instead you must issue the request system software add validate command and specify the jinstall package that corresponds to the previously installed software.

NOTE: Before you upgrade a router that you are using for voice traffic, you should monitor call traffic on each virtual BGF. Confirm that no emergency calls are active. When you have determined that no emergency calls are active, you can wait for non-emergency call traffic to drain as a result of graceful shutdown, or you can force a shutdown. For detailed information on how to monitor call traffic before upgrading, see the Multiplay Solutions Guide.

Upgrading a Router with Redundant Routing Engines

If the router has two Routing Engines, perform a JUNOS software installation on each Routing Engine separately to avoid disrupting network operation as follows:

1. Disable graceful Routing Engine switchover (GRES) on the master Routing Engine and save the configuration change to both Routing Engines.

2. Install the new JUNOS software release on the backup Routing Engine while keeping the currently running software version on the master Routing Engine.

3. After making sure that the new software version is running correctly on the backup Routing Engine, switch over to the backup Routing Engine to activate the new software.

4. Install the new software on the original master Routing Engine that is now active as the backup Routing Engine.

For the detailed procedure, see the JUNOS Software Installation and Upgrade Guide.

Upgrading to Release 9.5 in a Routing Matrix

By default, when you upgrade software on the TX Matrix platform, the new image is loaded onto the TX Matrix platform and distributed to all routing nodes in the routing matrix. To upgrade software for the entire routing matrix, issue the request system software add command. Customers in the United States and Canada use the following command:

user@host> request system software add source/jinstall-9.5B1.5-domestic-signed.tgz

All other customers use the following command:

user@host> request system software add source/jinstall-9.5B1.5-export-signed.tgz

Replace source with one of the following values:

■ /pathname—For a software package that is installed from a local directory on the TX Matrix platform.

■ For software packages that are downloaded and installed from a remote location:

ftp://hostname/pathname

http://hostname/pathname

scp://hostname/pathname (available only for Canada and U.S. version)

When you complete the software installation and reboot the TX Matrix platform, all routing nodes also reboot and all hardware and software components in the routing matrix begin using the new software.

To upgrade the backup Routing Engines, log in to the backup Routing Engine on the TX Matrix platform before you issue the request system software add command. You can also update the software on the TX Matrix platform only or on a specific T640 routing node as needed by including the lcc or scc option.

NOTE: We recommend you run the same JUNOS software release on the master and backup Routing Engines on all components of a routing matrix. If you elect to run different JUNOS software releases on the Routing Engines, a change in Routing Engine mastership can cause one or all routing nodes to be logically disconnected from the TX Matrix platform. It is also a best practice to make sure that all master Routing Engines are re0 and all backup Routing Engines are re1 (or vice versa).

NOTE: You must use the same Routing Engine model on all routing platforms in a routing matrix. For example, it is not supported to use model RE-A-2000 on the TX Matrix platform and model RE-1600 on the routing nodes.

Upgrading Using ISSU

Unified in-service software upgrade (ISSU) enables you to upgrade between two different JUNOS software releases with no disruption on the control plane and with minimal disruption of traffic. Unified in-service software upgrade is only supported by dual Routing Engine platforms. In addition, graceful Routing Engine switchover (GRES) and nonstop active routing (NSR) must be enabled. For additional information about using unified in-service software upgrade, see the JUNOS High Availability Configuration Guide.


NOTE: Upgrading with ISSU from JUNOS 9.4R2 to any other release results in the loss of control traffic due to the loss of keepalives. This causes interfaces to go down and results in the loss of the respective adjacencies for all configured protocols. This problem exists only in JUNOS 9.4R2.

Upgrading from JUNOS Release 9.2 or Earlier on a Router Enabled for Both PIM and NSR

JUNOS Release 9.3 introduced NSR support for PIM for IPv4 traffic. However, the following PIM features are not currently supported with NSR. The commit operation fails if the configuration includes both NSR and one or more of these features:

Anycast RP

Draft-Rosen multicast VPNs (MVPNs)

Local RP

Next-generation MVPNs with PIM provider tunnels

PIM join load balancing

JUNOS 9.3 introduced a new configuration statement that disables NSR for PIM only, so that you can activate incompatible PIM features and continue to use NSR for the other protocols on the router: the nonstop-routing disable statement at the [edit protocols pim] hierarchy level. (Note that this statement disables NSR for all PIM features, not only incompatible features.)

If neither NSR nor PIM is enabled on the router to be upgraded or if one of the unsupported PIM features is enabled but NSR is not enabled, no additional steps are necessary and you can use the standard upgrade procedure described in other sections of these instructions. If NSR is enabled and no NSR-incompatible PIM features are enabled, use the standard reboot or ISSU procedures described in the other sections of these instructions.

Because the nonstop-routing disable statement was not available in JUNOS Release 9.2 and earlier, if both NSR and an incompatible PIM feature are enabled on a router to be upgraded from JUNOS Release 9.2 or earlier to a later release, you must disable PIM before the upgrade and reenable it after the router is running the upgraded JUNOS software and you have entered the nonstop-routing disable statement. If your router is running JUNOS Software Release 9.3 or later, you can upgrade to a later release without disabling NSR or PIM; simply use the standard reboot or ISSU procedures described in the other sections of these instructions.

To disable and reenable PIM:

1. On the router running JUNOS Release 9.2 or earlier, enter configuration mode and disable PIM:

[edit]
user@host# deactivate protocols pim
user@host# commit

2. Upgrade to JUNOS Release 9.3 or later software using the instructions appropriate for the router type. You can either use the standard procedure with reboot or use ISSU.

3. After the router reboots and is running the upgraded JUNOS software, enter configuration mode, disable PIM NSR with the nonstop-routing disable statement, and then reenable PIM:

[edit]
user@host# set protocols pim nonstop-routing disable
user@host# activate protocols pim
user@host# commit

Downgrade from Release 9.5

To downgrade from Release 9.5 to another supported release, follow the procedure for upgrading, but replace the 9.5 jinstall package with one that corresponds to the appropriate release.

NOTE: You cannot downgrade more than three releases. For example, if your routing platform is running JUNOS Release 9.3, you can downgrade the software to Release 9.0 directly, but not to Release 8.5 or earlier; as a workaround, you can first downgrade to Release 9.0 and then downgrade to Release 8.5.

For more information, see the JUNOS Software Installation and Upgrade Guide.

Related Topics

New Features in JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms on page 6

Changes in Default Behavior and Syntax in JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms on page 41

Issues in JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms on page 45

Errata and Changes in Documentation for JUNOS Software Release 9.5 for M-series, MX-series, and T-series Routing Platforms on page 75

JUNOS Software Release Notes for SRX-series Services Gateways

JUNOS for SRX-Series Services Gateways Product Overview on page 87

New Features in JUNOS Software Release 9.5 for SRX-series Services Gateways on page 98

Changes In Default Behavior and Syntax on page 122

Known Limitations in JUNOS Software Release 9.5 for SRX-series Services Gateways on page 124

Unsupported CLI Statements and Commands in JUNOS Software Release 9.5 for SRX-series Services Gateways on page 128

Issues in JUNOS Software Release 9.5 for SRX-series Services Gateways on page 129

Errata in Documentation for JUNOS Software Release 9.5 for SRX-series Services Gateways on page 140

JUNOS for SRX-Series Services Gateways Product Overview

Application Layer Gateways (ALGs)

FTP ALG

JUNOS software for SRX-series devices provides File Transfer Protocol (FTP) support for services and applications that transfer data using FTP, allowing legitimate FTP traffic to go through the device while blocking out malicious FTP packets. The FTP ALG monitors PORT, PASV, and 229 commands. It performs Network Address Translation (NAT) of the IP or port in the message and gate opening on the device as necessary.

To configure the FTP ALG, use the edit security alg ftp statement at the [edit security alg] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.

TFTP ALG

JUNOS software for SRX-series devices provides Trivial File Transfer Protocol (TFTP) support for services and applications that transfer data using TFTP, allowing legitimate TFTP traffic to go through the device while blocking out malicious TFTP packets. The TFTP ALG processes the TFTP packets that initiate the request and opens a pinhole to allow return packets from the reverse direction to the port that sends the request.

To configure TFTP ALG, use the edit security alg tftp statement at the [edit security alg] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.

Chassis Clustering

Chassis clustering—You can connect a pair of the same kind of supported SRX-series devices into a cluster to provide stateful failover of JUNOS processes and services. Interchassis clustering removes the single point of failure in the network by allowing the devices to be configured in a redundant cluster, with one device acting as the primary device and the other as a backup. If the primary device fails, the backup takes over traffic processing. Clustered devices synchronize configuration, kernel, and Packet Forwarding Engine session states across the cluster to facilitate high availability of interfaces and services. JUNOS software includes the following chassis cluster features:

Resilient system architecture includes a single control plane for the entire cluster to manage multiple Packet Forwarding Engines.

Configuration and dynamic runtime states are synchronized between the services gateways within a cluster.

Graceful restart of the routing protocols enables the services gateway to minimize traffic disruption during a failover.

Physical interfaces are grouped and monitored to trigger failover to the backup services gateway if the failure parameters cross a configured threshold.

For more information, see the JUNOS Software Security Configuration Guide.

NOTE: In this release of JUNOS software for SRX-series devices, synchronization of IDP-specific runtime data does not occur across the cluster. As a result, IDP processing is not continued for sessions that fail over. (IDP processing resumes for sessions created after failover.)

NOTE: When configuring chassis clusters, you are automatically in configure private mode. As a result, you must commit changes from the top of the hierarchy. For information about the configure private mode, see the JUNOS CLI User Guide.

Flow and Processing

Combo-mode SPU—The central point (CP) in the architecture has two basic flow functionalities: load balancing and traffic identification. However, the central point functionalities and normal flow processing are embedded in a single Services Processing Unit (SPU), and this shared SPU is operating in combination, or combo mode. In combo mode, the number of threads is divided among the central point and the flow services, based on the number of SPUs in the system.

NOTE: This feature is applicable only for SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices.

Flow-based stateful processing—In addition to packet processing, JUNOS software for SRX-series devices performs flow-based stateful processing. When a packet enters the device, the system applies any packet-based filter processing associated with the interface to the packet. Next, the system attempts to match the packet against an existing session based on a session's match criteria (source and destination addresses, source and destination ports, and protocol and session tokens derived from the zone and virtual router). If a packet matches an existing session, the system processes it according to the flow's session features, security policies, screens, and other features. If the packet does not match an existing session, the system establishes a new session for the packet based on routing, policy, and other classification information. Before a packet leaves the device, the system applies filters and traffic shaping to it.

Distributed multithread flow—The SRX-series services gateway is multicore, multichassis hardware with distributed computing engines. The Network Processing Units (NPUs) and multicore Services Processing Units (SPUs) on the Services Processing Cards (SPCs) comprise the data plane. Packets for any given flow could traverse two NPUs and possibly more than one SPU (in the case of tunnels). Therefore, a distributed flow module is needed that can span multiple computing engines.

NOTE: This feature is applicable only for SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices.

To configure flow options, use the flow statement at the [set security] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.

Interfaces and Routing

Interfaces—Interfaces act as a doorway through which traffic enters and exits a device. Several security-related configuration and runtime attributes are kept in an interface object. Different modules in the data path use these attributes. Many interfaces can share exactly the same security requirements; however, different interfaces can also have different security requirements for inbound and outbound (I/O) data packets.

Security processing and inbound and outbound (I/O) data packet analysis are separated in JUNOS software and SRX-series devices. As a result, the line-card interface on the Input/Output Card (IOC) and the security processors on the Services Processing Card (SPC) are separated by a fabric. The security data plane is simultaneously performing multiprocessing (32-way MT per XLR SPU) and distributed processing (SRX 5600 and SRX 5800 devices distribute the processing over a maximum of 2 SPUs per SPC). For more information, see the JUNOS Software Interfaces and Routing Configuration Guide for Security Devices.

Routing—SRX-series devices support using the Border Gateway Protocol (BGP), the Open Shortest Path First (OSPF) Protocol, and the Routing Information Protocol (RIP) to deliver routing information across networks. To configure the services gateway to use these protocols, use the bgp, ospf, or rip statements (respectively) at the [protocols] hierarchy level. You can also configure the services gateway to use static routes. For more information, see the JUNOS Software Interfaces and Routing Configuration Guide for Security Devices.

SRX-series devices also support the following additional routing functionality:

DHCP—JUNOS software for SRX-series supports Dynamic Host Configuration Protocol (DHCP) client, relay, and server functions, enabling the services gateway to provide IP addresses and settings to hosts that are connected to the device's interfaces. When you configure the SRX-series device as a DHCP server, hosts can connect to the device's interface via subnet or through DHCP relay. To configure DHCP, use the dhcp statement at the [system services] hierarchy level.

NTP—JUNOS software for SRX-series incorporates Network Time Protocol (NTP) support, enabling the services gateway to synchronize time and coordinate time distribution in a large, diverse network. To configure NTP, use the ntp statement at the [system] hierarchy level.

For more information, see the JUNOS Software Administration Guide for Security Devices.

NOTE: This release of JUNOS software for the SRX-series devices does not support packet-based protocols such as MPLS, Connectionless Network Service (CLNS), and IP version 6 (IPv6).

IPv4—JUNOS software for SRX-series devices supports processing IPv4 (IP version 4) traffic through an interface. The IPv4 protocol family supports 32-bit addresses and subnets. To enable the IPv4 protocol for an interface, specify inet for the interface family. For example, use edit interfaces ge-0/0/3 unit 0 family inet address 10.10.10.10/24.

Class of service (CoS)—The JUNOS software for SRX-series devices class of service (CoS) feature provides a set of mechanisms that you can use to provide differentiated services when best-effort traffic delivery is insufficient. When a network experiences congestion and delay, some packets must be dropped. CoS allows you to classify and then divide traffic into classes and offer various levels of throughput and packet loss when congestion occurs. This allows packet loss to happen according to rules that you configure. Note that CoS policing is not available in this release.

You can use an SRX-series device to control traffic rate by applying classifiers and shapers. To configure CoS components, use the component you want to configure at the [edit class-of-service] hierarchy level of the configuration. For more information, see the JUNOS Software Interfaces and Routing Configuration Guide for Security Devices.

Network interfaces—SRX 3400 and SRX 3600 devices support a Switch Fabric Board (SFB) and Common Form-factor Module (CFM) slots.

The following table lists CFM slots on SRX 3400 and SRX 3600 devices:

Table 2: CFM Slots on SRX 3400 and SRX 3600 Devices

CFM Type                          SRX 3400 Devices       SRX 3600 Devices
I/O Cards (IOC)                   Slots 1 through 4      Slots 1 through 6
Services Processing Cards (SPC)   Slots: any             Slots: any
Network Processing Cards (NPC)    Slots 5 through 7      Slots 10 through 12

Security

The unique name of each network interface identifies its type and location and indicates whether it is a physical interface or an optional logical unit created on a physical interface. The name of each network interface has the following format to identify the physical device that corresponds to a single physical network connector:

type-slot/pic/port

For the SRX 3400 and 3600 devices:

■ The Switch Fabric Board (SFB) is always slot 0.

■ The PIC number is always 0. Only one PIC can be installed in a slot.

■ The designated port numbers are described in the following format:

For the SFB built-in copper Gigabit Ethernet ports, this number begins at 0 and increases from top to bottom, left to right, to a maximum of 7. For the SFB built-in fiber Gigabit Ethernet ports, this number begins at 8 and increases from left to right to a maximum of 11.

For 16-port Gigabit Ethernet IOCs, this number begins at 0 and increases to a maximum of 15.

For 2-port 10-Gigabit Ethernet IOCs, this number is 0 or 1.

NOTE: This feature is applicable only for SRX 3400 and SRX 3600 devices.
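The following Python validator is an added example (not code from the release notes or from Juniper) that applies the type-slot/pic/port naming rules and the Table 2 slot layout above: it parses an interface name, checks the PIC number, and maps the slot and port to the SFB connector or IOC port it would have to be on an SRX 3400 or SRX 3600, raising an error for names that cannot exist on that chassis. The "ge" and "xe" prefixes for Gigabit and 10-Gigabit Ethernet are the usual JUNOS conventions rather than something the page states, and using the prefix to decide which kind of IOC occupies a slot is my assumption; an inventory from the device would normally supply that.

```python
import re

# JUNOS interface name: type-slot/pic/port[.unit]. The "ge"/"xe" prefixes are
# JUNOS convention for Gigabit / 10-Gigabit Ethernet (assumption, not from the page).
IFNAME_RE = re.compile(
    r"^(?P<type>[a-z]+)-(?P<slot>\d+)/(?P<pic>\d+)/(?P<port>\d+)(?:\.(?P<unit>\d+))?$"
)

# Slot layout from Table 2 (CFM slots on SRX 3400 and SRX 3600)
IOC_SLOTS = {"srx3400": range(1, 5), "srx3600": range(1, 7)}
NPC_SLOTS = {"srx3400": range(5, 8), "srx3600": range(10, 13)}
SFB_SLOT = 0  # the Switch Fabric Board is always slot 0


def parse_ifname(name: str) -> dict:
    """Split type-slot/pic/port[.unit] into its numeric parts."""
    m = IFNAME_RE.match(name)
    if m is None:
        raise ValueError(f"not a type-slot/pic/port name: {name}")
    d = m.groupdict()
    return {
        "type": d["type"], "slot": int(d["slot"]), "pic": int(d["pic"]),
        "port": int(d["port"]), "unit": None if d["unit"] is None else int(d["unit"]),
    }


def classify_interface(name: str, model: str) -> str:
    """Describe which connector `name` refers to on an SRX 3400/3600, or raise
    ValueError when no such connector exists on that chassis."""
    if model not in IOC_SLOTS:
        raise ValueError(f"unknown model: {model}")
    i = parse_ifname(name)
    if i["pic"] != 0:
        raise ValueError("the PIC number is always 0 on SRX 3400/3600")
    slot, port, typ = i["slot"], i["port"], i["type"]

    if slot == SFB_SLOT:
        if typ != "ge":
            raise ValueError("the SFB has built-in Gigabit Ethernet ports only")
        if 0 <= port <= 7:
            return f"SFB built-in copper Gigabit Ethernet port {port}"
        if 8 <= port <= 11:
            return f"SFB built-in fiber Gigabit Ethernet port {port}"
        raise ValueError(f"SFB ports run 0 through 11, got {port}")

    if slot in NPC_SLOTS[model]:
        raise ValueError(f"slot {slot} holds an NPC on {model}; NPCs have no network ports")
    if slot not in IOC_SLOTS[model]:
        raise ValueError(f"slot {slot} is not an IOC slot on {model}")

    # Assumption: the type prefix identifies the IOC kind in the slot.
    if typ == "ge" and 0 <= port <= 15:
        return f"16-port Gigabit Ethernet IOC in slot {slot}, port {port}"
    if typ == "xe" and port in (0, 1):
        return f"2-port 10-Gigabit Ethernet IOC in slot {slot}, port {port}"
    raise ValueError(f"port {port} does not exist on a {typ} IOC")


if __name__ == "__main__":
    for n in ("ge-0/0/3", "ge-0/0/9", "xe-2/0/1", "ge-4/0/15"):
        print(n, "->", classify_interface(n, "srx3400"))
```

A check like this is useful when reviewing zone and policy configurations offline: an interface bound to a zone that cannot physically exist on the chassis is a sign of a configuration copied from the wrong platform.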

Security zones—Security zones are the building blocks for policies; they are logical entities to which one or more interfaces are bound. Security zones provide a means of distinguishing groups of hosts (user systems and other hosts, such as servers) and their resources from one another in order to apply different security measures to them. From the perspective of security policies, traffic enters into one security zone (to-zone) and goes out on another (from-zone). To configure security zones, use the zones statement at the [ security zones ] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.

Security policies—Security policies can be configured to control traffic flow from one zone to another by defining a certain action on the kinds of traffic that is allowed from specified sources to specified destinations at scheduled times. When packets match a policy, the policy instructs the flow to apply different rules for features. To configure a policy, use the policy statement at the [set security policies] hierarchy level.

Firewall screens—JUNOS software for SRX-series provides various detection methods and defense mechanisms to combat the following security breaches at all stages of their execution:

SYN, UDP, and ICMP flood attacks

Network DoS attacks

Operating system-specific DoS attacks

To configure screen options, use the screen statement at the [set security screen] hierarchy level.

Firewall user authentication—Firewall user authentication enables you to restrict and permit access to protected resources behind a firewall based on a user's source IP address and other credentials. You may use pass-through authentication or Web authentication to control access to the protected resources. With pass-through authentication, a user from one zone tries to access resources from another zone over an FTP, Telnet, or HTTP connection. With Web authentication, a user tries to connect to an IP address on the device over an HTTP connection. With both methods, the device forwards the user's credentials to the server of your choice (local, RADIUS, LDAP, or RSA SecurID) to authenticate the user and control subsequent access requests.

To configure pass-through authentication, use the following statement:

set security policies from-zone zone-name to-zone zone-name policy policy-name then permit firewall-authentication pass-through

To configure Web authentication, use the following statement:

set security policies from-zone zone-name to-zone zone-name policy policy-name then permit firewall-authentication web-authentication

For more information, see the JUNOS Software Security Configuration Guide.

IPsec VPN—A virtual private network (VPN) provides a means for securely communicating among remote computers across a public wide area network (WAN) such as the Internet. Using the JUNOS Software VPN feature, you can secure traffic from your local area network (LAN) to remote users (end-to-site VPN) or between two separate LANs (site-to-site VPN). JUNOS Software uses IP security (IPsec) to secure the VPN traffic at the IP layer, authenticating and encrypting traffic by using phased tunnel negotiations. For more information, see the JUNOS Software Security Configuration Guide.

Network Address Translation—Network Address Translation (NAT) is a method by which IP addresses in a packet are mapped from one group to another and, optionally, port numbers in the packet are translated into different port numbers. NAT is described in RFC 1631 to solve IP (version 4) address depletion problems. On SRX-series devices, JUNOS software decouples NAT configuration from policy configuration. NAT has its own rules to regulate traffic on the SRX-series devices. To configure NAT, use the nat statement at the [set security] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.

Static NAT—Static Network Address Translation (NAT) defines a one-to-one static mapping from one IP subnet to another IP subnet. To configure static NAT, use the static statement at the [edit security nat] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.


Intrusion Detection and Prevention (IDP)

IDP application identification—Juniper Networks provides predefined application signatures that detect TCP and UDP applications running on nonstandard ports. Identifying these applications allows IDP to apply appropriate attack objects to applications running on nonstandard ports. It also improves performance by narrowing the scope of attack signatures for applications without decoders.

Application signatures are available as part of the security package provided by Juniper Networks. You download predefined application signatures along with the security package updates. Application identification is enabled by default and is automatically turned on when you configure the default application in the IDP policy. For more information, see the JUNOS Software Security Configuration Guide.

IDP custom attacks and groups—JUNOS CLI support is available for creating IDP custom attacks and groups. You can use the JUNOS configuration statements to configure the required fields. For more information, see the JUNOS Software CLI Reference.

IDP DiffServ marking—Configuring Differentiated Services Code Point (DSCP) values in IDP policies provides a method of associating class-of-service (CoS) values—thus different levels of reliability—for different types of traffic on the network. DSCP is an integer value encoded in the 6-bit field defined in IP packet headers. It is used to enforce CoS distinctions. CoS allows you to override the default packet-forwarding behavior and assign service levels to specific traffic flows.

You can configure a DSCP value as an action in an IDP policy rule. Based on the DSCP value, behavior aggregate classifiers set the forwarding class and loss priority for the traffic, determining the forwarding treatment the traffic receives. For more information, see the JUNOS Software Security Configuration Guide.

IDP J-Web support—You can configure IDP policies and request security package updates by using Quick Configuration pages in the J-Web user interface. You can also display IDP status and memory usage in the J-Web monitoring pages. For more information, see the JUNOS Software Security Configuration Guide and the JUNOS Software Administration Guide for Security Devices.

IDP logging—The basic JUNOS system logging continues to function after IDP is enabled. An IDP-enabled device supports basic JUNOS system logging and continues to record events that occur because of routine operations, such as a user login into the configuration database. It records failure and error conditions, such as failure to access a configuration file. In addition to the regular system log messages, IDP generates event logs for attacks. To manage attack log volume and message size, IDP supports log suppression.

Enabling log suppression ensures that minimal numbers of logs are generated for the same event or attack that occurs multiple times. To configure log suppression, use the suppression statement at the [edit security idp sensor-configuration log] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.

IDP session-limit threshold-crossing event—The number of IDP sessions per SPU is typically 128K, except on 4G SPUs in non-combo mode, where it is set to 256K. These numbers can be found in the IDP documentation. When the number of IDP sessions exceeds the allowed limit, log messages are generated indicating that the number of IDP sessions exceeded the limit. When the number of IDP sessions drops to fewer than 5120 from the allowed high-water mark, another log message will be sent indicating that IDP sessions have dropped below the allowed limit.

IDP policies—Intrusion Detection and Prevention (IDP) policy enables you to selectively enforce various attack detection and prevention techniques on network traffic passing through an IDP-enabled device. It allows you to define policy rules to match a section of traffic based on a zone, network, and application, and then take active or passive preventive actions on that traffic.

A policy is made up of rulebases, and each rulebase contains a set of rules. You define rule parameters, such as traffic match conditions, action, and logging requirements and then add the rules to rulebases. You can create new IDP policies from scratch, or start with a predefined template provided by Juniper Networks.

Juniper Networks also provides custom application objects and attack objects that you can configure as match conditions in policies.

To configure an IDP policy, use the idp-policy statement at the [edit security idp] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.

IDP protocol detector engine—The IDP protocol detector engine contains Application Layer protocol decoders or services. You can download the protocol detector updates along with the signature database updates.

IDP supports 52 protocol decoders or services. Protocol decoders scan protocol headers and message bodies to identify individual fields in the protocols and determine whether the data conforms to the RFC. You configure protocol decoders in IDP policy rules to specify the protocol that an attack uses to access your network.

For more information, see the JUNOS Software Security Configuration Guide.

IDP signature database—The signature database is one of the major components of IDP. It contains definitions of different objects—such as attack objects, application signature objects, and service objects—that are used in defining IDP policy rules. As a response to new vulnerabilities, Juniper Networks periodically provides a file containing attack database updates on the Juniper Web site.

To protect your network from new threats, you can download signature database updates manually or configure your device to download them automatically at a specified interval. For more information, see the JUNOS Software Security Configuration Guide.

IDP SSL Inspection—Secure Sockets Layer (SSL) is a protocol suite that consists of different versions, ciphers, and key exchange methods. SSLv2, SSLv3, and TLS protocols are supported. Combined with the Application Identification feature, the SSL Inspection feature enables SRX-series devices to inspect HTTP traffic encrypted in SSL on any TCP/UDP port. SSL inspection is disabled by default and can be enabled by using the configuration CLI. To display all installed keys and associated servers, use the show security idp ssl-inspection key command. This feature is supported on SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices.

For more information, see the JUNOS Software Security Configuration Guide.


J-Web

J-Web user interface—A graphical user interface enables you to configure, monitor, troubleshoot, and manage the SRX-series devices through an Internet browser. The J-Web interface includes Quick Configuration pages to perform basic configuration of the devices and monitoring tools to view system health, routes, and statistics. The J-Web interface provides diagnostic tools (such as ping and traceroute) and file utilities to manage configuration files, licenses, and temporary files on the device. The J-Web interface also includes a Chassis View, which provides a graphical, dynamic view of the SRX-series of devices.

J-Web Chassis View—The Chassis View allows the dynamic display of line cards, link states, errors, individual Physical Interface Cards (PICs), Flexible PIC Concentrators (FPCs), fans, power supplies, and so on. It also helps you view the current status of the services gateway.

The Chassis View appears on the Dashboard page by default when you log in to the services gateway.

NOTE: The Chassis View option can be enabled or disabled in the Dashboard Preference dialog box. To access the Dashboard Preference dialog box, click the icon on the upper-right corner of the Dashboard page and select Chassis View from the Dashboard Preference dialog box. You can also enable Chassis View by clearing the Internet Explorer cookies.

NOTE: To use the Chassis View, a recent version of Adobe Flash that supports ActionScript and AJAX (version 9) must be installed.

For more details about how to use the J-Web Chassis View, see the JUNOS Software Administration Guide.

Management and Administration

Chassis management—JUNOS software for SRX-series devices provides the ability to monitor and manage select chassis components. This includes monitoring chassis clusters, component temperature and cooling systems, chassis firmware, and chassis location. The CLI also provides commands for bringing most chassis components online and offline.

To bring chassis components online and offline, use the chassis statement at the [request] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.

NOTE: In SRX-series devices, the offline, online, and restart commands are supported only on IOCs and are not supported on SPCs.


The chassis control daemon (chassisd) comprises the following major components:

Switch Control Board (SCB)

Routing Engine (RE)

Network Processing Card (NPC)

Services Processing Card (SPC)

Input/Output Card (IOC)

Power Module (PWM)

Front Panel Display (FPD)

Fan Tray

Map Table fru

To view chassis details, use the show chassis statement.

NOTE: This feature is applicable only for SRX 3400 and SRX 3600 devices.

System logging—JUNOS software for SRX-series devices generates separate system log messages (also called syslog messages) to record events that occur on the system’s data and control planes.

The data plane logs primarily include a list of security events that the system has handled directly inside the data plane. Because the system has already handled these events, it does not send them on to the Routing Engine. Instead, the system streams the logs directly to external log servers, bypassing the Routing Engine. To view the data plane logs, use the log statement at the [security] hierarchy level.

NOTE: In SRX-series, data plane logs and control plane logs have to be configured separately only for SRX 3400, SRX 3600, SRX 5600, and SRX 5800.

For all other SRX-series devices, the system sends this list of control plane events and the security events that the system has handled directly inside the data plane on to the eventd process on the Routing Engine, which then handles the events by using JUNOS event policies and/or by generating system log messages. You can choose to send control plane logs to a file, user terminal, routing platform console, or remote machine.

To generate logs for control plane events and for security events generated within the data plane, use the syslog statement at the [system] hierarchy level. For more information, see the JUNOS Software Administration Guide for Security Devices.

Packet tracing—The JUNOS software for SRX-series devices trace function provides a tool for applications to write security and security flow debugging information to a file. The information that appears in this file is based on configured criteria. These criteria include source port, destination port, protocol, interface, and string matching. Use this information to analyze security application issues. The trace function operates in a distributed manner, with each thread writing to its own trace buffer. These trace buffers are then collected at one point, sorted, and written to trace files. Trace messages are delivered using the InterProcess Communications (IPC) protocol.

To configure trace options, use the traceoptions statement at the [set security] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.

Services Processing Unit (SPU) monitoring—JUNOS software for SRX-series devices provides a new JUNOS software-based security device that uses multiple processors to process traffic. SPU monitoring allows for:

CPU utilization per SPU in percentage

Memory utilization per SPU in percentage

These metrics provide information that can be used to prevent unexpected outages and look for trends for capacity planning. To monitor the Flexible PIC Concentrator (FPC) card by using the SPU unit’s CPU and memory utilization, use the show security monitoring fpc statement.

Simple Network Management Protocol (SNMP)—JUNOS software for SRX-series devices supports SNMP, which is part of the Internet protocol suite that is used to monitor network-attached devices for conditions that warrant administrative attention. SNMP enables the monitoring of network devices from a central location.

The SNMP agent exchanges network management information with SNMP manager software running on a network management system (NMS), or host. The agent responds to requests for information and actions from the manager. The agent also controls access to the agent’s Management Information Base (MIB), the collection of objects that can be viewed or changed by the SNMP manager. The SNMP manager collects information on network connectivity, activity, and events by polling managed devices.

A MIB is a hierarchy of information used to define managed objects in a network device. The MIB structure is based on a tree structure, which defines a grouping of objects into related sets. Each object in the MIB is associated with an object identifier (OID), which names the object. The “leaf” in the tree structure is the actual managed object instance, which represents a resource, event, or activity that occurs in your network device. MIBs are either standard or enterprise-specific.

Standard MIBs are created by the Internet Engineering Task Force (IETF) and documented in various RFCs. Depending on the vendor, many standard MIBs are delivered with the Network Management System (NMS) software. You can also download the standard MIBs from the IETF Web site, http://www.ietf.org, and compile them into your NMS, if necessary.

Enterprise-specific MIBs are developed and supported by a specific equipment manufacturer. If your network contains devices that have enterprise-specific MIBs, you must obtain them from the manufacturer and compile them into your network management software. For a list of Juniper Networks enterprise-specific supported MIBs, see “Juniper Networks Enterprise-Specific MIBs” in the JUNOS Network Management Configuration Guide.


New Features in JUNOS Software Release 9.5 for SRX-series Services Gateways

Software Features on page 98

Hardware Features—SRX 210 Services Gateways on page 109

Hardware Features—SRX 240 Services Gateways on page 114

Hardware Features—SRX650 Services Gateways on page 117

Hardware Features—SRX 5600 and SRX 5800 Services Gateways on page 121

Software Features

Application Layer Gateways (ALGs)

DNS ALG

Now supported on SRX 210 devices.

JUNOS software for SRX-series devices provides Domain Name System (DNS) support. The DNS ALG monitors DNS query and reply packets and closes the session if the DNS flag indicates the packet is a reply message.

To configure the DNS ALG, use the edit security alg dns statement at the [edit security alg] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.

FTP ALG

Now supported on SRX 240 and SRX650 devices. Existing support on SRX 210, SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices.

For information on functionality, see the “JUNOS for SRX-Series Services Gateways Product Overview” section.

To configure the FTP ALG, use the edit security alg ftp statement at the [edit security alg] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.

H.323 ALG

Now supported on SRX 210 devices.

JUNOS software for SRX-series devices provides H.323 standard and H.323 Avaya support. The H.323 standard is a legacy VoIP protocol defined by the International Telecommunication Union Telecommunication Standardization (ITU-T). H.323 consists of a suite of protocols (such as H.225.0 and H.245) that are used for call signaling and call control for VoIP.

To configure the H.323 ALG, use the edit security alg h323 statement at the [edit security alg] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.

MGCP ALG

Now supported on SRX 210 devices.

JUNOS software for SRX-series devices provides Media Gateway Control Protocol (MGCP) support. MGCP is a text-based Application Layer protocol used for call setup and call control between the media gateway and the media gateway controller (MGC).

To configure the MGCP ALG, use the edit security alg mgcp statement at the [edit security alg] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.

PPTP ALG

Now supported on SRX 210 devices.

JUNOS software for SRX-series devices provides Point-to-Point Tunneling Protocol (PPTP) support. PPTP is a Layer 2 protocol that tunnels PPP data across TCP/IP networks. The PPTP client is freely available on Windows systems and is widely deployed for building virtual private networks (VPNs).

To configure the PPTP ALG, use the edit security alg pptp statement at the [edit security alg] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.

RPC ALG

Now supported on SRX 210 devices.

JUNOS software for SRX-series devices provides basic Remote Procedure Call (RPC) support. RPC is a protocol that allows an application running in one address space to access the resources of applications running in another address space as if the resources were local to the first address space. The RPC ALG is responsible for RPC packet processing.

To configure the RPC ALG, use the edit security alg rpc statement at the [edit security alg] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.

RSH ALG

Now supported on SRX 210 devices.

JUNOS software for SRX-series devices provides Remote Shell (RSH) support. The RSH ALG handles TCP packets destined for port 514 and processes the RSH port command. The RSH ALG performs NAT on the port in the port command and opens gates as necessary.

To configure the RSH ALG, use the edit security alg rsh statement at the [edit security alg] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.

RTSP ALG

Now supported on SRX 210 devices.

JUNOS software for SRX-series devices provides Real-Time Streaming Protocol (RTSP) support.

To configure the RTSP ALG, use the edit security alg rtsp statement at the [edit security alg] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.

SCCP ALG

Now supported on SRX 210 devices.


JUNOS software for SRX-series devices provides Skinny Client Control Protocol (SCCP) support. SCCP is a Cisco proprietary protocol for call signaling. Skinny is based on a call-agent-based call-control architecture. The control protocol uses binary-coded frames encoded on TCP frames sent to well-known TCP port number destinations to set up and tear down RTP media sessions. The SCCP protocol, just as other call control protocols, negotiates media endpoint parameters, specifically the RTP port number and the IP address of media termination, by embedding information in the control packets. The SCCP ALG parses these control packets and facilitates media and control packets to flow through the SRX-series devices.

To configure the SCCP ALG, use the edit security alg sccp statement at the [edit security alg] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.

SIP ALG

Now supported on SRX 210 devices.

JUNOS software for SRX-series devices provides Session Initiation Protocol (SIP) support. SIP is an Internet Engineering Task Force (IETF)-standard protocol for initiating, modifying, and terminating multimedia sessions over the Internet. Such sessions might include conferencing, telephony, or multimedia, with features such as instant messaging and application-level mobility in network environments.

To configure the SIP ALG, use the edit security alg sip statement at the [edit security alg] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.

SQLNET ALG

Now supported on SRX 210 devices.

JUNOS software for SRX-series devices provides Structured Query Language (SQL) support. The SQLNET ALG processes SQL TNS response frames from the server side. It parses the packet and looks for (HOST = ipaddress), (PORT = port) patterns and performs NAT and gate opening on the client side for the TCP data channel.

To configure the SQLNET ALG, use the edit security alg sqlnet statement at the [edit security alg] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.

TALK ALG

Now supported on SRX 210 devices.

JUNOS software for SRX-series devices provides TALK protocol support. The TALK protocol uses UDP port 517 and port 518 for control channel connections. The talk program consists of a server and a client. The server handles client notifications and helps to establish talk sessions. There are two types of talk servers: ntalk and talkd. The TALK ALG processes packets of both ntalk and talkd formats. It also performs NAT and gate opening as necessary.

To configure the TALK ALG, use the edit security alg talk statement at the [edit security alg] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.

TFTP ALG

Now supported on SRX 240 and SRX650 devices. Existing support on SRX 210, SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices.

For information on functionality, see the “JUNOS for SRX-Series Services Gateways Product Overview.”

To configure the TFTP ALG, use the edit security alg tftp statement at the [edit security alg] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.

Chassis Clustering

Active/active chassis clustering

This feature is supported on SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices.

The data plane now supports active/active chassis clustering for these SRX-series devices. The chassis clustering on these SRX-series devices is no longer restricted to the creation of only one redundancy group beyond redundancy group 0. You can now configure one or more redundancy groups numbered 1 through 128.

Multiple redundancy groups make it possible for traffic to arrive on an interface of one redundancy group and egress on an interface that belongs to another redundancy group. In this situation, the ingress and egress interfaces might not be active on the same node. When this happens, the traffic is forwarded over the fabric link to the appropriate node. SRX-series chassis clusters operate with an active/backup control plane.

Control link recovery

This feature is supported on SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices.

Prior to this release, when a node was disabled due to control link failure, after fixing the issue, you had to manually reboot the disabled node to make the disabled node rejoin the cluster. With this release, you can specify that control link recovery be done automatically by the system by using the set chassis cluster control-link-recovery command (this feature is disabled by default). Once the system determines that the control link is healthy, it issues an automatic reboot on the disabled node. When the disabled node reboots, the node rejoins the cluster. There is no need for any manual intervention.

Cold synchronization monitoring

This feature is now supported on SRX 210, SRX 240, and SRX650 devices. Existing support on SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices.

The process of synchronizing data plane RTOs (runtime objects) on the startup of the Services Processing Units (SPUs) or flowd is called cold sync. Chassis clustering supports the process of monitoring the cold-sync state of all SPUs or flowd on a node. Also, if you enable preempt, cold-sync monitoring prevents the node from taking over mastership until the cold-sync process is completed for all the SPUs or flowd on the node.

Flowd monitoring

This feature is supported on SRX 210 devices.


Chassis clustering supports the process of monitoring the health of the flowd process. A failed flowd process causes failover of redundancy group x to the secondary node.

SNMP failover traps

This feature is supported on SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices.

Chassis clustering supports SNMP traps, which are triggered whenever there is a redundancy group failover. You can specify that a trace log be generated by using the set chassis cluster traceoptions flag snmp command.

SPU monitoring

This feature is supported on SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices.

Chassis clustering supports the process of monitoring the health of the SPUs and of the central point (CP). A single, failed SPU causes failover of redundancy group x to the secondary node. A central point failure triggers failover to the secondary node.
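The clustering features described in this section (several redundancy groups beyond group 0, automatic control link recovery, preempt, and the SNMP failover trace flag) shown together in one configuration fragment. This is an added example, not from the release notes or from Juniper; the node priorities, redundancy-group numbers and reth-count are assumed values.

```junos
chassis {
    cluster {
        /* Reboot a node disabled by control link failure automatically once the control link is healthy again (off by default) */
        control-link-recovery;
        /* Assumed: two redundant Ethernet interfaces */
        reth-count 2;
        /* Redundancy group 0 is the control plane, which stays active/backup */
        redundancy-group 0 {
            node 0 priority 200;
            node 1 priority 100;
        }
        /* Data plane groups 1 and 2 are active on different nodes, so traffic that
           enters on an RG1 interface and leaves on an RG2 interface crosses the fabric link */
        redundancy-group 1 {
            node 0 priority 200;
            node 1 priority 100;
            /* With preempt, cold-sync monitoring delays takeover until all SPUs on the node finish cold sync */
            preempt;
        }
        redundancy-group 2 {
            node 0 priority 100;
            node 1 priority 200;
            preempt;
        }
        /* Trace log for the SNMP failover traps */
        traceoptions {
            flag snmp;
        }
    }
}
```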


Intrusion Detection and Prevention (IDP)

Configuring IDP test conditions in custom anomaly attacks

This feature is supported on SRX 210, SRX 240, SRX650, SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices.

The user can now see the supported test conditions for a protocol in the CLI.

When configuring IDP custom attacks, you can now list supported test conditions for a specific protocol. For example, to configure test conditions for ICMP:

1. List supported test conditions for ICMP and choose the one you want to configure:

[edit security idp custom-attack test1 attack-type anomaly]
user@host# set test icmp?
Possible completions:
  <test>                 Protocol anomaly condition to be checked
  ADDRESSMASK_REQUEST
  DIFF_CHECKSUM_IN_RESEND
  DIFF_CHECKSUM_IN_RESPONSE
  DIFF_LENGTH_IN_RESEND

2. Configure the service for which you want to configure the test condition:

[edit security idp custom-attack test1 attack-type anomaly]
user@host# set service ICMP

3. Configure the test condition (specifying the protocol name is not required):

[edit security idp custom-attack test1 attack-type anomaly]
user@host# set test ADDRESSMASK_REQUEST

Interfaces and Routing

Class of Service (CoS)

This feature is now supported on SRX 210, SRX 240, and SRX650 devices. Existing support on SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices.

CoS allows you to divide traffic into classes and specify various levels of throughput and packet loss when congestion occurs. This allows packet loss to occur according to the rules you configure. For more information about the JUNOS implementation of CoS and about configuring CoS, see the JUNOS Software Interfaces and Routing Configuration Guide.

Configuring simple filters and policers

This feature is supported on SRX 3400 and SRX 3600 devices.

To handle oversubscribed traffic in the SRX 3400 and SRX 3600 series devices, you can configure simple filters and policing. The simple filter functionality comprises the following:

Classifying packets according to configured policies

Taking appropriate actions based on the results of classification

Intermediate System-to-Intermediate System (IS-IS)

This feature is supported on SRX 210, SRX 240, SRX650, SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices.

IS-IS is a classless interior routing protocol developed by the International Organization for Standardization (ISO) as part of the development of the Open Systems Interconnection (OSI) protocol suite. Like OSPF, IS-IS uses hello packets that allow network convergence to occur quickly when network changes are detected.

For more information about the IS-IS protocol and about configuring IS-IS, see the JUNOS Software Interfaces and Routing Configuration Guide.

Jumbo frame support

This feature is supported on SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices.

Jumbo frames (9192-byte MTUs) are supported on Gigabit Ethernet interfaces and 10-Gigabit Ethernet interfaces. To configure jumbo frame support, see the JUNOS Software Interfaces and Routing Configuration Guide.

Layer 2 bridging and transparent mode

This feature is supported on SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices.

This release provides Layer 2 bridging with transparent mode. Transparent mode provides full security services on top of Layer 2 bridging functions. An SRX services gateway operates in Layer 2 transparent mode when all physical interfaces on the device are configured as Layer 2 logical interfaces. There is no command to enable transparent mode on the device.

NOTE: You cannot define both Layer 2 and Layer 3 logical interfaces on a physical interface.

To configure a Layer 2 logical interface, use the unit statement at the [edit interfaces] hierarchy, and configure the logical interface with the bridge family type. You can configure the logical interface as an access or a trunk interface.

A bridge domain is a set of logical interfaces that share the same flooding or broadcast characteristics. You can configure a set of bridge domains that are associated with a trunk interface. The set of bridge domains then functions as a switch: a packet received on a trunk interface is forwarded based on the VLAN ID (a packet is forwarded within the bridge domain that has the same VLAN ID as the packet) and destination MAC. VLAN-based MAC learning, forwarding, and aging are supported. To configure a bridge domain, use the [edit bridge-domains] hierarchy to specify the VLAN ID(s) for packets that will be forwarded on the bridge domain.

NOTE: In this release, Layer 2 bridging does not support STP. It is the user’s responsibility to ensure that no flooding loops exist in the network topology.

You can optionally configure an integrated routing and bridging (IRB) interface for management traffic on the device. For this release, the IRB interface does not support traffic forwarding or routing. To configure an IRB interface, create an irb logical interface in the [edit interfaces] hierarchy, and then reference the IRB interface in the [edit bridge-domains] hierarchy.

When packets are forwarded through a bridge domain, security policies can be applied between Layer 2 security zones. To create Layer 2 security zones, use the security-zone statement at the [edit security zones] hierarchy, and specify the interfaces that belong to the zone. (The IRB interface cannot be assigned to any security zone.) You can configure screen options, address books, or TCP-RST for Layer 2 security zones.

NOTE: You can configure the same screen options for a Layer 2 security zone as for a Layer 3 security zone, with the exception of IP spoofing.

You configure a transparent mode security policy in the same way as for policies configured for Layer 3 zones, with the following exceptions:

NAT is not supported

Layer 2 IPsec VPN is not supported

ALGs are not supported

IDP policies are not supported for Layer 2 traffic

To configure a transparent mode security policy, use the [edit security policies] hierarchy.

NOTE: Chassis clustering of SRX devices in transparent mode is not supported in this release.

For more information, see the JUNOS Software Interfaces and Routing Configuration Guide.
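The transparent mode building blocks described above (Layer 2 logical interfaces with the bridge family, a bridge domain keyed by VLAN ID, a management-only IRB interface, Layer 2 security zones and a policy between them) assembled into one configuration. This is an added example, not from the release notes or from Juniper; the interface names, VLAN ID, zone and policy names and the IRB address are assumed.

```junos
interfaces {
    ge-0/0/1 {
        unit 0 {
            /* Untagged access port in VLAN 10; no Layer 3 family on this physical interface */
            family bridge {
                interface-mode access;
                vlan-id 10;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            /* Tagged uplink carrying VLAN 10 */
            family bridge {
                interface-mode trunk;
                vlan-id-list 10;
            }
        }
    }
    irb {
        unit 0 {
            /* Management only: the IRB does not forward or route in this release */
            family inet {
                address 192.0.2.1/24;
            }
        }
    }
}
bridge-domains {
    vlan10 {
        domain-type bridge;
        /* Packets tagged VLAN 10 are forwarded within this domain */
        vlan-id 10;
        routing-interface irb.0;
    }
}
security {
    zones {
        /* Layer 2 zones contain bridge logical interfaces; irb.0 is never placed in a zone */
        security-zone l2-trust {
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone l2-untrust {
            interfaces {
                ge-0/0/2.0;
            }
        }
    }
    policies {
        /* Same policy syntax as Layer 3 zones; NAT, IPsec VPN, ALGs and IDP do not apply here */
        from-zone l2-trust to-zone l2-untrust {
            policy allow-out {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
```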

3G wireless network connections

This feature is supported on SRX 210 devices.

This release allows SRX 210 devices to use 3G networks as primary or backup WAN links. Juniper supports the following 3G wireless modem cards installed in the ExpressCard slot of the SRX 210 services gateway:

Sierra Wireless AirCard Global System for Mobile communications (GSM) High-Speed Downlink Packet Access (HSDPA) ExpressCard

Sierra Wireless AirCard Code-Division Multiple Access (CDMA) 1xEvolution-Data Optimized (EV-DO) rev. A ExpressCard

The physical interface cl-0/0/8 is created automatically when the 3G modem is installed in the SRX 210 services gateway. To configure the interface, use the set interfaces cl-0/0/8 statement at the [set interfaces] hierarchy level. To configure the logical dialer interface, use the set interfaces dln statement at the [set interfaces] hierarchy level. For more information, see the JUNOS Software Interfaces and Routing Configuration Guide.

Multicast Interfaces

This feature is supported on SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices.

Multicast traffic streams between a single source and multiple destinations. In Protocol Independent Multicast (PIM) sparse mode, the first-hop routing platform encapsulates packets destined for the rendezvous point device. The packets are encapsulated with a unicast header and are forwarded through a unicast tunnel to the rendezvous point. The rendezvous point then de-encapsulates the packets and transmits them through its multicast tree.

Within a device, packets are routed to the PIM interfaces pe-0/0/0 for encapsulation and pd-0/0/0 for de-encapsulation. These interfaces are not associated with physical network interfaces and are created internally when you issue the set protocol pim command. You must configure PIM with the [edit protocols pim] hierarchy to perform PIM encapsulation or de-encapsulation.

For more information about multicast protocols and configuring multicast protocols on Juniper Networks devices, see the JUNOS Multicast Protocols Configuration Guide.

IPsec

IPsec multiple flow thread architecture

This feature is now also supported on SRX 210, SRX 240, and SRX650 devices; it was already supported on SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices.

These devices provide a multiple flow thread architecture that results in increased IPsec performance. For more information, see the JUNOS Software Security Configuration Guide.

Dynamic VPN

This feature is supported on SRX 210 and SRX 240 devices.

The dynamic VPN feature uses Internet Protocol Security (IPsec) technology to create secure VPN tunnels. This feature simplifies remote access by enabling users to establish VPN tunnels without having to manually configure VPN settings on their PCs or laptops. Instead, the client is dynamically delivered to users from the SRX 210 or SRX 240 devices upon successful authentication. This Layer 3 remote access client uses client-side configuration settings that it receives from the server to create and manage a secure VPN tunnel to the server. For more information, see the JUNOS Software Security Configuration Guide.

Management and Administration

Support for the TFTPBOOT installation method

This feature is supported on SRX 210 devices.

You can install the JUNOS software by using the Trivial File Transfer Protocol BOOT (TFTPBOOT) method. During installation of the JUNOS software, the secondary boot loader in the services gateway retrieves the JUNOS software package from a TFTP server. The software image is then installed on the internal flash. Using TFTP installation to install a new image wipes out any user-generated configuration on the router. The router comes up with the factory default configuration.

NOTE: The TFTPBOOT method can be used only on LANs.

To install the software image on the internal flash, issue the following command at the loader prompt:

Loader > install URL

where URL is tftp://<tftp server ip> <package name>

You can use the TFTPBOOT method in the following scenarios:

To bring up the SRX 210 services gateway if the standard boot process fails

To install the JUNOS software on the SRX 210 services gateway for the first time

To start JUNOS without using the NAND flash

For more information about the other installation methods, see the JUNOS Software Administration Guide for Security Devices.

Security

Unified Access Control (UAC) integration

This feature is now also supported on SRX 240 and SRX650 devices; it was already supported on SRX 210, SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices.

You can configure an SRX-series services gateway to act as a JUNOS Enforcer in a Unified Access Control (UAC) deployment. When deployed as a JUNOS Enforcer, the SRX-series device enforces the policies that are defined on the UAC's Infranet Controller. To configure the SRX-series device as a JUNOS Enforcer, enable the application-services statement at the [edit security policies from-zone zone-name to-zone zone-name policy match then permit] hierarchy level. Then use the unified-access-control statement at the [edit services] hierarchy level to configure UAC features. For more information, see the JUNOS Software Security Configuration Guide.
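The two hierarchies named above, put together as a minimal JUNOS Enforcer configuration. This is an added example and not configuration from the release notes or from Juniper; the zone names, policy name, Infranet Controller name and address (192.0.2.10, a documentation address) and the password placeholder are assumptions, and lines starting with ## are explanatory comments, not CLI input.

```junos
## Added example (not from the release notes): SRX-series device as a
## JUNOS Enforcer in a UAC deployment. Assumed values: zones "trust" and
## "untrust", policy "uac-enforce", Infranet Controller "ic-1" at
## 192.0.2.10, shared secret placeholder "<shared-secret>".

## 1. Register the Infranet Controller ([edit services] hierarchy,
##    unified-access-control statement). The password must match the
##    one configured for this enforcer on the Infranet Controller; the
##    controller, not the SRX, is the source of the access decisions.
set services unified-access-control infranet-controller ic-1 address 192.0.2.10
set services unified-access-control infranet-controller ic-1 password "<shared-secret>"

## 2. Mark the security policy whose traffic is governed by the
##    controller's policies (application-services under "then permit").
##    Traffic matching this policy is forwarded only after the Infranet
##    Controller has authorized the source endpoint; unauthorized
##    endpoints that match the policy are dropped, not permitted.
set security policies from-zone trust to-zone untrust policy uac-enforce match source-address any
set security policies from-zone trust to-zone untrust policy uac-enforce match destination-address any
set security policies from-zone trust to-zone untrust policy uac-enforce match application any
set security policies from-zone trust to-zone untrust policy uac-enforce then permit application-services uac-policy

## 3. After commit, confirm the controller connection and the
##    endpoints it has authorized (operational-mode commands, assumed):
##   show services unified-access-control status
##   show services unified-access-control authentication-table
```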

Unified Threat Management (UTM) features

These features are supported on SRX 210, SRX 240, and SRX650 devices.

Antispam—E-mail spam consists of unwanted e-mail messages, usually sent by commercial, malicious, or fraudulent entities. The antispam feature examines transmitted e-mail messages to identify e-mail spam. When the device detects an e-mail message deemed to be spam, it either drops the message or tags the message header or subject field with a preprogrammed string.

The antispam feature uses a constantly updated spam block list (SBL). Sophos updates and maintains the IP-based SBL. The antispam feature is a separately licensed subscription service.

To configure antispam, use the antispam statement at the [set security utm feature-profile] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.

Content filtering—Content filtering blocks or allows certain types of traffic based on the MIME type, file extension, protocol command, and embedded object type. Content filtering does not require a separate license.

To configure content filtering, use the content-filtering statement at the [set security utm feature-profile] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.

Express antivirus—Express antivirus scanning is offered as a less CPU-intensive alternative to the full file-based antivirus feature. The express antivirus feature, like the full antivirus feature, scans specific Application Layer traffic for viruses against a virus signature database. However, unlike full antivirus, express antivirus does not reconstruct the original application content. Rather, it just sends (streams) the received data packets, as is, to the scan engine. With express antivirus, the virus scanning is executed by a hardware pattern matching engine. This improves performance while scanning is occurring, but the level of security provided is lessened. Juniper Networks provides the scan engine. The express antivirus scanning feature is a separately licensed subscription service.

To configure express antivirus, use the antivirus juniper-express-engine statement at the [set security utm feature-profile] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.

Full file-based antivirus—A virus is executable code that infects or attaches itself to other executable code to reproduce itself. Some malicious viruses erase files or lock up systems. Other viruses merely infect files and overwhelm the target host or network with bogus data. The full file-based antivirus feature provides file-based scanning on specific Application Layer traffic checking for viruses against a virus signature database. It collects the received data packets until it has reconstructed the original application content, such as an e-mail file attachment, and then scans this content.

Kaspersky Lab provides the internal scan engine. The full file-based antivirus scanning feature is a separately licensed subscription service.


To configure full file-based antivirus, use the antivirus kaspersky-lab-engine statement at the [set security utm feature-profile] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.

Integrated Web filtering—Web filtering lets you manage Internet usage by preventing access to inappropriate Web content. With the integrated Web filtering solution, the decision-making for blocking or permitting Web access is done on the device after it identifies the category for a URL either from user-defined categories or from a category server (Websense provides the CPA Server). The integrated Web filtering feature is a separately licensed subscription service.

To configure integrated Web filtering, use the web-filtering surf-control-integrated statement at the [set security utm feature-profile] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.

Redirect Web filtering—Web filtering lets you manage Internet usage by preventing access to inappropriate Web content. The redirect Web filtering solution intercepts HTTP requests and forwards the server URL to an external URL filtering server provided by Websense to determine whether to block or permit the requested Web access. Redirect Web filtering does not require a separate license.

To configure redirect Web filtering, use the web-filtering websense-redirect statement at the [set security utm feature-profile] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.

UTM licensing—The majority of UTM features function as a subscription service requiring a license. You can redeem this license once you have purchased your subscription license SKUs.

To apply your UTM license, use the request system license update command in operational mode. For more information, see the JUNOS Software Security Configuration Guide.

Antivirus SNMP support—SNMP support is provided for the following antivirus functionality: scan engine monitoring, signature database update status, and scan statistics.

For more information, see the JUNOS Network Management Guide.

Hardware Features—SRX 210 Services Gateways

JUNOS software for the SRX 210 services gateway integrates the world-class network security and routing capabilities of Juniper Networks. JUNOS software for the SRX 210 includes a wide range of security services, including policies, screens, Network Address Translation (NAT), and other flow-based services, that are also supported on the other SRX-series services gateways.

The SRX 210 services gateway offers features that provide complete functionality and flexibility for delivering secure Internet and intranet access. This services gateway offers stable, reliable, and efficient IP routing along with WAN and LAN connectivity.


The gateway provides Internet Protocol Security (IPsec), virtual private network (VPN), and firewall services for small and medium companies and enterprise branch and remote offices.

The SRX 210 services gateway can be connected directly to traditional private networks, such as leased line, Frame Relay, and MPLS networks, or the public Internet.

There are three variants of the SRX 210 services gateway:

Low Memory

High Memory

Power over Ethernet (PoE)

The SRX 210 services gateway has redundant and resilient hardware. The following table provides the SRX 210 services gateway chassis specifications.

Table 3: SRX 210 Services Gateway Chassis Specifications

Description      Value
Chassis height   1 rack unit (U)
Chassis width    11 in. (280 mm)
Chassis depth    7 in. (179 mm)

The following table provides information about the SRX 210 services gateway hardware features.

Table 4: SRX 210 Services Gateway Hardware Features

Gigabit Ethernet: Two ports on the front panel provide LAN and WAN connectivity to hubs, switches, local servers, and workstations with link speeds of 10/100/1000 Mbps. In the PoE version, PoE is supported on both ports.

Fast Ethernet: Six ports on the front panel provide LAN and WAN connectivity to hubs, switches, local servers, and workstations with link speeds of 10/100 Mbps. In the PoE version, PoE is supported on the first two Fast Ethernet ports.

Universal serial bus: Two ports on the front panel support a USB storage device that can function as a secondary boot device in the event of internal flash failure. USB ports also provide interfaces for communicating with peripherals such as USB storage devices and USB storage device adapters.

Console: One port on the front panel functions as a management port for directly logging into a device to configure it by using the CLI.

ExpressCards: One slot on the rear panel can hold a 3G wireless ExpressCard.


Table 4: SRX 210 Services Gateway Hardware Features (continued)

Mini-PIM: One slot on the front panel supports the following Mini-Physical Interface Modules (Mini-PIMs) to provide LAN and WAN functionality, along with access to the T1, E1, Gigabit Ethernet, ADSL, and Serial interfaces: T1/E1 Mini-PIM; 1-port SFP Mini-PIM; ADSL2+ Mini-PIM; Serial Mini-PIM.

External power supply: The total power consumption by the three SRX 210 services gateway variants is as follows:
  Low Memory: 35.5 W @ 12 V
  High Memory: 36.5 W @ 12 V
  PoE: 36.5 W @ 12 V; 50 W @ 48 V

Memory: Fixed random access memory (RAM): Low Memory, 512 MB; High Memory, 1 GB; PoE, 1 GB. Boot flash: 4 MB. Internal flash: 1 GB.

For more information, see the SRX 210 Services Gateway Hardware Guide.

Support for the 3G ExpressCard

Wireless WAN access is becoming widely available and comparable in cost to ISDN and DSL. The SRX 210 services gateway provides support for a wireless interface that serves both as a backup and as the primary WAN connection.

Juniper Networks supports 3G wireless modem cards that you can install into the ExpressCard slot in SRX 210 services gateways.

The 3G ExpressCard provides the following key features:

Operating mode selection—You can select the operating mode you want to use for the 3G ExpressCard. The supported operating modes are EVDO, HSDPA, and Automatic.

Activation of new cards through the CLI—You can activate CDMA ExpressCards through the JUNOS CLI.

Unlocking ExpressCards—You can unlock both CDMA and Global System for Mobile (GSM) ExpressCards through the JUNOS CLI.

Call logging support—Call logging provides details about the calling number, dialed number, direction and duration of the call, and traffic.

For more information, see the SRX 210 Services Gateway Hardware Guide.


Support for PoE

Power over Ethernet (PoE) is the implementation of the IEEE 802.3 AF standard, allowing both data and electric power to pass over a copper Ethernet LAN cable.

The SRX 210 services gateway supports PoE on Gigabit Ethernet ports. The PoE ports transfer electrical power, along with data, to remote devices over standard twisted-pair cable in an Ethernet network. PoE ports allow you to plug in devices that require both network connectivity and electric power, such as VOIP phones, wireless LAN access points, and IP telephones.

You can configure the gateway to act as power sourcing equipment to supply the power to powered devices connected on the designated ports.

The following table lists the SRX 210 services gateway PoE specifications.

Table 5: SRX 210 Services Gateway PoE Specifications

Supported standards: IEEE 802.3 AF; Legacy (pre-standards)
Supported ports: PoE is supported on the two Gigabit Ethernet ports and two Fast Ethernet ports.
Total PoE power sourcing capacity: 50 W
Per port power limit: 15.4 W
Power management modes: Static (power allocated for each interface can be configured); Class (power allocation for interfaces is decided based on the class of powered device connected)

ADSL Interface Support on SRX 210

The SRX 210 services gateway provides a single-port ADSL2+ Mini-Physical Interface Module (Mini-PIM). The ADSL2+ Mini-PIM provides a single physical interface for ADSL network media types.

The ADSL2+ Mini-PIM supports the following operational modes:

ADSL mode for ANNEX-A

ADSL mode for ANNEX-B

ADSL mode for ANNEX-M

The ADSL interface provides the following key features:


Automatic configuration of the ADSL line after negotiation with the DSLAM, minimizing configuration

Supports ADSL, ADSL2, and ADSL2+ protocols on the same interface card

Gasp support

MLPPP over two ADSL cards

Asynchronous Transfer Mode (ATM) Adaptation Layer 5 (AAL5) encapsulation

For more information, see the JUNOS Software Interfaces and Routing Configuration Guide for Security Devices.

Support for the T1 and E1 Interfaces

The T1/E1 Mini-Physical Interface Module (Mini-PIM) provides the physical connection to T1 or E1 network media types and also performs T1 or E1 framing and line-speed signaling.

The T1 and E1 interfaces provide the following key features:

Integrated channel service unit (CSU) or data service unit (DSU) to eliminate the need for a separate external device.

56-Kbps and 64-Kbps operating modes

Independent internal and external clocking option

Alarm reporting with a 24-hour history

Loopback, bit error rate test (BERT), facilities data link [FDL (T1 only)], and Long Buildout (T1 only) diagnostics

Multilink Frame Relay and Multilink PPP support

Complete configuration and management by CLI and J-Web

For more information, see the JUNOS Software Interfaces and Routing Configuration Guide for Security Devices.

Support for Connectivity to a Gigabit Ethernet Device or Network

The 1-Port Small Form factor Pluggable (SFP) Mini-Physical Interface Module (Mini-PIM) provides connectivity to a single Gigabit Ethernet device or network.

The 1-Port SFP Mini-PIM provides the following key features:

Enables you to install and remove transceivers without powering down the device

Provides real-time visual status of connectivity and traffic flows

Provides Link Up/Down alarm

Supports different transceiver types

For more information, see the SRX 210 Services Gateway Hardware Guide.


Serial Mini-Physical Interface Module

Serial WAN links provide bidirectional links that require very few control signals. In a basic serial setup, the data circuit-terminating equipment (DCE) is responsible for establishing, maintaining, and terminating a connection. A modem is a typical DCE device. A serial cable connects the DCE to a telephony network where, ultimately, a link is established with data terminal equipment (DTE). DTE is typically where a link terminates.

Key Features

Autoselection of operation modes based on DTE or DCE cables

Local and remote loopback diagnostics

Configurable clock rate for the transmit (TX) clock and receive (RX) clock

Complete configuration and management by CLI and J-Web configuration editor

Hardware Features—SRX 240 Services Gateways


JUNOS software for the SRX 240 services gateway integrates the world-class network security and routing capabilities of Juniper Networks products. JUNOS software for the SRX 240 services gateway includes a wide range of security services, including policies, screens, NAT, and other flow-based services that are also supported on the other SRX-series services gateways.

The SRX 240 device offers features that provide complete functionality and flexibility for delivering secure Internet and intranet access. The SRX 240 device offers stable, reliable, and efficient IP routing and WAN and LAN connectivity.

The device provides IP Security (IPsec), virtual private network (VPN), and firewall services for small and medium companies and enterprise branch and remote offices.

The SRX 240 services gateway can be connected directly to a traditional private network such as leased line, Frame Relay, or Multi Protocol Label Switching (MPLS) networks as well as the public Internet.

There are three types of SRX 240 services gateways:

Low Memory

High Memory

PoE

Table 6 on page 115 lists the hardware features supported on the SRX 240 services gateway.


Table 6: Hardware Features of the SRX 240 Services Gateway

Feature            SRX 240 Low Memory   SRX 240 High Memory   SRX 240 PoE
DDR memory         512 MB               1 GB                  1 GB
PoE support        No                   No                    Yes
Input power        119 W                128 W                 317 W
AC input voltage   100 to 240 VAC       100 to 240 VAC        100 to 240 VAC

The SRX 240 services gateway has redundant and resilient hardware.

Table 7 on page 115 describes the SRX 240 services gateway hardware specifications.

Table 7: Hardware Specifications of the SRX 240 Services Gateway

Chassis height: 1 Rack Unit (U)
Chassis width: 17.5 in (444 mm)
Chassis depth: 16 in (408.23 mm)
Maximum thermal output:
  SRX 240 Low Memory: AC power 396 BTU/hour (116 W); DC power 338 BTU/hour (99 W)
  SRX 240 High Memory: AC power 427 BTU/hour (125 W); DC power 365 BTU/hour (107 W)
  SRX 240 PoE: AC power 560 BTU/hour (164 W); DC power 478 BTU/hour (140 W)
Temperature: Normal operation ensured in temperature range of 32°F (0°C) to 104°F (40°C). Nonoperating storage temperature in shipping container: –40°F (–40°C) to 158°F (70°C).

Table 8 on page 116 describes the SRX 240 services gateway hardware features.


Table 8: SRX 240 Services Gateway Hardware Features

Gigabit Ethernet: Sixteen ports on the front panel provide LAN and WAN connectivity to hubs, switches, local servers, and workstations with link speeds of 10/100/1000 Mbps. NOTE: On the PoE version of the SRX 240 services gateway, all 16 Gigabit Ethernet ports support PoE.

Universal Serial Bus (USB): Two ports on the front panel support a USB storage device that can function as a secondary boot device in the event of internal flash failure. USB ports also provide interfaces for communicating with peripherals such as USB storage devices and USB storage device adapters.

Console: One port on the front panel functions as a management port for directly logging into a device to configure it using the CLI.

Mini-PIM: Four slots on the front panel support the following Mini-Physical Interface Modules (Mini-PIMs) to provide LAN and WAN functionality, along with access to the T1, E1, Gigabit Ethernet, and ADSL interfaces: T1/E1 Mini-PIM; 1-port SFP Mini-PIM; ADSL2+ Mini-PIM; Serial Mini-PIM.

Power supply: 100 to 240 VAC (integrated single AC power supply)

Memory: Fixed random access memory (RAM): 512 MB. Boot flash: 4 MB. Internal flash: 1 GB.

For more information, see the SRX 240 Services Gateway Hardware Guide.

Serial Mini-Physical Interface Module

Serial WAN links provide bidirectional links that require very few control signals. In a basic serial setup, the data circuit-terminating equipment (DCE) is responsible for establishing, maintaining, and terminating a connection. A modem is a typical DCE device. A serial cable connects the DCE to a telephony network where, ultimately, a link is established with data terminal equipment (DTE). DTE is typically where a link terminates.

Key Features

Autoselection of operational modes based on DTE or DCE cables

Local and remote loopback diagnostics

Configurable clock rate for transmit (TX) and receive (RX) clocks

Complete configuration and management by CLI and J-Web configuration editor

For more information, see the SRX 240 Services Gateway Hardware Guide.


Power Over Ethernet

Introduction

Power over Ethernet (PoE) is the implementation of the IEEE 802.3 AF standard, allowing both data and electric power to pass over a copper Ethernet LAN cable.

The SRX 240 services gateway supports PoE on Gigabit Ethernet ports. The PoE ports transfer electrical power, along with data, to remote devices over standard twisted-pair cable in an Ethernet network. PoE ports allow you to plug in devices that require both network connectivity and electric power, such as VOIP phones, wireless LAN access points, and IP telephones.

You can configure the gateway to act as power sourcing equipment to supply the power to powered devices connected on the designated ports.

SRX 240 Services Gateway PoE Specifications

Table 9 on page 117 lists the SRX 240 Services Gateway PoE specifications:

Table 9: SRX 240 Services Gateway PoE Specifications

Supported standards: IEEE 802.3 AF; IEEE 802.3 AT (draft); Legacy (pre-standards)
Supported ports: Supported on all sixteen Gigabit Ethernet ports
Total PoE power sourcing capacity: 150 W
Per port power limit: 30 W
Power management modes: Static (power allocated for each interface can be configured); Class (power allocation for interfaces is decided based on the class of powered device connected)

Hardware Features—SRX650 Services Gateways


The SRX650 is a mid-range dynamic services gateway that consolidates network infrastructure and security applications for regional offices, large branch offices, and small to medium enterprises. The services gateway provides cost-effective, scalable integration of routing, security, and other mid-range applications for these sites.

The SRX650 services gateway has a modular 2U chassis that fits a 19-inch rack with a depth of approximately 18.1 inches. It contains a rear-pluggable Services and Routing Engine (SRE) module that improves processing performance for mid-range applications, particularly routing and firewall services.

The SRX650 services gateway provides the following features:

Symmetric Multiprocessing (SMP)-based data forwarding.

Hardware-based control and data plane separation.

4 on-board 10/100/1000Base-T Gigabit Ethernet ports.

A Services and Routing Engine with 1 GB memory configuration, which contains the management ports (console and USB) for the services gateway.

Support for dual AC power supplies with a redundant configuration in the chassis (approximately 645 W power supply is supported). The AC power supplies are hot-swappable.

Support for 2 GB CompactFlash (CF) storage devices. The SRE contains a hot-pluggable CF storage device used to upload and download files, and the chassis contains a CF storage device used to store the operating system.

JUNOS support for advanced security and routing services on the SRE.

Services and Routing Engine module—The Services and Routing Engine (SRE) module provides processing power for security services, routing protocol processes, and other software processes that control the services gateway interfaces, some of the chassis components, system management, and user access to the device.

The services gateway must have at least one SRE installed. You can install additional SREs to increase processing power or to create SRE redundancy. SREs install horizontally in the back of the chassis in slots SRE0 and SRE1/SRE1.1. An SRE weighs 3 lbs 13.6 oz (1.75 kg).

CAUTION: SREs are not Online Insertion and Removal (OIR) capable. You must power off the services gateway before removing or inserting an SRE.

NOTE: Slot SRE0 is a full-length slot capable of holding a full-slot module such as an SRE. The SRE1 and SRE1.1 slots are capable of holding either two half-slot modules or one full-slot module.

If a slot is not occupied by a card, a blank panel must be installed to shield the empty slot and to maintain proper cooling of the services gateway.

NOTE: For this release, the SRE must be installed into the lower slot (SRE0).


Gigabit-Backplane Pluggable Interface Modules—The SRX650 services gateway supports the following Gigabit-backplane Pluggable Interface Modules (GPIMs):

16-Port Gigabit Ethernet XGPIM

16-Port Gigabit Ethernet with PoE XGPIM

24-Port Gigabit Ethernet XPIM

24-Port Gigabit Ethernet with PoE XPIM

Dual T1/E1 GPIM: contains two fixed T1/E1 ports, labeled 0 and 1, that support framed clear channel

Quad T1/E1 GPIM: contains four fixed T1/E1 ports, labeled 0 to 3, that support framed clear channel

A GPIM is a network interface card that installs in the front slots of the services gateway to provide physical connections to a LAN or a WAN. The GPIM receives incoming packets from a network and transmits outgoing packets to a network.

PIM Terminology:

GPIM: A Gigabit-backplane PIM (GPIM) is a standard PIM that installs in a single-high, single-wide GPIM slot and has gigabit connectivity to the system backplane.

XGPIM: The XGPIM can only be installed in the 20-gigabit GPIM slots (slots 2 and 6 on the front panel).

XPIM: The XPIM can only be installed in the 20-gigabit GPIM slots (slots 2 and 6 on the front panel).

CAUTION: GPIMs are not Online Insertion and Removal (OIR) capable. You must power off the services gateway before removing or inserting a GPIM. Ensure that the GPIM is installed in the appropriate GPIM slot before powering on the services gateway.

The services gateway GPIMs communicate with the backplane at various performance levels and might require specific GPIM slot placement. GPIM slots are located in the front of the chassis and can hold up to 8 standard GPIMs. The Dual T1/E1 GPIM and Quad T1/E1 GPIM can be plugged into any GPIM slot on the services gateway and provide the physical connection to T1 or E1 network media types. The SRX650 services gateway chassis can also hold GPIMs that use more than one standard slot:

Double-high single-wide, which uses two standard slots vertically

Double-high double-wide, which uses two vertical and two horizontal slots for a total of four standard slots

NOTE: When installing the 24-Port Gigabit Ethernet XPIM, which uses four slots, you must install it in the 20-gigabit GPIM slots 2 and 6, which refer to the bottom four slots 1 to 4, or the top four slots 5 to 8.


The Dual T1/E1 GPIM and Quad T1/E1 GPIM provide the following common key features for both T1 and E1 modes:

HDLC operating mode supports 56-Kbps and 64-Kbps

Independent internal and external clocking option

Alarm reporting with 24-hour history

MTU supports 9K bytes

The Dual T1/E1 GPIM and Quad T1/E1 GPIM provide the following key features specific to either T1 or E1 modes as listed in Table 10 on page 120.

Table 10: Dual T1/E1 GPIM and Quad T1/E1 GPIM Specific T1 or E1 Features

Operation modes
  T1 mode: Framed clear channel; Fractional operation mode supports flexible configuration for time slots (numbered 1-24)
  E1 mode: Framed clear channel (64-Kbps); Unframed clear channel; Fractional operation mode supports flexible configuration for time slots (numbered 0-31)

Framing
  T1 mode: Superframe (D4/SF); Extended Superframe (ESF)
  E1 mode: G704; G704 with no CRC4; G703 Unframed

Line encoding
  T1 mode: B8ZS; AMI
  E1 mode: HDB3

USB Support

The following USB devices have been tested with SRX650 devices:

Sandisk micro (1 and 2 GB)

Lexar (1 and 2 GB)

NOTE: Contact a customer service representative for more information on supported USB devices.

Power over Ethernet

Both 16-Port XGPIM and 24-Port XPIM support Power over Ethernet (PoE) if a PoE-capable power supply and PIM module are installed in the chassis. PoE is the implementation of the IEEE 802.3 AF standard, which allows both data and electric power to pass over a copper Ethernet LAN cable. The active Services and Routing Engine (SRE) manages the overall system PoE power.

The SRX650 services gateway provides PoE ports, which supply electric power over the same ports that are used to connect network devices. PoE ports allow you to plug in devices that require both network connectivity and electric power, such as VOIP phones, IP phones, and wireless access points. You can configure the services gateway to act as power sourcing equipment to supply the power to the GPIMs connected on the designated PoE ports.

Table 11 on page 121 lists the SRX650 Services Gateway PoE Specifications.

Table 11: SRX650 Services Gateway PoE Specifications

Supported standards: IEEE 802.3 AF; IEEE 802.3 AT; Legacy (pre-standards)
Supported slots: PoE is supported on the following front panel slots: 2, 4, 6, 8
Total PoE power sourcing capacity: 250 W with one power supply; 500 W with two power supplies
Per-port power limit: 31.2 W
Power management modes: Static (power allocated for each interface can be configured); Class (power allocation for interfaces is decided based on the class of powered device connected)

For more information, see the SRX650 Services Gateway Hardware Guide.

Hardware Features—SRX 5600 and SRX 5800 Services Gateways

Flex I/O Card

This release of JUNOS supports the new SRX5K-FPC-IOC modular Flex I/O Card (IOC) for the SRX 5600 and SRX 5800 services gateways.

Flex IOCs are IOCs that have two slots and accept port modules that add Ethernet ports to your services gateway. A flex IOC with port modules installed in it functions in the same way as a regular IOC, but allows greater flexibility in adding different types of Ethernet ports to your services gateway.

Table 12 on page 122 lists the port modules for the SRX 5600 and SRX 5800 services gateway Flex IOC.

Table 12: Port Modules for SRX 5600 and SRX 5800 Services Gateway Flex IOC

Module            Port type           Ports
SRX-IOC-16GE-TX   10/100/1000 RJ-45   16
SRX-IOC-4XGE-XFP  10 Gigabit XFP      4

NOTE: A third port module type, the SRX-IOC-16GE-SFP, is described in the SRX 5600 Services Gateway Hardware Guide and SRX 5800 Services Gateway Hardware Guide, but it is not available in the 9.5 release.

Related Topics

Known Limitations in JUNOS Software Release 9.5 for SRX-series Services Gateways on page 124

Issues in JUNOS Software Release 9.5 for SRX-series Services Gateways on page 129

Errata in Documentation for JUNOS Software Release 9.5 for SRX-series Services Gateways on page 140

Unsupported CLI Statements and Commands in JUNOS Software Release 9.5 for SRX-series Services Gateways on page 128

Changes In Default Behavior and Syntax

CLI

If more than 10 users are logged into the router, not all of the users are displayed in the CLI.

CLI Commands No Longer Supported

The show dhcp relay and show dhcp server commands are no longer supported.

Flow and Processing

On SRX650 devices, although the installed physical DRAM is 2 GB and U-Boot detects 2 GB, JUNOS software detects only 1 GB.

On SRX-series devices, the factory default for the maximum number of backup configurations allowed is 5. Therefore, you can have one active configuration and a maximum of five rollback configurations. Increasing this backup configuration number will result in increased memory usage on disk and increased commit time.

To modify the factory defaults, use the following commands:

root@vidar7# set system max-configurations-on-flash number
root@vidar7# set system max-configuration-rollbacks number

where max-configurations-on-flash indicates the number of backup configurations to be stored in the configuration partition and max-configuration-rollbacks indicates the maximum number of backup configurations.

Interfaces and Routing

Intrusion Detection and Prevention (IDP)

Moving to compressed DFA—With compressed DFA, the application signature has a different file name, /var/db/idpd/bins/compressed_ai.bin, instead of the current /var/db/idpd/bins/compiled_ai.bin.

Specifying service fields for custom attack definition in IDP—On SRX-series devices, while running commands in IDP, ensure that you provide the service field values in lowercase.

Example: set security idp custom-attack temp severity info attack-type signature context packet direction any pattern .* protocol udp destination-port match equal value 1333

Here the protocol service field value udp is specified in lowercase.
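As an added example (not taken from the release notes or from Juniper), the following Python check enforces the lowercase rule before a custom-attack set command is committed. It tokenizes the command while keeping double-quoted values whole, so an uppercase letter inside the pattern is left untouched and only the service field value is normalized. The names SERVICE_FIELDS, VALUE_KEYWORDS, normalize_service_fields and lint_commands are assumptions made for this example; the protocol keyword is the only service field taken from the page's own example.

```python
import re

# Service field keywords whose values must be lowercase. Only "protocol" is
# taken from the release notes' example; the tuple itself is an assumption
# and can be extended by the caller.
SERVICE_FIELDS = ("protocol",)

# Keywords whose value is free-form data (a match pattern). The token after
# them is data and must never be read as a keyword or rewritten.
VALUE_KEYWORDS = ("pattern",)

# A token is either a double-quoted string (kept whole, quotes included)
# or a run of non-blank characters.
_TOKEN = re.compile(r'"[^"]*"|\S+')

CUSTOM_ATTACK_PREFIX = "set security idp custom-attack"


def normalize_service_fields(cmd, fields=SERVICE_FIELDS):
    """Return (normalized_cmd, changes).

    changes is a list of (field, original_value, lowercase_value) for every
    service field whose value was not already lowercase. Commands that are
    not custom-attack definitions are returned unchanged.
    """
    if not cmd.strip().startswith(CUSTOM_ATTACK_PREFIX):
        return cmd, []
    toks = _TOKEN.findall(cmd)
    changes = []
    i = 0
    while i < len(toks) - 1:
        if toks[i] in VALUE_KEYWORDS:
            i += 2                      # skip the keyword and its data value
            continue
        if toks[i] in fields:
            value = toks[i + 1]
            lowered = value.lower()
            if lowered != value:
                changes.append((toks[i], value, lowered))
                toks[i + 1] = lowered
            i += 2
            continue
        i += 1
    return " ".join(toks), changes


def lint_commands(lines):
    """Report (line_number, field, value) for every service field value that
    is not lowercase, without rewriting anything."""
    findings = []
    for n, line in enumerate(lines, start=1):
        _, changes = normalize_service_fields(line)
        for field, value, _ in changes:
            findings.append((n, field, value))
    return findings


# Constructed sample input: the command from the release notes, and a variant
# whose quoted pattern contains uppercase letters (which must survive) and
# whose protocol value is uppercase (which must be flagged).
SAMPLE_COMMANDS = [
    "set security idp custom-attack temp severity info attack-type signature "
    "context packet direction any pattern .* protocol udp "
    "destination-port match equal value 1333",
    "set security idp custom-attack temp2 severity info attack-type signature "
    "context packet direction any pattern \".*Protocol.*\" protocol UDP "
    "destination-port match equal value 1333",
]

if __name__ == "__main__":
    for n, field, value in lint_commands(SAMPLE_COMMANDS):
        print(f"line {n}: service field {field} value {value!r} is not lowercase")
```

Run it over the set commands you intend to load; lint_commands only reports, and normalize_service_fields returns the corrected line together with what it changed, so the fix can be reviewed before the commit.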

The IDP ip-action statement is now supported on TCP, UDP, and ICMP flows.

When the ip-action target is service, the ip-action is applied to traffic that matches the values specified for source port, destination port, source address, and destination address. However, for ICMP flows the destination port is always 0, so any ICMP flow matching the source port, source address, and destination address is blocked. For more information, see the JUNOS Software CLI Reference Guide.
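The following Python model, added here as an illustration and not Juniper code, shows why a service-target ip-action created from an ICMP flow is broader than one created from a UDP flow. The Flow and IpAction types and the helper functions are assumptions made for the example; the only rules taken from the notes are that a service-target ip-action matches on source port, destination port, source address and destination address (the protocol of the triggering flow is assumed to be part of the match as well), and that ICMP flows carry destination port 0. The ICMP source port is assumed to be 0 in the constructed sample flows, since the notes only specify the destination port.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    proto: str                       # service field value in lowercase: "tcp", "udp", "icmp"
    src: str                         # source address
    dst: str                         # destination address
    sport: int                       # source port (assumed 0 for ICMP in this model)
    dport: int                       # destination port; always 0 for ICMP per the notes
    icmp_type: Optional[int] = None  # shown for illustration only; not part of the match

    def __post_init__(self):
        if self.proto == "icmp" and self.dport != 0:
            raise ValueError("ICMP flows carry destination port 0")

    def match_key(self):
        """The 5-tuple an ip-action with target service compares against."""
        return (self.proto, self.src, self.dst, self.sport, self.dport)


@dataclass(frozen=True)
class IpAction:
    """Block entry installed after an attack was detected on the triggering flow."""
    key: tuple

    @classmethod
    def from_flow(cls, trigger):
        return cls(trigger.match_key())

    def matches(self, flow):
        return flow.match_key() == self.key


def blocked_flows(action, flows):
    """Flows from `flows` that the ip-action would block."""
    return [f for f in flows if action.matches(f)]


def is_icmp_wide(action):
    """True when the entry is for ICMP: because every ICMP flow has destination
    port 0, the entry covers all ICMP between the two addresses, whatever the
    ICMP type, not only the message type that triggered it."""
    return action.key[0] == "icmp"


# Constructed sample traffic (addresses from documentation ranges).
CLIENT, SERVER = "192.0.2.10", "198.51.100.5"

UDP_FLOWS = [
    Flow("udp", CLIENT, SERVER, 40000, 53),    # the DNS flow that triggered the action
    Flow("udp", CLIENT, SERVER, 40000, 123),   # NTP to the same hosts: different dport
    Flow("udp", CLIENT, SERVER, 40001, 53),    # DNS again, but from another sport
]

ICMP_FLOWS = [
    Flow("icmp", CLIENT, SERVER, 0, 0, icmp_type=8),   # echo request (triggered the action)
    Flow("icmp", CLIENT, SERVER, 0, 0, icmp_type=13),  # timestamp request: same key
    Flow("icmp", SERVER, CLIENT, 0, 0, icmp_type=0),   # echo reply the other way: different key
]


def demo():
    """Return how many sample flows each action blocks: (udp_count, icmp_count)."""
    udp_action = IpAction.from_flow(UDP_FLOWS[0])
    icmp_action = IpAction.from_flow(ICMP_FLOWS[0])
    return (len(blocked_flows(udp_action, UDP_FLOWS)),
            len(blocked_flows(icmp_action, ICMP_FLOWS)))


if __name__ == "__main__":
    print(demo())                                            # (1, 2)
    print(is_icmp_wide(IpAction.from_flow(ICMP_FLOWS[0])))   # True
```

The UDP entry blocks only the exact 5-tuple that triggered it, while the ICMP entry also blocks the unrelated timestamp request between the same hosts; when sizing an ip-action timeout for ICMP, plan for that wider effect.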

J-Web

On SRX-series devices, the number of writes to the flash device must be minimized to avoid flash wear issues. Writing logs to flash is therefore disabled by default; the options are to write logs to memory, to a secondary device such as a USB drive, or to a remote host over the network.

For SRX 210, SRX 240, and SRX650 devices, the LED status (Alarm, HA, 3g, Power Status, and Power) shown in the front panel of the chassis viewer does not reflect the exact status shown on the device.


Known Limitations in JUNOS Software Release 9.5 for SRX-series Services Gateways

Accounting-Options Hierarchy

In the CLI accounting-options hierarchy for SRX 210 and SRX 240 devices, accounting, source-class, and destination-class are not supported.

Chassis Cluster

For this release of JUNOS software, the following features are not supported when chassis clustering is enabled on the device:

All packet-based protocols, such as MPLS, Connectionless Network Service (CLNS), and IP version 6 (IPv6)

Any function that depends on the configurable interfaces:

■ lsq-0/0/0 —Link services Multilink Point-to-Point Protocol (MLPPP), Multilink Frame Relay (MLFR), and Compressed Real-Time Transport Protocol (CRTP)

■ gr-0/0/0 —Generic routing encapsulation (GRE) and tunneling

■ ip-0/0/0 —IP-over-IP (IP-IP) encapsulation

■ pd-0/0/0, pe-0/0/0, and mt-0/0/0 —All multicast protocols

■ lt-0/0/0 —Real-time performance monitoring (RPM)

WXC Integrated Services Module (WXC ISM 200)

Layer 2 Ethernet switching

ISDN BRI

Multicast traffic streams

Dial-up VPN is not supported on SRX 3400, SRX 3600, SRX 5600, and SRX 5800 chassis clusters. It is supported in standalone mode.

IDP feature is not supported in active/active chassis clustering.

Additional limitations include:

For SRX 3000 and SRX 5000 line chassis clusters, screen statistics data can be gathered on the primary device only.

After fabric interfaces have been configured on a chassis cluster, removing the fabric configuration on either node will cause the redundancy group 0 (RG0) secondary node to move to a disabled state. (Resetting a device to the factory default configuration removes the fabric configuration and thereby causes the RG0 secondary node to move to a disabled state.) After the fabric configuration is committed, do not reset either device to the factory default configuration.


CLI

On SRX 210 and SRX 240 devices, J-Web crashes if more than nine users log into the router via the CLI.

The number of users allowed to access the routers is limited.

For SRX 210 devices: four CLI users and three J-Web users

For SRX 240 devices: six CLI users and five J-Web users

Flow and Processing

Maximum Concurrent ssh, telnet, and Web Sessions

For ssh, telnet, and Web sessions, the maximum number of concurrent sessions is as follows:

Sessions   SRX 210 Devices   SRX 240 Devices   SRX650 Devices
ssh        3                 5                 5
telnet     3                 5                 5
web        3                 5                 5

NOTE: These defaults are provided for performance reasons.


Hardware

This section covers the filter and policing limitations:

The following features are not supported by simple filter on SRX 3400 and SRX 3600 devices:

■ forwarding class as match condition

The following features are not supported by policer and three-color-policer on SRX 3400 and SRX 3600 devices:

■ color-aware mode of a three-color-policer

■ filter-specific policer

■ forwarding class as action of a policer

■ logical interface policer

■ logical interface three-color policer

■ logical interface bandwidth policer

■ packet loss priority as action of a policer

■ packet loss priority as action of a three-color-policer

The following features are not supported by a firewall filter on SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices:

■ policer action

■ egress FBF

■ FTF

The following are the limitations of a simple filter on SRX 3400 and SRX 3600 devices:

In one Broadcom packet processor on an IOC, up to 100 logical interfaces can be applied with simple filters.

In one Broadcom packet processor on an IOC, the maximum number of terms of all simple filters is 4000.

In one Broadcom packet processor on an IOC, the maximum number of policers is 4000.


In one Broadcom packet processor on an IOC, the maximum number of three-color-policers is 2000.

The maximum burst size of a policer or three-color-policer is 16 MB.

Interfaces and Routing

MAC pause frame and FCS error frame counters are not supported for the interfaces ge-0/0/0 through ge-0/0/3 on the SRX650 services gateway.

On SRX 240 devices, IP multicast switching is not supported; multicast snooping is therefore based on the corresponding IP multicast Layer 2 address (01:00:5e:xx:xx:xx). In this case, all multicast receivers whose IP multicast addresses map to the same Layer 2 address receive the packets.

The VLAN range 3967 through 4094 is reserved on SRX 240 and SRX650 devices; users cannot configure VLANs in this range.

On SRX650 devices, the last 4 ports of the 24 GE-GPIM can be used either as RJ45 or SFP ports. If both are present and providing power, the SFP media is preferred. If the SFP media is removed or the link is brought down, the interface switches to the RJ45 medium. This can take up to 15 seconds, during which the LED for the RJ45 port may go up and down intermittently. Similarly, when the RJ45 medium is active and an SFP link is brought up, the interface transitions to the SFP medium, and this transition can also take a few seconds.

IPsec can be used only on an interface that resides in routing instance inet.0. You can assign an external interface to the IKE policy even if that interface is placed in a routing instance other than inet.0, but the configuration is not supported.

Intrusion Detection and Prevention (IDP)

On SRX-series devices, IP actions do not work when you select a timeout value greater than 65535 in the IDP policy.

On SRX 210, SRX 240, and SRX650 devices, the maximum number of IDP sessions supported in 9.5 is 16K.

This release of JUNOS software for SRX-series devices supports all IDP policy templates except All Attacks. There is a 100-MB policy size limit, and the currently supported IDP policy templates are dynamic, based on the attack signatures being added. Therefore, be aware that supported templates might eventually grow past this 100-MB policy size limit.

The following IDP policies are supported on SRX devices:

DMZ_Services

DNS_Service

File_Server

Getting_Started

IDP_Default


Recommended

Web_Server

By default, the detector embedded in the SRX-series devices has the SIP, SSL, SSH, and MSPRC protocol decoders disabled.

IDP failover is not supported in chassis clustering.

NetScreen-Remote

NetScreen-Remote is not supported on SRX-series devices.

System


On the four Gigabit Ethernet ports (ge-0/0/0 through ge-0/0/3) of an SRX650 device, if a port is linked up at 10 Mbps or 100 Mbps, it will not support jumbo frames. Frames greater than 1500 bytes will be dropped.

Related Topics

New Features in JUNOS Software Release 9.5 for SRX-series Services Gateways on page 98

Issues in JUNOS Software Release 9.5 for SRX-series Services Gateways on page 129

Errata in Documentation for JUNOS Software Release 9.5 for SRX-series Services Gateways on page 140

Unsupported CLI Statements and Commands in JUNOS Software Release 9.5 for SRX-series Services Gateways on page 128

Unsupported CLI Statements and Commands in JUNOS Software Release 9.5 for SRX-series Services Gateways

On SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices, the show command does not support the oam, dot1x, subscribers, link-management, and vpls options.

[PR/313099]

Related Topics

New Features in JUNOS Software Release 9.5 for SRX-series Services Gateways on page 98

Known Limitations in JUNOS Software Release 9.5 for SRX-series Services Gateways on page 124

Issues in JUNOS Software Release 9.5 for SRX-series Services Gateways on page 129

Errata in Documentation for JUNOS Software Release 9.5 for SRX-series Services Gateways on page 140


Issues in JUNOS Software Release 9.5 for SRX-series Services Gateways

Outstanding Issues in JUNOS Software Release 9.5 for SRX-series Services Gateways on page 129

Resolved Issues in JUNOS Software Release 9.5 for SRX-series Services Gateways on page 139

Outstanding Issues in JUNOS Software Release 9.5 for SRX-series Services Gateways

Application Layer Gateways (ALGs)

On SRX 210 devices, an SCCP call cannot be set up after disabling and enabling the SCCP ALG. The call does not go through. [PR/409586]

Authentication

After the user is authenticated, if the webauth-policy is deleted or changed and an entry exists in the firewall authentication table, then an authentication entry created as a result of webauth will be deleted only if a traffic flow session exists for that entry. Otherwise, the webauth entry will not get deleted and will only age out. This behavior will not cause a security breach. [PR/309534]

Chassis Cluster

Configuring an SRX-series device with set system process jsrp-service disable only on a primary node of the cluster causes the cluster to go into an incorrect state. [PR/292411]

The SRX-series device will crash if you use the set system processes chassis-control disable command for 4 to 5 minutes and then enable it. Do not use this command on an SRX-series device in a chassis cluster. [PR/296022]

On SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices, 8 queue configurations are not reflected on the chassis cluster interface. [PR/389451]

On SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices, iflset functionality is not supported for aggregated interfaces such as reth. [PR/391377]

On SRX 210 devices in a chassis cluster, when you upgrade the nodes, sometimes the forwarding daemon might crash and get restarted. [PR/396728]

On the SRX 210 Low Memory device in a chassis cluster, the firewall filter does not work on the reth interfaces. [PR/407336]

On SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices, snmpwalk on jnxJsSPUMonitoringObjectsTable in a cluster from the primary node shows information for only the local SPC installed in that node. Instead, it should show information about all the SPCs in the primary and secondary nodes. [PR/408261]

On SRX 210 devices in a chassis cluster, the restart forwarding method is not recommended because when the control link goes through forwarding, restart forwarding causes disruption in the control traffic. [PR/408436]


On SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices on failover, both the primary Routing Engine and secondary Routing Engine are sending SNMP traps. Only the primary Routing Engine should send SNMP traps. [PR/417782]

On SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices, the queue statistics are not correct after deletion and re-creation of an IFL or creation of a new IFL. IFL statistics are not cleared for 15 minutes after chassis-control is restarted. [PR/417947]

On SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices in an active/active chassis cluster, when the fabric link fails and then recovers, services with a short time-to-live such as FTP ALG stop working. [PR/419095]

On SRX 5600 devices in a chassis cluster, replay errors are seen on peer devices. [PR/422371]

On SRX 210 High Memory devices in a chassis cluster, when the stress test is stopped, the primary H323 counter Number of active calls should be 0, but 128 is incorrectly displayed. [PR/429560]

On SRX 5800 devices, SNMP traps might not be generated for the ineligible-primary state with the current software design. [PR/434144]

Class of Service

On an SRX-series device, class-of-service-based forwarding (CBF) is not working. [PR/304830]

Flow and Processing

On an SRX-series device, the show security flow session command currently does not display aggregate session information. Instead, it displays sessions on a per-SPU basis. [PR/264439]

On an SRX-series device, when traffic matches a deny policy, sessions will not be created successfully. However, sessions are still consumed, and the Unicast-sessions and Sessions-in-use fields shown by the show security flow session summary command will reflect this. [PR/284299]

Configuring the flow filter on SRX-series devices with the all flag might result in traces that are not related to the configured filter. As a workaround, use the flow trace flag basic with the command set security flow traceoptions flag. [PR/304083]

On SRX 210 and SRX 240 devices, broadcast TFTP is not supported when flow is enabled on the device. [PR/391399]

On SRX 240 and SRX650 devices, tagged frames on an access port with the same VLAN tag are not getting dropped. [PR/414856]

If an SRX 210 device receives more traffic than it can handle, Node1 either disappears or gets disabled. [PR/416087]

On SRX 5600 devices, when the system is in an unstable state (for example, after an SPU reboot), NFS might generate residual .nfs files under /var/tmp, which can occupy disk space for a very long time. As a workaround, run the request sys storage cleanup command to clean up when the system has low disk space. [PR/420553]


On SRX 210 devices, dynamic VPN does not support the ability to automatically generate the routes when the RADIUS server is used to assign the IP addresses. [PR/421137]

On SRX650 devices, the input DA errors are not updated when packets are dropped due to MAC filtering on the following:

SRX 240

SRX 210

16-port and 24-port GPIMs

SRX650 front-end port

This is due to MAC filtering implemented in hardware. [PR/423777]

On SRX 5800 devices, when VPN is not in use, the device will not generate the /var/tmp/spu_kmd_init file, which is logged by Iked_cfg. This should not happen because it is not an error condition. As a result, disk space may be wasted over time. As a workaround, run the cp /dev/null /var/tmp/spu_kmd_init command from the shell to create this file. Also run request sys storage cleanup to clean up when the system has low disk space. [PR/425380]

On SRX650 devices, continuous messages are displayed from syslogd when ports are in switching mode. [PR/426815]

On SRX650 devices, the uplinks to the CPU can be exhausted and the system can be limited to 2.5 GB throughput traffic when the device is using similar kinds of source MAC addresses. [PR/428526]

On SRX 240 and SRX650 devices, CLI help for the VLAN name under interface vlan member and protocols xstp is not displayed properly. Instead, this message appears: mgd:unable to execute /usr/bin/vlanconfiginfo: No such file or directory. [PR/429018]

On SRX650 devices, packet loss is observed when the device interoperates with an SSG20 with AMI line-encoding. [PR/430475]

On SRX 3400 devices in combo mode, the firewall authentication Age and Access time remaining fields are displayed incorrectly as 0 and Infinite, respectively. This does not affect aging functionality. The authentication entry is aged out after the configured timeout. [PR/434985]

On SRX 240 devices, when you configure the syslog hostname as 1 or 2, the device goes to the shell prompt. [PR/435570]

On SRX650 devices, when you run scaling scripts of the scheduler, an nsd core file is generated. For example, when you are configuring 257 schedulers, the 257th scheduler (counting from 0) is not allocated. The ID 0 is considered invalid, and only 1 through 256 are valid IDs. [PR/437064]

On SRX platforms running flow-based code, multiple flows with high traffic volumes to unknown destinations can cause the kernel to run out of buffer space. [PR/507137]


Hardware

On an SRX 210 device, the MTU size is limited to 1518 bytes for the 1-port SFP Mini-PIM. [PR/296498]

On SRX 210 devices, the chassis Mini-PIM LEDs do not go to the off state when the FPC is offline. [PR/299434]

On an SRX 210 device in a chassis cluster, when you upgrade to the 9.5 image, the interface links do not come up and are not seen in the Packet Forwarding Engine. As a workaround, you can reboot the device to bring up the interface. [PR/399564]

On SRX 210 devices in a chassis cluster, sometimes the reth interface MAC address might not make it to the switch filter table. This results in the dropping of traffic sent to the reth. As a workaround, restart the Packet Forwarding Engine. [PR/401139]

On an SRX 210 device in a chassis cluster, the fabric monitoring option is enabled by default. This can cause one of the nodes to move to a disabled state. You can disable fabric monitoring by using the following CLI command: set chassis cluster fabric-monitoring disable [PR/404866]

On SRX 3400 and SRX 3600 devices, the minor alarm is not triggered when the central point or SPU session table is full. [PR/405990]

On SRX 210, SRX 240, and SRX650 devices, after the device fragments packets, FTP over a GRE link might not perform properly due to packet serialization. [PR/412055]

On SRX 240 devices, SRX650 devices, and 16-port or 24-port GPIMs, the 1G half-duplex mode of operation is not supported in the autonegotiation mode. [PR/424008]

Infrastructure

On an SRX 5600 device, when snmp mib walk is running, the snmpd core file is seen after 4 to 5 hours. [PR/387117]

Interfaces and Routing

When the firewall and IDP policy both enable DiffServ marking with a different DSCP value for the same traffic, the firewall DSCP value takes precedence and the traffic is marked using the firewall DSCP value. [PR/297437]

On an SRX 3400 device, the IPv6 transit counters on the reth interface show invalid value statistics. [PR/391407]

On SRX650 devices, when VLAN tagging is configured and traffic is sent, the VLAN tagged frame count is not shown in the output of show interfaces ge-0/0/1 media detail. [PR/397849]


On SRX 5600 and SRX 5800 devices, ping to far-end reth interfaces does not work for different routing instances. [PR/408500]

On an SRX 3600 device, there might be VPN sync issues with the IPsec SA. This happens when the secondary node reboots during primary node IPsec negotiation. [PR/413727]

On SRX 5600 devices in a chassis cluster, the IPsec statistics counters display incorrect random numbers on the Routing Engine after a small amount of traffic is sent. [PR/415451]

The SRX 5600 and SRX 5800 devices might get disabled when you configure more than 1000 reth logical interfaces. [PR/417391]

On SRX 240 devices, drops in out-of-profile LLQ packets might be seen in the presence of data traffic even when the combined (data+LLQ) traffic does not oversubscribe the multilink bundle. [PR/417474]

On an SRX 5800 device, running the clear security ike sa command does not delete the IKE SA. This happens when you try to delete the IKE SA by using the clear command after loading and overwriting the configuration. As a workaround, reboot the device. [PR/420162]

On SRX 240 and SRX650 devices, when you are configuring the link options on an interface, only the following scenarios are supported:

Autonegotiation is enabled on both sides.

Autonegotiation is disabled on both sides (forced speed), and both sides are set to the same speed and duplex.

If one side is set to autonegotiation mode and the other side is set to forced speed, the behavior is indeterminate and not supported. [PR/423632]

On SRX-series devices, the RPM operation will not work for the probe-type tcp-ping when the probe is configured with the option destination-interface. [PR/424925]

On SRX650 devices, the following are not implemented in this release for T1/E1 GPIMs:

Line Loopback

FDL Payload Loopback

Inband Line Loopback

Inband Payload Loopback

[PR/425040]

On SRX650 devices, the kernel crashes when the link goes down during TFTP installation of the srxsme image. [PR/425419]

On SRX 3400 and SRX 3600 devices in a chassis cluster, ESP authentication errors are seen while traffic is sent through 4000 site-to-site IPsec tunnels. [PR/426073]

On SRX 3400 and SRX 3600 devices in a chassis cluster, Routing Engine kmd shows fewer tunnels than spu-kmd after the primary node is rebooted. [PR/426139]


On SRX650 devices, during CoS tests, a core file is generated at pif_ds1_bert. This causes the CT1/E1-PIM FPC to go offline when the ifinfo core file is seen. The FPC does not recover even after interface-control/chassisd is restarted. [PR/426982]

On SRX 3400 and SRX 3600 devices in a chassis cluster, tunnels are not evenly distributed to the four kmd threads. [PR/427526]

On SRX650 devices, doing a redundancy group 0 failover with 1000 IFLs on the reth interface causes replication errors. As a result, ksyncd generates a core file. [PR/428636]

On SRX 210 devices, the dialer interface goes down when the call is idle for a short interval because the Sierra ExpressCard is rejecting the redial attempts from the dialer. As a workaround, restart flowd to restore the connection. [PR/428735]

On SRX 240 devices, the following issues might be encountered when 1-Port SFP Mini-PIMs are used along with T1/E1 or serial Mini-PIMs:

Device timeout messages might be seen on I2C access.

T1/E1 or serial cards might not get detected.

[PR/429906]

On SRX 240 devices, the Mini-PIM LEDs glow red for a short duration (1 second) when the device is powered on. [PR/429942]

On SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices, after you configure rpf-check, a ping to that particular interface fails. [PR/431135]

On SRX 240 devices, during the TFTP installation, if TFTP timeout occurs, then booting the existing kernel using the boot command might crash the kernel. As a workaround, use the reboot command from the loader prompt. [PR/431955]

On SRX650 devices, configuring dual and quad T1/E1 framing at the chassis level takes no effect. [PR/432071]

On SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices, interface statistics on the st0 interface are not accurate. As a workaround, use the statistics on the security association (SA) to determine input and output bytes and packets. [PR/436857]

On SRX650 devices, the Q-pic-large-buffer is not active. [PR/437389]

On SRX 240 devices, the serial interface maximum speed in extensive output is displayed as 16384 Kbps instead of 8.0 Mbps. [PR/437530]

On SRX 240 devices, Scheduler Oinker messages are seen on the console at various instances with various Mini-PIM combinations. These messages are seen during bootup, restarting fwdd, restarting chassisd, and configuration commits. [PR/437553]

On SRX 240 devices, the file installation fails on the right USB slot when both of the USB slots have USB keys attached. [PR/437563]

On SRX 240 devices, when users swap the USBs after startup, the chassis-control subsystem might not respond to any chassis-related commands. As a workaround, avoid plug and play for the right USB slot. [PR/437798]


On SRX 240 devices, the combinations of Mini-PIMs cause SFP-Copper links to go down in some instances during bootup, restarting fwdd, and restarting chassisd. As a workaround, reboot the device and the link will be up. [PR/437788]

On SRX 210 and SRX 240 devices, when autoinstallation is configured to run on a particular interface, the DHCP client is run on that interface. The device tries to get the configuration file from the TFTP server. During this process, the autoinstallation status might get stuck in the configuration acquisition state because it cannot reach the UDP port through which the device sends the read request to the TFTP server. The issue might be seen in packet mode or flow mode. [PR/438181]

On SRX 210 devices, the E1Mini-PIM interface flaps and traffic does not go through the link after restarting the forwarding during Transit traffic. [PR/441312]

Intrusion Detection and Prevention (IDP)

On SRX 5600 and SRX 5800 devices, when you downgrade to the 9.2 software image, the IDP policy compilation fails, takes an indefinite time to finish, or becomes slow due to the IDP policy cache.

Workaround:

1. Stop the idpd daemon by using the set system processes idp-policy disable command and commit the configuration.

2. Delete all policy cache files in the /var/db/idpd/db folder.

3. Log on to the SRX-series device as root user, and use the following UNIX command: rm -f /var/db/idpd/db/dfa* /var/db/idpd/db/pcre*

4. Reboot the system.

5. Enable the idpd daemon by using the delete system processes idp-policy command and commit the configuration.

6. Ensure that the cache files are regenerated and are located in the /var/db/idpd/db folder.

[PR/300428]

On SRX 5600 devices, the licensing service currently does not support the different traceoption flags (config, events, all) that are available through the configuration setup. The current default behavior is to trace all. This is the reason that the tracelog file will contain all log information exported by the daemon. [PR/310783]

On SRX-series devices, the IDP status command show security idp status displays an error message when the device is processing heavy data traffic. [PR/388048]

On SRX-series devices, the IDP status command show security idp status might fail when processing heavy traffic. As a result, IDP flow, session statistics, and packet statistics do not match firewall statistics. [PR/389501]

On SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices, HTTPS sessions with higher data transaction sizes fail due to heavy CPU usage, which results in the failure of new connections. [PR/390308]


The SRX 210 device supports only one IDP policy at any given time. When you make changes to the IDP policy and commit, the current policy is completely removed before the new policy becomes effective. During the update, IDP will not inspect the traffic that is passing through the device for attacks. As a result, there is no IDP policy enforcement. [PR/392421]

On SRX 210, SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices, in J-Web selecting Configuration > Quick Configuration > Security Policies > IDP Policies > Security Package Update > Help brings up the IDP policy help page instead of the Signature update help page. To access the corresponding help page, select Configuration > Quick Configuration > IDP Policies > Signature/Policies Update and then click Help. [PR/409127]

On SRX 210 devices, during attack detection, multiple attacks get detected. This happens when the IDP policy contains rules that have the match criteria for the same attacks. Error/warning messages do not appear during policy compilation. [PR/414416]

On SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices, the idp-policy subsystem is not responding to management requests. Sometimes when policy changes are committed, some of the operational commands might not be successful. Until policy changes are effective, users might see errors. [PR/432026]

On SRX 5800 devices, IDP is not officially supported in an active/active chassis cluster configuration. The user must disable the IDP configuration when the devices are configured in an active/active chassis cluster. [PR/432252]

J-Flow

SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices support 4-byte autonomous system (AS) numbers for BGP configuration. However, the J-Flow template versions 5 and 8 do not support 4-byte AS numbers, because these J-Flow templates have 2 bytes for the SRC/DST AS field. [PR/416497]

On SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices, J-Flow sampling on the virtual router interface does not show the autonomous system (AS) and mask length values. The AS and mask length values of cflowd packets show 0 while sampling the packet on the virtual router interface. [PR/419563]
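As an added illustration of the 2-byte limit (example code, not from the release notes or from Juniper): a standard 48-byte NetFlow v5 record is packed and parsed to show that src_as and dst_as are 16-bit fields, so a 4-byte AS such as 4200000000 cannot be exported in that template at all. AS_TRANS (23456, the RFC 4893 placeholder) is substituted here as an assumption; the notes do not say what value the SRX writes in that case.

```python
"""Added example: the 16-bit AS fields of a NetFlow/J-Flow v5 record.

The 48-byte record layout is the standard NetFlow v5 one. AS_TRANS is an
assumed stand-in for AS numbers that do not fit; the release notes do not
say what value the SRX exporter writes in that case.
"""
import socket
import struct
from typing import Tuple

AS_TRANS = 23456  # RFC 4893 placeholder for a 4-byte AS (assumption, see above)

# NetFlow v5 flow record, network byte order, 48 bytes:
#   srcaddr dstaddr nexthop | input output | dPkts dOctets First Last |
#   srcport dstport | pad1 tcp_flags prot tos | src_as dst_as |
#   src_mask dst_mask | pad2
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")
assert V5_RECORD.size == 48


def fits_v5_as_field(asn: int) -> bool:
    """True when the AS number fits the 2-byte field used by v5 and v8."""
    return 0 <= asn <= 0xFFFF


def as_for_v5(asn: int) -> int:
    """Value written into the 2-byte AS field.

    A 4-byte AS cannot be encoded, so AS_TRANS is substituted; the flow
    collector then cannot tell which 4-byte AS the traffic belongs to.
    """
    return asn if fits_v5_as_field(asn) else AS_TRANS


def pack_v5_record(src_ip: str, dst_ip: str, src_as: int, dst_as: int,
                   src_mask: int = 24, dst_mask: int = 24,
                   proto: int = 6, packets: int = 1, octets: int = 64) -> bytes:
    """Build one v5 flow record; the remaining fields hold constructed values."""
    return V5_RECORD.pack(
        int.from_bytes(socket.inet_aton(src_ip), "big"),
        int.from_bytes(socket.inet_aton(dst_ip), "big"),
        0,                    # nexthop
        0, 0,                 # input / output ifIndex
        packets, octets,
        0, 0,                 # First / Last (sysUptime)
        0, 0,                 # srcport / dstport
        0, 0,                 # pad1, tcp_flags
        proto, 0,             # prot, tos
        as_for_v5(src_as), as_for_v5(dst_as),
        src_mask, dst_mask,
        0,                    # pad2
    )


def unpack_v5_as(record: bytes) -> Tuple[int, int, int, int]:
    """Return (src_as, dst_as, src_mask, dst_mask) from a 48-byte v5 record."""
    fields = V5_RECORD.unpack(record)
    return fields[15], fields[16], fields[17], fields[18]


if __name__ == "__main__":
    # Constructed sample: a 2-byte source AS and a 4-byte destination AS.
    rec = pack_v5_record("10.0.0.1", "192.0.2.9", 64512, 4200000000)
    print(unpack_v5_as(rec))  # (64512, 23456, 24, 24): the 4-byte AS is lost
    try:
        struct.pack("!H", 4200000000)
    except struct.error as exc:
        print("direct encoding fails:", exc)
```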

J-Web

On SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices, the LEDs on the Routing Engine and PICs are not shown as green when they are up and online on the J-Web Chassis View. [PR/297693]

On SRX-series devices, when the user adds LACP interface details, a pop-up window appears in which there are two buttons to move the interface left and right. The LACP page currently does not have images incorporated with these two buttons. [PR/305885]

On SRX 210 Low Memory devices, there is no maximum length limit when the user commits the hostname in CLI mode; however, only a maximum of 58 characters are displayed in the System Identification panel. [PR/390887]


On SRX 210, SRX 240, and SRX650 devices, in J-Web, the complete content of the ToolTip is not displayed in the Chassis View. As a workaround, drag the Chassis Viewer image down to see the complete ToolTip. [PR/396016]

On SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices, in J-Web, when you right-click Configure Interface on an interface in Chassis View, the Configuration > Quick Configuration > Interface page is displayed. [PR/405392]

On SRX-series devices, the CLI Terminal feature is not working in J-Web over IPv6. [PR/409939]

On SRX-series devices, the Ajax calls need to be optimized and should be in synchronization with the existing configuration screens (STP, GVRP, and IGMP-Snooping). [PR/422523]

On SRX 210 and SRX 240 devices, when J-Web users select the tabs on the bottom-left menu, the corresponding screen is not displayed fully, so users must scroll the page to see all content. This issue occurs when the computer is set to a low resolution. As a workaround, set the computer resolution to 1280 x 1024. [PR/423555]

On SRX 240 devices, on the J-Web monitor interface page, it is not possible to generate an interface graph of two interfaces that are on two different pages of the interface summary table. [PR/429572]

Management and Administration

On SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices, no trap is generated for redundancy group 0 failover. You can check on the redundancy group 0 state only when you log in to the device. Nonavailability of such information without login results in the failure of the snmpwalk on the backup/secondary node. As a workaround, use a master-only IP address across the cluster. This way, you can query a single IP address and that IP address will always be the master for redundancy group 0. [PR/413719]

On an SRX 210 device with an FTP session ramp-up rate of 70, either of the following might disable the secondary node:

Back-to-back redundancy group 0 failover

Back-to-back primary node reboot

[PR/414663]

Power over Ethernet (PoE)

On SRX 210 and SRX 240 devices in a chassis cluster, PoE configuration and operational commands operate on only one chassis. The PoE interfaces of the other chassis are not configurable and not displayed in operational command output even though the data ports are recognized. [PR/415174]

On SRX 240 and SRX 210 devices, the output of the PoE operational commands takes roughly 20 seconds to reflect a new configuration or a change in status of the ports. [PR/419920]

On SRX 210 and SRX 240 devices, the deactivate poe interface all command does not deactivate the PoE ports. Instead, the PoE feature can be turned off by using the disable configuration option. Otherwise, the device must be rebooted for the deactivate setting to take effect. [PR/426772]

On SRX 210 and SRX 240 devices, the output for the show poe telemetries command shows the telemetry data in chronological order. This should be changed to reverse-chronological (most recent data first). [PR/429033]

On SRX 210 and SRX 240 devices, the class-4 powered device does not get powered on when PoE is configured to operate in Class management mode. [PR/437406]

On SRX 210 and SRX 240 devices, the powered device takes more time than what is specified by the standards to power off when operating under overload conditions. [PR/437416]

On SRX 240 and SRX 210 devices, the last powered device will not power on if the allocated power becomes equal to the power limit on the device. Power allocated must always be less than the power limit. For example, on the SRX 240 device, the powered devices cannot be configured such that allocated power becomes 150 W, even though it is possible to allocate the power up to 149.8 W. [PR/437792]

Security

The SRX-series devices do not support egress filter-based forwarding (FBF). [PR/396849]

On SRX 210, SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices in a chassis cluster, if the Infranet Controller auth table mapping action is configured as provision auth table as needed, UAC terminates the existing sessions after Routing Engine failover. You might have to initiate new sessions. Existing sessions will not get affected after Routing Engine failover if the Infranet Controller auth table mapping action is configured as always provision auth table. [PR/416843]

System

On SRX-series devices, when the J-Web session is terminated from the CLI, error and warning messages related to J-Web appear in the logs. [PR/311181]

Unified Threat Management (UTM)

Content filtering provides the ability to block protocol commands. In some cases, blocking these commands interferes with protocol continuity, causing the session to hang. For instance, blocking the FETCH command for the IMAP protocol causes the client to hang. [PR/303584]

The express antivirus initial database download fails due to the slow start of the router interface. To get a proper update, you can either wait until the next auto-update or manually update the database by using the CLI. [PR/388535]

When the content filtering message type is set to protocol-only, customized messages appear in the log file. [PR/403602]

The express antivirus feature does not send a replacement block message for HTTP upload (POST) transactions if the current antivirus status is engine-not-ready and the fallback setting for this state is block. An empty file is generated on the HTTP server without any block message contained within it. [PR/412632]

On SRX 240 and SRX650 devices, Outlook Express is sending infected mail (with an EICAR test file) to the mail server (directly, not through DUT). Eudora 7 is using the IMAP protocol to download this mail (through DUT). Mail retrieval is slow, and the EICAR test file is not detected. [PR/424797]

On SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices, transparent mode does not support UTM and IDP policy. The UTM and IDP options should be hidden from the policy application-services list. [PR/427921]

On SRX650 devices operating under stress conditions, the UTM subsystem file partition might fill up faster than UTM can process and clean up existing temporary files. In that case, the user might see error messages. As a workaround, reboot the system. [PR/435124]

On SRX 240 devices, FTP download for large files (larger than 4 MB) does not work in a two-router topology. [PR/435366]

On SRX 210, SRX 240, and SRX650 devices, the Websense server stops taking new connections after HTTP stress. All new sessions get blocked. As a workaround, reboot the Websense server. [PR/435425]

On SRX 240 devices, if the device is under UTM stress traffic for several hours, users might get the following error while issuing a UTM command: the utmd subsystem is not responding to management requests. As a workaround, restart the utmd process. [PR/436029]

VPN

On an SRX-series device, the shared IKE limit does not work in remote access. [PR/288551]

On SRX 210 High Memory devices, certificate-based VPN IKE negotiation sometimes fails if the user uses the PKI wildcard as the local ID. As a workaround, reboot the device. [PR/411398]

On SRX 210 and SRX 240 devices, when you uninstall Juniper Access Manager (JAM), the client prompts for a reboot. Ignore the prompt. It is caused by a reboot flag in some JAM files that have not been removed from your system. All the JAM executables have been removed. [PR/428315]

Resolved Issues in JUNOS Software Release 9.5 for SRX-series Services Gateways

The following issues from JUNOS Release 9.5 R3 have been resolved in this release.

The identifier following the description is the tracking number in our bug database.

Chassis Cluster

On SRX 210 devices, existing FTP data transfer failed because the primary node of the device chassis cluster was rebooted or powered off. [PR/429296: This issue has been resolved.]

Interfaces and Routing

On SRX650 devices, resource errors were seen in the show interface extensive command output during bidirectional traffic on the CT/E1 GPIMs. [PR/430181: This issue has been resolved.]

J-Web

On SRX-series devices, on the J-Web spanning-tree configuration page, the Edit interface/msti window did not save the data before committing the configuration. [PR/433506: This issue has been resolved.]

Power over Ethernet (PoE)

On SRX 240 series devices in a chassis cluster (active-active mode) with policy-based IPsec VPN configured together, the ftp put (in port mode) command failed after an RG2 (egress RG) manual failover. [PR/438590: This issue has been resolved.]

Related Topics

New Features in JUNOS Software Release 9.5 for SRX-series Services Gateways on page 98

Known Limitations in JUNOS Software Release 9.5 for SRX-series Services Gateways on page 124

Errata in Documentation for JUNOS Software Release 9.5 for SRX-series Services Gateways on page 140

Unsupported CLI Statements and Commands in JUNOS Software Release 9.5 for SRX-series Services Gateways on page 128

Errata in Documentation for JUNOS Software Release 9.5 for SRX-series Services Gateways

This section lists outstanding issues with the documentation.

Attack Detection and Prevention

The default parameters documented in the firewall/NAT screen configuration options table in the JUNOS Software Security Configuration Guide and the J-Web online Help do not match the default parameters in the CLI. The correct default parameters are:

[edit security screen ids-option untrust-screen]
tcp {
    syn-flood {
        alarm-threshold 1024;
        attack-threshold 200;
        source-threshold 1024;
        destination-threshold 2048;
        timeout 20;
    }
}

Chassis Clustering

The JUNOS Software Security Configuration Guide for SRX-series services gateways contains incorrect information in the “Hardware Setup for SRX-series Chassis Clusters” section.

The text incorrectly says that the connection that serves as the control link must be the built-in controller port on each device. SRX 5600 and SRX 5800 devices do not contain built-in ports. Their control ports should be on corresponding Services Processing Cards (SPCs) in the two devices in the cluster, with a slot numbering offset of 6 for SRX 5600 devices and 12 for SRX 5800 devices. Also, the text incorrectly says that the fabric link connection can be a combination of any pair of Gigabit Ethernet interfaces on the devices. The fabric link connection can be a pair of Fast Ethernet or Gigabit Ethernet interfaces for SRX 210 devices and a pair of Gigabit Ethernet or 10-Gigabit Ethernet interfaces for all other SRX-series devices.

The figure showing the fabric link connection for the pair of SRX 5800 devices incorrectly shows two-port Input/Output Cards (IOCs). The IOCs have 4 ports.

The “Setting the Node ID and Cluster ID” and “Active/Passive Chassis Cluster Scenario” sections in the JUNOS Software Security Configuration Guide incorrectly show command syntax as the following:

set chassis cluster node 0 cluster-id 1
set chassis cluster node 1 cluster-id 1
reboot

The command syntax should be as follows:

set chassis cluster cluster-id 1 node 0
set chassis cluster cluster-id 1 node 1
reboot

CLI

The JUNOS Software CLI Reference Guide erroneously contains some content concerned with policy-based NAT configuration. This release supports only rule-based NAT configuration.

Page 976 of the JUNOS Software CLI Reference Guide for J-series Services Routers and SRX-series Services Gateways displays the “show security alg status” title when it should display the “show security alg sip transactions” title. The information for Syntax, Release Information, Description, and Options is also incorrect. The correct information is provided below.

Syntax—show security alg sip transactions <node (node-id | all | local | primary)>

Release information—Command modified in Release 9.2 of JUNOS software; node options added in Release 9.0 of JUNOS software.


Description—Display information about Session Initiation Protocol (SIP) Application Layer Gateway (ALG) transactions.

This command is supported on J-series and SRX-series devices.

Options

■ none—Display all SIP ALG transactions.

■ node—(Optional) For chassis cluster configurations, display SIP transactions on a specific node (device) in the cluster.

  ■ node-id—Identification number of the node. It can be 0 or 1.

  ■ all—Display information about all nodes.

  ■ local—Display information about the local node.

  ■ primary—Display information about the primary node.

CompactFlash Card Support

The JUNOS Software Administration Guide incorrectly states that JUNOS supports a 256-MB CompactFlash card size. JUNOS supports only 512-MB and 1024-MB CompactFlash card sizes.

Device Support

The “Installing Software using the TFTPBoot Method on the SRX 100/SRX 210/SRX 650 Services Gateway” section and the “Administration Features on SRX 100/210/240 Services Gateways” section in the JUNOS Software Administration Guide incorrectly imply that the SRX100 device is supported. The SRX100 device is not supported in this release.

DLSw

The JUNOS Software Interfaces and Routing Configuration Guide incorrectly states that the data link switching (DLSw) protocol is supported in this release. DLSw support ended in JUNOS Release 9.3.

Flow

The JUNOS Software CLI Reference and the JUNOS Software Security Configuration Guide state that the following aggressive aging statements are supported on SRX-series devices, when in fact they are not supported on SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices:

[edit security flow aging early-ageout]

[edit security flow aging high-watermark]

[edit security flow aging low-watermark]


Installing Software Packages

The current SRX 210 documentation does not include the following information:

On SRX 210 devices, the /var hierarchy is hosted in a separate partition (instead of the root partition). If JUNOS software installation fails due to insufficient space:

1. Use the request system storage cleanup command to delete temporary files.

2. Delete any user-created files in both the root partition and under the /var hierarchy.

Intrusion Detection and Prevention (IDP)

In the JUNOS Software Security Configuration Guide, the following information in the "Verifying the Policy Compilation and Load Status" section is incorrect:

The text does not indicate that the log file must be created first.

The path for the log file is incorrect.

Note the following correct information:

Create the log file first by entering set security idp traceoptions file idpd. You can then set flags by entering set security idp traceoptions flag all.

The correct path for the idpd log file is /var/log, not /var/db.

J-Web

The J-Web Security Package Update help page does not have information about download status.

Screens

The following guide contains incorrect screen configuration instructions:

JUNOS Software Design and Implementation Guide, “Implementing Firewall Deployments for Branch Offices” chapter

Examples throughout this guide describe how to configure screen options using the set security screen screen-name CLI statements. Instead, you should use the set security screen ids-option screen-name CLI statements. All screen configuration options are located at the [set security screen ids-option screen-name] level of the configuration hierarchy.
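The two screen errata above (the syn-flood CLI defaults under Attack Detection and Prevention, and the [set security screen ids-option screen-name] hierarchy under Screens) are the basis for this added Python audit, which is not Juniper's code: it parses brace-format screen configuration, such as the text of show configuration security screen, and reports for each ids-option which syn-flood thresholds deviate from the documented defaults, or that syn-flood is absent altogether. The sample configuration is constructed.

```python
"""Added example: audit SYN-flood screen thresholds in a JUNOS configuration.

Parses brace-format [edit security screen] text and compares each ids-option's
syn-flood settings with the CLI defaults given in the errata (constructed input).
"""

# CLI defaults for [edit security screen ids-option <name> tcp syn-flood].
SYN_FLOOD_DEFAULTS = {
    "alarm-threshold": 1024,
    "attack-threshold": 200,
    "source-threshold": 1024,
    "destination-threshold": 2048,
    "timeout": 20,
}

SAMPLE_CONFIG = """\
security {
    screen {
        ids-option untrust-screen {
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
            }
        }
        ids-option dmz-screen {
            tcp {
                syn-flood {
                    attack-threshold 500;
                    timeout 5;
                }
            }
        }
        ids-option lab-screen {
            alarm-without-drop;
        }
    }
}
"""


def parse_junos_config(text):
    """Nested dicts from JUNOS curly-brace text: "x {" opens a container keyed
    by its statement text, "k v;" maps k -> "v", a bare "k;" maps k -> True.
    Comments and the "inactive:" marker are not handled."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            node = {}
            stack[-1][line[:-1].strip()] = node
            stack.append(node)
        elif line.endswith(";"):
            parts = line[:-1].split(None, 1)
            stack[-1][parts[0]] = parts[1] if len(parts) == 2 else True
        else:
            raise ValueError(f"unrecognised configuration line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces in configuration")
    return root


def audit_syn_flood(config):
    """Map each ids-option screen to {setting: (configured, default)} for the
    syn-flood settings that differ from the documented defaults. None means the
    screen has no syn-flood statement, i.e. no SYN-flood protection at all;
    settings left unset take the default and are not reported."""
    screens = config.get("security", {}).get("screen", {})
    report = {}
    for key, body in screens.items():
        if not key.startswith("ids-option "):
            continue
        name = key.split(None, 1)[1]
        tcp = body.get("tcp") if isinstance(body, dict) else None
        syn = tcp.get("syn-flood") if isinstance(tcp, dict) else None
        if syn is None:
            report[name] = None
            continue
        if syn is True:  # bare "syn-flood;" with no thresholds: defaults apply
            syn = {}
        report[name] = {
            s: (int(syn[s]), d) for s, d in SYN_FLOOD_DEFAULTS.items()
            if s in syn and int(syn[s]) != d
        }
    return report


if __name__ == "__main__":
    for name, diffs in audit_syn_flood(parse_junos_config(SAMPLE_CONFIG)).items():
        print(name, "no SYN-flood protection" if diffs is None else diffs or "defaults")
```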

Related Topics

New Features in JUNOS Software Release 9.5 for SRX-series Services Gateways on page 98

Known Limitations in JUNOS Software Release 9.5 for SRX-series Services Gateways on page 124

Issues in JUNOS Software Release 9.5 for SRX-series Services Gateways on page 129

Unsupported CLI Statements and Commands in JUNOS Software Release 9.5 for SRX-series Services Gateways on page 128

JUNOS Software Release Notes for J-series Services Routers


New Features in JUNOS Software Release 9.5 for J-series Services Routers on page 145

Known Limitations in JUNOS Software Release 9.5 for J-series Services Routers on page 150

Changes in Default Behavior and Syntax on page 151

Issues in JUNOS Software Release 9.5 for J-series Services Routers on page 152

Errata in Documentation for JUNOS Software Release 9.5 for J-series Services Routers on page 158

Hardware Requirements for JUNOS Software Release 9.5 for J-series Services Routers on page 160

Upgrade and Downgrade Instructions for JUNOS Software Release 9.5 for J-series Services Routers on page 162

New Features in JUNOS Software Release 9.5 for J-series Services Routers

JUNOS Software on page 145

JUNOS Software

Release 9.5 of JUNOS software includes the following features.

Chassis Clustering

Control link recovery—This feature is supported on J2320, J2350, J4350, and J6350 Services Routers. Prior to this release, when a node was disabled due to control link failure, after fixing the issue, you had to manually reboot the disabled node to make the disabled node rejoin the cluster. With this release, you can specify that control link recovery be done automatically by the system by using the set chassis cluster control-link-recovery command (this feature is disabled by default). Once the system determines that the control link is healthy, it issues an automatic reboot on the disabled node. When the disabled node reboots, the node rejoins the cluster. There is no need for any manual intervention.

Cold synchronization monitoring—This feature is supported on J-series Services Routers. The process of synchronizing data-plane runtime objects (RTOs) on the startup of the Services Processing Units (SPUs) or flowd is called cold sync. Chassis clustering supports the process of monitoring the cold-sync state of all SPUs or flowd on a node. Also, if you enable preempt, cold-sync monitoring prevents the node from taking over mastership until the cold-sync process is completed for all the SPUs or flowd on the node.

SNMP failover traps—This feature is supported on the J-series Services Routers. Chassis clustering supports SNMP traps, which are triggered whenever there is a redundancy group failover. You can specify that a trace log be generated by using the set chassis cluster traceoptions flag snmp command.


Flow-Based Processing

J-series devices now use flow-based processing comparable to that used on SRX-series devices. For more information, see the JUNOS Software Interfaces and Routing Configuration Guide for Security Devices.

Intrusion Detection and Prevention (IDP)

Configuring IDP test conditions in custom anomaly attacks—The user can now see the supported test conditions for a protocol in the CLI.

When configuring IDP custom attacks, you can now list supported test conditions for a specific protocol. For example, to configure test conditions for ICMP:

1. List supported test conditions for ICMP and choose the one you want to configure:

[edit security idp custom-attack test1 attack-type anomaly]
user@host# set test icmp?
Possible completions:
  <test>               Protocol anomaly condition to be checked
  ADDRESSMASK_REQUEST
  DIFF_CHECKSUM_IN_RESEND
  DIFF_CHECKSUM_IN_RESPONSE
  DIFF_LENGTH_IN_RESEND

2. Configure the service for which you want to configure the test condition:

[edit security idp custom-attack test1 attack-type anomaly]
user@host# set service ICMP

3. Configure the test condition (specifying the protocol name is not required):

[edit security idp custom-attack test1 attack-type anomaly]
user@host# set test ADDRESSMASK_REQUEST

Interfaces and Routing

Link Fragmentation and Interleaving (LFI) over Asymmetric Digital Subscriber Line (ADSL)—This release of JUNOS software supports link fragmentation and interleaving (LFI) for asymmetric digital subscriber line (ADSL). LFI requires Multilink Point-to-Point Protocol (MLPPP) on ADSL, which involves enabling the existing CLI under the xDSL interface to support MLPPP encapsulation and the family mlppp. MLPPP LFI is supported on xDSL Single IFL (logical interface).

Voice over IP joint development with Avaya phase 1 (JD1)—This feature is now supported on J2320, J2350, J4350, and J6350 Services Routers.


J-Web

J-Web User Interface—IPv6 management support for J-Web is available in this release. Users can access J-Web through the IPv6 address. The IPv6 address is assigned to the management interface and then J-Web is accessed.

J-Web Monitor pages for enhanced switching—The J-Web interface now provides Monitor pages for enhanced switching. New Monitor pages for enhanced switching allow you to monitor information and status for the following:

Internet Group Management Protocol (IGMP) snooping

Ethernet switching

J-Web Quick Configuration pages for enhanced switching—The J-Web interface now provides Quick Configuration pages for enhanced switching.

New Quick Configuration pages for enhanced switching allow you to configure information for the following:

Virtual LAN (VLAN)

Spanning Tree Protocol (STP)

Link Aggregation Control Protocol (LACP)

Generic Virtual Local Area Network Registration Protocol (GVRP)

IGMP snooping

Dot1X

Network Address Translation (NAT)

Network Address Translation (NAT) is a method by which IP addresses in a packet are mapped from one group to another and, optionally, port numbers in the packet are translated into different port numbers. NAT is described in RFC 1631 to solve IP (version 4) address depletion problems. On J-series devices, JUNOS software decouples NAT configuration from policy configuration. NAT now uses rules to regulate traffic on J-series devices. NAT on J-series Services Routers is compatible with SRX-series devices, and is configured in the same way as on SRX-series devices.

Unified Access Control (UAC) Integration

You can configure a J-series Services Router to act as a JUNOS Enforcer in a Unified Access Control (UAC) deployment. When deployed as a JUNOS Enforcer, the J-series device enforces the policies that are defined on the UAC’s Infranet Controller.

To configure the J-series device as a JUNOS Enforcer, enable the uac-policy option for the application-services statement at the [set security policies from-zone zone-name to-zone zone-name policy match then permit] hierarchy level. Then use the unified-access-control statement at the [edit services] hierarchy level to configure UAC features. For more information, see the JUNOS Software Security Configuration Guide.


Unified Threat Management (UTM)

Antispam—E-mail spam consists of unwanted e-mail messages, usually sent by commercial, malicious, or fraudulent entities. The antispam feature examines transmitted e-mail messages to identify e-mail spam. When the device detects an e-mail message deemed to be spam, it either drops the message or tags the message header or subject field with a preprogrammed string.

The antispam feature uses a constantly updated spam block list (SBL). Sophos updates and maintains the IP-based SBL. The antispam feature is a separately licensed subscription service.

To configure antispam, use the antispam statement at the [set security utm feature-profile] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.

Content filtering—Content filtering blocks or allows certain types of traffic based on the MIME type, file extension, protocol command, and embedded object type. Content filtering does not require a separate license.

To configure content filtering, use the content-filtering statement at the [set security utm feature-profile] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.

Full file-based antivirus—A virus is executable code that infects or attaches itself to other executable code to reproduce itself. Some malicious viruses erase files or lock up systems. Other viruses merely infect files and overwhelm the target host or network with bogus data. The full file-based antivirus feature provides file-based scanning on specific Application Layer traffic checking for viruses against a virus signature database. It collects the received data packets until it has reconstructed the original application content, such as an e-mail file attachment, and then scans this content. Kaspersky Lab provides the internal scan engine. The full file-based antivirus scanning feature is a separately licensed subscription service.

To configure full file-based antivirus, use the antivirus kaspersky-lab-engine statement at the [set security utm feature-profile] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.

Integrated Web filtering—Web filtering lets you manage Internet usage by preventing access to inappropriate Web content. With the integrated Web filtering solution, the decision-making for blocking or permitting Web access is done on the device after it identifies the category for a URL either from user-defined categories or from a category server (Websense provides the CPA Server). The integrated Web filtering feature is a separately licensed subscription service.

To configure integrated Web filtering, use the web-filtering surf-control-integrated statement at the [set security utm feature-profile] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.

Redirect Web filtering—Web filtering lets you manage Internet usage by preventing access to inappropriate Web content. The redirect Web filtering solution intercepts HTTP requests and forwards the server URL to an external URL filtering server provided by Websense to determine whether to block or permit the requested Web access. Redirect Web filtering does not require a separate license.

To configure redirect Web filtering, use the web-filtering websense-redirect statement at the [set security utm feature-profile] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.

UTM licensing—The majority of UTM features function as a subscription service requiring a license. You can redeem this license once you have purchased your subscription license SKUs.

To apply your UTM license, use the system license update statement at the [request] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.

Antivirus SNMP support—SNMP support is provided for the following antivirus functionality: scan engine monitoring, signature database update status, and scan statistics.

For more information, see the JUNOS Network Management Guide.

VPLS

This release supports virtual private LAN service (VPLS), an Ethernet-based point-to-multipoint Layer 2 virtual private network (VPN), on J-series Services Routers.

VPLS allows you to connect geographically dispersed Ethernet LAN sites to each other across a service provider's MPLS backbone.

To configure VPLS on a provider edge (PE) router to a customer edge (CE) router, use the following statements:

■ set interfaces <name> encapsulation ethernet-vpls | extended-vlan-vpls | vlan-vpls

■ set interfaces <name> unit 0 family vpls

To create and configure a VPLS routing instance, use the following statements:

■ set routing-instances <name> instance-type vpls

■ set routing-instances <name> protocols vpls site-range <number> site <name> site-identifier <number>

■ set routing-instances <name> protocols vpls no-tunnel-services

■ set routing-instances <name> route-distinguisher <distinguisher>

■ set routing-instances <name> vrf-target target:<target>

■ set routing-instances <name> instance-type vpls interface <interface>

NOTE: You must also configure MPLS label-switched paths (LSPs) between PE routers, internal BGP (IBGP) sessions between PE routers, and an interior gateway protocol (IGP) on the PE routers.

For more information, see the JUNOS Software Interfaces and Routing Configuration Guide for Security Devices.


Related Topics

Known Limitations in JUNOS Software Release 9.5 for J-series Services Routers on page 150

Changes in Default Behavior and Syntax on page 151

Issues in JUNOS Software Release 9.5 for J-series Services Routers on page 152

Hardware Requirements for JUNOS Software Release 9.5 for J-series Services Routers on page 160

Upgrade and Downgrade Instructions for JUNOS Software Release 9.5 for J-series Services Routers on page 162

Known Limitations in JUNOS Software Release 9.5 for J-series Services Routers

Chassis Cluster

For this release of JUNOS software, the following features are not supported when chassis clustering is enabled on the router:

All packet-based protocols, such as MPLS, Connectionless Network Service (CLNS), and IP version 6 (IPv6)

Any function that depends on the configurable interfaces:

■ lsq-0/0/0—Link services Multilink Point-to-Point Protocol (MLPPP), Multilink Frame Relay (MLFR), and Compressed Real-Time Transport Protocol (CRTP)

■ gr-0/0/0—Generic routing encapsulation (GRE) and tunneling

■ ip-0/0/0—IP-over-IP (IP-IP) encapsulation

■ pd-0/0/0, pe-0/0/0, and mt-0/0/0—All multicast protocols

■ lt-0/0/0—Real-time performance monitoring (RPM)

WXC Integrated Services Module (WXC ISM 200)

Layer 2 Ethernet switching

ISDN BRI

Additional limitations include:

For a J-series chassis cluster, the maximum number of redundancy groups is equal to the number of redundant Ethernet interfaces configured by the user.

After fabric interfaces have been configured on a chassis cluster, removing the fabric configuration on either node will cause the redundancy group 0 (RG0) secondary node to move to a disabled state. (Resetting a device to the factory default configuration removes the fabric configuration and thereby causes the RG0 secondary node to move to a disabled state.) After the fabric configuration is committed, do not reset either device to the factory default configuration.

A Fast Ethernet port from a 4-port Ethernet PIM cannot be used as a fabric link port in a chassis cluster.


Intrusion Detection and Prevention (IDP)

On J-series Services Routers, IP actions do not work when users select a timeout value greater than 65535 in IDP policy.

J-Web

Some J-Web pages for new features (for example, the Quick Configuration page for the switching features on J-series Services Routers) display content in one or more modal pop-up windows. In the modal pop-up windows, you can interact only with the content in the window and not with the rest of the J-Web page. As a result, online help is not available when modal pop-up windows are displayed.

You can access the online help for a feature only by clicking the Help button on a J-Web page.

Simple Network Management Protocol (SNMP)

SNMP NAT related MIB is not supported in this release.

Unified Threat Management (UTM)

Unified Threat Management (UTM) requires 1 GB of memory. If your J2320, J2350, or J4350 device has only 512 MB of memory, you must upgrade the memory to 1 GB to run UTM.

Related Topics

New Features in JUNOS Software Release 9.5 for J-series Services Routers on page 145

Changes in Default Behavior and Syntax on page 151

Issues in JUNOS Software Release 9.5 for J-series Services Routers on page 152

Hardware Requirements for JUNOS Software Release 9.5 for J-series Services Routers on page 160

Upgrade and Downgrade Instructions for JUNOS Software Release 9.5 for J-series Services Routers on page 162

Errata in Documentation for JUNOS Software Release 9.5 for J-series Services Routers on page 158

Changes in Default Behavior and Syntax

The following current system behavior, configuration statement usage, and operational mode command usage might not yet be documented in the JUNOS software documentation:


CLI

CLI Commands No Longer Supported

The show dhcp relay and show dhcp server commands are no longer supported.

Configuration

Network Address Translation (NAT)

J-series devices running JUNOS 9.5 now support rules-based NAT. Previously, J-series devices supported policy-based NAT. As part of the upgrade procedure, a migration utility explained in the JUNOS Software Migration Guide converts any existing NAT policies to NAT rules. For more information, see the JUNOS Software Migration Guide.

Security

J-series devices no longer allow a configuration in which a tunnel's source or destination address falls under the subnet of the same logical interface’s address.

J-series Services Routers do not support the authentication order password radius or password ldap in the edit access profile profile-name authentication-order command. Instead, use the order radius password or ldap password.

Related Topics

New Features in JUNOS Software Release 9.5 for J-series Services Routers on page 145

Known Limitations in JUNOS Software Release 9.5 for J-series Services Routers on page 150

Issues in JUNOS Software Release 9.5 for J-series Services Routers on page 152

Hardware Requirements for JUNOS Software Release 9.5 for J-series Services Routers on page 160

Upgrade and Downgrade Instructions for JUNOS Software Release 9.5 for J-series Services Routers on page 162

Errata in Documentation for JUNOS Software Release 9.5 for J-series Services Routers on page 158

Issues in JUNOS Software Release 9.5 for J-series Services Routers

Outstanding Issues in JUNOS Software Release 9.5 for J-series Services Routers on page 153

Resolved Issues in JUNOS Software Release 9.5 for J-series Services Routers on page 157


Outstanding Issues in JUNOS Software Release 9.5 for J-series Services Routers

Application Layer Gateways (ALGs)

On J2350 Services Routers, an SCCP call cannot be set up after disabling and enabling SCCP ALG. The call does not go through. [PR/409586]

Authentication

In some operating systems, your attempt to log in to the router from a management device through FTP or Telnet might fail if you type your username and password in quick succession before the prompt is displayed. As a workaround, type your username and password after getting the prompt. [PR/255024]

Chassis Cluster

In a chassis cluster, the show interface terse command on the secondary Routing Engine does not display the same details as that of the primary Routing Engine. [PR/237982]

On J4350 Services Routers, because the clear security alg sip call command triggers a SIP RTO to synchronize sessions in a chassis cluster, use of the command on one node with the node-id , local , or primary option might result in a SIP call being removed from both nodes. [PR/263976]

When a new redundancy group is added to a chassis cluster, the node with lower priority might be elected as primary when the preempt option is not enabled for the nodes in the redundancy group. [PR/265340]

When you commit a configuration for a node belonging to a chassis cluster, all the redundancy groups might fail over to node 0. If graceful protocol restart is not configured, the failover can destabilize routing protocol adjacencies and disrupt traffic forwarding. To allow the commit operation to take place without causing a failover, we recommend that you use the set chassis cluster heartbeat-threshold 5 command on the cluster. [PR/265801]

In a chassis cluster, J-Web does not enable you to commit any configuration. We recommend that you use the command-line interface (CLI) for configuration. [PR/281986]

In a chassis cluster, a high load of SIP ALG traffic might result in some call leaks in active resource manager groups and gates on the backup router. [PR/268613]

On J2300, J2320, J2350, J4350, and J6350 Services Routers, in an active/active chassis cluster, when the fabric link fails and then recovers, services with a short time-to-live, such as ALG FTP, stop working. [PR/419095]

On J4350 Services Routers in a chassis cluster, the FTP session is lost after Routing Engine failover, although it still exists on the DUT active session. [PR/432203]


Class of Service

J4350 and J6350 Services Routers might not have the requisite data buffers needed to meet expected delay-bandwidth requirements. Lack of data buffers might degrade CoS performance with smaller-sized (500 bytes or less) packets. [PR/73054]

With a CoS configuration, when you try to delete all the flow sessions using the clear security flow session command, the WX application acceleration platform might fail over with heavy traffic. [PR/273843]

Enhanced switching

If the access port is tagged with the same VLAN that is configured at the port, the access port accepts tagged packets and determines the MAC. [PR/302635]

VLAN output traffic statistics are not being updated. [PR/305845]

Flow and Processing

In JUNOS software, the TTL value on the Internet control message protocol (ICMP) responses is set to 65. [PR/233844]

Even when forwarding options are set to drop packets for the ISO protocol family, the router forms End System-to-Intermediate System (ES-IS) adjacencies and transmits packets because ES-IS packets are Layer 2 terminating packets. [PR/252957]

OSPF over a multipoint interface connected as a hub-and-spoke network does not restart when a new path is found to the same destination. [PR/280771]

On J-series Services Routers, outbound filters will be applied twice for host-generated IPv4 traffic. [PR/301199]

On J6350 Services Routers, when a basic SCCP call is made and the primary node is rebooted while the call is active, call information hot sync fails. The log on the secondary node shows that the SCCP call information is not synchronized correctly, while the rm session is synchronized successfully. [PR/426289]

On J-series Services Routers, NAT traffic that is going to the WXC ISM 200 and returning back in clear (that is, not accelerated by the WXC ISM 200) does not work. [PR/438152]


Infrastructure

On J-series Services Routers, you cannot use a USB device that provides U3 features (such as the U3 Titanium device from SanDisk Corporation) as the media device during system boot. You must remove the U3 support before using the device as a boot medium. For the U3 Titanium device, you can use the U3 Launchpad Removal Tool on a Windows-based system to remove the U3 features. The tool is available for download at http://www.sandisk.com/Retail/Default.aspx?CatID=1415. (To restore the U3 features, use the U3 Launchpad Installer Tool accessible at http://www.sandisk.com/Retail/Default.aspx?CatID=1411.) [PR/102645]

If the device does not have an ARP entry for an IP address, it drops the first packet from itself to that IP address. [PR/233867]

On J2320, J2350, J4350, and J6350 Services Routers, when you press the F10 key to save and exit from BIOS configuration mode, the operation might not work as expected. As a workaround, use the Save and Exit option from the Exit menu. This issue can be seen on the J4350 and J6350 routers with BIOS Version 080011 and on the J2320 and J2350 routers with BIOS Version 080012. [PR/237721]

On J2320, J2350, J4350, and J6350 Services Routers, the Clear NVRAM option in the BIOS configuration mode does not work as expected. This issue can be seen on the J4350 and J6350 routers with BIOS Version 080011 and on the J2320 and J2350 routers with BIOS Version 080012. To help mitigate this issue, note any changes you make to the BIOS configuration so that you can revert to the default BIOS configuration as needed. [PR/237722]

If you enable security trace options, the log file might not be created in the default location at /var/log/security-trace. As a workaround, manually set the log file to the directory /var/log/security-trace. [PR/254563]

Interfaces and Routing

The link status of the onboard Gigabit Ethernet interfaces (ge-0/0/0 through ge-0/0/3) or the 1-port Gigabit Ethernet ePIM interface on J4350 and J6350 Services Routers fails when you configure these interfaces in loopback mode. [PR/72381]

Asymmetric routing, such as tracing a route to a destination behind J-series routers running JUNOS software with Virtual Router Redundancy Protocol (VRRP), does not work. [PR/237589]

On J2320 Services Routers, when you enable the DHCP client, the default route is not added to route-table. [PR/296469]

On J2320, J2350, J4350, and J6350 Services Routers, broadcast TFTP is not supported when flow is enabled on the device. [PR/391399]

On J-series Services Routers, the RPM operation will not work for the probe-type tcp-ping when the probe is configured with the option destination-interface. [PR/424925]


J2350 Services Routers configured as a DHCP client will not receive the DNS server IP address passed on by the DHCP server. Without a name server, license updates and AV attack object updates will fail. [PR/428445]

On J2300, J2320, J2350, J4350, and J6350 Services Routers, performing a redundancy group 0 failover with 1000 ifls on the reth interface causes replication errors that cause ksyncd to generate a core file. [PR/428636]

J-Web

On J4350 Services Routers, when the user adds LACP interface details, a pop-up window appears in which there are two buttons to move the interface left and right. The LACP page currently does not have images incorporated with these two buttons. [PR/305885]

On J2350, J4350, and J6350 Services Routers, if the user opens J-Web using Internet Explorer, the Configuration > Switching > LACP Sorting option for the Aggregate Interface column will not work. [PR/421634]

On J-series Services Routers, the Ajax calls need to be optimized and should be in synchronization with the existing configuration screens [STP, GVRP and IGMP-Snooping]. [PR/422523]

On J2350, J4350, and J6350 Services Routers when J-Web users select the tabs on the bottom-left menu, the corresponding screen is not displayed fully, so users must scroll the page to see all content. This issue occurs when the computer is set to a low resolution. As a workaround, set the computer resolution to 1280 x 1024. [PR/423555]

Unified Access Control (UAC)

On J-series Services Routers, MAC address based authentication does not work when the router is configured as UAC L2 Enforcer. [PR/431595]

Unified Threat Management (UTM)

On J-series Services Routers, under stress conditions, it is possible that UTM sessions do not get cleaned up properly. The user will continue to see outstanding UTM sessions even after traffic is stopped and flow sessions have been released. If the number of outstanding leaked sessions exceeds desirable levels, causing UTM not to handle new traffic, the forwarding daemon will need to be restarted. [PR/424426]

On J2320, J2350, J4350, and J6350 Services Routers, Outlook Express is sending infected mail (with an EICAR test file) to a mail server (directly, not through DUT). Eudora 7 is using the IMAP protocol to download this mail (through DUT). Mail retrieval is slow, and the EICAR test file is not detected. [PR/424797]

On J2300, J2320, J2350, J4350, and J6350 Services Routers, the Websense server stops taking new connections after HTTP stress. All new sessions get blocked. As a workaround, reboot the Websense server. [PR/435425]


Virtual Private Network (VPN)

The proxy-identity statement is valid for route-based VPN configuration only. Policy-based VPN does not support the proxy-identity statement. [PR/296468]

WXC Integrated Services Module

When two J-series devices with WXC Integrated Services Modules (ISM 200s) installed are configured as peers, traceroute fails if redirect-wx is configured on both peers. [PR/227958]

JUNOS software does not support policy-based VPN with WXC Integrated Services Modules (ISM200s). [PR/281822]

Resolved Issues in JUNOS Software Release 9.5 for J-series Services Routers

The following issues from JUNOS Release 9.5 R3 have been resolved in this release. The identifier following the description is the tracking number in our bug database.

Flow and Processing

On J2350, J4350, and J6350 Services Routers, OSPF over GRE over IPsec did not work. [PR/105279: This issue has been resolved.]

J-Web

On J-series Services Routers, on the J-Web spanning-tree configuration page, the Edit interface/msti window did not save the data before committing the configuration. [PR/433506: This issue has been resolved.]

Related Topics

New Features in JUNOS Software Release 9.5 for J-series Services Routers on page 145

Known Limitations in JUNOS Software Release 9.5 for J-series Services Routers on page 150

Changes in Default Behavior and Syntax on page 151

Hardware Requirements for JUNOS Software Release 9.5 for J-series Services Routers on page 160

Upgrade and Downgrade Instructions for JUNOS Software Release 9.5 for J-series Services Routers on page 162

Errata in Documentation for JUNOS Software Release 9.5 for J-series Services Routers on page 158


Errata in Documentation for JUNOS Software Release 9.5 for J-series Services Routers

Chassis Clustering

The “Setting the Node ID and Cluster ID” and “Active/Passive Chassis Cluster Scenario” sections in the JUNOS Software Security Configuration Guide incorrectly show command syntax as the following:

set chassis cluster node 0 cluster-id 1
set chassis cluster node 1 cluster-id 1
reboot

The command syntax should be as follows:

set chassis cluster cluster-id 1 node 0
set chassis cluster cluster-id 1 node 1
reboot

CLI

Page 976 of the JUNOS Software CLI Reference Guide displays the “show security alg status” title when it should display the “show security alg sip transactions” title. The information for Syntax, Release Information, Description, and Options is also incorrect. The correct information is provided below.

Syntax—show security alg sip transactions <node (node-id | all | local | primary)>

Release information—Command modified in Release 9.2 of JUNOS software; node options added in Release 9.0 of JUNOS software.

Description—Display information about Session Initiation Protocol (SIP) Application Layer Gateway (ALG) transactions.

This command is supported on J-series and SRX-series devices.

Options

■ none—Display all SIP ALG transactions.

■ node—(Optional) For chassis cluster configurations, display SIP transactions on a specific node (device) in the cluster.

node-id—Identification number of the node. It can be 0 or 1.

■ all—Display information about all nodes.

■ local—Display information about the local node.

■ primary—Display information about the primary node.

DLSw

The JUNOS Software Interfaces and Routing Configuration Guide incorrectly states that the data link switching (DLSw) protocol is supported in this release. DLSw support ended in JUNOS Release 9.3.

Intrusion Detection and Prevention (IDP)

In the JUNOS Software Security Configuration Guide, the following information in the "Verifying the Policy Compilation and Load Status" section is incorrect:

The text does not indicate that the log file must be created first.

The path for the log file is incorrect.

Note the following correct information:

Create the log file first by entering set security idp traceoptions file idpd. You can then set flags by entering set security idp traceoptions flag all.

The correct path for the idpd log file is /var/log, not /var/db.

J-Web

J-Web Pages for Stateless Firewall Filters

There is no documentation describing the J-Web pages for stateless firewall filters.

To find these pages in J-Web, go to Configuration > Firewall Filters, then select IPv4 Firewall Filters or IPv6 Firewall Filters. After configuring filters, select Assign to Interfaces to assign your configured filters to interfaces.

PIM

The J2300, J4300, and J6300 Services Router Getting Started Guide incorrectly states that 1000Base-LH SFP (JX-SFP-1GE-LH) is not supported. This SFP is supported.

Screens

The following guide contains incorrect screen configuration instructions:

JUNOS Software Design and Implementation Guide, “Implementing Firewall Deployments for Branch Offices” chapter

Examples throughout the guide describe how to configure screen options using the set security screen screen-name CLI statements. Instead, you should use the set security screen ids-option screen-name CLI statements. All screen configuration options are located in the [set security screen ids-option screen-name] level of the configuration hierarchy.

Related Topics

New Features in JUNOS Software Release 9.5 for J-series Services Routers on page 145

Known Limitations in JUNOS Software Release 9.5 for J-series Services Routers on page 150

Changes in Default Behavior and Syntax on page 151

Issues in JUNOS Software Release 9.5 for J-series Services Routers on page 152

Hardware Requirements for JUNOS Software Release 9.5 for J-series Services Routers on page 160

Upgrade and Downgrade Instructions for JUNOS Software Release 9.5 for J-series Services Routers on page 162

Hardware Requirements for JUNOS Software Release 9.5 for J-series Services Routers

Power and Heat Dissipation Requirements for J Series PIMs on page 160

Supported Third-Party Hardware for J Series Services Routers on page 160

J Series CompactFlash and Memory Requirements on page 161

Power and Heat Dissipation Requirements for J Series PIMs

On J Series Services Routers, the system monitors the PIMs and verifies that the PIMs fall within the power and heat dissipation capacity of the chassis. If power management is enabled and the capacity is exceeded, the system prevents one or more of the PIMs from becoming active.

CAUTION: Disabling power management can result in hardware damage if you overload the chassis capacities.

You can also use CLI commands to choose which PIMs are disabled. For details about calculating the power and heat dissipation capacity of each PIM and troubleshooting procedures, see the J-series Services Routers Hardware Guide.

Supported Third-Party Hardware for J Series Services Routers

The following third-party hardware is supported for use with J-series Services Routers running JUNOS software.

USB Modem

We recommend using a U.S. Robotics USB 56K V.92 Modem, model number USR 5637.

Storage Devices

The USB slots on J-series Services Routers accept a USB storage device or USB storage device adapter with a CompactFlash card installed, as defined in the CompactFlash Specification published by the CompactFlash Association. When the USB device is installed and configured, it automatically acts as a secondary boot device if the primary CompactFlash card fails on startup. Depending on the size of the USB storage device, you can also configure it to receive any core files generated during a router failure. The USB device must have a storage capacity of at least 256 MB.

Table 13 on page 161 lists the USB and CompactFlash card devices supported for use with the J-series Services Routers.

Table 13: Supported Storage Devices on the J-series Services Routers

Manufacturer                                                              Storage Capacity   Third-Party Part Number
SanDisk—Cruzer Mini 2.0                                                   256 MB             SDCZ2-256-A10
SanDisk                                                                   512 MB             SDCZ3-512-A10
SanDisk                                                                   1024 MB            SDCZ7-1024-A10
Kingston                                                                  512 MB             DTI/512KR
Kingston                                                                  1024 MB            DTI/1GBKR
SanDisk—ImageMate USB 2.0 Reader/Writer for CompactFlash Type I and II    N/A                SDDR-91-A15
SanDisk CompactFlash                                                      512 MB             SDCFB-512-455
SanDisk CompactFlash                                                      1 GB               SDCFB-1000.A10

J Series CompactFlash and Memory Requirements

Table 14 on page 161 lists the CompactFlash card and DRAM requirements for J Series Services Routers.

Table 14: J Series CompactFlash Card and DRAM Requirements

Model   Minimum CompactFlash Card Required   Minimum DRAM Required   Maximum DRAM Supported
J2320   512 MB                               512 MB                  1 GB
J2350   512 MB                               512 MB                  1 GB
J4350   512 MB                               512 MB                  2 GB
J6350   512 MB                               1 GB                    2 GB


Related Topics

New Features in JUNOS Software Release 9.5 for J-series Services Routers on page 145

Known Limitations in JUNOS Software Release 9.5 for J-series Services Routers on page 150

Changes in Default Behavior and Syntax on page 151

Issues in JUNOS Software Release 9.5 for J-series Services Routers on page 152

Upgrade and Downgrade Instructions for JUNOS Software Release 9.5 for J-series Services Routers on page 162

Errata in Documentation for JUNOS Software Release 9.5 for J-series Services Routers on page 158

Upgrade and Downgrade Instructions for JUNOS Software Release 9.5 for J-series Services Routers

For upgrade and downgrade instructions for JUNOS Software Release 9.5, see the JUNOS Software Migration Guide.

JUNOS Software Release Notes for EX-series Switches

New Features in JUNOS Software for EX-series Switches, Release 9.5 on page 162

Changes in Default Behavior and Syntax on page 166

Outstanding and Resolved Issues and Upgrade/Downgrade Issues in JUNOS Release 9.5 for EX-series Switches on page 167

Errata in Documentation for JUNOS Software Release 9.5 for EX-series Switches on page 178

New Features in JUNOS Software for EX-series Switches, Release 9.5

New features in Release 9.5 of JUNOS software for EX-series switches are described in this section.

Not all EX-series software features are supported on all EX-series platforms in the current release. For a list of all EX-series software features and their platform support, see EX-series Switch Software Features Overview.

New features are described on the following pages:

Hardware on page 163

Access Control and Port Security on page 164

Bridging, VLANs, and Spanning Trees on page 164

Class of Service (CoS) on page 164

Layer 3 Protocols on page 164

Management and RMON on page 165


MPLS on page 166

Virtual Chassis on page 166

Hardware

EX 8216 switch—The EX 8216 switch is a half-rack, midplane architecture, modular Ethernet switch that is designed for ultra-high-density environments such as campus aggregation, data center, or high-performance core switching environments. EX 8216 switches provide high availability and redundancy for all major hardware components, including Routing Engine (RE) modules, Switch Fabric (SF) modules, fan trays (with redundant fans), and load-sharing 3000 W AC and DC power supplies. Like other EX-series switches, EX 8216 switches provide high performance, scalability, and carrier-class reliability.

The EX 8216 switch chassis can accommodate a variety of Ethernet interfaces, supporting wire rate on all ports for all packet sizes. An EX 8216 switch accepts up to 16 line cards, double the number of line cards accepted by the EX 8208 switch. It offers the benefit of having more port density per rack unit of space than the EX 8208 switch.

The following line cards are available for all EX 8200 series switches and can be used interchangeably between EX 8208 and EX 8216 switches. You can install any combination of the line cards in the chassis:

8-port 10-Gigabit Ethernet SFP+ line card

48-port 10/100/1000 RJ-45 line card

48-port 100/1000 SFP line card

Four-post rack-mount kit—The four-post rack-mount kit is a separately orderable kit for EX 3200 and EX 4200 switches. This kit allows you to mount the switch on four posts of a four-post rack. It also provides two types of front brackets that allow you to mount the switch on two-post or four-post racks, either flush with the front of the rack or recessed 2 inches from the front of the rack.

New optical transceiver support—The SFP uplink module in EX 3200 and EX 4200 switches now supports five new optical transceivers:

EX-SFP-1FE-LX (100Base-LX, 10 km)

EX-SFP-GE10KT13R15 (1000Base-BX-U, 10 km)

EX-SFP-GE10KT15R13 (1000Base-BX-D, 10 km)

EX-SFP-GE40KT13R15 (1000Base-BX-U, 40 km)

EX-SFP-GE40KT15R13 (1000Base-BX-D, 40 km)

New optical transceiver support—The SFP+ uplink module in EX 3200 and EX 4200 switches now supports two new optical transceivers:

EX-SFP-10GE-LR (10GBase-LR, 10 km)

EX-SFP-10GE-LRM (10GBase-LRM, 220 m)

New optical transceiver support—The SFP+ uplink module in EX 8200 series switches now supports one new optical transceiver:

EX-SFP-10GE-LRM (10GBase-LRM, 220 m)

Virtual Chassis cable—The maximum length allowed for a Virtual Chassis cable is now 5 meters.

Access Control and Port Security

Dynamic firewall filters—Firewall filters applied to interfaces enabled for 802.1X or MAC RADIUS authentication are dynamically combined with the per-user policies sent to the switch from the RADIUS server. The switch uses internal logic to dynamically combine the interface firewall filter with the user policies from the RADIUS server and create an individualized policy for each of the multiple users or nonresponsive hosts that are authenticated on the interface.

Bridging, VLANs, and Spanning Trees

Private VLAN (PVLAN) enhancements—The following access security features are supported on PVLANs: MAC limiting, DHCP snooping, dynamic ARP inspection, IP source guard, and 802.1X.

Class of Service (CoS)

CoS rewrites—Differentiated Services code point (DSCP), IEEE 802.1p, and IP precedence bit value rewrites are enabled on routed VLAN interfaces (RVIs) on EX 3200 and EX 4200 switches.

CoS multidestination—You can use the CoS multidestination feature on EX 8200 series switches to specify the traffic class to be applied to unknown-unicast, broadcast, and multicast traffic. Three new default classifiers are provided for multidestination traffic: multicast expedited forwarding, multicast assured forwarding, and multicast best-effort. A default forwarding class, once configured, is applied to all interfaces on the switch. A classifier option is provided to allow you to specify a classifier to be used for bridged registered multidestination traffic and IP multidestination traffic on each interface.

Layer 3 Protocols

Multicast Source Discovery Protocol (MSDP)—You can use MSDP to connect multiple IP version 4 Protocol Independent Multicast sparse mode (PIM SM) domains. Each PIM SM domain uses its own independent rendezvous point and does not have to depend on rendezvous points in other domains.

OSPF multitopology routing (MT-OSPF)—You can use the MT-OSPF feature to define multiple topologies and to configure topology-specific metrics for individual links as well as to exclude individual links from specific topologies. As a result, you can use a single instance of OSPF to carry connectivity and IP reachability information for different topologies. Information for different topologies is used to calculate independent shortest-path-first (SPF) trees and routing tables.
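To make the independent-SPF point concrete, the following is an added example, not from the release notes or from Juniper's OSPF implementation: a small Python model in which each link carries a per-topology metric or is excluded from a topology, and a separate Dijkstra run per topology produces that topology's own shortest-path tree and next hops. The router names, topology names and metrics are constructed.

```python
"""Independent SPF computation per OSPF topology (MT-OSPF illustration).

Added example, not from the release notes or from Juniper's OSPF code: each
link carries a metric per topology, or is excluded from a topology, and a
separate Dijkstra run per topology yields that topology's shortest-path tree
and next hops. Router names, topology names, and metrics are constructed.
"""
import heapq

# (router_a, router_b, {topology: metric}). A topology missing from the dict
# means the link is excluded from that topology, which MT-OSPF allows per link.
LINKS = [
    ("R1", "R2", {"default": 10, "voice": 5}),
    ("R1", "R3", {"default": 5}),             # excluded from "voice"
    ("R2", "R4", {"default": 10, "voice": 5}),
    ("R3", "R4", {"default": 5, "voice": 50}),
]


def build_topology(links, topology):
    """Adjacency list for one topology; links not carrying it are dropped."""
    adj = {}
    for a, b, metrics in links:
        if topology not in metrics:
            continue
        adj.setdefault(a, []).append((b, metrics[topology]))
        adj.setdefault(b, []).append((a, metrics[topology]))
    return adj


def spf(adj, root):
    """Dijkstra from `root`. Returns {router: (cost, next_hop)}; root maps to (0, None)."""
    best = {root: (0, None)}
    heap = [(0, root, None)]
    while heap:
        cost, node, next_hop = heapq.heappop(heap)
        if cost > best[node][0]:
            continue  # stale heap entry, a cheaper path was found already
        for nbr, metric in adj.get(node, []):
            new_cost = cost + metric
            # A direct neighbour of the root is its own next hop; otherwise inherit.
            hop = nbr if node == root else next_hop
            if nbr not in best or new_cost < best[nbr][0]:
                best[nbr] = (new_cost, hop)
                heapq.heappush(heap, (new_cost, nbr, hop))
    return best


def routing_tables(links, root, topologies):
    """One routing table per topology, each from its own SPF run."""
    return {t: spf(build_topology(links, t), root) for t in topologies}


if __name__ == "__main__":
    for topo, table in routing_tables(LINKS, "R1", ["default", "voice"]).items():
        print(topo)
        for dest in sorted(table):
            if dest != "R1":
                cost, hop = table[dest]
                print(f"  {dest}: cost {cost} via {hop}")
```

With the constructed metrics, R1 reaches R4 through R3 in the default topology but through R2 in the voice topology, and R3 is reachable in the voice topology only by the long way round via R4, because the R1-R3 link is excluded from it.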

New Features in JUNOS Software for EX-series Switches, Release 9.5

Management and RMON

J-Web enhancements—The J-Web interface has the following enhancements:

The Ports Configuration page displays details about port role configuration.

The Link Aggregation Configuration page supports aggregating interfaces with any speed setting.

J-Web supports IPv6 configuration on the management interface.

The dashboard displays 10-gigabit SFP+ ports.

You can configure:

Spanning-tree protocols

GVRP

IGMP snooping

Redundant trunk groups (RTGs)

The monitoring feature has been enhanced to support:

Ethernet switching

Spanning-tree protocols

GVRP

IGMP snooping

The troubleshooting feature supports setting up real-time performance monitoring (RPM) and viewing RPM results.

Port mirroring:

Multiple VLAN support—You can configure multiple VLANs (up to 256) including a VLAN range and private VLANs (PVLANs) as ingress input to an analyzer in EX 3200 and EX 4200 switches or as egress input to an analyzer in EX 8200 series switches.

Layer 3 interface support—You can configure Layer 3 interfaces as ingress and egress input to an analyzer.


MPLS

JUNOS MPLS for EX-series switches—MPLS on EX-series switches supports Layer 2 protocols and Layer 2 VPNs. You can configure MPLS on your switches to increase transport efficiency in your network. MPLS services can be used to connect various sites to a backbone network or to ensure better performance for low-latency applications such as VoIP and other business-critical functions.

MPLS on EX-series switches supports only single-label MPLS packets and does not support LDP-based MPLS. MPLS configurations on EX-series switches are compatible with configurations on other Juniper Networks devices that support MPLS and circuit cross-connect (CCC).

Virtual Chassis

Autoprovisioning Virtual Chassis ports (VCPs)—In an existing preprovisioned Virtual Chassis configuration, you can use the autoprovisioning feature to automatically configure uplink module ports as VCPs when you add switches to that configuration.

Related Topics

Outstanding and Resolved Issues and Upgrade/Downgrade Issues in JUNOS Release 9.5 for EX-series Switches on page 167

Changes in Default Behavior and Syntax on page 166

Errata in Documentation for JUNOS Software Release 9.5 for EX-series Switches on page 178

Changes in Default Behavior and Syntax

The following current system behavior, configuration statement usage, and operational mode command usage might not yet be documented in the JUNOS software for EX-series switches documentation:


Class of Service

A new command has been introduced to change the buffering scheme: set class-of-service shared-buffers percent value

This option gives you the flexibility of controlling the shared egress buffer allocation per interface. Uplink ports are not used for shared allocation.

Interfaces

The following counters are not supported on routed VLAN interfaces (RVIs): local statistics, traffic statistics, and transit statistics.

Virtual Chassis

On EX 4200 switches, if you enter the command request chassis routing-engine master switch and then enter the command again within 240 seconds, the switch will display an error message saying “Command aborted. Not ready for mastership switch, try after n seconds.”

Related Topics

New Features in JUNOS Software for EX-series Switches, Release 9.5 on page 162

Outstanding and Resolved Issues and Upgrade/Downgrade Issues in JUNOS Release 9.5 for EX-series Switches on page 167

Errata in Documentation for JUNOS Software Release 9.5 for EX-series Switches on page 178

Outstanding and Resolved Issues and Upgrade/Downgrade Issues in JUNOS Release 9.5 for EX-series Switches

Outstanding issues in the JUNOS Release 9.5R4 software for EX-series switches and issues regarding software upgrade or downgrade are described on the following pages. The pages also list the issues that have been resolved since the last JUNOS Release 9.4 release:

Outstanding Issues

The following are outstanding issues in the JUNOS Release 9.5R4 software for EX-series switches. The identifier following the description is the tracking number in our bug database.


NOTE: The following PRs that were previously included in the JUNOS Release 9.5 release notes as outstanding issues have been removed, because these issues are not present in JUNOS Release 9.5R4 for EX-series switches:

286600, 295588, 389276, 390812, 399331, 403842, 406032, 409321, 410947, 411660, 414110, 415772

Access Control and Port Security

On EX-series switches, if you configure the RADIUS server revert-interval interval option, the switch does not attempt to reconnect to the unreachable server after the revert interval has elapsed. [PR/304637]

On EX 8208 switches, the medium attachment unit (MAU) type field is empty in the Link Layer Discovery Protocol (LLDP) protocol data unit (PDU). [PR/392043]

Bridging, VLANs, and Spanning Trees

Class of Service

Packets sent to the CPU are not supported for system log, log, or reject messages on EX-series switches. [PR/399664]

Hardware

On 48-port SFP line cards used in EX 8208 switches, do not insert a transceiver into the first or last port on the bottom row (ports 1 and 47). Transceivers inserted in these ports are difficult to remove. As a workaround, you can remove the transceiver by using a small flathead screwdriver or other tool to lift the lock on the transceiver. [PR/423694]

Infrastructure

The RADIUS request sent by an EX-series switch contains both Extensible Authentication Protocol (EAP) Identity Response and State attributes. [PR/300790]

On EX 8208 switches, RIP version 1 does not work properly. [PR/394905]

In the J-Web interface, you cannot commit some configuration changes in the Ports Configuration and VLAN Configuration pages because of the following limitations for port mirroring ports and port mirroring VLANs:

A port configured as the output port for an analyzer cannot be a member of any VLAN other than the default VLAN.

A VLAN configured to receive analyzer output can be associated with only one port.

[PR/400814]


Interfaces

After a redundant trunk group (RTG) interface switchover, MAC address aging does not stop, even though traffic is sent continuously and switched correctly. [PR/416739]

Spanning-tree, GVRP, or IGMP snooping configuration windows might load slowly in the J-Web interface. Wait until the windows load completely before entering information, or some information might get lost. [PR/422523]

In the J-Web interface on EX 8208 and EX 8216 switches, IPv6 is listed as an option in the Management Options page in the EZSetup wizard, but it is not supported. [PR/425959]

In the J-Web interface, uploading a package might not work properly if you are using Internet Explorer version 7. [PR/424859]

In the J-Web interface, the Ethernet Switching monitoring page might not display monitoring details if there are more than 13,000 MAC entries on the switch. [PR/425693]

If an SRE module, RE module, SF module, line card, or Virtual Chassis member is in offline mode, the J-Web interface might not update the dashboard image accordingly. [PR/431441]

In the J-Web interface, in the Port Security Configuration page, you are required to configure action when you configure MAC limit even though configuring an action value is not mandatory in the CLI. [PR/434836]

In the J-Web interface, interfaces configured with no-flow-control might be displayed in the Link Aggregation Configuration page. [PR/437410]

On routed VLAN interfaces (RVIs), the analyzer (port mirroring configuration) might incorrectly append an 802.1q (802.1Q) header to the packets being mirrored. As a workaround, you can configure an egress analyzer on each port of the egress VLAN. [PR/445393]

If software forwarding process (sfid) usage is greater than 60 percent, there might be packet losses in packets originating from the Routing Engine. [PR/473753]

When you use the show interfaces extensive command, the queued packet counter might not get updated and might display a value of 0. [PR/263527]

On EX 8208 switches, after an interface is blocked by BPDU control, removing the BPDU control configuration does not unblock the interfaces. As a workaround, issue the clear ether bpdu-error command from the CLI. [PR/407020]

On EX 8208 switches, if primary and backup interfaces for link protection are configured on a LAG interface (under the ether-options 802.3ad statement), packets might egress on the backup interface instead of on the primary interface when the line card is restarted or during Routing Engine switchover. As a workaround, remove and reapply the LAG configuration. [PR/409934]

On EX 4200 switches, when port mirroring is configured on all interfaces, the mirrored packets leaving a tagged interface might contain an incorrect VLAN ID. [PR/431101]


Layer 3 Protocols

On EX 8208 switches, if Layer 3 traffic is routed with static routes and static ARP and is egressing on a routed VLAN interface (RVI), Layer 3 traffic might be dropped after you delete all configurations and roll back the configuration. To recover the traffic, flap the egress physical interface. [PR/417024]

Virtual Chassis

If a member whose MAC address is being used as a system MAC address of the Virtual Chassis goes offline, the mac-persistence-timer parameter determines how long the Virtual Chassis continues to use the member’s MAC address. When the timer expires, the system MAC address of the Virtual Chassis changes and there might be a traffic loss for some period of time until the neighbor switches update the ARP table. As a workaround, you can clear ARP on the neighbor switches so the ARP updates happen immediately. [PR/435084]

Resolved Issues

Access Control and Port Security

When you have a port with membership in a VoIP VLAN and a guest VLAN and configured with 802.1X authentication, traffic in the VoIP VLAN is forwarded even after authentication has failed for the port. [PR/292268: This issue has been resolved.]

On EX-series switches, the LLDP-MED voice solution might not work properly unless the VLAN name is configured as voice. As a workaround, configure the VLAN name as voice for LLDP-MED to propagate the VLAN ID to the phone properly. [PR/421741: This issue has been resolved.]

Dynamic filters are not installed for all 802.1X clients authenticating with the same authentication credentials and are installed only for the first client. [PR/422919: This issue has been resolved.]

Bridging, VLANs, and Spanning Trees

When frames are switched from access to trunk interfaces (that is, when incoming frames are not tagged), the priority bits in the 802.1Q header are set to 1 by default. [PR/273079: This issue has been resolved.]

If you have configured VSTP on an aggregated Ethernet interface with LACP enabled, the initial port cost value is shown as 200000000. Deactivate and reactivate VSTP on the interface to set the port cost to the correct value (10000). [PR/412099: This issue has been resolved.]

When the primary interface in a redundant trunk group (RTG) is disabled and then enabled, the ports in the RTG do not move into appropriate states. [PR/413089: This issue has been resolved.]

When a VLAN is configured in the analyzer stanza with an invalid VLAN tag, the Ethernet switching process (eswd) will terminate abnormally. As a workaround, correct the VLAN index being referenced. [PR/421105: This issue has been resolved.]

When a gratuitous ARP message is sent to the switch, the message is ignored by the routed VLAN interface (RVI) and the switch does not update the ARP table. [PR/426810: This issue has been resolved.]

When the ethernet-switching-options secure-access-port part of the configuration is enabled along with VSTP, under a high traffic rate, the VSTP BPDUs are sent to the Routing Engine with an incorrect code that causes a blocking port to go into the Forwarding state, which results in a spanning-tree loop. [PR/468095: This issue has been resolved.]

Class of Service

On EX 8208 switches, when link protection is enabled on a LAG interface, the scheduler map configured on the LAG interface will not be active after a graceful Routing Engine switchover (GRES) or after the class-of-service process (cosd) is restarted. As a workaround, remove and reapply the scheduler map on the LAG interface. [PR/415476: This issue has been resolved.]

Interchanging routed VLAN interfaces (RVIs) between VLANs does not interchange classifiers. Restart the class-of-service process (cosd) to interchange classifiers and make the classification work properly. [PR/417236: This issue has been resolved.]

On EX 8208 switches, when multiple forwarding classes are mapped to the same queue, the tail-drop counters for some queues might show an incorrect value. [PR/413673: This issue has been resolved.]

Firewall Filters

Policers might be shared across interfaces that are part of the same Packet Forwarding Engine. If the same policer is applied to two interfaces on the same Packet Forwarding Engine, then the policer is shared. If the same policer is applied to two interfaces on different Packet Forwarding Engines, the policer is not shared and functions as two separate policers. [PR/405111: This issue has been resolved.]

Hardware

On EX 8216 switches, a fan failure trap is not generated when the fans go into a failed state. [PR/413426: This issue has been resolved.]

When an EX 8216 switch power cycle completes, the Last reboot reason for the master and backup Routing Engines in the show chassis routing-engine command output might display incorrect values. [PR/415569: This issue has been resolved.]

On EX 8216 switches, online insertion and removal of a Switch Fabric (SF) module is not supported. [PR/422276: This issue has been resolved.]

Occasionally, on a switch with SFP FE-BX transceivers plugged into the uplink module, the I2C bus locks up and the uplink module is unusable after running traffic for a few hours. The system recovers after a reboot. [PR/430237: This issue has been resolved.]


Infrastructure

If you reboot an EX 3200 or EX 4200 switch after you have configured the Power over Ethernet (PoE) guard-band value, the two ports that had been shut down because of their low priority become active again. They should have remained shut down. [PR/285262: This issue has been resolved.]

In the J-Web interface, neither the Add window nor the Edit window in the Link Aggregation Configuration page displays the interfaces for which speed is configured explicitly. [PR/301532: This issue has been resolved.]

On EX 8208 switches, a 48-port RJ-45 line card configured for fixed mode (no-auto-negotiation) does not disable interfaces when the two ends of the connection are configured with different speeds. [PR/307834: This issue has been resolved.]

On EX 8208 switches, while commits of configuration changes under the interfaces stanza or routing-options stanza are in progress, VRRP advertisement does not occur for a short time. This can result in a change of VRRP mastership. [PR/310524: This issue has been resolved.]

On EX 8208 switches, during chassis bootup, the system log might display the following messages:

"RT-HAL,rt_entry_add_msg_check,1116:unknown vlan index 0"

"RT-HAL,rt_msg_handler,407:route check failed"

[PR/313185, PR/313187: This issue has been resolved.]

On EX 8208 switches, occasionally the system log might display the following message when the switch is receiving simultaneous traffic: ex8200-re0 fpc7 Old expected RT_NH is NULL [PR/314377: This issue has been resolved.]

In the Ports Configuration page in the J-Web interface, the default values displayed for Speed, Duplex, and Auto Negotiation for ports with SFP or XFP transceivers are incorrect. [PR/398858: This issue has been resolved.]

On EX 8208 switches, after a graceful Routing Engine switchover (GRES), the first sample ( show snmp rmon history output) shows incorrect statistics for broadcast and multicast packets. Correct statistics are displayed after the first sample. [PR/399317: This issue has been resolved.]

When you have connected a management device to an EX 8208 switch using Telnet, issuing the show lacp statistics interfaces command might cause the CLI to stop responding. [PR/402393: This issue has been resolved.]

On EX 8208 switches, the storm control configuration displays the default level for storm control as 80 percent of the link bandwidth although the actual default value and the maximum value for the storm control level is 50 percent of the link bandwidth. [PR/407540: This issue has been resolved.]

If you configure a port mirroring session in which the output is set to a VLAN with the input not configured, the commit will fail. As a workaround, configure the input and then commit the configuration. [PR/407559: This issue has been resolved.]

In the J-Web interface, when packets are being captured using Troubleshoot > Packet capture, the PHP process consumes more than 90 percent of the CPU cycles. [PR/411070: This issue has been resolved.]

On EX 8208 switches in some topologies with multifeature scaling, multicast traffic to some groups might be dropped after multiple graceful Routing Engine switchovers (GRESs). [PR/412908: This issue has been resolved.]

On EX 8208 switches, transitioning from a remote port mirroring configuration to a local port mirroring configuration or the reverse does not work properly. For example, if a remote port mirroring configuration transitions to a local port mirroring configuration, packets are mirrored as tagged packets. As a workaround, restart the line card. [PR/414122: This issue has been resolved.]

On EX 8208 switches with GRES enabled, sometimes the state of the backup Routing Engine is shown as:

Kernel database: Connection error, Initialize error.

As a workaround, deactivate and reactivate GRES on the switch. [PR/413637: This issue has been resolved.]

If the power supplied to an EX 8208 switch is insufficient, the behavior of the switch becomes nondeterministic and affects the operation of the switch. [PR/414718: This issue has been resolved.]

On EX 8208 switches, the in-band management option is not supported in the EZSetup wizard. Use the out-of-band management option while using the EZSetup wizard for initial configuration. [PR/414960: This issue has been resolved.]

On EX 8208 switches, in a scaled environment with a large number of routes and ARP entries, OSPF adjacency links might not come up while the switch is deleting ARP entries when there is data traffic through the interface. Stopping data traffic on the OSPF interface resolves this condition. [PR/414998: This issue has been resolved.]

On EX 8208 switches, if port mirroring is configured with a link aggregation group (LAG) interface as the input interface, packets are not mirrored correctly after a graceful Routing Engine switchover (GRES). As a workaround, restart the line card. [PR/415213: This issue has been resolved.]

On EX-series switches, the storm control command options no-broadcast and no-unknown-unicast do not have any effect. [PR/415542: This issue has been resolved.]

On EX 8208 switches, the LCD displays FAN FAIL even though the fans are operational and running at normal speed. [PR/415756: This issue has been resolved.]

Learned MAC address entries are not flushed when the interface mode changes for RTG interfaces. Clearing the Ethernet switching table resolves this problem. [PR/416103: This issue has been resolved.]

On EX 8208 switches, after a graceful Routing Engine switchover (GRES), unicast routed traffic might egress as untagged packets or as packets with incorrect tag values. As a workaround, restart the egress line card. [PR/416358: This issue has been resolved.]

When the MSTP topology changes in an extended VLAN topology, sometimes sessions such as those for VRRP, BFD, and upper protocols dependent upon BFD (such as PIM or OSPF) bounce briefly. [PR/416400: This issue has been resolved.]

On EX 8208 switches, when you commit some firewall filter configurations, the following error might be displayed: internal error: database reference has invalid type - not a container [PR/416685: This issue has been resolved.]

Traffic might not be forwarded correctly in a Q-in-Q VLAN if a customer VLAN is added and deleted. [PR/416817: This issue has been resolved.]

In the J-Web interface, you cannot edit the Layer 2 Uplink port role without changing the group name of the redundant trunk group (RTG) on the Ports Configuration page. [PR/417174: This issue has been resolved.]

An EX 4200 or EX 3200 switch with JUNOS Release 9.3R3 or earlier might experience an optical interface or Virtual Chassis interface transition resulting in a few milliseconds of traffic loss. [PR/418128: This issue has been resolved.]

On EX 3200 and EX 4200 switches, if you configure more than one analyzer (port mirroring) session, an incorrect commit check error is displayed. As a workaround, configure only one analyzer session. [PR/428689: This issue has been resolved.]

In the J-Web interface, when you use the port profiles in the Ports configuration window to configure RSTP while STP or MSTP is configured on the switch and is in a disabled state, an error message might be displayed and the port profile configuration might be prevented from being committed. As a workaround, delete the disabled STP or MSTP configuration from the switch. [PR/429615: This issue has been resolved.]

In the J-Web interface, when you are editing interfaces through either the Add VLAN or Edit VLAN window in the IGMP Snooping Configuration page, the Edit interfaces section might not display interface details that have not yet been committed. [PR/432664: This issue has been resolved.]

In the J-Web interface, the Redundant Trunk Group Add or Edit window might list all the trunk interfaces configured on the switch without verifying the interface information. If a Virtual Chassis member ID is changed or a line card is moved to a different slot, the previous interface details might also be listed. [PR/433427: This issue has been resolved.]

In the J-Web interface, the Edit MSTI window in the Spanning Tree Configuration page might not display details of an uncommitted interface configuration. [PR/433506: This issue has been resolved.]

If all interfaces are configured as analyzer (port mirroring configuration) input in the ingress or egress direction, the analyzer output interface might not be removed from the input list of interfaces, resulting in a mirroring loop. As a workaround, delete that particular analyzer configuration, commit the change, and reconfigure the analyzer. [PR/436304: This issue has been resolved.]


Interfaces

On EX 8200 series switches, when multiple analyzer (port mirroring configuration) sessions refer to a VLAN in the analyzer output stanza, the VLAN is created in the same commit cycle, and only the first analyzer will be functional in the system. As a workaround, you can restart the Ethernet switching process (eswd) after the commit. [PR/437098: This issue has been resolved.]

In the J-Web interface, if a VLAN has been configured in the interfaces stanza, an incorrect validation message might be displayed when you are specifying an interface for an MST instance. [PR/437448: This issue has been resolved.]

In rare occurrences the hardware device routing table goes out of sync with the software routing table, thereby resulting in packet drops. The device routing table is responsible for correct packet transfer between interfaces across Virtual Chassis members. [PR/439486: This issue has been resolved.]

On EX 8208 switches with 48-port RJ-45 line cards, interface links might go down and come back up while you are adding the interfaces to an aggregated Ethernet interface. [PR/395936: This issue has been resolved.]

On EX 8208 switches, sometimes the autonegotiation status on interfaces is shown as None, even though flow control is negotiated correctly, enabled, and functioning. [PR/302662: This issue has been resolved.]

On EX 8208 switches, if an analyzer (a port mirroring configuration) is configured to mirror traffic on both ingress and egress interfaces, traffic loss is observed on the mirrored port. [PR/398182: This issue has been resolved.]

On EX 8208 switches, when a Layer 3 subinterface and an RVI are next hops for a multicast group, modifying the subinterface configuration causes flooding in the VLAN until the IGMP snooping table is populated. [PR/403597: This issue has been resolved.]

On EX 8208 switches, if autonegotiation is enabled on an interface, the interface might go down and come up again after a GRES. As a workaround, configure the speed as 1 gigabit and the duplex mode as full duplex. [PR/410816: This issue has been resolved.]

On EX 8208 switches, multifield classifier (MFC)-based rewrites might not work. [PR/412106: This issue has been resolved.]

On EX 3200 and EX 4200 switches, ping traffic does not always go through on an aggregated Ethernet interface. [PR/422148: This issue has been resolved.]

On EX 8208 switches, if a Layer 3 LAG interface is configured with VLAN tagging, disabling one subinterface disables the aggregated Ethernet interface. As a workaround, do the following:

1. Deactivate and activate the configuration.

2. Delete and add the LAG interface again.

3. Restart the respective line card.

[PR/413110: This issue has been resolved.]


Layer 3 Protocols

On EX 8208 switches, if you issue the clear pim join command multiple times in a short time, multicast traffic fails to recover. As a workaround, restart the line card. [PR/405899: This issue has been resolved.]

On EX 8208 switches, after a graceful Routing Engine switchover (GRES), under certain circumstances, Layer 3 unicast traffic might egress with the wrong MAC address. As a workaround, issue the clear arp command to refresh the Address Resolution Protocol (ARP) entries. [PR/418325: This issue has been resolved.]

Virtual Chassis

When the dates on the members of a Virtual Chassis are not synchronized, a member switch or backup forwarding process (pfem) might not be able to connect to the master. [PR/278784: This issue has been resolved.]

Upgrading or Downgrading from JUNOS Release 9.4R1 for EX-series Switches

The ARP aging time configuration in the system configuration stanza in JUNOS Release 9.4R1 is incompatible with the ARP aging time configuration in JUNOS Release 9.3R1 or earlier and JUNOS Release 9.4R2 or later. If you have configured system arp aging-timer aging-time on EX-series switches running JUNOS Release 9.4R1 and upgrade to JUNOS Release 9.4R2 or later or downgrade to JUNOS Release 9.3R1 or earlier, the switch will display configuration errors on booting up after the upgrade or downgrade. As a workaround, delete the arp aging-timer aging-time configuration in the system configuration stanza and reapply the configuration after you complete the upgrade or downgrade.

Upgrading from JUNOS Release 9.3R1 to Release 9.5 for EX-series Switches

If you are upgrading from JUNOS Release 9.3R1 and have voice over IP (VoIP) enabled on a private VLAN (PVLAN), you must remove this configuration before upgrading, to prevent upgrade problems. VoIP on PVLAN interfaces is not supported in releases later than JUNOS Release 9.3R1.

Upgrading from JUNOS Release 9.2 to Release 9.5 for EX-series Switches

For JUNOS Release 9.3 and later for EX-series switches, during the upgrade process, the switch performs reference checks on VLANs and interfaces in the 802.1X configuration stanza. If there are references in the 802.1X stanza to names or tags of VLANs that are not currently configured on the switch or to interfaces that are not configured or do not belong to the ethernet-switching family, the upgrade will fail. In addition, static MAC addresses on single-supplicant mode interfaces are not supported.


CAUTION: If your Release 9.2 configuration includes any of the following conditions, revise the configuration before upgrading to Release 9.5. If you do not take these actions, the upgrade will fail:

Ensure that all VLAN names and tags in the 802.1X configuration stanza are configured on the switch and that all interfaces are configured on the switch and assigned to the ethernet-switching family. If the VLAN or the interface is not configured and you try to commit the configuration, the commit will fail.

Remove static MAC addresses on single-supplicant mode interfaces. If they exist and you try to commit the configuration, the commit will fail.

In an 802.1X configuration stanza, if authentication-profile-name does not exist and you try to commit the configuration, the commit will fail.

In an 802.1X configuration stanza, broadcast and multicast MAC addresses are not allowed in a static MAC configuration. If they exist and you try to commit the configuration, the commit will fail.

Support for static MAC address bypass in single or single-secure mode has been removed. If static MAC bypass in those modes exists and you try to commit the configuration, the commit will fail.

In an 802.1X configuration stanza, the switch will not accept the option vrange as an assigned VLAN name. If it exists and you try to commit the configuration, the commit will fail.

Enabling 802.1X and the port mirroring feature on the same interface is not supported. If you enable 802.1X and port mirroring on the same interface and then attempt to commit the configuration, the commit will fail.

In an 802.1X configuration stanza, if the VLAN name or tag specified under dot1x authenticator static does not exist and you try to commit the configuration, the commit will fail.

In the interfaces configuration stanza, if no-auto-negotiation is configured but speed and link duplex settings are not configured under ether-options and you try to commit the configuration, the commit will fail. If no-auto-negotiation is configured under ether-options, you must configure speed and link duplex settings.

In the ethernet-switching-options configuration, if no action is configured for the number of MAC addresses allowed on an interface (under secure-access-port interface interface-name mac-limit in the CLI, or on the Port Security Configuration page in the J-Web interface), configure an action for the MAC address limit before upgrading from Release 9.2 to Release 9.5. If it is not configured and you try to commit the configuration, the commit will fail.

If you have configured a tagged interface on logical interface 0 (unit 0), move the tagged interface to a logical interface other than unit 0 before upgrading from Release 9.2 to Release 9.5. If you have not done this and you try to commit the configuration, the commit will fail. Beginning with JUNOS software Release 9.3 for EX-series switches, untagged packets, BPDUs (such as those used by LACP and STP), and priority-tagged packets are processed on logical interface 0 and not on logical interface 32767. In addition, if you have not configured any untagged interfaces, the switch creates a default logical interface 0.

On EX 4200 switches, if you have installed advanced licenses for features such as BGP, rename the /config/license directory to /config/.license_priv before upgrading from Release 9.2 to Release 9.3 or later. If the switch does not have a /config/license directory, create the /config/.license_priv directory manually before you upgrade. If you neither rename the /config/license directory nor create the /config/.license_priv directory manually, the installed licenses will be deleted after you upgrade from Release 9.2 to Release 9.3 or later.
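Checking a Release 9.2 configuration for several of these conditions before the upgrade, as an added example that is not part of the release notes or of Juniper's software: a Python lint over the output of show configuration | display set. It flags the no-auto-negotiation, mac-limit action, authentication-profile-name, 802.1X static MAC and VLAN, and 802.1X-plus-port-mirroring conditions listed above. The statement paths it matches (ether-options speed and link-mode, secure-access-port mac-limit action, analyzer input, dot1x authenticator static with vlan-assignment) are assumptions about the EX 9.x CLI written from memory, and the sample configuration is constructed for the example. The vrange name, single-supplicant static MAC, static MAC bypass, and unit 0 tagged-interface conditions are not covered, so a clean report is not a substitute for working through the list.

```python
"""Pre-upgrade lint for an EX-series JUNOS 9.2 configuration in display-set form.

Added example for these release notes, not Juniper code. Feed it the output of
`show configuration | display set`; it reports conditions that the notes say
make the commit fail after the upgrade to Release 9.5. The statement paths are
the EX 9.x CLI as the author recalls it (an assumption): compare them with your
own display-set output before trusting a clean result.
"""
import re
from collections import defaultdict

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.IGNORECASE)

# Constructed sample resembling `show configuration | display set` on an EX 4200.
# It deliberately contains one instance of each checked condition.
SAMPLE_CONFIG = """
set vlans v10 vlan-id 10
set interfaces ge-0/0/0 ether-options no-auto-negotiation
set interfaces ge-0/0/0 unit 0 family ethernet-switching
set interfaces ge-0/0/1 ether-options no-auto-negotiation
set interfaces ge-0/0/1 ether-options speed 1g
set interfaces ge-0/0/1 ether-options link-mode full-duplex
set interfaces ge-0/0/1 unit 0 family ethernet-switching
set interfaces ge-0/0/2 unit 0 family ethernet-switching
set ethernet-switching-options secure-access-port interface ge-0/0/0.0 mac-limit 5
set ethernet-switching-options secure-access-port interface ge-0/0/1.0 mac-limit 5 action drop
set ethernet-switching-options analyzer mon1 input ingress interface ge-0/0/2.0
set access profile dot1x-profile authentication-order radius
set protocols dot1x authenticator authentication-profile-name missing-profile
set protocols dot1x authenticator interface ge-0/0/2.0 supplicant single
set protocols dot1x authenticator static 01:00:5e:00:00:01 vlan-assignment 10
set protocols dot1x authenticator static 00:11:22:33:44:55 vlan-assignment guests
"""


def parse_set_lines(text):
    """Return each `set ...` statement as a token list (without the leading `set`)."""
    return [ln.split()[1:] for ln in text.splitlines() if ln.startswith("set ")]


def is_group_mac(mac):
    """True for broadcast or multicast MACs: the I/G bit (LSB of octet 0) is set."""
    if not MAC_RE.match(mac):
        return False
    return int(mac.split(":")[0], 16) & 1 == 1


def lint_config(text):
    """Return human-readable findings for the sample conditions; [] means none found."""
    rows = parse_set_lines(text)
    findings = []

    # 1. no-auto-negotiation requires an explicit speed and link-mode (duplex).
    ether = defaultdict(set)
    for t in rows:
        if len(t) >= 4 and t[0] == "interfaces" and t[2] == "ether-options":
            ether[t[1]].add(t[3])
    for ifname, opts in sorted(ether.items()):
        if "no-auto-negotiation" in opts and not {"speed", "link-mode"} <= opts:
            findings.append(f"{ifname}: no-auto-negotiation without speed and link-mode")

    # 2. A MAC limit on a secure access port needs an action.
    for t in rows:
        if (t[:3] == ["ethernet-switching-options", "secure-access-port", "interface"]
                and "mac-limit" in t and "action" not in t):
            findings.append(f"{t[3]}: mac-limit without action")

    # 3. The referenced authentication profile must exist under [edit access].
    profiles = {t[2] for t in rows if t[:2] == ["access", "profile"] and len(t) > 2}
    for t in rows:
        if (t[:4] == ["protocols", "dot1x", "authenticator", "authentication-profile-name"]
                and len(t) == 5 and t[4] not in profiles):
            findings.append(f"dot1x authentication-profile-name {t[4]} is not defined under access profile")

    # 4. Static 802.1X MACs must be unicast and their assigned VLAN (name or tag) must exist.
    vlan_names = {t[1] for t in rows if t[:1] == ["vlans"] and len(t) > 1}
    vlan_tags = {t[3] for t in rows if t[:1] == ["vlans"] and len(t) >= 4 and t[2] == "vlan-id"}
    for t in rows:
        if t[:4] == ["protocols", "dot1x", "authenticator", "static"] and len(t) >= 5:
            mac = t[4]
            if is_group_mac(mac):
                findings.append(f"dot1x static {mac}: broadcast/multicast MAC not allowed")
            if "vlan-assignment" in t[:-1]:
                vlan = t[t.index("vlan-assignment") + 1]
                if vlan not in vlan_names and vlan not in vlan_tags:
                    findings.append(f"dot1x static {mac}: VLAN {vlan} is not configured")

    # 5. 802.1X and port mirroring (an analyzer input) on the same interface.
    mirrored = {t[-1] for t in rows
                if t[:2] == ["ethernet-switching-options", "analyzer"]
                and "input" in t and t[-2] == "interface"}
    dot1x_ifs = {t[4] for t in rows
                 if t[:4] == ["protocols", "dot1x", "authenticator", "interface"] and len(t) > 4}
    for ifname in sorted(dot1x_ifs & mirrored):
        findings.append(f"{ifname}: 802.1X and port mirroring on the same interface")
    return findings


if __name__ == "__main__":
    import sys
    source = SAMPLE_CONFIG if sys.stdin.isatty() else sys.stdin.read()
    for line in lint_config(source) or ["no pre-upgrade findings"]:
        print(line)
```

Save the switch configuration with show configuration | display set | save, copy the file off the switch, and pipe it into the script; with nothing on standard input it lints the embedded sample and prints six findings. Broadcast and multicast addresses are recognised by the I/G bit in the first octet, which catches ff:ff:ff:ff:ff:ff as well as 01:00:5e:xx:xx:xx, so the check does not depend on a list of reserved addresses.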

Downgrading from JUNOS Release 9.5 to Release 9.2 for EX 4200 Switches

When you downgrade a Virtual Chassis configuration from JUNOS Release 9.5 to JUNOS Release 9.2 for EX-series switches, member switches might not retain the mastership priorities that had been configured previously. To restore the previously configured mastership priorities, commit the configuration by issuing the commit command.

Related Topics

New Features in JUNOS Software for EX-series Switches, Release 9.5 on page 162

Changes in Default Behavior and Syntax on page 166

Errata in Documentation for JUNOS Software Release 9.5 for EX-series Switches on page 178

Errata in Documentation for JUNOS Software Release 9.5 for EX-series Switches

Hardware

In JUNOS Release 9.5 for EX-series switches, statistical mirroring is supported only in the ingress direction on EX 8208 switches.

Infrastructure

The Alarm LED (labeled ALM) on EX-series switches indicates a minor alarm (yellow or amber) when you power on a switch for the first time, because no rescue configuration is saved on the switch.

The J-Web Online Help for configuring the MAC limit and MAC move limit features in port security does not reflect recent changes to the default configuration values. See the EX-series documentation topics for the most up-to-date information.


Virtual Chassis

To form a Virtual Chassis configuration using network ports as Virtual Chassis ports (VCPs), directly connect the network ports to each other and configure them as VCPs.

Related Topics

New Features in JUNOS Software for EX-series Switches, Release 9.5 on page 162

Outstanding and Resolved Issues and Upgrade/Downgrade Issues in JUNOS Release 9.5 for EX-series Switches on page 167

Changes in Default Behavior and Syntax on page 166


JUNOS Documentation and Release Notes

For a list of related JUNOS documentation, see http://www.juniper.net/techpubs/software/junos/ .

If the information in the latest release notes differs from the information in the documentation, follow the JUNOS Release Notes.

To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/ .

Juniper Networks supports a technical book program to publish books by Juniper Networks engineers and subject matter experts with book publishers around the world. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration using JUNOS Software and Juniper Networks devices. In addition, the Juniper Networks Technical Library, published in conjunction with O'Reilly Media, explores improving network security, reliability, and availability using JUNOS configuration techniques. All the books are for sale at technical bookstores and book outlets around the world. The current list can be viewed at http://www.juniper.net/books .

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can send your comments to [email protected] , or fill out the documentation feedback form at https://www.juniper.net/cgi-bin/docbugreport/ . If you are using e-mail, be sure to include the following information with your comments:

Document name

Document part number

Page number

Software release version

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need postsales technical support, you can access our tools and resources online or open a case with JTAC.

JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/customers/support/downloads/710059.pdf .

Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/ .


JTAC Hours of Operation —The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

Find CSC offerings: http://www.juniper.net/customers/support/

Search for known bugs: http://www2.juniper.net/kb/

Find product documentation: http://www.juniper.net/techpubs/

Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/

Search technical bulletins for relevant hardware and software notifications: https://www.juniper.net/alerts/

Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/

Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool located at https://tools.juniper.net/SerialNumberEntitlementSearch/ .

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

Use the Case Management tool in the CSC at http://www.juniper.net/cm/ .

Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, visit us at http://www.juniper.net/support/requesting-support.html .

If you are reporting a hardware or software problem, issue the following command from the CLI before contacting support:

user@host> request support information | save filename

To provide a core file to Juniper Networks for analysis, compress the file with the gzip utility, rename the file to include your company name, and copy it to ftp.juniper.net:pub/incoming . Then send the filename, along with software version information (the output of the show version command) and the configuration, to [email protected] . For documentation issues, fill out the bug report form located at https://www.juniper.net/cgi-bin/docbugreport/ .


Revision History

19 February 2010—Revision 4, JUNOS Release 9.5R4

30 October 2009—Revision 3, JUNOS Release 9.5R3

07 July 2009—Revision 2, JUNOS Release 9.5R2

26 May 2009—Revision 1, rev. 2, JUNOS Release 9.5R1

13 April 2009—Revision 1, JUNOS Release 9.5R1

Copyright © 2010, Juniper Networks, Inc. All rights reserved.

Juniper Networks, the Juniper Networks logo, JUNOS, NetScreen, ScreenOS, and Steel-Belted Radius are registered trademarks of Juniper Networks, Inc. in the United States and other countries. JUNOSe is a trademark of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

