Release Notes

Juniper Networks JUNOS 10.1 Software
Release Notes
Release 10.1R4
17 November 2010
Revision 5
These release notes accompany Release 10.1R4 of the JUNOS Software. They describe
device documentation and known problems with the software. JUNOS Software runs
on all Juniper Networks M Series, MX Series, and T Series routing platforms, SRX
Series Services Gateways, J Series Services Routers, and EX Series Ethernet Switches.
You can also find these release notes on the Juniper Networks JUNOS Software
Documentation Web page, which is located at
http://www.juniper.net/techpubs/software/junos.
Contents
JUNOS Software Release Notes for Juniper Networks M Series Multiservice Edge Routers, MX Series Ethernet Service Routers, and T Series Core Routers
  New Features in JUNOS Release 10.1 for M Series, MX Series, and T Series Routers
    Class of Service
    High Availability
    Interfaces and Chassis
    JUNOS XML API and Scripting
    MPLS Applications
    Multiplay
    Routing Policy and Firewall Filters
    Routing Protocols
    Services Applications
    Subscriber Access Management
    System Logging
    User Interface and Configuration
  Changes in Default Behavior and Syntax in JUNOS Release 10.1 for M Series, MX Series, and T Series Routers
    Class of Service
    Forwarding and Sampling
    Interfaces and Chassis
    Layer 2 Ethernet Services
    MPLS Applications
    Multiplay
    Platform and Infrastructure
    Routing Policy and Firewall Filters
    Routing Protocols
    Services Applications
    Subscriber Access Management
    User Interface and Configuration
    VPNs
  Issues in JUNOS Release 10.1 for M Series, MX Series, and T Series Routers
    Current Software Release
    Previous Releases
  Errata and Changes in Documentation for JUNOS Software Release 10.1 for M Series, MX Series, and T Series Routers
    Changes to the JUNOS Documentation Set
    Errata
  Upgrade and Downgrade Instructions for JUNOS Release 10.1 for M Series, MX Series, and T Series Routers
    Basic Procedure for Upgrading to Release 10.1
    Upgrading a Router with Redundant Routing Engines
    Upgrading Juniper Routers Running Draft-Rosen Multicast VPN to JUNOS Release 10.1
    Upgrading the Software for a Routing Matrix
    Upgrading Using ISSU
    Upgrading from JUNOS Release 9.2 or Earlier on a Router Enabled for Both PIM and NSR
    Downgrade from Release 10.1
JUNOS Software Release Notes for Juniper Networks SRX Series Services Gateways and J Series Services Routers
  New Features in JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers
    Software Features
    Hardware Features
  Changes In Default Behavior and Syntax in JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers
    Application Layer Gateways (ALGs)
    Chassis Cluster
    Command-Line Interface (CLI)
    Configuration
    Flow and Processing
    Interfaces and Routing
    Intrusion Detection and Prevention (IDP)
    J-Web
    Management and Administration
    Security
    WLAN
  Known Limitations in JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers
    [accounting-options] Hierarchy
    AX411 Access Point
    Chassis Cluster
    Command-Line Interface (CLI)
    Dynamic VPN
    Flow and Processing
    Hardware
    Interfaces and Routing
    Intrusion Detection and Prevention (IDP)
    J-Web
    NetScreen-Remote
    Network Address Translation (NAT)
    Performance
    SNMP
    System
    Unified Threat Management (UTM)
    VLAN
    VPNs
    WLAN
  Issues in JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers
    Outstanding Issues In JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers
    Resolved Issues in JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers
  Errata and Changes in Documentation for JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers
    Application Layer Gateways (ALGs)
    Attack Detection and Prevention
    CLI Reference
    Command-Line Interface (CLI)
    CompactFlash Card Support
    Flow and Processing
    Hardware Documentation
    Installing Software Packages
    Integrated Convergence Services
    Interfaces and Routing
    Intrusion Detection and Prevention (IDP)
    J-Web
    Screens
  Hardware Requirements for JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers
    Transceiver Compatibility for SRX Series and J Series Devices
    Power and Heat Dissipation Requirements for J Series PIMs
    Supported Third-Party Hardware
    J Series CompactFlash and Memory Requirements
  Dual-Root Partitioning Scheme Documentation for SRX Series Services Gateways
    Dual-Root Partitioning Scheme
  Maximizing ALG Sessions
  Using Dual Chassis Cluster Control Links: Upgrade Instructions for the Second Routing Engine
  Upgrade and Downgrade Instructions for JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers
JUNOS Software Release Notes for EX Series Switches
  New Features in JUNOS Release 10.1 for EX Series Switches
    Hardware
    Access Control and Port Security
    Bridging, VLANs, and Spanning Trees
    Class of Service (CoS)
    Infrastructure
    Interfaces
    Layer 2 and Layer 3 Protocols
    Management and RMON
    MPLS
    Packet Filters
  Changes in Default Behavior and Syntax in JUNOS Release 10.1 for EX Series Switches
    Layer 2 and Layer 3 Protocols
    Infrastructure
    User Interface and Configuration
  Limitations in JUNOS Release 10.1 for EX Series Switches
    Access Control and Security
    Class of Service
    Firewall Filters
    Infrastructure
    Interfaces
  Outstanding Issues in JUNOS Release 10.1 for EX Series Switches
    Access Control and Port Security
    Bridging, VLANs, and Spanning Trees
    Class of Service
    Infrastructure
    J-Web Interface
  Resolved Issues in JUNOS Release 10.1 for EX Series Switches
    Access Control and Port Security
    Bridging, VLANs, and Spanning Trees
    Class of Service
    Firewall Filters
    Hardware
    Infrastructure
    J-Web Interface
  Errata in Documentation for JUNOS Release 10.1 for EX Series Switches
  Upgrade and Downgrade Issues for JUNOS Release 10.1 for EX Series Switches
    Upgrading or Downgrading from JUNOS Release 9.4R1 for EX Series Switches
    Upgrading from JUNOS Release 9.3R1 to Release 10.1 for EX Series Switches
    Upgrading from JUNOS Release 9.2 to Release 10.1 for EX Series Switches
    Downgrading from JUNOS Release 10.1 to Release 9.2 for EX4200 Switches
JUNOS Documentation and Release Notes
Documentation Feedback
Requesting Technical Support
Revision History
JUNOS Software Release Notes for Juniper Networks M Series Multiservice Edge
Routers, MX Series Ethernet Service Routers, and T Series Core Routers
■ New Features in JUNOS Release 10.1 for M Series, MX Series, and T Series Routers
■ Changes in Default Behavior and Syntax in JUNOS Release 10.1 for M Series, MX Series, and T Series Routers
■ Issues in JUNOS Release 10.1 for M Series, MX Series, and T Series Routers
■ Errata and Changes in Documentation for JUNOS Software Release 10.1 for M Series, MX Series, and T Series Routers
■ Upgrade and Downgrade Instructions for JUNOS Release 10.1 for M Series, MX Series, and T Series Routers
New Features in JUNOS Release 10.1 for M Series, MX Series, and T Series Routers
The following features have been added to JUNOS Release 10.1. Following the
description is the title of the manual or manuals to consult for further information.
Class of Service
■ Intelligent oversubscription service support (MX Series routers with Trio MPC/MIC interfaces)—Arriving packets are assigned to one of two traffic classes (control and best-effort) based on their header types and destination MAC address. This allows for lower priority packets to be dropped more intelligently when oversubscription occurs. Only packets mapped to queue 3 are marked as control packets. Protocols such as telnet, FTP, and SSH that are mapped to queue 0 are classified as best-effort. No configuration is necessary, but the queue assignments can be altered with a multifield classifier.
  [Class of Service]
■ CoS aspects of the MPC/MIC (MX Series routers with Trio MPC/MIC interfaces)—Cover all aspects of CoS configuration for this hardware combination. Support includes shaping rates at the queue level, configurable bandwidth profiles with percentages, dynamic bandwidth allocation among different services, scheduler node scaling, and delay buffer allocation. To configure, include the relevant statements at the [edit class-of-service] hierarchy level and apply them if necessary at other hierarchy levels such as the [edit interfaces] hierarchy level.
  [Class of Service, Network Interfaces]
■ Per-priority shaping (MX Series platforms with Trio MPC/MIC interfaces)—Enables you to configure a separate shaping rate for each of the five priority levels so that higher priority services such as voice and video do not starve lower priority services such as data. To configure, include the shaping-rate-(excess | priority)-level rate [ burst-size burst ] statement at the [edit class-of-service traffic-control-profiles tcp-name] hierarchy level and apply the traffic control profile at the [edit interfaces] hierarchy level.
  [Class of Service]
■ Distribute excess bandwidth among different services for a subscriber (MX Series routers with Trio MPC/MIC interfaces)—Service providers often use tiered services that must carry excess bandwidth as traffic patterns vary. By default, excess bandwidth between a configured guaranteed rate and shaping rate is shared equally among all queues, which might not be optimal for all subscribers to a service. You can control the distribution of this excess bandwidth with the excess-rate statement. To configure the excess rate for a traffic control profile, include the excess-rate statement at the [edit class-of-service traffic-control-profiles tcp-name] hierarchy level and apply the traffic control profile at the [edit interfaces] hierarchy level. To configure the excess rate for a queue, include the excess-rate and excess-priority statements at the [edit class-of-service scheduler scheduler-name] hierarchy level.
  [Class of Service]
■ Scheduler node scaling (MX Series routers with Trio MPC/MIC interfaces)—The hardware supports multiple levels of scheduler nodes. In per-unit-scheduling mode, each logical interface (unit) can have four or eight queues and has a dedicated level 3 scheduler node. The logical interfaces share a common level 2 node (one per port). In hierarchical-scheduling mode, a set of logical interfaces, each with four or eight queues, has a level 2 CoS profile and one of its logical interface children has a level 3 CoS profile. To better control system resources in hierarchical-scheduling mode, you can limit the number of hierarchical levels in the scheduling hierarchy to two. In this case, all logical interfaces and interface sets with CoS profiles share a single (dummy) level 2 node, thereby increasing the maximum number of logical interfaces with CoS profiles (the interface sets must be at level 3). To configure scheduler node scaling, include the maximum-hierarchy-levels statement at the [edit interfaces xe-fpc/pic/port hierarchical-scheduler] hierarchy level. The only supported value is 2.
  [Class of Service, Network Interfaces]
■ Forwarding-class aliases (M320 and T Series routers)—Enable you to configure up to 16 forwarding classes and 8 queues, with multiple forwarding classes assigned to single queues. To configure, include the class and queue-num statements at the [edit class-of-service forwarding-classes] hierarchy level.
  [Class of Service]
■ VLAN shaping on aggregate devices (MX Series routers with Trio MPC/MIC interfaces)—VLAN shaping (per-unit scheduling) is supported on aggregated Ethernet interfaces when link protection is enabled on the aggregated Ethernet interface. When VLAN shaping is configured on aggregate Ethernet interfaces with link protection enabled, the shaping is applied to the active child link. To configure link protection on aggregated Ethernet interfaces, include the link-protection statement at the [edit interfaces aex aggregated-ether-options] hierarchy level. Traffic passes only through the designated primary link. This includes transit traffic and locally generated traffic on the router. When the primary link fails, traffic is routed through the backup link. You also can reverse traffic, from the designated backup link to the designated primary link. To revert back to sending traffic to the primary designated link when traffic is passing through the designated backup link, use the revert command; for example, request interfaces revert ae0. To configure a primary and a backup link, include the primary and backup statements at the [edit interfaces ge-fpc/pic/port gigether-options 802.3ad aex] hierarchy level or the [edit interfaces xe-fpc/pic/port fastether-options 802.3ad aex] hierarchy level. To disable link protection, delete the link-protection statement at the [edit interfaces aex aggregated-ether-options link-protection] hierarchy level. To display the active, primary, and backup link for an aggregated Ethernet interface, use the operational mode command show interfaces redundancy aex.
  [Class of Service, Network Interfaces]
■ Re-marking of MVPN GRE encapsulation DSCP at ASBR (MX Series routers with Trio MPC/MIC interfaces)—Enables you to configure DSCP marking for GRE encapsulated packets that aligns with the service provider core CoS policy for an MVPN. To configure, include the DSCP rewrite-rule dscp dscp-rule-name with the values at the [edit class-of-service] hierarchy level and then apply the rewrite rule to the core-facing multicast interface at the [edit class-of-service interfaces] hierarchy level.
  [Class of Service]
■ PD-5-10XGE-SFPP, 10-port 10-Gigabit Ethernet (Type 4) PIC (T640, T1600, and TX Matrix routers with G-FPC4, ST-FPC4, and ST-FPC4.1)—Supports a WAN bandwidth of 100 Gbps in addition to the following features:
  ■ Intelligent handling of oversubscribed traffic
  ■ Line rate operation on up to five 10-Gigabit Ethernet ports
  ■ Tap features, such as flexible encapsulation, source address (SA) MAC learning, MAC accounting, and MAC policing
  ■ Stacked virtual LAN (VLAN) tag and VLAN rewrite functionalities
  [Network Interfaces, Class of Service, PIC Guide]
■ Intelligent oversubscription services (MX Series with 16-port 10-Gigabit Ethernet MPC with SFP+)—The 16-port 10-Gigabit Ethernet Modular Port Concentrator (MPC) is an oversubscribed configuration. Consequently, it is necessary to protect control traffic over best-effort traffic as soon as packets enter the line card. To do this, packets entering the line card are assigned a preclassifier control traffic class according to the header types (such as destination MAC addresses, and Layer 4 ports) in the packet. The preclassifier provides a good way to classify and queue important control traffic in a different high-priority queue from that used for best-effort traffic.
  The preclassifier (control or best effort) is assigned prior to packets being accepted into the initial stream and is used by the line card as an early designation (before any class-of-service configuration is applied). When oversubscription occurs, control traffic will be queued separately and should not be subject to any dropped packets.
  The Layer 2 protocols supporting the preclassifier are:
  ■ 802.1ah
  ■ 802.1g
  ■ 802.1x
  ■ 802.3ad
  ■ ARP
  ■ GMRP
  ■ GVRP
  ■ LACP
  ■ PVST
  ■ xSTP
  The Layer 3 protocols supporting the preclassifier are:
  ■ IGMP
  ■ IPv4/IPv6 ICMP
  ■ IPv4/IPv6 ISIS
  ■ IPv4/IPv6 OSPF
  ■ IPv4/IPv6 PIM
  ■ IPv4 Router Alert
  ■ IPv4/IPv6 RSVP
  ■ IPv4/IPv6 VRRP
  The Layer 4 protocols supporting the preclassifier are:
  ■ IPv4/IPv6 BGP
  ■ IPv4/IPv6 LDP
  ■ IPv4 UDP/L2TP
  ■ RIP (UDP port checks)
  The preclassifier is also supported on label-switching encapsulation PPP.
  [Class of Service]
■ Feature support on 16-port 10-Gigabit Ethernet MPC with SFP+ (MX Series routers)—The following features are supported on the 16-port 10-Gigabit Ethernet MPC with SFP+:
  ■ Accepts traffic destined for GRE tunnels or DVMRP (IP-in-IP) tunnels (JUNOS Release 10.0R2)
  ■ Bidirectional Forwarding Detection (BFD) protocol (JUNOS Release 10.0R2)
  ■ Border Gateway Protocol (BGP) (JUNOS Release 10.0R2)
  ■ BGP/Multiprotocol Label Switching (MPLS) virtual private networks (VPNs) (JUNOS Release 10.0R2)
  ■ Distance Vector Multicast Routing Protocol (DVMRP) and generic routing encapsulation (GRE) support, access side and server side (JUNOS Release 10.0R2)
  ■ Firewall filters (JUNOS Release 10.0R2)
  ■ Flexible Ethernet encapsulation (JUNOS Release 10.0R2)
  ■ Graceful Routing Engine switchover (GRES) (JUNOS Release 10.0R2)
  ■ Ingress differentiated (JUNOS Release 10.0R2)
  ■ Differentiated Services code point rewrite (DSCP) (JUNOS Release 10.0R2)
  ■ Intelligent oversubscription (JUNOS Release 10.0R2)
  ■ Integrated routing and bridging (IRB) (JUNOS Release 10.1R1)
  ■ Intermediate System-to-Intermediate System (IS-IS) (JUNOS Release 10.0R2)
  ■ Internet Group Management Protocol (IGMP) (excludes snooping) (JUNOS Release 10.0R2)
  ■ IPv4 (JUNOS Release 10.0R2)
  ■ IP multicast (JUNOS Release 10.0R2)
  ■ Label Distribution Protocol (LDP) (JUNOS Release 10.0R2)
  ■ Labeled-switched path (LSP) accounting, policers, and filtering (JUNOS Release 10.0R2)
  ■ LAN-PHY mode (JUNOS Release 10.0R2)
  ■ Layer 2 frame filtering (JUNOS Release 10.0R2)
  ■ IEEE 802.3ad link aggregation (JUNOS Release 10.0R2)
  ■ Link Aggregation Control Protocol (LACP) (JUNOS Release 10.0R2)
  ■ Local loopback (JUNOS Release 10.0R2)
  ■ MAC learning, policing (JUNOS Release 10.0R2)
  ■ Multiple tag protocol identifiers (TPIDs), accounting, and filtering (JUNOS Release 10.0R2)
  ■ Multiprotocol Label Switching (MPLS) (JUNOS Release 10.0R2)
  ■ Nonstop active routing (NSR) (JUNOS Release 10.0R2)
  ■ Multitopology routing (MTR) (JUNOS Release 10.0R2)
  ■ Open Shortest Path First (OSPF) (JUNOS Release 10.0R2)
  ■ Packet mirroring (JUNOS Release 10.0R2)
  ■ Quality of service (QoS) per port: (JUNOS Release 10.0R2)
    ■ Eight queues per port
    ■ Excess-rate configuration at the traffic-control-profile level
    ■ Excess-rate and excess-priority configuration at the queue level
    ■ Shaping at the port level
    ■ Shaping at the queue level
    ■ Scheduling of queues based on weighted round-robin (WRR) per priority class
    ■ Tricolor marking
    ■ Weighted random early detection (WRED)
  ■ QoS per virtual LAN (VLAN): (JUNOS Release 10.0R2)
    ■ Accounting, filtering, and policing
    ■ IEEE 802.1p rewrite
    ■ Classification
    ■ Excess-rate configuration at the traffic-control-profile level
    ■ Tricolor marking
  ■ Resource Reservation Protocol (RSVP) (JUNOS Release 10.0R2)
  ■ Routing Information Protocol (RIP) (JUNOS Release 10.0R2)
  ■ Simple Network Management Protocol (SNMP) (JUNOS Release 10.0R2)
  ■ IEEE 802.1Q VLANs: (JUNOS Release 10.0R2)
    ■ VLAN stacking and rewriting
    ■ Channels defined by two stacked VLAN tags
    ■ Flexible VLAN tagging
    ■ IP service for nonstandard TPID and stacked VLAN tags
  ■ Virtual private LAN service (VPLS) (JUNOS Release 10.0R2)
  ■ Virtual private network (VPN) (JUNOS Release 10.0R2)
  ■ Virtual Router Redundancy Protocol (VRRP) for IPv4 (JUNOS Release 10.0R2)
  To support these features, some modifications have been made to the following configuration statements:
  ■ The ability to configure the DSCP as the action of a filter rule is already present in the JUNOS Software. However, with this line card, the value range permitted is modified from 0, to 0 through 63. To include DSCP as the action of a filter rule, include the dscp value parameter at the [edit firewall filter filter-name] hierarchy level.
  ■ To fully leverage the features offered through the new chipset on the line card, include the enhanced-hash-key option at the [edit forwarding-options] hierarchy level.
  [Class of Service]
■ IEEE 802.1ak-2007 MVRP (MX Series routers)—The Multiple VLAN Registration Protocol (MVRP) is a standards-based Layer 2 network protocol used among switches to dynamically share and update VLAN information with other bridges. VLAN information exchanged includes:
  ■ The set of VLANs that currently have active members
  ■ The ports through which the active members can be reached
  To operate MVRP, edge ports should have the static VLAN configuration. The edge ports will not be configured for MVRP. MVRP is only enabled on the core-facing trunk ports where no static VLANs are configured.
  To configure MVRP, include the mvrp statement and desired options at the [edit protocols] hierarchy level.
  [Class of Service]
■ Elevated packet drops during oversubscription (MX Series routers with Trio MPC/MIC interfaces)—During periods of oversubscription, the WRED process drops more packets than expected from relatively full queues. There is no configuration for this feature, which transparently applies scaling to oversubscribed queues.
  [Class of Service]
High Availability
■ Enhancements to unified ISSU support on PICs (T Series)—JUNOS Release 10.1 extends unified ISSU support for the following PICs to T Series routers:
  ■ PB-1CHOC12-STM4-IQE-SFP, 1-port channelized OC12/STM4 enhanced IQ PIC
  ■ PB-1OC12-STM4-IQE-SFP, 1-port non-channelized OC12/STM4 enhanced IQ PIC
  ■ PB-4CHDS3-E3-IQE-BNC, 4-port channelized DS3/E3 enhanced IQ PIC
  ■ PB-4DS3-E3-IQE-BNC, 4-port non-channelized DS3/E3 enhanced IQ PIC
  [High Availability]
Interfaces and Chassis
■
New 60-Gigabit Ethernet Queuing MPC (model number
MX-MPC2-3D-Q)—Supported on MX Series routers. For a list of supported MPCs,
see the MX Series Line Card Guide.
■
New 60-Gigabit Ethernet MPC (model number MX-MPC2-3D)—Supported on
MX Series routers. For a list of supported MPCs, see the MX Series Line Card
Guide.
■
New 60-Gigabit Ethernet Enhanced Queuing MPC (model number
MX-MPC2-3D-EQ)—Supported on MX Series routers. For a list of supported
MPCs, see the MX Series Line Card Guide.
■
New 20-port Gigabit Ethernet MIC with SFP (model number
MIC-3D-20GE-SFP)—Supported on MX Series routers. For a list of supported
MPCs, see the MX Series Line Card Guide.
■
New Modular Port Concentrators (MPCs) and Modular Interface Cards
(MICs)—Supported on MX Series platforms. Up to two MICs plug into the MPC
to provide the physical interface for the MPC line card. The MPCs provide
increased capacity on Gigabit Ethernet and 10-Gigabit Ethernet hardware. For a
list of supported MPCs and MICs, see the MX Series Line Card Guide.
[Network Interfaces]
■
New 4-port 10-Gigabit Ethernet MIC with XFP (model number
MIC-3D-4XGE-XFP)—Supported on MX Series routers. For a list of supported
MPCs, see the MX Series Line Card Guide.
■
Layer 2 VPLS, IRB, and mesh group feature parity (MX Series routers with
Trio MPC/MIC interfaces)—Support for Layer 2 feature parity with JUNOS Release
9.1 on MX Series routers that include Trio Modular Port Concentrators (MPCs)
and Modular Interface Cards (MICs).
Layer 2 feature parity includes:
■
Layer 2 bridging
■
VPLS forwarding
■
MAC address learning, aging, and MAC address limit
■
Mesh group support
■
Implicit VLAN mapping
■
Integrated routing and bridging (IRB)
■
Multicast over IRB
■
MAC statistics
Layer 2 features that are not supported in this release include:
■
Spanning Tree Protocols (xSTP)
■
VLAN Spanning Tree Protocol (VSTP)
■
Multiple Spanning Tree Protocol (MSTP)
■
Rapid Spanning Tree Protocol (RSTP)
■
Layer 2 Tunneling Protocol (L2TP)
■
Upgrading a T1600 router to be the LCC0 of the TX Matrix Plus router—You
can now upgrade an operational T1600 router to be the lcc0 in a newly configured
TX Matrix Plus router. The procedures require JUNOS Release 10.1 on the TX
Matrix Plus router and the T1600 router. A reboot is required to transfer control
of the T1600 router to the routing matrix. You can also downgrade the lcc0 to
a standalone T1600 router by rolling back to the former configuration. Upgrade
and integration of subsequent operational T1600 routers to form lcc1 and lcc2
(and so on) is not supported. Use the offline procedures to upgrade and integrate
the remaining T1600 routers into the routing matrix.
[TX Matrix Plus Hardware, System Basics and Services Command Reference]
■
Per-unit scheduling for GRE tunnels using IQ2 PICs (M7i, M10i, M120, and
M320 routers with E3–FPC)—Supports enhanced IQ2 PIC and IQ2E PIC
performance, adding all functionality of tunnel PICs. The QoS for the GRE tunnel
traffic will be applied as the traffic is looped through the IQ2/IQ2E PIC.
Shaping is performed on full packets that pass through the GRE tunnel.
IQ2 and IQ2E PICs support all interfaces that are supported on tunnel PICs, as
follows:
■
gr-fpc/pic/port
■
vt-fpc/pic/port
■
lt-fpc/pic/port
■
ip-fpc/pic/port
■
pe-fpc/pic/port
■
pd-fpc/pic/port
■
mt-fpc/pic/port
The port variable is always zero.
The provided tunnel functionality is the same as that of regular tunnel PICs.
When tunnel services are enabled on IQ2 and IQ2E PICs, they work exclusively
as tunnel PICs. The physical ports on the PICs cannot be used in tunnel mode.
To configure exclusive tunnel mode, use the tunnel-only statement at the [chassis
fpc number pic number] hierarchy level.
You can use the show interfaces queue gr-fpc/pic/port command to display
statistics for the specified tunnel.
[Network Interfaces, Class of Service, PIC Guide]
■
Root System Domain (RSD) configuration of logical interface filters on shared
interfaces (JCS1200 platform)—Enables Root System Domain (RSD) configuration
support for logical interface filters on shared interfaces. In previous releases,
logical interface filters were configured on each Protected System Domain (PSD).
This release supports configuration on the RSD.
To configure a logical interface filter on the RSD, apply the firewall filter to the
logical interface on the shared interface by including the filter output filter-name
statement at the [edit interfaces interface-name unit logical-unit-number] hierarchy
level on the RSD.
Filtering is performed on the PSD, but logical interface filters configured on the
RSD are applied automatically by the PSD. Filters configured on the RSD can
co-exist with filters configured on the PSD. Counter statistics related to PSD
filtering are available on the RSD.
[Protected System Domain]
■
Two new AC power supply modules (AC Power Entry Module 10kW US and
AC Power Entry Module 10kW EMEA) in chassis—The JUNOS Software now
supports two new AC power supply modules on T640 and T1600 routers: AC
Power Entry Module 10kW US and AC Power Entry Module 10kW EMEA (for
U.S. and EMEA markets, respectively). The two Power Entry Modules (PEMs)
cannot interoperate and the JUNOS Software reports an alarm when they do.
The show chassis environment pem command output shows AC Input: status
instead of DC Input: status, and Temperature shows the actual temperature
reading. Two new power supply descriptions, US and EMEA, are added to the
output of the show chassis hardware command to distinguish the new modules
from existing ones.
[System Basics and Service Command Reference]
■
Next-hop cloning and permutations disabled in T Series enhanced scaling
FPCs (FPC Type 1-ES, FPC Type 2-ES, FPC Type 3-ES, and FPC Type 4-ES)—The
next-hop cloning and permutations are now disabled in these FPCs with enhanced
load-balancing capability. As a result, the memory utilization is reduced for a
highly scaled system with a high number of next hops on ECMP or aggregated
interfaces.
[System Basics]
■
Fragmentation support for GRE-encapsulated packets (Multiservices DPC)
(M120, M7i/M10i with enhanced CFEB, M320 with E3 FPC, and MX Series
routers only)—Enables the Packet Forwarding Engine to update the IP
identification field in the outer IP header of packets encapsulated with generic
routing encapsulation (GRE), so that reassembly of the packets is possible after
fragmentation. The previous CLI constraint check that requires you to configure
either the clear-dont-fragment-bit statement or a tunnel key with the
allow-fragmentation statement is no longer enforced. There are no associated
changes to the CLI statements or operational mode commands.
NOTE: For other routers, the earlier configuration constraint check still holds.
[Services Interfaces, MPLS Applications, MX Series Layer 2 Configuration Guide]
■
NAT compliance enhancements—Add modifications to the existing NAT
functionality on the services PICs to achieve compliance with RFC 4787 (UDP),
RFC 5382 (TCP), and RFC 5508 (ICMP). These enhancements apply to IPv4–IPv4, IPv6–IPv6,
and IPv4–IPv6 source NAT and are not supported with destination NAT. New
CLI configuration settings associated with RFC 4787 include the mapping-timeout
statement at the [edit services nat pool pool-name] hierarchy level and the
address-pooling, filtering-type, and mapping-type statements at the [edit services
nat rule rule-name term term-name then translated] hierarchy level. There are no
associated changes to the operational mode commands.
[Services Interfaces]
■
Support for VRF in Routing Engine-based sampling on M Series, M320, MX
Series, M120, and T Series routers—For VRF Routing Engine-based sampling,
the kernel queries the correct VRF route table based on the ingress interface
index for the received packet. For interfaces configured in VRF, the sampled
packets contain the correct input and output interface SNMP index, the source
and destination AS numbers, and the source and destination mask.
There are two ways to verify the sampled packets. The first is to include the file
sampled statement at the [edit forwarding-options sampling traceoptions] hierarchy
level and the local dump statement at the [edit forwarding-options family inet output
flow-server server] hierarchy level, and check the sampled file using the tail -f
/var/tmp/sampled command from the router shell. The second is to export the
sampled packets to the flow server and verify them there.
[Services Interfaces, Feature Guide]
■
New 4-port Channelized OC12 Enhanced Intelligent Queuing (IQE) type 3
PIC (M Series and T Series routers)—Provides increased channelization and an
improved QoS model, with channelization capabilities and scaling that make it
ideal for edge aggregation.
Improved QoS functionality supports policing based on DSCP/IPPREC/EXP, five
priority levels, two shaping rates (CIR and PIR), an option to use shared scheduling
on a set of logical interfaces, DSCP rewrite on ingress, and configurable delay
buffers for queuing. The QoS capabilities provide service differentiation for
service providers.
The interface configuration syntax of existing IQ PICs is retained, but
configuration limits are changed to match the augmented capabilities of IQE
PICs.
All functionality available on the 4-port Channelized OC12 IQ Type 2 PIC is
supported by this PIC.
[Network Interfaces]
■
Enhanced Intelligent Queuing (IQE) PICs add support for T3 and T1
channelization under SDH framing (M40e, M120, and M320 with Sahara-FPC,
and T Series routers)—The following IQE PICs are supported:
■
1-port COC48 IQE
■
4-port COC12 IQE
■
1-port COC12 IQE
■
2-port COC3 IQE
The JUNOS Software supports T1 and CT1 interface types under CAU4. To
configure T1 and CT1 interfaces under CAU4, use the t1 and ct1 statements at
the [edit interfaces cau4-fpc/pic/port:unit partition number interface-type] hierarchy
level.
With T1 and CT1 interface configurations under CAU4 interfaces, you can
configure a maximum of 84 T1 or CT1 interfaces. However, the partition range
under CAU4 interfaces was previously restricted to 1 through 63. This range has
increased to 1 through 84 for T1 and CT1 interfaces.
The JUNOS Software supports T1, CT1, T3, and CT3 interfaces under Channelized
AU4 partitions. To configure T1, CT1, T3, and CT3 interfaces under Channelized
AU4, use the ct1 and t1 statements at the [edit interfaces cau4-fpc/pic/port:unit
partition partition-number] hierarchy level or the ct3 and t3 statements at the [edit
interfaces cau4-fpc/pic/port:unit partition number interface-type] hierarchy level.
The JUNOS Software also supports M13 mapped T1 interfaces under CAU4. To
configure a T1 interface under CAU4, use the t1 statement at the [edit interfaces
cau4-fpc/pic/port:unit partition partition-number interface-type t1] or [edit interfaces
cau4-fpc/pic/port:unit partition partition-number interface-type ct1] hierarchy level.
The JUNOS Software does not allow combined configurations of E1 and E3
interfaces together under a CAU4 interface.
Similarly, you cannot mix T1, E1, T3, and E3 interfaces directly under CAU4.
NOTE: The TUG-3 partition is not supported.
ITU-T VT-mapping in combination with TUG3 partition is not supported.
[Network Interfaces, PIC Guide]
■
Stateful firewall chaining for FTP, TFTP, and RTSP data sessions (MX Series
routers with Multiservices DPCs, and M120 or M320 routers with Multiservices
400 PICs)—Adds support for stateful firewall rule sets in Dynamic Application
Awareness for JUNOS Software service chains. New application-level gateways
(ALGs) are available for FTP (junos-ftp), TFTP (junos-tftp), and RTSP (junos-rtsp);
you can include them as values for the applications statement at the [edit services
stateful-firewall rule rule-name term term-name from] hierarchy level. In addition,
you can include new statement options at the [edit interfaces ms-fpc/pic/port
services-options ignore-errors] hierarchy level to enable stateful firewall sessions
to operate in a no-drop mode and ignore various traffic errors that would normally
result in dropped packets. There are no CLI changes in the APPID, IDP, AACL,
or L-PDF configurations. The associated operational mode commands should
report the new applications when identified.
[Services Interfaces]
JUNOS XML API and Scripting
■
New JUNOS XML API operational request tag elements—Table 1
lists the JUNOS Extensible Markup Language (XML) operational request tag
elements that are new in JUNOS Release 10.1, along with the corresponding CLI
command and response tag element for each one.
Table 1: JUNOS XML Tag Elements and CLI Command Equivalents New in JUNOS 10.1

| Request Tag Element | CLI Command | Response Tag Element |
|---|---|---|
| <clear-dhcpv6-server-binding-information> clear_dhcpv6_server_binding_information | clear dhcpv6 server binding | NONE |
| <clear-dhcpv6-server-statistics-information> clear_dhcpv6_server_statistics_information | clear dhcpv6 server statistics | NONE |
| <clear-mpls-static-lsp-information> clear_mpls_static_lsp_information | clear mpls static-lsp | NONE |
| <clear-mvrp-interface-statistics> clear_mvrp_interface_statistics | clear mvrp statistics | NONE |
| <clear-idp-appddos-cache> clear_idp_appddos_cache | clear security idp application-ddos cache | NONE |
| <clear-idp-status-information> clear_idp_status_information | clear security idp status | <clear-idp-status-information> |
| <clear-vrrp-information> clear_vrrp_information | clear vrrp | <vrrp-message> |
| <clear-vrrp-interface-statistics> clear_vrrp_interface_statistics | clear vrrp interface | <vrrp-message> |
| <request-script-refresh-from> request_script_refresh_from | request system scripts refresh-from | NONE |
| <get-dhcpv6-server-binding-information> get_dhcpv6_server_binding_information | show dhcpv6 server binding | <dhcpv6-server-binding-information> |
| <get-dhcpv6-server-statistics-information> get_dhcpv6_server_statistics_information | show dhcpv6 server statistics | <dhcpv6-server-statistics-information> |
| <get-mpls-static-lsp-information> get_mpls_static_lsp_information | show mpls static-lsp | <mpls-static-lsp-information> |
| <get-mvrp-information> get_mvrp_information | show mvrp | <mvrp-information> |
| <get-mvrp-applicant-information> get_mvrp_applicant_information | show mvrp applicant-state | <mvrp-applicant-state> |
| <get-mvrp-dynamic-vlan-memberships> get_mvrp_dynamic_vlan_memberships | show mvrp dynamic-vlan-memberships | <mvrp-vlan-information> |
| <get-mvrp-interface-information> get_mvrp_interface_information | show mvrp interface | <mvrp-interface-information> |
| <get-mvrp-registration-state> get_mvrp_registration_state | show mvrp registration-state | <mvrp-registration-information> |
| <get-mvrp-interface-statistics> get_mvrp_interface_statistics | show mvrp statistics | <mvrp-interface-statistics> |
| <get-idp-subscriber-policy-list> get_idp_subscriber_policy_list | show security idp policies | <idp-subscriber-policy-list> |
| <get-idp-policy-template-information> get_idp_policy_template_information | show security idp policy-templates-list | <idp-policy-template-information> |
| <get-idp-detail-status-information> get_idp_detail_status_information | show security idp status detail | <idp-detail-status-information> |
| <get-service-nat-mapping-information> get_service_nat_mapping_information | show services nat mappings | <service-nat-mapping-information> |
| <get-task-memory-information> get_task_memory_information | show task memory | <task-memory-information> |
| <get-vrrp-information> get_vrrp_information | show vrrp | <vrrp-information> |
| <get-vrrp-interface-information> get_vrrp_interface_information | show vrrp interface | <vrrp-information> |
| <get-vrrp-track-interfaces> get_vrrp_track_interfaces | show vrrp track | <vrrp-information> |
[JUNOS XML API Operational Reference]
MPLS Applications
■
Static LSPs at the ingress router—You can now configure a named static LSP
at the ingress router. This feature allows you to configure multiple static LSPs
between two specific routers. It is not necessary to configure unique names for
static versus dynamic LSPs (a static LSP could have the same name as a dynamic
LSP configured on the same router). This feature also allows you to configure a
single-hop static LSP by specifying either an explicit null label or no label.
To configure a static LSP on an ingress router, include the ingress statement at
the [edit protocols mpls static-label-switched-path static-lsp-name] hierarchy level.
You must also configure the to and next-hop statements at the [edit protocols mpls
static-label-switched-path static-lsp-name] hierarchy level. You can optionally
configure the push statement. If you configure the push statement, you must
specify a non-reserved label in the range of 0 through 1,048,575.
To display information about ingress static LSPs, issue the show mpls lsp static
ingress command. To display routing table entries corresponding to ingress static
LSPs, issue the show route table inet.3 command or the show route next-hop
next-hop-ip-address static-label-switched-path static-lsp-name command.
[MPLS, Routing Protocols and Policies Command Reference]
■
Static LSPs at the transit router—You can now configure a named static LSP
on a transit router. To configure a transit static LSP, include the transit statement
at the [edit protocols mpls static-label-switched-path path-name] hierarchy level
and include the next-hop statement at the [edit protocols mpls
static-label-switched-path static-lsp-name] hierarchy level. You must also configure
either the pop or the swap statement at the [edit protocols mpls
static-label-switched-path static-lsp-name transit] hierarchy level. If you configure
the swap statement, you must specify a non-reserved label in the range of 0
through 1,048,575.
The transit static LSP is added to the mpls.0 routing table. You should configure
each static LSP using a unique name and at least a unique incoming label on the
router. Each transit static LSP can have one or more incoming labels configured.
If a transit LSP has more than one incoming label, each would effectively operate
as an independent LSP, meaning you could configure all of the related LSP
attributes for each incoming label. The range of incoming labels available is
limited to the standard static LSP range of labels (1,000,000 through 1,048,575).
To verify that a static LSP has been added to the routing table, issue the show
route table mpls.0 command.
[MPLS]
■
Bypass static LSPs—You can now configure a named bypass static LSP for ingress
and transit static LSPs, to be used if the primary LSP fails. To configure a bypass
static LSP, include the bypass statement at the [edit protocols mpls
static-label-switched-path path-name] hierarchy level. You must also configure the
to and next-hop statements at the [edit protocols mpls static-label-switched-path
static-lsp-name bypass] hierarchy level. You can also configure link and node
protection for static LSPs. If you configure both link and node protection for the
static LSP and the primary link fails, the node protection feature is preferred.
[MPLS]
■
Static LSP revert timer—You can now configure a revert timer for ingress and
transit static LSPs. After traffic has been switched to a bypass static LSP, it is
typically switched back to the primary static LSP when it comes back up. There
is a configurable delay in the time (called the revert timer) between when the
primary static LSP comes up and when traffic is reverted back to it from the
bypass static LSP. This delay is needed because when the primary LSP comes
back up, it is not certain whether all of the interfaces on the downstream node
of the primary path have come up yet. The delay range is from 0 through 65,535
seconds and is configurable at each interface. If you configure a value of 0, traffic
is never automatically reverted to the primary LSP, even if it does come back
up. The only exception is if the bypass LSP goes down. The default value is 5
seconds. To configure the revert timer for an interface, include the
protection-revert-time statement at the [edit protocols mpls interface interface-name
static] hierarchy level. You can display the revert timer value for an interface
using the show mpls interface detail command.
[MPLS]
■
Static LSP traceoptions—You can now configure the traceoptions statement to
trace messages related to ingress and transit static LSPs by including the static
flag at the [edit protocols mpls traceoptions flag] hierarchy level.
[MPLS]
■
Static LSP statistics—You can now display statistics related to MPLS static LSPs
by issuing the show mpls static-lsp statistics command and the monitor static-lsp
lsp-name command. The show mpls static-lsp statistics command includes the
following options: ingress, transit, bypass, and name static-lsp-name. This command
displays the packet count and byte count for the static LSP. You can clear the
statistics for static LSPs by issuing the clear mpls static-lsp statistics command.
You can also log the static LSP statistics to a file by specifying a file for the MPLS
statistics statement. You can configure this file using the set protocols mpls
statistics interval interval file filename command.
[MPLS, Routing Protocols and Policies Command Reference]
Multiplay
■
Border Gateway Function (BGF) RTCP XR reporting—Provides support for the
H.248 RECRTCPXR (Received RTCP Extended Reporting) and RECRTCPXRBM
(Received RTCP XR Burst Mode) reporting packages. The RECRTCPXR package
defines properties and statistics that provide extended quality-of-service metrics
received from the gateway controller. The RECRTCPXRBM package defines
properties and statistics that provide burst metrics received from the gateway
controller. Report data is available to the BGF when the gateway controller sends
the relevant XR reporting packets and RTCP monitoring is active. Not all gateway
controllers send the extended reporting packets. When XR packets are not
received, all XR fields are displayed as 0s (zeroes).
You can use the following existing command to display the RECRTCPXR and
RECRTCPXRBM report fields for a given gate-id: show services pgcp gate
gateway-name statistics gate-id gate-id.
[Multiplay Solutions, System Basics Command Reference]
■
Integrated Multi-Services Gateway (IMSG) failed call reporting—Provides more
extensive statistics on failed calls through improved show command output.
You can use the following existing command to display statistics on failed calls:
show services border-signaling-gateway calls-failed gateway gateway-name.
[Multiplay Solutions, System Basics Command Reference]
■
Integrated Multi-Services Gateway (IMSG) media release—Enables the IMSG
SIP function to release media resources when handling calls between two entities
in the same media realm (the virtual interface specified in the PGCP
configuration). When the new call usage policies for both entities allow media
release, media resources are shared instead of being reserved for both entities.
This improves the utilization of media resources and prevents latency.
To configure media release, enter the media-release statement at the [edit services
border-signaling-gateway gateway-name sip new-call-usage-policy policy-name term
term-name then media-policy] hierarchy level.
[Multiplay Solutions, Services Interfaces]
Routing Policy and Firewall Filters
■
New MPLS firewall filter match conditions (T Series routers)—The JUNOS
Software now supports filtering MPLS-tagged IPv4 packets based on IP parameters
for up to five MPLS stacked labels.
To configure the filter match conditions for an MPLS family based on IP
parameters, include the from statement at the [edit firewall family family-name
filter filter-name term term-name] hierarchy level:
from {
    match-conditions;
}
NOTE: New filter match conditions are applicable only for MPLS-tagged IPv4 packets.
MPLS-tagged IPv6 packets are not supported by this filter.
[Policy Framework, Routing Protocols and Policies Command Reference]
Routing Protocols
■
BGP support for MDT-SAFI updates without a route target—By default, the
JUNOS Software requires MDT-SAFI updates to have a route target attached.
Some vendors do not support attaching route targets to the MDT-SAFI updates.
For interoperability with these vendors, the JUNOS Software allows importing
MDT-SAFI updates without a route target being attached. The MDT-SAFI is
imported if the MDT default address in the MDT-SAFI prefix matches the MDT
default address configured within the routing instance.
To configure the MDT default address, include the group-address group-address
statement at the [edit routing-instances routing-instance-name provider-tunnel
pim-ssm] hierarchy level.
[Multicast, Policy Framework]
■
Distributed periodic packet management support for aggregate
interfaces—Extends support for the Bidirectional Forwarding Detection (BFD)
protocol to use the periodic packet management daemon (PPMD) to distribute
IPv4 sessions over aggregate interfaces. PPMD automatically runs on the Routing
Engine and the Packet Forwarding Engine. To disable PPMD on the Packet
Forwarding Engine only, include the no-delegate-processing statement at the [edit
routing-options ppm] hierarchy level. Only IPv4 BFD sessions over aggregate
interfaces are supported. PPMD does not support IPv6 BFD sessions over an
aggregate interface or MPLS BFD sessions over an aggregate interface.
[Routing Protocols]
■
PIM join suppression support—Enables a router to defer sending join messages
to an upstream router when identical join messages are sent on the same
multiaccess network. This improves scalability and efficiency by reducing the
number of identical messages sent to the same router.
This feature is useful when there are a large number of routers on a multiaccess
network that will be receiving traffic for a particular multicast group. Suppressing
joins at each router saves bandwidth and reduces heavy processing at upstream
routers.
PIM join suppression can be implemented per multiaccess interface and per
multicast group. It is only needed on downstream routers, and does not need to
be implemented on upstream routers in order for it to work.
A tracking bit field on the LAN prune delay hello option is used in the CLI to
enable join suppression for downstream routers. By default, the tracking bit is
set to 1 and PIM join suppression is disabled. This is the default behavior for
JUNOS Release 10.0 and earlier for Juniper Networks routers. With join
suppression disabled (T-bit=1), a downstream receiving router will send join
messages even if it receives identical joins for the same upstream router, as long
as no other router in the network has join suppression enabled. When the tracking
bit is set to 0 for at least one neighbor on this interface, join suppression is
enabled, and the receiving router will defer sending identical joins. Use
reset-tracking-bit in the CLI to enable join suppression.
When an upstream router receives a join message, its behavior is independent
of the value of the T-bit in the hello option. When join suppression is triggered,
a timer is activated and all sending of joins is deferred for the length of time
specified by the timer. This is a random timer with a value between 0 and the
Max Override Interval. The timer is reset each time join suppression is triggered,
and the defer period is dependent on other settings in the LAN prune delay,
including propagation-delay and override-interval.
Use the show protocols PIM command to see if the reset-tracking-bit is present,
indicating that the T-bit has been changed to 0 and PIM join suppression is
enabled.
[Multicast, Routing Protocols and Policies Command Reference]
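The tracking-bit rule described above can be checked against captured Hello options. The following is an added example, not code from these release notes or from Juniper: it assumes the LAN prune delay option layout from RFC 4601 (option type 2, 1-bit T, 15-bit propagation delay, 16-bit override interval, both in milliseconds) and the RFC 4601 rule that a neighbor sending no such option also turns suppression on. All function names and the sample Hello bodies are constructed for illustration.

```python
import random
import struct
from dataclasses import dataclass
from typing import Iterable, Optional

OPT_HOLDTIME = 1             # PIM Hello option types (RFC 4601, assumed here)
OPT_LAN_PRUNE_DELAY = 2
DEFAULT_OVERRIDE_MS = 2500   # RFC 4601 default when a neighbor omits the option


@dataclass(frozen=True)
class LanPruneDelay:
    t_bit: int                   # 1 = join suppression disabled by this sender
    propagation_delay_ms: int
    override_interval_ms: int


def parse_hello_options(body: bytes) -> dict:
    """Walk the type/length/value options that follow the 4-byte PIM header."""
    options, offset = {}, 0
    while offset < len(body):
        if len(body) - offset < 4:
            raise ValueError("truncated option header")
        opt_type, opt_len = struct.unpack_from("!HH", body, offset)
        offset += 4
        if offset + opt_len > len(body):
            raise ValueError("option value runs past end of Hello")
        options[opt_type] = body[offset:offset + opt_len]
        offset += opt_len
    return options


def lan_prune_delay(body: bytes) -> Optional[LanPruneDelay]:
    """Decode the LAN prune delay option, or return None if it is absent."""
    value = parse_hello_options(body).get(OPT_LAN_PRUNE_DELAY)
    if value is None:
        return None
    if len(value) != 4:
        raise ValueError("LAN prune delay option must be 4 bytes")
    first, override = struct.unpack("!HH", value)
    return LanPruneDelay(first >> 15, first & 0x7FFF, override)


def join_suppression_enabled(hello_bodies: Iterable[bytes]) -> bool:
    """True if any router on the LAN cleared the T-bit or omitted the option."""
    for body in hello_bodies:
        opt = lan_prune_delay(body)
        if opt is None or opt.t_bit == 0:
            return True
    return False


def max_override_interval_ms(hello_bodies: Iterable[bytes]) -> int:
    """Largest advertised override interval; default if anyone omits the option."""
    opts = [lan_prune_delay(b) for b in hello_bodies]
    if not opts or any(o is None for o in opts):
        return DEFAULT_OVERRIDE_MS
    return max(o.override_interval_ms for o in opts)


def join_defer_ms(hello_bodies: Iterable[bytes], rng=random) -> float:
    """Random deferral between 0 and the max override interval, 0 if not suppressing."""
    hellos = list(hello_bodies)
    if not join_suppression_enabled(hellos):
        return 0.0
    return rng.uniform(0, max_override_interval_ms(hellos))


def build_hello_body(t_bit, delay_ms=500, override_ms=2500, with_lpd=True) -> bytes:
    """Constructed sample input: Holdtime option plus optional LAN prune delay."""
    body = struct.pack("!HHH", OPT_HOLDTIME, 2, 105)
    if with_lpd:
        first = (t_bit << 15) | (delay_ms & 0x7FFF)
        body += struct.pack("!HHHH", OPT_LAN_PRUNE_DELAY, 4, first, override_ms)
    return body


if __name__ == "__main__":
    lan = [build_hello_body(1), build_hello_body(0, override_ms=4000)]
    print("suppression enabled:", join_suppression_enabled(lan))
    print("defer (ms):", round(join_defer_ms(lan), 1))
```

Pass in the Hello bodies of every router on the multiaccess segment, the local router included, because a single cleared T-bit changes the behavior for the whole interface.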
■
Improve IGMPv3 snooping performance using bulk updates—Whenever
an individual interface joins or leaves a multicast group, a new next-hop entry
is installed in the routing table and the forwarding table. This can require a lot
of processing time when the frequency and number of IGMP join and leave
messages are high.
A new configuration statement can be used to accumulate outgoing interface
changes and perform bulk updates to the routing table and forwarding table.
This reduces the processing time and memory overhead required when processing
join and leave messages, thus improving scalability. This is useful for applications
such as Internet Protocol television (IPTV), in which users changing channels
can create thousands of interfaces joining or leaving a group in a short period
of time.
To enable bulk updates of join and leave messages, include the next-hop-hold-time
statement and specify the number of milliseconds to wait before processing the
messages. The next-hop-hold-time statement can be configured at the [edit
routing-instances routing-instance-name] hierarchy level. The hold time can be
configured from 1 to 1000 milliseconds. The routing instance must be of type
VPLS or virtual-switch.
If the next-hop-hold-time statement is deleted from the router configuration, IGMP
bulk updates are disabled. The configuration of the next-hop-hold-time statement
can be verified using the show multicast snooping route command.
[Multicast, Routing Protocols and Policies Command Reference]
■
Hub-and-spoke support for multiprotocol BGP-based multicast VPNs with
PIM-SSM GRE S-PMSI transport—Multiprotocol BGP-based (MBGP) multicast
VPNs (also referred to as next-generation Layer 3 VPN multicast) can be
configured using protocol-independent multicast source-specific multicast
(PIM-SSM) selective provider multicast service interface (S-PMSI) tunnels in a
hub-and-spoke topology.
This feature is useful in the following scenarios:
■
Customer sources and rendezvous points (RPs) are located only in the hub
sites and customer receivers are located in spoke sites or other hub sites.
■
Customer sources are located only in spoke sites and customer receivers are
located only in hub sites.
To configure MBGP MVPNs to use PIM-SSM S-PMSI tunnels in a hub-and-spoke
topology:
■
Include the group-range statement and specify the group address range at
the [edit routing-instances routing-instance-name provider-tunnel selective group
group-address source source-address pim-ssm] hierarchy level on all PE routers
participating in the MVPN.
■
Include the threshold-rate statement and specify zero as the threshold value
at the [edit routing-instances routing-instance-name provider-tunnel selective
group group-address source source-address] hierarchy level on all PE routers
participating in the MVPN.
■
Include the family inet-mvpn statement and family inet6-mvpn statement at
the [edit routing-instances routing-instance-name vrf-advertise-selective] hierarchy
level to selectively advertise routes on PE routers that use one VRF for unicast
routing and a separate VRF for MVPN routing.
[VPNs, Routing Protocols, Routing Protocols and Policies Command Reference]
Services Applications
■
FlowTapLite enhancements—Extend support for interception of IPv6 packets
on MX Series, M120, and M320 routers. For IPv6, the global filter taps packets
from the default IPv6 routing table and does not tap packets from other VRFs.
To tap packets from other VRFs, you can install separate VRF filters. For IPv4,
the global filter intercepts all IPv4 packets irrespective of the VRF. The limit for
filters remains 3000, which is now shared between IPv4 and IPv6. For example,
you can install 3000 IPv4 filters or 3000 IPv6 filters, or a combination of both
that totals 3000. You cannot install 3000 IPv4 filters and 3000 IPv6 filters.
No new statements are required to configure these enhancements. However,
whether you use IPv6 flow tapping or not, you must include the family inet6
statement at the [edit interfaces vt-fpc/pic/port unit logical-unit-number] hierarchy
level.
[Services Interfaces]
Subscriber Access Management
■
JUNOS subscriber access scaling values (M120, M320, and MX Series
routers)—Table 2 on page 28 lists the DHCP, PPP, and PPPoE scaling values
supported for subscriber access in this release of M120, M320, and MX Series
routers. In this table, DPC means only MX Series Enhanced Queuing IP Services
DPCs (DPCE-R-Q-40GE-SFP and DPCE-R-Q-4XGE-XFP). These DPCs support only
DHCP subscribers; they do not support PPP subscribers.
Table 2: Subscriber Access Scaling Values for M120, M320, and MX Series Routers

Subscriber Access Feature                    M120/M320   MX240     MX480/960
DHCP client bindings per chassis             –           120,000   120,000
Per DPC                                      –           16,000    16,000
Per chassis with DPCs                        –           32,000    64,000
Per Trio MPC/MIC                             –           64,000    64,000
Per chassis with Trio MPC/MIC                –           64,000    64,000
Dynamic PPPoE interfaces per chassis         15,999      63,999    63,999
Dynamic PPPoE interfaces per IQ2/IQ2E PIC    4000        –         –
Dynamic PPPoE interfaces per Trio MPC/MIC    –           32,000    32,000
Static interfaces per chassis                15,999      15,999    15,999
Per IQ2/IQ2E PIC                             2000        –         –
Per chassis with IQ2/IQ2E PIC                8000        –         –
Per Trio MPC/MIC                             –           32,000    32,000
Per chassis with Trio MPC/MIC                –           32,000    32,000
DHCP subscriber VLANs
PPP logical interfaces
PPPoE subscriber VLANs
PPP connections (logical interfaces) are supported in a range of configurations.
For example, 63,999 PPP connections per chassis are supported when all
subscribers are configured on the same VLAN. In this case, 63,999 pp0 interfaces
are configured under the same VLAN logical interface and the one remaining
logical interface is consumed for the single VLAN.
At the other extreme, when you configure each subscriber on a separate VLAN
(using stacked VLANs), up to 32,000 PPP connections per chassis are supported.
In this case, each subscriber connection consumes two logical interfaces: one
for the VLAN logical interface and one for the pp0 logical interface.
The M120, M320, and MX Series routers support a maximum of 2000 different
dynamic profiles per chassis. [Subscriber Access]
■
Support for dynamic CoS for subscriber interfaces on Trio MPC/MIC interfaces
(MX Series routers)—Enables you to configure dynamic CoS for subscriber
interfaces on Trio MPC/MIC interfaces that are now available on MX Series routers.
In earlier releases, dynamic CoS was supported on EQ DPCs only.
To configure dynamic CoS on Trio MPC/MIC interfaces, you must enable the
hierarchical scheduler for an interface at the [edit interfaces] hierarchy level. You
can then configure dynamic CoS parameters at the [edit dynamic-profiles
profile-name class-of-service] hierarchy level. The CoS parameters are dynamically
applied to a subscriber’s services when the subscriber logs in or changes services.
Trio MPC/MIC interfaces support CoS for the following interface types: static
VLAN, demux, static and dynamic PPPoE, and aggregated Ethernet subscriber
interfaces.
In this release, hierarchical CoS for aggregated Ethernet interfaces is supported
on the Trio MPC/MIC product when a static VLAN is configured over the aggregated
Ethernet interface. It is not supported for static or dynamic demux subscriber
interfaces configured over aggregated Ethernet.
[Subscriber Access]
■
Support for CoS on dynamic PPPoE subscriber interfaces (MX Series
routers)—Enables you to configure CoS for dynamic PPPoE subscriber interfaces
on Trio MPC/MIC interfaces available on MX Series routers and the Intelligent
Queuing 2 (IQ2) PIC on M120 and M320 Series routers.
In earlier releases, only static CoS was supported for static PPPoE subscriber
interfaces configured on IQ2 PICs on M120 and M320 Series routers.
To configure CoS for a dynamic PPPoE interface, configure the shaping and
scheduling parameters at the [edit dynamic-profiles profile-name class-of-service]
hierarchy level. You then attach the traffic control profile to the dynamic PPPoE
interface by including the output-traffic-control-profile profile-name statement at
the [edit dynamic-profiles profile-name class-of-service interfaces
$junos-interface-ifd-name unit $junos-underlying-interface-unit] hierarchy level.
When the subscriber logs in, PPP supplies pp0 as the $junos-interface-ifd-name
variable, and supplies the PPPoE logical interface number for the
$junos-underlying-interface-unit variable.
[Subscriber Access]
■
Support for IPv6 for dynamic subscriber services (MX Series routers)—Enables
you to configure IPv6 addressing and prefixes for dynamic subscriber services.
In earlier releases, dynamic subscriber services supported IPv4 addressing only.
You can now configure both IPv4 and IPv6 addressing in the same dynamic
profile to grant access and services to IPv4 and IPv6 subscribers.
In this release, IPv6 addressing is supported for static and dynamic VLAN
subscriber interfaces and dynamic demux subscriber interfaces.
To enable IPv6 addressing for a static VLAN subscriber interface, include the
family inet6 statement at the [edit dynamic-profiles profile-name interfaces
interface-name unit logical-unit-number] hierarchy level.
To enable IPv6 addressing for a demux subscriber interface, include the family
inet6 statement at the [edit dynamic-profiles profile-name interfaces demux0]
hierarchy level. To enable an IPv6 source address for the interface, specify the
new $junos-subscriber-ipv6-address predefined variable with the demux-source
statement at the [edit dynamic-profiles profile-name interfaces demux0 unit
$junos-interface-unit family inet6] hierarchy level. The values for this variable are
supplied to the interface by DHCP when the subscriber logs in.
This feature enables you to configure dynamic, classic, and fast update firewall
filters for IPv6 families. In addition, you can configure aggregate CoS when IPv4
and IPv6 families share a logical interface, and per-family CoS when IPv4 and
IPv6 families do not share a logical interface (such as a demux interface).
The following new predefined variables have been added to implement IPv6
addressing for subscriber services:
Dynamic Profile Variable                   Definition
$junos-framed-route-ipv6-address-prefix    Route prefix of an IPv6 access route.
$junos-framed-route-ipv6-nexthop           Next-hop address of an IPv6 access route.
$junos-input-ipv6-filter                   Attaches a filter based on RADIUS VSA 26-106
                                           (IPv6-Ingress-Policy-Name) to the interface.
$junos-ipv6-ndra-prefix                    IPv6 prefix value used when configuring the
                                           Router Advertisement protocol.
$junos-output-ipv6-filter                  Attaches a filter based on RADIUS VSA 26-107
                                           (IPv6-Egress-Policy-Name) to the interface.
$junos-preferred-source-ipv6-address       Selects the preferred IPv6 source address
                                           associated with the loopback address used for
                                           the subscriber.
$junos-subscriber-ipv6-address             IPv6 address of the subscriber.
RADIUS supports activation, deactivation, and change of authorization (CoA) for
IPv6 services. The following new RADIUS attributes and VSAs have been added
to implement IPv6 addressing for subscriber services:
Attribute Number    Attribute Name
97                  Framed-IPv6-Prefix
99                  Framed-IPv6-Route
26-106              IPv6-Ingress-Policy-Name
26-107              IPv6-Egress-Policy-Name
26-129              IPv6-NdRa-Prefix
26-151              IPv6-Acct-Input-Octets
26-152              IPv6-Acct-Output-Octets
26-153              IPv6-Acct-Input-Packets
26-154              IPv6-Acct-Output-Packets
26-155              IPv6-Acct-Input-Gigawords
26-156              IPv6-Acct-Output-Gigawords
26-157              IPv6-NdRa-Pool-Name
You can monitor IPv6 statistics by issuing the show subscribers and show
network-access aaa subscriber commands.
[Subscriber Access]
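The attribute numbers listed above can be picked out of raw RADIUS attribute bytes as shown in this added example, which is not Juniper code. It assumes vendor ID 4874 for the 26-nnn VSAs and the value encodings named in the comments, neither of which these release notes state; the sample bytes and policy names are constructed.

```python
"""Decode the IPv6 subscriber attributes listed above from raw RADIUS attribute bytes."""
import ipaddress
import struct

# Assumption: Juniper's subscriber VSAs use vendor ID 4874; the page does not state it.
JUNIPER_VENDOR_ID = 4874
VENDOR_SPECIFIC = 26  # the "26" in identifiers such as 26-106

# Names and numbers come from the tables above; the value encodings are assumptions.
STANDARD = {97: ("Framed-IPv6-Prefix", "prefix"), 99: ("Framed-IPv6-Route", "text")}
JUNIPER_VSA = {
    106: ("IPv6-Ingress-Policy-Name", "text"),
    107: ("IPv6-Egress-Policy-Name", "text"),
    129: ("IPv6-NdRa-Prefix", "prefix"),
    151: ("IPv6-Acct-Input-Octets", "counter"),
    152: ("IPv6-Acct-Output-Octets", "counter"),
    153: ("IPv6-Acct-Input-Packets", "counter"),
    154: ("IPv6-Acct-Output-Packets", "counter"),
    155: ("IPv6-Acct-Input-Gigawords", "counter"),
    156: ("IPv6-Acct-Output-Gigawords", "counter"),
    157: ("IPv6-NdRa-Pool-Name", "text"),
}


def decode_prefix(value):
    """RFC 3162 layout: reserved byte, prefix length, then up to 16 prefix bytes."""
    if not 2 <= len(value) <= 18 or value[1] > 128:
        raise ValueError("malformed IPv6 prefix attribute")
    address = ipaddress.IPv6Address(value[2:].ljust(16, b"\x00"))
    return str(ipaddress.IPv6Network(f"{address}/{value[1]}", strict=False))


def decode_counter(value):
    """Assumed encoding for the accounting VSAs: one unsigned 32-bit integer."""
    if len(value) != 4:
        raise ValueError("counter must be 4 bytes")
    return struct.unpack("!I", value)[0]


DECODERS = {"prefix": decode_prefix, "counter": decode_counter,
            "text": lambda value: value.decode("utf-8", errors="replace")}


def split_tlvs(data):
    """Yield (type, value) pairs from type/length/value records, checking lengths."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        kind, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError(f"attribute {kind} has bad length {length}")
        yield kind, data[pos + 2:pos + length]
        pos += length


def decode_attributes(data):
    """Return (identifier, name, value) for every attribute the page lists."""
    found = []
    for kind, value in split_tlvs(data):
        if kind == VENDOR_SPECIFIC:
            if len(value) < 4:
                raise ValueError("vendor-specific attribute without vendor ID")
            if struct.unpack("!I", value[:4])[0] != JUNIPER_VENDOR_ID:
                continue  # another vendor's VSA
            for sub, sub_value in split_tlvs(value[4:]):
                if sub in JUNIPER_VSA:
                    name, enc = JUNIPER_VSA[sub]
                    found.append((f"26-{sub}", name, DECODERS[enc](sub_value)))
        elif kind in STANDARD:
            name, enc = STANDARD[kind]
            found.append((str(kind), name, DECODERS[enc](value)))
    return found


# --- constructed sample: builders used only to make readable test input ---
def build_avp(kind, value):
    return bytes([kind, len(value) + 2]) + value


def build_vsa(sub, value, vendor=JUNIPER_VENDOR_ID):
    return build_avp(VENDOR_SPECIFIC, struct.pack("!I", vendor) + build_avp(sub, value))


def build_prefix(text):
    net = ipaddress.IPv6Network(text)
    used = (net.prefixlen + 7) // 8
    return bytes([0, net.prefixlen]) + net.network_address.packed[:used]


SAMPLE = b"".join([
    build_avp(97, build_prefix("2001:db8:100::/48")),
    build_avp(99, b"2001:db8:200::/56 2001:db8::1 1"),
    build_vsa(106, b"v6-ingress-basic"),
    build_vsa(107, b"v6-egress-basic"),
    build_vsa(129, build_prefix("2001:db8:100:1::/64")),
    build_vsa(151, struct.pack("!I", 123456)),
    build_vsa(1, b"ignored", vendor=99999),  # VSA from a different, made-up vendor
])

if __name__ == "__main__":
    for ident, name, value in decode_attributes(SAMPLE):
        print(f"{ident:>7}  {name:<26} {value}")
```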
■
Support for dynamic PPPoE interfaces (M120, M320, and MX Series
routers)—Enables you to configure dynamically created PPPoE logical interfaces
over statically created underlying interfaces. For subscriber access purposes, the
dynamic PPPoE logical interface represents a dynamic PPPoE subscriber interface.
The router automatically and transparently creates the dynamic interface in
response to an external event, such as the receipt of traffic on an underlying
interface. For example, the router creates a dynamic PPPoE logical interface
when it receives a PPPoE Active Discovery Request (PADR) control packet from
the client on an underlying interface to which a PPPoE dynamic profile is
assigned. The router uses the information configured in the dynamic profile to
determine the properties of the dynamic PPPoE logical interface.
The use of dynamically created PPPoE interfaces gives you the flexibility of
having the router create the dynamic PPPoE logical interface only when the
subscriber logs in on the associated underlying interface. By contrast, statically
created interfaces always allocate and consume system resources upon interface
creation, even when no traffic is flowing on the interface. Configuring and using
dynamically created interfaces helps you effectively and conveniently manage
subscriber access networks that provide services to large numbers of subscribers.
Configuration of dynamic PPPoE logical interfaces is supported on Intelligent
Queuing 2 (IQ2) PICs on M120 and M320 Series routers, and on Trio MPC/MIC
interfaces on MX Series routers.
To configure a dynamic PPPoE logical interface:
1. Configure a dynamic profile to define the attributes of the dynamic PPPoE
logical interface. To do so, include the following statements at the [edit
dynamic-profiles profile-name] hierarchy level:
dynamic-profiles {
    profile-name {
        interfaces pp0 {
            unit $junos-interface-unit {
                keepalives interval seconds;
                no-keepalives;
                pppoe-options {
                    underlying-interface "$junos-underlying-interface";
                    server;
                }
                ppp-options {
                    chap;
                    pap;
                }
                family inet {
                    unnumbered-address interface-name;
                    address address;
                    service {
                        input {
                            service-set service-set-name <service-filter filter-name>;
                        }
                        output {
                            service-set service-set-name <service-filter filter-name>;
                        }
                    }
                    filter {
                        input filter-name;
                        output filter-name;
                    }
                }
            }
        }
    }
}
You can use most of these same statements to configure statically created
PPPoE interfaces, with the following important differences. When you
configure a profile to dynamically create a PPPoE interface, you must specify
the $junos-interface-unit predefined dynamic variable instead of the actual
logical unit number for the unit statement, and the $junos-underlying-interface
predefined dynamic variable instead of the actual name of the underlying
interface for the underlying-interface statement.
2. Assign the dynamic profile to the underlying interface on which the router
creates the dynamic PPPoE interface. To do so, include the
pppoe-underlying-options statement at the [edit interfaces interface-name unit
logical-unit-number] hierarchy level, as follows:
interfaces {
    interface-name {
        unit logical-unit-number {
            encapsulation ppp-over-ethernet;
            pppoe-underlying-options {
                access-concentrator name;
                dynamic-profile profile-name;
                duplicate-protection;
                max-sessions number;
            }
        }
    }
}
The statements at the [edit interfaces interface-name unit logical-unit-number
pppoe-underlying-options] hierarchy level define the following PPPoE-specific
attributes for the underlying interface:
■
To provide an alternative access concentrator (AC) name in the AC-NAME
tag in a PPPoE control packet, include the access-concentrator statement.
■
To assign a previously configured dynamic profile to the underlying
interface, include the dynamic-profile statement. This is the only required
statement for configuring dynamic PPPoE interfaces at the [edit interfaces
interface-name unit logical-unit-number pppoe-underlying-options] hierarchy
level.
■
To prevent the activation of another dynamic PPPoE logical interface
on the same underlying interface on which a dynamic PPPoE logical
interface is already active for the same client, include the
duplicate-protection statement.
■
To configure the maximum number of dynamic PPPoE logical interfaces
(sessions) that the router can activate on the underlying interface, include
the max-sessions statement.
To display information about the dynamic PPPoE interface configuration, use
the show pppoe underlying-interfaces, show pppoe statistics, and show pppoe
interfaces operational commands. You can also use the clear pppoe statistics
command to clear packet statistics on the underlying interface.
[Subscriber Access]
■
Support for PPPoE Layer 3 wholesale configuration in a subscriber access
network—Enables you to configure PPPoE Layer 3 wholesaling within a
subscriber access network. Wholesale access is the process by which an access
network provider partitions the access network into separately manageable and
accountable subscriber segments for resale to other network providers. An access
network provider may elect to wholesale all or part of its network to one or more
service providers (retailers).
In a Juniper Networks subscriber access network, you accomplish Layer 3
partitioning through the use of logical systems (LSs) and routing instances. Logical
systems enable you to divide a physical router into separate, distinct, logical
administrative domains. This method of division enables multiple providers to
administer the router simultaneously and each have access to only the portions
of the configuration that are relevant to their specific logical system. The JUNOS
Software supports up to 15 named logical systems in addition to the default
logical system (inet.0).
Routing instances are typically used in Layer 3 VPN scenarios. A routing instance
does not have the same level of administrative separation as does a logical
system. The routing instance defines a distinct routing table, set of routing
policies, and set of interfaces, but it does not provide administrative isolation.
When configuring PPPoE Layer 3 wholesale for a subscriber access network,
keep the following in mind:
■
PPPoE Layer 3 wholesaling supports the use of only the default logical system
using multiple routing instances.
■
Each routing instance must contain a loopback with one or more addresses
to be used for the unnumbered interface. However, unlike configuring Layer
3 wholesale for DHCP, the loopback interface address does not have to be
within the same subnetwork as the client IP address.
■
The system ignores the preferred-source-address option for the
unnumbered-address statement when it is configured. To avoid confusion,
we recommend that you do not configure the preferred-source-address option
for the unnumbered-address statement when configuring an unnumbered
interface. However, the system will function appropriately, regardless of
whether or not you have configured the preferred-source-address option.
To configure PPPoE Layer 3 wholesale for a subscriber access network:
■
Include the routing-instances statement along with the $junos-routing-instance
dynamic variable at the [edit dynamic-profiles profile-name] hierarchy level.
■
Include the interface statement along with the $junos-interface-name dynamic
variable at the [edit dynamic-profiles profile-name routing-instances
“$junos-routing-instance”] hierarchy level.
■
Include the unnumbered-address statement along with the $junos-loopback-interface
dynamic variable at the [edit dynamic-profiles profile-name interfaces pp0 unit
“$junos-interface-unit” family inet] hierarchy level.
To view the logical system and routing instance for each subscriber, use the show
subscriber operational command.
[Subscriber Access, Broadband Subscriber Management]
■
PPP PAP and CHAP enhancements for subscriber management (M120 and
M320 routers)—Subscriber management supports both bidirectional and
unidirectional PPP PAP and CHAP authentication.
In subscriber management, the router's PPP interface typically authenticates the
remote client (the subscriber). Bidirectional authentication is not usually used in
a subscriber management environment, even though it is supported for static
interfaces. Also, subscriber management uses AAA to authenticate subscribers,
which removes the need to specify an access profile or a default password for
PAP or CHAP authentication.
■
For static interfaces, the router supports bidirectional authentication. If you
do not include the passive statement in the configuration, the router functions
as the authenticator for remote clients. If you include the passive statement,
the router is authenticated by the remote client. Also, when you specify the
passive statement for static interfaces, you must specify other attributes, as
described in the JUNOS Network Interfaces Guide.
■
For dynamic interfaces, the router supports unidirectional authentication
only—the router always functions as the authenticator. When you configure
PPP authentication in a dynamic profile (at the [edit dynamic-profiles] hierarchy
level), the pap and chap statements do not support any additional
configuration options, including the passive statement. PPP dynamic
interfaces are supported only on PPPoE interfaces (interface pp0) for this
release.
To configure CHAP or PAP authentication for static interfaces, use the following
stanza:
[edit interfaces interface-name unit logical-unit-number]
ppp-options {
    chap {
        access-profile name;
        default-chap-secret name;
        local-name name;
        passive;
    }
    pap {
        access-profile name;
        default-pap-password password;
        local-name name;
        local-password password;
        passive;
    }
}
To configure CHAP or PAP authentication for dynamic interfaces, use the following
stanza:
[edit dynamic-profiles profile-name interfaces pp0 unit $junos-interface-unit]
ppp-options {
    chap;
    pap;
}
[Subscriber Access, Network Interfaces]
■
Support for input and output filters on the Trio MPC/MIC interfaces on MX
Series routers—Enables you to apply input and output filters to logical interfaces
that are running over the Trio MPC/MIC interfaces on MX Series routers.
To apply input and output filters for logical interfaces, include the input
input-filter-name and output output-filter-name statements. To apply these filters
statically, include the statements at the [edit interfaces interface-name unit
logical-unit-number filter] hierarchy level. To apply these filters dynamically, include
the statements at the [edit dynamic-profiles profile-name interfaces interface-name
unit “$junos-interface-unit” filter] hierarchy level. For information about how to
create filters, see the Policy Framework Configuration Guide.
[Subscriber Access, Network Interfaces, Policy Framework]
■
PPPoE interface support for subscriber secure policy traffic mirroring on Trio
MPC/MIC interfaces on MX Series routers—Enables you to configure subscriber
secure policy traffic mirroring to provide RADIUS-initiated mirroring for
subscribers on PPPoE interfaces that are running over Trio MPC/MIC interfaces
on MX Series routers.
For information about how to configure subscriber secure policy traffic mirroring,
see the Subscriber Access Configuration Guide.
[Subscriber Access]
■
Support for PPP/PPPoE subscriber interfaces on the Trio MPC/MIC family of
products (MX Series routers)—Enables you to configure PPP/PPPoE subscriber
interfaces that are running over the Trio MPC/MIC family of products when used
on MX Series routers. To configure PPP/PPPoE subscriber interfaces, you use
the statements and procedures that are described in the JUNOS Network Interfaces
Guide.
[Subscriber Access, Network Interfaces]
■
Support for demux VLAN interface configuration on Ethernet and aggregate
Ethernet Trio MPC/MIC interfaces—Enables the static or dynamic creation of
demux VLAN interfaces with an underlying interface of aggregate Ethernet or
Gigabit/10–Gigabit Ethernet.
When configuring static VLAN demux interfaces, specify a VLAN ID for the vlan-id
statement at the [edit dynamic-profiles profile-name interfaces demux0 unit
unit-number] hierarchy level. You must also specify the underlying device name
for the underlying-interface statement at the [edit dynamic-profiles profile-name
interfaces demux0 unit unit-number demux-options] hierarchy level.
When configuring dynamic VLAN demux interfaces, specify the VLAN ID variable
($junos-vlan-id) for the vlan-id statement at the [edit dynamic-profiles profile-name
interfaces demux0 unit unit-number] hierarchy level. You must also specify the
underlying device name variable ($junos-interface-ifd-name) for the
underlying-interface statement at the [edit dynamic-profiles profile-name interfaces
demux0 unit unit-number demux-options] hierarchy level.
In addition, keep the following in mind while configuring dynamic VLANs over
IP demux interfaces:
■
Only single VLAN and stacked VLAN tag options are supported as VLAN
selectors.
■
IP demux over IP demux stacking is not supported.
■
This support is limited to Trio MPC/MIC interfaces on MX Series routers.
[Subscriber Access]
System Logging
■
New and deprecated system log families and tags—The following system log
families are new in this release:
■
ALARMD—Describes messages with the ALARMD prefix. They are generated
by the alarm process (alarmd).
■
CONNECTION—Describes messages with the CONNECTION prefix. They
are generated whenever the alarm process is unable to connect to another
process.
■
FCD—Describes messages with the FCD prefix. They are generated by the
Fibre Channel process (fcd) which connects servers to disks and tape devices
in a storage area network.
■
GPRSD—Describes messages with the GPRSD prefix. They are generated by
the general packet radio service process (gprsd) that integrates with existing
GSM networks and offers mobile subscribers with packet-switched data
services access to corporate networks and the Internet.
■
LIBJSNMP—Describes messages with the LIBJSNMP prefix. They are generated
by the libjsnmp process.
■
UTMD—Describes messages with the UTMD prefix. They are generated by
the unified threat management process (utmd), which protects the network
from all types of attack.
■
WEBFILTER—Describes messages with the WEBFILTER prefix. They are
generated by the Web filtering process (webfilter), which allows you to
manage Internet usage by preventing access to inappropriate Web content.
The following system log messages are new in this release:
■
COSD_NULL_INPUT_ARGUMENT
■
DCD_GRE_CONFIG_INVALID
■
DCD_PARSE_ERROR_MAX_HIER_LEVELS
■
DCD_PARSE_ERR_INCOMPATIBLE_CFG
■
EVENTD_ALARM_CLEAR
■
EVENTD_TEST_ALARM
■
PFE_ANALYZER_CFG_FAILED
■
PFE_ANALYZER_SHIM_CFG_FAILED
■
PFE_ANALYZER_TABLE_WRITE_FAILED
■
PFE_ANALYZER_TASK_FAILED
■
PFE_COS_B2_ONE_CLASS
■
PFE_COS_B2_UNSUPPORTED
■
RPD_RA_CFG_CREATE_ENTRY_FAILED
■
RPD_RA_CFG_INVALID_VALUE
■
RPD_RA_DYN_CFG_ALREADY_BOUND
■
RPD_RA_DYN_CFG_INVALID_STMT
■
RPD_RA_DYN_CFG_SES_ID_ADD_FAIL
■
RPD_RA_DYN_CFG_SES_ID_MISMATCH
■
RPD_RT_CFG_BR_CONFLICT
The following system log messages are no longer documented:
■
DFWD_CONFIG_FW_UNSUPPORTED
■
LLDPD_PARSE_ARGS
■
LLDPD_PARSE_BAD_SWITCH
■
LLDPD_PARSE_CMD_ARG
■
LLDPD_PARSE_CMD_EXTRA
■
LLDPD_PARSE_USAGE
■
LPDFD_DYN_SDB_OPEN_FAILED
User Interface and Configuration
■
Enhanced support for up to 64 ECMP next hops for load balancing on M10i
routers with Enhanced CFEB, M320, M120, MX Series, and T Series Core
routers—The JUNOS Software supports configurations of 16, 32, or 64 equal-cost
multipath (ECMP) next hops for RSVP and LDP LSPs on M10i routers with an
Enhanced CFEB, and M320, M120, MX Series, and T Series routers. For networks
with high-volume traffic, this provides more flexibility to load-balance the traffic
over as many as 64 LSPs.
To configure the maximum limit for ECMP next hops, include the maximum-ecmp
next-hops statement at the [edit chassis] hierarchy level:
[edit chassis]
maximum-ecmp next-hops;
You can configure a maximum ECMP next-hop limit of 16, 32, or 64 using this
statement. The default limit is 16.
The following types of routes support the ECMP maximum next-hop configuration
for as many as 64 ECMP gateways:
■
Static IPv4 and IPv6 routes with direct and indirect next-hop ECMPs
■
LDP ingress and transit routes learned through associated IGP routes
■
RSVP ECMP next hops created for LSPs
■
OSPF IPv4 and IPv6 route ECMPs
■
ISIS IPv4 and IPv6 route ECMPs
■
EBGP IPv4 and IPv6 route ECMPs
■
IBGP (resolving over IGP routes) IPv4 and IPv6 route ECMPs
The enhanced ECMP limit of up to 64 ECMP next hops is also applicable for
Layer 3 VPNs, Layer 2 VPNs, Layer 2 circuits, and VPLS services that resolve
over an MPLS route, because the available ECMP paths in the MPLS route can
also be used by such traffic.
NOTE: The following FPCs on M320, T640, and T1600 routers support only 16 ECMP next
hops:
■
(M320, T640, and T1600 routers only) Enhanced II FPC1
■
(M320, T640, and T1600 routers only) Enhanced II FPC2
■
(M320 and T640 routers only) Enhanced II FPC3
■
(T640 and T1600 routers only) FPC2
■
(T640 and T1600 routers only) FPC3
If a maximum ECMP next-hop limit of 32 or 64 is configured on an M320, T640, or
T1600 router with any of these FPCs installed, the Packet Forwarding Engines on
these FPCs use only the first 16 ECMP next hops. For Packet Forwarding Engines on
FPCs that support only 16 ECMP next hops, the JUNOS Software generates a system
log message if a maximum ECMP next-hop limit of 32 or 64 is configured. However,
for Packet Forwarding Engines on other FPCs installed on the router, a maximum
configured ECMP limit of 32 or 64 ECMP next hops is applicable.
To view the details of the ECMP next hops, issue the show route command. The
show route summary command also shows the current configuration for the
maximum ECMP limit. To view details of the ECMP LDP paths, issue the traceroute
mpls ldp command.
[System Basics, Policy Framework, Routing Protocols Command Reference]
■
Support for configuring time-based user access—The JUNOS Software enables
you to configure time-based restrictions for user access to log in to a device. This
is useful for restricting the time and duration of user logins for all users belonging
to a login class. You can specify the days of the week when users can log in, the
access start time, and the access end time.
■
To configure user access on specific days of the week, without any restrictions
on the duration of login, include the allowed-days statement only.
[edit system]
login {
    class class-name {
        allowed-days days-of-the-week;
    }
}
■
To configure user access on all the days of the week for a specific duration,
include the access-start and access-end statements only.
[edit system]
login {
    class class-name {
        access-start HHMM;
        access-end HHMM;
    }
}
■
To configure user access on specific days of the week for a specified duration,
include the allowed-days, access-start, and access-end statements.
[edit system]
login {
    class class-name {
        allowed-days days-of-the-week;
        access-start HHMM;
        access-end HHMM;
    }
}
[System Basics]
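One way to audit login classes against the three combinations described above, as an added example rather than Juniper tooling. The sample configuration, the class names, and the finding labels are constructed for illustration, and the bracketed day-list form is an assumption about how the configuration is displayed.

```python
"""Audit Junos login classes for allowed-days / access-start / access-end."""
import re

DAYS = {"monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"}
TOKEN = re.compile(r'"[^"]*"|[{}\[\];]|[^\s{}\[\];]+')

# Constructed sample in curly-brace configuration form; class names are made up.
SAMPLE_CONFIG = """
login {
    class noc-day {
        allowed-days [ monday tuesday wednesday thursday friday ];
        access-start 0800;
        access-end 1800;
    }
    class weekend-oncall {
        allowed-days [ saturday sunday ];
    }
    class contractors {
        access-start 2200;
    }
    class night-shift {
        access-start 2200;
        access-end 0600;
    }
    class legacy-ops {
        idle-timeout 15;
    }
}
"""


def parse_block(tokens, pos=0):
    """Parse statements up to the matching '}' into a dict; return (dict, next_pos)."""
    node, words = {}, []
    while pos < len(tokens):
        tok = tokens[pos]
        pos += 1
        if tok == "{":
            child, pos = parse_block(tokens, pos)
            node[" ".join(words)] = child
            words = []
        elif tok == "}":
            break
        elif tok == ";":
            if words:
                node[words[0]] = words[1:]
            words = []
        elif tok not in ("[", "]"):
            words.append(tok)
    return node, pos


def minutes(value):
    """Minutes after midnight for HHMM (HH:MM also accepted), or None if invalid."""
    match = re.fullmatch(r"([01]\d|2[0-3]):?([0-5]\d)", value.strip('"'))
    return int(match.group(1)) * 60 + int(match.group(2)) if match else None


def audit_class(body):
    """Return (mode, findings) for one login class body."""
    days = body.get("allowed-days")
    times = {key: (body[key][0] if body[key] else "")
             for key in ("access-start", "access-end") if key in body}
    if days is not None and times:
        mode = "days-and-time"
    elif days is not None:
        mode = "days-only"
    elif times:
        mode = "time-only"
    else:
        mode = "unrestricted"
    findings = []
    if mode == "unrestricted":
        findings.append("no-time-restriction")
    if days is not None and (not days or any(d not in DAYS for d in days)):
        findings.append("bad-day-list")
    if len(times) == 1:
        findings.append("unpaired-" + next(iter(times)))
    parsed = {key: minutes(value) for key, value in times.items()}
    if None in parsed.values():
        findings.append("bad-time-format")
    elif len(parsed) == 2 and parsed["access-start"] >= parsed["access-end"]:
        # The page does not say how a window that crosses midnight is treated.
        findings.append("start-not-before-end")
    return mode, findings


def audit_login_classes(config_text):
    """Map each login class name to its (mode, findings)."""
    tree, _ = parse_block(TOKEN.findall(config_text))
    login = tree.get("login", tree)
    return {key.split(None, 1)[1]: audit_class(body)
            for key, body in login.items()
            if key.startswith("class ") and isinstance(body, dict)}


if __name__ == "__main__":
    for name, (mode, findings) in audit_login_classes(SAMPLE_CONFIG).items():
        print(f"{name:<16} {mode:<14} {', '.join(findings) or 'ok'}")
```

Classes reported as start-not-before-end need a check on the device, because these release notes do not describe how a window that crosses midnight is evaluated.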
■
Dynamic IPv6 filters (MX Series routers)—Subscriber management now supports
dynamic IPv6 filters. The dynamic filter feature supports both classic and fast
update filters, and both IPv4 and IPv6.
You specify the filters in a dynamic profile, which associates the filter to an
interface. When the dynamic profile is triggered, the profile applies the filter to
an interface.
You use the filter statement at the [edit dynamic-profiles profile-name interfaces
interface-name unit logical-unit-number family (inet | inet6)] hierarchy level to
associate a dynamic profile to an interface.
[Subscriber Access, Policy Framework]
■
Support for classifiers and rewrite rules in dynamic subscriber-based CoS
(MX Series routers)—You can now associate classifiers and rewrite rules with a
subscriber interface in a dynamic profile. You must statically configure the
classifiers and rewrite rules at the static [edit class-of-service] hierarchy level.
To associate a classifier configuration with a subscriber interface in a dynamic
profile, include the classifiers statement at the [edit dynamic-profiles profile-name
class-of-service interfaces interface-name unit logical-unit-number] hierarchy level.
The supported classifier types for subscriber interfaces are dscp, dscp-ipv6,
ieee-802.1, and inet-precedence.
To associate a rewrite-rule configuration with a subscriber interface in a dynamic
profile, include the rewrite-rules statement at the [edit dynamic-profiles profile-name
class-of-service interfaces interface-name unit logical-unit-number] hierarchy level.
The supported rewrite rules for subscriber interfaces are dscp, dscp-ipv6,
ieee-802.1, and inet-precedence.
[Subscriber Access]
■
Dynamic configuration of the router advertisement protocol—In a network
deployment where router interfaces are configured statically, you might need
to configure the router advertisement protocol on only a small number of
interfaces on which it might run. However, in a subscriber access network, static
configuration of the router advertisement protocol becomes impractical because
the number of interfaces that potentially need the router advertisement protocol
increases substantially. In addition, deploying services in a dynamic environment
requires dynamic modifications to interfaces as they are created. To ensure that
dynamic interfaces are created with the ability to use the router advertisement
protocol, this release supports their configuration dynamically at the [edit
dynamic-profiles profile-name protocols] hierarchy level. The dynamic profile applies
router advertisement protocol configuration to dynamic interfaces as they are
created.
To minimally configure the router advertisement protocol, include the
router-advertisement statement at the [edit dynamic-profiles profile-name protocols]
hierarchy level, and the interface statement along with the $junos-interface-name
dynamic variable. All other statements are optional.
Optional router advertisement protocol statements include current-hop-limit,
default-lifetime, managed-configuration, max-advertisement-interval,
min-advertisement-interval, no-managed-configuration, no-other-stateful-configuration,
other-stateful-configuration, prefix, reachable-time, and retransmit-timer. All of these
statements appear at the [edit dynamic-profiles profile-name protocols
router-advertisement] hierarchy level.
NOTE: Statements used for router advertisement protocol configuration at the [edit
dynamic-profiles profile-name protocols] hierarchy level are identical in function to the
same statements used for static router advertisement protocol configuration, with
the exception of the interface and prefix statements which use dynamic variables.
[Subscriber Access]
Related Topics
■
Changes in Default Behavior and Syntax in JUNOS Release 10.1 for M Series,
MX Series, and T Series Routers
■
Issues in JUNOS Release 10.1 for M Series, MX Series, and T Series Routers
■
Errata and Changes in Documentation for JUNOS Software Release 10.1 for M
Series, MX Series, and T Series Routers
■
Upgrade and Downgrade Instructions for JUNOS Release 10.1 for M Series, MX
Series, and T Series Routers
Changes in Default Behavior and Syntax in JUNOS Release 10.1 for M Series, MX Series,
and T Series Routers
Class of Service
■
Forwarding class to queue number maps not supported on Multiservices link
services intelligent queuing (LSQ) interfaces—If you configure a forwarding
class map associating a forwarding class with a queue number, these maps are
not supported on Multiservices link services intelligent queuing (lsq-) interfaces.
[Class of Service]
Forwarding and Sampling
■
Enhancement to the show firewall command—The show firewall command now
supports a terse option that enables you to display only the names of firewall
filters. This option displays no other information about the firewall filters
configured on your system. Use the show firewall terse command to verify that
all the correct filters are installed.
[Routing Protocols and Policies Command Reference]
Interfaces and Chassis
■
Disabling MAC address learning of neighbors through ARP or neighbor
discovery for IPv4 and IPv6 traffic for logical interfaces—The JUNOS Software
provides the no-neighbor-learn configuration statement at the [edit interfaces
interface-name unit interface-unit-number family inet] and [edit interfaces
interface-name unit interface-unit-number family inet6] hierarchy levels.
To disable ARP address learning for IPv4 traffic for a logical interface, include
the no-neighbor-learn statement at the [edit interfaces interface-name unit
interface-unit-number family inet] hierarchy level:
[edit interfaces interface-name unit interface-unit-number family inet]
no-neighbor-learn;
To disable neighbor discovery for IPv6 traffic for a logical interface, include the
no-neighbor-learn statement at the [edit interfaces interface-name unit
logical-unit-number family inet6] hierarchy level:
[edit interfaces interface-name unit interface-unit-number family inet6]
no-neighbor-learn;
[System Basics]
■
Enhancement to show oam ethernet link-fault-management detail command—The
output of the show oam ethernet link-fault-management detail command now
includes the following two new fields: OAM total symbol error event information
and OAM total frame error event information. These fields display the total number
of errored symbols and errored frames, respectively, and are updated at every
interval regardless of whether the threshold for sending event TLVs has been
crossed. Previously, the show oam ethernet link-fault-management detail command
displayed only the number of errored symbols reported in TLV events transmitted
since the OAM layer was reset and the number of errored frames detected since
the OAM layer was reset.
[Interfaces Command Reference]
■
Enhancement to show oam ethernet connectivity-fault-management
commands—The output of the show oam ethernet connectivity-fault-management
mep-statistics, show oam ethernet connectivity-fault-management interfaces, and
show oam ethernet connectivity-fault-management mep-database commands
includes the following three new fields: Out of sync 1DMs received, which displays
the number of out of sync one-way delay measurement packets received; Valid
DMMs received, which displays the number of valid two-way delay measurement
request packets received; and Invalid DMMs received, which displays the number
of invalid two-way delay measurement request packets received.
[Interfaces Command Reference]
■
Logical and physical Ethernet interface bandwidth—If you configure a
bandwidth on a logical Ethernet interface greater than the bandwidth configured
for the corresponding physical Ethernet interface, the commit fails. The bandwidth
of the logical interface should always be less than the bandwidth of the physical
interface. If you do not configure a bandwidth for the logical interface, it is
automatically set to the bandwidth configured for the physical interface.
[Network Interfaces]
■
Support for line-rate mode on 10-port 10-Gigabit Oversubscribed Ethernet
(OSE) PIC (T640, T1600, TX Matrix Plus routers)—Enables you to configure
the T640, T1600, and TX Matrix Plus routers to operate the 10-port 10-Gigabit
OSE PIC in line-rate mode, in which the OSE PIC disables oversubscription.
By default, the 10-port 10-Gigabit OSE PIC operates in 2:1 oversubscription
mode.
[System Basics]
■
New CoS information field added to the show interfaces extensive command
output—The output of the show interfaces extensive command now displays the
class-of-service queue allocation information of the physical interfaces (intelligent
queueing PICs such as IQ2 and so on) under the new class-of-service information
category. In previous releases, the class-of-service queue allocation
information for physical interfaces was listed within the Packet Forwarding Engine
configuration category:
host@user# show interfaces extensive ge-7/1/3
Packet Forwarding Engine configuration:
  Destination slot: 7
CoS information:
  Direction : Output
  CoS transmit queue          Bandwidth            Buffer      Priority   Limit
                            %          bps       %       usec
  0 best-effort            95    950000000      95          0       low    none
  3 network-control         5     50000000       5          0       low    none
  Direction : Input
  CoS transmit queue          Bandwidth            Buffer      Priority   Limit
                            %          bps       %       usec
  0 best-effort            95    950000000      95          0       low    none
  3 network-control         5     50000000       5          0       low    none
[Interfaces Command Reference]
■
Restriction on compatibility-mode adtran and verilink—On 2-port and 4-port
channelized DS3 (T3) IQ interfaces, you cannot configure compatibility-mode
adtran or verilink at the [edit interfaces interface-name t3-options] hierarchy level.
If configured, the default mode is applied on both the interfaces, that is, no
subrating.
[Network Interfaces]
■
Support for internal clocking mode on OSE PICs—The 10-port 10-Gigabit
Oversubscribed Ethernet (OSE) PIC supports only internal clocking mode on its
ports.
[Network Interfaces]
■
Commit-time warning messages at the [edit interfaces] hierarchy level are
now system logged—CLI commit-time warnings displayed for configuration at
the [edit interfaces] hierarchy level have been removed and are now logged as
system log messages. This change is applicable to JUNOS Release 10.1R1 and
later, 10.0R2, and 9.3R4.
[CLI User Guide]
■
Invalid count of queues—The PD-5-10XGE-SFPP PICs in T Series routers do not
display ingress control queue statistics as output from the show interfaces queue
xe-fpc/pic/port forwarding-class command. However, you can use the following
commands to display the ingress control queue statistics:
■
show interfaces queue both-ingress-egress xe-fpc/pic/port
■
show interfaces queue xe-fpc/pic/port
■
show interfaces queue xe-fpc/pic/port ingress
[Network Interfaces]
■
Support for configuration of a range of interfaces through the interface-range
statement—Enables you to group a range of identical interfaces and apply a
common configuration for the interfaces using a reduced number of configuration
statements. To configure an interface-range group, include the interface-range
statement and substatements at the [edit interfaces] hierarchy level. To view an
interface range group in expanded configuration, use the show | display inheritance
command.
[Network Interfaces, Interfaces Command Reference]
■
Enhancement to the show chassis fabric fpcs command—In JUNOS Release
10.1 and later, the show chassis fabric fpcs command issued on a T640 or T1600
router displays destination errors in addition to link errors. The command output
displays a list of Packet Forwarding Engines that have destination errors, for
those SIBs that are in the Check state. This enhancement is also applicable to
JUNOS Release 9.6 and 10.0. The following sample shows the enhanced output
for this command:
user@host> show chassis fabric fpcs
Fabric management FPC state:
FPC #3
  PFE #1
    SIB #2
      Plane enabled
    SIB #3
      Link error
      Destination error on PFEs  0  1  2  3  4  5  6  7  8  9 10 11 12 13
                                14 15 16 17 18 19 20 21
    SIB #4
      Destination error on PFEs  0  1  2  3  4  5  6  7  8  9 10 11 12 13
                                14 15 16 17 18 19 20 21
[System Basics Command Reference]
■
Modification to the show interfaces extensive command output—For IQ2E
interfaces, the show interfaces extensive command output no longer displays
the schedulers field, because schedulers are not statically partitioned
among different ports in IQ2E.
[Interfaces Command Reference]
■
Enhancement to the show chassis sibs command—The show chassis sibs
command now displays destination errors for SIBs in the Check state. In JUNOS
Release 10.1 and later and JUNOS Release 9.6 and 10.0, the command displays
the number of destination errors for SIBs in the Check state:
user@host> show chassis sibs
Slot  State                            Uptime
 0    Empty
 1    Empty
 2    Check (21 destination errors)    1 day, 1 hour, 32 minutes, 55 seconds
 3    Check (0 destination errors)     1 day, 1 hour, 32 minutes, 45 seconds
 4    Empty
use "show chassis fabric fpcs" to determine which PFEs have destination errors
However, for JUNOS Release 9.3 and 9.5, the command only displays the message
destination errors or no destination errors for a SIB that is in the Check state, but
does not display the number of destination errors:
user@host> show chassis sibs
Slot  State                            Uptime
 0    Empty
 1    Empty
 2    Check (destination errors)       1 day, 1 hour, 32 minutes, 55 seconds
 3    Check (no destination errors)    1 day, 1 hour, 32 minutes, 45 seconds
 4    Empty
use "show chassis fabric fpcs" for more details
In addition, the command also displays a message to use the show chassis fabric
fpcs command for more information about the destination errors.
If there are no SIBs in the Check state, there is no change in the output of this
command.
[System Basics Command Reference]
Layer 2 Ethernet Services
■
Modification to the output of the show dhcp (relay or server) binding
commands—The output of the show dhcp server binding summary command,
the show dhcp relay binding summary command, and the show dhcpv6 server
binding command has been modified to include the number of clients in the init
state and the requesting state.
[Subscriber Access]
MPLS Applications
■
MPLS statistics file now optional—The file statement configured at the [edit
protocols mpls statistics] hierarchy level is now optional. You still must configure
the MPLS statistics statement to collect LSP statistics for the MPLS MIBs. Rather
than accessing the LSP statistics in the MPLS statistics file, you can view the
statistics using SNMP instead. This change helps to reduce disk space usage on
the routing engine, especially on routers on which numerous LSPs have been
configured.
[MPLS]
■
NSR tracing flags for MPLS—You can now configure MPLS tracing flags for
nonstop active routing (NSR) synchronization events. This enables you to track
the progress of NSR synchronization between Routing Engines and record these
operations to a log file. To configure, include the flag nsr-synchronization or flag
nsr-synchronization-detail statement at the [edit protocols mpls traceoptions]
hierarchy level. The two statements are not mutually exclusive; you can track
the events at a high level and in detail.
[High Availability, MPLS, Routing Protocols]
Multiplay
■
Border gateway function (BGF) improved efficiency and scalability through
use of service interface pools—You can now use service interface pools to
improve the maintainability and scalability of your service set configurations.
When your service sets handle VPN traffic, you must specify a service interface
pool for the next-hop-service for the service sets. The interfaces that are
members of the pool can serve as either inside or outside interfaces.
You should also specify service interface pools as the next-hop service for service
sets that do not currently handle VPN traffic. You gain the immediate benefit of
more efficient resource utilization and you can add VPNs to the service set in
the future without reconfiguring your service sets.
[Multiplay Solutions]
Platform and Infrastructure
■
Enhancement to show interfaces command—The show interfaces command
includes a new field, INET6 Address flags, that displays a flag for any IPv6 address
that is in a state other than “permanent” or “ready-to-use.”
[Interfaces Command Reference]
Routing Policy and Firewall Filters
■
The ipsec-sa sa-name firewall filter action is no longer supported on the MX Series
routers. To configure one or more actions for a firewall filter, include the actions
statement at the [edit firewall family family-name filter filter-name term term-name
then] hierarchy level.
[Policy]
■
Enhanced match-conditions support for VPLS and bridge firewall filters (MX
Series routers and routers with Enhanced IQ2 [IQ2E] PICs only)—The protocol
families vpls and bridge now support the interface-set match condition for firewall
filters. To configure, include the interface-set interface-set-name statement at the
[edit firewall family bridge filter filter-name term term-name from] or the [edit firewall
family vpls filter filter-name term term-name from] hierarchy level. The protocol
family bridge is supported only on MX Series routers.
An interface set is a set of logical interfaces used to configure hierarchical
class-of-service schedulers. Previously only the following protocol families
supported the interface-set match condition: ipv4, ipv6, any, and mpls.
[Policy]
Routing Protocols
■
OSPF sham link—An OSPF sham link is now installed in the routing table as a
hidden route. Previously, an OSPF sham link was not installed in the routing
table. In addition, a BGP route is no longer exported to OSPF if a corresponding
OSPF sham link is available. To configure a sham link, include the sham-link local
ip-address statement at the [edit routing-instances routing-instance-name protocols
ospf] hierarchy level.
[Routing Protocols]
■
Removal of BGP warning message—If a BGP group is created without any
defined peers, the warning message no longer appears when the configuration
is committed.
[Routing Protocols]
■
Increase in limit to external paths accepted for BGP route target filtering—You
can now configure BGP to accept up to 256 external paths for route target
filtering. Previously, the maximum number that you could configure was 16.
The default value remains one (1). To specify the maximum number of external
paths for BGP to accept for route target filtering, include the external-paths number
statement at the [edit protocols bgp family route-target] hierarchy level. This
statement is also supported for BGP groups and neighbors.
[Routing Protocols]
■
Support for having the algorithm that determines the single best path evaluate
AS numbers in AS paths for VPN routes—By default, the third step of the
algorithm that determines the active route evaluates the length of the AS path
but not the contents of the AS path. In some VPN scenarios with BGP multiple
path routes, it can also be useful to compare the AS numbers of the AS paths
and to have the algorithm select the route whose AS numbers match. Include
the as-path-compare statement at the [edit routing-instances routing-instance-name
routing-options multipath] hierarchy level.
[Routing Protocols]
Services Applications
■
Option to view APPID counters—Use the option under show services
application-identification counter to view the APPID counters for the specified
interface.
[System Basics and Services Command Reference]
■
Session offloading on Multiservices PICs—To enable session offloading on a
per-PIC basis for Multiservices PICs, include the session-offload statement at the
[edit chassis fpc] hierarchy level.
[System Basics]
■
Option to clear the “do not fragment” bit—To clear the “do not fragment” bit
for IPsec with dynamic endpoints, include the clear-dont-fragment-bit statement
at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level.
[Services Interfaces]
■
Option to clear tunnel MTU—To clear the tunnel MTU, include the tunnel-mtu
statement at the [edit services ipsec-vpn rule rule-name term term-name then]
hierarchy level.
[Services Interfaces]
■
New configuration to avoid IDP traffic loss (M120, M320, and MX Series
routers)—When the Multiservices PIC or DPC configured for a service set is either
administratively taken offline or undergoes a failure, all the traffic entering the
configured interface with an IDP service set would be dropped without
notification. To avoid this traffic loss, include the bypass-traffic-on-pic-failure
statement at the [edit services service-set service-set-name service-set-options]
hierarchy level and (for TCP traffic only) the ignore-errors tcp statement at the
[edit interfaces interface-name services-options] hierarchy level. When you configure
these statements, the affected packets are forwarded in the event of a
Multiservices PIC or DPC failure or going offline, as though interface-style services
were not configured. This issue applies only to M120, M320, and MX Series
routers.
[Services Interfaces]
■
M120 router performance with IDP—For M120 routers, the performance number
is 4500 connections per second when IDP is enabled.
[Services Interfaces]
■
Enhancement to the output of the show services accounting commands—The
output for the show services accounting usage, show services accounting status,
show services accounting memory, and show services accounting errors operational
mode commands has been updated to include new fields for use in querying
service PICs.
[System Basics and Services Command Reference]
■
Default idle timeout value for UDP- and TCP-based applications—Upon
identification by AppID, the default idle timeout value is set to 30 seconds for
UDP-based applications and 1 hour for TCP-based applications. These settings
can be overridden by including the idle timeout statement at the [edit services
application-identification application application] hierarchy level.
[Services Interfaces]
■
New statement to bypass traffic on exceeding flow limit—If the flows in the
service set exceed the maximum limit set by the max-flow statement, the
bypass-traffic-on-exceeding-flow-limits statement allows the packets to bypass
without creating a new session. Following are the required privilege levels:
■
interface—To view the statement in the configuration
■
interface-control—To add the statement to the configuration
[Services Interfaces]
■
Diffie-Hellman group5 added to group1 and group2—The group5 designation
specifies that IKE should use the 1536-bit Diffie-Hellman prime modulus group
when performing the new Diffie-Hellman exchange. To configure the
Diffie-Hellman group for an IKE proposal, include the dh-group statement at the
[edit services ipsec-vpn ike proposal proposal-name] hierarchy level:
[edit services ipsec-vpn ike proposal proposal-name]
dh-group (group1 | group2 | group5);
[Services Interfaces]
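A configuration audit for the dh-group statement above and for the bypass-traffic-on-pic-failure statement described earlier in this section, as an added example that is not part of the release notes or Juniper tooling: it parses curly-brace JUNOS configuration text, reports the dh-group of each IKE proposal, and lists the service sets whose traffic is forwarded without service processing when the PIC fails. The sample configuration and its names are constructed, and the group1 and group2 modulus sizes (768 and 1024 bits, from RFC 2409) are not stated on this page.

```python
import re

# group5's 1536-bit modulus is stated in the release notes; the group1 and
# group2 sizes come from RFC 2409 and are added here for comparison.
DH_MODULUS_BITS = {"group1": 768, "group2": 1024, "group5": 1536}
TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};]+')
IKE_PROPOSAL = ("services", "ipsec-vpn", "ike", "proposal")

# Constructed sample configuration; all names are hypothetical.
SAMPLE_CONFIG = """
/* constructed sample, not taken from a real device */
services {
    ipsec-vpn {
        ike {
            proposal legacy-peer {
                authentication-method pre-shared-keys;
                dh-group group2;
            }
            proposal branch {
                dh-group group5;
            }
            proposal unset-example {
                authentication-method pre-shared-keys;
            }
        }
    }
    service-set idp-ss1 {
        service-set-options {
            bypass-traffic-on-pic-failure;
        }
    }
    service-set other-ss2 {
        interface-service {
            service-interface sp-1/0/0;
        }
    }
}
"""


def flatten(text):
    """Return one word tuple (full hierarchy path) per block and leaf statement."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)   # annotations
    text = re.sub(r"^\s*#.*$", " ", text, flags=re.M)    # '#' comment lines
    stack, words, paths = [], [], []
    for tok in TOKEN.findall(text):
        if tok == "{":                       # block opens: remember its path
            stack.append(tuple(words))
            paths.append(sum(stack, ()))
            words = []
        elif tok == ";":                     # leaf statement ends
            if words:
                paths.append(sum(stack, ()) + tuple(words))
            words = []
        elif tok == "}":
            if not stack or words:
                raise ValueError("malformed configuration: unexpected '}'")
            stack.pop()
        else:
            words.append(tok)
    if stack or words:
        raise ValueError("malformed configuration: unterminated block")
    return paths


def ike_dh_groups(paths):
    """Map each IKE proposal name to its dh-group (None when not configured)."""
    groups = {}
    for p in paths:
        if p[:4] == IKE_PROPOSAL and len(p) >= 5:
            groups.setdefault(p[4], None)
            if len(p) == 7 and p[5] == "dh-group":
                groups[p[4]] = p[6]
    return groups


def proposals_below_group5(paths):
    """List proposals whose dh-group has a smaller modulus than group5."""
    floor = DH_MODULUS_BITS["group5"]
    return sorted(name for name, group in ike_dh_groups(paths).items()
                  if DH_MODULUS_BITS.get(group, floor) < floor)


def service_sets_forwarding_on_pic_failure(paths):
    """List service sets that configure bypass-traffic-on-pic-failure."""
    tail = ("service-set-options", "bypass-traffic-on-pic-failure")
    return sorted({p[2] for p in paths
                   if len(p) == 5 and p[:2] == ("services", "service-set")
                   and p[3:] == tail})


if __name__ == "__main__":
    paths = flatten(SAMPLE_CONFIG)
    for name, group in sorted(ike_dh_groups(paths).items()):
        print(f"ike proposal {name}: dh-group={group} "
              f"modulus_bits={DH_MODULUS_BITS.get(group)}")
    print("below group5:", proposals_below_group5(paths))
    print("forward on PIC failure:", service_sets_forwarding_on_pic_failure(paths))
```

A proposal with no dh-group statement maps to None; the release notes do not say which group applies in that case, so the script reports it rather than guessing.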
■
Permanent limitation for session-timeout on APPID—If session-timeout is
configured for an APPID application, a session for that application will be cleared
once the session-timeout expires. Once the same session is re-created as a new
session, it will not be identified by APPID.
[Services Interfaces]
■
Integrated Multi-Services Gateway (IMSG)—The clear services
border-signaling-gateway gateway-name statistics command no longer clears the
active calls counter.
[System Basics and Services Command Reference]
■
New configuration statements for assigning policies—The following
configuration statements at the [edit services border-signaling-gateway gateway-name
service-point service-point-name service-policies] hierarchy level have been
deprecated and replaced by new statements:
■
new-call-usage-policies [policy-and-policy-set-names]
■
new-transaction-policies [policy-and-policy-set-names]
Each statement applied policies to calls or transactions entering at the service
point. Each is replaced by statements that explicitly apply policies to transactions
or policies entering the service point or exiting from the service point. The new
statements are:
■
new-call-usage-input-policies [policy-and-policy-set-names]
■
new-call-usage-output-policies [policy-and-policy-set-names]
■
new-transaction-input-policies [policy-and-policy-set-names]
■
new-transaction-output-policies [policy-and-policy-set-names]
[Services Interfaces, System Basics and Services Command Reference]
■
Requirement for client-to-server and server-to-client signatures—For certain
applications that have signatures for both client-to-server and server-to-client
directions, APPID (DAA) needs to see the data packets in both directions on the
same session to finish the identification process. For example, for SIP proxy
calls, the server may not send the response on the same session (different
destination port) and that session will not be identified as application junos:sip.
[Services Interfaces]
■
Integrated Multi-Services Gateway (IMSG) maximum number of policies and
policy-related entities per Border Signaling Gateway (BSG)—The following
table shows the maximum number of policies and related entities.
Entity                                                                    Maximum
Policies (total of new call usage and new transaction policies) per BSG   750
New call usage policies per BSG                                           500
New transaction policies per BSG                                          500
Policies per service point                                                10
Service points per BSG                                                    100
Terms per policy                                                          20
Terms per BSG                                                             10,000
Total of AND and OR operators in a policy term                            4
[Session Border Control Solutions]
Subscriber Access Management
■
Enabling and disabling DHCP snooping support—You can now explicitly enable
or disable DHCP snooping support on the router. If you disable DHCP snooping
support, the router drops snooped DHCP discover and request messages.
To enable DHCP snooping support, include the allow-snooped-clients statement
at the [edit forwarding-options dhcp-relay overrides] hierarchy level. To disable
DHCP snooping support, include the no-allow-snooped-clients statement at the
[edit forwarding-options dhcp-relay overrides] hierarchy level. Both statements are
also supported at the named group level and per-interface level.
In JUNOS Release 10.0 and earlier, DHCP snooping is enabled by default. In
release 10.1 and later, DHCP snooping is disabled by default.
[Subscriber Access]
■
RADIUS interim accounting—When subscriber management receives the
RADIUS Acct-Interim-Interval attribute (attribute 85), RADIUS interim accounting
is performed based on the value in the attribute. The router uses the following
guidelines:
■
Attribute value is within the acceptable range (10 to 1440
minutes)—Accounting is updated at the specified interval.
■
Attribute value of 0—No RADIUS accounting is performed.
■
Attribute value is less than the minimum acceptable value (10
minutes)—Accounting is updated at the minimum interval.
■
Attribute value is greater than the maximum acceptable value (1440
minutes)—Accounting is updated at the maximum interval.
In previous releases, a RADIUS attribute set to zero (0) prevented subscribers
from connecting.
[Subscriber Access]
User Interface and Configuration
■
Restriction on the usage of the annotate command in the configuration
hierarchy—The JUNOS Software supports annotation of the configuration using
the annotate command up to the last level in the configuration hierarchy.
However, annotation of the configuration options or statements within the last
level in the hierarchy is not supported. For example, in the following sample
configuration hierarchy, annotation is supported up to the level 1 parent hierarchy,
but is not supported for the metric child statement:
[edit protocols]
isis {
    interface ge-0/0/0.0 {
        level 1 metric 10;
    }
}
[CLI User Guide]
■
Support for accounting is restricted to events and operations on a master
Routing Engine—Starting with JUNOS Release 9.3, accounting for backup Routing
Engine events or operations is not supported on accounting servers such as
TACACS+ or RADIUS. Accounting is only supported for events or operations on
a master Routing Engine.
[CLI User Guide]
■
Options added to the show arp command—The vpn and logical-system options
have been added to the show arp command.
[System Basics Command Reference]
■
Change in range of the saved-core-files configuration statement—The range
of the saved-core-files configuration statement at the [edit system] hierarchy level
has been revised from 1 through 64, to 1 through 10.
[System Basics]
VPNs
■
SCU support for VRF routing instances with vrf-table-label configured—You
can now configure source class usage (SCU) to count packets on Layer 3 VPNs
configured with the vrf-table-label statement. Include the source-class-usage
statement at the [edit routing-instances routing-instance-name vrf-table-label]
hierarchy level. The source-class-usage statement at this hierarchy level is
supported only for the virtual routing and forwarding (VRF) instance type. Previously,
you could not enable SCU when the vrf-table-label statement was configured.
Destination class usage (DCU) is not supported when the vrf-table-label is
configured.
[VPNs, Network Interfaces]
■
Mirroring IRB packets as Layer 2 packets (MX Series router)—If you associate
an IRB with the bridge domain (or VPLS routing instance), and also configure
within the bridge domain (or VPLS routing instance) a forwarding table filter with
the port-mirror or port-mirror-instance action, then the IRB packet is mirrored as
a Layer 2 packet. You can disable this behavior by configuring the
no-irb-layer-2-copy statement in the bridge domain (or VPLS routing instance).
[MX Series Layer 2 Configuration]
■
Layer 2 circuits, call admission control (CAC), and bypass LSPs—You can now
configure CAC on Layer 2 circuit-based LSPs with bandwidth constraints and
also enable link and node protection. However, if the primary LSP fails, CAC
might not be applied to the bypass LSP, meaning that the bypass LSP might not
meet the bandwidth constraint for the Layer 2 circuit. To minimize the risk of
losing traffic, the Layer 2 circuit continues to use the non-CAC bypass LSP while
an attempt is made to establish a new Layer 2 circuit route over an LSP that does
support CAC. Previously, the Layer 2 circuit route was deleted if the bypass LSP
did not have sufficient bandwidth.
[VPNs]
■
Service VLANs and the use of vlan-id all statement in a VPLS routing
instance—If you configure the vlan-id all statement in a VPLS routing instance,
we recommend using the input-vlan-map pop and output-vlan-map push statements
on the logical interface to pop the service VLAN ID on input and push the service
VLAN ID on output and in this way limit the impact of doubly-tagged frames on
scaling.
[MX Series Layer 2 Configuration]
■
Layer 2.5 VPNs support ISO family and MPLS family over TCC (MX Series
routers)—JUNOS Release 8.3 introduced support for M320 and T Series routers.
JUNOS Release 10.1 extends support to MX Series routers.
Interfaces supporting TCC (Ethernet, extended VLANs, PPP, HDLC, ATM, and
Frame Relay) support ISO traffic and MPLS traffic on Layer 2.5 VPNs. Previously,
Layer 2.5 VPNs configured on MX Series routers supported only inet traffic. For
a protocol to be supported on a Layer 2.5 VPN, you must configure both ends
of the VPN with the protocol configuration. IPv6 is not supported.
To enable ISO or MPLS traffic over TCC, include the mpls or iso statement at the
[edit interfaces interface-name unit logical-unit-number family tcc protocol] hierarchy
level. To display which protocol is supported for an interface, issue the show
interfaces interface-name extensive operational mode command. The protocol is
displayed in the Flags field.
To enable ISO over TCC in cases in which the Ethernet interface is on a
customer-edge (CE) router, include the point-to-point statement at the [edit
protocols isis interface interface-name] hierarchy level on the CE router. When
you include this statement, the IS-IS protocol treats the Ethernet interface as
point to point, even though the actual interface is a LAN interface.
The M Series routing platforms continue to support only inet traffic for Layer 2.5
VPNs.
[Network Interfaces, Translational Cross-Connect and Layer 2.5 VPNs Feature Guide,
VPNs]
■
New configuration statement for removing dynamically learned MAC
addresses from the MAC address database—Media access control (MAC) flush
processing removes MAC addresses from the MAC address database that have
been learned dynamically. With the dynamically learned MAC addresses removed,
MAC address convergence requires less time to complete.
In this release, you enable MAC flush processing for the virtual private LAN
service (VPLS) routing instance or for the mesh group under a VPLS routing
instance by using the mac-flush statement instead of the mac-tlv-receive and
mac-tlv-send statements.
mac-flush [ explicit-mac-flush-message-options ];
To clear dynamically learned MAC addresses globally across all devices
participating in the routing instance, you can include the statement at the
following hierarchy levels:
■
[edit logical-systems logical-system-name routing-instances routing-instance-name
protocols vpls]
■
[edit routing-instances routing-instance-name protocols vpls]
To clear the MAC addresses on the routers in a specific mesh group, you can
include the statement at the following hierarchy levels:
■
[edit logical-systems logical-system-name routing-instances routing-instance-name
protocols vpls mesh-group mesh-group-name]
■
[edit routing-instances routing-instance-name protocols vpls
mesh-group mesh-group-name]
NOTE: The mac-tlv-receive and mac-tlv-send statements were removed from
Release 10.0 of the JUNOS Software and are no longer visible in the [edit
logical-systems logical-system-name routing-instances routing-instance-name protocols vpls]
and [edit routing-instances routing-instance-name protocols vpls] hierarchy levels.
Although the mac-tlv-receive and mac-tlv-send statements are recognized in the current
release, they will be removed in a future release. We recommend that you update
your configurations and use the mac-flush statement.
To also configure the router to send explicit MAC flush messages, you can include
explicit-mac-flush-message-options with the statement:
■
any-interface—(Optional) Send a MAC flush message when any
customer-facing attachment circuit interface goes down.
■
any-spoke—(Optional) Send a MAC FLUSH-FROM-ME flush message to all
provider edge (PE) routers in the core when one of the spoke pseudowires
between the multitenant unit switch and the other network-facing provider
edge (NPE) router goes down, causing the multitenant unit switch to switch
to this NPE router.
NOTE: This option has a similar effect in a VPLS multihoming environment with
multiple multitenant unit switches connected to NPE routers, where both multitenant
unit switches have pseudowires that terminate in a mesh group with local-switching
configured. If the any-spoke option is enabled, then both PE routers send MAC
FLUSH-FROM-ME flush messages to all PEs in the core.
■
propagate—(Optional) Propagate MAC flush to the core.
[VPNs]
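The following is an added example, not part of the release notes or of Juniper's tooling: a small audit that finds the deprecated mac-tlv-receive and mac-tlv-send statements in a configuration shown in set form and proposes the matching mac-flush change at the same hierarchy level. The instance names, the sample configuration, and the assumption that the deprecated statements can also appear under a mesh group are constructed for illustration.

```python
import re

# Constructed sample in "set" form; instance and mesh-group names are made up.
SAMPLE_CONFIG = """\
set routing-instances vpls-red instance-type vpls
set routing-instances vpls-red protocols vpls mac-tlv-receive
set routing-instances vpls-red protocols vpls mac-tlv-send
set routing-instances vpls-blue protocols vpls mac-flush any-interface
set routing-instances vpls-blue protocols vpls mac-tlv-send
set logical-systems ls1 routing-instances vpls-green protocols vpls mesh-group spokes mac-tlv-send
"""

# Hierarchy levels named in the release note: [edit routing-instances ... protocols vpls],
# optionally inside a logical system, optionally followed by mesh-group <name>.
LINE_RE = re.compile(
    r"^set\s+(?P<path>(?:logical-systems\s+\S+\s+)?routing-instances\s+\S+"
    r"\s+protocols\s+vpls(?:\s+mesh-group\s+\S+)?)\s+"
    r"(?P<stmt>mac-tlv-receive|mac-tlv-send|mac-flush)\b"
)


def audit(config_text):
    """Return {hierarchy path: {"deprecated": [...], "has_mac_flush": bool}}
    for every VPLS hierarchy level that still carries a deprecated statement."""
    found = {}
    for raw in config_text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue
        path = " ".join(match.group("path").split())  # normalise whitespace
        entry = found.setdefault(path, {"deprecated": [], "has_mac_flush": False})
        stmt = match.group("stmt")
        if stmt == "mac-flush":
            entry["has_mac_flush"] = True
        elif stmt not in entry["deprecated"]:
            entry["deprecated"].append(stmt)
    return {path: entry for path, entry in found.items() if entry["deprecated"]}


def migration_commands(config_text):
    """Build the delete/set commands that swap the deprecated statements for
    mac-flush. mac-flush is added only where it is not already configured, and
    without options, because the release note does not map old options to new."""
    commands = []
    for path, entry in audit(config_text).items():
        for stmt in entry["deprecated"]:
            commands.append(f"delete {path} {stmt}")
        if not entry["has_mac_flush"]:
            commands.append(f"set {path} mac-flush")
    return commands


if __name__ == "__main__":
    for command in migration_commands(SAMPLE_CONFIG):
        print(command)
```

Review the proposed commands before loading them; whether any-interface, any-spoke, or propagate should be added depends on the topology.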
Related Topics
■
New Features in JUNOS Release 10.1 for M Series, MX Series, and T Series Routers
■
Issues in JUNOS Release 10.1 for M Series, MX Series, and T Series Routers
■
Errata and Changes in Documentation for JUNOS Software Release 10.1 for M
Series, MX Series, and T Series Routers
■
Upgrade and Downgrade Instructions for JUNOS Release 10.1 for M Series, MX
Series, and T Series Routers
Issues in JUNOS Release 10.1 for M Series, MX Series, and T Series Routers
The current software release is Release 10.1R4. For information about obtaining the
software packages, see “Upgrade and Downgrade Instructions for JUNOS Release
10.1 for M Series, MX Series, and T Series Routers.”
■
Current Software Release
■
Previous Releases
Current Software Release
Outstanding Issues in JUNOS Release 10.1 for M Series, MX Series, and T Series
Routers
Class of Service
■
On MX Series routers with Enhanced DPCs, bandwidth sharing between two
schedulers, one with high and the other with strict-high priority, might not be
as expected when the schedulers are oversubscribed. That is, only one queue
can use all of the excess bandwidth. This issue occurs when the schedulers are
configured on logical interfaces. [PR/265603]
■
Under certain conditions, the class-of-service configuration might not take effect
on an Intelligent Queuing 2 (IQ2) PIC. [PR/541814]
Forwarding and Sampling
■
A high CPU utilization by the DFWD process might occur if the interface lo0 is
configured as part of interface group 0. [PR/497242]
■
Numerical values configured for the ip-options match criteria in a firewall
filter match any ip-options, no matter what is specified. [PR/516778]
General Routing
■
BGP processes changes in a committed import policy using a background job.
If BGP is already in the process of updating its routes from a change in the
import policy, and the import policy is subsequently changed in another commit,
the second commit's policy might not complete correctly. As a workaround,
ensure that there are no outstanding BGP reconfiguration jobs in progress prior
to committing a new import policy. This can be verified using the show task jobs
command and searching for BGP Reconfig. [PR/550902]
■
The routing protocol process crashes and does not start if the policy condition
is enabled for IPv6. As a workaround, remove the policy condition for IPv6 from
the configuration and restart the routing protocol process. [PR/553158]
High Availability
■
The SSH keys are not in sync between the master and backup Routing Engine
when SSH is enabled after a graceful Routing Engine switchover (GRES).
[PR/455062]
■
When an ISSU upgrade is performed to or from JUNOS Releases 9.6R3 or 10.0R2,
the logical interface and logical interface sets that have traffic control profiles
configured on them will be affected. [PR/491834]
Interfaces and Chassis
■
For Automatic Protection Switching (APS) on SONET/SDH interfaces, there are
no operational mode commands that display the presence of APS mode
mismatches. An APS mode mismatch occurs when one side is configured to use
bidirectional mode, and the other side is configured to use unidirectional mode.
[PR/65800]
■
The output of the show interfaces diagnostics optics command includes the "Laser
rx power low alarm" field even if the transceiver is a type (such as 1x10-Gigabit
Ethernet) that does not support this alarm. [PR/103444]
■
When the Rx power level is a negative value, the SFP diagnostics output displays
an invalid receiver power level reading. [PR/235771]
■
When an ATM II interface is configured as a Layer 2 circuit with cell transport
mode on a router running JUNOS Release 8.2 or earlier, interoperability issues
with other network equipment and other Juniper Networks routers running
JUNOS Release 8.3 or later might occur. [PR/255622]
■
On the M120 router, hot swapping the fan tray might cause the Check CB alarm
to activate. [PR/268735]
■
On the JCS1200 platform, when you issue the clear -config -T switch[1] command
using the management module, the switch module returns to its factory default
setting instead of the Juniper Networks default setting. As a workaround, do not
issue the command. [PR/274399]
■
On the Juniper Control System (JCS) platform, the control and management
traffic for all Routing Engines shares the same physical link on the same switch
module. In rare cases, the physical link might become oversubscribed, causing
the management connection to Protected System Domains (PSDs) to be dropped.
[PR/293126]
■
The bridge-domain MAC learn limit on the Packet Forwarding Engine can
sometimes become negative if the bridge domain is deleted and added
immediately as part of a configuration change. If that happens, the MAC learning
on that bridge domain can be affected. As a workaround, deactivate and activate
the bridge domain or VPLS routing instance configuration. [PR/467549]
■
Due to a larger number of components on the MX480 board, it takes more time
to boot up than comparable MX Series boards. [PR/468665]
■
If a firewall show command is followed by the clear command in a very quick
succession, there is a possibility that the show command will time out. If the
show command is issued after a few seconds (5 seconds ideally), this issue will
not be seen. [PR/479497]
■
With JUNOS Releases 10.0 and 10.1, Trio DPCs do not support more than 31
remote PEs in a VPLS instance. Also, they do not support more than 31 AE
bridging logical interfaces in a bridge domain. [PR/488139]
■
When trigger hold timer UP/DOWN values for a defect condition are configured
or changed from the CLI, the up or down timer for the defect is started, based
on the current defect condition in the hardware. If the timer value is large enough
and the defect condition is changed in the hardware when the timer is still
running, a new defect will be reflected in the alarms only after the timer has
expired. [PR/509890]
■
Under certain conditions, some Packet Forwarding Engines may fail to install
VPN multicast routes when downstream interfaces are RLSQ bundles.
[PR/515878]
■
When a SIB is taken offline via a CLI command, the output of the show chassis
sibs command does not display the message “Offlined by cli command.”
However, this message is correctly displayed for the FPCs. [PR/519842]
■
The output of the show chassis environment pem command displays the voltage
used in FPC slots 0 through 3, even after the FPC is taken offline. [PR/528821]
■
If no dot1p classifier is explicitly configured for the logical interface of vid=0,
to accept priority tagged packets, packets without an IP header such as STP will
determine the forwarding class based on the priority tag value. [PR/529207]
■
The output of the show chassis hardware detail | display xml command does not
list the SSRAM modules as direct chassis-sub-modules of the SFM x SPR.
[PR/529277]
■
A CFM ping command fails when the maintenance domain or maintenance
association is longer than 32 characters. [PR/550014]
■
A destination error occurs when an active SCB plane is unplugged. [PR/555250]
■
In the previous Ethernet OAM 802.1ag implementation, an extra 8 bytes (0019 0008
0000 0000) are found in the CFM delay measurement reply (DMR) and loopback
reply (LBR) messages when compared with the original delay measurement
message (DMM) and loopback message (LBM). The extra bytes do not impact
the normal DMM and DMR, or LBM and LBR processing. [PR/557513]
Layer 2 Ethernet Services
■
DHCP packets may not be processed on an auto-sensed VLAN interface if the
DHCP configuration for the interface is performed after the auto-sensed VLAN
interface is instantiated. As a workaround, clear the auto-sensed VLAN interface(s)
after the DHCP configuration is made for the interface(s). [PR/417958]
■
Configuring passive clients to run on demultiplexer interfaces does not result in
the access-internal route pointing to the client demultiplexer interface as expected.
When configuring passive clients on demultiplexer interfaces, keep the following
in mind:
■
Configuring passive clients on demultiplexer interfaces requires specific
static route additions to function properly.
■
Only unnumbered demultiplexer is supported. However, the underlying
interface can be either numbered or unnumbered.
When configuring passive clients over demultiplexer interfaces by using
unnumbered underlying interfaces, you must add static routes for both the
client-facing and DHCP server-facing interfaces on the router as follows:
■
The configuration for the server-facing interface must contain the route IP
address of the DHCP relay agent and the qualified next-hop interface value
to the server.
■
The configuration for the client-facing interface must contain the link address
for the next-hop IP address of the server-facing interface and be configured
to resolve that IP address.
When configuring passive clients over demultiplexer interfaces by using numbered
underlying interfaces, you must add a static route such that the client-facing
interface configuration contains a next-hop address that points to the DHCP
server-facing interface on the router. [PR/511676]
■
On a TX Matrix router, an aggregate bundle composed of member links from
different LCCs that have the same slot/PIC/port results in duplication of Link
Aggregation Control Protocol (LACP) port numbers. For example, a bundle with
the actor and partner shown below will result in a duplicate LACP port number since
ge-0/3/0 and ge-8/3/0 (and similarly ge-1/3/0 and ge-9/3/0) are the same
slot/PIC/port but from different LCCs.
Actor       Partner
ge-0/3/0    ge-1/3/0
ge-8/3/0    ge-9/3/0
On MX960 routers, duplicate LACP port numbers occur in aggregate bundles
composed of member links on the same PIC and port on slots (0,8), (1,9), (2,10),
and (3,11). Also, the following sets of ports on any slot will have duplicate LACP
port numbers:
■
PIC 0 port 8 and PIC 1 port (0,8)
■
PIC 0 port 9 and PIC 1 port (1,9)
■
PIC 2 port 8 and PIC 3 port (0,8)
■
PIC 2 port 9 and PIC 3 port (1,9)
NOTE: The duplicate LACP port number described above does not affect the
aggregation, but it affects SNMP retrieval of port information, which shows an
identical pair of SNMP dot3adAggPortPartnerOperPort and dot3adAggPortActorPort
values for the above-mentioned links of the aggregate bundle.
[PR/526749]
■
The PIM neighborship does not come up over the irb interface after the DPC is
restarted. [PR/559101]
Network Management
■
The SNMP process might restart when a core dump is generated. [PR/517230]
■
The use-mac-address option that is used to generate the SNMP engine-id does not
work. [PR/557569]
■
The SNMP process dumps core when snmpget or snmpget-next is used for SNMPv3
with security parameters that have variables that might result in a large error
response. As a workaround, use a smaller PDU and fewer variables in SNMPv3
with authentication. [PR/559166]
MPLS Applications
■
The rt column in the output of the show mpls lsp command and the active route
counter in the output of the show mpls lsp extensive command are incorrect
when per-packet load balancing is configured. [PR/22376]
■
For point-to-multipoint label-switched paths (LSPs) configured for VPLS, the ping
mpls command reports a 100 percent packet loss even though the VPLS
connection is active. [PR/287990]
■
When a Layer 2 circuit uses a static LSP as the tunnel between the PE routers,
and traffic is switched to an ingress bypass LSP, the statistics for both the primary
LSP and the bypass LSP should be updated. However, the statistics are now
updated only for the primary LSP. As a workaround, use the set protocols mpls
traffic-engineering mpls-forwarding command to update the statistics for both the
primary and bypass LSPs. [PR/495002]
■
During an RSVP local repair process, when a link flaps or the IGP metric changes
along the LSP path, the routing protocol process scheduler slips. [PR/513312]
■
When a commit is performed, the RSVP path messages are clustered together
for a link- or node-protected interface from the current RSVP implementation.
This might result in dropped RSVP path messages on the neighboring Juniper
Networks routers as the queue for these packets becomes overwhelmed.
[PR/536190]
■
When a large number of point-to-multipoint LSPs exist during periods of high
network instability with many links flapping, and MBB rerouting of a
point-to-multipoint LSP occurs, an MPLS route can become stale. This can cause
a routing protocol process assertion failure on a transit router. [PR/555219]
Platform and Infrastructure
■
On T Series routers, a Layer 2 maximum transmission unit (MTU) check is not
supported for MPLS packets exiting the routing platform. [PR/46238]
■
When you configure a source class usage (SCU) name with an integer (for
example, 100) and use this source class as a firewall filter match condition, the
class identifier might be misinterpreted as an integer, which might cause the
filter to disregard the match. [PR/50247]
■
If you configure 11 or more logical interfaces in a single VPLS instance, VPLS
statistics might not be reported correctly. [PR/65496]
■
When a large number of kernel system log messages are generated, the log
information might become garbled and the severity level could change. This
behavior has no operational impact. [PR/71427]
■
In the situation where a Link Services (LS) interface to a CE router appears in
the VPN routing and forwarding table (VRF table) and a fragmentation is required,
Internet Control Message Protocol (ICMP) cannot be forwarded out of the LS
interface from a remote PE router that is in the VRF table. As a workaround,
include the vrf-table-label statement at the [edit routing-instances
routing-instance-name] hierarchy level. [PR/75361]
■
Traceroute does not work when ICMP tunneling is configured. [PR/94310]
■
If you ping a nonexistent IPv6 address that belongs to the same subnet as an
existing point-to-point link, the packet loops between the two point-to-point
interfaces until the time-to-live expires. [PR/94954]
■
On T Series and M320 routers, multicast traffic with the "do not fragment" bit
is being dropped due to configuring a low MTU value. The router might stop
forwarding all traffic transiting this interface if the clear pim join command is
executed. [PR/95272]
■
A firewall filter that matches the forwarding class of incoming packets (that is,
includes the forwarding-class statement at the [edit firewall filter filter-name term
term-name from] hierarchy level) might incorrectly discard traffic destined for the
Routing Engine. Transit traffic is handled correctly. [PR/97722]
■
The JUNOS Software does not support dynamic ARP resolution on Ethernet
interfaces that are designated for port mirroring. This causes the Packet
Forwarding Engine to drop mirrored packets. As a workaround, configure the
next-hop address as a static ARP entry by including the arp ip-address statement
at the [edit interfaces interface-name] hierarchy level. [PR/237107]
■
When you perform an in-service software upgrade (ISSU) on a routing platform
with an FPC3 or an Enhanced FPC3 with 256 MB of memory and the number
of routes in the routing table exceeds 750,000, route loss might occur. If route
loss occurs, as a workaround, perform either of the following tasks:
■
Replace the FPC3 or Enhanced FPC3 with another FPC that has more
memory, or
■
After the ISSU is complete, reboot only the FPC3 or Enhanced FPC3.
[PR/282146]
■
For Routing Engines rated at 850 MHz (which appear as RE-850 in the output of
the show chassis hardware command), messages like the following might be
written to the system log when you insert a PC Card: “bad Vcc request” and
“Device does not support APM.” Despite the messages, operations that involve
the PC card work properly. [PR/293301]
■
On a Protected System Domain, an FPC might generate a core file and stop
operating under the following conditions:
■
A firewall policer with a large number of counters (for example, 20,000) is
applied to a shared uplink interface, and
■
The FPC that houses the interface does not have a sufficiently powerful CPU.
As a workaround, reduce the number of counters or install a more powerful FPC.
[PR/311906]
■
When a CFEB failover occurs on an M10i or M7i router that has had 4000 or
more IFLs, the following message appears:
IFRT: 'IFD ioctl' (opcode 10) failed
ifd 153; does not exist
IFRT: 'IFD Ether autonegotiation config' (opcode 163) failed
The message has no operational impact. When the backup CFEB becomes the
active CFEB, the message will not display. [PR/400774]
■
When the show route forwarding-table family vpls vpn vpls-name command is used,
the following message is logged in the log file: “/kernel: rtsock: received msg 0
with version 0, expected 96, a reboot or upgrade may be required (proc =
rtinfo).” This is because the rtinfo utility does not fill the message version in the
message buffer that is sent to the kernel. [PR/443413]
■
In some cases, the alarms displayed in FPM and the alarms shown using the
show chassis alarms sfc 0 command mismatch. [PR/445895]
■
The SFC management interface em0 is often displayed as fxp0 in several warning
messages. [PR/454074]
■
On M Series and T Series routers, the kernel crashes when graceful Routing
Engine switchover (GRES) is turned on. [PR/463099]
■
The VPN label does not get pushed on the label stack for Routing
Engine–generated traffic with l3vpn-composite-next-hop activated. As a
workaround, configure per-packet load balancing to push the VPN/tunnel labels
correctly. [PR/472707]
■
On restarting with a large-scale configuration (16,000 logical interfaces per MPC),
the MPC-3D-16XGE-SFPP card may take up to 15 minutes to come up.
[PR/478548]
■
Swapping out eight FPC cards and replacing them with a different FPC type
causes the kernel to crash when the last FPC is powered on. [PR/502075]
■
The tty sessions to a router can cause a null pointer de-reference. [PR/502816]
■
The TTL for a GRE-encapsulated IPv6 packet malfunctions as the TTL on the wire
is one less than the CLI-configured tunnel TTL. [PR/506454]
■
In an MPLS environment, the source Network Address Translation (NAT) or Port
Address Translation (PAT) for traffic between two remote VPNs does not work
when the vrf-table-label option is removed from the VRF where the inside-service
interfaces are located. [PR/524294]
■
After the Multiservices PIC’s homing PE interfaces used for multicast VPN (MVPN)
are taken offline and brought back online, the following message might be logged:
“flip-re0 fpc3 SLCHIP(0): %PFE-3: Channel 8189 (iif=701) on stream 32 already
exists.” [PR/527813]
Routing Policy and Firewall Filters
■
If a routing protocol running an MSDP receives an SA that is filtered via the MSDP
import policy, it will still create a forwarding entry if it subsequently receives a
(*,G) join for that group. [PR/63053]
■
The following features are not supported in a 12-16x10G DPC:
■
Known unicast and unknown unicast types in the input match condition
'Traffic-type' in a family bridge/VPLS
■
The following match conditions do not work:
■
learn-vlan-1p-priority
■
learn-vlan-1p-priority-except
■
learn-vlan-id
■
learn-vlan-id-except
■
user-vlan-1p-priority
■
user-vlan-1p-priority-except
■
user-vlan-id
■
user-vlan-id-except
■
VPLS flood FTF and input FTF
■
Simple filters
■
Filter action 'then ipsec-sa'
■
Filter action 'then next-hop-group'
■
Mac-filter output accounting and output policing
[PR/466990]
Routing Protocols
■
When you configure damping globally and use the import policy to prevent
damping for specific routes, and a new route is received from a peer with the
local interface address as the next hop, the route is added to the routing table
with default damping parameters, even though the import policy has a non-default
setting. As a result, damping settings do not change appropriately when the route
attributes change. [PR/51975]
■
When you issue the show ldp traffic-statistics command, the following system
log message might be generated for all forwarding equivalence classes (FECs)
with an ingress counter set to zero: "send rnhstats GET: error: ENOENT — Item
not found." [PR/67647]
■
If ICMP tunneling is enabled on the router and you configure a new logical system
that does not have ICMP tunneling enabled, the feature is globally disabled.
[PR/81884]
■
The keepalive timeout counter for multicast sessions may not display after you
deactivate and activate the pim protocol. This is a cosmetic issue and there is no
interruption to the multicast traffic flow. [PR/419509]
■
Setting the advertise-high-metric option while using IS-IS overload also suppresses
route leaking. [PR/419624]
■
On JUNOS OSPF, all locally generated Type 5 LSAs are purged and regenerated
while deleting an NSSA area from the area border router (ABR). [PR/457579]
■
Under rare situations, a software validation failure might cause the routing
protocol process to restart. This might otherwise have caused route drops.
[PR/476143]
■
When aggregate interfaces are used for VPN applications, load balancing may
not occur with a Layer 2 circuit configuration. [PR/471935]
■
During transient periods where both a secondary and primary LSP exist in a
routing table, and the number of LSP NHs is greater than 16 in a multigateway
scenario, IS-IS may remove the preferred LSP NH. For example, IS-IS could
remove an HIPRI LSP. [PR/485748]
■
The Juniper Networks rendezvous point (RP) does not process PIM Register
messages from a first-hop router in an IPv6 embedded RP group when the
Register message does not have the null-bit set. [PR/486902]
■
When a PPMD delegation of BFD sessions is configured over AE interfaces,
graceful Routing Engine switchover and NSR do not work. [PR/505058]
■
The BGP BMP message for IPv6 withdraw encoding does not follow the BMP-draft.
[PR/512780]
Issues in JUNOS Release 10.1 for M Series, MX Series, and T Series Routers
■
63
JUNOS 10.1 Software Release Notes
■
When an interface comes up after a down event, and LDP-IGP sync is configured
for that interface, OSPF does not include the interface in its LFA calculations
while the interface is in LDP Sync hold-down state. [PR/515482]
■
When the received next hop for a route has the same address as the EBGP peer
to which the route is readvertised, the next hop is erroneously set to the peer's
address instead of the next hop to self. [PR/533647]
■
When a certain combination of route damp parameters is configured for BGP,
the resulting internal calculations result in an attempt to allocate 0 bytes of
memory, causing the routing protocol process to crash and restart. As a
workaround, avoid the exact combination of these values in the configuration.
[PR/534780]
■
When an interface is added to a routing instance with rpf-check enabled, the
routing protocol process might crash if a route distinguisher is also changed at
the same time. [PR/539321]
■
When a policy matching an extended community using a 4-byte AS and a
wildcard is configured, the match condition might fail to match the relevant
communities. As a workaround, configure exact matches. [PR/550539]
■
In JUNOS Release 10.0 and later, a direct route to a VRF with a rib-group is not
advertised as an inet-vpn route to the IBGP neighbor because of the error "BGP
label allocation failure: Need a nexthop address on LAN." [PR/552377]
■
If a new VPN is added when advertise-default is used with the route-target family,
the necessary route refresh is not sent. [PR/561211]
■
Packets might not be correctly evaluated by a filter in an MPC that contains
non-contiguous prefixes. As a workaround, replace the non-contiguous prefixes
with equivalent sets of contiguous prefixes. [PR/564286]
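The workaround for PR/564286 asks for equivalent sets of contiguous prefixes. The sketch below is an added example, not Juniper code: it expands an address and a non-contiguous dotted-quad mask into the smallest list of CIDR prefixes that matches exactly the same addresses. The sample values and the expansion cap are assumptions chosen for illustration.

```python
import ipaddress
from itertools import product

# Assumed safety cap: every wildcard bit above the lowest set mask bit doubles
# the number of prefixes, so refuse expansions that would bloat a filter.
MAX_PREFIXES = 4096


def expand_noncontiguous(address, mask, limit=MAX_PREFIXES):
    """Return the sorted list of IPv4Network objects that together match the
    same addresses as `address` under the (possibly non-contiguous) `mask`.

    An address A matches when (A & mask) == (address & mask).
    """
    addr = int(ipaddress.IPv4Address(address))
    m = int(ipaddress.IPv4Address(mask))
    if m == 0:
        return [ipaddress.IPv4Network("0.0.0.0/0")]

    # Bits below the lowest set mask bit are ordinary host bits, so they fix
    # the prefix length of every resulting network.
    low = (m & -m).bit_length() - 1
    prefix_len = 32 - low

    # Zero bits above that point are the "holes" that make the mask
    # non-contiguous; each combination of hole values is one prefix.
    holes = [bit for bit in range(low, 32) if not (m >> bit) & 1]
    if 2 ** len(holes) > limit:
        raise ValueError(
            f"{address}/{mask} expands to {2 ** len(holes)} prefixes (limit {limit})"
        )

    base = addr & m
    networks = []
    for combo in product((0, 1), repeat=len(holes)):
        value = base
        for bit, on in zip(holes, combo):
            if on:
                value |= 1 << bit
        networks.append(ipaddress.IPv4Network((value, prefix_len)))
    return sorted(networks)


def same_address_count(address, mask):
    """Sanity check: the expansion must cover exactly 2**(zero bits in mask)
    addresses, which is how many addresses the original mask matches."""
    m = int(ipaddress.IPv4Address(mask))
    expected = 2 ** (32 - bin(m).count("1"))
    covered = sum(n.num_addresses for n in expand_noncontiguous(address, mask))
    return covered == expected


if __name__ == "__main__":
    # Constructed samples: third octet must be 0, 1, 4 or 5; last octet must be odd and < 8.
    for addr, mask in (("192.168.0.0", "255.255.250.0"), ("10.0.0.1", "255.255.255.249")):
        nets = expand_noncontiguous(addr, mask)
        print(addr, mask, "->", ", ".join(str(n) for n in nets))
```

Because the lowest set mask bit is fixed in every result, no two of the returned prefixes can be aggregated further.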
Services Applications
■
The show services accounting flow-detail extensive command sometimes displays
incorrect information about input and output interfaces. [PR/40446]
■
When a routing platform is configured for graceful Routing Engine switchover
(GRES) and Adaptive Services (AS) PIC redundancy, and a switchover to the
backup Routing Engine occurs, the redundant services interface (rsp-) always
activates the primary services interface (sp-), even if the secondary interface was
active before the switchover. [PR/59070]
■
Detection of failure of remote PPP clients on the LNS through LCP echo requests
will take longer due to an increase in the number of echo request retries.
[PR/250640]
■
When the Border Signaling Gateway (BSG) configuration contains a policy that
has a term with regular expressions, configuration changes might not take effect
immediately after the commit process is complete. In most cases, the new policy
takes effect immediately. However, complex policies may take longer to take
effect depending on how many regular expressions they contain.
For example, if you have a term with four regular expressions, configuration
changes do not take effect until 50 seconds after you receive the message that
the commit process is complete. This behavior occurs whether you have a list
of regular expressions (for example, regular-expression [sip:88824.* sip:88821.*
sip:88822.* sip:88823.*]), or you group regular expressions using the | symbol
(for example, "sip:88821.*|sip:88822.*|sip:88823.*|sip:88824.*").
The time taken for the software to apply the configuration changes increases
exponentially with the number of regular expressions in your configuration.
[PR/448474]
■
When a standard application is specified under the [edit security idp idp-policy
policy-name rulebase-ips rule rule-name match application] hierarchy level, the IDP
does not detect the attack on the non-standard port (for example, junos:ftp on
port 85). [PR/477748]
■
The Multiservices PIC or Multiservices DPC might restart when SIP traffic is
processed on the corresponding Application Layer Gateway. [PR/478331]
■
The output of the show services ids destination-table command might not display
any flow and related statistics in the IDS anomaly table for a certain period of
time after the flows are activated. [PR/490584]
■
In the export version of the JUNOS Software, the signature download does not
work for AppID and IDP features in the Dynamic Application Awareness (DAA)
suite. In order to resolve this, install the Crypto software suite. [PR/499395]
■
After a user establishes an SSH connection, the sshd process is spawned on the
server and services the user. After the connection is established, the sshd process
listens on a socket, and keeps polling in the select(), and sleeps until there is
something to be processed on the socket. When the client closes the connection,
a message is sent on the socket to the server, which reads and processes the
tear-down of the connection. However, when a blocking TCP is sent to the client
to detect the client's presence, the time-out never expires. [PR/538342]
■
When unit 0 of the Multiservices-PIC interface is not specified, the monitor
interface traffic command does not display the input packet number properly for
that particular MS-I/F interface. [PR/544318]
Subscriber Access Management
■
The revert-interval value configured in the [edit access profile] hierarchy level is
ignored. [PR/454040]
■
The RADIUS accounting stop messages do not include the Acct-Terminate-Cause
attribute (type 49). [PR/458034]
■
For a dynamic PPPoE interface in which the subscriber is assigned to a
non-default routing-instance (via the LSRI-Name or redirect-LSRI-Name RADIUS
VSAs), the IP address assigned to the subscriber must be specified via the
framed-ip-address RADIUS attribute. An IP address cannot be allocated from a
local pool defined in the assigned routing-instance, either when RADIUS returns
no address attributes or when the RADIUS framed-pool attribute is returned.
[PR/471677]
■
On an MX Series router configured for PPP subscriber access, configuring a large
number of PPP subscribers on a single MPC may result in a long boot time for
the MPC. Distributing subscribers over multiple MPCs will improve boot times.
[PR/490987]
■
The destination and destination-profile options for address and
unnumbered-address within the family inet and inet6 are allowed to be specified
within a dynamic profile, but are not supported. [PR/493279]
User Interface and Configuration
■
When the allow-command show interfaces $ is set in the class definition (specified
inside a user configuration), the user is unable to access any commands that
begin with show. [PR/55413]
■
Deletion of configuration groups cannot be prevented with the allow-configuration
and deny-configuration statements. [PR/59187]
■
The JUNOScript perl module for NETCONF does not support configuration-text.
[PR/82004]
■
"Local Password:" is prompted even though the authentication order has the
password configured. [PR/94671]
■
When the CLI screen length is set to zero and the show log command is used,
the “more” prompt ignores the CLI screen length of zero, and only a fraction of
the number of lines is displayed. [PR/103595]
■
The logical system administrator can modify and delete master administrator-only
configurations by performing local operations such as issuing the load override,
load replace, and load update commands. [PR/238991]
■
The “replace:” tag is missing from the output of the save terminal command from
inside a configuration object.
Example:
edit system
save terminal
system {
host-name blue;
}
[PR/269736]
■
The user can still commit an invalid configuration successfully, even when DDL
checks exist. [PR/282896]
■
After AI scripts are added, the existing management sessions (including the one
used to add the AI scripts) must exit the edit mode and reenter it for any
subsequent configuration changes to take effect. Changes made in these existing
edit sessions are not written to the candidate configuration. [PR/297475]
■
A user class configuration with a deny command ".*" returns a .noop error when
the Return key is pressed on the router’s CLI. As a workaround, replace "^$"
with "^.noop-command$" in allow regex, i.e., allow-commands "(show
interfaces)|(show route)|(exit)|(^.noop-command$)";. [PR/311426]
■
On M Series, MX Series, and T Series routers, the user cannot differentiate
between active and inactive configurations for system identity, management
access, user management, and date and time pages. [PR/433353]
■
In the J-Web interface, the “Generate Report” option under Monitor Event and
Alarms opens the report in the same web page. [PR/433883]
■
Selecting the monitor port for any port in the Chassis Viewer page displays the
common Port Monitoring page instead of the corresponding Monitoring page of
the selected port. [PR/446890]
■
On MX Series routers, J-Web does not display the USB related information under
Monitor>SystemView>System Information>Storage. [PR/465147]
■
On M7i and M10i routers with Enhanced CFEB installed, the chassis viewer
plug-in does not display the Routing Engine in the front view and the E-CFEB in
the rear view. However, the chassis contents from the system (left side tab)
display the list of components correctly. [PR/483375]
■
Using the new-line character \n within op script argument descriptions will cause
the help output to be displayed incorrectly and could result in extra output being
displayed when the op script runs. [PR/485253]
■
In the J-Web interface, the options Access Concentrator, Idle Timeout, and Service
Name for PPPoE logical interfaces are not supported on MX Series routers.
[PR/493451]
■
On J-Web, the error message: “Fatal error: Allowed memory size..." displays
when the Interfaces tab is selected. This message also displays when the
Interfaces tab under Class-of-Service is selected. [PR/495825]
■
J-Web does not display the drop-profile-map, excess-priority, excess-rate, and
rate-limit (transmit rate) parameters under the scheduler configuration for M
Series and MX Series routers. [PR/495947]
■
The licenses are not synced between the master and backup Routing Engine
unless the system license traceoptions file file-name statement is configured.
[PR/501443]
■
Invalid XML characters such as &#x11 (0x11) or &#20 (0x14) are allowed to be
loaded into the router. As a result, the XML parsers break as the characters are
not XML compliant. [PR/502994]
■
In JUNOS Release 10.2, the upload and install package does not show warning
messages when there are pending changes to be committed. As a workaround,
commit all pending commits before performing the upload, install package, or
reboot operations. [PR/514853]
■
The show log xxx | last x command behaves as if the screen length is set to 0,
and the --more xx%-- prompt does not appear. [PR/517023]
■
The annotate option does not appear when it is used under the edit private
command for class of service. [PR/535574]
■
The J-Web pages load inconsistently when Add IPv4 or IPv6 filters are used in
the Internet Explorer and Firefox Web browsers. [PR/543607]
■
After the delete action is performed, the replace actions do not take effect in the
“load replace terminal” operation. [PR/556971]
VPNs
■
When you modify the frame-relay-tcc statement at the [edit interfaces
interface-name unit logical-unit-number] hierarchy level of a Layer 2 VPN, the
connection for the second logical interface might not come up. As a workaround,
restart the chassis process (chassisd) or reboot the router. [PR/32763]
■
On a router configured for nonstop active routing (NSR) (the nonstop-routing
statement is included at the [edit routing-options] hierarchy level), if a nonstop
active routing switchover occurs after the configuration for routing instances
changes in certain ways, the BGP sessions between PE and CE routers might not
be established after the switchover. [PR/399275]
■
On MX Series, M120, and new EIII FPCs on M320 routers, the ISO/Connectionless
Network Service (CLNS) packets over the translational cross-connect (TCC) are
dropped in the case of Frame Relay, even though the family TCC has been
configured to switch family iso on the Frame Relay interface. [PR/462052]
■
In vlan-tagging, stacked-vlan-tagging, and flexible-vlan-tagging modes, untagged
packets or mismatching Tag Protocol ID (TPID) packets may be dropped. These
dropped packets are not accounted for and are not visible in the CLI. This issue
is specific to the 10-port 10-Gigabit Oversubscribed Ethernet (OSE) PICs.
[PR/496190]
■
If a VRF routing instance contains a static route that is resolved via a route that
was auto-exported from another routing instance, the static route may not be
removed when the physical interface goes down. [PR/531540]
Resolved Issues in JUNOS Release 10.1 for M Series, MX Series, and T Series
Routers
Class of Service
■
When a VLAN ID is changed, the following message appears in the messages
log: "COSD_GENCFG_WRITE_FAILED: GENCFG write failed for Classifier to IFL
74. Reason: File exists.” This log message appears when the configuration is
committed with VPLS configured on the Gigabit Ethernet interface, and a
class-of-service classifier or rewrite rules that contain IEEE 802.1P on the interface
are used. [PR/408552: This issue has been resolved.]
■
On M Series and T Series routers, the forwarding class information is lost when
the packet enters the GRE tunnel with clear-dont-fragment-bit enabled. Additionally,
on an Enhanced FPC or M120 FEB, the packet is also likely to be dropped if it
is classified to a packet loss priority (PLP) value other than low. [PR/514162: This
issue has been resolved.]
■
Under certain race condition scenarios on an Enhanced Queuing DPC, configuring
rate limit might result in rate limit drops in that queue. [PR/519181: This issue
has been resolved.]
■
When a logical interface set has a shaping-rate less than the sum of the
transmit-rates of its queues and when the configuration is corrected so that the
logical interface set gets the right shaping-rate, ADPC might crash. [PR/523507:
This issue has been resolved.]
■
On an MX FPC, traffic drops occur on a high-speed interface (OC12 and OC3).
Traffic drops might also occur in contract traffic on a rate-limited or shaped queue,
when the interface is congested. As a workaround, use a policer instead of a rate
limit and configure all the interfaces to the same speed on the MX FPC.
[PR/526339: This issue has been resolved.]
■
When class of service is configured for a routing instance using a wild card, the
classifier type might not populate correctly when a new routing instance is added.
[PR/537378: This issue has been resolved.]
■
When the rate-limit option is configured on a physical interface on IQ2 PICs, the
show interface queue command might not display the RL-dropped counters.
[PR/547218: This issue has been resolved.]
■
The egress rate limit over a logical interface might drop large packets. [PR/547506:
This issue has been resolved.]
■
If a configuration for a wildcard interface exists in a class-of-service hierarchy,
the cosd process might crash. [PR/555648: This issue has been resolved.]
■
When only the inet or MPLS family is configured on an interface, the logical
interface does not consider the default classifier slot for the ipprec-compatibility.
[PR/556497: This issue has been resolved.]
Forwarding and Sampling
■
Port mirroring does not work under the bridge-domain forwarding-option filter.
[PR/529272: This issue has been resolved.]
■
When logical systems are configured, the show bridge-domains command might
time out and return the following error message: “error: timeout communicating
with l2-learning daemon.” [PR/536604: This issue has been resolved.]
■
A scheduler is associated with a forwarding class. When a forwarding class is
mapped to a different queue, the associated scheduler is not applied to the new
queue. [PR/540568: This issue has been resolved.]
■
On a sampled traffic on a Multiservices PIC, the multicast convergence slows
down with the message "RPD_KRT_Q_RETRIES: Indirect Next Hop Update: No
buffer space available." [PR/554363: This issue has been resolved.]
High Availability
■
On M120 routers, the message: "stream blocked detected message" is displayed
when a Forwarding Engine Board (FEB) is switched from the backup to the
primary. [PR/540644: This issue has been resolved.]
Interfaces and Chassis
■
The MX DPC might reboot with the error message: "EZ:
ezchip_get_srh_msg_from_srhq". [PR/310223: This issue has been resolved.]
■
When lockout is configured and the router is rebooted, the working router is
stuck in the wait-to-restore state while the protect router still shows channel state
working and no requests, but no longer shows the lockout flag. [PR/474482: This
issue has been resolved.]
■
The chassisd process fails to create an interface when a PIC is brought online.
However, the state of both the PIC and FPC is online. [PR/479426: This issue
has been resolved.]
■
When an IQ2 PIC is brought online with a class-of-service configuration that
includes a scheduler using the rate-limit options, the system incorrectly reports
that rate limiting is not supported on the PIC. [PR/482199: This issue has been
resolved.]
■
An OAM trace displays an incorrect next-hop MAC value. [PR/494588: This issue
has been resolved.]
■
If a T640-FPC4-ES is installed in a T1600 router and an SIB statistics collection
is performed, the message log might report "JBUS: U32 read error, client .." only
if one of the SIBs is faulted or in the offline state. This system log message will
also appear if the T640-FPC4-ES FPC is removed from the chassis. There is no
operational impact. [PR/504363: This issue has been resolved.]
■
On an M20 router with AC PEMS, the alarm message “Power Supply x not
providing power” is generated when the power cord is removed. The alarm is
not cleared when the power cord is reconnected. [PR/506413: This issue has
been resolved.]
■
On M120 routers, all traffic is duplicated when the request chassis redundancy
feb switch-to-backup command is used, or the FEB is offline. This issue occurs
only when the status of the Automatic Protection Switching (APS) is protect.
[PR/506747: This issue has been resolved.]
■
On M7i routers with JUNOS Release 8.5 or later, the output of the show interfaces
fxp0 command shows the fxp0 interface to be in the “link up” state even when
the interface is disabled with no cables connected. [PR/508261: This issue has
been resolved.]
■
When the 1x10GE PIC is brought online, related error messages are seen in the
logs but without any functional impact. [PR/512094: This issue has been resolved.]
■
When the VRRP6 master changes, there is no log output for VRRP IPv6.
[PR/514821: This issue has been resolved.]
■
If a child T1 or E1 link of an MLPPP bundle with two or more children connected
to a Cisco router flaps, the T1/E1 link fails to rejoin the bundle due to an
inconsistent LCP state. As a workaround, bounce the whole bundle to clear the
issue. [PR/525489: This issue has been resolved.]
■
The queue counter of the aggregated Ethernet is counted up after the statistics
is cleared and the FPC is restarted. [PR/528027: This issue has been resolved.]
■
When M120 Type 1 FPCs are configured for 2:1 FPC:FEB mapping, and one of
the FPCs restarts, the restarting FPC might not initialize properly and might result
in a small percentage of packet loss for all interfaces on that FPC. As a
workaround, restart the FPC until the problem stops. [PR/529994: This issue has
been resolved.]
■
When the clear interfaces statistics command is used, if a member link is
deactivated from an aggregate (AE or AS on any platform) and if the show
interfaces extensive command is used immediately, incorrect values (very high
values) might be seen for the counters such as “Transmitted and Queued” packets
under the queue counters. If the clear interface statistics command is not issued
before deactivating the member link, this issue is not seen. [PR/530297: This
issue has been resolved.]
■
When any subscriber interface (PPPoE or DHCP) is used, the VPLS connections
go down. [PR/530435: This issue has been resolved.]
■
When Automatic Protection Switching (APS) is configured on a 4x STM-1 SDH,
SMIR PIC, the transmitted value of the K2 byte shows 0x00 for both unidirectional
and bidirectional instead of 0x04 and 0x05, respectively. [PR/531030: This issue
has been resolved.]
■
In JUNOS Release 10.0 and later, a significantly large number of the following
messages appear on the MX960 and SRX5800 routers:
MX960 /kernel: PCF8584(WR): transmit failure on byte 1
MX960 /kernel: PCF8584(WR): (i2c_s1=0x80, group=0xe, device=0x54)
MX960 /kernel: PCF8584(WR): busy at start, attempting to clear
MX960 /kernel: PCF8584(WR): (i2c_s1=0x00, group=0xe, device=0x54)
MX960 /kernel: PCF8584(RD): ack failure on 2nd last byte
These messages are not an indication of a fan failure. They are cosmetic and
can be ignored. [PR/531253: This issue has been resolved.]
■
After a PIC restart, a statistics query on the AE interfaces might produce wrong
results. As a workaround, clear the statistics after a PIC restarts. [PR/531485:
This issue has been resolved.]
■
On Trio MPCs, multiple changes to a single term in quick succession result in
an incorrect filter state in the Packet Forwarding Engine. This causes the MPC
to crash. [PR/532791: This issue has been resolved.]
■
The kernel might crash when bundled messages are sent to the Packet Forwarding
Engine when the physical interface is deleted. [PR/532926: This issue has been
resolved.]
■
An XE circuit on MPC-3D-16XGE-SFPP might cause a high CPU utilization on the
MPC. [PR/535057: This issue has been resolved.]
■
On MX960 routers, the link status stays in the "Link ok" state when the SCB is
removed without taking it offline through the CLI or switch. [PR/536860: This
issue has been resolved.]
■
The SCB displays an incorrect state when it is removed without taking it offline
through the CLI or buttons. This is not a cosmetic error and might have an impact
on the traffic. [PR/536866: This issue has been resolved.]
■
The "frame-relay-ether-type" encapsulation is not programmed to the hardware
properly. As a result, the incoming packet parsing fails and the packets are
discarded. [PR/539484: This issue has been resolved.]
■
On MX Series routers with 10.x Power Budget, after a “Power Budget: Chassis
experiencing power shortage” alarm occurs, the alarm does not clear even after
the power budget problem is cleared. [PR/540522: This issue has been resolved.]
■
The MX-MPC1-3D-Q accepts VLAN-tagged packets even when the interface is
not configured with VLAN tagging. [PR/540620: This issue has been resolved.]
■
The link-up time on a 16x10-Gigabit Ethernet MPC is not as short as on other
platforms (ADPC and other MPCs) because of the emission dispersion
compensation (EDC) functionality of the PHY device on the MPC. This causes a
delay of 50 ms to 150 ms and cannot be changed. [PR/540694: This issue has
been resolved.]
■
The sonet-options raise-rdi-on-rei and trigger options do not work well together.
Turning the raise-rdi-on-rei option on and back off requires the trigger option to
flap in order to assert or clear the RDI-L alarm. As a workaround, when both
sonet-options raise-rdi-on-rei and trigger options are configured, flap the
sonet-options trigger too. [PR/540745: This issue has been resolved.]
■
The spare SCB stays in the same status when the SCB that is online is removed
without taking it offline. [PR/542615: This issue has been resolved.]
■
When a GE/XE interface on IQ2 PICs is disabled, and the link status is up, the
traffic received from the interface might still be forwarded. [PR/543388: This
issue has been resolved.]
■
When one of the units of an aggregated Ethernet is deactivated, all other units
go down. [PR/544587: This issue has been resolved.]
■
On a 10x10-Gigabit Ethernet PIC, the chassis scheduler maps for a wildcard
configuration do not work when the PIC is taken offline and brought back
online, due to an incorrect stream value. [PR/551161: This issue has been
resolved.]
■
When logical interfaces are created, the NPC crashes and the FPC goes down.
[PR/545314: This issue has been resolved.]
■
On a 10-Gigabit Ethernet PIC, a log is generated when the SFP is plugged in.
However, no log is generated when the SFP is not plugged in. [PR/548251: This
issue has been resolved.]
■
VRRP between IRB interfaces on a VPLS network shows a master-master status
after the existing master goes down and comes back up. [PR/552699: This issue
has been resolved.]
■
The EOA family configurations over a container ATM interface might be deleted
and added again upon every commit (including unrelated commits). [PR/553077:
This issue has been resolved.]
Layer 2 Ethernet Services
■
A Spanning Tree Protocol triggered MAC flush might fail if there are frequent
topology changes with a significant number of MAC addresses learned. For
multiple Spanning Tree Protocols, restart l2cpd-services to come out of the state,
and for the Rapid Spanning Tree Protocol, reboot the corresponding DPC.
[PR/529130: This issue has been resolved.]
■
On MX Series routers, when both the top and bottom fan trays are enhanced
and a mastership switch is performed, the alarm "craftd[1337]: Minor alarm set,
Mix of FAN-TRAYS" is displayed. This occurs only after a switchover or an
upgrade. This alarm is temporary, is cleared within a few seconds, and does not
cause any routing or forwarding issues on the chassis. [PR/541617: This issue
has been resolved.]
■
The AE interface does not show the system identifier for the attached interfaces
in actor role. Because of this, the AE interface gets stuck in the detached state
after it is rebooted from both ends. Additionally, the AE interface flaps when the
backup Routing Engine is rebooted and a graceful Routing Engine switchover
(GRES) is performed. [PR/547739: This issue has been resolved.]
MPLS Applications
■
The routing protocol process may sometimes crash at rsvp_find_lp_tag_route.
[PR/55748: This issue has been resolved.]
■
With BFD enabled over IGP and an RSVP session built across it, when the RSVP
peer does not support RSVP Hello (or is disabled), the BFD session down event
triggers only the IGP neighbor to go down. The RSVP session remains up until
a session timeout occurs. [PR/302921: This issue has been resolved.]
■
The routing protocol process might crash with an assert in rsvp_PSB_set_selfID
while a graceful Routing Engine restart is performed when P2MP LSPs are present.
[PR/512890: This issue has been resolved.]
■
The rlist entry corresponding to the previously existing rlist is not removed, which
causes the routing protocol process to crash. [PR/513160: This issue has been
resolved.]
■
An invalid SNMP get-next request for an LDP OID might cause the routing protocol
process to crash. This issue occurs only when LDP is enabled. [PR/530348: This
issue has been resolved.]
■
When a protected link flaps, certain RSVP routes do not lose association with
the p2mp_nh. [PR/530750: This issue has been resolved.]
■
The maximum average bandwidth utilization computed by MPLS for
auto-bandwidth may sometimes be higher than the actual traffic rate (twice the
traffic rate). This occurs when the MPLS statistics response from the Packet
Forwarding Engine comes in late, and two statistic entries for the same LSP fall
in the same MPLS auto-bandwidth averaging timer interval. [PR/536759: This
issue has been resolved.]
■
In a next generation MVPN with vrf-table-label configured on the provider edge,
the provider router connecting to that provider edge might keep an old
point-to-multipoint MPLS label entry upon label-switched path optimization or
reroute. There is no workaround. [PR/538144: This issue has been resolved.]
■
A label-switched path (LSP) with auto-bw might stay down for approximately 30
minutes after a Routing Engine switchover or a Routing Engine restart when
graceful restart fails. As a workaround, disable and reenable the MPLS or OSPF
stanza. [PR/539524: This issue has been resolved.]
■
When the RSVP path-mtu allow-fragmentation is configured, traffic failure might
occur. [PR/544365: This issue has been resolved.]
■
On a point-to-multipoint LSP setup, the routing protocol process of the transit
router might crash when the topology changes with respect to the ingress sub-LSP
router. There is no workaround. [PR/549778: This issue has been resolved.]
■
On MX80 routers, the MPLS LSP statistics do not record the transit traffic on a
single-hop LSP with an implicit NULL label. [PR/551124: This issue has been
resolved.]
Network Management
■
SNMP may stop working after a router reboot, DPC/FPC/MPC restart, or a graceful
Routing Engine switchover. [PR/525002: This issue has been resolved.]
■
In JUNOS Release 9.2 and later, a memory leak occurs in the subagent in a
scenario where the snmpd process is not running, or there are issues in
communication with a subagent and traps are being generated by the subagent.
[PR/547003: This issue has been resolved.]
Platform and Infrastructure
■
Redirect drops that are not real errors are taken into account for "Iwo HDRF"
error statistics that are reported in the output of the show pfe statistics errors
command on I-chip based routers. Because redirect drops are expected in a VPLS
(and Ethernet in general) environment, this behavior could be misleading.
[PR/430344: This issue has been resolved.]
■
After an 8216 Routing Engine upgrade to JUNOS Release 9.6 with "chassis"
deactivated, the backup Routing Engine starts to reboot with the panic message
"panic: filter_idx_alloc: invalid filter index" and crashes when the chassis
configuration is enabled and committed. After the Routing Engine finally comes
online, the CLI response is slow and the Routing Engine reboots again after three
minutes approximately. To stop these reboots, deactivate the chassis on the
backup Routing Engine. [PR/489029: This issue has been resolved.]
■
On T Series routers, the FPC might continuously reboot upon installation.
[PR/510414: This issue has been resolved.]
■
In a setup with two VPN routing and forwarding tables (VRFs) of a provider edge
connected to different customer edges and auto-export configured, when a ping
is executed from a customer edge to a provider edge interface in the other VRF,
the Internet Control Message Protocol reply returns the source interface IP of
the provider edge that is connected directly instead of the interface IP of the
other VRF provider edge. [PR/510834: This issue has been resolved.]
■
Under certain conditions, traffic flow through an RLSQ bundle can be dropped
after it is removed and added back to a VPN routing and forwarding table (VRF).
[PR/518170: This issue has been resolved.]
■
When the system default-router a.b.c.d command is used, the default route is not
installed in the Packet Forwarding Engine. [PR/523663: This issue has been
resolved.]
■
On MX Series routers, repeated graceful Routing Engine switchover (GRES) under
certain configurations might result in kernel panic. Three kernel cores are
observed: with a soft update files system trace, with a TCP packet processing
stack trace, and with a trace of IFF configuration write. [PR/525583: This issue
has been resolved.]
■
A neighbor solicitation request does not return any neighbor-advertised packets
when static neighbors are configured. [PR/527779: This issue has been resolved.]
■
The Packet Forwarding Engine incorrectly imposes a rate-limit function for the
host-bound virtual LAN tagged packets with an IEEE 802.1p value of 1. There is
no workaround. [PR/529862: This issue has been resolved.]
■
Asp_ifl_update messages may be seen on routers running JUNOS Release 10.0
and above. Ignore these messages as they do not impact functionality.
[PR/532648: This issue has been resolved.]
■
A router might send raw IPv6 host-generated packets over the Ethernet toward
its BGP IPv6 peers. [PR/536336: This issue has been resolved.]
■
When a SIB is taken offline without using the CLI or the offline button and brought
back online, the link error alarm does not clear. [PR/536673: This issue has been
resolved.]
■
The backup Routing Engine might cause the kernel to crash when a configuration
change occurs on the AE bundle during a next-hop index allocation. [PR/544092:
This issue has been resolved.]
■
On TX Series routers with T640-FPC3 FPCs and a large number of routes, when
an AE interface in an ECMP path goes down, small packet drops might occur in
the traffic on the other ECMP link. This issue does not occur when an indirect
next hop is used. [PR/545166: This issue has been resolved.]
■
In JUNOS Release 10.0 and later, the FPCs in M320 and T Series routers might
crash when the error “PFE: Detected error next-hop” (corrupted next-hop) is
encountered. [PR/546606: This issue has been resolved.]
■
On M120 routers, multicast packet drops occur when both the Fast Ethernet and
the SFP Gigabit Ethernet PICs are located on the same Packet Forwarding Engine.
[PR/546835: This issue has been resolved.]
■
In JUNOS Release 9.3 and later, when routers using Enhanced FPCs
(T640-FPCx-ES or T1600-FPC4-ES FPCs) have a configuration involving CBF LSPs
and aggregate interfaces, a jtree corruption might occur when a flap from a
member link in the aggregate occurs on the remote end, or the FPC of the remote
router is rebooted. To avoid this issue, use indirect-next-hop (routing-options
forwarding-table indirect-next-hop). The error message “PFE: Detected error
nexthop:" indicates a jtree corruption. [PR/548436: This issue has been resolved.]
■
In a multicast VPN scenario, if the default-vpn-source is configured under protocol
PIM, and then the FPC holding is configured, the Multiservices PIC might crash
when it is taken offline. [PR/550061: This issue has been resolved.]
■
The NTP server might not respond to clients whose source address is explicitly
configured. [PR/556024: This issue has been resolved.]
Routing Policy and Firewall Filters
■
When a firewall loopback filter exists and the default term is discard, the multicast
forwarding cache entries will be created since the resolve request is dropped at
the Packet Forwarding Engine level. As a workaround, add an additional term
to accept the multicast destination address 224/4. [PR/531787: This issue has
been resolved.]
■
The output of the show ospf statistics command does not display hello packet
statistics. [PR/427725: This issue has been resolved.]
■
Packet drops occur during a GRE/NSR switchover, when class of service and
scheduler-map are enabled on the aggregated interface. [PR/502365: This issue
has been resolved.]
■
When a family inet6 addressing is added to a router configured with multicast
VPN, the routing protocol process might crash and restart. [PR/503296: This
issue has been resolved.]
■
The mirror receive task variable may not be cleared when the routing protocol
process is heavily scaled. Hence, the NSR replication for RIP status stays in the
"InProgress" state forever. [PR/516003: This issue has been resolved.]
■
Under rare circumstances, multiple commits might crash both Routing Engines.
The routing protocol process dumps core and restarts only on the master Routing
Engine. This issue occurs when commits are executed within one minute.
[PR/516479: This issue has been resolved.]
■
An ISSU upgrade to JUNOS Release 10.2 with PIM NSR configured fails whenever
an incompatible FRU (PIC) is required to be taken offline during a Routing Engine
switchover. As a workaround, disable NSR for PIM using the set protocols pim
nonstop-routing disable command for the ISSU upgrade to be successful.
[PR/527668: This issue has been resolved.]
■
On MX80 routers, non IS-IS fragmented GRE packets are filtered before they are
forwarded to the Routing Engine. [PR/529727: This issue has been resolved.]
■
For JUNOS Release 9.5 and later, the BGP parse community begins with “0” as
the octal value. This behavior is different in earlier releases. [PR/530086: This
issue has been resolved.]
■
When the bridge MAC table is cleared on a router that has bridge interfaces on
MPC cards, the MAC learning process might be broken for some time (10 seconds
to a few minutes). This results in traffic being looped between the two routers.
[PR/530753: This issue has been resolved.]
■
The master routing protocol process crashes three minutes after a graceful Routing
Engine switchover. [PR/533363: This issue has been resolved.]
■
The Overload bit in the IS-IS LSP MT-TLV may trigger the IS-IS to install a default
route to the overload bit advertiser and the show isis database extensive
command may report an unknown TLV. [PR/533680: This issue has been
resolved.]
Routing Protocols
■
When the labeled-unicast inet6 route is reflected by route reflectors, the label
might be set to explicit-null. [PR/534150: This issue has been resolved.]
■
The routing protocol process might crash due to an invalid prefix-length value
in one of the flow-spec routes. [PR/534757: This issue has been resolved.]
■
If enough join state is associated with a neighbor and that neighbor goes down
and comes back up quickly, then that join state may be stranded in an unresolved
state until the clear pim join command is issued. [PR/539962: This issue has been
resolved.]
■
On Type 2 Trio MPCs, multiple changes to a single term in quick succession can
cause an incorrect filter state in the Packet Forwarding Engine. This causes the
MPC to crash. [PR/540674: This issue has been resolved.]
■
The routing protocol process might crash when a BGP connection attempt is met
with an RST from the peer. This is due to an unlikely race condition. [PR/540895:
This issue has been resolved.]
■
Under certain timing conditions, an interior gateway protocol topology change
can result in the BGP routes referencing an incorrect egress interface. This
problem can occur when active and inactive BGP routes are learned from the
same peer and the inactive BGP routes are deleted at the time of the topology
change. [PR/543911: This issue has been resolved.]
■
In instances with scaled LACP configurations, the periodic packet management
process (ppmd) might experience memory leaks. [PR/547484: This issue has
been resolved.]
■
When two identical local interface addresses are shared between two VRFs
through auto-export, the routing protocol process might cause a high CPU
utilization. [PR/547897: This issue has been resolved.]
■
An incoming BGP route with a long AS path that is a contributor to an aggregate
route might cause the routing protocol process to restart. [PR/548322: This issue
has been resolved.]
■
The GetRequest operation might fail for certain OIDs located in the multicast
routing MIB. [PR/549928: This issue has been resolved.]
■
If a PIM <S, G> join arrives when there is no route to the source, PIM RPF
checking is disabled, and a matching multicast route is present, the output
interfaces associated with the PIM <S, G> join are not added to the multicast
route. [PR/550703: This issue has been resolved.]
■
The IPv6 entries are removed from the output of the show pim interfaces
command when the corresponding interface is in the down state. This is a
cosmetic issue. [PR/550799: This issue has been resolved.]
■
When an interface-based IPv6 BGP session with a 2-byte AS format is used, the
system might crash. [553772: This issue has been resolved.]
■
An IS-IS adjacency flap at a precise interval can cause the routing protocol process
to restart on a neighbor, as it is in the process of purging the LSAs of the
previously down node from the local database. [PR/554233: This issue has been
resolved.]
■
The Juniper Networks PIM-SM ASM implementation might not set the SPTbit
when RPT and SPT are both preferred over the same interface. [PR/555650: This
issue has been resolved.]
Services Applications
■
For Adaptive Services II PICs, a temporary file might be created every 15 minutes
in the /var/log/flowc/ directory even if flow collector services is not configured.
The file is deleted if there are no clients, and re-created only when a client
connects and attempts to write to the file. [PR/75515: This issue has been
resolved.]
■
The IPv6 gateway may have a NULL value when the destination address points
to an aggregated next hop. [PR/516058: This issue has been resolved.]
■
L2tpd asserts when short length frames are sent. This causes the l2tpd to crash.
As per RFC 1661 and 1662, such packets should be treated as invalid and
discarded. [PR/533057: This issue has been resolved.]
■
In JUNOS Release 10.0 and later, the routing instance name is restricted to 63
characters. [PR/533882: This issue has been resolved.]
■
The BGP_IPV4_NEXT_HOP field on the jflow v9 record matches the originator
ID instead of the BGP next hop. [PR/534598: This issue has been resolved.]
■
When traffic is forwarded in an L2TP session and a teardown request is received,
the AS PIC crashes with a memory access violation in mlppp_output. [PR/537225:
This issue has been resolved.]
■
On M Series routers configured for L2TP tunneling with several thousands of
PPP connections, when all the PPP sessions expire at the same time, the
Multiservices PIC might hang and become unusable. To recover the service,
restart the PIC. [PR/541793: This issue has been resolved.]
■
On SG3 PICs (Multiservices 500) with graceful Routing Engine switchover (GRES),
wrong record values are seen for the IPv4 netflow export packets. This error
occurs when the route records are not installed. [PR/545422: This issue has been
resolved.]
■
The IPv6 and MPLS route counts are not reflected in the output of the show
service accounting status command. [PR/550793: This issue has been resolved.]
User Interface and Configuration
■
J-Web does not display the USB option under Maintain>Reboot>Reboot from
the media. [PR/464774: This issue has been resolved.]
■
On TX Matrix and TX Matrix Plus routers, the syslog messages might not be sent
from the LCC to the SCC after a Routing Engine switchover. [PR/493138: This
issue has been resolved.]
■
On a router configured with a large number of interfaces, when a few interfaces
are constantly added and deleted, a minor memory leak may occur in the "pfed"
process. [PR/522346: This issue has been resolved.]
■
When a configuration with a long AS-path is displayed in XML format using the
show configuration | display xml | no-more command, the closing tag for the as-path
<path> is wrongly displayed as </path instead of </path>. [PR/525772: This
issue has been resolved.]
■
The xnm service currently does not support logging of remote-host addresses in
system accounting. [PR/535534: This issue has been resolved.]
■
Navigation from the Monitor RIP Information page to the Route Information
page fails with errors. [PR/536255: This issue has been resolved.]
■
The system continues to use the TACACS server configuration even after it is
removed. As a workaround, deactivate and reactivate the accounting
configuration. [PR/544770: This issue has been resolved.]
■
When the load set command is used to refresh a script file, the script does not
refresh, and exits from the CLI after displaying the RPC-related errors.
[PR/555316: This issue has been resolved.]
■
When two MVPN routing instances and at least one L2VPN routing instance are
configured, the commit fails with the following message:
"RPD_RT_DUPLICATE_RD: routing-instance xxx has duplicate
route-distinguisher." As a workaround, configure the route-distinguisher-id for
each instance manually. [PR/511514: This issue has been resolved.]
■
When a CE-facing interface in a VPLS instance is deactivated, the routing protocol
process may get into a loop leading to a high CPU utilization. [PR/531987: This
issue has been resolved.]
■
Under certain circumstances, the container interfaces might not send the proper
martini modes to the routing protocol process. This results in incorrect
control-word-related information sent to the Packet Forwarding Engine.
[PR/541998: This issue has been resolved.]
■
In a VPLS multihoming scenario, the routing protocol process crashes when a
VPLS instance is deleted from the configuration. [PR/546177: This issue has been
resolved.]
■
The next generation MVPN traffic might be dropped at an egress PE router when
a Routing Engine restart event occurs on the point-to-multipoint ingress PE router.
This issue occurs when multiple route reflectors reflect the MVPN routes in the
core. [PR/556148: This issue has been resolved.]
VPNs
Previous Releases
Release 10.1R3
Class of Service
■
When you set the port speed of a multirate SONET Type 2 PIC to OC3, the
class-of-service (CoS) speed value is not changed correctly within the Packet
Forwarding Engine. The speed value remains OC12, which results in unexpected
CoS behavior. There is no workaround. [PR/279617: This issue has been resolved.]
■
If a logical interface is configured or added to an interface set for which an
existing traffic control profile is applied, any rate-limit functionality will not be
applied to the new logical interface. To resolve this problem, deactivate and
activate the interface portion of the class-of-service configuration. [PR/485872:
This issue has been resolved.]
■
On an Ichip-based platform for strict high priority queue (SHQ), the buffer size
allocated by the Packet Forwarding Engine is capped by the tx-rate. If the tx-rate
is configured to a very small value, or is not configured and is automatically
allotted zero or a very small remaining value, the queue is also allotted a
proportionately small delay buffer. This can sometimes lead to Red and Tail
drops on the SHQ when there is a burst of traffic (with a certain traffic pattern)
on it. As a workaround, configure a nominal tx-rate value (5 percent) for the
SHQ. [PR/509513: This issue has been resolved.]
■
On M Series and T Series routers, the forwarding class information is lost when
the packet enters the GRE tunnel with clear-dont-fragment-bit enabled.
Additionally, on an Enhanced FPC or M120 FEB, the packet is also likely to be
dropped if it is classified to a packet loss priority (PLP) other than low.
[PR/514162: This issue has been resolved.]
■
In a scaled configuration, the class-of-service classifier does not work properly.
[PR/522840: This issue has been resolved.]
■
Policers cannot be modified after a system upgrade due to a flaw in the parser
routine. This error occurs when the current item is deleted and the parser cannot
proceed to the next item. With the fix, the routine in the forwarding process
(dwfd) has been modified so that the next item in the object tree is fetched before
the current object is parsed. [PR/433418: This issue has been resolved.]
■
When a unified ISSU is performed for JUNOS Release 10.0 through 10.2, the
T640-FPC4-ES crashes continuously. [PR/518301: This issue has been resolved.]
■
When a filter with an ip-options "any" firewall match is applied on an interface
on the MX-MPC, the filter is not applied. If the hardware is present at the time
of the configuration commit, a commit warning is issued. However, the commit
does not fail and the rest of the configuration is applied. [PR/524519: This issue
has been resolved.]
■
On T640 and T1600 routers with ST chipset FPCs, in some cases when IPv6
firewall filters are configured with match conditions on address prefixes longer
than 64 bits, the filter may not be evaluated correctly. This might lead to loss of
packets. [PR/524809: This issue has been resolved.]
■
When forwarding-options is configured without route-accounting, commit goes
through with the message, "Could not retrieve the route-accounting." However,
no functionality is affected. [PR/312933: This issue has been resolved.]
■
The backup Routing Engine can fail to obtain mastership in the following cases:
Forwarding and Sampling
Interfaces and Chassis
■
re0 gets stuck and doesn't reboot.
■
Due to a hardware problem, re0 loses its connectivity with both the Control
Board and the Packet Forwarding Engine.
[PR/405412: This issue has been resolved.]
■
On MX Series routers, traffic is forwarded over the backup link even after the
primary link is disabled and enabled again. [PR/493861: This issue has been
resolved.]
■
When link trace entries are added in the path database, there is no check to
determine if the current number of entries has reached the path database size.
Because of this, the entries may grow to be greater than the path database size
(configured or default). [PR/494584: This issue has been resolved.]
■
Under certain circumstances a backup Routing Engine reboot followed by a
Routing Engine failover can cause the LACP to flap, which causes AE bundles to
flap. [PR/502937: This issue has been resolved.]
■
On MX Series routers with JUNOS Release 10.0R2 or higher, the backup Routing
Engine might report the following warning message upon commit once network
service is configured under the chassis stanza: "WARNING: network services flag
has been changed, please reboot system." [PR/505690: This issue has been
resolved.]
■
The Routing Engine on slot 1 takes mastership regardless of the user-configured
Routing Engine mastership priority. [PR/507724: This issue has been resolved.]
■
When the show chassis hardware models command or the show chassis hardware
| display xml command is used, the FRU part-number 710-013035 displays the
model number T1600-FPC3-ES instead of T640-FPC3-ES. [PR/514072: This issue
has been resolved.]
■
When the show chassis hardware models or show chassis hardware | display xml
command is issued for M320-FPC*-E3 with part-numbers 710-025464,
710-025853, and 710-025855, the model number does not display correctly.
[PR/514074: This issue has been resolved.]
■
When traffic flows across IQE SDH/SONET interfaces, instantaneous inaccurate
traffic rate values with smaller packet sizes occur when the show interface
command is issued. [PR/514330: This issue has been resolved.]
■
The output of the show chassis hardware command may not display the SIB
details when the SIB is inserted in the slot. [PR/515789: This issue has been
resolved.]
■
On some XENPAK modules, the output of the show chassis hardware command
shows the message "NON-JNPR UNKNOWN" when the FPC is booted. There is
no impact on the traffic. To solve this issue, take the PIC offline and bring it back
online. [PR/516411: This issue has been resolved.]
■
On an M120, M7i, or M10i router with Enhanced CFEB running JUNOS Release
10.0 and a VRF routing instance configured with vrf-table-label, the VPN traffic
might not flow when an ATM II IQ PIC is used for a core-facing link. [PR/516485:
This issue has been resolved.]
■
When a Frame Relay interface goes down, the interface statistics might still
indicate that the data-link connection identifier (DLCI) is active. [PR/516497:
This issue has been resolved.]
■
When the configuration of shaping and scheduling is added or removed from
the CLI, the traffic from the other PE routers is lost. [PR/517320: This issue has
been resolved.]
■
On IQ2 and IQ2E 10GE PICs operating in WAN-PHY mode, the path trace
information does not get transmitted to the remote end. [PR/518331: This issue
has been resolved.]
■
When the centralized configuration management (CCM) interval is set to 1m or
above, the CCM flaps for an incorrect hold_time adjacency entry. [PR/520064:
This issue has been resolved.]
■
The CE_SUPPORT-DCD crashes when a commit is performed. [PR/521380: This
issue has been resolved.]
■
When one of two Ethernet connections to another Routing Engine is not present,
the mastership is not switched. [PR/521833: This issue has been resolved.]
■
When multiple routed IPsec tunnels are configured, and the tunnel with the
inside-service-interface defined in the service-set goes down, the other tunnels
with the ipsec-inside-interface configured only in the IPsec rules can stop
forwarding traffic until the main tunnel comes back up. [PR/524935: This issue
has been resolved.]
■
When M120 Type 1 FPCs are configured for 2:1 FPC:FEB mapping, and one of
the FPCs restarts, the restarting FPC might not initialize properly and result in a
small percentage of packet loss for all interfaces on that FPC. As a workaround,
restart the FPC until the problem stops. [PR/529994: This issue has been
resolved.]
■
The bpdu-block-on-edge configuration may not work properly when the interface
is configured as 'edge' under the [edit protocols vstp vlan vlan-id interface
interface-name] hierarchy level. [PR/522198: This issue has been resolved.]
■
After an LCC switchover, the SNMP process fails to send traps with resource
temporarily unavailable errors. [PR/493385: This issue has been resolved.]
■
Memory leaks might occur on the mib2d. [PR/517565: This issue has been
resolved.]
■
The SNMP MIB OID tree under dot3adAggPort fails. This issue may occur when
virtual LAN tagging is not configured on the AE interface, and if the mib2d process
is restarted using the restart mibprocess command. [PR/528555: This issue has
been resolved.]
■
A targeted LDP neighbor may remain up with an old IP address that was
previously in use with the loopback address on the remote neighbor. This may
happen when either of the following is performed on the remote neighbor:
Layer 2 Ethernet Services
Network Management
MPLS Applications
■
A secondary loopback (lower than the current primary) address is added
and no primary keyword is associated with either of these addresses.
■
A second loopback address is added with the primary keyword.
This results in the targeted LDP neighbor being up with both IP addresses. The
neighbor with the old address may continue to remain up even after the old
loopback address is deleted on the remote neighbor. This neighborship with the
old address eventually times out when the router-id is changed to reflect the new
loopback address on the remote neighbor. [PR/518102: This issue has been
resolved.]
■
At adjust intervals, the maximum average bandwidth utilization for the LSP
should be reset to zero. MPLS sometimes fails to reset the maximum average
bandwidth utilization for the LSP to zero while performing a periodic
auto-bandwidth adjustment at the adjust interval. This prevents periodic
auto-bandwidth adjustment from adjusting to a lower bandwidth when the traffic
rate drops. [PR/528619: This issue has been resolved.]
■
On M7i routers, kernel panic may occur during route changes. [PR/439420: This
issue has been resolved.]
■
The configured static NDP entry is cleared automatically after a certain interval.
[PR/453710: This issue has been resolved.]
■
An invalid IP protocol version is served as a valid version. The JUNOS router
forwards IP packets with version field set to values other than 4 and 6, for
example, 11 or any (unassigned). [PR/481071: This issue has been resolved.]
■
Memory leaks might occur on the mib2d rtslib. [PR/510902: This issue has been
resolved.]
■
The VPN PIM neighborship over the mt- interfaces may not recover after a
graceful Routing Engine switchover. [PR/511366: This issue has been resolved.]
■
When an AE interface on an ECMP path is taken down, packet drops may occur
on the traffic that is on another link in the ECMP path. [PR/513102: This issue
has been resolved.]
■
Under rare conditions, the compressed system-generated routing protocol process
core files might be corrupted. As a workaround, disable the compression using
sysctl kern.compress_user_cores. [PR/513193: This issue has been resolved.]
■
Setting the TCP maximum segment size (MSS) may not change the actual MSS
value. [PR/514196: This issue has been resolved.]
■
On M120 and MX Series routers, when an AE interface (with LACP enabled) is
used as a core-facing interface for L3VPN, non-MPLS traffic received on the AE
interface can sometimes get black-holed. To recover from this state, deactivate
and activate the AE interface in the configuration. [PR/514278: This issue has
been resolved.]
■
When IGMP snooping is enabled, a multicast traffic drop might occur if an IGMP
join or leave occurs on other interfaces. [PR/515420: This issue has been
resolved.]
■
When the primary link flaps with the route-memory-enhanced statement enabled,
jtree might get corrupted and traffic forwarding is affected. As a workaround,
deactivate the route-memory-enhanced statement under the chassis stanza.
Changes to the route-memory-enhanced statement take effect only when Packet
Forwarding Engine is rebooted. [PR/517919: This issue has been resolved.]
Platform and Infrastructure
■
On some M, MX, and T Series routers, when a firewall filter is applied on the
egress of an aggregate interface, packet loss may occur after adding, removing,
or changing the service configuration on the egress side of the aggregate interface.
As a workaround, deactivate and activate the output firewall filter on the aggregate
interface. [PR/517992: This issue has been resolved.]
■
When container AE interfaces are enabled on JUNOS Release 10.0 or 10.1, the
following message displays when one of the member links flaps: “CHPJAR1-re0
fpc3 SCHED: %PFE-0: Thread 40 (PFE Manager) ran for 2015 ms without
yielding.” [PR/518714: This issue has been resolved.]
■
When the destination class usage (DCU) is configured with unicast reverse path
filter (uRPF) and egress forwarding-table filter within the VRF, a VPN route flap
might trigger a jtree memory leak. [PR/521609: This issue has been resolved.]
■
No NA packets are returned for NS requests with a static NDP, due to an issue
with the neighbor advertisement implementation for statically configured
neighbors. [PR/527779: This issue has been resolved.]
■
On some routers, enabling IP-payload-based load balancing for MPLS packets
can cause some pseudowire packets to be reordered. [PR/528657: This issue
has been resolved.]
Routing Policy and Firewall Filters
■
On some M, MX, and T Series routers, when a family CCC filter is applied on
multiple interfaces that belong to different L2VPN routing instances, packet loss
may occur after the routing instances are deactivated and activated. As a
workaround, deactivate and activate the CCC filter on the interfaces. [PR/521357:
This issue has been resolved.]
■
The backup Routing Engine may generate routing protocol process and kernel
cores if the BGP damping is configured along with nonstop active routing (NSR).
[PR/452217: This issue has been resolved.]
■
When l3vpn-composite-next-hop is configured, it should only be used by L3VPN
routes. However, non-L3VPN routes are also able to use it. [PR/496028: This
issue has been resolved.]
■
Upon a graceful Routing Engine switchover with NSR, the routing protocol process
will crash due to a wrong process for the PIM instance. [PR/503921: This issue
has been resolved.]
■
Nonstop routing (NSR) does not work correctly if an automatic route distinguisher
is used with an L2VPN routing-instance. [PR/513949: This issue has been
resolved.]
■
The output of the show igmp snooping interface command does not display
"-snooping," erroneously stating that IGMP itself is not running instead of
IGMP-snooping not running. [PR/516355: This issue has been resolved.]
■
The configured robust count value is not applied on the non-querier router when
it receives a robust count value of 0. It uses the default value (2) instead of the
configured value. [PR/520252: This issue has been resolved.]
Routing Protocols
■
The new NSR master may not send the OSPF hello messages immediately after
a switchover. [PR/522036: This issue has been resolved.]
■
After a graceful restart, the forwarding state of both provider edge routers might
get stuck at the pruned state. However, traffic flow is not affected. [PR/522179:
This issue has been resolved.]
■
When an l2circuit ID greater than 2,147,483,647 is configured, and l2circuit
tracing is enabled using the set protocols l2circuit traceoptions command, some
of the trace messages provide the wrong value (a negative number) for the virtual
circuit ID. [PR/523492: This issue has been resolved.]
■
The tag_encoder is unable to handle attempts to stack EXPLICIT_V6_NULL (label
2) over an existing stack with label 2 on top. Additionally, the BGP module does
not send label 2 when readvertising a prefix from an inet6 unicast session to an
inet6 labeled-unicast session. [PR/523824: This issue has been resolved.]
■
On TX Matrix routers, the router can drop the PIM hello messages before a join
is triggered by the neighbor. This can cause multicast traffic to be dropped before
the next periodic join. [PR/529408: This issue has been resolved.]
■
When the labeled-unicast inet6 route is reflected by route reflectors, the label
might be set to explicit-null. [PR/534150: This issue has been resolved.]
■
A performance-related issue may occur when the IDP plug-in is enabled. The
connection per second for HTTP (64 bytes) with AACL, AI, and IDP (with
Recommended Attacks group) plug-ins has been downgraded to 7.6K through
7.9K per second. [PR/476162: This issue has been resolved.]
■
The IPv6 gateway may have a NULL value when the destination address points
to an aggregated next hop. [PR/516058: This issue has been resolved.]
■
NAT over FTP fails when it receives a SERVER 227 code string "Entering passive
mode" in lowercase. [PR/522029: This issue has been resolved.]
Services Applications
Subscriber Access Management
■
BFD sessions and other protocol adjacencies configured with low hello or dead
timers over aggregate or IRB interfaces might flap upon configuration commit
when the dhcp-local-server or dhcp-relay is used. [PR/507428: This issue has
been resolved.]
User Interface and Configuration
■
Users who have superuser privileges will sometimes have their access restricted
to view permission only when they log in through TACACS. [PR/388053: This
issue has been resolved.]
■
If the time zone is set to “Europe/Berlin,” the command commit at "time-string"
will fail. [PR/483273: This issue has been resolved.]
■
The group inherited configuration under the interface-range hierarchy level does
not take effect. [PR/522872: This issue has been resolved.]
■
Navigation from Monitor RIP Information page to the Route Information page
fails with errors. [PR/536255: This issue has been resolved.]
■
While upgrading JUNOS Software with l2circuit configuration under the logical
systems, the validation might fail with an "interface version mismatch" error.
You can ignore this error and upgrade the JUNOS Software using the no-validate
option. [PR/497190: This issue has been resolved.]
■
The routing protocol process crashes repeatedly on the new master, a few minutes
after a graceful Routing Engine switchover (GRES). [PR/527465: This issue has
been resolved.]
VPNs
Release 10.1R2
Class of Service
■
The following operations may result in large incorrect queue statistics on IQ2
interfaces:
■
When the IQ2 PIC is restarted, or the interface is deactivated and reactivated,
while traffic is on and the configuration defines a high priority queue on the
interface.
■
When the high priority queue number is changed under the class-of-service
configuration while traffic is on.
[PR/489049: This issue has been resolved.]
■
The type-of-service (ToS) bits get truncated for IPv6 packets on a service PIC.
[PR/510193: This issue has been resolved.]
■
While the JUNOS Software adopts random as its sampling algorithm, the
SAMPLING_ALGORITHM in the jflowv9 template shows 0x01 (deterministic)
instead of 0x02 (random). [PR/438621: This issue has been resolved.]
■
A JUNOS Software compiler bug in the match combination optimization could
cause an incorrect firewall filter evaluation. [PR/493356: This issue has been
resolved.]
■
When the MS PIC used for an RLSQ interface resides on an E3 FPC (M320), traffic
might stop flowing across the RLSQ interface after the policer on the interface
is deactivated. [PR/498069: This issue has been resolved.]
■
When a Layer 2 policer is configured under a logical interface having multiple
families configured under it, and the policer is changed to another, the newly
configured policer might not take effect unless the policer configuration is
deactivated and reactivated. [PR/501726]
Forwarding and Sampling
■
When a filter group is configured on an interface residing on an ES FPC, the
rpf-check configured on that interface will not function correctly. As a
workaround, deactivate the configured filter group. [PR/503609: This issue has
been resolved.]
■
On configuring a three-color-policer, a dfwc core file is generated. [PR/509742:
This issue has been resolved.]
■
The following messages are displayed on both the primary and secondary RLSQ
MS 500 PICs: “SCHED: %PFE-0: Thread 7 ran for x ms without yielding,"
"Scheduler Oinker." [PR/286357: This issue has been resolved.]
■
CFMD might crash when the following are configured and committed at once on
a VPLS setup:
Interfaces and Chassis
■
Encapsulation VLAN-VPLS on a physical and logical interface
■
Family VPLS on a logical unit
■
Interface is added in the VPLS routing instance
As a workaround, add the above configurations one at a time and commit.
[PR/440108: This issue has been resolved.]
■
If virtual tunnel PICs and ingress traffic manager are enabled on the same Packet
Forwarding Engine/PIC on an EQ DPC, then the SNMP walk of the interface may
time out. [PR/458565: This issue has been resolved.]
■
In some cases during the periodic error status monitoring, error messages such
as “Wi seg ucode discards in fabric stream” may be displayed on adjacent
streams. These messages are cosmetic and can be ignored. [PR/481344: This
issue has been resolved.]
■
When loopback is configured on t3 under ct3, t1 under ct1, or e1 under ce1, no
error syslog message is logged. Additionally, the show interface extensive
command on the t3/t1/e1 displays "loopback" even though it is not actually
applied. [PR/486424: This issue has been resolved.]
■
The DPC remains in the ready state and the demux0 interface remains in a down
state after a chassisd restart without graceful Routing Engine switchover (GRES)
enabled. [PR/492961: This issue has been resolved.]
■
The AE logical interface flaps when the PIC that has the active link-protection
member link is taken offline. [PR/493492: This issue has been resolved.]
■
The No Redundant Config alarm that occurs in JUNOS Release 10.0 and above
after a PEM is shut down is invalid and is a non-impacting alarm message.
[PR/498089: This issue has been resolved.]
■
The one port OC12-3 PIC cannot support eight queues when the no-concatenate
option is configured. [PR/499452: This issue has been resolved.]
■
On 4-port ChOC3/STM1 and 12-port T1/E1 circuit emulation PICs, the ATM
logical interface packets counter does not increment if the PIC is configured in
the ATM IMA mode. [PR/500153: This issue has been resolved.]
■
When t1-options are configured at the [edit interfaces ct1-x/y/z] hierarchy level,
some ct1 interfaces of a 10xCHT1 IQ PIC might flap when the configuration
changes are committed. As a workaround, remove the t1-options. [PR/500820:
This issue has been resolved.]
■
Polling ifInOctets on Gigabit Ethernet IQ PIC VLANs might momentarily return a
higher value. [PR/500852: This issue has been resolved.]
■
On 40x1 Gigabit Ethernet PICs, very short fragments of fragmented TCP, UDP,
and ICMP packets may be incorrectly dropped with the diagnostic L4 length too
short. [PR/501526: This issue has been resolved.]
■
The configured TTL set for GRE traffic is set properly for locally generated Routing
Engine packets, but is not set properly for transit packets. There is no
workaround. [PR/502087: This issue has been resolved.]
■
During a link UP/DOWN transition, jsscd may crash as a result of a NULL message
dereferencing by jsscd. [PR/502745: This issue has been resolved.]
■
In JUNOS Release 10.1, if the MPCs power up while the A-DPCs are offline, and
if ISSU is performed, the MPCs will crash. [PR/502837: This issue has been
resolved.]
■
When an ATM AIS cell is received from the virtual channel under vlan-vci-ccc
encapsulation, the logical interface will be incorrectly marked down. There is no
workaround. [PR/503653: This issue has been resolved.]
■
When the show lacp interface aex command is used for a nonexistent AE interface,
no error is returned. [PR/503806: This issue has been resolved.]
■
The yellow marking for the three-color-policers is incorrect. Even after the excess
burst buffer is full, the yellow counters continue to increment at the same rate
as the green buffers. [PR/504192: This issue has been resolved.]
■
As a result of an incorrect configuration for the DDR memory controller, errors
might be reported when a Trio-based MPC or MX80 boots. There is no
workaround. [PR/505490: This issue has been resolved.]
■
Under certain circumstances, the E3 IQ PIC might report bogus CCV, CES, and
CSES alarms. [PR/505921: This issue has been resolved.]
■
The JUNOS Software may accept duplicate data-link connection identifiers (DLCIs)
configured on the same physical interface. [PR/506908: This issue has been
resolved.]
■
When native-vlan-id is configured for an aggregated interface with the child links on
an IQ2 PIC, the LACP packets are dropped and the links go down. [PR/507040: This issue
has been resolved.]
■
The show interfaces diagnostics optics interface command does not display the
unit of measurement when the received power is in a very low range (power <
5e-10). It shows the value of 0.00 without any unit of measurement. [PR/507653:
This issue has been resolved.]
■
On MX Series routers, the chassisd crashes when the SCB is taken offline and
removed. [PR/510950: This issue has been resolved.]
■
On M7i and M10i routers, the syncer process writes to the file
/var/rundb/chassisd.dynamic.db every 30 seconds. [PR/511901: This issue has
been resolved.]
■
Under certain circumstances, the chassisd process might crash on a backup
Routing Engine while a configuration is committed. [PR/512044: This issue has
been resolved.]
■
Due to a flaw in implementation, the execution of the show interfaces
mac-database command causes the IQ2 PIC to reboot with the core. [PR/513407:
This issue has been resolved.]
■
The local protocol MTU on an interface with PPP encapsulation might become
higher than the configured media MTU after the PPP negotiation when the remote
end has a higher media MTU configured. [PR/514079: This issue has been
resolved.]
■
The monitor traffic interface (tcpdump) does not produce an outbound output
with matching option when used with the encapsulation
flexible-ethernet-services. [PR/514247: This issue has been resolved.]
Layer 2 Ethernet Services
■
The DHCPv6 clients do not bind when routing-options access-internal is
configured. [PR/495358: This issue has been resolved.]
■
On MX960 routers, i2c messages related to the fan such as the following are
displayed:
Jan 26 13:32:22 rocky-re0 /kernel: PCF8584(WR): target ack failure on byte 0
Jan 26 13:32:22 rocky-re0 /kernel: PCF8584(WR): (i2c_s1=0x08, group=0xe,
device=0x54)
This is a cosmetic issue and has no impact on the router. [PR/500824: This issue
has been resolved.]
■
The SIP domain names encoded in the DHCPv6 attributes do not conform to
RFC 3319. [PR/512073: This issue has been resolved.]
■
The JUNOS Software drops SOLICIT messages, including the rapid commit option,
instead of ignoring that option and processing the remainder of the message.
[PR/512092: This issue has been resolved.]
MPLS Applications
■
When an RSVP LSP is configured with the no-install-to-address option and is not
associated with CCC connection flaps, the routing protocol process will crash
when the LSP comes up again. To avoid the problem, make sure that the LSP is
either a transmit LSP for a CCC connection or that the install option is also
configured on the LSP. [PR/471339: This issue has been resolved.]
■
A rare condition between the MVPN and RSVP P2MP signaling leads to the
creation of stale flood next hops. [PR/491586: This issue has been resolved.]
■
An incorrectly changed LDP session authentication key causes the LDP session
to fail, which results in the LDP/IGP synchronization feature not working. The IGP
continues to advertise the link at normal metric values. [PR/499226: This issue
has been resolved.]
■
In cases where the secondary Routing Engines contain no label-switched paths
in the up state due to the lack of NSR support, such label-switched paths might
not come up even after a switchover. [PR/501969: This issue has been resolved.]
■
LDP might not handle certain error conditions gracefully when NSR is enabled.
This might cause the LDP replication state to be stuck in the "In Progress" state
forever. [PR/505043: This issue has been resolved.]
■
The name of the bypass label-switched path supports only 32 characters instead
of 64. [PR/515244: This issue has been resolved.]
Network Management
■
Under certain SNMP conditions, the following log message is displayed:
M10i-RE0 pfed: PFED_NOTIF_GLOBAL_STAT_UNKNOWN: Unknown global
notification stat: transit options/ttl-exceeded (re-injected)
M10i-RE0 pfed: PFED_NOTIF_STAT_UNKNOWN: Unknown notification type stat:
Unknown
This log message might also be displayed during the installation of AI Scripts
(version 2.1R2 or above) on the router. AI Scripts versions prior to 2.1R2 do not
cause these messages. This is a cosmetic message, and does not have any impact.
[PR/427590: This issue has been resolved.]
■
Under certain conditions, the SNMPD crashes due to a BAD_PAGE_FAULT.
[PR/496351: This issue has been resolved.]
Platform and Infrastructure
■
When certain FPCs (T1600-FPC4-ES, T640-FPC4-1P-ES, T640-FPC1-ES,
T640-FPC2-ES, and T640-FPC3-ES) receive corrupted cells via high-speed links,
they might unnecessarily reboot and report the following system log error
message: "Unrecoverable Error: Flist gtop bit toggled !." No reset is needed to
recover from this condition. [PR/441844: This issue has been resolved.]
■
The configured static NDP entry is cleared automatically after a certain interval.
[PR/453710: This issue has been resolved.]
■
When the flow monitoring version 9 feature is enabled on an MS PIC (or service
PIC that supports flow monitoring version 9), the MS PIC might crash upon
receiving certain corrupted IPv6 packets. [PR/458361: This issue has been
resolved.]
■
When an aggregated SONET with a Cisco High-Level Data Link Control (HDLC)
encapsulation is configured, a member link might not be marked as link-down
in the Packet Forwarding Engine if the remote end of the link is disabled.
[PR/472677: This issue has been resolved.]
■
The output of the show arp command does not display the entire demux interface
identifier, making it impossible to determine which specific demux sub-interface
a given ARP entry is associated with. [PR/482008: This issue has been resolved.]
■
A problem occurs on an M120 router with an FEB redundancy configuration
when the backup FEB is protecting a non-primary FEB. In this case, the Routing
Engine will prompt the incorrect Packet Forwarding Engine for status, causing
delays in the SNMP responses. [PR/490172: This issue has been resolved.]
■
If you configure an IP address with a larger subnet, for example, /19, on a
different interface first, the router begins to negotiate for the ARP of a specific
host on that interface and gets stuck in a hold state. If you later configure a more
specific subnet of /29 on another interface from where the host can be reached,
the forwarding table will still prefer the route with the hold entry via /19 instead
of the route with the ucst entry via /29. [PR/491468: This issue has been resolved.]
■
The syslog usually logs data only when the per-fabric-stream counter increases.
However, the syslog starts logging even though the counter value was not
increasing. [PR/493384: This issue has been resolved.]
■
The Source Class Usage (SCU) statistics counter value may drop occasionally
when it is used with the accounting profile. [PR/493662: This issue has been
resolved.]
■
The AE VLAN session classifier instantiation in a dynamic profile fails as the L2
classifier fails to install in the Packet Forwarding Engine. [PR/494488: This issue
has been resolved.]
■
In certain cases, a configuration change can cause the backup Routing Engine
to reboot. [PR/497290: This issue has been resolved.]
■
When a next-hop chain has multiple types of next-hop dependencies, including
indirect next-hop, aggregate next-hop, and multiple unicast next-hops, during
an aggregate link flap (down/up), a certain sequence of events from the kernel
is expected by the Packet Forwarding Engine for the next-hop change and delete
updates. However, during a quick link flap (down/up), in an extreme corner case,
the Packet Forwarding Engine does not receive the expected sequence, and the
FPC will crash. [PR/499315: This issue has been resolved.]
■
On IQ2 PICs, when copy-plp is enabled under class of service, the DCU provides
the wrong statistics. [PR/499378: This issue has been resolved.]
■
The MAC address of a configured static NDP entry is overwritten upon receiving
NA from a connected device. [PR/499418: This issue has been resolved.]
■
The static NDP entry remains permanent if the refcount is more than 1, even
after deleting the static configuration. [PR/499441: This issue has been resolved.]
■
The L2RW does not report an error when the required L2_pgm length is longer
than what the hardware can support. [PR/501318: This issue has been resolved.]
■
On an ichip platform, when the downstream multicast member link flaps, the
Packet Forwarding Engine might, in rare cases, fail multicast next-hop handling.
This can cause multicast traffic drops. [PR/501852: This issue has been resolved.]
■
On an MX Series router configured for PPP subscriber access, subscribers will
experience slow login times as the number of subscriber sessions increases.
[PR/502756: This issue has been resolved.]
■
RED drops occur in the SMQCHIP when the 10x10GE OSE and 4x10GE PICs are
swapped multiple times. [PR/506174: This issue has been resolved.]
■
On a TX Matrix Plus router, if one of the two external RJ45 links between a
TXP-CIP and an LCC Control Board is broken, the router does not generate an
alarm. [PR/508219: This issue has been resolved.]
■
When tcpdump or the monitor traffic interface command is used on an lo0
interface whose IP address has a last octet greater than or equal to 224
(x.x.x.224 or higher), the following message is received: "inet class for 0xe1e11955
unknown." [PR/511911: This issue has been resolved.]
Routing Protocols
■
If a static route points to a discard configuration, a failure might occur when the
router attempts to collect the multicast statistic data. [PR/434298: This issue has
been resolved.]
■
Deleting a logical system causes the routing protocol process to be stuck in an
infinite loop. [PR/439000: This issue has been resolved.]
■
The routing protocol process dumps core due to a soft assertion failed:
"rt_notbest_sanity: Path selection failure" in rt_table.c. As a workaround, use
the bgp path-selection external-router-id statement or the bgp path-selection
always-compare-med statement. [PR/451021: This issue has been resolved.]
■
When a PIC with a PIM-enabled interface is brought online, the router may send
the first PIM hello slightly before the interface comes up. This causes the router
to drop the first PIM hello message towards its neighbor. [PR/482903: This issue
has been resolved.]
■
After a graceful Routing Engine switchover (GRES) event with NSR enabled and
a scaled L3VPN eBGP test, some BGP sessions fail due to an expired hold down
timer if the hold-down timer is lower than the default 30 seconds. To avoid this
issue, set the hold-down timer to the default value of 30 seconds. [PR/501796:
This issue has been resolved.]
■
In an NSR configuration, the backup Routing Engine can lose the connection to
the active Routing Engine during a configuration commit. The problem occurs
more often when the configuration includes a large number of routing instances.
This is caused by the routing protocol process on the backup Routing Engine
leaking file descriptors during commit synchronization. To recover, restart the
routing protocol process on the backup Routing Engine. [PR/506883: This issue
has been resolved.]
■
When the routing-instances routing-instances-name routing-options multipath
vpn-unequal-cost equal-external-internal statement is configured, some VPN routes
learned from different route reflectors can be shown as multipath. [PR/507236:
This issue has been resolved.]
■
The routing protocol process might crash if the router receives a flow route with
a rate-limit bandwidth less than 1000 bps. [PR/508715: This issue has been
resolved.]
■
When more than 200 IGMP/MLD source-specific multicast groups (232.0.0.0/8)
are configured statically on an interface, and when an unrelated configuration
is committed, some groups are removed and added immediately after. This
causes packet drops on those groups. [PR/509013: This issue has been resolved.]
■
Nonstop routing (NSR) does not work correctly if an automatic route distinguisher
is used with a L2VPN routing-instance. [PR/513949: This issue has been resolved.]
■
In route reflector and ASBR VPN scenarios, the routing protocol process might
crash as changes occur to a prefix in the primary table at the same time as BGP
tries to send out updates via the secondary table. [PR/515626: This issue has
been resolved.]
Services Applications
■
If the Juniper-Firewall-Attribute attribute in a RADIUS server configuration file
names a policer that sets a bandwidth limit for Layer 2 Tunneling Protocol (L2TP)
sessions but not an exclude-bandwidth limit, the bandwidth limit might not be
set correctly. [PR/254503: This issue has been resolved.]
■
On M Series routers (M120 and M320) with many service sets configured with
IDP policies, kernel messages are seen in the messages file once traffic passes
through these service sets. These messages stop when the traffic is stopped.
[PR/462580: This issue has been resolved.]
■
A static route pointing to a destination is incorrectly added for a source NAT
when a next-hop type service set is used. [PR/476165: This issue has been
resolved.]
■
Flow monitoring records are not generated as fragmented IPv6 packets are not
getting sampled. [PR/478571: This issue has been resolved.]
■
MSDPC might crash while running a combination of SIP and other ALGs due to
a possible double freeing of memory. [PR/491218: This issue has been resolved.]
■
The SIP ALG on the services PIC might cause NAT port leaks in some call
scenarios. [PR/491220: This issue has been resolved.]
■
The l2tp on an M7i LNS crashes following an upgrade from JUNOS Release 9.3R1
to 9.6R2. [PR/498423: This issue has been resolved.]
■
When using a NAT DCE RPC ALG on a services PIC, the PIC might crash while
processing the binding request. [PR/510997: This issue has been resolved.]
■
Route changes might not be updated in the PIC meta-db in cases where the route
messages that the PIC receives signify a change in the next-hop index.
[PR/512229]
User Interface and Configuration
■
The wildcard apply groups do not work properly in JUNOS Release 9.1 and above.
[PR/425355: This issue has been resolved.]
■
If a user in the Backup Routing Engine on a config-private mode activates graceful
Routing Engine switchover (GRES) and performs a commit synchronize, a
synchronization error might occur during the switchover. [PR/486637: This issue
has been resolved.]
■
Commit fails when the commit scripts are used and the configuration contains
a policy which uses an apply-group with a then action of 'then community +
export.' [PR/501876: This issue has been resolved.]
■
The load replace command does not consider the allow-configuration
configuration. [PR/501992: This issue has been resolved.]
■
In configure private mode, activating and deactivating two consecutive nested
objects can cause a syntax error during commit. [PR/506677: This issue has
been resolved.]
■
On M10i, M120, M320, and MX Series routers with dual Routing Engines running
JUNOS Release 9.4 or later, the dfwd process running on the backup Routing
Engine might access the /var/pdb/rdm.taf file every 30 seconds, causing excessive
writes to the hard disk drive. This problem does not occur when GRES is enabled.
[PR/506691: This issue has been resolved.]
VPNs
■
When different prefixes are advertised to the same source by different PE routers,
an egress PE router is prevented from picking the lower prefix route for RPF
when the PE advertising the higher prefix loses its route to the source.
[PR/493835: This issue has been resolved.]
■
When multipath is enabled in a routing instance with NG MVPN, the traffic might
get dropped on the receiver PE. [PR/508090: This issue has been resolved.]
Release 10.1R1
The following issues have been resolved since JUNOS Release 10.0R4. The identifier
following the description is the tracking number in our bug database.
Class of Service
■
When you set the port speed of a multirate SONET Type 2 PIC to OC3, the CoS
speed value is not changed correctly within the Packet Forwarding Engine. The
speed value remains OC12, which results in unexpected CoS behavior. There is
no workaround. [PR/279617: This issue has been resolved.]
■
When a VLAN ID is changed, the following message appears in the messages
log: "COSD_GENCFG_WRITE_FAILED: GENCFG write failed for Classifier to IFL
74. Reason: File exists." This log message appears when the configuration is
committed with VPLS configured on the Gigabit Ethernet interface, and the
class-of-service classifier or rewrite rules that contain IEEE 802.1P on the interface
are used. [PR/408552: This issue has been resolved.]
■
If a logical interface is configured or added to an interface-set for which an
existing traffic control profile is applied, any rate-limit functionality will not be
applied to the new logical interface. To correct this problem, deactivate and
activate the interface portion of the class-of-service configuration. [PR/485872:
This issue has been resolved.]
■
On an I-chip-based platform for strict high priority queue (SHQ), the buffer size
allocated by the Packet Forwarding Engine is capped by the tx-rate. If the tx-rate
is configured to a very small value, or is not configured and is automatically
allotted a zero or a very small remaining value, the queue is also allotted a
proportionately small delay buffer. This can sometimes lead to red and tail drops
on the SHQ when there is a burst of traffic (with a certain traffic pattern) on it.
As a workaround, configure a nominal tx-rate value (5 percent) for the SHQ.
[PR/509513: This issue has been resolved.]
■
On M Series and T Series routers, the forwarding class information is lost when
the packet enters the GRE tunnel with a clear-dont-fragment bit enabled.
Additionally, on an Enhanced FPC or M120 FEB, the packet is also likely to be
dropped if it is classified to a packet loss priority (PLP) other than low.
[PR/514162: This issue has been resolved.]
■
In a scaled configuration, the class-of-service classifier does not work properly.
[PR/522840: This issue has been resolved.]
■
When a logical interface set has a shaping-rate less than the sum of transmit-rates
of its queues and when the configuration is corrected so that the logical interface
set gets the correct shaping-rate, ADPC might crash. [PR/523507: This issue has
been resolved.]
■
On an MX-FPC Ichip physical interface queueing with rate-limit or exact
configuration enabled, the in-contract traffic is dropped when other queues are
over-subscribed. [PR/526339: This issue has been resolved.]
Forwarding and Sampling
■
Policers cannot be modified after a system upgrade due to a flaw in the parser
routine. This error occurs when the current item is deleted and the parser cannot
proceed to the next item. With the fix, the routine in the forwarding process
(dfwd) has been modified so that the next item in the object tree is fetched before
the current object is parsed. [PR/433418: This issue has been resolved.]
■
While the JUNOS Software adopts random as its sampling algorithm, the
SAMPLING_ALGORITHM in the flow monitoring version 9 template shows 0x01
(deterministic) instead of 0x02 (random). [PR/438621: This issue has been
resolved.]
■
A JUNOS Software compiler bug in the match combination optimization can
cause an incorrect firewall filter evaluation. [PR/493356: This issue has been
resolved.]
■
When a Layer 2 policer is configured under a logical interface that has multiple
families configured under it, and the policer is changed to another, the newly
configured policer might not take effect unless the policer configuration is
deactivated and reactivated. [PR/501726: This issue has been resolved.]
■
When a filter with an ip-options "any" firewall match is applied on an interface
on the MX-MPC, the filter is not applied. If the hardware is present at the time
of the configuration commit, a commit warning is issued. However, the commit
does not fail and the rest of the configuration is applied. [PR/524519: This issue
has been resolved.]
■
On T640 and T1600 routers with ST chipset FPCs, in some cases where the IPv6
firewall filters with match conditions configured on address prefixes are longer
than 64 bits, the filter may not be evaluated correctly. This might lead to loss of
packets. [PR/524809: This issue has been resolved.]
■
When logical systems are configured, the show bridge-domains operational
command might time out and return the following error message: "error: time
out communicating with l2-learning daemon." [PR/536604: This issue has been
resolved.]
Interfaces and Chassis
■
The MX DPC might reboot with the error message: "EZ:
ezchip_get_srh_msg_from_srhq". [PR/310223: This issue has been resolved.]
■
The backup Routing Engine can fail to obtain mastership in the following cases:
■
re0 gets stuck and doesn't reboot.
■
Due to a hardware problem, re0 loses its connectivity with both the Control
Board and the Packet Forwarding Engine.
[PR/405412: This issue has been resolved.]
■
When a backup Routing Engine is replaced after a graceful Routing Engine
switchover (GRES), the device control process (dcd) generates a new link local
address on non-MAC interfaces such as SONET. [PR/429078: This issue has been
resolved.]
■
CFMD might crash when the following are configured and committed at once on
a VPLS setup:
■
Encapsulation VLAN-VPLS on a physical and logical interface
■
Family VPLS on a logical unit
■
Interface is added in the VPLS routing instance
As a workaround, add the above configurations one at a time and commit.
[PR/440108: This issue has been resolved.]
■
When lockout is configured and the router is rebooted, the working router is
stuck in the wait-to-restore state while the protect router still shows channel state
working and no requests, but no longer shows the lockout flag. [PR/474482: This
issue has been resolved.]
■
When an IQ2 PIC is brought online with a class-of-service configuration that
includes a scheduler using the rate-limit options, the system incorrectly reports
that rate limiting is not supported on the PIC. [PR/482199: This issue has been
resolved.]
■
The AE logical interface flaps when the PIC that has the active link-protection
member link is taken offline. [PR/493492: This issue has been resolved.]
■
On MX Series routers, traffic is forwarded over the backup link even after the
primary link is disabled and enabled again. [PR/493861: This issue has been
resolved.]
■
When link trace entries are added in the path database, there is no check to see
if the current number of entries has reached the path database size. Due to
this, entries are learned beyond the path database size (configured or
default). [PR/494584: This issue has been resolved.]
■
Polling ifInOctets on Gigabit Ethernet IQ PIC VLANs might momentarily return a
higher value. [PR/500852: This issue has been resolved.]
■
Under certain circumstances, a backup Routing Engine reboot followed by a
Routing Engine failover can cause the LACP to flap, which causes AE bundles to
flap. [PR/502937: This issue has been resolved.]
■
When the show lacp interface aex command is used for a nonexistent AE interface,
no error is returned. [PR/503806: This issue has been resolved.]
■
If a T640-FPC4-ES is installed in a T1600 router and an SIB statistics collection
is performed, the message log might report "JBUS: U32 read error, client .." only
if one of the SIBs is faulted or in the offline state. This system log message will
also appear if the T640-FPC4-ES FPC is removed from the chassis. There is no
operational impact. [PR/504363: This issue has been resolved.]
■
On MX Series routers with JUNOS Release 10.0R2 or higher, the backup Routing
Engine might report the following warning message upon commit once network
service is configured under the chassis stanza: "WARNING: network services flag
has been changed, please reboot system." [PR/505690: This issue has been
resolved.]
■
On an M20 router with AC PEMS, the alarm message “Power Supply x not
providing power” is generated when the power cord is removed. The alarm is
not cleared when the power cord is reconnected. [PR/506413: This issue has
been resolved.]
■
When an FEB switchover occurs on an Ichip with APS protect status enabled,
the traffic is duplicated. [PR/506747: This issue has been resolved.]
■
The JUNOS Software may accept duplicate data-link connection identifiers (DLCIs)
configured on the same physical interface. [PR/506908: This issue has been
resolved.]
■
The Routing Engine on slot 1 takes mastership regardless of the user-configured
Routing Engine mastership priority. [PR/507724: This issue has been resolved.]
■
On M7i routers with JUNOS Release 8.5 or later, the output of the show interfaces
fxp0 command shows the fxp0 interface to be in the link up state even when
the interface is disabled with no cables connected. [PR/508261: This issue has
been resolved.]
■
The AE interface does not generate ICMP redirect messages. [PR/508691: This
issue has been resolved.]
■
On M7i and M10i routers, the syncer process writes to the file
/var/rundb/chassisd.dynamic.db every 30 seconds. [PR/511901: This issue has
been resolved.]
■
Under certain circumstances, the chassisd process might crash on a backup
Routing Engine while a configuration is committed. [PR/512044: This issue has
been resolved.]
■
When the 1x10GE PIC is taken online, 1x10GE PIC related error messages are displayed
in the logs. However, these messages do not have any functional impact.
[PR/512094: This issue has been resolved.]
■
When a container logical interface unit is added or deleted, an APS channel
mismatch trap is raised from all the protect container interfaces. [PR/512825:
This issue has been resolved.]
■
Due to a flaw in implementation, the execution of the show interfaces
mac-database command causes the IQ2 PIC to reboot with the core. [PR/513407:
This issue has been resolved.]
■
APSD does not perform a switchover to the primary circuit, and both the primary
and secondary circuits remain disabled when the following steps are performed:
■
Force traffic from the primary circuit to the secondary circuit.
■
Remove the Tx on the secondary circuit at the local end, or insert LOS on
the secondary circuit from the near end to the far end.
[PR/514052: This issue has been resolved.]
■
When the show chassis hardware models command or the show chassis hardware
| display xml command is used, the FRU part-number 710-013035 displays the
model number T1600-FPC3-ES instead of T640-FPC3-ES. [PR/514072: This issue
has been resolved.]
■
When the show chassis hardware models or show chassis hardware | display xml
command is issued for M320-FPC*-E3 with part-numbers 710-025464,
710-025853, and 710-025855, the model number does not display correctly.
[PR/514074: This issue has been resolved.]
■
A local protocol MTU on an interface with PPP encapsulation might be higher
than the configured media MTU after a PPP negotiation when the remote end
has a higher media MTU configured. [PR/514079: This issue has been resolved.]
■
The monitor traffic interface (tcpdump) does not produce an outbound output
with matching option when used with the encapsulation
flexible-ethernet-services. [PR/514247: This issue has been resolved.]
■
Due to a 32 bit timer overflow, the SPC BCM register does not read properly.
This is a cosmetic issue. [PR/514325: This issue has been resolved.]
■
When traffic flows across IQE SDH/SONET interfaces, instantaneous inaccurate
traffic rate values with smaller packet sizes occur when the show interface
command is issued. [PR/514330: This issue has been resolved.]
■
The SIB details might not display in the output of the show chassis hardware
command after the SIB is inserted in the slot. [PR/515789: This issue has been
resolved.]
■
Under certain conditions, some Packet Forwarding Engines may fail to install
VPN multicast routes when downstream interfaces are RLSQ bundles. [PR/515878:
This issue has been resolved.]
■
The T1600-FPC4-ES might experience HSL2 CRC errors at the fabric portion
leading to "destination errors," "Check SIB," and other fabric plane errors. It is
recommended to upgrade the JUNOS Software to a version that contains the fix.
[PR/516201: This issue has been resolved.]
■
On some XENPAK modules, the output of the show chassis hardware command
shows the message "NON-JNPR UNKNOWN" when the FPC is booted. There is
no impact on the traffic. To solve this issue, take the PIC offline and bring it back
online. [PR/516411: This issue has been resolved.]
■
On an M120, M7i, or M10i router with Enhanced CFEB running JUNOS Release
10.0 and a VRF routing instance configured with vrf-table-label, the VPN traffic
might not flow when an ATM II IQ PIC is used for a core-facing link. [PR/516485:
This issue has been resolved.]
■
When a Frame Relay interface goes down, the interface statistics might still
indicate that the data-link connection identifier (DLCI) is active. [PR/516497:
This issue has been resolved.]
■
When the configuration of shaping and scheduling is added or removed from
the CLI, the traffic from the other PE routers is lost. [PR/517320: This issue has
been resolved.]
■
On IQ2 and IQ2E 10GE PICs operating in WAN-PHY mode, the path trace
information is not transmitted to the remote end. [PR/518331: This issue has
been resolved.]
■
In JUNOS Release 10.0 and later, the MIB value for OID ifSpeed and ifHighSpeed
on the aggregated Ethernet logical interface is shown incorrectly as 0. This occurs
when the bandwidth of the logical interface is not configured for the aggregated
Ethernet interface. [PR/519855: This issue has been resolved.]
■
When the centralized configuration management (CCM) interval is set to 1m or
above, the CCM flaps for an incorrect hold_time adjacency entry. [PR/520064:
This issue has been resolved.]
■
The CE_SUPPORT-DCD crashes when a commit is performed. [PR/521380: This
issue has been resolved.]
■
When multiple routed IPsec tunnels are configured, and the tunnel with the
inside-service-interface defined in the service-set goes down, the other tunnels
with the ipsec-inside-interface configured only in the IPsec rules might stop
forwarding traffic until the main tunnel comes back up. [PR/524935: This issue
has been resolved.]
■
When M120 Type 1 FPCs are configured for 2:1 FPC:FEB mapping, and one of
the FPCs restarts, the restarting FPC might not initialize properly and might result
in a small percentage of packet loss for all interfaces on that FPC. As a
workaround, restart the FPC. [PR/529994: This issue has been resolved.]
■
When the clear interfaces statistics command is used, if a member link is
deactivated from an aggregate (AE or AS on any platform) and if the show
interfaces extensive command is used immediately, incorrect values (very high
values) might be seen for the counters such as Transmitted and Queued packets
under the Queue counters. If the clear interface statistics command is not issued
prior to deactivating the member link, this will not occur. [PR/530297: This issue
has been resolved.]
■
When any subscriber interface (PPPoE or DHCP) is used, the VPLS connections
go down. [PR/530435: This issue has been resolved.]
■
When Automatic Protection Switching (APS) is configured on a 4x STM-1 SDH,
SMIR PIC, the transmitted value of the K2 byte shows 0x00 for both unidirectional
and bidirectional instead of 0x04 and 0x05, respectively. [PR/531030: This issue
has been resolved.]
■
On MX960 routers, the link status stays in the "Link ok" state when the SCB is
removed without taking it offline through the CLI or switch. [PR/536860: This
issue has been resolved.]
■
On MX Series routers with 10.x Power Budget, after a “Power Budget: Chassis
experiencing power shortage” alarm occurs, the alarm does not clear even after
the power budget problem is cleared. [PR/540522: This issue has been resolved.]
Layer 2 Ethernet Services
■
When an ATM II interface is configured as a Layer 2 circuit with cell transport
mode on a router running JUNOS Release 8.2 or lower, interoperability issues
with other network equipment and another Juniper router running JUNOS Release
8.3 or higher may occur. [PR/255622: This issue has been resolved.]
■
The bpdu-block-on-edge configuration may not work properly when the interface
is configured as 'edge' at the [edit protocols vstp vlan vlan-id interface
interface-name] hierarchy level. [PR/522198: This issue has been resolved.]
■
A Spanning Tree Protocol triggered MAC flush might fail if there are frequent
topology changes with a significant number of MAC addresses learned. For
multiple Spanning Tree Protocols, restart l2cpd-services to come out of the state,
and for the Rapid Spanning Tree Protocol, reboot the corresponding DPC.
[PR/529130: This issue has been resolved.]
MPLS Applications
■
With BFD enabled over IGP and an RSVP session built across it, when the RSVP
peer does not support RSVP Hello (or is disabled), the BFD session down event
triggers only the IGP neighbor to go down. The RSVP session remains up until
a session timeout occurs. [PR/302921: This issue has been resolved.]
■
When a direct link between two PEs is disabled, the P2MP MPLS LSP may go
down with the CSPF error "bad strict route." [PR/500146: This issue has been
resolved.]
■
In cases where the secondary Routing Engine contains no label-switched path
up states due to lack of NSR support, such label-switched paths may not go to
the up state even after a switchover. [PR/501969: This issue has been resolved.]
■
The routing protocol process might crash with an assert in rsvp_PSB_set_selfID
while a graceful Routing Engine restart is performed when P2MP LSPs are present.
[PR/512890: This issue has been resolved.]
■
The name of the bypass label-switched path supports only 32 characters instead
of 64. [PR/515244: This issue has been resolved.]
■
A targeted LDP neighbor may remain up with an old IP address that was
previously in use with the loopback address on the remote neighbor. This may
occur when either of the following is performed on the remote neighbor:
■
A secondary loopback (lower than the current primary) address is added
and no primary keyword is associated with either of these addresses.
■
A second loopback address is added with the primary keyword.
This results in the targeted LDP neighbor being up with both IP addresses. The
neighbor with the old address may continue to remain up even after the old
loopback address is deleted on the remote neighbor. This neighborship with the
old address eventually times out when the router-id is changed to reflect the new
loopback address on the remote neighbor. [PR/518102: This issue has been
resolved.]
■
At adjust intervals, the maximum average bandwidth utilization for the LSP
should be reset to zero. MPLS sometimes fails to reset the maximum average
bandwidth utilization for the LSP to zero while performing a periodic
auto-bandwidth adjustment at the adjust interval. This prevents periodic
auto-bandwidth adjustment from adjusting to a lower bandwidth when the traffic
rate drops. [PR/528619: This issue has been resolved.]
■
The maximum average bandwidth utilization computed by MPLS for
auto-bandwidth might sometimes be higher than the actual traffic rate (twice
the traffic rate). This occurs when the MPLS statistics response from the Packet
Forwarding Engine comes in late, and two statistic entries for the same LSP fall
in the same MPLS auto-bandwidth averaging timer interval. [PR/536759: This
issue has been resolved.]
Network Management
■
After an LCC switchover, the SNMP process fails to send traps with resource
temporarily unavailable errors. [PR/493385: This issue has been resolved.]
■
Memory leaks might occur on the mib2d. [PR/517565: This issue has been
resolved.]
■
The SNMPD might crash when the filter-duplicate statement is used. [PR/519389:
This issue has been resolved.]
■
SNMP might stop working after a router reboot, DPC/FPC/MPC restart, or a
graceful Routing Engine switchover. [PR/525002: This issue has been resolved.]
■
The SNMP MIB OID tree under dot3adAggPort fails. This issue might occur when
virtual LAN tagging is not configured on the AE interface, and if the mib2d process
is restarted using the restart mib-process command. [PR/528555: This issue has
been resolved.]
Platform and Infrastructure
■
The telnetd core file can be seen on routers enabled with telnet service.
[PR/267026: This issue has been resolved.]
■
On M7i routers, kernel panic might occur during route changes. [PR/439420:
This issue has been resolved.]
■
If you configure an IP address with a larger subnet, for example, /19, on a
different interface first and the router begins to negotiate for the ARP of a specific
host on that interface and gets stuck in a hold state, and you later configure a more
specific subnet of /29 on another interface from where the host can be reached,
the forwarding table will still prefer the route with the hold entry via /19 instead
of the route with the ucst entry via /29. [PR/491468: This issue has been resolved.]
■
The Source Class Usage (SCU) statistics counter value might drop occasionally
when used with the accounting profile. [PR/493662: This issue has been resolved.]
■
The AE VLAN session classifier instantiation in a dynamic profile fails as the L2
classifier fails to install in the Packet Forwarding Engine. [PR/494488: This issue
has been resolved.]
■
On an MX Series router, a uRPF with more than 16 route paths can trigger a
jtree error and might cause the DPC to crash. [PR/509091: This issue has been
resolved.]
■
In a setup with two VPN routing and forwarding tables (VRFs) of a provider edge
connected to different customer edges and auto-export configured, when a ping
is executed from a customer edge to a provider edge interface in the other VRF,
the Internet Control Message Protocol reply returns the source interface IP of
the provider edge that is connected directly, instead of the interface IP of the
other VRF provider edge. [PR/510834: This issue has been resolved.]
■
Memory leaks might occur on the mib2d rtslib. [PR/510902: This issue has been
resolved.]
■
The VPN PIM neighborship over the mt- interfaces might not recover after a
graceful Routing Engine switchover. [PR/511366: This issue has been resolved.]
■
When tcpdump or monitor traffic interface is run on a lo0 interface with an IP
address whose last octet is >= 224 (x.x.x.224 or higher), the following message
displays: "inet class for 0xe1e11955 unknown." [PR/511911: This issue has been
resolved.]
■
Under rare conditions, the compressed system-generated routing protocol process
core files might be corrupted. As a workaround, disable the compression using
sysctl kern.compress_user_cores. [PR/513193: This issue has been resolved.]
■
Setting the TCP maximum segment size (MSS) might not change the actual MSS
value. [PR/514196: This issue has been resolved.]
■
On M120 and MX Series routers, when an AE interface (with LACP enabled) is
used as a core-facing interface for L3VPN, non-MPLS traffic received on the AE
interface can sometimes get black-holed. To recover from this state, deactivate
and reactivate the AE interface in the configuration. [PR/514278: This issue has
been resolved.]
■
When IGMP snooping is enabled, a multicast traffic drop might be seen if an
IGMP join or leave occurs on other interfaces. [PR/515420: This issue has been
resolved.]
■
When the primary link flaps with the route-memory-enhanced statement enabled,
jtree might get corrupted and traffic forwarding is affected. As a workaround,
deactivate the route-memory-enhanced statement under the chassis stanza.
Changes to the route-memory-enhanced statement take effect only when Packet
Forwarding Engine is rebooted. [PR/517919: This issue has been resolved.]
■
On some M Series, MX Series, and T Series routers, when a firewall filter is
applied on the egress of an aggregate interface, packet loss might occur after
adding, removing, or changing the service configuration on the egress side of
the aggregate interface. As a workaround, deactivate and reactivate the output
firewall filter on the aggregate interface. [PR/517992: This issue has been
resolved.]
■
Under certain conditions, traffic flow through an RLSQ bundle can be dropped
after it is removed and added back to a VPN routing and forwarding table (VRF).
[PR/518170: This issue has been resolved.]
■
When container AE interfaces are enabled on JUNOS Release 10.0 or 10.1, the
following message displays when one of the member links flaps: “CHPJAR1-re0
fpc3 SCHED: %PFE-0: Thread 40 (PFE Manager) ran for 2015 ms without
yielding.” [PR/518714: This issue has been resolved.]
■
When the destination class usage (DCU) is configured with a unicast reverse-path
filter (uRPF) and egress forwarding-table filter within the VRF, a VPN route flap
might trigger a jtree memory leak. [PR/521609: This issue has been resolved.]
■
When a socket connection between the Routing Engine and the FPC is
reestablished, the FPC might run into a software crash because of an invalid
counter being referenced. There is no workaround. [PR/525357: This issue has
been resolved.]
■
On MX Series routers, repeated graceful Routing Engine switchover (GRES) under
certain configurations might result in kernel panics. Three kernel cores are
observed: with a soft update file system trace, with a TCP packet processing
stack trace, and with a trace of IFF configuration write. [PR/525583: This issue
has been resolved.]
■
On some routers, enabling IP-payload-based load balancing for MPLS packets
can cause some pseudowire packets to be reordered. [PR/528657: This issue
has been resolved.]
■
Asp_ifl_update messages might be seen on routers running JUNOS Release 10.0
and higher. Ignore these messages as they do not impact functionality.
[PR/532648: This issue has been resolved.]
■
A router might send raw IPv6 host-generated packets over the Ethernet towards
its BGP IPv6 peers. [PR/536336: This issue has been resolved.]
Routing Policy and Firewall Filters
■
On some M Series, MX Series, and T Series routers, when a family CCC filter is
applied on multiple interfaces that belong to different L2VPN routing instances,
packet loss might occur after the routing instances are deactivated and
reactivated. As a workaround, deactivate and reactivate the CCC filter on the
interfaces. [PR/521357: This issue has been resolved.]
Routing Protocols
■
The backup Routing Engine might generate routing protocol process and kernel
cores if BGP damping is configured along with nonstop active routing (NSR).
[PR/452217: This issue has been resolved.]
■
PIM asserts in dense groups can lead to a routing protocol process memory leak.
[PR/462589: This issue has been resolved.]
■
When a PIC with a PIM-enabled interface is brought online, the router might
send the first PIM hello slightly before the interface comes up. This causes the
router to drop the first PIM hello message towards its neighbor. [PR/482903:
This issue has been resolved.]
■
The Juniper Networks rendezvous point (RP) does not process PIM Register
messages from a first-hop router in an IPv6 embedded RP group when the
Register message does not have the null-bit set. [PR/486902: This issue has been
resolved.]
■
When nonstop active routing (NSR) is running and BGP groups are added (for
example, a VRF with BGP in it), the routing protocol process might crash. As a
workaround, configure the new BGP groups after disabling NSR. Then reenable NSR.
[PR/487305: This issue has been resolved.]
■
When l3vpn-composite-next-hop is configured, it should only be used by Layer
3 VPN routes. However, non-Layer 3 VPN routes are also able to use it.
[PR/496028: This issue has been resolved.]
■
After a graceful Routing Engine switchover (GRES) event with NSR enabled and
a scaled Layer 3 VPN eBGP test, some BGP sessions fail due to an expired
hold-down timer if the hold-down timer is lower than the default 30 seconds.
To avoid this issue, set the hold-down timer to the default value of 30 seconds.
[PR/501796: This issue has been resolved.]
■
When family inet6 addressing is added to a router configured with multicast
VPN, the routing protocol process might crash and restart. [PR/503296: This
issue has been resolved.]
■
Upon a graceful Routing Engine switchover with NSR, the routing protocol process
will crash due to a wrong process for the PIM instance. [PR/503921: This issue
has been resolved.]
■
Nonstop routing (NSR) does not work correctly if an automatic route distinguisher
is used with a Layer 2 VPN routing-instance. [PR/513949: This issue has been
resolved.]
■
When multiple sham-links are configured with the same remote endpoint IP
address, a commit error occurs and configuration checkout fails. [PR/515343:
This issue has been resolved.]
■
In route reflector and ASBR VPN scenarios, the routing protocol process might
crash as changes occur to a prefix in the primary table at the same time as BGP
tries to send out updates via the secondary table. [PR/515626: This issue has
been resolved.]
■
The mirror receive task variable might not be cleared when the routing protocol
process is heavily scaled. Hence, the NSR replication for RIP status stays in the
"InProgress" state forever. [PR/516003: This issue has been resolved.]
■
A warning message displays when the show igmp snooping interface command
is used with no IGMP snooping configured. [PR/516355: This issue has been
resolved.]
■
The configured robust count value is not applied on the non-querier router when
it receives a robust count value of 0. It uses the default value (2) instead of the
configured value. [PR/520252: This issue has been resolved.]
■
The new NSR master might not send the OSPF hello messages immediately after
a switchover. [PR/522036: This issue has been resolved.]
■
After a graceful restart, the forwarding state of both provider edge routers might
get stuck at the pruned state. However, traffic flow is not affected. [PR/522179:
This issue has been resolved.]
■
Upon an NSR mastership switch or ISSU upgrade, the multicast resolve route for
IPv4 224/4 or inet6 ff00::/8 might be missing within the forwarding table. To
recover from this condition, deactivate and reactivate the protocol pim stanza,
or restart the routing protocol process. [PR/522605: This issue has been resolved.]
■
When an l2circuit ID greater than 2,147,483,647 is configured, and l2circuit
tracing is enabled using the set protocols l2circuit traceoptions command, some
of the trace messages provide the wrong value (a negative number) for the virtual
circuit ID. [PR/523492: This issue has been resolved.]
■
The tag_encoder is unable to handle attempts to stack EXPLICIT_V6_NULL (label
2) over an existing stack with label 2 on top. Additionally, the BGP module does
not send label 2 when readvertising a prefix from an inet6 unicast session to an
inet6 labeled-unicast session. [PR/523824: This issue has been resolved.]
■
On MX80 routers, non-IS-IS fragmented GRE packets are filtered before they are
forwarded to the Routing Engine. [PR/529727: This issue has been resolved.]
■
For JUNOS Release 9.5 and higher, the BGP parse community begins with “0”
as the octal value. This behavior is different in earlier releases. [PR/530086: This
issue has been resolved.]
■
The master routing protocol process crashes three minutes after a graceful Routing
Engine switchover. [PR/533363: This issue has been resolved.]
■
The Overload bit in the ISIS LSP MT-TLV might trigger IS-IS to install a default
route to the overload bit advertiser and the show isis database extensive
command might report an unknown TLV. [PR/533680: This issue has been
resolved.]
■
When the labeled-unicast inet6 route is reflected by route reflectors, the label
might be set to explicit-null. [PR/534150: This issue has been resolved.]
■
The routing protocol process might crash when a BGP connection attempt is met
with an RST from the peer. This is due to an unlikely race condition. [PR/540895:
This issue has been resolved.]
Services Applications
■
For Adaptive Services II PICs, a temporary file might be created every 15 minutes
in the /var/log/flowc/ directory even if flow collector services is not configured.
The file is deleted if there are no clients, and re-created only when a client
connects and attempts to write to the file. [PR/75515: This issue has been
resolved.]
■
If the Juniper-Firewall-Attribute attribute in a RADIUS server configuration file
names a policer that sets a bandwidth limit for Layer 2 Tunneling Protocol (L2TP)
sessions but not an exclude-bandwidth limit, the bandwidth limit might not be
set correctly. [PR/254503: This issue has been resolved.]
■
On M Series routers (M120 and M320) with many service sets configured with
IDP policies, kernel messages are seen in the messages file once traffic passes
through these service sets. These messages stop when the traffic is stopped.
[PR/462580: This issue has been resolved.]
■
In JUNOS Release 10.0R2, a performance-related issue is seen when the IDP
plug-in is enabled. The connection per second value for HTTP (64 bytes) with
AACL, AI, and IDP (with Recommended Attacks group) plug-ins has been
downgraded to 7,600 through 7,900 per second. [PR/476162: This issue has
been resolved.]
■
On an MS-PIC or MS-DPC running NAT functionality, the show services nat pool
detail command might erroneously display positive and negative number of ports
in use. [PR/506880: This issue has been resolved.]
■
On an MS-PIC or MS-DPC running NAT functionality, the NAT ports might not
be released correctly, resulting in the resources being permanently allocated
until a PIC or DPC restart is triggered. [PR/509847: This issue has been resolved.]
■
When a backup gateway is configured in any term under an IPsec stanza, for
any subsequent terms where this backup gateway is now configured as the
primary, IPsec tunnel establishment will fail. [PR/510608: This issue has been
resolved.]
■
The MS-PIC or MS-DPC might restart if a high rate of SIP and RTSP traffic is
processed within the Application Layer Gateways (ALGs). [PR/512909: This issue
has been resolved.]
■
NAT over FTP fails when it receives a SERVER 227 code string "Entering passive
mode" in lowercase. [PR/522029: This issue has been resolved.]
■
L2tpd asserts when short frames are sent. This causes the l2tpd to crash. As per
RFC 1661 and 1662, such packets should be treated as invalid and discarded.
[PR/533057: This issue has been resolved.]
■
When traffic is forwarded in an L2TP session and a teardown request is received,
the ASPIC crashes with a memory access violation in mlppp_output. [PR/537225:
This issue has been resolved.]
Subscriber Access Management
■
BFD sessions and other protocol adjacencies configured with low hello or dead
timers over aggregate or IRB interfaces might flap upon configuration commit,
when the dhcp-local-server or dhcp-relay is used. [PR/507428: This issue has
been resolved.]
User Interface and Configuration
■
J-Web does not display the USB option under Maintain> Reboot> Reboot from
the media. [PR/464774: This issue has been resolved.]
■
If the time zone is set to “Europe/Berlin,” the command commit at "time-string"
will fail. [PR/483273: This issue has been resolved.]
■
If the user in the Backup Routing Engine with config-private mode activates
graceful Routing Engine switchover (GRES) and uses commit synchronize, a
synchronization error may occur during GRES switchover. [PR/486637: This
issue has been resolved.]
■
In configure private mode, activating or deactivating two consecutive nested
objects can cause a syntax error during commit. [PR/506677: This issue has
been resolved.]
■
The show log xxx | last x command behaves as if the screen length is set to 0,
and the --more xx%-- prompt does not appear. [PR/517023: This issue has been
resolved.]
■
On a router configured with a large number of interfaces, when a few interfaces
are constantly added and deleted, a minor memory leak may occur in the "pfed"
process. [PR/522346: This issue has been resolved.]
■
The group-inherited configuration under the [interface-range] hierarchy level does
not take effect. [PR/522872: This issue has been resolved.]
■
When | last is used with show commands, only the last line is displayed.
[PR/526695: This issue has been resolved.]
VPNs
■
While upgrading JUNOS Software with l2circuit configuration under the logical
systems, the validation might fail with an "interface version mismatch" error.
You can ignore this error and upgrade the JUNOS Software using the no-validate
option. [PR/497190: This issue has been resolved.]
■
On an egress PE acting as the leaf of a spmsi p-tunnel, if the ingress PE withdraws
the unicast route towards the source, the routing protocol process crashes when
the c-mcast route is withdrawn. [PR/517183: This issue has been resolved.]
■
The routing protocol process crashes repeatedly on the new master, a few minutes
after a graceful Routing Engine switchover (GRES). [PR/527465: This issue has
been resolved.]
■
When a CE-facing interface in a VPLS instance is deactivated, the routing protocol
process might get stuck in a loop, leading to a high CPU utilization. [PR/531987:
This issue has been resolved.]
Related Topics
■
New Features in JUNOS Release 10.1 for M Series, MX Series, and T Series Routers
■
Changes in Default Behavior and Syntax in JUNOS Release 10.1 for M Series,
MX Series, and T Series Routers
■
Errata and Changes in Documentation for JUNOS Software Release 10.1 for M
Series, MX Series, and T Series Routers
■
Upgrade and Downgrade Instructions for JUNOS Release 10.1 for M Series, MX
Series, and T Series Routers
Errata and Changes in Documentation for JUNOS Software Release 10.1 for M Series, MX
Series, and T Series Routers
Changes to the JUNOS Documentation Set
The title of the JUNOS Hierarchy and RFC Reference is now JUNOS Hierarchy and
Standards Reference.
Documentation for the extended DHCP relay agent feature is no longer included in
the Policy Framework Configuration Guide. For DHCP relay agent documentation, see
the Subscriber Access Configuration Guide or the documentation for subscriber access
management.
The new JUNOS Technical Documentation index page
(http://www.juniper.net/techpubs/software/junos/index.html) consolidates documentation
for JUNOS Software features that are common to all platforms that run JUNOS
Software. The new index page provides direct access to core JUNOS information and
links to information for JUNOS features that run on particular platforms.
Errata
This section lists outstanding issues with the documentation.
Class of Service
■
In JUNOS Release 10.1 and 10.2, the topic Example: Configuring Large Delay
Buffers for Slower Interfaces states “Assuming that the sched-best scheduler is
assigned to a T1 interface…” This is an error. The topic should state “Assuming
that the sched-exped scheduler is assigned to a T1 interface…”
[Class of Service]
High Availability
■
TX Matrix Plus routers and T1600 routers that are configured as part of a routing
matrix do not currently support nonstop active routing. [High Availability]
Integrated Multi-Services Gateway (IMSG)
■
Chapter 15, Maintenance and Failover in the IMSG, describes the IMSG high
availability feature. This feature is not supported in this release of the software.
[Multiplay Solutions]
■
The new-transaction-output-policies configuration statement was introduced in
JUNOS Release 10.1R1. The document did not mention the following restriction:
New transaction policies that include route or message-manipulation options
cannot be configured as new-transaction-output-policies.
[Integrated Multi-Service Gateway (IMSG), Multiplay Solutions, Services Interfaces
Configuration]
Interfaces and Chassis
■
The Configuring ECMP Next Hops for RSVP and LDP LSPs for Load Balancing topic
in the System Basics Configuration Guide does not mention the following caveat
for configuring ECMP next hops for RSVP LSPs:
If RSVP LSPs are configured with bandwidth allocation, for ECMP next hops with
more than 16 LSPs, traffic is not distributed optimally based on bandwidths
configured. Some LSPs with smaller allocated bandwidths receive more traffic
than the ones configured with higher bandwidths. Traffic distribution does not
strictly comply with the configured bandwidth allocation. This caveat is applicable
to the following routers:
■
T1600 and T640 routers with Enhanced Scaling FPC1, Enhanced Scaling
FPC2, Enhanced Scaling FPC3, Enhanced Scaling FPC 4, and all Type 4 FPCs
■
M320 routers with Enhanced III FPC1, Enhanced III FPC2, and Enhanced III
FPC3
■
MX Series routers with all types of FPCs and DPCs, excluding MPCs
NOTE: This caveat is not applicable to MX Series routers with line cards based on
the Junos Trio chipset.
■
M120 routers with Type 1, Type 2, and Type 3 FPCs
■
M10i routers with Enhanced CFEB
[System Basics]
■
On M Series, MX Series, and T Series routing platforms, the targeted-broadcast
statement that is used to forward direct broadcast packets to the targeted subnet
in a network is available in the CLI, but it is not functional for the three platforms
mentioned above in JUNOS Release 9.5 through 10.1.
■
In the Network Interfaces Configuration Guide, Chapter 61, Configuring SONET/SDH
Interfaces, a subsection titled Configuring APS Using a Container Interface with
ATM Encapsulation was included. This information was accidentally included
and should not have been published until JUNOS Release 10.4.
[Network Interfaces]
■
The Configuring Layer 2 Circuit Transport Mode chapter in the Network Interfaces
Configuration Guide states that one way to configure an ATM II interface to enable
a Layer 2 circuit connection across all versions of JUNOS Software is the following:
■
For Layer 2 circuit cell relay and Layer 2 trunk modes, the atm-l2circuit-mode
cell statement at the [edit chassis fpc slot pic slot] hierarchy level and the
encapsulation atm-ccc-cell-relay statement at the [edit interface interface-name]
hierarchy level.
The configuration above is correct and will interoperate with routers running all
versions of JUNOS Software.
However, the chapter does not mention that you can also include the
encapsulation atm-ccc-cell-relay statement at the [edit interface interface-name unit
logical-unit-number] hierarchy level. When you use this configuration, keep the
following points in mind:
■
This configuration interoperates between Juniper Networks routers running
JUNOS Release 8.2 or earlier.
■
This configuration does NOT interoperate with other network equipment,
including a Juniper Networks router running JUNOS Release 8.3 or later.
■
For a Juniper Networks router running JUNOS Release 8.3 or later to
interoperate with another Juniper Networks router running JUNOS Release
8.2 or earlier, on the router running JUNOS Release 8.3 or later, include the
use-null-cw statement at the [edit interfaces interface-name atm-options]
hierarchy level.
■
The use-null-cw statement inserts (for sending traffic) or strips (for receiving
traffic) an extra null control word in the MPLS packet.
■
The use-null-cw statement is not supported on a router running JUNOS Release
8.2 or earlier.
[Network Interfaces]
JUNOS XML API and Scripting
■
The Junos Configuration and Diagnostic Automation Guide erroneously states that
persistent changes work like the load merge command and transient changes
work like the load update command. Both persistent and transient changes
behave like the load replace command.
In the chapter Summary of JUNOS XML and XSLT Tag Elements Used in Commit
Scripts, the <change> and <transient-change> tag element summaries include
attributes for both tags. Neither the <change> tag nor the <transient-change> tag
has attributes. All references to the attributes in the Description section are not
applicable to these tags.
[Junos Configuration and Diagnostic Automation Guide]
Subscriber Access Management
The Subscriber Access Configuration Guide contains the following dynamic variable
errors:
■
The Configuring a Dynamic Profile for Client Access topic erroneously uses the
$junos-underlying-interface variable when an IGMP interface is configured in the
client access dynamic profile. The following example provides the appropriate
use of the $junos-interface-name variable:
[edit dynamic-profiles access-profile]
user@host# set protocols igmp interface $junos-interface-name
■
Table 25 in the Dynamic Variables Overview topic neglects to define the
$junos-igmp-version predefined dynamic variable. This variable is defined as
follows:
$junos-igmp-version—IGMP version configured in a client access profile. The
JUNOS Software obtains this information from the RADIUS server when a
subscriber accesses the router. The version is applied to the accessing subscriber
when the profile is instantiated. You specify this variable at the [dynamic-profiles
profile-name protocols igmp] hierarchy level for the interface statement.
In addition, the Subscriber Access Configuration Guide erroneously specifies the
use of a colon (:) when you configure the dynamic profile to define the IGMP
version for client interfaces. The following example provides the appropriate
syntax for setting the IGMP interface to obtain the IGMP version from RADIUS:
[edit dynamic-profiles access-profile protocols igmp interface $junos-interface-name]
user@host# set version $junos-igmp-version
■
The Subscriber Access Configuration Guide and the System Basics Configuration
Guide contain information about the override-nas-information statement. This
statement does not appear in the CLI and is not supported.
[Subscriber Access, System Basics]
■
When you modify dynamic CoS parameters with a RADIUS change of
authorization (CoA) message, the JUNOS Software accepts invalid configurations.
For example, if you specify a transmit rate that exceeds the allowed 100
percent, the system does not reject the configuration and returns unexpected
shaping behavior.
[Subscriber Access]
■
We do not support multicast RIF mapping and ANCP when configured
simultaneously on the same logical interface. For example, we do not support
a configuration in which a multicast VLAN and ANCP are configured on the same logical interface,
and the subscriber VLANs are the same for both ANCP and multicast.
[Subscriber Access]
■
The Guidelines for Configuring Dynamic CoS for Subscriber Access topic in the
Subscriber Access Configuration Guide erroneously states that dynamic CoS is
supported for dynamic VLANs on the Trio MPC/MIC family of products. In the
current release, dynamic CoS is supported only on static VLANs on Trio MPC/MIC
interfaces.
[Subscriber Access]
■
The Subscriber Access Configuration Guide incorrectly describes the
authentication-order statement as it is used for subscriber access management.
When configuring the authentication-order statement for subscriber access
management, you must always specify the radius method. Subscriber access
management does not support the password keyword (the default), and
authentication fails when you do not specify an authentication method.
[Subscriber Access]
■
In the JUNOS Subscriber Access Configuration Guide, Table 26, “RADIUS-Based
Mirroring Attributes” incorrectly indicates that RADIUS VSA 26-10,
Juniper-User-Permissions, is required for subscriber secure policy mirroring. In
fact, this VSA is not used.
[Subscriber Access]
User Interface and Configuration
■
The show system statistics bridge command displays system statistics on MX
Series routers. [System Basics Command Reference]
■
The mac-tlv-receive and mac-tlv-send statements were removed from Release 10.0
of the JUNOS Software and are no longer visible in the [edit logical-systems
logical-system-name routing-instances routing-instance-name protocols vpls] and
[edit routing-instances routing-instance-name protocols vpls] hierarchy levels.
Although the mac-tlv-receive and mac-tlv-send statements are recognized in the
current release, they will be removed in a future release. We recommend that
you update your configurations and use the mac-flush statement described in
the Changes in Default Behavior and Syntax in JUNOS Release 10.1 for M Series,
MX Series, and T Series Routers section of the release notes.
[VPNs]
VPNs
■
The JUNOS Software substantially supports the following RFCs for Layer 2 circuits,
as well as the Internet drafts listed in the published documentation:
■
RFC 4447, Pseudowire Setup and Maintenance Using the Label Distribution
Protocol (LDP)
The JUNOS Software does not support Section 5.3, “The Generalized PWid
FEC Element.”
■
RFC 4448, Encapsulation Methods for Transport of Ethernet over MPLS
Networks
[Hierarchy and Standards Reference]
■
In Chapter 19 Configuring VPLS of the VPNs Configuration Guide, an incorrect
statement that caused contradictory information about which platforms support
LDP BGP interworking has been removed. The M7i router was also omitted from
the list of supported platforms. The M7i router does support LDP BGP
interworking.
[VPNs]
Related Topics
■
New Features in JUNOS Release 10.1 for M Series, MX Series, and T Series Routers
■
Changes in Default Behavior and Syntax in JUNOS Release 10.1 for M Series,
MX Series, and T Series Routers
■
Issues in JUNOS Release 10.1 for M Series, MX Series, and T Series Routers
■
Upgrade and Downgrade Instructions for JUNOS Release 10.1 for M Series, MX
Series, and T Series Routers
Upgrade and Downgrade Instructions for JUNOS Release 10.1 for M Series, MX Series,
and T Series Routers
This section discusses the following topics:
■
Basic Procedure for Upgrading to Release 10.1
■
Upgrading a Router with Redundant Routing Engines
■
Upgrading Juniper Routers Running Draft-Rosen Multicast VPN to JUNOS Release
10.1
■
Upgrading the Software for a Routing Matrix
■
Upgrading Using ISSU
■
Upgrading from JUNOS Release 9.2 or Earlier on a Router Enabled for Both PIM
and NSR
■
Downgrade from Release 10.1
Basic Procedure for Upgrading to Release 10.1
In order to upgrade to JUNOS 10.0 or later, you must be running JUNOS 9.0S2, 9.1S1,
9.2R4, 9.3R3, 9.4R3, 9.5R1, or later minor versions, or you must specify the
no-validate option on the request system software install command.
When upgrading or downgrading the JUNOS Software, always use the jinstall package.
Use other packages (such as the jbundle package) only when so instructed by a Juniper
Networks support representative. For information about the contents of the jinstall
package and details of the installation process, see the Junos OS Installation and
Upgrade Guide.
NOTE: You cannot upgrade by more than three releases at a time. For example, if
your routing platform is running JUNOS Release 9.4 you can upgrade to JUNOS
Release 10.0 but not to JUNOS Release 10.1. As a workaround, first upgrade to JUNOS
Release 10.0 and then upgrade to JUNOS Release 10.1.
NOTE: With JUNOS Release 9.0 and later, the compact flash disk memory requirement
for JUNOS Software is 1 GB. For M7i and M10i routers with only 256 MB memory,
see the Customer Support Center JTAC Technical Bulletin PSN-2007-10-001 at
https://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2007-10-001&actionBtn=Search.
NOTE: Before upgrading, back up the file system and the currently active JUNOS
configuration so that you can recover to a known, stable environment in case the
upgrade is unsuccessful. Issue the following command:
user@host> request system snapshot
The installation process rebuilds the file system and completely reinstalls the JUNOS
Software. Configuration information from the previous software installation is retained,
but the contents of log files might be erased. Stored files on the routing platform,
such as configuration templates and shell scripts (the only exceptions are the
juniper.conf and ssh files) may be removed. To preserve the stored files, copy them
to another system before upgrading or downgrading the routing platform. For more
information, see the Junos OS System Basics Configuration Guide.
The download and installation process for JUNOS Release 10.1 is the same as for
previous JUNOS releases.
If you are not familiar with the download and installation process, follow these steps:
1.
Using a Web browser, follow the links to the download URL on the Juniper
Networks Web page. Choose either Canada and U.S. Version or Worldwide
Version:
■
https://www.juniper.net/support/csc/swdist-domestic/ (customers in the United
States and Canada)
■
https://www.juniper.net/support/csc/swdist-ww/ (all other customers)
2.
Log in to the Juniper Networks authentication system using the username
(generally your e-mail address) and password supplied by Juniper Networks
representatives.
3.
Download the software to a local host.
4.
Copy the software to the routing platform or to your internal software distribution
site.
5.
Install the new jinstall package on the routing platform.
NOTE: We recommend that you upgrade all software packages out of band using
the console because in-band connections are lost during the upgrade process.
Customers in the United States and Canada use the following command:
user@host> request system software add validate reboot
source/jinstall-10.1SR4.4-domestic-signed.tgz
All other customers use the following command:
user@host> request system software add validate reboot
source/jinstall-10.1SR4.4-export-signed.tgz
Replace source with one of the following values:
■
/pathname—For a software package that is installed from a local directory
on the router.
■
For software packages that are downloaded and installed from a remote
location:
■
ftp://hostname/pathname
■
http://hostname/pathname
■
scp://hostname/pathname (available only for Canada and U.S. version)
The validate option validates the software package against the current
configuration as a prerequisite to adding the software package to ensure that
the router reboots successfully. This is the default behavior when the software
package being added is a different release.
Adding the reboot command reboots the router after the upgrade is validated
and installed. When the reboot is complete, the router displays the login prompt.
The loading process can take 5 to 10 minutes.
Rebooting occurs only if the upgrade is successful.
NOTE: After you install a JUNOS 10.1 Release jinstall package, you cannot issue the
request system software rollback command to return to the previously installed
software. Instead you must issue the request system software add validate command
and specify the jinstall package that corresponds to the previously installed software.
NOTE: Before you upgrade a router that you are using for voice traffic, you should
monitor call traffic on each virtual BGF. Confirm that no emergency calls are active.
When you have determined that no emergency calls are active, you can wait for
nonemergency call traffic to drain as a result of graceful shutdown, or you can force
a shutdown. For detailed information on how to monitor call traffic before upgrading,
see the JUNOS Multiplay Solutions Guide.
Upgrading a Router with Redundant Routing Engines
If the router has two Routing Engines, perform a JUNOS Software installation on each
Routing Engine separately to avoid disrupting network operation as follows:
1.
Disable graceful Routing Engine switchover (GRES) on the master Routing Engine
and save the configuration change to both Routing Engines.
2.
Install the new JUNOS Software release on the backup Routing Engine while
keeping the currently running software version on the master Routing Engine.
3.
After making sure that the new software version is running correctly on the
backup Routing Engine, switch over to the backup Routing Engine to activate
the new software.
4.
Install the new software on the original master Routing Engine that is now active
as the backup Routing Engine.
For the detailed procedure, see the Junos OS Installation and Upgrade Guide.
Upgrading Juniper Routers Running Draft-Rosen Multicast VPN to JUNOS
Release 10.1
In releases prior to JUNOS Release 10.1, the draft-rosen multicast VPN feature
implements the unicast lo0.x address configured within that instance as the source
address used to establish PIM neighbors and create the multicast tunnel. In this mode,
the multicast VPN loopback address is used for reverse path forwarding (RPF) route
resolution to create the reverse path tree (RPT), or multicast tunnel. The multicast
VPN loopback address is also used as the source address in outgoing PIM control
messages.
In JUNOS Release 10.1 and later, you can use the router’s main instance loopback
(lo0.0) address (rather than the multicast VPN loopback address) to establish the PIM
state for the multicast VPN. We strongly recommend that you perform the following
procedure when upgrading to JUNOS Release 10.1 if your draft-rosen multicast VPN
network includes both Juniper Networks routers and other vendors’ routers functioning
as provider edge (PE) routers. Doing so preserves multicast VPN connectivity
throughout the upgrade process.
Because JUNOS Release 10.1 supports using the router’s main instance loopback
(lo0.0) address, it is no longer necessary for the multicast VPN loopback address to
match the main instance loopback address lo0.0 to maintain interoperability.
NOTE: You might want to maintain a multicast VPN instance lo0.x address to use
for protocol peering (such as IBGP sessions), or as a stable router identifier, or to
support the PIM bootstrap server function within the VPN instance.
Complete the following steps when upgrading routers in your draft-rosen multicast
VPN network to JUNOS Release 10.1 if you want to configure the router’s main
instance loopback address for draft-rosen multicast VPN:
1.
Upgrade all PE routers to JUNOS Release 10.1 before you configure the loopback
address for draft-rosen Multicast VPN.
NOTE: Do not configure the new feature until all the PE routers in the network have
been upgraded to JUNOS Release 10.1.
2.
After you have upgraded all routers, configure each router’s main instance
loopback address as the source address for multicast interfaces. Include the
default-vpn-source interface-name loopback-interface-name statement at the [edit
protocols pim] hierarchy level.
3.
After you have configured the router’s main loopback address on each PE router,
delete the multicast VPN loopback address (lo0.x) from all routers.
We also recommend that you remove the multicast VPN loopback address from
all PE routers from other vendors. In JUNOS releases prior to 10.1, to ensure
interoperability with other vendors’ routers in a draft-rosen multicast VPN
network, you had to perform additional configuration. Remove that configuration
from both the Juniper Networks routers and the other vendors’ routers. This
configuration should be on Juniper Networks routers and on the other vendors’
routers where you configured the lo0.mvpn address in each VRF instance as the
same address as the main loopback (lo0.0) address.
This configuration is not required when you upgrade to JUNOS Release 10.1 and
use the main loopback address as the source address for multicast interfaces.
NOTE: To maintain a loopback address for a specific instance, configure a loopback
address value that does not match the main instance address (lo0.0).
For more information about configuring the draft-rosen Multicast VPN feature, see
the JUNOS Multicast Configuration Guide.
Upgrading the Software for a Routing Matrix
A routing matrix can use either a TX Matrix router as the switch-card chassis (SCC)
or a TX Matrix Plus router as the switch-fabric chassis (SFC). By default, when you
upgrade software for a TX Matrix router or a TX Matrix Plus router, the new image
is loaded onto the TX Matrix or TX Matrix Plus router (specified in the JUNOS CLI by
using the scc or sfc option) and distributed to all T640 routers or T1600 routers in
the routing matrix (specified in the JUNOS CLI by using the lcc option). To avoid
network disruption during the upgrade, ensure the following conditions before
beginning the upgrade process:
■
A minimum of free disk space and DRAM on each Routing Engine. The software
upgrade will fail on any Routing Engine without the required amount of free disk
space and DRAM. To determine the amount of disk space currently available on
all Routing Engines of the routing matrix, use the CLI show system storage
command. To determine the amount of DRAM currently available on all the
Routing Engines in the routing matrix, use the CLI show chassis routing-engine
command.
■
The master Routing Engines of the TX Matrix or TX Matrix Plus router (SCC or
SFC) and T640 routers or T1600 routers (LCC) are all re0 or are all re1.
■
The backup Routing Engines of the TX Matrix or TX Matrix Plus router (SCC or
SFC) and T640 routers or T1600 routers (LCC) are all re1 or are all re0.
■
All master Routing Engines in all routers run the same version of software. This
is necessary for the routing matrix to operate.
■
All master and backup Routing Engines run the same version of software before
beginning the upgrade procedure. Different versions of the JUNOS Software can
have incompatible message formats especially if you turn on GRES. Because the
steps in the process include changing mastership, running the same version of
software is recommended.
■
For a routing matrix with a TX Matrix router, the same Routing Engine model is
used within a TX Matrix router (SCC) and within a T640 router (LCC) of a routing
matrix. For example, a routing matrix with an SCC using two RE-A-2000s and
an LCC using two RE-1600s is supported. However, an SCC or an LCC with two
different Routing Engine models is not supported. We suggest that all Routing
Engines be the same model throughout all routers in the routing matrix. To
determine the Routing Engine type, use the CLI show chassis hardware | match
routing command.
■
For a routing matrix with a TX Matrix Plus router, the SFC contains two model
RE-DUO-C2600-16G Routing Engines, and each LCC contains two model
RE-DUO-C1800-8G Routing Engines.
NOTE: It is considered best practice to make sure that all master Routing Engines
are re0 and all backup Routing Engines are re1 (or vice versa). For the purposes of
this document, the master Routing Engine is re0 and the backup Routing Engine is
re1.
To upgrade the software for a routing matrix, perform the following steps:
1.
Disable graceful Routing Engine switchover (GRES) on the master Routing Engine
(re0) and save the configuration change to both Routing Engines.
2.
Install the new JUNOS Software release on the backup Routing Engine (re1) while
keeping the currently running software version on the master Routing Engine
(re0).
3.
Load the new JUNOS Software on the backup Routing Engine. After making sure
that the new software version is running correctly on the backup Routing Engine
(re1), switch mastership back to the original master Routing Engine (re0) to
activate the new software.
4.
Install the new software on the new backup Routing Engine (re0).
For the detailed procedure, see the Routing Matrix with a TX Matrix Feature Guide or the
Routing Matrix with a TX Matrix Plus Feature Guide.
Upgrading Using ISSU
Unified in-service software upgrade (ISSU) enables you to upgrade between two
different JUNOS Software releases with no disruption on the control plane and with
minimal disruption of traffic. Unified in-service software upgrade is only supported
by dual Routing Engine platforms. In addition, graceful Routing Engine switchover
(GRES) and nonstop active routing (NSR) must be enabled. For additional information
about using unified in-service software upgrade, see the Junos OS High Availability
Configuration Guide.
Upgrading from JUNOS Release 9.2 or Earlier on a Router Enabled for Both
PIM and NSR
JUNOS Release 9.3 introduced NSR support for PIM for IPv4 traffic. However, the
following PIM features are not currently supported with NSR. The commit operation
fails if the configuration includes both NSR and one or more of these features:
■
Anycast RP
■
Draft-Rosen multicast VPNs (MVPNs)
■
Local RP
■
Next-generation MVPNs with PIM provider tunnels
■
PIM join load balancing
JUNOS Release 9.3 introduced a new configuration statement that disables NSR for
PIM only, so that you can activate incompatible PIM features and continue to use
NSR for the other protocols on the router: the nonstop-routing disable statement at
the [edit protocols pim] hierarchy level. (Note that this statement disables NSR for all
PIM features, not only incompatible features.)
If neither NSR nor PIM is enabled on the router to be upgraded or if one of the
unsupported PIM features is enabled but NSR is not enabled, no additional steps are
necessary and you can use the standard upgrade procedure described in other sections
of these instructions. If NSR is enabled and no NSR-incompatible PIM features are
enabled, use the standard reboot or ISSU procedures described in the other sections
of these instructions.
Because the nonstop-routing disable statement was not available in JUNOS Release
9.2 and earlier, if both NSR and an incompatible PIM feature are enabled on a router
to be upgraded from JUNOS Release 9.2 or earlier to a later release, you must disable
PIM before the upgrade and reenable it after the router is running the upgraded
JUNOS Software and you have entered the nonstop-routing disable statement. If your
router is running JUNOS Release 9.3 or later, you can upgrade to a later release
without disabling NSR or PIM. Simply use the standard reboot or ISSU procedures
described in the other sections of these instructions.
To disable and reenable PIM:
1.
On the router running JUNOS Release 9.2 or earlier, enter configuration mode
and disable PIM:
[edit]
user@host# deactivate protocols pim
user@host# commit
2.
Upgrade to JUNOS Release 9.3 or later software using the instructions appropriate
for the router type. You can either use the standard procedure with reboot or
use ISSU.
3.
After the router reboots and is running the upgraded JUNOS Software, enter
configuration mode, disable PIM NSR with the nonstop-routing disable statement,
and then reenable PIM:
[edit]
user@host# set protocols pim nonstop-routing disable
user@host# activate protocols pim
user@host# commit
Downgrade from Release 10.1
To downgrade from Release 10.1 to another supported release, follow the procedure
for upgrading, but replace the 10.1 jinstall package with one that corresponds to the
appropriate release.
NOTE: You cannot downgrade more than three releases. For example, if your routing
platform is running JUNOS Release 9.3, you can downgrade the software to
Release 9.0 directly, but not to Release 8.5 or earlier; as a workaround, you can first
downgrade to Release 9.0 and then downgrade to Release 8.5.
For more information, see the Junos OS Installation and Upgrade Guide.
Related Topics
■
New Features in JUNOS Release 10.1 for M Series, MX Series, and T Series Routers
■
Changes in Default Behavior and Syntax in JUNOS Release 10.1 for M Series,
MX Series, and T Series Routers
■
Issues in JUNOS Release 10.1 for M Series, MX Series, and T Series Routers
■
Errata and Changes in Documentation for JUNOS Software Release 10.1 for M
Series, MX Series, and T Series Routers
JUNOS Software Release Notes for Juniper Networks SRX Series Services Gateways
and J Series Services Routers
Powered by JUNOS Software, Juniper Networks SRX Series Services Gateways provide
robust networking and security services. SRX Series Services Gateways range from
lower-end devices designed to secure small distributed enterprise locations to high-end
devices designed to secure enterprise infrastructure, data centers, and server farms.
The SRX Series Services Gateways include the SRX100, SRX210, SRX240, SRX650,
SRX3400, SRX3600, SRX5600, and SRX5800 devices.
Juniper Networks J Series Services Routers running JUNOS Software provide stable,
reliable, and efficient IP routing, WAN and LAN connectivity, and management
services for small to medium-sized enterprise networks. These routers also provide
network security features, including a stateful firewall with access control policies
and screens to protect against attacks and intrusions, and IPsec VPNs. The J Series
Services Routers include the J2320, J2350, J4350, and J6350 devices.
■
New Features in JUNOS Release 10.1 for SRX Series Services Gateways and J
Series Services Routers
■
Changes In Default Behavior and Syntax in JUNOS Release 10.1 for SRX Series
Services Gateways and J Series Services Routers
■
Known Limitations in JUNOS Release 10.1 for SRX Series Services Gateways and
J Series Services Routers
■
Issues in JUNOS Release 10.1 for SRX Series Services Gateways and J Series
Services Routers
■
Errata and Changes in Documentation for JUNOS Release 10.1 for SRX Series
Services Gateways and J Series Services Routers
■
Hardware Requirements for JUNOS Release 10.1 for SRX Series Services Gateways
and J Series Services Routers
■
Dual-Root Partitioning Scheme Documentation for SRX Series Services
Gateways
■
Maximizing ALG Sessions
■
Using Dual Chassis Cluster Control Links: Upgrade Instructions for the Second
Routing Engine
■
Upgrade and Downgrade Instructions for JUNOS Release 10.1 for SRX Series
Services Gateways and J Series Services Routers
New Features in JUNOS Release 10.1 for SRX Series Services Gateways and J Series
Services Routers
The following features have been added to JUNOS Release 10.1. Following the
description is the title of the manual or manuals to consult for further information.
■
Software Features
■
Hardware Features
Software Features
Application Layer Gateways (ALGs)
■
DNS ALG—This feature is supported on SRX3400, SRX3600, SRX5600, and
SRX5800 devices in addition to existing support on SRX100, SRX210, SRX240,
and SRX650 devices. JUNOS Software for SRX Series devices provides Domain
Name System (DNS) support. The DNS ALG monitors DNS query and reply packets
and closes the session if the DNS flag indicates that the packet is a reply message.
To configure the DNS ALG, use the edit security alg dns statement at the [edit
security alg] hierarchy level.
[Junos OS Security Configuration Guide]
■
DNS doctoring support—This feature is supported on all SRX Series and J Series
devices.
Domain Name System (DNS) ALG functionality has been extended to support
static NAT. You should configure static NAT for the DNS server first. Then if the
DNS ALG is enabled, public-to-private and private-to-public static address
translation can occur for A-records in DNS replies.
The DNS ALG also now includes a maximum-message-length command option
with a value range of 512 to 8192 bytes and a default value of 512 bytes. The
DNS ALG will now drop traffic if the DNS message length exceeds the configured
maximum, if the domain name is more than 255 bytes, or if the label length is
more than 63 bytes. The ALG will also decompress domain name compression
pointers and retrieve their related full domain names, and check for the existence
of compression pointer loops and drop the traffic if a loop exists.
Note that the DNS ALG can translate the first 32 A-records in a single DNS reply.
A-records after the first 32 will not be handled. Also note that the DNS ALG
supports only IPv4 addresses and does not support VPN tunnels.
[Junos OS Security Configuration Guide]
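The DNS ALG checks described above (message length, 255-byte names, 63-byte labels, compression pointer loops, and static NAT rewriting of the first 32 A-records), as an added Python sketch that is not Juniper code. The `nat_map` dictionary stands in for configured static NAT rules; the function names and the sample reply are constructed for illustration.

```python
import ipaddress
import struct

MAX_NAME = 255       # bytes; limit quoted in the release note
MAX_LABEL = 63       # bytes; limit quoted in the release note
MAX_A_RECORDS = 32   # A-records translated per reply, per the release note


class DnsDrop(Exception):
    """A check failed; the ALG would drop the traffic."""


def read_name(msg, pos):
    """Decode the domain name at pos. Returns (dotted_name, offset_after_name)."""
    labels, wire_len, visited, after = [], 1, set(), None
    while True:
        if pos >= len(msg):
            raise DnsDrop("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if pos + 1 >= len(msg):
                raise DnsDrop("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if after is None:
                after = pos + 2                        # caller resumes after the first pointer
            if target in visited:                      # same target twice means a cycle
                raise DnsDrop("compression pointer loop")
            visited.add(target)
            pos = target
            continue
        if length > MAX_LABEL:
            raise DnsDrop("label longer than 63 bytes")
        if length == 0:                                # root label terminates the name
            return ".".join(labels), (pos + 1 if after is None else after)
        wire_len += length + 1
        if wire_len > MAX_NAME:
            raise DnsDrop("domain name longer than 255 bytes")
        if pos + 1 + length > len(msg):
            raise DnsDrop("label runs past end of message")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length


def inspect_reply(msg, nat_map, max_message_length=512):
    """Validate a DNS reply and rewrite A-record addresses listed in nat_map.

    Returns (new_message, [(owner_name, old_ip, new_ip), ...]).
    Assumption of this sketch: A-records in every section are candidates.
    """
    if len(msg) > max_message_length:
        raise DnsDrop("message longer than maximum-message-length")
    if len(msg) < 12:
        raise DnsDrop("short header")
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    out, pos, done, a_seen = bytearray(msg), 12, [], 0
    for _ in range(qd):
        _, pos = read_name(msg, pos)
        pos += 4                                       # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        name, pos = read_name(msg, pos)
        if pos + 10 > len(msg):
            raise DnsDrop("truncated resource record")
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if pos + rdlen > len(msg):
            raise DnsDrop("RDATA runs past end of message")
        if rtype == 1 and rclass == 1 and rdlen == 4:  # IN A
            a_seen += 1
            old = str(ipaddress.IPv4Address(msg[pos:pos + 4]))
            if a_seen <= MAX_A_RECORDS and old in nat_map:
                # A-record RDATA is fixed at 4 bytes, so the rewrite is in place
                out[pos:pos + 4] = ipaddress.IPv4Address(nat_map[old]).packed
                done.append((name, old, nat_map[old]))
        pos += rdlen
    return bytes(out), done


def build_sample_reply(addrs):
    """Constructed sample: reply for www.example.com, one compressed A-record per address."""
    qname = b"\x03www\x07example\x03com\x00"
    msg = struct.pack("!6H", 0x1234, 0x8180, 1, len(addrs), 0, 0) + qname + struct.pack("!HH", 1, 1)
    for addr in addrs:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(addr).packed
    return msg


if __name__ == "__main__":
    reply = build_sample_reply(["10.0.0.5"])
    _, translated = inspect_reply(reply, {"10.0.0.5": "203.0.113.5"})
    print(translated)
```

Because a label length byte with either of its top two bits set is a pointer or a reserved type, the 63-byte label check and the pointer check both come from the same byte.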
■
MS RPC ALG—This feature is now supported on SRX3400, SRX3600, SRX5600,
and SRX5800 devices in addition to existing support on SRX100, SRX210,
SRX240, SRX650, and J Series devices.
The Microsoft remote procedure call (RPC) provides a way for a program running
on one host to call procedures in a program running on another host. Because
of the large number of RPC services and the need to broadcast, the transport
address of an RPC service is dynamically negotiated based on the service
program’s universal unique identifier (UUID). The specific UUID is mapped to
a transport address.
JUNOS Software supports MS RPC as a predefined service to allow and deny
traffic based on a policy you configure. The MS RPC ALG provides the functionality
for all supported devices to handle the dynamic transport address negotiation
mechanism of the MS RPC and to ensure UUID-based security policy enforcement.
You can define a security policy to permit or deny all RPC requests or to permit
or deny by specific UUID number. The ALG also supports route and Network
Address Translation (NAT) mode for incoming and outgoing requests.
[Junos OS Security Configuration Guide]
■
SQL ALG—This feature is now supported on SRX3400, SRX3600, SRX5600,
and SRX5800 devices in addition to existing support on SRX100, SRX210,
SRX240, SRX650, and J Series devices.
Enabling the Structured Query Language (SQL) ALG on an SRX Series device or
a J Series device allows SQL*Net traffic in SQL redirect mode to traverse an SRX
Series device by creating a TCP pinhole. If the SQL*Net traffic is not in redirect
mode, it will not be handled by the SQL ALG and will instead be processed by
configured firewall policies. SQL*Net is a proprietary protocol used by Oracle
databases for data access and sharing over networks. Note that the SQL ALG
supports only IPv4 addresses as of JUNOS Release 10.1.
[Junos OS Security Configuration Guide]
■
Sun RPC ALG—This feature is now supported on SRX3400, SRX3600, SRX5600,
and SRX5800 line devices in addition to existing support on SRX100, SRX210,
SRX240, SRX650, and J Series devices.
Sun Microsystems RPC provides a way for a program running on one host to
call procedures in a program running on another host. Because of the large
number of RPC services and the need to broadcast, the transport address of an
RPC service is dynamically negotiated based on the service’s program number
and version number. Several binding protocols are defined for mapping the RPC
program number and version number to a transport address.
JUNOS Software supports the Sun RPC as a predefined service to allow and deny
traffic, based on a security policy you configure. The Sun RPC ALG provides the
functionality for all supported devices to handle the dynamic transport address
negotiation mechanism of the Sun RPC and to ensure program number-based
security policy enforcement. You can define a security policy to permit or deny
all RPC requests or to permit or deny by specific program number. The ALG also
supports route and NAT mode for incoming and outgoing requests.
[Junos OS Security Configuration Guide]
Chassis Cluster
■
Interface link aggregation in redundant Ethernet interfaces—This feature is
supported on SRX3400, SRX3600, SRX5600, and SRX5800 device chassis clusters.
Link aggregation groups (LAGs) can now be established across nodes in a chassis
cluster. In JUNOS Release 10.1, support for LAGs based on IEEE 802.3ad made
it possible to aggregate physical interface links on a standalone device. LAGs
provide increased interface bandwidth and link availability by linking physical
ports and load-balancing traffic crossing the combined interface. In JUNOS Release
10.1, link aggregation has been extended to chassis cluster configuration, allowing
a redundant Ethernet interface (known as a reth interface in CLI commands) to
add multiple child interfaces from both nodes and thereby create a redundant
Ethernet interface link aggregation group.
Other than adding more child interfaces (up to a maximum of 16, with 8 per
node) to a redundant Ethernet interface, no other configuration on an SRX Series
device beyond the more general chassis cluster, redundancy group, and redundant
Ethernet interface configuration is necessary to use this feature. It is necessary,
however, for the switch used to connect the links from both nodes in the cluster
to have a LAG link configured and 802.3ad enabled for each redundant Ethernet
interface LAG on both nodes so that the aggregate links will be recognized.
Standalone link aggregation group interfaces (ae) are supported on clustered
devices but cannot be added to redundant Ethernet interfaces. Likewise, any
child interface of an existing LAG cannot be added to a redundant Ethernet
interface, and vice versa. The maximum number of total combined standalone
aggregate interfaces (ae) and redundant Ethernet interfaces (reth) per cluster is
128.
Redundant Ethernet interface configuration also includes a minimum-links setting
that allows you to set a minimum number of physical child links in a redundant
Ethernet interface LAG that must be working on the primary node for the interface
to be up. The default minimum-links value is 1. When the number of physical
links on the primary node in a redundant Ethernet interface falls below the
minimum-links value, the interface will be down even if some links are still
working.
Note that management, control, and fabric interfaces do not support standalone
LAGs or redundant Ethernet interface LAGs in JUNOS Release 10.1.
[Junos OS Security Configuration Guide]
■
Redundancy group IP address monitoring through a secondary interface—This
feature is supported on SRX3400, SRX3600, SRX5600 and SRX5800 devices.
In JUNOS Release 10.1, redundancy group IP address monitoring through a
redundant Ethernet (reth) interface has been extended to include monitoring of
addresses on secondary links as well as on primary links. Redundancy group
failover can thus be tied to the health of both the IP addresses that are currently
important to traffic reliability and the IP addresses that will become important
to traffic reliability in the event of a failover.
Monitoring can be accomplished only if the IP address is reachable on a redundant
Ethernet interface, and IP addresses cannot be monitored over a tunnel. IP
address monitoring is not supported on redundant Ethernet interface LAGs or
on the child interfaces bound to a redundant Ethernet interface LAG. The feature
also cannot be used on a cluster running in transparent mode. The maximum
number of total monitoring IPs that can be configured per cluster remains 32
for SRX3400 and SRX3600 devices, and 64 for SRX5600 and SRX5800 devices.
[Junos OS Security Configuration Guide]
Integrated Convergence Services
■
DSCP marking for RTP packets generated by SRX Series Integrated
Convergence Services—This feature is supported on SRX210 and SRX240 devices
that have high memory, power over Ethernet capability, and media gateway
capability.
Configure Differentiated Services (DiffServ) code point (DSCP) marking to set
the desired DSCP bits for Real-Time Transport Protocol (RTP) packets generated
by SRX Series Integrated Convergence Services.
DSCP bits are the 6-bit bit map in the IP header used by devices to determine
the forwarding priority of packet routing. When the DSCP bits of RTP packets
generated by Integrated Convergence Services are configured, the downstream
device can then classify the RTP packets and direct them to a higher priority
queue in order to achieve better voice quality when packet traffic is congested.
Juniper Networks devices provide classification, priority queuing, and other kinds
of class-of-service (CoS) configuration under the Class-of-Service configuration
hierarchy.
Note that the Integrated Convergence Services DSCP marking feature marks only
RTP packets of calls that it terminates, which include calls to peer call servers
and to peer proxy servers that provide SIP trunks. If a call is not terminated by
Integrated Convergence Services, then DSCP marking does not apply.
To configure the DSCP marking bitmap for calls terminated by Integrated
Convergence Services and the address of the peer call server or peer proxy server
to which these calls are routed, use the media-policy statement at the [edit services
converged-services] hierarchy level.
set services convergence-service service-class < name > dscp < bitmap >
set services convergence-service service-class media-policy < name > term < term-name > from peer-address [< addresses >]
set services convergence-service service-class media-policy < name > term then service-class < name >
Interfaces and Routing
■
DOCSIS Mini-PIM interface—DOCSIS Mini-PIM is currently supported with
Comcast ISP service.
The Data over Cable Service Interface Specification (DOCSIS) defines the
communications and operation support interface requirements for a
data-over-cable system. It is used by cable operators to provide Internet access
over their existing cable infrastructure for both residential and business
customers. DOCSIS 3.0 is the latest interface standard, allowing channel bonding
to deliver speeds higher than 100 Mbps throughput in either direction, far
surpassing other WAN technologies such as T1/E1, ADSL2+, ISDN, and DS3.
DOCSIS network architecture includes a cable modem on SRX Series Services
Gateways with a DOCSIS Mini-Physical Interface Module (Mini-PIM) located at
customer premises, and a cable modem termination system (CMTS) located at
the head-end or data center locations. The standards-based DOCSIS 3.0 Mini-PIM
is interoperable with CMTS equipment. The DOCSIS Mini-PIM provides backward
compatibility with CMTS equipment based on the following standards:
■
DOCSIS 2.0
■
DOCSIS 1.1
■
DOCSIS 1.0
The DOCSIS Mini-PIM is supported on the following SRX Series Services Gateways:
■
SRX210
■
SRX240
The DOCSIS Mini-PIM has the following key features:
■
Provides high data transfer rates of over 150 Mbps downstream
■
Supports 4-downstream and 4-upstream channel bonding
■
Supports quality of service (QoS)
■
Provides interoperability with any DOCSIS-compliant cable modem
termination system (CMTS)
■
Supports IPv6 and IPv4 for modem management interfaces
■
Supports Baseline Privacy Interface Plus (BPI+)
■
Supports Advanced Encryption Standard (AES)
[Junos OS Security Configuration Guide]
■
Very-high-bit-rate digital subscriber line (VDSL)—VDSL technology is part of
the xDSL family of modem technologies that provide faster data transmission
over a single flat untwisted or twisted pair of copper wires.
The VDSL lines connect service provider networks and customer sites to provide
high bandwidth applications (Triple Play services) such as high-speed Internet
access, telephone services like voice over IP (VoIP), high-definition TV (HDTV),
and interactive gaming services over a single connection. VDSL2 is an
enhancement to VDSL and permits the transmission of asymmetric and
symmetric (full-duplex) aggregate data rates up to 100 Mbps on short copper
loops using a bandwidth of up to 30 MHz. The VDSL2 technology is based on
the ITU-T G.993.2 standard.
The following SRX Series Services Gateways support the VDSL2 Mini-Physical
Interface Module (Mini-PIM) (Annex A):
■
SRX210 Services Gateway
■
SRX240 Services Gateway
The VDSL2 Mini-PIM carries the Ethernet backplane. When the Mini-PIM is
plugged into the chassis, the Mini-PIM connects to one of the ports of the
baseboard switch.
The VDSL2 Mini-PIM supports the following features:
■
Asymmetric Digital Subscriber Line (ADSL), ADSL2, and ADSL2+ backward
compatibility with Annex-A, Annex-M Support
■
PTM or EFM [802.3ah] support
■
Operation, Administration, and Maintenance (OAM) support for
ADSL/ADSL2/ADSL2+ Asynchronous Transfer Mode (ATM)
■
ATM quality of service (QoS) (supported only when the VDSL2 Mini-PIM is
operating in ADSL2 mode)
■
Multilink Point-to-Point Protocol (MLPPP) (supported only when the VDSL2
Mini-PIM is operating in ADSL2 mode)
■
Maximum Transmission Unit (MTU) size of 1500 bytes
■
Support for maximum of 10 permanent virtual circuits (PVCs) (only in
ADSL/ADSL2/ADSL2+ mode)
■
Dying gasp support (ADSL and VDSL2 mode)
■
Online insertion and removal (hot swap) for SRX650 GPIMs—Online insertion
and removal (OIR) functionality is supported on CPU-based and CPU-less
Gigabit-Backplane Physical Interface Modules (GPIMs). You can remove or insert
a GPIM without powering off the device. The following GPIMs are supported on
SRX650 devices:
■
24-port Ethernet GPIM (with and without Power over Ethernet [PoE])
■
16-port Ethernet GPIM (with and without PoE)
■
2-port and 4-port CT1/E1 GPIM
■
Implement the Point-to-Point Protocol over Ethernet (PPPoE)-based
radio-to-router protocol—This feature is supported on SRX Series and J Series
devices.
JUNOS Release 10.1 supports PPPoE-based radio-to-router protocols. These
protocols include messages that define how an external device provides the
router with timely information about the quality of a link’s connection. There is
also a flow control mechanism to indicate how much data the device can forward.
The device can then use the information provided in the PPPoE messages to
dynamically adjust the interface speed of the PPP links. Use the radio-router
statement from the [set interfaces <unit>] hierarchy to indicate that metrics
announcements received on the interface will be processed by the device.
■
Class of service (CoS) for devices operating in transparent mode—This feature
is supported on SRX3400, SRX3600, SRX5600, and SRX5800 devices.
SRX3400, SRX3600, SRX5600, and SRX5800 devices operating in Layer 2
transparent mode support the following CoS functions:
■
IEEE 802.1p behavior aggregate (BA) classifiers to determine the forwarding
treatment for packets entering the device
Note that only IEEE 802.1p BA classifier types are supported on devices
operating in transparent mode.
■
Rewrite rules to redefine IEEE 802.1 CoS values in outgoing packets
Note that rewrite rules that redefine IP precedence CoS values and DSCP
CoS values are not supported on devices operating in transparent mode.
■
Shapers to apply rate limiting to an interface
■
Schedulers that define the properties of an output queue
You configure BA classifiers and rewrite rules on transparent mode devices in
the same way as on devices operating in Layer 3 mode. For transparent mode
devices, however, you apply BA classifiers and rewrite rules only to logical
interfaces configured with the family bridge configuration statement.
You configure shapers and schedulers on transparent mode devices in the same
way as on devices operating in Layer 3 mode.
[Junos OS Interfaces and Routing Configuration Guide]
■
Layer 2 Q-in-Q tunneling—This feature is supported on SRX210, SRX240,
SRX650, and J Series devices.
Q-in-Q tunneling, defined by the IEEE 802.1ad standard, allows service providers
on Ethernet access networks to extend a Layer 2 Ethernet connection between
two customer sites.
In Q-in-Q tunneling, as a packet travels from a customer virtual LAN (C-VLAN)
to a service provider's VLAN, a service provider-specific 802.1Q tag is added to
the packet. This additional tag is used to segregate traffic into
service-provider-defined service VLANs (S-VLANs). The original customer 802.1Q
tag of the packet remains and is transmitted transparently, passing through the
service provider's network. As the packet leaves the S-VLAN in the downstream
direction, the extra 802.1Q tag is removed.
There are three ways to map C-VLANs to an S-VLAN:
■
All-in-one bundling—Use the dot1q-tunneling statement at the [edit vlans]
hierarchy to map without specifying customer VLANs. All packets from a
specific access interface are mapped to the S-VLAN.
■
Many-to-one bundling—Use the customer-vlans statement at the [edit vlans]
hierarchy to specify which C-VLANs are mapped to the S-VLAN.
■
Mapping C-VLAN on a specific interface—Use the mapping statement at the
[edit vlans] hierarchy to map a specific C-VLAN on a specified access interface
to the S-VLAN.
Table 3 lists the C-VLAN-to-S-VLAN mapping supported on identified
SRX Series and J Series devices.
Table 3: C-VLAN to S-VLAN Mapping Supported on SRX Series and J Series Devices
Mapping                                 SRX210  SRX240  SRX650  J Series (PIM)
All-in-one bundling                     Yes     Yes     Yes     Yes
Many-to-one bundling                    No      No      Yes     No
Mapping C-VLAN on a specific interface  No      No      Yes     No
Integrated bridging and routing (IRB) interfaces are supported on Q-in-Q VLANs
for SRX210, SRX240, SRX650, and J Series devices. Packets arriving on an IRB
interface on a Q-in-Q virtual LAN (VLAN) are routed regardless of whether the
packet is single or double tagged. The outgoing routed packets contain an S-VLAN
tag only when exiting a trunk interface; the packets exit the interface untagged
when exiting an access interface.
In a Q-in-Q deployment, customer packets from downstream interfaces are
transported without any changes to the source and destination media access
control (MAC) addresses. You can disable MAC address learning at both the
interface level and the VLAN level. Disabling MAC address learning on an interface
disables learning for all the VLANs of which that interface is a member. When
you disable MAC address learning on a VLAN, MAC addresses that have already
been learned are flushed.
[Junos OS Interfaces and Routing Configuration Guide]
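The tag handling and the three C-VLAN-to-S-VLAN mapping styles described for Q-in-Q tunneling above, as an added Python sketch that is not Juniper code. The S-tag TPID 0x88A8 is the IEEE 802.1ad value and is an assumption here (the page does not say which TPID is used); the `SAMPLE_SVLANS` model, its first-match ordering, the interface names and the sample frame are constructed for illustration.

```python
import struct

TPID_CTAG = 0x8100   # IEEE 802.1Q customer tag
TPID_STAG = 0x88A8   # IEEE 802.1ad service tag (assumed; not stated on the page)

# Hypothetical in-memory model of the three mapping styles; entries are tried in order.
SAMPLE_SVLANS = [
    {"svid": 100, "mode": "all-in-one", "ports": {"ge-0/0/1"}},
    {"svid": 200, "mode": "many-to-one", "ports": {"ge-0/0/2"}, "cvlans": {10, 11}},
    {"svid": 300, "mode": "mapping", "map": {("ge-0/0/3", 30)}},
]


def split_frame(frame):
    """Return (macs, [(tpid, vid), ...], rest); rest starts at the EtherType."""
    macs, pos, tags = frame[:12], 12, []
    while len(frame) >= pos + 4:
        tpid, tci = struct.unpack("!HH", frame[pos:pos + 4])
        if tpid not in (TPID_CTAG, TPID_STAG):
            break
        tags.append((tpid, tci & 0x0FFF))       # low 12 bits of the TCI are the VLAN ID
        pos += 4
    return macs, tags, frame[pos:]


def select_svlan(svlans, iface, cvid):
    """Return the S-VLAN ID for a frame from access port iface with C-VLAN cvid, or None."""
    for s in svlans:
        if s["mode"] == "all-in-one" and iface in s["ports"]:
            return s["svid"]                    # every packet from the port, tagged or not
        if s["mode"] == "many-to-one" and iface in s["ports"] and cvid in s["cvlans"]:
            return s["svid"]                    # only the listed customer VLANs
        if s["mode"] == "mapping" and (iface, cvid) in s["map"]:
            return s["svid"]                    # one C-VLAN on one access interface
    return None


def push_stag(frame, svid, pcp=0):
    """Insert the service tag directly after the MAC addresses; the C-tag is untouched."""
    if not 1 <= svid <= 4094:
        raise ValueError("S-VLAN ID out of range")
    return frame[:12] + struct.pack("!HH", TPID_STAG, (pcp << 13) | svid) + frame[12:]


def pop_stag(frame):
    """Remove the outer service tag as the packet leaves the S-VLAN downstream."""
    if len(frame) < 16 or struct.unpack("!H", frame[12:14])[0] != TPID_STAG:
        raise ValueError("outer tag is not an S-tag")
    return frame[:12] + frame[16:]


def upstream(svlans, iface, frame):
    """Classify a customer frame and add the S-tag; None if no S-VLAN matches."""
    _, tags, _ = split_frame(frame)
    cvid = tags[0][1] if tags else None
    svid = select_svlan(svlans, iface, cvid)
    return None if svid is None else push_stag(frame, svid)


def sample_frame(cvid):
    """Constructed sample: IPv4 frame carrying customer VLAN cvid."""
    macs = bytes.fromhex("02000000000a" "02000000000b")
    return macs + struct.pack("!HH", TPID_CTAG, cvid) + struct.pack("!H", 0x0800) + b"payload"


if __name__ == "__main__":
    tunneled = upstream(SAMPLE_SVLANS, "ge-0/0/2", sample_frame(10))
    print(split_frame(tunneled)[1])             # outer S-tag first, then the customer tag
    print(pop_stag(tunneled) == sample_frame(10))
```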
■
Layer 2 Link Layer Discovery Protocol (LLDP) and Link Layer Discovery
Protocol–Media Endpoint Discovery (LLDP-MED)—This feature is supported
on SRX100, SRX210, SRX240, SRX650, and J Series devices.
Devices use LLDP and LLDP-MED to learn and distribute device information on
network links. The information allows the device to quickly identify a variety of
systems, resulting in a LAN that interoperates smoothly and efficiently.
LLDP-capable devices transmit information in type, length, and value (TLV)
messages to neighbor devices. Device information can include specifics such as
chassis and port identification and system name and system capabilities. The
TLVs leverage this information from parameters that have already been configured
in the Juniper Networks JUNOS Software.
LLDP-MED goes one step further, exchanging IP-telephony messages between
the device and the IP telephone. These TLV messages provide detailed information
on PoE policy. The PoE management TLVs let the device ports advertise the
power level and power priority needed. For example, the device can compare
the power needed by an IP telephone running on a PoE interface with available
resources. If the device cannot meet the resources required by the IP telephone,
the device could negotiate with the telephone until a compromise on power is
reached.
LLDP and LLDP-MED must be explicitly configured on universal Physical Interface
Modules (uPIMs) (in enhanced switching mode) on J Series devices, base ports
on SRX100, SRX210, and SRX240 devices, and Gigabit-Backplane Physical
Interface Modules (GPIMs) on SRX650 devices. To configure LLDP on all interfaces
or on a specific interface, use the lldp statement at the [set protocols] hierarchy.
To configure LLDP-MED on all interfaces or on a specific interface, use the lldp-med
statement at the [set protocols] hierarchy.
[Junos OS Interfaces and Routing Configuration Guide]
■
Promiscuous mode—This feature is supported on SRX3400, SRX3600, SRX5600,
and SRX5800 devices.
When promiscuous mode is enabled on a Layer 3 Ethernet interface, all packets
received on the interface are sent to the CP/Services Processing Unit (SPU)
regardless of the destination MAC address of the packet. You can also enable
promiscuous mode on chassis cluster redundant Ethernet interfaces and
aggregated Ethernet interfaces. If you enable promiscuous mode on a redundant
Ethernet interface, promiscuous mode is then enabled on any child physical
interfaces. If you enable promiscuous mode on an aggregated Ethernet interface,
promiscuous mode is then enabled on all member interfaces.
To enable promiscuous mode on an interface, use the promiscuous-mode
statement at the [edit interfaces] hierarchy.
[Junos OS Interfaces and Routing Configuration Guide]
Intrusion Detection and Prevention (IDP)
■
IDP in an active/active chassis cluster—This feature is supported on SRX3400,
SRX3600, SRX5600, and SRX5800 devices.
Intrusion Detection and Prevention (IDP) can now monitor traffic on active/active
chassis clusters. As in active/passive clusters, sessions already in progress that
fail over or fail back are not inspected by IDP in an active/active cluster. New
sessions created after a failover will, however, be inspected by IDP. There are
no changes to IDP deployment or logging as a result of extending support to
active/active high-end device clusters.
IDP also now supports chassis cluster in-service software upgrades (ISSUs), which
means that new sessions will continue to be inspected during the ISSU. However,
because ISSU requires the nodes to fail over and fail back as the upgrade
proceeds, IDP monitoring of any sessions that fail over will cease. It should not
be necessary to restart IDP once the ISSU is completed. Note that IDP ISSU
support is available on both active/passive and active/active chassis clusters.
[Junos OS Security Configuration Guide]
■
IDP application identification enhancement for extended applications with
threat prevention support—This feature is supported on SRX3400, SRX3600,
SRX5600, and SRX5800 devices.
With the increased use of application protocol encapsulation, the need arises to
support the identification of multiple different applications running on the same
Layer 7 protocols. In order to do this, the current application identification layer
is split into two layers: application and protocol. New extended application
signatures have been added to identify these extended applications.
[Junos OS Security Configuration Guide]
■
Command-line interface (CLI) enhancements supported for J-Web—This
feature is supported on SRX Series and J Series devices.
Additional functionality has been added to existing IDP J-Web pages for several
new CLI commands that perform tasks such as the following: list detailed security
download status information, list subscriber policies, and add additional IDP
packet counters to differentiate a packet drop that is the result of a policy from
a legitimate drop or an error drop. There are several more newly added
commands.
[JUNOS CLI Reference Guide]
■
SNMP MIB for IDP Monitoring—This feature is now supported on SRX3400,
SRX3600, SRX5600, and SRX5800 devices in addition to existing support on
SRX100, SRX210, SRX240, and SRX650 devices.
[Junos OS Security Configuration Guide]
■
Application-level DDoS logging—This feature is supported on SRX3400,
SRX3600, SRX5600, and SRX5800 devices with IDP enabled.
IDP now provides logging for application-level DDoS events. IDP generates three
types of application-level DDoS event logs: attack, state transition, and ip-action.
These event logs provide visibility into the application-level DDoS state and
provide notifications on occurrences of application-level DDoS attacks for each
protected application server.
[Junos OS CLI Reference, Junos OS Security Configuration Guide]
Manual BIOS Upgrade Using JUNOS CLI
■
This feature is supported on SRX100, SRX210, SRX240, and SRX650 devices.
■
For branch SRX Series devices, the BIOS is made up of U-boot and the JUNOS loader.
In addition, SRX240 and SRX650 devices have a U-shell binary as part of the
BIOS.
■
SRX100, SRX210, and SRX240 devices support a backup BIOS, which
consists of a backup copy of U-boot in addition to the active copy from which
the system generally boots up.
Table 4 provides details of BIOS components supported for different
platforms.
Table 4: Manual BIOS Upgrade Components
BIOS Components   SRX100  SRX210  SRX240  SRX650
Active  U-boot    Yes     Yes     Yes     Yes
        Loader    Yes     Yes     Yes     Yes
        U-shell                   Yes     Yes
Backup  U-boot    Yes     Yes     Yes
Table 5 lists the CLI commands used for manual BIOS upgrade.
Table 5: CLI Commands for Manual BIOS Upgrade
Active BIOS                              Backup BIOS
request system firmware upgrade re bios  request system firmware upgrade re bios backup
Procedure for BIOS upgrade
1.
Installing a jloader-srxsme package
1.
Copy the jloader-srxsme signed package to the device.
NOTE: This package should be of the same version as the corresponding
JUNOS package. For example, on a device with a 10.2 JUNOS package installed,
the jloader-srxsme package should also be of version 10.2.
2.
Install the package using the request system software add <path to
jloader-srxsme package> no-copy no-validate command.
root> request system software add /var/tmp/jloader-srxsme-10.2B3-signed.tgz no-copy no-validate
Installing package '/var/tmp/jloader-srxsme-10.2B3-signed.tgz' ...
Verified jloader-srxsme-10.2B3.tgz signed by PackageProduction_10_2_0
Adding jloader-srxsme...
Available space: 427640 require: 2674
Mounted jloader-srxsme package on /dev/md5...
Saving state for rollback ...
root> show version
Model: srx240h
JUNOS Software Release [10.2B3]
JUNOS BIOS Software Suite [10.2B3]
NOTE: Installing the jloader-srxsme package puts the necessary images under
the /boot directory.
2.
Verifying that images for upgrade are installed
■
Use the show system firmware command to display the versions of the images
available for upgrade. The available version is printed under the Available
version column. Verify that the correct version of the BIOS images is
available for upgrade.
root> show system firmware
Part              Type            Tag  Current  Available  Status
                                       version  version
Routing Engine 0  RE BIOS         0    1.5      1.7        OK
Routing Engine 0  RE BIOS Backup  1    1.5      1.7        OK
Routing Engine 0  RE FPGA         11   12.3.0              OK
3.
BIOS upgrade
Active BIOS:
1.
Initiate the upgrade using the request system firmware upgrade re bios
command.
root> request system firmware upgrade re bios
Part              Type            Tag  Current  Available  Status
                                       version  version
Routing Engine 0  RE BIOS         0    1.5      1.7        OK
Routing Engine 0  RE BIOS Backup  1    1.5      1.7        OK
Perform indicated firmware upgrade ? [yes,no] (no) yes
Firmware upgrade initiated.
2.
Monitor the status of upgrade using the show system firmware command.
root> show system firmware
Part              Type            Tag  Current  Available  Status
                                       version  version
Routing Engine 0  RE BIOS         0    1.5      1.7        PROGRAMMING
Routing Engine 0  RE BIOS Backup  1    1.5      1.7        OK
Routing Engine 0  RE FPGA         11   12.3.0              OK
root> show system firmware
Part              Type            Tag  Current  Available  Status
                                       version  version
Routing Engine 0  RE BIOS         0    1.5      1.7        UPGRADED SUCCESSFULLY
Routing Engine 0  RE BIOS Backup  1    1.5      1.7        OK
Routing Engine 0  RE FPGA         11   12.3.0              OK
NOTE: The device must be rebooted for the upgraded active BIOS to take effect.
Backup BIOS:
1.
Initiate the upgrade using the request system firmware upgrade re bios backup
command.
root> request system firmware upgrade re bios backup
Part              Type            Tag  Current  Available  Status
                                       version  version
Routing Engine 0  RE BIOS         0    1.5      1.7        OK
Routing Engine 0  RE BIOS Backup  1    1.5      1.7        OK
Perform indicated firmware upgrade ? [yes,no] (no) yes
Firmware upgrade initiated.
2.
Monitor the status of upgrade using the show system firmware command.
root> show system firmware
Part              Type            Tag  Current  Available  Status
                                       version  version
Routing Engine 0  RE BIOS         0    1.5      1.7        OK
Routing Engine 0  RE BIOS Backup  1    1.5      1.7        PROGRAMMING
Routing Engine 0  RE FPGA         11   12.3.0              OK
root> show system firmware
Part              Type            Tag  Current  Available  Status
                                       version  version
Routing Engine 0  RE BIOS         0    1.5      1.7        OK
Routing Engine 0  RE BIOS Backup  1    1.7      1.7        UPGRADED SUCCESSFULLY
Routing Engine 0  RE FPGA         11   12.3.0              OK
Network Address Translation (NAT)
■
Increased maximum number of source NAT rules supported—This feature is
supported on SRX Series and J Series devices.
JUNOS Release 10.1 increases the number of source NAT rules and rule sets that
you can configure on a device. In previous releases, the maximum number of
source NAT rule sets you could configure on a device was 32 and the maximum
number of rules in a source NAT rule set was 8.
In JUNOS Release 10.1, the maximum number of source NAT rules that you can
configure on a device is:
■
512 for J Series, SRX100, and SRX210 devices
■
1024 for SRX240 and SRX650 devices
■
8192 for SRX3400, SRX3600, SRX5600, and SRX5800 devices
These are systemwide maximums for total numbers of source NAT rules. There
is no limitation on the number of rules that you can configure in a source NAT
rule set as long as the maximum number of source NAT rules allowed on the
device is not exceeded.
NOTE: This feature does not change the maximum number of rules and rule sets
you can configure on a device for static and destination NAT. For static NAT, you
can configure up to 32 rule sets and up to 256 rules per rule set. For destination NAT,
you can configure up to 32 rule sets and up to 8 rules per rule set.
Point-to-Point Protocol over Ethernet (PPPoE)
■
LN1000 mobile secure router—This feature is supported on J2320, J6350, and
SRX650 devices.
To support the credit-based flow control extensions described in RFC 4938,
PPPoE peers can now grant each other forwarding credits. The grantee can
forward traffic to the peer only when it has a sufficient number of credits to do
so. When credit-based forwarding is used on both sides of the session, the radio
client can control the flow of traffic by limiting the number of credits it grants
to the router.
The interfaces statement includes a new radio-router attribute that replaces the
resource-component-variables attribute. The radio-router attribute contains the
parameters used for rate-based scheduling and OSPF link cost calculations. It
also includes a new credit attribute to indicate that credit-based packet scheduling
is supported on the PPPoE interfaces that reference this underlying interface.
Interfaces that set the encapsulation attribute support the PPPoE Active Discovery
Grant (PADG) and PPPoE Active Discovery Credit (PADC) messages in the same
way that the attribute provides active support for the PPPoE Active Discovery
Quality (PADQ) message.
The credit interval parameter controls how frequently the router generates credit
announcement messages. For PPPoE this corresponds to the interval between
PADG credit announcements for each session.
For example:
[edit interfaces ge-0/0/1]
unit 0 {
    encapsulation ppp-over-ether;
    radio-router {
        credit {
            interval 10;
        }
        bandwidth 80;
        threshold 5;
    }
}
NOTE: The resource-component-variables attribute has been deprecated, but has an
alias to the radio-router variable to minimize impact on existing routers that might
have been configured previously.
To display PPPoE credit-flow information:
user@host> show pppoe interface detail
pp0.51 Index 73
State: Session up, Session ID: 3,
Service name: None,
Configured AC name: None, Session AC name: None,
Remote MAC address: 00:22:83:84:2e:81,
Session uptime: 00:05:48 ago,
Auto-reconnect timeout: Never, Idle timeout: Never,
Underlying interface: ge-0/0/4.1 Index 72
PADG Credits: Local: 12345, Remote: 6789, Scale factor: 128 bytes
PADQ Current bandwidth: 750 Kbps, Maximum 1000 Kbps
Quality: 85, Resources 65, Latency 100 msec.
Dynamic bandwidth: 3 Kbps
pp0.1000 Index 71
State: Down, Session ID: 1,
Service name: None,
Configured AC name: None, Session AC name: None,
Remote MAC address: 00:00:00:00:00:00,
Auto-reconnect timeout: Never, Idle timeout: Never,
Underlying interface: ge-0/0/1.0 Index 70
PADG Credits: enabled
Dynamic bandwidth: enabled
Virtual LANs (VLANs)
■
Flexible Ethernet services—This feature is supported on SRX210, SRX240,
SRX650, and J Series devices.
Use flexible Ethernet services encapsulation when you want to configure multiple
per-unit Ethernet encapsulations. This encapsulation type allows you to configure
any combination of route, TCC, CCC, and VPLS encapsulations on a single physical
port. Aggregated Ethernet bundles cannot use this encapsulation type.
For ports configured with flexible Ethernet services encapsulation, VLAN IDs
from 1 through 511 are no longer reserved for normal VLANs.
VPNs
■
Increased maximum number of VPN tunnels supported—This feature is
supported on SRX3400, SRX3600, SRX5600, and SRX5800 devices.
VPN supports a maximum of 10000 site-to-site VPN tunnels.
WLAN
■
AX411 Access Point clustering—The AX411 Access Point is a Layer 2 device
that connects wireless communication devices together to create a wireless
network. The access point is connected to the wired network and relays data
between the wired and the wireless network. Multiple access points form a part
of a bigger wireless network and can be clustered together.
The access point cluster is a dynamic, configuration-aware group of access points
in the same subnet of a network. A cluster can have up to sixteen member access
points. Clusters can share various configuration information such as virtual access
point (VAP) settings and quality-of-service (QoS) queue parameters. Any change
in configuration on one access point will propagate to all other access points in
the cluster. Similarly, any new access point introduced to the cluster will adopt
the configuration of other access points in the cluster.
Access points are supported on the following SRX Series Services Gateways:
■
SRX210
■
SRX240
■
SRX650
[JUNOS Software WLAN Configuration and Administration Guide]
Hardware Features
Support for 3G wireless functionality on SRX210 Services Gateways—JUNOS
Software Release 10.1 supports 3G wireless functionality on SRX210 devices to
provide wireless WAN connectivity as backup to primary WAN links.
Third-generation (3G) networks are wide area cellular telephone networks that have
evolved to include high-data rate services of up to 3 Mbps. The SRX210 device has
a 3G ExpressCard slot on the back panel. The SRX210 device supports the Juniper
Networks wireless modems listed in Table 6 on page 138.
Table 6: Juniper Networks Wireless Modems Supported by the SRX210 Device
Wireless Cards: EXPCD-3G-HSPA-T- 3G UMTS ExpressCard Sierra Wireless AC503 ExpressCard
for GSM and UMTS Networks, worldwide.
Release Supported: JUNOS Release 10.1. JUNOS Software Release
10.1 provides untested support for this
modem for LAB testing purposes only.
Wireless Cards:
■
EXPCD-3G-CDMA-V: 3G EVDO ExpressCard for Verizon Wireless.
Currently available from Juniper Networks.
■
EXPCD-3G-CDMA-S: 3G EVDO ExpressCard for Sprint. Currently available
from Juniper Networks.
■
Sierra Wireless AirCard Global System for Mobile Communications (GSM)
High-Speed Downlink Packet Access (HSDPA) ExpressCard - Sierra
Wireless AirCard 880E.
Release Supported: JUNOS Release 9.5 and JUNOS Release 9.6.
For more information on installing 3G ExpressCards, see the SRX210 Services Gateway
Hardware Guide. For more information on configuring the 3G interface, see the JUNOS
Software Interfaces and Routing Configuration Guide.
Related Topics
■
Known Limitations in JUNOS Release 10.1 for SRX Series Services Gateways and
J Series Services Routers on page 147
■
Issues in JUNOS Release 10.1 for SRX Series Services Gateways and J Series
Services Routers on page 157
■
Errata and Changes in Documentation for JUNOS Release 10.1 for SRX Series
Services Gateways and J Series Services Routers on page 182
Changes In Default Behavior and Syntax in JUNOS Release 10.1 for SRX Series Services
Gateways and J Series Services Routers
The following current system behavior, configuration statement usage, and operational
mode command usage might not yet be documented in the JUNOS Software
documentation:
Application Layer Gateways (ALGs)
■
The following CLI commands have been removed as part of RPC ALG data
structure cleanup:
■
clear security alg msrpc portmap
■
clear security alg sunrpc portmap
■
show security alg msrpc portmap
■
show security alg sunrpc portmap
■
The show security alg msrpc object-id-map CLI command has a chassis cluster
node option to permit the output to be restricted to a particular node or to query
the entire cluster. The show security alg msrpc object-id-map node CLI command
options are <node-id | all | local | primary>.
Chassis Cluster
■
On SRX650 devices in chassis cluster mode, the T1/E1 PIC goes offline and does
not come online.
■
The automatic pause timer functionality related to IP address monitoring for
redundancy groups has been removed. Instead, a configurable hold-down-interval
timer for all redundancy groups has been instituted. See the “Configuring a
Dampening Time Between Back-to-Back Redundancy Group Failovers” section
of the JUNOS Software Security Configuration Guide.
■
IP address monitoring on redundancy group 0 is now supported.
■
The chassis cluster redundancy-group group-number ip-monitoring threshold CLI
command has been removed. Instead, use the chassis cluster redundancy-group
group-number ip-monitoring global-threshold command.
■
IP address monitoring on virtual routers is now supported.
■
In a chassis cluster configuration on an SRX100, SRX210, SRX240, or SRX650
device, the default values of the heartbeat-threshold and heartbeat-interval options
in the [edit chassis cluster] hierarchy are 8 beats and 2000 ms respectively. These
values cannot be changed on these devices.
Command-Line Interface (CLI)
■
On SRX Series devices, the show security monitoring fpc 0 command is now
available.
The output of this CLI command on SRX Series devices differs from previous
implementations on other devices. Note the following sample output:
show security monitoring fpc 0
FPC 0
PIC 0
CPU utilization : 0 %
Memory utilization : 65 %
Current flow session : 0
Max flow session : 131072
NOTE: When SRX Series devices operate in packet mode, flow sessions will not be
created and current flow session will remain zero as shown in the sample output
above. The maximum number of sessions will differ from one device to another. On
SRX3400, SRX3600, SRX5600, and SRX5800 devices, the output will include two
more lines: SPU current cp session and SPU max cp session.
■
On SRX210 devices with Integrated Convergence Services, TDM configuration
change might interrupt existing TDM calls if any MPIMs are configured. The voice
calls through the MPIM do not work. Run the CLI restart rtmd command after
making a configuration change to the MPIM ports.
■
On SRX210 devices with Integrated Convergence Services, registrations do not
work when PCS is configured and removed through the CLI. The dial tone
disappears when the analog station calls the SIP station. As a workaround, either
run the rtmd restart command or restart the device.
■
On SRX5600 and SRX5800 devices, the set security end-to-end-debug CLI hierarchy
command has been changed to set security datapath-debug.
■
On AX411 Access Points, the possible completions available for the CLI command
set wlan access-point mav0 radio 1 radio-options mode? are changed from previous
implementations.
Now this CLI command displays the possible completions as shown below:
■
Example 1:
user@host# set wlan access-point mav0 radio 1 radio-options mode ?
Possible completions:
5GHz Radio Frequency -5GHz-n
a Radio Frequency -a
an Radio Frequency -an
[edit]
■
Example 2:
user@host# set wlan access-point mav0 radio 2 radio-options mode ?
Possible completions:
2.4GHz Radio Frequency --2.4GHz-n
bg Radio Frequency -bg
bgn Radio Frequency -bgn
■
On SRX Series devices, the show system storage partitions command now displays
the partitioning scheme details.
■
Example 1:
show system storage partitions (dual root partitioning)
user@host# show system storage partitions
Boot Media: internal (da0)
Active Partition: da0s2a
Backup Partition: da0s1a
Currently booted from: active (da0s2a)
Partitions Information:
Partition Size Mountpoint
s1a 293M altroot
s2a 293M /
s3e 24M /config
s3f 342M /var
s4a 30M recovery
■
Example 2:
show system storage partitions (single root partitioning)
user@host# show system storage partitions
Boot Media: internal (da0)
Partitions Information:
Partition Size Mountpoint
s1a 898M /
s1e 24M /config
s1f 61M /var
■
Example 3:
show system storage partitions (usb)
user@host# show system storage partitions
Boot Media: usb (da1)
Active Partition: da1s1a
Backup Partition: da1s2a
Currently booted from: active (da1s1a)
Partitions Information:
Partition Size Mountpoint
s1a 293M /
s2a 293M altroot
s3e 24M /config
s3f 342M /var
s4a 30M recovery
■
On AX411 Access Points, the possible completions available for the CLI command
set wlan access-point < ap_name > radio < radio_num > radio-options channel
number ? have changed from previous implementations.
Now this CLI command displays the following possible completions:
Example 1:
user@host# set wlan access-point ap6 radio 1 radio-options channel number ?
Possible completions:
36 Channel 36
40 Channel 40
44 Channel 44
48 Channel 48
52 Channel 52
56 Channel 56
60 Channel 60
64 Channel 64
100 Channel 100
108 Channel 108
112 Channel 112
116 Channel 116
120 Channel 120
124 Channel 124
128 Channel 128
132 Channel 132
136 Channel 136
140 Channel 140
149 Channel 149
153 Channel 153
157 Channel 157
161 Channel 161
165 Channel 165
auto Automatically selected
Example 2:
user@host# set wlan access-point ap6 radio 2 radio-options channel number ?
1 Channel 1
2 Channel 2
3 Channel 3
4 Channel 4
5 Channel 5
6 Channel 6
7 Channel 7
8 Channel 8
9 Channel 9
10 Channel 10
11 Channel 11
12 Channel 12
13 Channel 13
14 Channel 14
auto Automatically selected
Configuration
■
J Series devices no longer allow a configuration in which a tunnel's source or
destination address falls under the subnet of the same logical interface’s address.
■
On SRX100, SRX210, SRX240, and SRX650 devices, the current JUNOS Software
default configuration is inconsistent with the one in Secure Services Gateways,
thus causing problems when users migrate to SRX Series devices. As a
workaround, users should ensure the following steps are taken:
■
The ge-0/0/0 interface should be configured as the Untrust port (with the
DHCP client enabled).
■
The rest of the on-board ports should be bridged together, with a VLAN IFL
and DHCP server enabled (where applicable).
■
Default policies should allow trust->untrust traffic.
■
Default NAT rules should apply interface-nat for all trust->untrust traffic.
■
DNS/WINS parameters should be passed from server to client and, if not
available, users should preconfigure a DNS server (required for download of
security packages).
■
The default values for IKE and IPsec security association (SA) lifetimes for standard
VPNs have been changed in this release:
■
The default value for the lifetime-seconds configuration statement at the [edit
security ike proposal proposal-name] hierarchy level has been changed from
3600 seconds to 28,800 seconds.
■
The default value for the lifetime-seconds configuration statement at the [edit
security ipsec proposal proposal-name] hierarchy level has been changed from
28,800 seconds to 3600 seconds.
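A proposal that never sets lifetime-seconds inherits whichever default the running release uses, so its effective lifetime changes on upgrade. The following Python audit is an added example, not Juniper code: it reads a set-format configuration and lists the proposals affected by the two default changes above. The sample configuration is constructed, and the function names and the assumption that proposal names contain no whitespace are this example's own.

```python
import re

# Default lifetime-seconds from the release notes: (before 10.1, 10.1 onward).
DEFAULT_LIFETIMES = {"ike": (3600, 28800), "ipsec": (28800, 3600)}

# Matches set-format statements under [edit security ike|ipsec proposal NAME].
# Assumption: proposal names contain no whitespace.
PROPOSAL_RE = re.compile(
    r"^set\s+security\s+(ike|ipsec)\s+proposal\s+(\S+)(?:\s+(.*))?$"
)
LIFETIME_RE = re.compile(r"^lifetime-seconds\s+(\d+)\s*$")

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
set security ike proposal ike-p1 authentication-method pre-shared-keys
set security ike proposal ike-p1 dh-group group2
set security ike proposal ike-p2 authentication-method pre-shared-keys
set security ike proposal ike-p2 lifetime-seconds 86400
set security ike policy pol1 proposals ike-p1
set security ipsec proposal ipsec-p1 protocol esp
set security ipsec proposal ipsec-p2 protocol esp
set security ipsec proposal ipsec-p2 lifetime-seconds 3600
"""


def audit_lifetimes(config_text):
    """Return one finding per IKE/IPsec proposal, sorted by (kind, name)."""
    explicit = {}  # (kind, name) -> configured lifetime, or None if inherited
    for raw in config_text.splitlines():
        match = PROPOSAL_RE.match(raw.strip())
        if not match:
            continue
        kind, name = match.group(1), match.group(2)
        rest = (match.group(3) or "").strip()
        explicit.setdefault((kind, name), None)
        lifetime = LIFETIME_RE.match(rest)
        if lifetime:
            explicit[(kind, name)] = int(lifetime.group(1))

    findings = []
    for (kind, name), value in sorted(explicit.items()):
        old_default, new_default = DEFAULT_LIFETIMES[kind]
        before = value if value is not None else old_default
        after = value if value is not None else new_default
        findings.append({
            "kind": kind,
            "name": name,
            "explicit": value is not None,
            "before": before,        # effective lifetime before the upgrade
            "after": after,          # effective lifetime on 10.1
            "changes": before != after,
        })
    return findings


def pin_commands(findings):
    """Statements that keep the pre-upgrade lifetime for affected proposals."""
    return [
        f"set security {f['kind']} proposal {f['name']} "
        f"lifetime-seconds {f['before']}"
        for f in findings
        if f["changes"]
    ]


if __name__ == "__main__":
    results = audit_lifetimes(SAMPLE_CONFIG)
    for f in results:
        state = "CHANGES" if f["changes"] else "unchanged"
        print(f"{f['kind']:5} {f['name']:10} {f['before']:>6} -> "
              f"{f['after']:>6}  {state}")
    print("\n".join(pin_commands(results)))
```

Whether to pin the old value or accept the new default is a policy decision; the audit only shows which proposals are affected.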
Flow and Processing
■
On SRX Series devices, the factory default for the maximum number of backup
configurations allowed is five. Therefore, you can have one active configuration
and a maximum of five rollback configurations. Increasing this backup
configuration number will result in increased memory usage on disk and
increased commit time.
To modify the factory defaults, use the following commands:
root@host# set system max-configurations-on-flash number
root@host# set system max-configuration-rollbacks number
where max-configurations-on-flash indicates backup configurations to be stored
in the configuration partition and max-configuration-rollbacks indicates the
maximum number of backup configurations.
■
On J Series devices, the following configuration changes must be done after
rollback or upgrade from JUNOS Release 10.1 to 9.6 and earlier releases.
■
Rename lsq-0/0/0 to ls-0/0/0 in all its occurrences.
■
Remove fragmentation-map from the [class-of-service] hierarchy level and
from [class-of-service interfaces lsq-0/0/0], if configured.
■
Remove multilink-max-classes from [ls-0/0/0 unit 0], if configured.
■
Remove link-layer-overhead from [ls-0/0/0 unit 0], if configured.
■
If the LFI forwarding class is mapped to no-fragmentation in fragmentation-map
and the configuration hierarchy is enabled on lsq-0/0/0 in JUNOS Release
10.1, then
■
Add interleave-fragments under [ls-0/0/0 unit 0]
■
Adjust classifier configured for LFI on lsq-0/0/0 under [class-of-service]
to classify packets to Q2
If the aforementioned instructions are not followed, the bundle will be incorrectly
processed.
Interfaces and Routing
■
On SRX Series devices, to minimize the size of system logs, the default logging
level in the factory configuration has been changed from any any to any critical.
■
On SRX3000 and SRX5000 line devices, the set protocols bgp family inet flow and
set routing-options flow CLI statements are no longer available, because BGP flow
spec functionality is not supported on these devices.
■
On SRX100, SRX210, SRX240, and SRX650 devices, the autoinstallation
functionality on an interface enables a DHCP client on the interface and remains
in the DHCP client mode. In previous releases, after a certain period, the interface
changed from being a DHCP client to a DHCP server.
Intrusion Detection and Prevention (IDP)
■
On SRX5600 and SRX5800 devices, while running commands in IDP, ensure
that you provide the service field values for custom attack definitions in lowercase.
In the following example, the protocol service field value udp is specified in
lowercase:
set security idp custom-attack temp severity info attack-type signature context packet
direction any pattern .* protocol udp destination-port match equal value 1333
■
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, for brute force and
time-binding-related attacks, logging is done only when the match count
is equal to the threshold. That is, only one log is generated within the 60-second
period in which the threshold is measured. This process prevents repetitive logs
from being generated and ensures consistency with other IDP platforms like
IDP-standalone.
■
On SRX Series and J Series devices, the IDP ip-action statement is now supported
on TCP, UDP, and ICMP flows. When the ip-action target is service, the ip-action
flow is applied if the traffic matches the values specified for protocol, destination
port, source address, and destination address. However, for ICMP flows, the
destination port is 0, so that any ICMP flow matching protocol, source address,
and destination address is blocked. For more information, see the Junos OS CLI
Reference.
■
On SRX3400 and SRX3600 devices in Layer 2 and Layer 3 integrated mode,
30 percent to 40 percent of the logs created in IDP are not exited from
IDP. In Layer 2 and Layer 3 dedicated mode, the logs are exited properly.
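The log-once behavior described above for brute force and time-binding attacks means that the number of IDP logs no longer tracks the number of signature matches. The following Python model is an added example, not Juniper code, and shows the effect on constructed events. It assumes a fixed 60-second window that starts at a source's first match and counting per source address; the release notes state only the threshold rule and the 60-second period.

```python
from collections import Counter

WINDOW_SECONDS = 60  # measurement period stated in the release notes


class TimeBindingLogger:
    """Counts matches per key and logs only when count == threshold.

    Assumption: a fixed window anchored at the first match for each key.
    """

    def __init__(self, threshold, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self._state = {}  # key -> (window_start, match_count)

    def observe(self, ts, key):
        """Record one signature match; return True if a log is emitted."""
        start, count = self._state.get(key, (ts, 0))
        if ts - start >= self.window:
            start, count = ts, 0  # window expired: start a new one
        count += 1
        self._state[key] = (start, count)
        # Equality, not >=: matches past the threshold in the same
        # window are counted but produce no further logs.
        return count == self.threshold


def replay(events, threshold):
    """Replay (timestamp, source) matches; return the logs emitted."""
    logger = TimeBindingLogger(threshold)
    return [(ts, src) for ts, src in sorted(events)
            if logger.observe(ts, src)]


def summarize(events, threshold):
    """Map each source to (matches seen, logs emitted)."""
    matches = Counter(src for _, src in events)
    logs = Counter(src for _, src in replay(events, threshold))
    return {src: (matches[src], logs[src]) for src in sorted(matches)}


# Constructed events: (seconds since start, source address).
SAMPLE_EVENTS = (
    [(t, "198.51.100.7") for t in range(12)]            # 12 matches in 12 s
    + [(t, "198.51.100.7") for t in (70, 71, 72)]       # next window, 3 matches
    + [(t, "203.0.113.9") for t in (0, 10, 20, 30)]     # stays below threshold
    + [(t, "192.0.2.33") for t in (0, 15, 30, 45, 59)]  # 5th match at t=59
)

if __name__ == "__main__":
    for src, (seen, logged) in summarize(SAMPLE_EVENTS, 5).items():
        print(f"{src:14} matches={seen:2} logs={logged}")
```

A correlation rule that counts these logs sees one event for a source that matched 15 times, so rules written against the earlier per-match logging need their thresholds reviewed.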
J-Web
■
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, to add the Predefined
Attacks and Predefined Attack Groups, users do not need to type the attack
names. Instead, users can select attacks from the Predefined Attacks and
Predefined Attack Group lists and click the left arrow to add them.
■
On SRX100, SRX210, SRX240, and SRX650 devices, the LED status (Alarm, HA,
ExpressCard, Power Status, and Power) shown in the front panel for Chassis
View does not replicate the exact status of the device.
Management and Administration
■
On SRX5600 and SRX5800 devices running a previous release of JUNOS Software,
security logs were always timestamped using the UTC time zone. In JUNOS
Release 10.1, you can use the set system time-zone CLI command to specify the
local time zone that the system should use when timestamping the security logs.
If you want to timestamp logs using the UTC time zone, use the set system
time-zone utc and set security log utc-timestamp CLI statements.
■
Configuring the External CompactFlash card on SRX650 Services Gateways:
The SRX650 Services Gateway includes 2-GB CompactFlash storage devices:
■
The Services and Routing Engine (SRE) contains a hot-pluggable
CompactFlash (external CompactFlash) storage device used to upload and
download files.
■
The chassis contains an internal compact flash used to store the operating
system.
By default, only the internal CompactFlash is enabled, and an option to take a
snapshot of the configuration from the internal CompactFlash to the external
compact flash is not supported. This can be done only by using a USB storage
device.
To take a snapshot on the external CompactFlash:
1.
Take a snapshot from the internal CompactFlash to the USB storage device
using the request system snapshot media usb CLI command.
2.
Reboot the device from the USB storage device by using the request system
reboot media usb command.
3.
Go to the U-boot prompt. For more information, see the "Accessing the
U-Boot Prompt" section in the JUNOS Software Administration Guide.
4.
At the U-boot prompt, set the following variables:
set ext.cf.pref 1
save
reset
5.
Once the system is booted from the USB storage device, take a snapshot on
the external CompactFlash using the request system snapshot media external
command.
NOTE: Once the snapshot has been taken on the external CompactFlash, we
recommend that you set ext.cf.pref to 0 at the U-boot prompt.
Security
■
J Series devices do not support the authentication order password radius or
password ldap in the edit access profile profile-name authentication-order command.
Instead, use order radius password or ldap password.
WLAN
■
While configuring the AX411 Access Point on your SRX Series devices, make
sure to enter the WLAN admin password using the set wlan admin-authentication
password command. This command prompts for the password and the password
entered is stored in encrypted form.
NOTE:
■
Without wlan config option enabled, the AX411 Access Points will be managed
with the default password.
■
Changing the wlan admin-authentication password when the wlan subsystem option
is disabled might result in mismanagement of Access Points. You might have
to power cycle the Access Points manually to avoid this issue.
■
The SRX Series devices that are not using the AX411 Access Point can optionally
delete the wlan config option.
■
Accessing the AX411 Access Point through SSH is disabled by default. You can
enable the SSH access using the set wlan access-point <name> external system
services enable-ssh command.
Known Limitations in JUNOS Release 10.1 for SRX Series Services Gateways and J Series
Services Routers
[accounting-options] Hierarchy
■
On SRX210 and SRX240 devices, the accounting, source-class, and
destination-class statements in the [accounting-options] hierarchy level are not
supported.
AX411 Access Point
■
On SRX100 devices, there are command-line interface (CLI) commands and
J-Web tabs for wireless LAN configurations related to the AX411 Access Point.
However, at this time the SRX100 devices do not support the AX411 Access
Point.
Chassis Cluster
On SRX Series and J Series devices, the following features are not supported when
chassis clustering is enabled on the device:
■
All packet-based protocols, such as MPLS, Connectionless Network Service (CLNS),
and IP version 6 (IPv6)
■
Any function that depends on the configurable interfaces:
■
lsq-0/0/0—Link services Multilink Point-to-Point Protocol (MLPPP), Multilink
Frame Relay (MLFR), and Compressed Real-Time Transport Protocol (CRTP)
■
gr-0/0/0—Generic routing encapsulation (GRE) and tunneling
■
ip-0/0/0—IP-over-IP (IP-IP) encapsulation
■
pd-0/0/0, pe-0/0/0, and mt-0/0/0—All multicast protocols
■
lt-0/0/0—Real-time performance monitoring (RPM)
■
WXC Integrated Services Module (WXC ISM 200)
■
ISDN BRI
■
Layer 2 Ethernet switching
The factory default configuration for SRX100, SRX210, and SRX240 devices
automatically enables Layer 2 Ethernet switching. Because Layer 2 Ethernet
switching is not supported in chassis cluster mode, for these devices, if you
use the factory default configuration, you must delete the Ethernet switching
configuration before you enable chassis clustering.
CAUTION: Enabling chassis clustering while Ethernet switching is enabled is not a
supported configuration. Doing so might result in undesirable behavior from the
devices, leading to possible network instability.
The default configuration for other SRX Series devices and all J Series devices
does not enable Ethernet switching. However, if you have enabled Ethernet
switching, be sure to disable it before enabling clustering on these devices
too.
For more information, see the “Disabling Switching on SRX100, SRX210,
and SRX240 Devices Before Enabling Chassis Clustering” section in the
JUNOS Software Security Configuration Guide.
SRX Series devices have the following limitations:
■
Only two of the 10 ports on each PIC of 40-port 1-Gigabit Ethernet I/O cards
(IOCs) for SRX5600 and SRX5800 devices can simultaneously enable IP address
monitoring. Because there are four PICs per IOC, this permits a total of eight
ports per IOC to be monitored. If more than two ports per PIC on 40-port 1-Gigabit
Ethernet IOCs are configured for IP address monitoring, the commit will succeed
but a log entry will be generated, and the accuracy and stability of IP address
monitoring cannot be ensured. This limitation does not apply to any other IOCs
or devices.
■
SRX3400, SRX3600, SRX5600, and SRX5800 devices have the following
limitations:
■
IP address monitoring is not permitted on redundant Ethernet interface LAGs
or on child interfaces of redundant Ethernet interface LAGs.
■
In-service software upgrade (ISSU) does not support version downgrading.
That is, ISSU does not support running an ISSU install of a software release
package earlier or with a smaller release number than the currently installed
version.
■
Only redundant Ethernet interfaces (reth) are supported for IKE external
interface configuration in IPsec VPN. Other interface types can be configured
but IPsec VPN might not work.
■
On SRX3000 and SRX5000 line chassis clusters, screen statistics data can be
gathered on the primary device only.
J Series devices have the following limitations:
■
A Fast Ethernet port from a 4-port Ethernet PIM cannot be used as a fabric link
port in a chassis cluster.
Command-Line Interface (CLI)
On SRX210 and SRX240 devices, J-Web crashes if more than nine users log in to the
device by using the CLI.
The number of users allowed to access the device is limited as follows:
■
For SRX210 devices: four CLI users and three J-Web users
■
For SRX240 devices: six CLI users and five J-Web users
Dynamic VPN
SRX100, SRX210, and SRX240 devices have the following limitations:
■
The IKE configuration for the dynamic VPN client does not support the
hexadecimal preshared key.
■
The dynamic VPN client IPsec does not support the Authentication Header (AH)
protocol and the Encapsulating Security Payload (ESP) protocol with NULL
authentication.
■
When you log in through the Web browser (instead of logging in through the
dynamic VPN client) and a new client is available, you are prompted for a client
upgrade even if the force-upgrade option is configured. Conversely, if you log in
using the dynamic VPN client with the force-upgrade option configured, the client
upgrade occurs automatically (without a prompt).
Flow and Processing
■
On SRX Series devices, data plane logs generated in event mode or in
configurations using set system syslog can increase CPU utilization dramatically,
impacting the system stability, especially in chassis cluster mode.
■
Maximum concurrent SSH, Telnet, and Web sessions—On SRX210, SRX240,
and SRX650 devices, the maximum number of concurrent sessions is as follows:
Sessions   SRX210   SRX240   SRX650
ssh        3        5        5
telnet     3        5        5
Web        3        5        5
NOTE: These defaults are provided for performance reasons.
■
On SRX210 and SRX240 devices, for optimized efficiency, we recommend that
you limit use of CLI and J-Web to the following numbers of sessions:
Device   CLI   J-Web   Console
SRX210   3     3       1
SRX240   5     5       1
■
On SRX100 devices, Layer 3 control protocols (OSPF, using multicast destination
MAC address) on the VLAN Layer 3 interface work only with access ports.
■
On SRX210, SRX240, and J Series devices, broadcast TFTP is not supported
when flow is enabled on the device.
■
On SRX5800 devices, network processing bundling is not supported in Layer 2
transparent mode.
■
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, downgrading is not
supported in low-impact in-service software upgrade (ISSU) chassis cluster
upgrades (LICU).
Hardware
This section covers filter and policing limitations.
■
On SRX3400 and SRX3600 devices, the following feature is not supported by a
simple filter:
■
Forwarding class as match condition
■
On SRX3400 and SRX3600 devices, the following features are not supported by
a policer or a three-color-policer:
■
Color-aware mode of a three-color-policer
■
Filter-specific policer
■
Forwarding class as action of a policer
■
Logical interface policer
■
Logical interface three-color policer
■
Logical interface bandwidth policer
■
Packet loss priority as action of a policer
■
Packet loss priority as action of a three-color-policer
■
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the following features
are not supported by a firewall filter:
■
Policer action
■
Egress FBF
■
FTF
■
SRX3400 and SRX3600 devices have the following limitations of a simple filter:
■
In the packet processor on an IOC, up to 100 logical interfaces can be applied
with simple filters.
■
In the packet processor on an IOC, the maximum number of terms of all
simple filters is 4000.
■
In the packet processor on an IOC, the maximum number of policers is
4000.
■
In the packet processor on an IOC, the maximum number of
three-color-policers is 2000.
■
The maximum burst size of a policer or three-color-policer is 16 MB.
■
On SRX650 devices, the T1/E1 GPIMs (2 or 4 port version) do not work in 9.6R1.
This issue is resolved in JUNOS Release 9.6R2 and JUNOS Release 10.1, but if
you roll back to the 9.6R1 image, this issue is still seen.
■
On SRX650 devices, MAC pause frame and FCS error frame counters are not
supported for the interfaces ge-0/0/0 through ge-0/0/3.
■
On SRX240 and SRX650 devices, the VLAN range from 3967 to 4094 falls under
the reserved VLAN address range, and the user is not allowed any configured
VLANs from this range.
■
On SRX650 devices, the last 4 ports of a 24-Gigabit Ethernet switch GPIM can
be used either as RJ-45 or SFP ports. If both are present and providing power,
the SFP media is preferred. If the SFP media is removed or the link is brought
down, then the interface will switch to the RJ-45 medium. This can take up to
15 seconds, during which the LED for the RJ-45 port might go up and down
intermittently. Similarly when the RJ-45 medium is active and an SFP link is
brought up, the interface will transition to the SFP medium, and this transition
could also take a few seconds.
■
On SRX Series and J Series devices, the user can use IPsec only on an interface
that resides in the routing instance inet 0. The user will not be able to assign an
internal or external interface to the IKE policy if that interface is placed in a
routing instance other than inet 0.
■
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the following multicast
IPv6 and MVPN CLI commands are not supported. However, if you enter these
commands in the CLI editor, they will appear to succeed and will not display an
error message.
Interfaces and Routing
■
show pim interfaces inet6
■
show pim neighbors inet6
■
show pim source inet6
■
show pim rps inet6
■
show pim join inet6
■
show pim mvpn
■
show multicast next-hops inet6
■
show multicast rpf inet6
■
show multicast route inet6
■
show multicast scope inet6
■
show multicast pim-to-mld-proxy
■
show multicast statistics inet6
■
show multicast usage inet6
■
show msdp sa group group
■
set protocols pim interface interface family inet6
■
set protocols pim disable interface interface family inet6
■
set protocols pim family inet6
■
set protocols pim disable family inet6
■
set protocols pim apply-groups group disable family inet6
■
set protocols pim apply-groups group family inet6
■
set protocols pim apply-groups-except group disable family inet6
■
set protocols pim apply-groups group interface interface family inet6
■
set protocols pim apply-groups group apply-groups-except group family inet6
■
set protocols pim apply-groups group apply-groups-except group disable family
inet6
■
set protocols pim assert-timeout timeout-value family inet6
■
set protocols pim disable apply-groups group family inet6
■
set protocols pim disable apply-groups-except group family inet6
■
set protocols pim disable export export-join-policy family inet6
■
set protocols pim disable dr-election-on-p2p family inet6
■
set protocols pim dr-election-on-p2p family inet6
■
set protocols pim export export-join-policy family inet6
■
set protocols pim import export-join-policy family inet6
■
set protocols pim disable import export-join-policy family inet6
■
On SRX210 devices, the USB modem interface can handle bidirectional traffic
of up to 19 kbps. On oversubscription of this amount (that is, bidirectional traffic
of 20 kbps or above), keepalives are not exchanged, and the interface goes down.
Intrusion Detection and Prevention (IDP)
■
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, application-level
distributed denial-of-service (application-level DDoS) detection does not work if
two rules with different application-level DDoS applications process traffic going
to a single destination application server. When setting up application-level DDoS
rules, make sure you do not configure rulebase-ddos rules that have two different
application-ddos objects while the traffic destined to one application server can
process more than one rule. Essentially, for each protected application server,
you have to configure the application-level DDoS rules so that traffic destined
for one protected server is processed by only one application-level DDoS rule.
NOTE: Application-level DDoS rules are terminal, which means that once traffic is
processed by one rule, it will not be processed by other rules.
The following configuration options can be committed, but they will not work
properly:
source-zone    destination-zone  destination-ip  service  application-ddos  Application Server
source-zone-1  dst-1             any             http     http-appddos1     1.1.1.1:80
source-zone-2  dst-1             any             http     http-appddos2     1.1.1.1:80
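The conflict described above can be checked offline before a rulebase is committed. The following Python sketch is an added example, not Juniper code: the rule dictionaries reuse the column names and the two sample rules listed above, while the rule names, the server inventory and the third rule are constructed for illustration. It ignores rule order, so it flags every server that rules with different application-ddos objects can reach.

```python
import ipaddress

# Constructed rulebase-ddos rules. The first two mirror the sample rows above;
# "name" is a hypothetical label and rule-3 is constructed for contrast.
RULES = [
    {"name": "rule-1", "source-zone": "source-zone-1", "destination-zone": "dst-1",
     "destination-ip": "any", "service": "http", "application-ddos": "http-appddos1"},
    {"name": "rule-2", "source-zone": "source-zone-2", "destination-zone": "dst-1",
     "destination-ip": "any", "service": "http", "application-ddos": "http-appddos2"},
    {"name": "rule-3", "source-zone": "source-zone-1", "destination-zone": "dst-2",
     "destination-ip": "192.0.2.0/24", "service": "http",
     "application-ddos": "http-appddos2"},
]

# Constructed inventory of protected application servers.
SERVERS = [
    {"address": "1.1.1.1", "port": 80, "zone": "dst-1", "service": "http"},
    {"address": "192.0.2.10", "port": 80, "zone": "dst-2", "service": "http"},
]


def rule_covers(rule, server):
    """Return True if traffic to `server` can match `rule` on zone, service and address."""
    if rule["destination-zone"] != server["zone"]:
        return False
    if rule["service"] not in ("any", server["service"]):
        return False
    if rule["destination-ip"] == "any":
        return True
    network = ipaddress.ip_network(rule["destination-ip"], strict=False)
    return ipaddress.ip_address(server["address"]) in network


def find_conflicts(rules, servers):
    """Map "address:port" to the (rule, application-ddos) pairs that cover it,
    for every server reachable by rules with more than one application-ddos object."""
    conflicts = {}
    for server in servers:
        hits = [(r["name"], r["application-ddos"])
                for r in rules if rule_covers(r, server)]
        if len({ddos_object for _, ddos_object in hits}) > 1:
            conflicts[f'{server["address"]}:{server["port"]}'] = hits
    return conflicts


if __name__ == "__main__":
    for server, hits in find_conflicts(RULES, SERVERS).items():
        print(f"{server}: covered by rules with different application-ddos objects")
        for rule_name, ddos_object in hits:
            print(f"  {rule_name} -> {ddos_object}")
```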
■
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the application-level
denial-of-service (application-level DDoS) rulebase (rulebase-ddos) does not
support port mapping. If you configure an application other than default, and if
the application is from either predefined JUNOS Software applications or a custom
application that maps an application service to a nonstandard port,
application-level DDoS detection will not work.
When you configure the application setting as default, IDP uses application
identification to detect applications running on standard and nonstandard ports,
so application-level DDoS detection works properly.
■
On SRX210, SRX240, and SRX650 devices, the maximum number of IDP sessions
supported is 16,000.
■
On SRX Series devices, all IDP policy templates are supported except All Attacks.
There is a 100-MB policy size limit for integrated mode and a 150-MB policy size
limit for dedicated mode, and the current IDP policy templates supported are
dynamic, based on the attack signatures being added. Therefore, be aware that
supported templates might eventually grow past the policy-size limit.
On SRX Series devices, the following IDP policies are supported:
■
DMZ_Services
■
DNS_Service
■
File_Server
■
Getting_Started
■
IDP_Default
■
Recommended
■
Web_Server
■
IDP deployed in both active/active and active/passive chassis clusters has the
following limitations:
■
No inspection of sessions that fail over or fail back.
■
The IP address action table is not synchronized across nodes.
■
The Routing Engine (RE) on the secondary node might not be able to reach
networks that are reachable only through a Packet Forwarding Engine (PFE).
■
The SSL session-ID cache is not synchronized across nodes. If an SSL session
reuses a session-ID and it happens to be processed on a node other than the
one on which the session-ID is cached, the SSL session cannot be decrypted
and will be bypassed for IDP inspection.
■
IDP deployed in active/active chassis clusters has the following limitation:
■
For time-binding scope source traffic, if attacks from a source with more
than one destination have active sessions distributed across nodes, the attack
might not be detected because time-binding counting has a local-node-only
view. Detecting this sort of attack requires an RTO synchronization of the
time-binding state that is not currently supported.
■
On SRX100, SRX210, SRX240, and SRX650 devices, the maximum number of supported
entries in the ACS table is 100,000. However, because the userland buffer has a
fixed size of 1 MB, a maximum of 38837 cache entries is displayed.
■
IDP does not allow header checks for nonpacket contexts.
J-Web
■
On J Series devices, some J-Web pages for new features (for example, the Quick
Configuration page for the switching features on J Series devices) display content
in one or more modal pop-up windows. In the modal pop-up windows, you can
interact only with the content in the window and not with the rest of the J-Web
page. As a result, online Help is not available when modal pop-up windows are
displayed. You can access the online Help for a feature only by clicking the Help
button on a J-Web page.
■
On SRX Series devices, you cannot use J-Web to configure a VLAN interface for
an IKE gateway. VLAN interfaces are not currently supported as IKE
external-interfaces.
NetScreen-Remote
■
On SRX Series devices, NetScreen-Remote is not supported in JUNOS Release
10.1.
Network Address Translation (NAT)
■
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, IKE negotiations
involving NAT traversal do not work if the IKE peer is behind a NAT device that
will change the source IP address of the IKE packets during the negotiation. For
example, if the NAT device is configured with DIP, it changes the source IP
because the IKE protocol switches the UDP port from 500 to 4500.
■
The following describes the maximum numbers of NAT rules and rule sets
supported:
■
For static NAT, up to 32 rule sets and up to 256 rules per rule set can be
configured on a device.
■
For destination NAT, up to 32 rule sets and up to 8 rules per rule set can be
configured on a device.
■
For source NAT, the following are the maximum numbers of source NAT
rules that can be configured on a device:
■
512 for J Series, SRX100, and SRX210 devices
■
1024 for SRX240 and SRX650 devices
■
8192 for SRX3400, SRX3600, SRX5600, and SRX5800 devices
These are systemwide maximums for total numbers of source NAT rules.
There is no limitation on the number of rules that you can configure in a
source NAT rule set as long as the maximum number of source NAT rules
allowed on the device is not exceeded.
Performance
■
J Series devices now support IDP and UTM functionality. Under heavy network
traffic in a few areas of functionality, such as NAT and IPsec VPN, performance
is still being improved to reach the high levels to which Juniper Networks is
consistently committed.
SNMP
■
On J Series devices, the SNMP NAT-related MIB is not supported in JUNOS Release
10.1.
System
■
On SRX650 devices, if one of the four Gigabit Ethernet ports (ge-0/0/0 through
ge-0/0/3) is linked up at 10 or 100 Mbps, it will not support jumbo frames.
Frames greater than 1500 bytes are dropped.
Unified Threat Management (UTM)
■
UTM requires 1 GB of memory. If your J2320, J2350, or J4350 device has only
512 MB of memory, you must upgrade the memory to 1 GB to run UTM.
VLAN
■
On SRX100, SRX210, SRX240, SRX650, and J Series devices, the IRB (VLAN)
interface cannot be used as the underlying interface for Point-to-Point Protocol
over Ethernet (PPPoE).
VPNs
■
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the IPsec NAT-T tunnels
scaling and sustaining issues are as follows:
■
For a given private IP address, the NAT device should translate both 500
and 4500 private ports to the same public IP address.
■
The total number of tunnels from a given public translated IP cannot exceed
1000 tunnels.
WLAN
■
The following are the maximum numbers of access points that can be configured
and managed from SRX Series devices:
■
SRX210—4 access points
■
SRX240—8 access points
■
SRX650—16 access points
NOTE: The number of licensed access points can exceed the maximum number of
supported access points. However, you can only configure and manage the maximum
number of access points.
Related Topics
■
New Features in JUNOS Release 10.1 for SRX Series Services Gateways and J
Series Services Routers
■
Issues in JUNOS Release 10.1 for SRX Series Services Gateways and J Series
Services Routers
■
Errata and Changes in Documentation for JUNOS Release 10.1 for SRX Series
Services Gateways and J Series Services Routers
Issues in JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services
Routers
■
Outstanding Issues In JUNOS Release 10.1 for SRX Series Services Gateways and
J Series Services Routers
■
Resolved Issues in JUNOS Release 10.1 for SRX Series Services Gateways and J
Series Services Routers
Outstanding Issues In JUNOS Release 10.1 for SRX Series Services
Gateways and J Series Services Routers
The following problems currently exist in SRX Series and J Series devices. The
identifier following the description is the tracking number in our bug database.
Application Layer Gateways (ALGs)
■
On SRX5600 devices, if you run the show security alg sip counters command
while doing a bulk call generation, it might bring down the SPU with a flowd
core file error. [PR/292956]
■
On SRX210 devices, the Skinny Client Control Protocol (SCCP) call cannot be set
up after disabling and enabling the SCCP ALG. The call does not go through.
[PR/409586]
■
On SRX3400 and SRX3600 devices, Real-Time Streaming Protocol (RTSP), TFTP,
and FTP ALG at scale in Layer 2 mode with A/P is not supported in JUNOS Release
10.1. [PR/474140]
■
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, ALGs are enabled by
default. When security policies are configured with IDP service, there might be
packet drops. When IDP service is enabled through security policy configuration,
we recommend that you disable some or all the ALGs through configuration to
avoid packet drops. For example: set security alg rtsp disable. [PR/474629]
NOTE: Disabling ALGs will prevent auxiliary or pinhole session creation, and those
sessions might not be permitted based on security policy. The choice depends on
the customer network and what services are being run, whether ALGs need to be
enabled, and whether IDP inspection is required for all or a subset of the traffic.
Authentication
■
On J Series devices, your attempt to log in to the router from a management
device through FTP or Telnet might fail if you type your username and password
in quick succession before the prompt is displayed, in some operating systems.
As a workaround, type your username and password after you see the prompts.
[PR/255024]
■
On J Series devices, after the user is authenticated, if the webauth-policy is deleted
or changed and an entry exists in the firewall authentication table, then an
authentication entry created as a result of webauth will be deleted only if a traffic
flow session exists for that entry. Otherwise, the webauth entry will not be deleted
and will only age out. This behavior will not cause a security breach. [PR/309534]
AX411 Access Point
■
On SRX210 PoE devices, the access point reboots when 100 clients are associated
simultaneously and each one is transmitting 512-byte packets at 100 pps.
[PR/469418]
■
On SRX650 devices, when an access point is part of a default cluster and you
change the default cluster after the access point is connected to it, the changes
might not be reflected. As a workaround, restart the wireless LAN service.
[PR/497752]
Chassis Cluster
■
On J Series devices in a chassis cluster, the show interface terse command on
the secondary Routing Engine does not display the same details as that of the
primary Routing Engine. [PR/237982]
■
On J4350 Services Routers, because the clear security alg sip call command
triggers a SIP RTO to synchronize sessions in a chassis cluster, use of the
command on one node with the node-id, local, or primary option might result in
a SIP call being removed from both nodes. [PR/263976]
■
On J Series devices, when a new redundancy group is added to a chassis cluster,
the node with lower priority might be elected as primary when the preempt
option is not enabled for the nodes in the redundancy group. [PR/265340]
■
On J Series devices, when you commit a configuration for a node belonging to
a chassis cluster, all the redundancy groups might fail over to node 0. If graceful
protocol restart is not configured, the failover can destabilize routing protocol
adjacencies and disrupt traffic forwarding. To allow the commit operation to
take place without causing a failover, we recommend that you use the set chassis
cluster heartbeat-threshold 5 command on the cluster. [PR/265801]
■
On J Series devices in a chassis cluster, a high load of SIP ALG traffic might result
in some call leaks in active resource manager groups and gates on the backup
router. [PR/268613]
■
On SRX Series devices in a chassis cluster, configuring the set system process
jsrp-service disable command only on the primary node causes the cluster to go
into an incorrect state. [PR/292411]
■
On SRX Series devices in a chassis cluster, using the set system processes
chassis-control disable command for 4 to 5 minutes and then enabling it causes
the device to crash. Do not use this command on an SRX Series device in a
chassis cluster. [PR/296022]
■
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, 8-queue configurations
are not reflected on the chassis cluster interface. [PR/389451]
■
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the iflset functionality
is not supported for aggregated interfaces such as reth. [PR/391377]
■
On an SRX210 device in a chassis cluster, when you upgrade the nodes,
sometimes the forwarding process might crash and be restarted. [PR/396728]
■
On an SRX210 device in a chassis cluster, when you upgrade to the latest software
image, the interface links do not come up and are not seen in the Packet
Forwarding Engine. As a workaround, you can reboot the device to bring up the
interface. [PR/399564]
■
On an SRX210 device in a chassis cluster, sometimes the reth interface MAC
address might not make it to the switch filter table. This results in the dropping
of traffic sent to the reth interface. As a workaround, restart the Packet
Forwarding Engine. [PR/401139]
■
On an SRX210 device in a chassis cluster, the fabric-monitoring option is enabled
by default. This can cause one of the nodes to move to a disabled state. You can
disable fabric monitoring by using the following CLI command:
set chassis cluster fabric-monitoring disable
[PR/404866]
■
On an SRX210 Low Memory device in a chassis cluster, the firewall filter does
not work on the reth interfaces. [PR/407336]
■
On an SRX210 device in a chassis cluster, the restart forwarding method is not
recommended because when the control link goes through forwarding, the restart
forwarding process causes disruption in the control traffic. [PR/408436]
■
On an SRX210 device in a chassis cluster, there might be a loss of about 5 packets
with 20 Mbps of UDP traffic on an RG0 failover. [PR/413642]
■
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, no trap is generated
for redundancy group 0 failover. You can check on the redundancy group 0 state
only when you log in to the device. The nonavailability of this information is
caused by a failure of the SNMP walk on the backup (secondary) node. As a
workaround, use a master-only IP address across the cluster so that you can
query a single IP address and that IP address will always be the master for
redundancy group 0. [PR/413719]
■
On an SRX210 device with an FTP session ramp-up rate of 70, either of the
following might disable the secondary node:
■
Back-to-back redundancy group 0 failover
■
Back-to-back primary node reboot
[PR/414663]
■
If an SRX210 device receives more traffic than it can handle, node 1 either
disappears or is disabled. [PR/416087]
■
On SRX3400, SRX3600, SRX5600, SRX5800, and J Series devices in an
active/active chassis cluster, when the fabric link fails and then recovers, services
with a short time-to-live (such as ALG FTP) stop working. [PR/419095]
■
On SRX5800 devices, SNMP traps might not be generated for the
ineligible-primary state. [PR/434144]
■
On SRX3400, SRX3600, SRX5600, and SRX5800 devices in chassis cluster
active/active mode, the J-Flow samplings do not occur and the records are not
exported to the cflowd server. [PR/436739]
■
On SRX240 Low Memory and High Memory devices, binding the same IKE policy
to a dynamic gateway and a site-to-site gateway is not allowed. [PR/440833]
■
On SRX650 devices, the following message appears on the new primary node
after a reboot or an RG0 failover:
WARNING: cli has been replaced by an updated version:
CLI release 9.6B1.5 built by builder on 2009-04-29 08:24:20 UTC
Restart cli using the new version ? [yes,no] (yes) yes
[PR/444470]
■
On SRX240 devices, the cluster might be destabilized when the file system is
full and logging is configured on JSRPD and chassisd. The log file size for the
various modules should be appropriately set to prevent the file system from
getting full. [PR/454926]
■
On SRX3400, SRX3600, SRX5600, and SRX5800 devices in a chassis cluster,
the ping operation to the redundant Ethernet interface (reth) fails when the cluster
ID changes. [PR/458729]
■
On SRX100 devices, after primary node reboot and cold synchronization are
finished, the chassis cluster auth session timeout age and application name
cannot synchronize with the chassis cluster peers. [PR/460181]
■
On SRX5600 devices, low-impact in-service software upgrade (ISSU) chassis
cluster upgrade does not succeed with the no-old-master-upgrade option when
you upgrade from JUNOS Release 9.6R2 to JUNOS Release 10.1. [PR/471235]
■
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the secondary node
displays incorrect interface status after a low-impact in-service software upgrade
(ISSU) from JUNOS Release 9.6R2 to JUNOS Release 10.1R1. [PR/482566]
■
On SRX3400 and SRX3600 devices, chassis cluster upgrades (LICU) with
no-old-master-upgrade from JUNOS Release 9.6R2.11 to 10.0R1.x and from
JUNOS Release 10.0R1.8 to 10.1x.x do not work. [PR/483485]
■
On SRX3600 devices, after you disable and enable the secondary node track,
the IP status remains unreachable. [PR/488890]
■
On SRX5600 and SRX5800 devices, the shaping rate doubles during LICU upgrades
after the secondary node becomes the primary node and continues to be the
same doubled value after LICU, when the LICU upgrade is performed for JUNOS
Release 10.0R2 to 10.1R2. [PR/491834]
■
On SRX5600 and SRX5800 devices, the shaping rate is not honored during LICU
upgrades. During LICU upgrades, when the secondary node is upgraded to the
primary node, the shaping rate is doubled and continues to be the same doubled
value after the LICU upgrade is finished. [PR/499481]
Class of Service (CoS)
■
J4350 and J6350 devices might not have the requisite data buffers needed to
meet expected delay-bandwidth requirements. Lack of data buffers might degrade
CoS performance with smaller (500 bytes or less) packets. [PR/73054]
■
On J Series devices, with a CoS configuration, when you try to delete all the flow
sessions using the clear security flow session command, the WXC application
acceleration platform might fail over with heavy traffic. [PR/273843]
■
On SRX Series devices, class-of-service-based forwarding (CBF) does not work.
[PR/304830]
■
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, when you change the
scheduler type on the Layer 2 aggregated Ethernet interface, the clear interface
statistics command does not work for the aggregated Ethernet bundle.
[PR/485904]
Dynamic Host Configuration Protocol (DHCP)
■
On SRX210 and SRX240 devices, when autoinstallation is configured to run on
a particular interface and the default static route is set with options discard,
retain and no-advertise, then the DHCP client running on the interface tries
fetching the configuration files from the TFTP server. During this process, the
UDP data port on the TFTP server might be unreachable. Because of the TFTP
server being unreachable, the autoinstallation process might remain in the
configuration acquisition state. When autoinstallation is disabled, the TFTP might
fail. In this case, you should manually fetch the file from the server or the client
through the relay.
As a workaround, remove the static route options: Discard, Retain, and
no-advertise from the configuration. [PR/454189]
Enhanced Switching
■
On J Series devices, if the access port is tagged with the same VLAN that is
configured at the port, the access port accepts tagged packets and determines
the MAC. [PR/302635]
Flow and Processing
■
On J Series devices, even when forwarding options are set to drop packets for
the ISO protocol family, the device forms End System-to-Intermediate System
(ES-IS) adjacencies and transmits packets because ES-IS packets are Layer 2
terminating packets. [PR/252957]
■
On SRX Series devices, the show security flow session command currently does
not display aggregate session information. Instead, it displays sessions on a
per-SPU basis. [PR/264439]
■
On J Series devices, OSPF over a multipoint interface connected as a
hub-and-spoke network does not restart when a new path is found to the same
destination. [PR/280771]
■
On SRX Series devices, when traffic matches a deny policy, sessions will not be
created successfully. However, sessions are still consumed, and the
unicast-sessions and sessions-in-use fields shown by the show security flow session
summary command will reflect this. [PR/284299] [PR/397300]
■
On J Series devices, outbound filters will be applied twice for host-generated
IPv4 traffic. [PR/301199]
■
On SRX Series devices, configuring the flow filter with the all flag might result
in traces that are not related to the configured filter. As a workaround, use the
flow trace flag basic with the command set security flow traceoptions flag.
[PR/304083]
■
On SRX210, SRX240, and SRX650 devices, after the device fragments packets,
the FTP over a GRE link might not perform properly because of packet
serialization. [PR/412055]
■
On SRX240 devices, traffic flooding occurs when multiple multicast IP group
addresses are mapped to the same multicast MAC address because multicast
switching is based on the Layer 2 address. [PR/418519]
■
On SRX650 devices, the input DA errors are not updated when packets are
dropped because of MAC filtering on the following:
■
SRX240 device
■
SRX210 device
■
16-port and 24-port GPIMs
■
SRX650 front-end port
This is due to MAC filtering implemented in hardware.
[PR/423777]
■
On SRX5600 and SRX5800 devices, the network processing bundle configuration
CLI does not check if PICs in the bundle are valid. [PR/429780]
■
On SRX650 devices, packet loss is observed when the device interoperates with
an SSG20 with AMI line encoding. [PR/430475]
■
On an SRX210 on-board Ethernet port, an IPv6 multicast packet received gets
duplicated at the ingress. This happens only for IPv6 multicast traffic in ingress.
[PR/432834]
■
On SRX3400 and SRX3600 devices, the ramp rate of session creation is slow at
times for fragmented UDP traffic. [PR/434508]
■
On SRX5800 devices, when there are nonexistent PICs in the network processing
bundle, the traffic is sent out to the PICs and is lost. [PR/434976]
■
The SRX5600 and SRX5800 devices create more than the expected number of
flow sessions with NAT traffic. [PR/437481]
■
On J Series devices, NAT traffic that goes to the WXC ISM 200 and return back
clear (that is, not accelerated by the WXC ISM 200) does not work. [PR/438152]
■
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, there is missing
information in the jnxJsFwAuthMultipleFailure trap message. The trap message is
required to contain the username, IP address, application, and trap name, but
the username is missing. [PR/439314]
■
On SRX5800 devices, for any network processing bundle configuration change
to take effect, a reboot is needed. Currently there is no message displayed after
a bundle configuration change. [PR/441546]
■
On SRX5800 devices, the IOC hot swap is not supported with network processing
bundling. If an IOC that has network processing bundling configured gets
unplugged, all traffic to that network processor bundle will be lost. [PR/441961]
■
On SRX5800 devices with interfaces in a network processing bundle, the ICMP
flood or UDP flood cannot be detected at the threshold rate. However, it can be
detected at a higher rate when the per-network processor rate reaches the
threshold. [PR/442376]
■
On SRX5600 devices, equal-cost multipath (ECMP) does not work at Layer 4
when transit traffic is passed. [PR/444054]
■
On an SRX3400 device in combo mode with two SPCs and one NPC, not all
sessions are created under the stress test. [PR/450482]
■
On J Series devices, there is a drop in throughput on 64-byte packet size T3 links
when bidirectional traffic is directed. [PR/452652]
■
On SRX240 PoE and J4350 devices, the first packet on each multilink class gets
dropped on reassembly. [PR/455023]
■
On SRX5600 and SRX5800 devices, system log messages are not generated
when CPU utilization returns to normal. [PR/456304]
■
On SRX210, SRX240, and J6350 devices, the serial interface goes down for long
duration traffic when FPGA 2.3 version is loaded in the device. As a result, the
multilink goes down. This issue is not seen when downgrading the FPGA version
from 2.3 to 1.14. [PR/461471]
■
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, in end-to-end
debugging, the cp-lbt event actions are not working. There is no change in
behavior with or without the cp-lbt event. [PR/462288]
■
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, during end-to-end
debugging with the jexec event, packet summary trace messages have unknown
IP addresses in the packet summary field. [PR/463534]
■
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, data path-debug rate-limit
does not work properly. When users configure a low rate limit for a large number
of trace messages, the system should suspend the trace messages after the
configured maximum is reached. The system is not suspending the trace
messages. [PR/464151]
■
GPRS tunneling protocol (GTP) application is supported on well-known ports
only. Customized application on other ports is not supported. [PR/464357]
■
On J Series devices, interfaces with different bandwidths (even if they are of
same interface type, for example, serial interfaces with different clock rates or
channelized T1/E1 interfaces with different timeslots) should not be bundled
under one ML bundle. [PR/464410]
■
SRX3400 and SRX3600 devices with one Services Processing Card and two
Network Processing Cards operating under heavy traffic produce fewer flow
sessions. [PR/478939]
Hardware
■
On SRX210 devices, the MTU size is limited to 1518 bytes for the 1-port SFP
Mini-PIM. [PR/296498]
■
On SRX240 and SRX650 devices and 16-port or 24-port GPIMs, the 1G half-duplex
mode of operation is not supported in the autonegotiation mode. [PR/424008]
■
On SRX240 devices, the Mini-PIM LEDs glow red for a short duration (1 second)
when the device is powered on. [PR/429942]
■
On SRX240 devices, the file installation fails on the right USB slot when both of
the USB slots have USB storage devices attached. [PR/437563]
■
On SRX240 devices, the combinations of Mini-PIMs cause SFP-Copper links to
go down in some instances during bootup, restarting fwdd, and restarting
chassisd. As a workaround, reboot the device and the link will be up. [PR/437788]
■
On SRX5600 devices, during a Routing Engine reboot when processes are being
shut down, a rare race condition occurs that can lead to a Routing Engine kernel
crash. [PR/488484]
Infrastructure
■
On J Series devices, you cannot use a USB device that provides U3 features (such
as the U3 Titanium device from SanDisk Corporation) as the media device during
system boot. You must remove the U3 support before using the device as a boot
medium. For the U3 Titanium device, you can use the U3 Launchpad Removal
Tool on a Windows-based system to remove the U3 features. The tool is available
for download at http://www.sandisk.com/Retail/Default.aspx?CatID=1415. (To restore
the U3 features, use the U3 Launchpad Installer Tool accessible at
http://www.sandisk.com/Retail/Default.aspx?CatID=1411). [PR/102645]
■
On J Series devices, if the device does not have an ARP entry for an IP address,
it drops the first packet from itself to that IP address. [PR/233867]
■
On J Series devices, when you press the F10 key to save and exit from BIOS
configuration mode, the operation might not work as expected. As a workaround,
use the Save and Exit option from the Exit menu. This issue can be seen on the
J4350 and J6350 routers with BIOS Version 080011 and on the J2320 and J2350
routers with BIOS Version 080012. [PR/237721]
■
On J Series devices, the Clear NVRAM option in the BIOS configuration mode
does not work as expected. This issue can be seen on the J4350 and J6350 routers
with BIOS Version 080011 and on the J2320 and J2350 routers with BIOS Version
080012. To help mitigate this issue, note any changes you make to the BIOS
configuration so that you can revert to the default BIOS configuration as needed.
[PR/237722]
■
On J Series devices, if you enable security trace options, the log file might not
be created in the default location at /var/log/security-trace. As a workaround,
manually set the log file to the directory /var/log/security-trace. [PR/254563]
■
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the SNMP set for the
MIB object usmUserPrivKeyChange does not work. [PR/482475]
■
On J4350 devices, SSH keys do not get regenerated when switching between an
export edition of Junos and a domestic edition of Junos, in either direction. As
a workaround, the user should regenerate their SSH keys (e.g., 'rm
/var/etc/ssh/ssh_host_*key*' and reboot) when switching between an export
edition of Junos and a domestic edition of Junos in either direction. [PR/445688]
Integrated Convergence Services
The following issues currently exist in SRX210 and SRX240 devices with Integrated
Convergence Services:
■
On SRX210 devices with Integrated Convergence Services, the call hold feature
does not work for Xlite softphones. [PR/432725]
■
At least one time slot must be configured for data for voice channels on T1 lines
to work. [PR/442932]
■
On SRX240 devices with Integrated Convergence Services, T1 configuration does
not support all the 24 time slots for voice calls. It is limited to 5 time slots or line
channels currently. [PR/442934]
■
The music-on-hold feature is not supported for SIP phones. [PR/443681]
■
The peer call server configuration for the media gateway page in J-Web does not
correctly display the port number field when TCP is used as the transport.
[PR/445734]
■
When you click the trunk-group field in J-Web, the configured trunk values are
not displayed. [PR/445765]
■
Comfort noise packets are not generated when both voice activity detection
(VAD) and comfort noise generation are enabled for an FXS station. [PR/448191]
■
In J-Web, if you do not configure the class of restriction and a station template,
you cannot configure a station. [PR/452439]
■
J-Web does not provide support for the SIP template extension inheritance feature.
[PR/455787]
■
SNMP does not provide support for survivable call server (SRX Series SCS)
statistics. [PR/456454]
■
When T1 lines for stations or trunks are configured, you might hear a momentary
burst of noise on the phone. [PR/467334]
■
You must restart the flow daemon to commit runtime T1 configuration changes.
[PR/468594]
■
The SIP-to-SIP simultaneous call capacity is limited to 10 calls. [PR/478485]
Interfaces and Routing
■
On J4350 and J6350 devices, the link status of the onboard Gigabit Ethernet
interfaces (ge-0/0/0 through ge-0/0/3) or the 1-port Gigabit Ethernet ePIM
interface fails when you configure these interfaces in loopback mode. [PR/72381]
■
On J Series Routers, asymmetric routing, such as tracing a route to a destination
behind J Series devices with Virtual Router Redundancy Protocol (VRRP), does
not work. [PR/237589]
■
On SRX5600 and SRX5800 devices, ping to far-end reth interfaces does not work
for different routing instances. [PR/408500]
■
On SRX240 and SRX650 devices, when you are configuring the link options on
an interface, only the following scenarios are supported:
■
Autonegotiation is enabled on both sides.
■
Autonegotiation is disabled on both sides (forced speed), and both sides are
set to the same speed and duplex.
If one side is set to autonegotiation mode and the other side is set to forced
speed, the behavior is indeterminate and not supported. [PR/423632]
■
On SRX Series and J Series devices, the RPM operation will not work for the probe-type
tcp-ping when the probe is configured with the option destination-interface.
[PR/424925]
■
On SRX650 devices, the following loopback features are not implemented for
T1/E1 GPIMs:
■
Line
■
FDL payload
■
Inband line
■
Inband payload
[PR/425040]
■
In J Series xDSL PIMs, mapping between IP CoS and ATM CoS is not supported.
If the user configures IP CoS in conjunction with ATM CoS, the logical interface
level shaper matching ATM CoS rate must be configured to avoid congestion
drops in SAR.
Example:
set interfaces at-5/0/0 unit 0 vci 1.110
# ATM CoS
set interfaces at-5/0/0 unit 0 shaping cbr 62400
# IP CoS
set class-of-service interfaces at-5/0/0 unit 0 scheduler-map sche_map
# Add the logical interface (IFL) shaper
set class-of-service interfaces at-5/0/0 unit 0 shaping-rate 62400
[PR/430756]
■
On SRX650 devices, configuring dual and quad T1/E1 framing at the chassis
level has no effect. [PR/432071]
■
On SRX240 devices, the serial interface maximum speed in extensive output is
displayed as 16384 Kbps instead of 8.0 Mbps. [PR/437530]
■
On SRX Series devices, incorrect Layer 2 circuit replication on the backup Routing
Engine might occur when you:
■
Configure nonstop active routing (NSR) and Layer 2 circuit standby
simultaneously and commit them
■
Delete the NSR configuration and then add the configuration back when
both the NSR and Layer 2 circuits are up
As a workaround:
1.
Configure the Layer 2 circuit for a nonstandby connection.
2.
Change the configuration to a standby connection.
3.
Add the NSR configuration.
[PR/440743]
■
On SRX210 Low Memory devices, the E1 interface will flap and traffic will not
pass through the interface if you restart forwarding while traffic is passing through
the interface. [PR/441312]
■
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, when you configure
the SAP listen option using the protocol sap listen command in the CLI, listening
fails in both sparse and sparse-dense modes. [PR/441833]
■
On J Series devices, one member link goes down in a multilink bundle during
bidirectional traffic with Multilink Frame Relay (MLFR). [PR/445679]
■
On SRX240 Low Memory devices and SRX240 High Memory devices, the RPM
Server operation does not work when the probe is configured with the option
destination-interface. [PR/450266]
■
On J Series devices, the DS3 interface does not have an option to configure
multilink-frame-relay-uni-nni (MLFR). [PR/453289]
■
On SRX210 devices, the modem moves to the dial-out pending state while
connecting or disconnecting the call. [PR/454996]
■
On SRX100, SRX210, and J Series devices, out-of-band dial-in access using a
serial modem does not work. [PR/458114]
■
On SRX210 PoE devices, the G.SHDSL link does not come up with an octal port
line card of total access 1000 ADTRAN digital subscriber line access multiplexer
(DSLAM). [PR/459554]
■
On SRX100 and SRX200 devices with VDSL2, multiple carrier transitions
(three to four) are seen during long duration traffic testing with ALU 7302 DSLAM.
There is no impact on traffic except for the packet loss after long duration traffic
testing, which is also seen in the vendor CPE. [PR/467912]
■
On SRX210 devices with VDSL2, a remote-end ping fails for packet sizes above
1480 because the packets are dropped: the default MTU on the interface is 1496,
and the default MTU of the remote host Ethernet interface is 1514.
[PR/469651]
■
On SRX210 devices, the G.SHDSL ATM logical interface goes down when ATM
CoS is enabled on the interface with OAM. As a workaround, restart the FPC to
bring up the logical interface. [PR/472198]
■
On SRX210 devices with VDSL2, ATM CoS VBR-related functionality cannot be
tested because of lack of support from the vendor. [PR/474297]
■
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the show datapath-debug
counter command gives error messages from the secondary node. [PR/477017]
■
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, when you change the
multicast scoping to a different multicast address, traffic other than that
configured for multicast scoping will not be received. [PR/482957]
■
On SRX210 High Memory devices, IGMPv2 join messages are dropped on an
integrated routing and bridging (IRB) interface. As a workaround, enable IGMP
snooping to use IGMP over IRB interfaces. [PR/492564]
■
On SRX100 and SRX210 devices, every time the VDSL2 PIM is restarted in the
ADSL mode, the first packet passing through the PIM will be dropped. This occurs
because there is a bug in the SAR engine, which will not set the ATM connection
until the first packet has been dropped due to no ATM connection. [PR/493099]
■
The destination and destination-profile options for address and
unnumbered-address within family inet and inet6 are allowed to be specified
within a dynamic profile but not supported. [PR/493279]
■
On SRX210 High Memory devices, the physical interface module (PIM) shows
time in ADSL2+ ANNEX-M, even though it is configured for ANNEX-M ADSL2.
[PR/497129]
■
On SRX5600 and SRX5800 devices, load balancing does not occur within the
aggregated Ethernet (ae) interface when you use a prefix length of /24 while
incrementing the destination IP address. [PR/505840]
Intrusion Detection and Prevention (IDP)
■
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, when the firewall and
IDP policy both enable diffServ marking with a different DSCP value for the same
traffic, the firewall DSCP value takes precedence and the traffic is marked using
the firewall DSCP value. [PR/297437]
■
On SRX5600 and SRX5800 devices, when the device is processing heavy traffic,
the show security idp status operational command might fail. As a result, IDP
flow, session, and packet statistics do not match firewall statistics. [PR/389501]
[PR/388048]
■
The SRX210 device supports only one IDP policy at any given time. When you
make changes to the IDP policy and commit, the current policy is completely
removed before the new policy becomes effective. During the update, IDP will
not inspect the traffic that is passing through the device for attacks. As a result,
there is no IDP policy enforcement. [PR/392421]
■
On SRX210, SRX3400, SRX3600, SRX5600, and SRX5800 devices, in J-Web
selecting Configuration>Quick Configuration>Security Policies>IDP
Policies>Security Package Update>Help brings up the IDP policy Help page
instead of the Signature update Help page. To access the corresponding Help
page, select Configuration>Quick Configuration>IDP
Policies>Signature/Policies Update and then click Help. [PR/409127]
■
On SRX3400, SRX3600, SRX5600 and SRX5800 devices, if you want to change
to dedicated mode, the configuration of the security forwarding-process
application-services maximize-idp-sessions command should be done right before
rebooting the device. This should be done to avoid recompiling IDP policies
during every commit. [PR/426575]
■
On SRX3400, SRX3600, and SRX5600 devices, when you configure IDP to run
in decoupled mode using the set security forwarding-process application-services
maximize-idp-sessions command, network address translation (NAT) information
will not be shown in the event log. [PR/445908]
■
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, if you configure a
policy containing more than 200 rules, with each rule containing the predefined
attack groups (Critical, Major, and Minor), the memory constraint of the Routing
Engine (500 MB) is reached. [PR/449731]
■
On SRX3400, SRX3600, SRX5600, and SRX5800 devices in
maximize-idp-sessions mode, there is an IPC channel between two data plane
processes. The channel is responsible for transferring the "close session" message
(and other messages) from the firewall process to the IDP process. Under stress
conditions, the channel becomes full and extra messages might get lost. This
causes IDP sessions in the IDP process to hang for longer than necessary, and
they will time out eventually. [PR/458900]
■
When an SRX Series device running JUNOS Release 10.1 (Layer 2
access-integrated mode) is rolled back to the JUNOS Release 9.6 image, the DUT
comes up in JUNOS Release 9.6 with Layer 2 access-integrated mode, which was
not supported in JUNOS Release 9.6. [PR/469069]
■
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the application-level
distributed denial-of-service (application-level DDoS) rulebase (rulebase-ddos)
does not support port mapping. If you configure an application other than default,
and if the application is from either predefined JUNOS Software applications or
a custom application that maps an application service to a nonstandard port,
application-level DDoS detection will not work. When you configure the
application setting as default, IDP uses application identification to detect
applications running on standard and nonstandard ports, hence the
application-level DDoS detection works properly. [PR/472522]
J-Flow
■
SRX3400, SRX3600, SRX5600, and SRX5800 devices support 4-byte autonomous
system (AS) for BGP configuration. However, the J-Flow template versions 5 and
8 do not support 4-byte AS, because these J-Flow templates have 2 bytes for the
SRC/DST AS field. [PR/416497]
■
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, J-Flow sampling on
the virtual router interface does not show the autonomous system (AS) and
mask length values. The AS and mask length values of cflowd packets show
0 while sampling the packet on the virtual router interface. [PR/419563]
J-Web
■
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the LEDs on the Routing
Engine and PICs are not shown as green when they are up and online on the
J-Web Chassis View. [PR/297693]
■
On SRX Series devices, when the user adds LACP interface details, a pop-up
window appears in which there are two buttons to move the interface left and
right. The LACP page currently does not have images incorporated with these
two buttons. [PR/305885]
■
On SRX210 devices, there is no maximum length limit when the user commits
the hostname in CLI mode; however, only a maximum of 58 characters are
displayed in the J-Web System Identification panel. [PR/390887]
■
On SRX210, SRX240, and SRX650 devices, the complete contents of the ToolTips
are not displayed in the J-Web Chassis View. As a workaround, drag the Chassis
View image down to see the complete ToolTip. [PR/396016]
■
On SRX100, SRX210, SRX240, and SRX650 devices, the LED status in the Chassis
View is not in sync with the LED status on the device. [PR/397392]
■
On SRX Series devices, when you right-click Configure Interface on an interface
in the J-Web Chassis View, the Configure>Interfaces page for all interfaces is
displayed instead of the configuration page for the selected interface. [PR/405392]
■
On SRX210 Low Memory devices, in the rear view of the Chassis viewer image,
the image of ExpressCard remains the same whether a 3G card is present or
not. [PR/407916]
■
On SRX210, SRX3400, SRX3600, SRX5600, and SRX5800 devices, selecting
Configure>Security>Policy>IDP Policies>Security Package Update>Help
in the J-Web user interface brings up the IDP policy Help page instead of the
Signature update Help page. To access the corresponding Help page, select
Configure>IDP>Signature Update and then click Help. [PR/409127]
■
On SRX Series devices, the CLI Terminal feature does not work in J-Web over
IPv6. [PR/409939]
■
On SRX210 High Memory, SRX240 PoE, and J Series devices, IDP custom attacks
and dynamic attack groups cannot be configured using J-Web. [PR/416885]
■
On J2350, J4350, and J6350 devices, users cannot configure firewall filters using
J-Web. The Firewall Filters menu was removed because it was not functioning
properly. [PR/422898]
■
On SRX210, SRX240, J2350, J4350, and J6350 devices, when J-Web users select
the tabs on the bottom-left menu, the corresponding screen is not displayed
fully, so users must scroll the page to see all the content. This issue occurs when
the computer is set to a low resolution. As a workaround, set the computer
resolution to 1280 x 1024. [PR/423555]
■
On SRX Series and J Series devices, users cannot differentiate between Active
and Inactive configurations on the System Identity, Management Access, User
Management, and Date & Time pages. [PR/433353]
■
On SRX210 devices, in Chassis View, right-clicking any port and then clicking
Configure Port takes the user to the Link aggregation page. [PR/433623]
■
On SRX100 devices, in J-Web users can configure the scheduler without entering
any stop date. The device submits the scheduler successfully, but the submitted
value is not displayed on the screen or saved in the device. [PR/439636]
■
On SRX100, SRX210, SRX240, and SRX650 devices, in J-Web the associated
dscp and dscpv6 classifiers for a logical interface might not be mapped properly
when the user edits the classifiers of a logical interface. This can affect the Delete
functionality as well. [PR/455670]
■
On SRX Series and J Series devices, when J-Web is used to configure a VLAN,
the option to add an IPv6 address appears. Only IPv4 addresses are supported.
[PR/459530]
■
On SRX100, SRX210, SRX240, SRX650, and J Series devices, in J-Web, the
options Input filter and Output Filter are displayed in VLAN configuration page.
This feature is not supported, and the user cannot obtain or configure any value
under these filter options. [PR/460244]
■
On J2350, J4350, J6350, SRX100 Low Memory and High Memory, SRX210 Low
Memory and High Memory, SRX210 PoE, SRX240 Low Memory and High
Memory, and SRX650 devices, in the J-Web interface, in the OSPF Global Settings
table in the OSPF Configuration page, the Global Information table in the BGP
Configuration page, or the Add Interface window in the LACP Configuration page,
if you try to change the position of columns using the drag-and-drop method,
only the column header moves to the new position instead of the entire column.
[PR/465030]
■
On SRX100, SRX210, SRX240, SRX650, and J Series devices, when you have a
large number of static routes configured, and if you have navigated to pages
other than to page 1 in the Route Information table in the J-Web interface
(Monitor>Routing>Route Information), changing the Route Table to query other
routes refreshes the page but does not return you to page 1. For example, if you
run the query from page 3 and the new query returns very few results, the Route
Information table continues to display page 3 with no results. As a workaround,
navigate to page 1 manually to view the results. [PR/476338]
■
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the J-Web interface
Static Routing page might not display details on entries registered in the routing
table. [PR/483885]
■
On SRX210 Low Memory, SRX210 High Memory, and SRX210 PoE devices, in
the J-Web interface, Configuration>Routing>Static Routing does not display
the IPv4 static route configured in rib inet.0. [PR/487597]
■
On SRX100 (low memory and high memory), SRX210 (low memory, high
memory, and PoE), SRX240 (low memory and high memory), SRX650, J2350,
J4350, and J6350 devices, CoS feature commits occur without validation
messages, even if you have not made any changes. [PR/495603]
■
On SRX100, SRX210, SRX240, and SRX650 devices, J-Web shows switching
pages in HA mode, but switching is not supported in HA mode.
Management and Administration
■
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the queue statistics
are not correct after deletion and re-creation of a logical interface (IFL) or creation
of a new IFL. IFL statistics are not cleared for 15 minutes after chassis-control is
restarted. [PR/417947]
■
On SRX5600 devices, when the system is in an unstable state (for example SPU
reboot), NFS might generate residual.nfs files under the /var/tmp directory,
which can occupy the disk space for a very long time. As a workaround, run the
request sys storage cleanup command to clean up when the system has low disk
space. [PR/420553]
■
On SRX650 devices, the kernel crashes when the link goes down during TFTP
installation of the srxsme image. [PR/425419]
■
On SRX650 devices, continuous messages are displayed from syslogd when ports
are in switching mode. [PR/426815]
■
On SRX240 devices, if a timeout occurs during the TFTP installation, booting the
existing kernel using the boot command might crash the kernel. As a workaround,
use the reboot command from the loader prompt. [PR/431955]
■
On SRX240 devices, when you configure the system log hostname as 1 or 2, the
device goes to the shell prompt. [PR/435570]
■
On SRX240 devices, the Scheduler Oinker messages are seen on the console at
various instances with various Mini-PIM combinations. These messages are seen
during bootup, restarting fwdd, restarting chassisd, and configuration commits.
[PR/437553]
■
On SRX5800 devices, rebooting is required for any NP bundle configuration
change to take effect. Currently there is no notification displayed after the bundle
configuration change to notify that a reboot is required for the change to take
effect. [PR/441546]
■
On SRX5600 and SRX5800 devices, data path debug trace messages are getting
dropped at above 1000 packets per second (pps). [PR/446098]
■
On J2350, J4350, and J6350 devices, extended bit error rate test (BERT) takes
an additional 3 hours to complete even though a BERT-period of 24 hours is set.
[PR/447636]
Network Address Translation (NAT)
■
On J4350 devices, when you place internal calls, interface-based persistent NAT
displays only one active hairpinning session instead of two, even after the call
is established. [PR/504932]
■
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, NAT behavior in event
logs is incorrect for JUNOS Release 10.1. Because of a bug, the log output shows
both source and destination IP from the client/server instead of only the IP
address with NAT. The output incorrectly shows 4.0.0.0->5.0.0.1.
The correct output should be as follows:
■
For destination NAT, the IP address in the log should be 0.0.0.0->5.0.0.1.
■
For source NAT, the IP address displayed in the log should be 4.0.0.0->0.0.0.0.
[PR:505454 / PR:562620]
Power over Ethernet (PoE)
■
On SRX240 and SRX210 devices, the output of the PoE operational commands
takes roughly 20 seconds to reflect a new configuration or a change in status of
the ports. [PR/419920]
■
On SRX210 and SRX240 devices, the deactivate poe interface all command does
not deactivate the PoE ports. Instead, the PoE feature can be turned off by using
the disable configuration option. Otherwise, the device must be rebooted for the
deactivate setting to take effect. [PR/426772]
■
On SRX210 and SRX240 devices, reset of the PoE controller fails when the restart
chassis-control command is issued and also after system reboot. PoE functionality
is not negatively impacted by this failure. [PR/441798]
■
On SRX210 PoE devices managing AX411 Access Points, the devices might not
be able to synchronize time with the configured NTP Server. [PR/460111]
■
On SRX210 devices, the fourth access point connected to the services gateway
fails to boot with the default Power over Ethernet (PoE) configuration. As a
workaround, configure all the PoE ports to a maximum power of 12.4 watts.
Use the following command to configure the ports:
root# set poe interface all maximum-power 12.4
[PR/465307]
■
On SRX100, SRX210, SRX240, and SRX650 devices, with factory default
configurations the device is not able to manage the AX411 Access Point. This
might be due to the DHCP default gateway not being set. [PR/468090]
■
On SRX210 PoE devices, high latencies might be observed for the Internet Control
Message Protocol (ICMP) pings between two wireless clients when 32 virtual
access points (VAPs) are configured. [PR/472131]
■
On SRX210 PoE devices, when AX411 Access Points managed by the SRX Series
devices reboot, the configuration might not be reflected onto the AX411 Access
Points. As a result, the AX411 Access Points retain the factory default
configuration. [PR/476850]
Security
■
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the egress filter-based
forwarding (FBF) feature is not supported. [PR/396849]
■
On SRX210, SRX3400, SRX3600, SRX5600, and SRX5800 devices in a chassis
cluster, if the Infranet Controller auth table mapping action is configured as
provision auth table as needed, UAC terminates the existing sessions after Routing
Engine failover. You might have to initiate new sessions. Existing sessions will
not get affected after Routing Engine failover if the Infranet Controller auth table
mapping action is configured as always provision auth table. [PR/416843]
■
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, you should not
configure rulebase-DDoS rules that have two different application-DDoS objects
to run on one destination service because the traffic destined to one application
server can encounter more than one rule. Essentially, for each protected
application server, you have to configure a single application-level DDoS rule.
[PR/467326]
Unified Access Control (UAC)
■
On J Series devices, MAC address-based authentication does not work when the
router is configured as a UAC Layer 2 Enforcer. [PR/431595]
Unified Threat Management (UTM)
■
On SRX210 High Memory devices, content filtering provides the ability to block
protocol commands. In some cases, blocking these commands interferes with
protocol continuity, causing the session to hang. For instance, blocking the FETCH
command for the IMAP protocol causes the client to hang without receiving any
response. [PR/303584]
■
On SRX210 High Memory devices, when the content filtering message type is
set to protocol-only, customized messages appear in the log file. [PR/403602]
■
On SRX210 High Memory devices, the express antivirus feature does not send
a replacement block message for HTTP upload (POST) transactions if the current
antivirus status is engine-not-ready and the fallback setting for this state is block.
An empty file is generated on the HTTP server without any block message
contained within it. [PR/412632]
■
On SRX240, SRX650, and J Series devices, when Outlook Express sends infected
mail (with an EICAR test file) to the mail server (directly, not through the DUT)
and Eudora 7 uses the IMAP protocol to download this mail (through the DUT), mail
retrieval is slow, and the EICAR test file is not detected. [PR/424797]
■
On SRX650 devices operating under stress conditions, the UTM subsystem file
partition might fill up faster than UTM can process and clean up existing
temporary files. In that case, the user might see error messages. As a workaround,
reboot the system. [PR/435124]
■
On SRX240 High Memory devices, FTP download of files larger than 4 MB does not work
in a two-device topology. [PR/435366]
■
On SRX210, SRX240, and SRX650 devices, the Websense server stops taking
new connections after HTTP stress. All new sessions get blocked. As a
workaround, reboot the Websense server. [PR/435425]
■
On SRX240 devices, if the device is under UTM stress traffic for several hours,
users might get the following error while using a UTM command:
the utmd subsystem is not responding to management requests.
As a workaround, restart the utmd process. [PR/436029]
USB Modem
■
On SRX210 High Memory devices and J6350 devices, packet loss is seen during
rapid ping operations between the dialer interfaces when packet size is more
than 512 Kbps. [PR/484507]
■
On SRX210 High Memory devices, the modem interface can handle bidirectional
traffic of up to 19 Kbps. During oversubscription of 20-Kbps or more traffic, the
keepalive packets are not exchanged and the interface goes down. [PR/487258]
■
On SRX210 High Memory devices, IPv6 is not supported on dialer interfaces
with a USB modem. [PR/489960]
■
On SRX210 High Memory devices, HTTP traffic is very slow through the umd0
interface. [PR/489961]
■
On SRX210 High Memory devices, on multiple resets of the umd0 interface, the
umd0 interface keeps flapping if the d10 (dialer) interface on either the dial-in
or dial-out interface goes down because no keepalive packets are exchanged. As
a workaround, increase the ATS0 value to 4 or greater. [PR/492970]
■
On SRX210 High Memory devices and J6350 devices, the D10 link flaps during
long-duration traffic of 15 Kbps and also when packet size is 256 Kbps or more.
[PR/493943]
Virtual LANs (VLANs)
■
On SRX650 devices, when VLAN tagging is configured and traffic is sent, the
output of show interfaces ge-0/0/1 media detail VLAN tagged frame count is not
shown. [PR/397849]
■
On SRX240, SRX650, J4350, and J6350 devices, tagged frames on an access
port with the same VLAN tag are not dropped. [PR/414856]
■
On SRX100, SRX210, and SRX240 devices, the packets are not being sent out
of the physical interface when the VLAN ID associated with the VLAN interface
is changed. As a workaround, you need to clear the ARP. [PR/438151]
■
On SRX100 Low Memory, SRX100 High Memory, SRX210 Low Memory, SRX210
High Memory, SRX240 High Memory, and SRX650 devices, the Link Layer
Discovery Protocol (LLDP) organization-specific Type Length Value (TLV), medium
attachment unit (MAU) information always propagates as "Unknown".
[PR/480361]
■
On SRX100 High Memory devices and SRX210 Low Memory devices, dot1x
unauthenticated ports accept Link Layer Discovery Protocol (LLDP) protocol data
units (PDUs) from neighbors. [PR/485845]
■
For SRX210 High Memory devices, during configuration of access and trunk
ports, the individual VLANs from the vlan-range are not listed. [PR/489872]
VPNs
■
On SRX5600 devices, the shared IKE limit for IKE users is not currently enforced.
More users than are specified in the shared IKE limit are able to establish
IKE/IPsec tunnels. [PR/288551]
■
On SRX210 and SRX240 devices, concurrent logins to the device from different
management systems (for example, laptops or computers) are not supported.
The first user session will get disconnected when a second user session is started
from a different management system. Also, the status in the first user system is
displayed incorrectly as “Connected”. [PR/434447]
■
On SRX Series and J Series devices, the site-to-site policy-based VPNs in a three
or more zone scenario will not work if the policies match the address “any”,
instead of specific addresses, and all cross-zone traffic policies are pointing to
the single site-to-site VPN tunnel. As a workaround, configure address books in
different zones to match the source and destination, and use the address book
name in the policy to match the source and destination. [PR/441967]
WLAN
■
On SRX210, SRX240 and SRX650 devices, J-Web online Help displays the list
of all the countries and is not based on the regulatory domain within which the
access point is deployed. [PR/469941]
WXC Integrated Services Module
■
When two J Series devices with WXC Integrated Services Modules (WXC ISM
200s) installed are configured as peers, traceroute fails if redirect-wx is configured
on both peers. [PR/227958]
■
On J6350 devices, JUNOS Software does not support policy-based VPN with WXC
Integrated Services Modules (WXC ISM 200s). [PR/281822]
Resolved Issues in JUNOS Release 10.1 for SRX Series Services Gateways
and J Series Services Routers
The following are the issues that have been resolved since Junos OS Release 10.1 R3
for Juniper Networks SRX Series Services Gateways and J Series Services Routers.
The identifier following the descriptions is the tracking number in our bug database.
Application Identification (AI)
■
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, when doing Application
Identification signature database upgrade/downgrade, either through CLI
command request service application-identification download or request security
idp security-package install, the system was merging the new database with the
old one, potentially causing problems with port-mapping fields that were required
to be unique. [PR/521482: This issue has been resolved.]
Application Layer Gateways (ALGs)
■
On SRX3400 devices, the FTP ALG crashed when the
flow_tcp_proxy_stack_send_data2 command was used. [PR/525607: This issue
has been resolved.]
■
On SRX650 devices, the SQL ALG did not function when data was transmitted
over the control session. [PR/524444: This issue has been resolved.]
■
On SRX650 devices, Dot1p bits of Layer 2 packet traffic across XPIMs changed.
[PR/534064: This issue has been resolved.]
■
On SRX5800 devices, incorrect high jitter messages were displayed. [PR/526975:
This issue has been resolved.]
■
On SRX650 devices, an SNMP walk to the device would randomly time out.
[PR/524629: This issue has been resolved.]
■
On J6350 devices in chassis cluster mode, self traffic such as OSPF did not work
correctly when a node of the cluster was rebooted. [PR/528812: This issue has
been resolved.]
■
On SRX650 devices, SNMP MIB OID (.1.3.6.1.4.1.2636.1.1.1.2.40) showed fan
instead of fan-tray. [PR/533112: This issue has been resolved.]
■
On SRX3400 and SRX3600 devices, when you did RG0 failover, the CPP status
LED was set to blinking green and failed to remain steadily on. [PR/539921: This
issue has been resolved.]
Chassis Cluster
Class of Service
■
On SRX650 devices, show class-of-service virtual-channel-group did not show the
configured shaping rate. [PR/536778: This issue has been resolved.]
■
On SRX650 devices, the uplinks to the CPU could be exhausted and the system
could be limited to 2.5 GB throughput traffic when the device was using similar
kinds of source MAC addresses. [PR/428526: This issue has been resolved.]
■
On SRX240 PoE and J Series devices, packet drops were seen on the lsq interface
when transit traffic with a frame length of 128 bytes was sent. [PR/455714: This
issue has been resolved.]
■
On SRX3600 devices, when you enabled source-ip-based session limiting, the
destination-ip-based session limiting was also enabled by default. [PR/501666:
This issue has been resolved.]
■
On SRX650 devices, because of a memory corruption issue, the flow daemon
generated a core file, and the device stopped passing traffic. [PR/534887: This
issue has been resolved.]
■
On SRX3400 devices, IPsec proxy ID reverted to 0.0.0.0 when IKE or IPSec
proposals were changed. [PR/536354: This issue has been resolved.]
■
On SRX240 High Memory devices, under continuous high HTTP traffic load, the
forwarding daemon generated a core. This core file was seen after more than
24 hours of continuous high load. [PR/538383: This issue has been resolved.]
■
On SRX5800 devices, when multiple fragment packets were processed at the
same time, the processing threads locked each other, triggering restart of
forwarding. [PR/539296: This issue has been resolved.]
■
On SRX650 devices, packets traveling over the HA fabric link contained an invalid
IP header checksum, and some switches dropped these packets. [PR/541245:
This issue has been resolved.]
■
On SRX3600 devices, a crash occurred when very high rates
of GTP packets were handled. [PR/544448: This issue has been resolved.]
■
On SRX3600 devices, when GPRS inspection was enabled, it failed to create a
GTP tunnel. [PR/545354: This issue has been resolved.]
■
On SRX5800 devices, under certain conditions, the session ager got stuck causing
momentary traffic outage. [PR/545948: This issue has been resolved.]
■
On J4350 devices, multicast traffic was not received when the source and the
receiver were connected to the same PE routers. [PR/429130: This issue has
been resolved.]
■
On J Series devices, tail drops were seen on a bundle for traffic with a bigger
packet size and smaller fragmentation threshold. [PR/461417: This issue has
been resolved.]
Flow and Processing
Interfaces and Routing
■
On J2350 devices, the T1 interface dropped after 49 days and never recovered.
[PR/477777: This issue has been resolved.]
■
On SRX5800 devices, the clock on SPCs drifted a few seconds from the clock
on the routing engine, even when NTP was used. When this deviation was
detected, it was corrected and a “time reset” message was logged. [PR/537543:
This issue has been resolved.]
Intrusion Detection and Prevention (IDP)
■
On SRX3400 and SRX3600 devices, the logging rate was slightly less in SPUs
operating in combo mode as compared to SPUs operating in non-combo mode.
[PR/457251: This issue has been resolved.]
■
On SRX650 devices, IDP detector and IDP attack database update caused chassis
cluster instability, and the secondary node went to a disabled state. [PR/523494:
This issue has been resolved.]
■
On SRX650 devices, the source-address option for J-Flow did not remain
persistent. [PR/530620: This issue has been resolved.]
■
On SRX100, SRX210, SRX240, SRX650, and J Series devices, in the J-Web
interface, the Traceoptions tab in the Edit Global Settings window of the OSPF
Configuration page (Configuration>Routing>OSPF Configuration) did not display
the available flags (tracing parameters). [PR/475313: This issue has been
resolved.]
■
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, CPU utilization on the
J-Web dashboard did not match CPU utilization of the routing engine. [PR/527344:
This issue has been resolved.]
■
On SRX5600 and SRX5800 devices, in certain ISIS configurations, rpd crashed
when ISIS inserted routes into the routing table. [PR/531292: This issue has been
resolved.]
■
On SRX Series devices, when you authenticated using TACACS+ through J-Web,
J-Web waited for the password prompt to be ’Password’ and failed to authenticate
if the prompt sent was ’password’. [PR/540217: This issue has been resolved.]
J-Flow
J-Web
Management and Administration
■
On SRX Series and J Series devices with session-init and session-close enabled,
you should not clear sessions manually when too many sessions were in status
"used". [PR/445730: This issue has been resolved.]
■
On SRX5800 devices, when the local-identity hostname configuration was
changed, these changes were not propagated to KMD, and the proxy IDs also
were mismatched. [PR/540667: This issue has been resolved.]
Network Address Translation (NAT)
■
On SRX240 High Memory devices in a chassis cluster, the secondary node could
go to DB> mode when there were many policies configured and TCP, UDP, and
ICMP traffic matched the policies. [PR/493095: This issue has been resolved.]
■
On SRX240 High Memory devices, the device stopped sending logs to NSM after
a few days. [PR/517969: This issue has been resolved.]
■
On SRX5600 and SRX5800 devices, the NAT hit counter was not increased for
overflow NAT pools. [PR/534578: This issue has been resolved.]
■
On SRX100 and SRX210 High Memory devices, h323/h245 OLC could not pass
whether src nat or dst nat was used. [PR/538764: This issue has been resolved.]
■
On SRX100 High Memory devices, for nat source with port no-translation the
configured source-pool IP addresses were divided into half and they were
exclusively used on each node. However, when multiple groups of source-pool
IP addresses were configured, the half-divided logic did not work properly, and
it resulted in an unexpectedly insufficient IP address (from source-pool) for a
node. [PR/538769: This issue has been resolved.]
■
On SRX210 PoE devices managing AX411 Access Points, traffic of 64 bytes at
speeds more than 45 megabits per second (Mbps) resulted in loss of keepalives
and reboot of the AX411 Access Point. [PR/471357: This issue has been resolved.]
■
On SRX3600 devices, screen names with 24 characters did not function properly.
[PR/520299: This issue has been resolved.]
Power over Ethernet (PoE)
Screens
Unified Threat Management (UTM)
■
On SRX210 High Memory devices, the forwarding daemon ran out of memory
with large UTM configurations such as 30,000 objects configured including 15,000
URLs in the blacklist. As a result, the forwarding daemon generated a core file
and stopped forwarding. [PR/518490: This issue has been resolved.]
■
On SRX210 High Memory devices, problems occurred because of an invalid
assert on the sizes of two data structures. [PR/518511: This issue has been
resolved.]
USB Modem
■
On SRX210, SRX100, SRX240, and SRX650 devices, when you restarted fwdd
at the dial-out side, the umd interface went down and the call never got
connected. [PR/480206: This issue has been resolved.]
■
On SRX240 Low Memory and High Memory devices, and SRX650 devices,
sometimes the VLAN entry was not created while MSTP regression was running.
[PR/518997: This issue has been resolved.]
■
On SRX5800 devices, when a large number of zones used the same screen,
some zones were not able to pass traffic. [PR/526082: This issue has been
resolved.]
■
On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, in a
VPLS environment, the CE learned the same MAC address from multiple CEs, which
caused traffic disruption. [PR/531846: This issue has been resolved.]
■
On SRX210 High Memory devices, native-vlan-id was configured only when either
flexible-vlan-tagging mode or interface-mode trunk was configured. [PR/536585:
This issue has been resolved.]
■
On SRX240 devices with voice capability, Layer 3 traffic with VLAN ID 4093 was
not allowed. [PR/539580: This issue has been resolved.]
■
On SRX210 Low Memory devices, IKE negotiation failed when an IKE-ID longer
than 31 bytes was configured. [PR/523796: This issue has been resolved.]
■
On SRX3000 and SRX5000 line devices, in a route-based VPN, VPN traffic failed
to pass when the remote peer IP address changed. [PR/529018: This issue has
been resolved.]
■
On SRX3600 devices, when you used vpn-monitor for route-based VPNs, the
ST0.x tunnel was not disabled when the VPN was down. [PR/552369: This issue
has been resolved.]
■
On SRX210 PoE devices, when you swapped an already managed AP with a new
one and changed the WLAN access-point configuration to reflect the MAC address
of the new access point, it resulted in the new access point not being managed.
[PR/539873: This issue has been resolved.]
Virtual LANs (VLANs)
VPNs
WLAN
Related Topics
■
New Features in JUNOS Release 10.1 for SRX Series Services Gateways and J
Series Services Routers
■
Known Limitations in JUNOS Release 10.1 for SRX Series Services Gateways and
J Series Services Routers
■
Errata and Changes in Documentation for JUNOS Release 10.1 for SRX Series
Services Gateways and J Series Services Routers
Errata and Changes in Documentation for JUNOS Release 10.1 for SRX Series Services
Gateways and J Series Services Routers
This section lists outstanding issues with the documentation.
Application Layer Gateways (ALGs)
■
The following section has been removed from the JUNOS Software Security
Configuration Guide to reflect RPC ALG data structure cleanup: “Display the Sun
RPC Port Mapping Table.”
■
The “Verifying the RPC ALG Tables” section of the JUNOS Software Security
Configuration Guide has been renamed to “Verifying the Microsoft RPC ALG
Tables” to reflect RPC ALG data structure cleanup.
■
ALG configuration examples in the JUNOS Software Security Configuration Guide
incorrectly show policy-based NAT configurations. NAT configurations are now
rule-based.
■
The JUNOS Software Security Configuration Guide incorrectly states that ALGs are
not supported in transparent mode on SRX3400, SRX3600, SRX5600, and
SRX5800 devices. The FTP, TFTP, RTSP, and DNS ALGs are supported in
transparent mode on those devices. Other ALGs are not.
■
In the section "Example: Using NAT and the H.323 ALG to Enable Incoming Calls
(CLI)" in the Junos OS Security Configuration Guide, the following text is incorrect:
    user@host# set security policy from-zone zone1 to-zone zone2 policy zone1_to_zone2 then permit source-nat pool p1
The correct text is as follows:
    user@host# set security policy from-zone zone1 to-zone zone2 policy zone1_to_zone2 then permit
Attack Detection and Prevention
The default parameters documented in the firewall/NAT screen configuration options
table in the JUNOS Software Security Configuration Guide and the J-Web online Help
do not match the default parameters in the CLI. The correct default parameters are:
[edit security screen ids-option untrust-screen]
tcp {
    syn-flood {
        alarm-threshold 1024;
        attack-threshold 200;
        source-threshold 1024;
        destination-threshold 2048;
        timeout 20;
    }
}
CLI Reference
The “Services Configuration Statement Hierarchy” section in the JUNOS® Software
CLI Reference refers to the JUNOS Services Interfaces Configuration Guide, which has
the following error in the sections “Data Size” and “Configuring the Probe”:
■
The minimum data size required by the UDP timestamp probe is identified as 44
bytes. This is incorrect: the minimum data size required by the UDP timestamp probe
is 52 bytes.
Command-Line Interface (CLI)
■
The following sections have been removed from the JUNOS Software CLI Reference
to reflect RPC ALG data structure cleanup:
■
show security alg sunrpc portmap
■
clear security alg sunrpc portmap
■
In the “Example: Configuring an IPsec Phase 2 Proposal (CLI)” section of the
Junos OS Security Configuration Guide, the second paragraph of the first example
states that the SA, “. . . terminates after 1800 KB of data pass through it.” It
should instead say, “. . . after 1800 seconds.” The same error is present in the
“Example: Configuring an IPsec Phase 2 Proposal (J-Web Point and Click CLI)”
section.
■
In the “Example: Accommodating End-to-End TCP Communication for J Series
Services Routers” section of the Junos OS Security Configuration Guide, one CLI
command given in the example in both the CLI Quick Configuration and
Step-by-Step Procedure is incomplete. The set security flow tcp-mss all-tcp
command must be followed by the keyword mss value. Therefore, the CLI
example in both cases should read set security flow tcp-mss all-tcp mss 1400.
The same error is present in the “Example: Setting the Maximum Segment Size
for All TCP Sessions for SRX Series Services Gateways (CLI)” section.
CompactFlash Card Support
■
The JUNOS Software Administration Guide incorrectly states that JUNOS Software
supports a 256-MB CompactFlash card size. JUNOS Software supports only
512-MB and 1024-MB CompactFlash card sizes.
Flow and Processing
■
The Junos OS CLI Reference and Junos OS Security Configuration Guide state that
the following aggressive aging statements are supported on all SRX Series devices
when in fact they are not supported on SRX3400, SRX3600, SRX5600, and
SRX5800 devices:
■
[edit security flow aging early-ageout]
■
[edit security flow aging high-watermark]
■
[edit security flow aging low-watermark]
■
The “Understanding Selective Stateless Packet-Based Services” section in the
JUNOS Software Administration Guide states: “The following security features are
not supported with selective stateless packet-based services—stateful firewall
NAT, IPsec VPN, DOS screens, J-flow traffic analysis, WXC integrated security
module, security policies, zones, attack detection and prevention, PKI, ALGs,
and chassis cluster.” This statement is not correct. With selective packet-mode,
traffic that is sent through flow is able to use all of those services, even in a single
VR scenario.
■
Information about secure context and router context has been removed from
the JUNOS Software Administration Guide and the JUNOS Software Security
Configuration Guide. If you want to use both flow-based and packet-based
forwarding simultaneously on a system, use the selective stateless packet-based
services feature instead. For more information, see “Configuring Selective
Stateless Packet-Based Services” in the JUNOS Software Administration Guide.
■
For a J Series Services Router, if the buffer size percentage is set to zero for T1
interfaces, traffic does not pass.
Hardware Documentation
■
On SRX100 devices, the Alarm LED is off, indicating that the device is starting
up.
Note that when the device is on, if the Alarm LED is off, it indicates that no
alarms are present on the device.
■
The “Configuring Basic Settings for the SRX100 Services Gateway with a
Configuration Editor” section in the SRX100 Services Gateway Hardware Guide
contains the following inaccuracies:
■
The documentation incorrectly implies that the management port and
loopback address must be defined for the device.
■
The documentation should indicate that the SSH remote access can be
enabled.
■
The documentation indicates the CLI command set services ssh, which is
incorrect. The correct command is set system services ssh.
■
The J-Web Initial Set Up screenshot shown in the SRX210 Services Gateway Getting
Started Guide and the SRX240 Services Gateway Getting Started Guide contains
the following inaccuracies: The J-Web screenshot incorrectly shows the “Enable
DHCP on ge-0/0/0.0” check box as disabled in factory default settings. The J-Web
screenshot should indicate the “Enable DHCP on ge-0/0/0.0” check box as enabled
in factory default settings.
■
The show chassis environment cb 0 command mentioned in the SRX5600 Services
Gateway Hardware Guide is modified to show chassis environment cb node 0.
■
The Power over Ethernet section in the SRX210 Services Gateway Hardware Guide
incorrectly states that PoE+ support (IEEE 802.3at standard) is available on all
models of SRX210 devices.
The guide should state that
■
PoE (IEEE 802.3af) support is enabled only on the SRX210 Services Gateway
PoE model.
■
PoE+ (IEEE 802.3at) support is enabled only on the SRX210 Services
Gateway with Integrated Convergence Services model.
■
The DOCSIS Mini-Physical Interface Module chapter in the SRX Series Services
Gateways for the Branch Physical Interface Modules Hardware Guide erroneously
states that EuroDOCSIS 3.0 and DOCSIS J (Japan) models of the DOCSIS Mini-PIM
are supported. The guide should state that only the DOCSIS 3.0 US model of the
DOCSIS Mini-PIM is supported.
Installing Software Packages
■
The current SRX210 documentation does not include the following information:
On SRX210 devices, the /var hierarchy is hosted in a separate partition (instead
of the root partition). If JUNOS Software installation fails as a result of insufficient
space:
1. Use the request system storage cleanup command to delete temporary files.
2. Delete any user-created files in both the root partition and under the /var
hierarchy.
■
The “Installing Software using the TFTPBOOT Method on the SRX100, SRX210,
and SRX650 Services Gateway” section in the JUNOS Software Administration
Guide contains the following inaccuracies:
■
The documentation incorrectly implies that the TFTPBOOT method requires
a separate secondary device to retrieve software from the TFTP server.
■
The documentation should indicate that the TFTPBOOT method does not
work reliably over slow speeds or large latency networks.
■
The documentation indicates that before starting the installation, you only
need to configure the gateway IP, device IP address, and device IP netmask
manually in some cases, when actually you need to configure them manually
in all cases.
■
The documentation should indicate that on the SRX100, SRX210, and SRX240
devices, only the ge-0/0/0 port supports TFTP in uboot, and on the SRX650
device, all front-end ports support TFTP in uboot.
■
Step 2 of the “Installing JUNOS Software Using TFTPBOOT” instructions
should mention that the URL path is relative to the TFTP server’s TFTP root
directory. The instructions should also mention that you should store the
JUNOS Software image file in the TFTP server’s TFTP root directory.
■
The documentation should indicate that the TFTPBOOT method installs
software on the internal flash on SRX100, SRX210, and SRX240 devices,
whereas on SRX650 devices, the TFTP method can install software on the
internal or external CompactFlash card.
■
The JUNOS Software Administration Guide is missing the following information
about installing software using USB on SRX100, SRX210, SRX240, and SRX650
devices:
You can install or recover the JUNOS Software using USB on SRX100, SRX210,
SRX240, and SRX650 devices. During the installation process, the installation
package from the USB is installed on the specified boot media.
Before you begin the installation, ensure the following prerequisites are met:
■
U-boot and Loader are up and running on the device.
■
USB is available with the JUNOS Software package to be installed on the
device.
To install the software image on the specified boot media:
1. Go to the Loader prompt. For more information on accessing the Loader
prompt, see “Accessing the Loader Prompt” on page 260 of the JUNOS
Software Administration Guide.
2. Enter the following command at the Loader prompt:
    Loader>install URL
Where URL is file:///package
Example:
    Loader>install file:///junos-srxsme-9.4-200811.0-domestic.tgz
When you are done, the file reads the package from the USB and installs the
software package. After the software installation is complete, the device boots
from the specified boot media.
NOTE: USB to USB installation is not supported. Also, on SRX100, SRX210, and
SRX240 devices, the software image will always be installed on NAND flash, but on
SRX650 devices, the software image can be installed either on the internal or external
CompactFlash card based on the boot media specified.
Integrated Convergence Services
■
The JUNOS Software Integrated Convergence Services Configuration and
Administration Guide does not include show commands for JUNOS Release 10.1.
■
On SRX210 and SRX240 devices with Integrated Convergence Services, the
Transport Layer Security (TLS) option for the SIP protocol transport is not
supported in JUNOS Release 10.1. However, it is documented in the Integrated
Convergence Services entries of the JUNOS Software CLI Reference.
■
The JUNOS Software CLI Reference contains Integrated Convergence Services
statement entries for the music-on-hold feature, which is not supported for JUNOS
release 10.1.
Interfaces and Routing
■
In the JUNOS Interfaces and Routing Configuration Guide, the “Configuring VDSL2
Interface” chapter incorrectly states that J-Web support for configuring the VDSL2
interface is not available in JUNOS Release 10.1. The J-Web support is available
for VDSL2 interfaces in JUNOS Release 10.1.
■
In the JUNOS Interfaces and Routing Configuration Guide, the “Configuring G.SHDSL
Interface” chapter incorrectly states that J-Web support for configuring the
G.SHDSL Interface is not available in JUNOS Release 10.1. The J-Web support is
available for G.SHDSL interfaces in JUNOS Release 10.1.
■
The JUNOS Interfaces and Routing Configuration Guide is missing the following
information about Q-in-Q VLAN tagging:
When Q-in-Q tunneling is configured for a service provider’s VLAN, all routing
engine packets, including packets from the routed VLAN interface, that are
transmitted from the customer-facing access port of that VLAN will always be
untagged.
■
The “Transmit Rate” section of the Class of Service Overview chapter incorrectly
states that SRX Series devices do not support an exact value transmit rate. Only
the SRX3400, SRX3600, SRX5600, and SRX5800 Series devices do not support
an exact value transmit rate.
Intrusion Detection and Prevention (IDP)
■
The JUNOS Software Security Configuration Guide does not state that custom
attacks and custom attack groups in IDP policies can now be configured and
installed even when a valid license and signature database are not installed on
the device.
■
The JUNOS Software CLI Reference is missing information about the following
IDP policy template commands:
■
Use this command to display the download status of a policy template:
user@host>request security idp security-package download status
Done; Successfully downloaded from
(https://devdb.secteam.juniper.net/xmlexport.cgi).
■
Use this command to display the installation status of a policy template:
user@host>request security idp security-package install status
Done;policy-templates has been successfully updated into internal
repository
(=>/var/db/scripts/commit/templates.xsl)!
■
The ip-action definition on SRX3400, SRX3600, SRX5600, and SRX5800 in the
JUNOS Software Security Configuration Guide on page 504 Table 73 is incorrect.
The correct definition should be as follows: Enables you to implicitly block a
source address to protect the network from future intrusions while permitting
legitimate traffic. You can configure one of the following IP action options in
application-level DDoS: ip-block, ip-close, and ip-notify.
■
The exclude-context-values option in the JUNOS Software Security Configuration
Guide on page 810 Table 101 is missing. The definition for exclude-context-values
should be as follows: Configure a list of common context value patterns that
should be excluded from application-level DDoS detection. For example, if you
have a Web server that receives a high number of HTTP requests on the home/landing
page, you can exclude it from application-level DDoS detection.
■
The JUNOS Software CLI Reference and the JUNOS Security Configuration Guide
state that the maximum acceptable range for the timeout (IDP Policy) is 65,535
seconds, whereas the ip-action timeout range has been modified to 0-64800
seconds.
■
The JUNOS Software CLI Reference and the JUNOS Security Configuration Guide
are missing information about the new CLI option download-timeout, which is
set with set security idp security-package automatic download-timeout
< value > and configures the download timeout in minutes. The default value for
download-timeout is one minute. If the download is completed before the
download-timeout, the signature is automatically updated after the download. If the
download takes longer than download-timeout, the automatic signature update is aborted.
Syntax:
user@host# set security idp security-package automatic download-timeout ?
Possible completions: < download-timeout >
Maximum time for download to complete (1 - 60 minutes)
[edit]
user@host# set security idp security-package automatic download-timeout
Range: 1 – 60 minutes
Default: 1 minute
■
The JUNOS Software CLI Reference incorrectly states the show security idp status
and clear security idp status logs, whereas the logs should be as follows:
■
Correct show security idp status log
user@host> show security idp status
State of IDP: 2-default, Up since: 2010-02-04 13:37:16 UTC (17:15:02 ago)
Packets/second: 5 Peak: 11 @ 2010-02-05 06:51:58 UTC
KBits/second : 2 Peak: 5 @ 2010-02-05 06:52:06 UTC
Latency (microseconds): [min: 0] [max: 0] [avg: 0]
Packet Statistics:
[ICMP: 0] [TCP: 82] [UDP: 0] [Other: 0]
Flow Statistics: ICMP: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
TCP: [Current: 2] [Max: 6 @ 2010-02-05 06:52:08 UTC]
UDP: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
Other: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
Session Statistics: [ICMP: 0] [TCP: 1] [UDP: 0] [Other: 0]
Policy Name : sample
Running Detector Version : 10.2.160091104
■
Correct clear security idp status log
user@host> clear security idp status
State of IDP: 2-default, Up since: 2010-02-04 13:37:16 UTC (17:13:45 ago)
Packets/second: 0 Peak: 0 @ 2010-02-05 06:49:51 UTC
KBits/second: 0 Peak: 0 @ 2010-02-05 06:49:51 UTC
Latency (microseconds): [min: 0] [max: 0] [avg: 0]
Packet Statistics: [ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]
Flow Statistics: ICMP: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
TCP: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
UDP: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
Other: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
Session Statistics: [ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]
Policy Name: sample
Running Detector Version: 10.2.160091104
■
The Verifying the Policy Compilation and Load Status section of the JUNOS
Software Security Configuration Guide has a missing empty/new line before
the IDPD Trace file heading, in the second sample output.
■
The JUNOS Software Security Configuration Guide incorrectly states that IDP
is not supported in transparent mode on SRX3400, SRX3600, SRX5600, and
SRX5800 devices. IDP is supported in transparent mode on those devices.
■
The IDP rule notification options listed in the JUNOS Software Security
Configuration Guide incorrectly include the Send Emails and Run Scripts options,
which are not supported in JUNOS Release 10.1.
J-Web
The following information pertains to SRX Series and J Series devices:
■ J-Web security package update Help page—The J-Web Security Package Update
Help page does not contain information about download status.
■ J-Web pages for stateless firewall filters—There is no documentation describing
the J-Web pages for stateless firewall filters. To find these pages in J-Web, go to
Configure>Security>Firewall Filters, then select IPv4 Firewall Filters or IPv6
Firewall Filters. After configuring filters, select Assign to Interfaces to assign
your configured filters to interfaces.
■ There is no documentation describing the J-Web pages for media gateways. To
find these pages in J-Web, go to Monitor>Media Gateway.
Screens
The following information pertains to SRX Series and J Series devices:
■ In the JUNOS Software Design and Implementation Guide, the “Implementing
Firewall Deployments for Branch Offices” chapter contains incorrect screen
configuration instructions.
Examples throughout this guide describe how to configure screen options using
the set security screen screen-name CLI statements. Instead, you should use the
set security screen ids-option screen-name CLI statements. All screen configuration
options are located at the [set security screen ids-option screen-name] level of the
configuration hierarchy.
Related Topics
■ New Features in JUNOS Release 10.1 for SRX Series Services Gateways and J
Series Services Routers
■ Known Limitations in JUNOS Release 10.1 for SRX Series Services Gateways and
J Series Services Routers
■ Issues in JUNOS Release 10.1 for SRX Series Services Gateways and J Series
Services Routers
Hardware Requirements for JUNOS Release 10.1 for SRX Series Services Gateways and J
Series Services Routers
■ Transceiver Compatibility for SRX Series and J Series Devices
■ Power and Heat Dissipation Requirements for J Series PIMs
■ Supported Third-Party Hardware
■ J Series CompactFlash and Memory Requirements
Transceiver Compatibility for SRX Series and J Series Devices
We strongly recommend that only transceivers provided by Juniper Networks be
used on SRX Series and J Series interface modules. Different transceiver types
(long-range, short-range, copper, and others) can be used together on multiport SFP
interface modules as long as they are provided by Juniper Networks. We cannot
guarantee that the interface module will operate correctly if third-party transceivers
are used.
Please contact Juniper Networks for the correct transceiver part number for your
device.
Power and Heat Dissipation Requirements for J Series PIMs
On J Series Services Routers, the system monitors the PIMs and verifies that the PIMs
fall within the power and heat dissipation capacity of the chassis. If power
management is enabled and the capacity is exceeded, the system prevents one or
more of the PIMs from becoming active.
CAUTION: Disabling power management can result in hardware damage if you
overload the chassis capacities.
You can also use CLI commands to choose which PIMs are disabled. For details about
calculating the power and heat dissipation capacity of each PIM and troubleshooting
procedures, see the J Series Services Routers Hardware Guide.
Supported Third-Party Hardware
The following third-party hardware is supported for use with J Series Services Routers
running Junos OS.
USB Modem
■ We recommend using a U.S. Robotics USB 56K V.92 Modem, model number USR
5637.
Storage Devices
The USB slots on J Series Services Routers accept a USB storage device or USB storage
device adapter with a CompactFlash card installed, as defined in the CompactFlash
Specification published by the CompactFlash Association. When the USB device is
installed and configured, it automatically acts as a secondary boot device if the
primary CompactFlash card fails on startup. Depending on the size of the USB storage
device, you can also configure it to receive any core files generated during a router
failure. The USB device must have a storage capacity of at least 256 MB.
Table 7 lists the USB and CompactFlash card devices supported for use
with the J Series Services Routers.
Table 7: Supported Storage Devices on the J Series Services Routers

| Manufacturer | Storage Capacity | Third-Party Part Number |
|---|---|---|
| SanDisk—Cruzer Mini 2.0 | 256 MB | SDCZ2-256-A10 |
| SanDisk | 512 MB | SDCZ3-512-A10 |
| SanDisk | 1024 MB | SDCZ7-1024-A10 |
| Kingston | 512 MB | DTI/512KR |
| Kingston | 1024 MB | DTI/1GBKR |
| SanDisk—ImageMate USB 2.0 Reader/Writer for CompactFlash Type I and II | N/A | SDDR-91-A15 |
| SanDisk CompactFlash | 512 MB | SDCFB-512-455 |
| SanDisk CompactFlash | 1 GB | SDCFB-1000.A10 |

J Series CompactFlash and Memory Requirements
Table 8 lists the CompactFlash card and DRAM requirements for J Series
Services Routers.
Table 8: J Series CompactFlash Card and DRAM Requirements

| Model | Minimum CompactFlash Card Required | Minimum DRAM Required | Maximum DRAM Supported |
|---|---|---|---|
| J2320 | 512 MB | 512 MB | 1 GB |
| J2350 | 512 MB | 512 MB | 1 GB |
| J4350 | 512 MB | 512 MB | 2 GB |
| J6350 | 512 MB | 1 GB | 2 GB |

Related Topics
■ New Features in JUNOS Release 10.1 for SRX Series Services Gateways and J
Series Services Routers
■ Known Limitations in JUNOS Release 10.1 for SRX Series Services Gateways and
J Series Services Routers
■ Changes In Default Behavior and Syntax in JUNOS Release 10.1 for SRX Series
Services Gateways and J Series Services Routers
■ Issues in JUNOS Release 10.1 for SRX Series Services Gateways and J Series
Services Routers
■ Upgrade and Downgrade Instructions for JUNOS Release 10.1 for SRX Series
Services Gateways and J Series Services Routers
■ Errata and Changes in Documentation for JUNOS Release 10.1 for SRX Series
Services Gateways and J Series Services Routers
Dual-Root Partitioning Scheme Documentation for SRX Series Services Gateways
Dual-Root Partitioning Scheme
JUNOS Release 10.1 supports dual-root partitions on SRX100, SRX210, SRX240, and
SRX650 devices. Dual-root partitions allow the SRX Series devices to remain functional
if there is file system corruption and facilitate easy recovery of the corrupted file
system.
SRX Series devices running JUNOS Release 9.6 or earlier support a single-root
partitioning scheme where there is only one root partition. Because both the primary
and backup JUNOS Software images are located on the same root partition, the
system fails to boot if there is corruption in the root file system. The dual-root
partitioning scheme guards against this scenario by keeping the primary and backup
JUNOS Software images in two independently bootable root partitions. If the primary
root partition becomes corrupted, the system will be able to boot from the backup
JUNOS Software image located in the other root partition and remain fully functional.
SRX Series devices that ship with JUNOS Release 10.1 are formatted with dual-root
partitions from the factory. SRX Series devices that are running JUNOS Release 9.6
or earlier can be formatted with dual-root partitions when upgrading to JUNOS Release
10.1.
NOTE: The dual-root partitioning scheme allows the SRX Series devices to remain
functional if there is file system corruption and facilitates easy recovery of the
corrupted file system. Although you can install JUNOS Release 10.1 on SRX100,
SRX210, SRX240, and SRX650 devices with the single-root partitioning scheme, we
strongly recommend the use of the dual-root partitioning scheme.
Selection of Boot Media and Boot Partition
When the SRX Series device powers on, it tries to boot the JUNOS Software from the
default storage media. If the device fails to boot from the default storage media, it
tries to boot from the alternate storage media.
SRX100, SRX210, and SRX240 devices boot from the following storage media (in order
of priority):
1. Internal NAND flash (default; always present)
2. USB storage device (alternate)
SRX650 devices boot from the following storage media (in order of priority):
1. Internal CompactFlash card (default; always present)
2. External CompactFlash card (alternate)
3. USB storage device (alternate)
With the dual-root partitioning scheme, the SRX Series device first tries to boot the
JUNOS Software from the primary root partition and then from the backup root
partition on the default storage media. If both primary and backup root partitions of
a media fail to boot, then the SRX Series device tries to boot from the next available
type of storage media. The SRX Series device remains fully functional even if it boots
the JUNOS Software from the backup root partition of storage media.
Important Differences Between Single-Root and Dual-Root Partitioning Schemes
Note the following important differences in how SRX Series devices use the two types
of partitioning systems.
■ With the single-root partitioning scheme, there is one root partition that contains
both the primary and backup JUNOS Software images. With the dual-root
partitioning scheme, the primary and backup copies of JUNOS Software are in
different partitions. The partition containing the backup copy is mounted only
when required.
■ With the dual-root partitioning scheme, when the request system software add
command is performed for a JUNOS Software package, the contents of the other
root partition are erased. The contents of the other root partition will not be valid
unless the installation is completed successfully.
■ With the dual-root partitioning scheme, after a new JUNOS Software image is
installed, add-on packages like jais or jfirmware should be reinstalled as required.
■ With the dual-root partitioning scheme, the request system software rollback CLI
command does not delete the current JUNOS Software image. It is possible to
switch back to the image by using the rollback command again.
■ With the dual-root partitioning scheme, the request system software delete-backup
CLI command does not take any action. The JUNOS Software image in the other
root partition will not be deleted.
Upgrade Methods
SRX Series devices that ship from the factory with JUNOS Release 10.1 are formatted
with the dual-root partitioning scheme.
Existing SRX Series devices that are running JUNOS Release 9.6 or earlier use the
single-root partitioning scheme. While upgrading these routers to JUNOS Release
10.1, you can choose to format the storage media with dual-root partitions (strongly
recommended) or retain the existing single-root partitioning.
Certain JUNOS Software upgrade methods format the internal media before
installation, whereas other methods do not. To install JUNOS Release 10.1 with the
dual-root partitioning scheme, you must use an upgrade method that formats the
internal media before installation.
The following upgrade methods format the internal media before installation:
■ Installation from the boot loader using a TFTP server
■ Installation from the boot loader using a USB storage device
■ Installation from the CLI using the special partition option (available in JUNOS
Release 10.1)
The following upgrade methods retain the existing partitioning scheme:
■ Installation using the CLI
■ Installation using J-Web
WARNING: Upgrade methods that format the internal media before installation wipe
out the existing contents of the media. Only the current configuration will be
preserved. Any important data should be backed up before starting the process.
NOTE: Once the media has been formatted with the dual-root partitioning scheme,
you can use conventional CLI or J-Web installation methods, which retain the existing
partitioning and contents of the media, for subsequent upgrades.
Upgrading to JUNOS Release 10.1 Without Transitioning to Dual-Root Partitioning
If dual-root partitioning is not desired, use the conventional CLI and J-Web installation
methods, as described in the Junos OS Administration Guide for Security Devices.
Upgrading to JUNOS Release 10.1 with Dual-Root Partitioning
To format the media with dual-root partitioning while upgrading to JUNOS Release
10.1, use one of the following installation methods:
■ Installation from the boot loader using a TFTP server. This method is preferable
if console access to the system is available and a TFTP server is available in the
network.
■ Installation from the boot loader using a USB storage device. This method is
preferable if console access to the system is available and the system can be
physically accessed to plug in a USB storage device.
■ Installation from CLI using the special partition option. This method is
recommended only when console access is not available. This installation can
be performed remotely.
NOTE: After upgrading to JUNOS Release 10.1, the U-boot and boot loader must be
upgraded for the dual-root partitioning scheme to work properly.
Each of the aforementioned methods of installing JUNOS 10.1 with dual-root
partitioning is described in detail in the following sections:
■ Installing from the Boot Loader Using a TFTP Server
■ Installing from the Boot Loader Using a USB Storage Device
■ Installing from the CLI Using the partition Option
■ Upgrading the Boot Loader
Installing from the Boot Loader Using a TFTP Server
See the Junos OS Administration Guide for Security Devices for detailed information
on installing JUNOS Software using a TFTP server.
To install JUNOS Release 10.1 from the boot loader using a TFTP server:
1. Upload the JUNOS Software image to a TFTP server.
2. Stop the device at the loader prompt and set the following variables:
■ ipaddr
loader> set ipaddr=<IP-address-of-the-device>
■ netmask
loader> set netmask=<netmask>
■ gatewayip
loader> set gatewayip=<gateway-IP-address>
■ serverip
loader> set serverip=<TFTP-server-IP-address>
3. Install the image using the following command at the loader prompt:
loader> install tftp://<server-ip>/<image-path-on-server>
For example:
loader> install tftp://10.77.25.12/junos-srxsme-10.1R1-domestic.tgz
This will format the internal media and install the new JUNOS Software image
on the media with dual-root partitioning.
4. Once the system boots up with JUNOS Release 10.1, upgrade the U-boot and
boot loader immediately. See “Upgrading the Boot Loader”.
Installing from the Boot Loader Using a USB Storage Device
To install JUNOS Release 10.1 from the boot loader using a USB storage device:
1. Format a USB storage device in MS-DOS format.
2. Copy the JUNOS Software image onto the USB storage device.
3. Plug the USB storage device into the SRX Series device.
4. Stop the device at the loader prompt and use the following command:
loader> install file:///<image-path-on-usb>
For example:
loader> install file:///junos-srxsme-10.1R1-domestic.tgz
This will format the internal media and install the new JUNOS Software image
on the media with dual-root partitioning.
5. Once the system boots up with JUNOS Release 10.1, upgrade the U-boot and
boot loader immediately. See “Upgrading the Boot Loader”.
Installing from the CLI Using the partition Option
To install JUNOS Release 10.1 with the partition option:
1. Upgrade the device to JUNOS Release 10.1 or later using the CLI or J-Web. This
will install the new image with the older single-root partitioning scheme.
2. After the device reboots with JUNOS Release 10.1, upgrade the boot loader to
version 1.5. See “Upgrading the Boot Loader”.
3. Reinstall the 10.1 image from JUNOS CLI using the request system software add
command with the partition option. This will copy the image to the device, then
reboot the device for installation. The device will boot up with the 10.1 image
installed with the dual-root partitioning scheme.
NOTE: This process might take 15–20 minutes. The system will not be accessible
over the network during this time.
Upgrading the Boot Loader
To upgrade the boot loader to version 1.5:
1. Upgrade to JUNOS Release 10.1 (with or without dual-root support enabled).
The JUNOS 10.1 image contains the latest boot loader binaries in the following
paths: /boot/uboot, /boot/loader.
2. Enter the shell prompt.
3. Run the following command from the shell prompt:
bootupgrade -u /boot/uboot -l /boot/loader
Installing JUNOS Release 9.6 or Earlier Release on Systems with Dual-Root
Partitioning
JUNOS Release 9.6 and earlier releases are not compatible with the dual-root
partitioning scheme. These releases can only be installed if the media is reformatted
with single-root partitioning. Any attempt to install JUNOS Release 9.6 or earlier on a
device with dual-root partitioning without reformatting the media will fail with an
error. You must install the JUNOS Release 9.6 or earlier image from the boot loader
using a TFTP server or a USB storage device, or from the CLI using the partition option.
NOTE: You do not need to reinstall the earlier version of the boot loader.
Reinstalling the Single-Root Partition Release Over TFTP
To reinstall JUNOS Software from the boot loader using a TFTP server:
1. Upload the JUNOS Software image to a TFTP server.
2. Stop the device at the loader prompt and set the following variables:
■ ipaddr
loader> set ipaddr=<IP-address-of-the-device>
■ netmask
loader> set netmask=<netmask>
■ gatewayip
loader> set gatewayip=<gateway-IP-address>
■ serverip
loader> set serverip=<TFTP-server-IP-address>
3. Install the image using the following command at the loader prompt:
loader> install tftp://<server-ip>/<image-path-on-server>
For example:
loader> install tftp://10.77.25.12/junos-srxsme-9.6R1-domestic.tgz
This will format the internal media and install the JUNOS Software image on the
media with single-root partitioning.
Reinstalling the Single-Root Partition Release Using USB
To reinstall JUNOS Software from the boot loader using a USB storage device:
1. Format a USB storage device in MS-DOS format.
2. Copy the JUNOS Software image onto the USB storage device.
3. Plug the USB storage device into the SRX Series device.
4. Stop the device at the loader prompt and use the following command:
loader> install file:///<image-path-on-usb>
For example:
loader> install file:///junos-srxsme-9.6R1-domestic.tgz
This will format the internal media and install the JUNOS Software image on the
media with single-root partitioning.
Installing from the CLI Using the partition Option
To reinstall JUNOS Release 9.6 with the partition option:
1. Upgrade the boot loader to version 1.5 if your boot loader is older than
version 1.5. See “Upgrading the Boot Loader”.
2. Reinstall the 9.6 image from JUNOS CLI using the request system software add
command with the partition option. This will copy the image to the device, then
reboot the device for installation. The device will boot up with the 9.6 image
installed with the single-root partitioning scheme.
NOTE: This process might take 15–20 minutes. The system will not be accessible
over the network during this time.
Recovery of the Primary JUNOS Software Image with Dual-Root Partitioning Scheme
If the SRX Series Services Gateway is unable to boot from the primary JUNOS Software
image, and boots up from the backup JUNOS Software image in the backup root
partition, a message is displayed on the console at the time of login indicating that
the device has booted from the backup JUNOS Software image:
login: user
Password:
***********************************************************************
**                                                                   **
**  WARNING: THIS DEVICE HAS BOOTED FROM THE BACKUP JUNOS IMAGE      **
**                                                                   **
**  It is possible that the active copy of JUNOS failed to boot up   **
**  properly, and so this device has booted from the backup copy.    **
**                                                                   **
**  Please re-install JUNOS to recover the active copy in case       **
**  it has been corrupted.                                           **
**                                                                   **
***********************************************************************
Because the system is left with only one functional root partition, you should
immediately restore the primary JUNOS Software image. This can be done by installing
a new image using the CLI or J-Web. The newly installed image will become the
primary image, and the device will boot from it on the next reboot.
CLI Changes
This section describes CLI changes when the SRX Series device runs JUNOS Release
10.1 with the dual-root partitioning scheme.
■ Changes to the Snapshot CLI
■ partition Option with the request system software add Command
Changes to the Snapshot CLI
On an SRX Series device, you can configure the primary or secondary boot device
with a “snapshot” of the current configuration, default factory configuration, or rescue
configuration. The snapshot feature is modified to support dual-root partitioning.
The options as-primary, swap-size, config-size, root-size, var-size, and data-size are not
supported on SRX Series devices.
With the dual-root partitioning scheme, performing a snapshot to a USB storage
device that is less than 1 GB is not supported.
With the dual-root partitioning scheme, you must use the partition option when
performing a snapshot. If the partition option is not specified, the snapshot operation
fails with a message that the media needs to be partitioned for snapshot.
The output for the show system snapshot CLI command is changed in devices with
dual-root partitions to show the snapshot information for both root partitions:
user@host> show system snapshot media usb
Information for snapshot on       usb (/dev/da1s1a) (primary)
Creation date: Jul 24 16:16:01 2009
JUNOS version on snapshot:
  junos  : 10.1I20090723_1017-domestic
Information for snapshot on       usb (/dev/da1s2a) (backup)
Creation date: Jul 24 16:17:13 2009
JUNOS version on snapshot:
  junos  : 10.1I20090724_0719-domestic
NOTE: You can use the show system snapshot media internal command to determine
the partitioning scheme present on the internal media. Information for only one root
is displayed for single-root partitioning, whereas information for both roots is
displayed for dual-root partitioning.
NOTE: Any removable media that has been formatted with dual-root partitioning
will not be recognized correctly by the show system snapshot CLI command on
systems that have single-root partitioning. Intermixing dual-root and single-root
formatted media on the same system is strongly discouraged.
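The two checks described above (the backup-image login banner and the per-root listing from show system snapshot) can be automated when auditing a fleet. The following is an added example, not part of the release notes or of any Juniper tool; the sample texts are constructed from the output quoted here, and the single-root layout, version string, and function names are assumptions.

```python
import re

# Constructed samples modelled on the output quoted in these release notes.
# Column spacing and the single-root layout are assumptions.
DUAL_ROOT_SAMPLE = """\
Information for snapshot on       usb (/dev/da1s1a) (primary)
Creation date: Jul 24 16:16:01 2009
JUNOS version on snapshot:
  junos  : 10.1I20090723_1017-domestic
Information for snapshot on       usb (/dev/da1s2a) (backup)
Creation date: Jul 24 16:17:13 2009
JUNOS version on snapshot:
  junos  : 10.1I20090724_0719-domestic
"""
SINGLE_ROOT_SAMPLE = """\
Information for snapshot on       internal (/dev/da0s1a)
Creation date: Jul 24 16:16:01 2009
JUNOS version on snapshot:
  junos  : 9.6R1-domestic
"""
CONSOLE_SAMPLE = """\
login: user
Password:
***********************************************************************
**  WARNING: THIS DEVICE HAS BOOTED FROM THE BACKUP JUNOS IMAGE      **
**  It is possible that the active copy of JUNOS failed to boot up   **
***********************************************************************
"""

HEADER_RE = re.compile(
    r"^Information for snapshot on\s+(?P<media>\S+)\s+\((?P<device>/dev/\S+)\)"
    r"(?:\s+\((?P<role>primary|backup)\))?\s*$")
CREATED_RE = re.compile(r"^Creation date:\s*(?P<created>.+?)\s*$")
VERSION_RE = re.compile(r"^\s*junos\s*:\s*(?P<version>\S+)\s*$")
BACKUP_BANNER = "THIS DEVICE HAS BOOTED FROM THE BACKUP JUNOS IMAGE"


def parse_snapshot(output):
    """Return one dict per root partition listed in the snapshot output."""
    roots = []
    for line in output.splitlines():
        m = HEADER_RE.match(line)
        if m:
            roots.append({"media": m["media"], "device": m["device"],
                          "role": m["role"], "created": None, "version": None})
            continue
        if not roots:
            continue  # ignore the echoed command and anything before a header
        m = CREATED_RE.match(line)
        if m:
            roots[-1]["created"] = m["created"]
            continue
        m = VERSION_RE.match(line)
        if m:
            roots[-1]["version"] = m["version"]
    return roots


def partition_scheme(roots):
    """One root listed means single-root; primary plus backup means dual-root."""
    roles = {r["role"] for r in roots}
    if {"primary", "backup"} <= roles:
        return "dual-root"
    if len(roots) == 1:
        return "single-root"
    return "unknown"


def booted_from_backup(console_text):
    """Detect the login banner even if the frame or line wrapping changed."""
    flat = re.sub(r"[\s*]+", " ", console_text).upper()
    return BACKUP_BANNER in flat


def assess(console_text, snapshot_output):
    """Combine both checks into a list of findings for one device."""
    roots = parse_snapshot(snapshot_output)
    scheme = partition_scheme(roots)
    findings = []
    if scheme == "single-root":
        findings.append("single-root media: root file system corruption "
                        "leaves no bootable image")
    elif scheme == "unknown":
        findings.append("partitioning scheme could not be determined")
    if booted_from_backup(console_text):
        findings.append("booted from backup image: reinstall JUNOS to "
                        "restore the primary root")
    if scheme == "dual-root":
        versions = {r["role"]: r["version"] for r in roots}
        if versions["primary"] != versions["backup"]:
            findings.append("a fallback boot would run " + str(versions["backup"])
                            + " instead of " + str(versions["primary"]))
    return {"scheme": scheme, "roots": roots, "findings": findings}


if __name__ == "__main__":
    for finding in assess(CONSOLE_SAMPLE, DUAL_ROOT_SAMPLE)["findings"]:
        print(finding)
```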
partition Option with the request system software add Command
A new partition option is available with the request system software add CLI command.
Using this option will cause the media to be formatted and repartitioned before the
software is installed.
When the partition option is used, the format and install process is scheduled to run
on the next reboot. Therefore, it is recommended that this option be used together
with the reboot option.
For example:
user@host> request system software add junos-srxsme-10.1R1-domestic.tgz no-copy no-validate partition reboot
Copying package junos-srxsme-10.01R1-domestic.tgz to var/tmp/install
Rebooting ...
The system will reboot and complete the installation.
WARNING: Using the partition option with the request system software add CLI
command erases the existing contents of the media. Only the current configuration
is preserved. Any important data should be backed up before starting the process.
Maximizing ALG Sessions
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, by default, the session
capacity number for RTSP, FTP, and TFTP ALG sessions is 10,000 per flow SPU. The
maximize-alg-sessions option enables you to increase defaults as follows:
■ RTSP, FTP, and TFTP ALG session capacity: 25,000 sessions per flow SPU
■ TCP Proxy connection capacity: 40,000 sessions per flow SPU
NOTE: Flow session capacity will be reduced to half per flow SPU and the above
capacity numbers will not change on the central point SPU.
You can configure maximum ALG sessions as follows:
security {
    forwarding-process {
        application-services {
            maximize-alg-sessions;
        }
    }
}
You must reboot the device (and its peer in the chassis cluster) for the configuration
to take effect.
Using Dual Chassis Cluster Control Links: Upgrade Instructions for the Second Routing
Engine
A second Routing Engine is required for each device in a cluster if you are using the
dual control links feature (SRX5000 line only). The second Routing Engine does not
provide backup functionality; its purpose is only to initialize the switch on the Switch
Control Board (SCB). The second Routing Engine must be running JUNOS Release
10.1 or later.
Because you cannot run the CLI or enter configuration mode on the second Routing
Engine, you cannot upgrade the JUNOS Software image with the usual upgrade
commands. Instead, use the master Routing Engine (RE0) to create a bootable USB
storage device, which you can then use to install a software image on the second
Routing Engine (RE1).
To upgrade the software image on the second Routing Engine (RE1):
1. Use FTP to copy the installation media into the /var/tmp directory of the master
Routing Engine (RE0).
2. Insert a USB storage device into the USB port on the master Routing Engine
(RE0).
3. In the UNIX shell, navigate to the /var/tmp directory:
start shell
cd /var/tmp
4. Log in as root or superuser:
su [enter]
password: [enter SU password]
5. Use the following command:
dd if=installMedia of=/dev/externalDrive bs=64k
where
■ externalDrive—Refers to the removable media name. For example, the
removable media name on an SRX5000 line device is da0 for both Routing
Engines.
■ installMedia—Refers to the installation media downloaded into the /var/tmp
directory. For example, install-media-srx5000-10.1R1-domestic.tgz.
The following code example can be used to write the image that you copied to
the master Routing Engine (RE0) in step 1 onto the USB storage device:
dd if=install-media-srx5000-10.1R1-domestic.tgz of=/dev/da0 bs=64k
6. Log out as root or superuser:
exit
7. After the software image is written to the USB storage device, remove the device
and insert it into the USB port on the second Routing Engine (RE1).
8. Move the console connection from the master Routing Engine (RE0) to the second
Routing Engine (RE1), if you do not already have a connection.
9. Reboot the second Routing Engine (RE1). Use the following command:
# reboot
■ When the following system output appears, press y:
WARNING: The installation will erase the contents of your disks.
Do you wish to continue (y/n)?
■ When the following system output appears, remove the USB storage device
and press Enter:
Eject the installation media and hit [Enter] to reboot?
Upgrade and Downgrade Instructions for JUNOS Release 10.1 for SRX Series Services
Gateways and J Series Services Routers
To upgrade to JUNOS Release 10.1 or later, your device must be running one of the
following JUNOS Software releases:
■ 9.1S1
■ 9.2R4
■ 9.3R3
■ 9.4R3
■ 9.5R1 or later
If your device is running an earlier release, upgrade to one of these releases and then
to the 10.1 release. For example, to upgrade from Release 9.2R1, first upgrade to
Release 9.2R4 and then to Release 10.1R2.
For additional upgrade and download information, see the JUNOS Software
Administration Guide and the JUNOS Software Migration Guide.
JUNOS Software Release Notes for EX Series Switches
■ New Features in JUNOS Release 10.1 for EX Series Switches
■ Changes in Default Behavior and Syntax in JUNOS Release 10.1 for EX Series
Switches
■ Limitations in JUNOS Release 10.1 for EX Series Switches
■ Outstanding Issues in JUNOS Release 10.1 for EX Series Switches
■ Resolved Issues in JUNOS Release 10.1 for EX Series Switches
■ Errata in Documentation for JUNOS Release 10.1 for EX Series Switches
■ Upgrade and Downgrade Issues for JUNOS Release 10.1 for EX Series Switches
New Features in JUNOS Release 10.1 for EX Series Switches
New features in Release 10.1 of JUNOS Software for EX Series switches are described
in this section.
Not all EX Series software features are supported on all EX Series platforms in the
current release. For a list of all EX Series software features and their platform support,
see EX Series Switch Software Features Overview.
New features are described on the following pages:
■ Hardware
■ Access Control and Port Security
■ Bridging, VLANs, and Spanning Trees
■ Class of Service (CoS)
■ Infrastructure
■ Interfaces
■ Layer 2 and Layer 3 Protocols
■ Management and RMON
■ MPLS
■ Packet Filters
Hardware
■ EX2200 switch—The EX2200 switch is a fixed-configuration switch that is
available in four models—24-port or 48-port models with either all ports equipped
for Power over Ethernet (PoE) or none of the ports equipped for PoE.
All EX2200 models provide network ports that have 10/100/1000BASE-T Gigabit
Ethernet connectors and uplink ports that support 1-gigabit small form-factor
pluggable (SFP) transceivers for use with fiber connections and copper
connections. For information about software features supported on the EX2200
switch, see EX Series Switch Software Features Overview.
The following optical interfaces are supported on the EX2200 switch:
  ■ EX-SFP-1GE-T (1000BASE-T, 100 m)
  ■ EX-SFP-1GE-SX (1000BASE-SX, 220 m, 275 m, 500 m, or 550 m)
  ■ EX-SFP-1GE-LX (1000BASE-LX, 10 km)
  ■ EX-SFP-1GE-LH (1000BASE-LH or 1000Base-LH, 70 km)
  ■ EX-SFP-1FE-FX (100BASE-FX, 2 km)
  ■ EX-SFP-FE20KT13R15 (100BASE-BX-U, 20 km)
  ■ EX-SFP-FE20KT15R13 (100BASE-BX-D, 20 km)
■ New optical transceiver support—The 8-port 10-Gigabit Ethernet SFP+ line
card in EX8200 switches now supports one new optical transceiver:
EX-SFP-10GE-ER (10GBase-ER, 40 km).
Access Control and Port Security
■
Captive portal authentication—Captive portal authentication allows you to
authenticate users on EX Series switches by redirecting Web browser requests
to a login page that requires users to input a username and password before
they are allowed access to the network. In addition to using the feature to control
network access by requiring users to provide information that is authenticated
against a RADIUS server database, you can use it to display an acceptable-use
policy to users before they access your network. An authentication whitelist
allows you to specify MAC addresses that are allowed to bypass authentication.
Bridging, VLANs, and Spanning Trees
■
Proxy ARP—Proxy ARP can be configured on a per-VLAN basis, in either
restricted or unrestricted mode.
■
IPv6 unicast VRF support—EX Series switches now support IPv6 unicast virtual
routing and forwarding (VRF) traffic.
■
Private VLANs—Private VLANs (PVLANs) are now supported on EX8200 switches.
Class of Service (CoS)
■
Port shaping and queue shaping—Port shaping and queue shaping (the
shaping-rate configuration statement) are now available on EX8200 switches.
Infrastructure
■
IPv6 support on EX8200 switches—EX8200 switches now support configuration
of IPv6 addresses.
■
Automatic refreshing of scripts—You can refresh commit, event, and op scripts
automatically using operational mode commands such as request system scripts
refresh-from commit, request system scripts refresh-from event, or request system
scripts refresh-from op.
■
Source gateway IP address selection for relayed DHCP packets—The source
gateway IP address selection for relayed DHCP packets feature allows you to use
the gateway IP address (giaddr) as the source IP address of the switch for relayed
DHCP packets when an EX Series switch is used as the DHCP relay agent.
Interfaces
■
Unicast reverse-path forwarding support—Unicast reverse-path forwarding
(RPF) is available on EX8200 switches. The unicast RPF feature can be enabled
on specific interfaces on EX8200 switches and supports ECMP traffic.
Layer 2 and Layer 3 Protocols
■
IPv6 Layer 3 multicast routing and forwarding—EX3200 and EX4200 switches
now support IPv6 Layer 3 multicast routing and forwarding, which includes
Multicast Listener Discovery (MLD) version 1 and version 2 to manage multicast
group membership; reverse-path forwarding (RPF) to enable multicast routers
to correctly forward multicast traffic to other multicast routers; Protocol
Independent Multicast sparse mode (PIM SM) and PIM source-specific multicast
(PIM SSM) protocols; and static rendezvous point (RP), bootstrap RP, and
embedded RP to manage RP information for multicast groups.
Management and RMON
■
Real-time performance monitoring (RPM) support on EX8200 switches—RPM
is supported on EX8208 and EX8216 switches.
■
SNMP MIB enhancements—On EX2200 switches, the SNMP agent polls and
gets details of all MIBs.
MPLS
■
MPLS enhancements—On EX3200 and EX4200 switches, MPLS supports class
of service (CoS), IP over MPLS, and fast reroute to reroute the label-switched
path in cases of link failure.
Packet Filters
■
IPv6 support for firewall filters on EX3200 and EX4200 switches—On EX3200
and EX4200 switches, you can apply match conditions to IPv6 traffic on Layer
3 interfaces, aggregated Ethernet interfaces, and loopback interfaces.
The following are the match conditions applicable to IPv6 traffic:
destination-address, destination-port, destination-prefix-list, icmp-code, icmp-type,
interface, next-header, packet-length, source-address, source-port, source-prefix-list,
tcp-established, tcp-flags, tcp-initial, and traffic-class.
The following are the actions and action modifiers applicable to IPv6 traffic:
accept, discard, routing-instance, analyzer, count, forwarding-class, loss-priority, and
policer.
■
Enhancement to the interface match condition on EX8200 switches—On
EX8200 switches, you can now specify aggregated Ethernet interfaces as match
conditions using the interface match condition. You can configure an ingress or
egress firewall filter with an aggregated Ethernet interface as a match condition
and apply the firewall filter to ports, VLANs, and Layer 3 interfaces.
Related Topics
■
Changes in Default Behavior and Syntax in JUNOS Release 10.1 for EX Series
Switches
■
Limitations in JUNOS Release 10.1 for EX Series Switches
■
Outstanding Issues in JUNOS Release 10.1 for EX Series Switches
■
Resolved Issues in JUNOS Release 10.1 for EX Series Switches
■
Errata in Documentation for JUNOS Release 10.1 for EX Series Switches
■
Upgrade and Downgrade Issues for JUNOS Release 10.1 for EX Series Switches
Changes in Default Behavior and Syntax in JUNOS Release 10.1 for EX Series Switches
The following changes in system behavior, configuration statement usage, or
operational mode command usage have occurred since the previous release and
might not yet be documented in the JUNOS Software for EX Series switches
documentation:
Layer 2 and Layer 3 Protocols
■
EX Series switches now support the show multicast rpf instance instance-name
command.
■
The iso option is not available in the show pfe route command because it is not
supported on EX Series switches.
■
On EX Series switches, the sip-server statement in the [edit system services dhcp]
hierarchy is now supported, allowing explicit configuration of SIP server addresses
for DHCP servers.
Infrastructure
User Interface and Configuration
■
On EX3200 switches and EX4200 switches, the request system power-off
other-routing-engine and the request system power-off both-routing-engines
commands are disabled.
■
The output of the show chassis hardware command for EX3200 switches and
EX4200 switches has been changed. The Description field in the output now
displays SFP-100-LX40 for the 100Base-LH interface and SFP-100-LH for the
100Base-ZX interface.
■
If you enable PIM on all interfaces using the interface all command, it is not
enabled on the me0 and vme interfaces by default. Therefore you do not need
to explicitly disable PIM on these management interfaces. Previously, enabling
PIM on all interfaces caused it to be enabled on these management interfaces.
Related Topics
■
New Features in JUNOS Release 10.1 for EX Series Switches
■
Limitations in JUNOS Release 10.1 for EX Series Switches
■
Outstanding Issues in JUNOS Release 10.1 for EX Series Switches
■
Resolved Issues in JUNOS Release 10.1 for EX Series Switches
■
Errata in Documentation for JUNOS Release 10.1 for EX Series Switches
■
Upgrade and Downgrade Issues for JUNOS Release 10.1 for EX Series Switches
Limitations in JUNOS Release 10.1 for EX Series Switches
This section lists the limitations in JUNOS Release 10.1R4 for EX Series switches.
Access Control and Security
■
When you have configured more than 1024 supplicants on a single interface,
802.1X authentication might not work as expected and the 802.1X process
(dot1xd) might fail.
Class of Service
■
On EX8200 switches, classification of packets using ingress firewall filter rules
with forwarding-class and loss-priority configurations does not rewrite the DSCP
or 802.1p bits. Rewriting of packets is determined by the forwarding-class and
loss-priority values set in the DSCP classifier applied on the interface.
■
On EX4200 switches, the traffic is shaped at rates above 500 kbps, even when
the shaping rate configured is less than 500 kbps.
■
When the scheduler map bound to an interface is changed, there might be packet
drops temporarily on all the interfaces bound to the scheduler map while the
configuration change is being implemented.
Firewall Filters
■
On EX Series switches, when interface ranges or VLAN ranges are used in
configuring firewall filters, egress firewall filter rules take more than 5 minutes
to take effect.
■
IGMP packets are not matched by user-configured firewall filters.
Infrastructure
■
If you configure interface parameters on an EX3200 or EX4200 switch running
JUNOS Release 9.2 or Release 9.3 for EX Series switches and then attempt to
upgrade to a later release or a later version of Release 9.3 than the one that is
currently installed, the switch might display the following error message: init:
interface-control is thrashing , not restarted. As a workaround, on the interfaces
you had previously configured, configure no-auto-negotiation and set the link
mode to full-duplex, then commit the revised configuration.
■
The RADIUS request sent by an EX Series switch contains both Extensible
Authentication Protocol (EAP) Identity Response and State attributes.
■
On EX Series switches, an SNMP query fails when the SNMP index size of a table
is greater than 128 bytes, because the Net SNMP tool does not support SNMP
index sizes greater than 128 bytes.
■
Spanning-tree, GVRP, or IGMP snooping configuration windows might load slowly
in the J-Web interface. Wait till the windows load completely before entering
information, or some information might get lost.
■
On EX Series switches, the show snmp mib walk etherMIB does not display any
output, even though the etherMIB is supported. This occurs because the values
are not populated at the module level—they are populated at the table level only.
You can issue show snmp mib walk dot3StatsTable, show snmp mib walk
dot3PauseTable, and show snmp mib walk dot3ControlTable commands to display
the output at the table level.
■
When you issue the request system power-off command, the switch halts instead
of turning off power.
■
In the J-Web interface, the Ethernet Switching monitoring page might not display
monitoring details if there are more than 13,000 MAC entries on the switch.
■
In the J-Web interface, changing the port role from Desktop, Desktop and Phone,
or Layer 2 Uplink to another port role might not remove the configurations for
enabling dynamic ARP inspection and DHCP snooping.
■
On EX8200 switches, if IS-IS is enabled on routed VLAN interfaces (RVIs), IS-IS
adjacency states go down and come up after a graceful Routing Engine switchover
(GRES).
■
When an external RADIUS server goes offline and comes back online after some
time, subsequent captive portal authentication requests might fail until the authd
daemon is restarted. As a workaround, configure the revert interval—the time
after which to revert to the primary server—and restart the authd daemon.
■
Momentary loss of an inter-Routing Engine IPC message might trigger the alarm
that displays the message Loss of communication with Backup RE. There is no
functionality affected.
Interfaces
■
EX Series switches do not support queued packet counters. Therefore, the queued
packet counter in the output of the show interfaces interface-name extensive
command always displays a count of 0 and is never updated.
■
The following message might appear in the system log:
Resolve request came for an address matching on Wrong nh nh:355,
type:Unicast...?
You can ignore this message.
■
On EX3200 and EX4200 switches, when port mirroring is configured on any
interface, the mirrored packets leaving a tagged interface might contain an
incorrect VLAN ID.
■
On EX8200 switches, port mirroring configuration on a Layer 3 interface with
the output configured to a VLAN is not supported.
■
On EX8200 switches, when an egress VLAN that belongs to a routed VLAN
interface (RVI) is configured as the input for a port mirroring analyzer, the
analyzer incorrectly appends a dot1q (802.1Q) header to the mirrored packets
or does not mirror any packets at all. As a workaround, configure a port mirroring
analyzer with each port of the VLAN as egress input.
■
The following interface counters are not supported on routed VLAN interfaces
(RVIs): local statistics, traffic statistics, and transit statistics.
■
EX Series switches do not support IPv6 interface statistics. Therefore, all values
in the output of the show snmp mib walk ipv6IfStatsTable command always display
a count of 0.
■
The show interface detail | extensive command might display double counting of
packets or bytes for the transit statistics and traffic statistics counters. You can
use the counter information displayed under the Physical interface section of the
output.
■
When a virtual management Ethernet (VME) interface is used as a default gateway
and the VME interface is the indirect next hop for any route, the route might not
change dynamically and could always point to the VME interface.
Related Topics
■
New Features in JUNOS Release 10.1 for EX Series Switches
■
Changes in Default Behavior and Syntax in JUNOS Release 10.1 for EX Series
Switches
■
Outstanding Issues in JUNOS Release 10.1 for EX Series Switches
■
Resolved Issues in JUNOS Release 10.1 for EX Series Switches
■
Errata in Documentation for JUNOS Release 10.1 for EX Series Switches
■
Upgrade and Downgrade Issues for JUNOS Release 10.1 for EX Series Switches
Outstanding Issues in JUNOS Release 10.1 for EX Series Switches
The following are outstanding issues in JUNOS Release 10.1R3 for EX Series switches.
The identifier following the description is the tracking number in our bug database.
NOTE: PRs 300576, 403842, 409934, 415569, 415748, 416976, 429589, 440611,
455670, 488318, and 490542, which were included in the earlier release notes as
outstanding issues, have been removed because these issues are not applicable to
JUNOS Release 10.1R4 for EX Series switches.
Access Control and Port Security
■
If you configure the RADIUS server revert-interval interval option, the switch does
not attempt to reconnect to the unreachable server after the revert interval has
elapsed. [PR/304637]
■
If you change the value of lldp management-address before configuring the IP
address on the physical interface, the SNMP MIB might not be updated correctly
on the remote station (lldpRemManAddr). As a workaround, either configure the
new address on the interface before setting lldp management-address, or bounce
the interface. [PR/534138]
Bridging, VLANs, and Spanning Trees
■
There might be traffic loss on VLANs learned through MVRP during GRES. After
the GRES, there will not be any traffic loss. [PR/458303]
Class of Service
■
On EX2200 switches, CoS might yield different shaping results on uplink ports
than on built-in network ports when the same shaping rate is used. [PR/453660]
Infrastructure
■
On EX8200 switches, when IGMP snooping is enabled on an interface, the IPv6
multicast Layer 2 control frame is not forwarded to other interfaces in the same
VLAN. [PR/456700]
■
The jnxFirewallMIB might not be populated in a firewall filter configuration. As a
workaround, set up the following configuration to skip the firewall MIB:
user@switch# show snmp
view firewall_exclude {
    oid .1.3.6.1.4.1.2636.3.5 exclude;
    oid .1;
}
community public {
    view firewall_exclude;
    authorization read-only;
}
[PR/464061]
■
If you try to commit a configuration that has 4000 VLANs and a few aggregated
Ethernet interfaces at the same time, the forwarding process (PFEM) usage might
be high, and might remain high for more than 60 minutes. [PR/544433]
J-Web Interface
■
In the J-Web interface, you cannot commit some configuration changes in the
Ports Configuration page and VLAN Configuration page because of the following
limitations for port mirroring ports and port mirroring VLANs:
■
A port configured as the output port for an analyzer cannot be a member of
any VLAN other than the default VLAN.
■
A VLAN configured to receive analyzer output can be associated with only
one port.
[PR/400814]
■
If an SRE module, RE module, SF module, line card, or Virtual Chassis member
is in offline mode, the J-Web interface might not update the dashboard image
accordingly. [PR/431441]
■
In the J-Web interface, in the Port Security Configuration page, you are required
to configure action when you configure MAC limit even though configuring an
action value is not mandatory in the CLI. [PR/434836]
■
In the J-Web interface, in the OSPF Global Settings table in the OSPF Configuration
page, the Global Information table in the BGP Configuration page, or the Add
Interface window in the LACP Configuration page, if you try to change the position
of columns using the drag-and-drop method, only the column header moves to
the new position instead of the entire column. [PR/465030]
■
When you have a large number of static routes configured and if you have
navigated to pages other than page 1 in the Route Information table in the J-Web
interface (Monitor > Routing > Route Information), changing the Route Table
to query other routes refreshes the page but does not return to page 1. For
example, if you run the query from page 3 and the new query returns very few
results, the Results table continues to display page 3 and shows no results. To
view the results, navigate to page 1 manually. [PR/476338]
■
In the J-Web interface, the dashboard does not display the uplink ports when
transceivers are not plugged into the ports. [PR/477549]
■
The J-Web interface Static Routing page might not display details on entries
registered in the routing table. [PR/483885]
■
An IPv4 static route configured using the CLI might not be displayed when you
select Configure > Routing > Static Routing in the J-Web interface. [PR/487597]
■
In the J-Web interface, the auto-complete feature might not be disabled in the
password field. As a workaround, you can disable the auto-complete feature in
the browser. [PR/508425]
■
In the J-Web interface, warning messages related to pending commits might not
be triggered while uploading a software package, installing a software package,
or rebooting the switch. As a workaround, commit all pending configuration
changes before performing these operations. [PR/514853]
■
When you use an HTTPS connection in the Microsoft Internet Explorer Web
browser to save a report from the View Events page (Monitor > Events and Alarms
> View events) in the J-Web interface, the following error message is displayed:
Internet Explorer was not able to open the Internet site. [PR/542887]
■
When you use an HTTPS connection to access the J-Web interface, uploading or
downloading a configuration file using the Config Management Upload page
(Maintain > Config Management > Upload) might not succeed. As a workaround,
use an HTTP connection to access the J-Web interface to upload or download a
configuration file. [PR/551200]
■
If you have accessed the J-Web interface using Microsoft Internet Explorer, you
might not be able to commit a configuration when an SSL certificate has been
added to the switch using the CLI editor (Configure > CLI tools > CLI Editor).
As a workaround, you can use Firefox to commit configurations. [PR/552629]
Related Topics
■
New Features in JUNOS Release 10.1 for EX Series Switches
■
Changes in Default Behavior and Syntax in JUNOS Release 10.1 for EX Series
Switches
■
Limitations in JUNOS Release 10.1 for EX Series Switches
■
Resolved Issues in JUNOS Release 10.1 for EX Series Switches
■
Errata in Documentation for JUNOS Release 10.1 for EX Series Switches
■
Upgrade and Downgrade Issues for JUNOS Release 10.1 for EX Series Switches
Resolved Issues in JUNOS Release 10.1 for EX Series Switches
The following are the issues that have been resolved since JUNOS Release 10.1R1
for EX Series switches. The identifier following the descriptions is the tracking number
in our bug database.
Access Control and Port Security
■
When both DHCP relay and DHCP snooping are configured on an EX2200 switch,
the DHCP snooping database might not be built on the switch. [PR/480682: This
issue has been resolved.]
Bridging, VLANs, and Spanning Trees
■
When Multiple VLAN Registration Protocol (MVRP) and MSTP are enabled together
on EX Series switches, convergence does not occur between MVRP and MSTP.
[PR/449248: This issue has been resolved.]
■
On EX4200 switches, with the access interface through which traffic enters the
switch configured as trusted (secure-access-port interface interface-name
dhcp-trusted), VLAN Spanning Tree Protocol (VSTP) bridge protocol data units
(BPDUs) are sent to the Routing Engine with the learning CPU code 37 instead
of the reserved learning CPU code 306. [PR/468095: This issue has been resolved.]
■
On EX3200 and EX4200 switches with large VLAN configurations (more than
1024 VLANs), stale dynamic VLAN entries might be found in the Ethernet
switching process (eswd) after you delete VLANs or deactivate the Multiple VLAN
Registration Protocol (MVRP). [PR/471647: This issue has been resolved.]
■
On an EX2200 switch, when there is no spanning-tree protocol or redundant
trunk group configured in the network and there is traffic looping, after the
network loop is broken, sometimes MAC learning might not occur. As a
workaround, restart the forwarding (pfem) process. [PR/473454: This issue has
been resolved.]
■
On EX Series switches, in a scaled environment with more than 4000 VLANs,
MVRP advertisements might not be sent intermittently when the VLAN
membership is modified. [PR/475701: This issue has been resolved.]
■
When MVRP and VSTP are enabled together on EX Series switches, convergence
does not occur between MVRP and VSTP. [PR/477019: This issue has been
resolved.]
■
On EX3200 and EX4200 switches, when MVRP dynamic VLAN creation is
disabled, deregistration of VLANs on trunk interfaces does not occur even after
the tag associated with the VLAN has been modified. [PR/479636: This issue has
been resolved.]
■
On EX3200 and EX4200 switches, stale MVRP VLAN membership entries might
be found on blocked interfaces even after MVRP has been deactivated on the
peer switch. [PR/482126: This issue has been resolved.]
Class of Service
■
On an EX2200 switch, when a queue is oversubscribed and you modify a
scheduler with the buffer-size exact option on it such that it reduces the allocated
buffers on the queue, the queue can stop dequeueing packets. As a workaround,
stop traffic going out on the port, and deactivate and reactivate class of service
(CoS). You can also reboot the switch. [PR/481401: This issue has been resolved.]
Firewall Filters
■
The accept action and the log and syslog action modifiers in the firewall filter
configuration might not work as expected for packets destined for the switch.
[PR/406714: This issue has been resolved.]
■
If an ingress firewall has been configured with a LAG interface match condition
and you delete this firewall configuration, the forwarding (pfem) process might
create a core file. When the pfem process is restarted, it works as expected.
[PR/504273: This issue has been resolved.]
■
On EX3200 and EX4200 switches, if you configure an egress firewall filter with
the match condition source-address or destination-address on a VLAN and its
routed VLAN interface (RVI), the firewall filter might not work properly.
[PR/476626: This issue has been resolved.]
■
On an EX2200 switch, when you add a syslog action modifier to the firewall
filter, the forwarding (pfem) process might create a core file when the filter
binding is changed from an egress VLAN to an ingress VLAN. [PR/495572: This
issue has been resolved.]
Hardware
■
On 48-port SFP line cards used in EX8200 switches, do not install a transceiver
in the first or last port on the bottom row (ports 1 and 47). Transceivers installed
in these ports are difficult to remove. As a workaround, remove the transceiver
by using a small flathead screwdriver or other tool to lift the lock on the
transceiver. [PR/423694: This issue has been resolved.]
Infrastructure
■
On an EX2200 switch, if the following message is displayed when the switch is
booting, the installed package might be corrupted:
mount_check: SHA1 (/packages/jkernel-ex-10.1-20090925.0) =
f45dd191b053b608dafecc0ef3ea329c9f85693b
!=5fe72546eed0c0cb83e6addc6709720f56e8b6da
As a workaround, reinstall the image from the loader prompt with the --format
option set. [PR/433663: This issue has been resolved.]
■
On EX Series switches, MAC addresses not present in the forwarding database
(FDB) because of hash collision are not removed from the Ethernet switching
process (eswd). These MAC addresses do not age out of the Ethernet switching
table even if traffic is stopped completely and are never relearned when traffic
is sent to these MAC addresses, even when there is no hash collision. As a
workaround, clear those MAC addresses from the Ethernet switching table.
[PR/451431: This issue has been resolved.]
■
Though the interface-range configuration statement is not supported under the
[edit groups] hierarchy, an error message might not be displayed when you use
the interface-range statement. [PR/453538: This issue has been resolved.]
■
The DHCP snooping database is not built after graceful Routing Engine switchover
(GRES) is performed twice. Even though packets are coming from the DHCP
server, they are not inserted in the DHCP relay. [PR/461318: This issue has been
resolved.]
■
If an interface is assigned to a VLAN before the interface's stg state is set, loops
might form in the network if a VLAN ID is assigned to the VLAN while the
interface is active in a redundant topology. [PR/472617: This issue has been
resolved.]
■
On EX2200 switches, the MIB OID ipv6Forwarding indicates that IPv6 is supported
even though IPv6 is not supported. The value of the ipv6Forwarding.0 MIB object
is 1. [PR/473128: This issue has been resolved.]
■
On EX8200 switches, after a graceful Routing Engine switchover (GRES), you
can navigate through the Maintenance menu in the LCD even after the
Maintenance menu in the LCD has been disabled using the set chassis lcd
maintenance-menu disable command. As a workaround, delete the LCD
Maintenance menu configuration using the CLI on the new master switch, and
then disable the LCD Maintenance menu using the set chassis lcd
maintenance-menu disable command. [PR/473597: This issue has been resolved.]
■
In some rare cases, switch bootup fails when the JUNOS Software is loading. The
message Device not ready displays because the NAND flash is not responding.
Workaround: Power cycle the switch. [PR/482026: This issue has been resolved.]
■
If you attempt to set the time zone to Europe/Berlin on a switch with dual Routing
Engines, the commit command might fail. [PR/483273: This issue has been
resolved.]
■
The name of the ethernet-switching-options authentication-whitelist statement will
be changed. The new name is correct in the documentation but is shown in the
CLI as ethernet-switching-options white-list. [PR/487167: This issue has been
resolved.]
■
A memory leak might be present in the pfem SPF database. As a workaround,
you can restart the forwarding (pfem) process. [PR/493197: This issue has been
resolved.]
J-Web Interface
■
In the J-Web interface, uploading a software package to the switch might not
work properly if you are using Microsoft Internet Explorer Web browser version
7. [PR/424859: This issue has been resolved.]
■
In the J-Web interface, the Edit MSTI window in the Spanning Tree Configuration
page might not display details of an uncommitted interface configuration.
[PR/433506: This issue has been resolved.]
■
In the J-Web interface, the menu on the left side of the J-Web pages and contents
of the J-Web pages might disappear when you double-click the Troubleshoot tab.
As a workaround, click the Dashboard tab or the Configure tab, and then click
the Troubleshoot tab to display the menu and contents of the page. [PR/459936:
This issue has been resolved.]
■
In the J-Web interface, in the OSPF Configuration page, no flags are displayed
for the Traceoptions tab in OSPF Global Settings. [PR/461558: This issue has
been resolved.]
■
In the J-Web interface, in the BGP Configuration page (Configuration > Routing
> BGP), if the values entered in the text boxes (for protocols, filename, and
description) contain double quotation marks, the J-Web interface does not allow
you to delete those values. If the value in the Group Name field contains double
quotation marks, the J-Web interface allows you to delete the BGP group name,
but the deleted value reappears when you refresh the BGP Configuration page.
As a workaround, delete the values that contain double quotation marks using
the CLI. [PR/464030: This issue has been resolved.]
■
When you access the J-Web interface using the Mozilla Firefox Web browser and
move a J-Web window (for example, the Add Interface window) over the browser
toolbars, the window appears behind the browser toolbars. After this problem
occurs, the window cannot be moved, because the title bar of the window is not
visible. If you cancel and reopen the window, the window continues to appear
behind the browser toolbars. [PR/473238: This issue has been resolved.]
■
In the J-Web interface, in the OSPF Configuration page (Configuration > Routing
> OSPF), the Traceoptions tab in the Edit Global Settings window does not
display the available flags (tracing parameters). As a workaround, use the CLI to
view the available flags. [PR/475313: This issue has been resolved.]
■
In the J-Web interface Static Routing Configuration page, you might not be able
to delete a configured next-hop address because the Delete button is disabled.
[PR/476572: This issue has been resolved.]
■
In the J-Web interface, the OSPF Monitoring page might display an error message
if there are multiple interfaces or neighbors detected in an autonomous system.
[PR/502132: This issue has been resolved.]
■
When you navigate from the Monitor RIP Information page to the Monitor Route
Information page, the J-Web interface might display an error. [PR/536255: This
issue has been resolved.]
Related Topics
■
New Features in JUNOS Release 10.1 for EX Series Switches
■
Changes in Default Behavior and Syntax in JUNOS Release 10.1 for EX Series
Switches
■
Limitations in JUNOS Release 10.1 for EX Series Switches
■
Outstanding Issues in JUNOS Release 10.1 for EX Series Switches
■
Errata in Documentation for JUNOS Release 10.1 for EX Series Switches
■
Upgrade and Downgrade Issues for JUNOS Release 10.1 for EX Series Switches
Errata in Documentation for JUNOS Release 10.1 for EX Series Switches
There are no outstanding documentation issues in this release.
Related Topics
■
New Features in JUNOS Release 10.1 for EX Series Switches
■
Changes in Default Behavior and Syntax in JUNOS Release 10.1 for EX Series
Switches
■
Limitations in JUNOS Release 10.1 for EX Series Switches
■
Outstanding Issues in JUNOS Release 10.1 for EX Series Switches
■
Resolved Issues in JUNOS Release 10.1 for EX Series Switches
■
Upgrade and Downgrade Issues for JUNOS Release 10.1 for EX Series Switches
Upgrade and Downgrade Issues for JUNOS Release 10.1 for EX Series Switches
The following pages list the issues in JUNOS Release 10.1R4 for EX Series switches
regarding software upgrade or downgrade:
■
Upgrading or Downgrading from JUNOS Release 9.4R1 for EX Series
Switches
■
Upgrading from JUNOS Release 9.3R1 to Release 10.1 for EX Series
Switches
■
Upgrading from JUNOS Release 9.2 to Release 10.1 for EX Series
Switches
■
Downgrading from JUNOS Release 10.1 to Release 9.2 for EX4200
Switches
Upgrading or Downgrading from JUNOS Release 9.4R1 for EX Series
Switches
The ARP aging time configuration in the system configuration stanza in JUNOS Release
9.4R1 is incompatible with the ARP aging time configuration in JUNOS Release 9.3R1
or earlier and JUNOS Release 9.4R2 or later. If you have configured system arp
aging-timer aging-time on EX Series switches running JUNOS Release 9.4R1 and upgrade
to JUNOS Release 9.4R2 or later or downgrade to JUNOS Release 9.3R1 or earlier,
the switch will display configuration errors on booting up after the upgrade or
downgrade. As a workaround, delete the arp aging-timer aging-time configuration in
the system configuration stanza and reapply the configuration after you complete
the upgrade or downgrade.
The format of the file in which the Virtual Chassis topology information is stored was
changed in JUNOS Release 9.4. When you downgrade JUNOS Release 9.4 or later
running on EX4200 switches in a Virtual Chassis to JUNOS Release 9.3 or earlier,
make topology changes, and then upgrade to JUNOS Release 9.4 or later, the topology
changes you have made using JUNOS Release 9.3 or earlier are not retained. The
switch restores the last topology change you have made using JUNOS Release 9.4.
Upgrading from JUNOS Release 9.3R1 to Release 10.1 for EX Series
Switches
If you are upgrading from JUNOS Release 9.3R1 and have voice over IP (VoIP) enabled
on a private VLAN (PVLAN), you must remove this configuration before upgrading,
to prevent upgrade problems. VoIP on PVLAN interfaces is not supported in releases
later than JUNOS Release 9.3R1.
Upgrading from JUNOS Release 9.2 to Release 10.1 for EX Series Switches
For JUNOS Release 9.3 and later for EX Series switches, during the upgrade process,
the switch performs reference checks on VLANs and interfaces in the 802.1X
configuration stanza. If there are references in the 802.1X stanza to names or tags
of VLANs that are not currently configured on the switch or to interfaces that are not
configured or do not belong to the ethernet-switching family, the upgrade will fail. In
addition, static MAC addresses on single-supplicant mode interfaces are not supported.
CAUTION: If your Release 9.2 configuration includes any of the following conditions,
revise the configuration before upgrading to Release 10.1. If you do not take these
actions, the upgrade will fail:
■
Ensure that all VLAN names and tags in the 802.1X configuration stanza are
configured on the switch and that all interfaces are configured on the switch and
assigned to the ethernet-switching family. If the VLAN or the interface is not
configured and you try to commit the configuration, the commit will fail.
■
Remove static MAC addresses on single-supplicant mode interfaces. If they exist
and you try to commit the configuration, the commit will fail.
■
In an 802.1X configuration stanza, if authentication-profile-name does not exist
and you try to commit the configuration, the commit will fail.
■
In an 802.1X configuration stanza, broadcast and multicast MAC addresses are
not supported in a static MAC configuration. If they exist and you try to commit
the configuration, the commit will fail.
■
Support for static MAC bypass in single or single-secure mode has been removed.
If static MAC bypass exists and you try to commit the configuration, the commit
will fail.
■
In an 802.1X configuration stanza, the switch will not accept the option vrange
as an assigned VLAN name. If it exists and you try to commit the configuration,
the commit will fail.
■
Enabling 802.1X and the port mirroring feature on the same interface is not
supported. If you enable 802.1X and port mirroring on the same interface and
then attempt to commit the configuration, the commit will fail.
■
In an 802.1X configuration stanza, if the VLAN name or tag specified under dot1x
authenticator static does not exist and you try to commit the configuration, the
commit will fail.
■
If the MSTP configuration contains a VLAN (under protocols mstp msti msti-id)
that does not exist on the switch and you try to commit the configuration, the
commit will fail. Remove the VLAN from the MSTP configuration before you
perform an upgrade.
■
In the interfaces configuration stanza, if no-auto-negotiation is configured but
speed and link duplex settings are not configured under ether-options and you
try to commit the configuration, the commit will fail. If no-auto-negotiation is
configured under ether-options, you must configure speed and link duplex settings.
■
In the ethernet-switching-options configuration, if action is not configured for the
number of MAC addresses allowed on the interface (under secure-access-port
interface interface-name mac-limit in the CLI or in the Port Security Configuration
page in the J-Web interface), and you try to commit the configuration, the commit
will fail. You must configure an action for the MAC address limit before upgrading
from Release 9.2 to Release 10.1.
■
If you have configured a tagged interface on logical interface 0 (unit 0), configure
a tagged interface on a logical interface other than unit 0 before upgrading from
Release 9.2 to Release 10.1. If you have not done this and you try to commit
the configuration, the commit will fail. Beginning with JUNOS Release 9.3 for EX
Series switches, untagged packets, BPDUs (such as in LACP and STP), and
priority-tagged packets are processed on logical interface 0 and not on logical
interface 32767. In addition, if you have not configured any untagged interfaces,
the switch creates a default logical interface 0.
■
On EX4200 switches, if you have installed advanced licenses for features such
as BGP, rename the /config/license directory to /config/.license_priv before
upgrading from Release 9.2 to Release 9.3 or later. If the switch does not have
a /config/license directory, create the /config/.license_priv directory manually
before you upgrade. If you do not rename the /config/license directory or create
the /config/.license_priv directory manually, the licenses installed will be deleted
after you upgrade from Release 9.2 to Release 9.3 or later.
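Several of the conditions in the CAUTION list above can be checked offline before the upgrade is attempted. The following is an added example, not Juniper tooling or code from these release notes: a pre-upgrade lint over a configuration exported in `display set` form, covering four of the listed conditions (MSTP and 802.1X static references to VLANs that do not exist, no-auto-negotiation without speed and duplex, and a MAC limit without an action). The sample configuration is constructed, and the `speed`, `link-mode`, and `vlan-assignment` keywords and the one-value-per-line layout are assumptions about the set-format syntax.

```python
# Constructed sample in "show configuration | display set" form; not from a real switch.
SAMPLE = """\
set vlans v10 vlan-id 10
set interfaces ge-0/0/1 ether-options no-auto-negotiation
set interfaces ge-0/0/1 ether-options speed 100m
set interfaces ge-0/0/2 ether-options no-auto-negotiation
set interfaces ge-0/0/2 ether-options speed 100m
set interfaces ge-0/0/2 ether-options link-mode full-duplex
set protocols mstp msti 1 vlan v10
set protocols mstp msti 2 vlan v99
set protocols dot1x authenticator static 00:11:22:33:44:55 vlan-assignment v20
set ethernet-switching-options secure-access-port interface ge-0/0/3.0 mac-limit 5
set ethernet-switching-options secure-access-port interface ge-0/0/4.0 mac-limit 5 action drop
"""

def preupgrade_findings(config_text):
    """Return sorted (check, subject) pairs for conditions that make the commit fail."""
    stmts = [t for t in (l.split() for l in config_text.splitlines())
             if len(t) > 2 and t[0] == "set"]
    # A VLAN may be referenced by name or by tag, so collect both.
    known = {t[2] for t in stmts if t[1] == "vlans"}
    known |= {t[4] for t in stmts if t[1] == "vlans" and t[3:4] == ["vlan-id"] and len(t) > 4}
    ether, limits, findings = {}, {}, set()
    for t in stmts:
        if t[1] == "interfaces" and t[3:4] == ["ether-options"] and len(t) > 4:
            ether.setdefault(t[2], set()).add(t[4])
        elif t[1:4] == ["protocols", "mstp", "msti"] and t[5:6] == ["vlan"] and len(t) > 6:
            if t[6] not in known:
                findings.add(("mstp-unknown-vlan", t[6]))
        elif t[1:5] == ["protocols", "dot1x", "authenticator", "static"]:
            if "vlan-assignment" in t[:-1]:
                vlan = t[t.index("vlan-assignment") + 1]
                if vlan not in known:
                    findings.add(("dot1x-static-unknown-vlan", vlan))
        elif t[1:4] == ["ethernet-switching-options", "secure-access-port", "interface"]:
            if "mac-limit" in t and len(t) > 4:
                # The limit and its action can be set on separate lines; merge per interface.
                limits[t[4]] = limits.get(t[4], False) or "action" in t
    for ifname, opts in ether.items():
        if "no-auto-negotiation" in opts and not {"speed", "link-mode"} <= opts:
            findings.add(("no-autoneg-missing-speed-duplex", ifname))
    findings |= {("mac-limit-no-action", i) for i, ok in limits.items() if not ok}
    return sorted(findings)

if __name__ == "__main__":
    for check, subject in preupgrade_findings(SAMPLE):
        print(f"{check}: {subject}")
```

An empty result means only that these four conditions were not found; the remaining items in the list still need a manual review.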
Downgrading from JUNOS Release 10.1 to Release 9.2 for EX4200
Switches
When you downgrade a Virtual Chassis configuration from JUNOS Release 10.1 to
Release 9.2 for EX Series switches, member switches might not retain the mastership
priorities that had been configured previously. To restore the previously configured
mastership priorities, commit the configuration by issuing the commit command.
Related Topics
■
New Features in JUNOS Release 10.1 for EX Series Switches
■
Changes in Default Behavior and Syntax in JUNOS Release 10.1 for EX Series
Switches
■
Limitations in JUNOS Release 10.1 for EX Series Switches
■
Outstanding Issues in JUNOS Release 10.1 for EX Series Switches
■
Resolved Issues in JUNOS Release 10.1 for EX Series Switches
■
Errata in Documentation for JUNOS Release 10.1 for EX Series Switches
JUNOS Documentation and Release Notes
For a list of related JUNOS documentation, see
http://www.juniper.net/techpubs/software/junos/.
If the information in the latest release notes differs from the information in the
documentation, follow the JUNOS Release Notes.
To obtain the most current version of all Juniper Networks® technical documentation,
see the product documentation page on the Juniper Networks website at
http://www.juniper.net/techpubs/.
Juniper Networks supports a technical book program to publish books by Juniper
Networks engineers and subject matter experts with book publishers around the
world. These books go beyond the technical documentation to explore the nuances
of network architecture, deployment, and administration using the Junos operating
system (Junos OS) and Juniper Networks devices. In addition, the Juniper Networks
Technical Library, published in conjunction with O'Reilly Media, explores improving
network security, reliability, and availability using Junos OS configuration techniques.
All the books are for sale at technical bookstores and book outlets around the world.
The current list can be viewed at http://www.juniper.net/books.
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation. You can send your comments to
techpubs-comments@juniper.net, or fill out the documentation feedback form at
https://www.juniper.net/cgi-bin/docbugreport/. If you are using e-mail, be sure to include
the following information with your comments:
■
Document name
■
Document part number
■
Page number
■
Software release version
Requesting Technical Support
Technical product support is available through the Juniper Networks Technical
Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support
contract, or are covered under warranty, and need postsales technical support, you
can access our tools and resources online or open a case with JTAC.
■
JTAC policies—For a complete understanding of our JTAC procedures and policies,
review the JTAC User Guide located at
http://www.juniper.net/customers/support/downloads/710059.pdf.
■
Product warranties—For product warranty information, visit
http://www.juniper.net/support/warranty/.
■
JTAC Hours of Operation—The JTAC centers have resources available 24 hours
a day, 7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides you with
the following features:
■
Find CSC offerings: http://www.juniper.net/customers/support/
■
Search for known bugs: http://www2.juniper.net/kb/
■
Find product documentation: http://www.juniper.net/techpubs/
■
Find solutions and answer questions using our Knowledge Base:
http://kb.juniper.net/
■
Download the latest versions of software and review release notes:
http://www.juniper.net/customers/csc/software/
■
Search technical bulletins for relevant hardware and software notifications:
https://www.juniper.net/alerts/
■
Join and participate in the Juniper Networks Community Forum:
http://www.juniper.net/company/communities/
■
Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/
To verify service entitlement by product serial number, use our Serial Number
Entitlement (SNE) Tool located at https://tools.juniper.net/SerialNumberEntitlementSearch/.
Opening a Case with JTAC
You can open a case with JTAC on the Web or by telephone.
■
Use the Case Management tool in the CSC at http://www.juniper.net/cm/.
■
Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, visit
us at http://www.juniper.net/support/requesting-support.html.
If you are reporting a hardware or software problem, issue the following command
from the CLI before contacting support:
user@host> request support information | save filename
To provide a core file to Juniper Networks for analysis, compress the file with the
gzip utility, rename the file to include your company name, and copy it to
ftp.juniper.net:pub/incoming. Then send the filename, along with software version
information (the output of the show version command) and the configuration, to
support@juniper.net. For documentation issues, fill out the bug report form located at
https://www.juniper.net/cgi-bin/docbugreport/.
Revision History
15 February 2010—Revision 1, JUNOS Release 10.1R1
17 February 2010—Revision 2, JUNOS Release 10.1R1
13 May 2010—Revision 3, JUNOS Release 10.1R2
13 July 2010—Revision 4, JUNOS Release 10.1R3
17 November 2010—Revision 5, JUNOS Release 10.1R4
Copyright © 2010, Juniper Networks, Inc. All rights reserved.
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other
countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered
trademarks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or
otherwise revise this publication without notice.
Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed
to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347,
6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.