
Juniper Networks® JUNOS® 10.1 Software Release Notes

Release 10.1R1
17 February 2010
Revision 2

These release notes accompany Release 10.1R1 of the JUNOS Software. They describe device documentation and known problems with the software. JUNOS Software runs on all Juniper Networks M Series, MX Series, and T Series routing platforms, SRX Series Services Gateways, J Series Services Routers, and EX Series Ethernet Switches.

You can also find these release notes on the Juniper Networks JUNOS Software Documentation Web page, which is located at http://www.juniper.net/techpubs/software/junos.

Contents

JUNOS Software Release Notes for Juniper Networks M Series Multiservice Edge Routers, MX Series Ethernet Service Routers, and T Series Core Routers
  New Features in JUNOS Release 10.1 for M Series, MX Series, and T Series Routers
    Class of Service
    High Availability
    Interfaces and Chassis
    JUNOS XML API and Scripting
    MPLS Applications
    Multiplay
    Routing Policy and Firewall Filters
    Routing Protocols
    Services Applications
    Subscriber Access Management
    System Logging
    User Interface and Configuration
  Changes in Default Behavior and Syntax in JUNOS Release 10.1 for M Series, MX Series, and T Series Routers
    Class of Service
    Forwarding and Sampling
    Interfaces and Chassis
    MPLS Applications
    Multiplay
    Routing Policy and Firewall Filters
    Routing Protocols
    Services Applications
    Subscriber Access Management
    User Interface and Configuration
    VPNs
  Issues in JUNOS Release 10.1 for M Series, MX Series, and T Series Routers
    Current Software Release
    Previous Releases
  Errata and Changes in Documentation for JUNOS Software Release 10.1 for M Series, MX Series, and T Series Routers
    Changes to the JUNOS Documentation Set
    Errata
  Upgrade and Downgrade Instructions for JUNOS Release 10.1 for M Series, MX Series, and T Series Routers
    Basic Procedure for Upgrading to Release 10.1
    Upgrading a Router with Redundant Routing Engines
    Upgrading Juniper Routers Running Draft-Rosen Multicast VPN to JUNOS Release 10.1
    Upgrading the Software for a Routing Matrix
    Upgrading Using ISSU
    Upgrading from JUNOS Release 9.2 or Earlier on a Router Enabled for Both PIM and NSR
    Downgrade from Release 10.1

JUNOS Software Release Notes for Juniper Networks SRX Series Services Gateways and J Series Services Routers
  New Features in JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers
    Software Features
    Hardware Features
  Changes In Default Behavior and Syntax in JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers
    Application Layer Gateways (ALGs)
    Chassis Cluster
    Command-Line Interface (CLI)
    Configuration
    Flow and Processing
    Interfaces and Routing
    Intrusion Detection and Prevention (IDP)
    J-Web
    Management and Administration
    Security
  Known Limitations in JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers
    [accounting-options] Hierarchy
    AX411 Access Point
    Chassis Cluster
    Command-Line Interface (CLI)
    Dynamic VPN
    Flow and Processing
    Hardware
    Interfaces and Routing
    Intrusion Detection and Prevention (IDP)
    J-Web
    NetScreen-Remote
    Network Address Translation (NAT)
    Performance
    SNMP
    System
    Unified Threat Management (UTM)
    WLAN
    VPNs
  Issues in JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers
    Outstanding Issues In JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers
    Resolved Issues in JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers
  Errata and Changes in Documentation for JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers
    Application Layer Gateways (ALGs)
    Attack Detection and Prevention
    CLI
    Flow
    Hardware Documentation
    Installing Software Packages
    Integrated Convergence Services
    Interfaces and Routing
    Intrusion Detection and Prevention (IDP)
    J-Web
    Screens
  Hardware Requirements for JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers
    Transceiver Compatibility for SRX Series and J Series Devices
    Power and Heat Dissipation Requirements for J Series PIMs
    Supported Third-Party Hardware for J Series Services Routers
    J Series CompactFlash and Memory Requirements
  Dual-Root Partitioning Scheme Documentation for SRX Series Services Gateways
    Dual-Root Partitioning Scheme
  Using Dual Chassis Cluster Control Links: Upgrade Instructions for the Second Routing Engine
  Upgrade and Downgrade Instructions for JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers

JUNOS Software Release Notes for EX Series Switches
  New Features in JUNOS Release 10.1 for EX Series Switches
    Hardware
    Access Control and Port Security
    Bridging, VLANs, and Spanning Trees
    Class of Service (CoS)
    Infrastructure
    Interfaces
    Layer 2 and Layer 3 Protocols
    Management and RMON
    MPLS
    Packet Filters
  Changes in Default Behavior and Syntax in JUNOS Release 10.1 for EX Series Switches
    Layer 2 and Layer 3 Protocols
    Infrastructure
    User Interface and Configuration
  Limitations in JUNOS Release 10.1 for EX Series Switches
    Access Control and Security
    Class of Service
    Firewall Filters
    Infrastructure
    Interfaces
  Outstanding Issues in JUNOS Release 10.1 for EX Series Switches
    Access Control and Port Security
    Bridging, VLANs, and Spanning Trees
    Class of Service
    Firewall Filters
    Infrastructure
    Interfaces
    J-Web Interface
  Resolved Issues in JUNOS Release 10.1 for EX Series Switches
    Access Control and Port Security
    Bridging, VLANs, and Spanning Trees
    Class of Service
    Firewall Filters
    Hardware
    Infrastructure
    J-Web Interface
  Errata in Documentation for JUNOS Release 10.1 for EX Series Switches
  Upgrade and Downgrade Issues for JUNOS Release 10.1 for EX Series Switches
    Upgrading or Downgrading from JUNOS Release 9.4R1 for EX Series Switches
    Upgrading from JUNOS Release 9.3R1 to Release 10.1 for EX Series Switches
    Upgrading from JUNOS Release 9.2 to Release 10.1 for EX Series Switches
    Downgrading from JUNOS Release 10.1 to Release 9.2 for EX4200 Switches

JUNOS Documentation and Release Notes
Documentation Feedback
Requesting Technical Support
Revision History

JUNOS Software Release Notes for Juniper Networks M Series Multiservice Edge Routers, MX Series Ethernet Service Routers, and T Series Core Routers

■ New Features in JUNOS Release 10.1 for M Series, MX Series, and T Series Routers

■ Changes in Default Behavior and Syntax in JUNOS Release 10.1 for M Series, MX Series, and T Series Routers

■ Issues in JUNOS Release 10.1 for M Series, MX Series, and T Series Routers

■ Errata and Changes in Documentation for JUNOS Software Release 10.1 for M Series, MX Series, and T Series Routers

■ Upgrade and Downgrade Instructions for JUNOS Release 10.1 for M Series, MX Series, and T Series Routers

New Features in JUNOS Release 10.1 for M Series, MX Series, and T Series Routers

The following features have been added to JUNOS Release 10.1. Following the description is the title of the manual or manuals to consult for further information.

Class of Service

■ Intelligent oversubscription service support (MX Series routers with Trio MPC/MIC interfaces)—Arriving packets are assigned to one of two traffic classes (control and best-effort) based on their header types and destination MAC address. This allows for lower priority packets to be dropped more intelligently when oversubscription occurs. Only packets mapped to queue 3 are marked as control packets. Protocols such as telnet, FTP, and SSH that are mapped to queue 0 are classified as best-effort. No configuration is necessary, but the queue assignments can be altered with a multifield classifier.

[Class of Service]

■ CoS aspects of the MPC/MIC (MX Series routers with Trio MPC/MIC interfaces)—Covers all aspects of CoS configuration for this hardware combination. Support includes shaping rates at the queue level, configurable bandwidth profiles with percentages, dynamic bandwidth allocation among different services, scheduler node scaling, and delay buffer allocation. To configure, include the relevant statements at the [edit class-of-service] hierarchy level and apply them if necessary at other hierarchy levels such as the [edit interfaces] hierarchy level.

[Class of Service, Network Interfaces]

■ Per-priority shaping (MX Series platforms with Trio MPC/MIC interfaces)—Enables you to configure a separate shaping rate for each of the five priority levels so that higher priority services such as voice and video do not starve lower priority services such as data. To configure, include the shaping-rate-(excess | priority)-level rate [ burst-size burst ] statement at the [edit class-of-service traffic-control-profiles tcp-name] hierarchy level and apply the traffic control profile at the [edit interfaces] hierarchy level.

[Class of Service]


■ Distribute excess bandwidth among different services for a subscriber (MX Series routers with Trio MPC/MIC interfaces)—Service providers often use tiered services that must carry excess bandwidth as traffic patterns vary. By default, excess bandwidth between a configured guaranteed rate and shaping rate is shared equally among all queues, which might not be optimal for all subscribers to a service. You can control the distribution of this excess bandwidth with the excess-rate statement. To configure the excess rate for a traffic control profile, include the excess-rate statement at the [edit class-of-service traffic-control-profiles tcp-name] hierarchy level and apply the traffic control profile at the [edit interfaces] hierarchy level. To configure the excess rate for a queue, include the excess-rate and excess-priority statements at the [edit class-of-service scheduler scheduler-name] hierarchy level.

[Class of Service]

■ Scheduler node scaling (MX Series routers with Trio MPC/MIC interfaces)—The hardware supports multiple levels of scheduler nodes. In per-unit-scheduling mode, each logical interface (unit) can have four or eight queues and has a dedicated level 3 scheduler node. The logical interfaces share a common level 2 node (one per port). In hierarchical-scheduling mode, a set of logical interfaces, each with four or eight queues, has a level 2 CoS profile and one of its logical interface children has a level 3 CoS profile. To better control system resources in hierarchical-scheduling mode, you can limit the number of hierarchical levels in the scheduling hierarchy to two. In this case, all logical interfaces and interface sets with CoS profiles share a single (dummy) level 2 node, thereby increasing the maximum number of logical interfaces with CoS profiles (the interface sets must be at level 3). To configure scheduler node scaling, include the maximum-hierarchy-levels statement at the [edit interfaces xe-fpc/pic/port hierarchical-scheduler] hierarchy level. The only supported value is 2.

[Class of Service, Network Interfaces]

■ Forwarding-class aliases (M320 and T Series routers)—Enable you to configure up to 16 forwarding classes and 8 queues, with multiple forwarding classes assigned to single queues. To configure, include the class and queue-num statements at the [edit class-of-service forwarding-classes] hierarchy level.

[Class of Service]

■ VLAN shaping on aggregate devices (MX Series routers with Trio MPC/MIC interfaces)—VLAN shaping (per-unit scheduling) is supported on aggregated Ethernet interfaces when link protection is enabled on the aggregated Ethernet interface. When VLAN shaping is configured on aggregate Ethernet interfaces with link protection enabled, the shaping is applied to the active child link. To configure link protection on aggregated Ethernet interfaces, include the link-protection statement at the [edit interfaces aex aggregated-ether-options] hierarchy level. Traffic passes only through the designated primary link. This includes transit traffic and locally generated traffic on the router. When the primary link fails, traffic is routed through the backup link. You also can reverse traffic, from the designated backup link to the designated primary link. To revert back to sending traffic to the primary designated link when traffic is passing through the designated backup link, use the revert command; for example, request interfaces revert ae0. To configure a primary and a backup link, include the primary and backup statements at the [edit interfaces ge-fpc/pic/port gigether-options 802.3ad aex] hierarchy level or the [edit interfaces xe-fpc/pic/port fastether-options 802.3ad aex] hierarchy level. To disable link protection, delete the link-protection statement at the [edit interfaces aex aggregated-ether-options link-protection] hierarchy level. To display the active, primary, and backup link for an aggregated Ethernet interface, use the operational mode command show interfaces redundancy aex.

[Class of Service, Network Interfaces]

■ Re-marking of MVPN GRE encapsulation DSCP at ASBR (MX Series routers with Trio MPC/MIC interfaces)—Enables you to configure DSCP marking for GRE encapsulated packets that aligns with the service provider core CoS policy for an MVPN. To configure, include the DSCP rewrite-rule dscp dscp-rule-name with the values at the [edit class-of-service] hierarchy level and then apply the rewrite rule to the core-facing multicast interface at the [edit class-of-service interfaces] hierarchy level.

[Class of Service]

■ PD-5-10XGE-SFPP, 10-port 10-Gigabit Ethernet (Type 4) PIC (T640, T1600, and TX Matrix routers with G-FPC4, ST-FPC4, and ST-FPC4.1)—Supports a WAN bandwidth of 100 Gbps in addition to the following features:

■ Intelligent handling of oversubscribed traffic

■ Line rate operation on up to five 10-Gigabit Ethernet ports

■ Tap features, such as flexible encapsulation, source address (SA) MAC learning, MAC accounting, and MAC policing

■ Stacked virtual LAN (VLAN) tag and VLAN rewrite functionalities

[Network Interfaces, Class of Service, PIC Guide]

■ Intelligent oversubscription services (MX Series with 16-port 10-Gigabit Ethernet MPC with SFP+)—The 16-port 10-Gigabit Ethernet Modular Port Concentrator (MPC) is an oversubscribed configuration. Consequently, it is necessary to protect control traffic over best-effort traffic as soon as packets enter the line card. To do this, packets entering the line card are assigned a preclassifier control traffic class according to the header types (such as destination MAC addresses, and Layer 4 ports) in the packet. The preclassifier provides a good way to classify and queue important control traffic in a different high-priority queue from that used for best-effort traffic.

The preclassifier (control or best effort) is assigned prior to packets being accepted into the initial stream and is used by the line card as an early designation (before any class-of-service configuration is applied). When oversubscription occurs, control traffic will be queued separately and should not be subject to any dropped packets.

The Layer 2 protocols supporting the preclassifier are:

■ 802.1ah

■ 802.1g

■ 802.1x

■ 802.3ad

■ ARP


■ GMRP

■ GVRP

■ LACP

■ PVST

■ xSTP

The Layer 3 protocols supporting the preclassifier are:

■ IGMP

■ IPv4/IPv6 ICMP

■ IPv4/IPv6 ISIS

■ IPv4/IPv6 OSPF

■ IPv4/IPv6 PIM

■ IPv4 Router Alert

■ IPv4/IPv6 RSVP

■ IPv4/IPv6 VRRP

The Layer 4 protocols supporting the preclassifier are:

■ IPv4/IPv6 BGP

■ IPv4/IPv6 LDP

■ IPv4 UDP/L2TP

■ RIP (UDP port checks)

The preclassifier is also supported on label-switching encapsulation PPP.

[Class of Service]
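
The control or best-effort decision described above can be modelled in a few lines to check which of your own flows would be left in the best-effort class. This is an added example, not Juniper code: it assumes the listed protocols are the ones treated as control traffic, recognises a subset of them by their standard IEEE/IANA MAC addresses, EtherTypes, protocol numbers and ports (802.1ah, 802.1g and PPP encapsulation are left out), and all sample frames are constructed.

```python
# Simplified model of the preclassifier decision (added illustration, not
# line-card code). Numbers below are the standard IEEE/IANA assignments.
import struct

CONTROL, BEST_EFFORT = "control", "best-effort"
# Layer 2: reserved destination MACs and EtherTypes of listed protocols.
CONTROL_DMACS = {
    "0180c2000000": "xSTP", "0180c2000002": "LACP/802.3ad",
    "0180c2000003": "802.1x", "0180c2000014": "ISIS", "0180c2000015": "ISIS",
    "0180c2000020": "GMRP", "0180c2000021": "GVRP", "01000ccccccd": "PVST",
}
CONTROL_ETHERTYPES = {0x0806: "ARP", 0x8809: "LACP/802.3ad", 0x888E: "802.1x"}
# Layer 3: IP protocol / next-header numbers.
CONTROL_IP_PROTOS = {1: "ICMP", 2: "IGMP", 46: "RSVP", 58: "ICMPv6",
                     89: "OSPF", 103: "PIM", 112: "VRRP"}
# Layer 4: well-known ports per IP protocol (6 = TCP, 17 = UDP).
CONTROL_PORTS = {6: {179: "BGP", 646: "LDP"},
                 17: {520: "RIP", 646: "LDP", 1701: "L2TP"}}
ROUTER_ALERT = 0x94  # IPv4 option type 148

def _has_router_alert(opts):
    i = 0
    while i < len(opts) and opts[i] != 0:      # 0 = end of option list
        if opts[i] == ROUTER_ALERT:
            return True
        if opts[i] == 1:                       # one-byte no-op
            i += 1
        elif i + 1 < len(opts) and opts[i + 1] >= 2:
            i += opts[i + 1]                   # skip by the option's length
        else:
            return False                       # malformed option list
    return False

def _l4_name(proto, payload):
    table = CONTROL_PORTS.get(proto)
    if table is None or len(payload) < 4:
        return None
    sport, dport = struct.unpack("!HH", payload[:4])
    return table.get(dport) or table.get(sport)

def preclassify(frame):
    """Return (traffic_class, reason) for one raw Ethernet frame."""
    if len(frame) < 14:
        return BEST_EFFORT, "truncated"
    dmac = frame[:6].hex()
    if dmac in CONTROL_DMACS:
        return CONTROL, CONTROL_DMACS[dmac]
    (etype,) = struct.unpack("!H", frame[12:14])
    off = 14
    while etype in (0x8100, 0x88A8) and len(frame) >= off + 4:  # VLAN tags
        (etype,) = struct.unpack("!H", frame[off + 2:off + 4])
        off += 4
    if etype in CONTROL_ETHERTYPES:
        return CONTROL, CONTROL_ETHERTYPES[etype]
    ip = frame[off:]
    if etype == 0x0800 and len(ip) >= 20:
        ihl = (ip[0] & 0x0F) * 4
        if ihl < 20 or len(ip) < ihl:
            return BEST_EFFORT, "bad IPv4 header"
        if _has_router_alert(ip[20:ihl]):
            return CONTROL, "IPv4 Router Alert"
        proto, payload = ip[9], ip[ihl:]
    elif etype == 0x86DD and len(ip) >= 40:
        proto, payload = ip[6], ip[40:]        # extension headers not walked
    else:
        return BEST_EFFORT, "unlisted"
    name = CONTROL_IP_PROTOS.get(proto) or _l4_name(proto, payload)
    return (CONTROL, name) if name else (BEST_EFFORT, "unlisted")

# Constructed sample frames (documentation addresses, zero-filled payloads).
def _frame(dmac, etype, payload=b""):
    return bytes.fromhex(dmac + "020000000001") + struct.pack("!H", etype) + payload

def _ipv4(proto, sport=None, dport=None, options=b""):
    l4 = b"" if sport is None else struct.pack("!HH", sport, dport) + bytes(16)
    head = struct.pack("!BBHHHBBH4s4s", 0x45 + len(options) // 4, 0,
                       20 + len(options) + len(l4), 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return head + options + l4

SAMPLES = {
    "ssh": _frame("020000000002", 0x0800, _ipv4(6, 50000, 22)),
    "telnet": _frame("020000000002", 0x0800, _ipv4(6, 50001, 23)),
    "bgp": _frame("020000000002", 0x0800, _ipv4(6, 50002, 179)),
    "ospf": _frame("01005e000005", 0x0800, _ipv4(89)),
    "arp": _frame("ffffffffffff", 0x0806, bytes(28)),
    "lacp": _frame("0180c2000002", 0x8809, bytes(4)),
    "vlan-rip": _frame("01005e000009", 0x8100,
                       struct.pack("!HH", 100, 0x0800) + _ipv4(17, 520, 520)),
    "router-alert": _frame("020000000002", 0x0800,
                           _ipv4(17, 40000, 40001, options=bytes([0x94, 4, 0, 0]))),
}

def audit(samples=SAMPLES):
    """Names of the sample flows that stay in the best-effort class."""
    return sorted(n for n, f in samples.items() if preclassify(f)[0] == BEST_EFFORT)
```

With the constructed samples, `audit()` returns the SSH and Telnet flows: interactive management sessions are not on the list, so in this model they compete with best-effort traffic when the card is oversubscribed.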

■ Feature support on 16-port 10-Gigabit Ethernet MPC with SFP+ (MX Series routers)—The following features are supported on the 16-port 10-Gigabit Ethernet MPC with SFP+:

■ Accepts traffic destined for GRE tunnels or DVMRP (IP-in-IP) tunnels (JUNOS Release 10.0R2)

■ Bidirectional Forwarding Detection (BFD) protocol (JUNOS Release 10.0R2)

■ Border Gateway Protocol (BGP) (JUNOS Release 10.0R2)

■ BGP/Multiprotocol Label Switching (MPLS) virtual private networks (VPNs) (JUNOS Release 10.0R2)

■ Distance Vector Multicast Routing Protocol (DVMRP) and generic routing encapsulation (GRE) support, access side and server side (JUNOS Release 10.0R2)

■ Firewall filters (JUNOS Release 10.0R2)


■ Flexible Ethernet encapsulation (JUNOS Release 10.0R2)

■ Graceful Routing Engine switchover (GRES) (JUNOS Release 10.0R2)

■ Ingress differentiated (JUNOS Release 10.0R2)

■ Differentiated Services code point rewrite (DSCP) (JUNOS Release 10.0R2)

■ Intelligent oversubscription (JUNOS Release 10.0R2)

■ Integrated routing and bridging (IRB) (JUNOS Release 10.1R1)

■ Intermediate System-to-Intermediate System (IS-IS) (JUNOS Release 10.0R2)

■ Internet Group Management Protocol (IGMP) (excludes snooping) (JUNOS Release 10.0R2)

■ IPv4 (JUNOS Release 10.0R2)

■ IP multicast (JUNOS Release 10.0R2)

■ Label Distribution Protocol (LDP) (JUNOS Release 10.0R2)

■ Labeled-switched path (LSP) accounting, policers, and filtering (JUNOS Release 10.0R2)

■ LAN-PHY mode (JUNOS Release 10.0R2)

■ Layer 2 frame filtering (JUNOS Release 10.0R2)

■ IEEE 802.3ad link aggregation (JUNOS Release 10.0R2)

■ Link Aggregation Control Protocol (LACP) (JUNOS Release 10.0R2)

■ Local loopback (JUNOS Release 10.0R2)

■ MAC learning, policing (JUNOS Release 10.0R2)

■ Multiple tag protocol identifiers (TPIDs), accounting, and filtering (JUNOS Release 10.0R2)

■ Multiprotocol Label Switching (MPLS) (JUNOS Release 10.0R2)

■ Nonstop active routing (NSR) (JUNOS Release 10.0R2)

■ Multitopology routing (MTR) (JUNOS Release 10.0R2)

■ Open Shortest Path First (OSPF) (JUNOS Release 10.0R2)

■ Packet mirroring (JUNOS Release 10.0R2)

■ Quality of service (QoS) per port: (JUNOS Release 10.0R2)

  ■ Eight queues per port

  ■ Excess-rate configuration at the traffic-control-profile level

  ■ Excess-rate and excess-priority configuration at the queue level

  ■ Shaping at the port level

  ■ Shaping at the queue level

  ■ Scheduling of queues based on weighted round-robin (WRR) per priority class

  ■ Tricolor marking

  ■ Weighted random early detection (WRED)

■ QoS per virtual LAN (VLAN): (JUNOS Release 10.0R2)

  ■ Accounting, filtering, and policing

  ■ IEEE 802.1p rewrite

  ■ Classification

  ■ Excess-rate configuration at the traffic-control-profile level

  ■ Tricolor marking

■ Resource Reservation Protocol (RSVP) (JUNOS Release 10.0R2)

■ Routing Information Protocol (RIP) (JUNOS Release 10.0R2)

■ Simple Network Management Protocol (SNMP) (JUNOS Release 10.0R2)

■ IEEE 802.1Q VLANs: (JUNOS Release 10.0R2)

  ■ VLAN stacking and rewriting

  ■ Channels defined by two stacked VLAN tags

  ■ Flexible VLAN tagging

  ■ IP service for nonstandard TPID and stacked VLAN tags

■ Virtual private LAN service (VPLS) (JUNOS Release 10.0R2)

■ Virtual private network (VPN) (JUNOS Release 10.0R2)

■ Virtual Router Redundancy Protocol (VRRP) for IPv4 (JUNOS Release 10.0R2)

To support these features, some modifications have been made to the following configuration statements:

■ The ability to configure the DSCP as the action of a filter rule is already present in the JUNOS Software. However, with this line card, the permitted value range is changed from 0 to 0 through 63. To include DSCP as the action of a filter rule, include the dscp value parameter at the [edit firewall filter filter-name] hierarchy level.

■ To fully leverage the features offered through the new chipset on the line card, include the enhanced-hash-key option at the [edit forwarding-options] hierarchy level.

[Class of Service]

■ IEEE 802.1ak-2007 MVRP (MX Series routers)—The Multiple VLAN Registration Protocol (MVRP) is a standards-based Layer 2 network protocol used among switches to dynamically share and update VLAN information with other bridges. VLAN information exchanged includes:

■ The set of VLANs that currently have active members

■ The ports through which the active members can be reached

To operate MVRP, edge ports should have the static VLAN configuration. The edge ports will not be configured for MVRP. MVRP is only enabled on the core-facing trunk ports where no static VLANs are configured.

To configure MVRP, include the mvrp statement and desired options at the [edit protocols] hierarchy level.

[Class of Service]

■ Elevated packet drops during oversubscription (MX Series routers with Trio MPC/MIC interfaces)—During periods of oversubscription, the WRED process drops more packets than expected from relatively full queues. There is no configuration for this feature, which transparently applies scaling to oversubscribed queues.

[Class of Service]

High Availability

■ Enhancements to unified ISSU support on PICs (T Series)—JUNOS Release 10.1 extends unified ISSU support for the following PICs to T Series routers:

■ PB-1CHOC12-STM4-IQE-SFP, 1-port channelized OC12/STM4 enhanced IQ PIC

■ PB-1OC12-STM4-IQE-SFP, 1-port nonchannelized OC12/STM4 enhanced IQ PIC

■ PB-4CHDS3-E3-IQE-BNC, 4-port channelized DS3/E3 enhanced IQ PIC

■ PB-4DS3-E3-IQE-BNC, 4-port non-channelized DS3/E3 enhanced IQ PIC

[High Availability]

Interfaces and Chassis

■ New 60-Gigabit Ethernet Queuing MPC (model number MX-MPC2-3D-Q)—Supported on MX Series routers. For a list of supported MPCs, see the MX Series Line Card Guide.

■ New 60-Gigabit Ethernet MPC (model number MX-MPC2-3D)—Supported on MX Series routers. For a list of supported MPCs, see the MX Series Line Card Guide.

■ New 60-Gigabit Ethernet Enhanced Queuing MPC (model number MX-MPC2-3D-EQ)—Supported on MX Series routers. For a list of supported MPCs, see the MX Series Line Card Guide.

■ New 20-port Gigabit Ethernet MIC with SFP (model number MIC-3D-20GE-SFP)—Supported on MX Series routers. For a list of supported MPCs, see the MX Series Line Card Guide.

■ New Modular Port Concentrators (MPCs) and Modular Interface Cards (MICs)—Supported on MX Series platforms. Up to two MICs plug into the MPC to provide the physical interface for the MPC line card. The MPCs provide increased capacity on Gigabit Ethernet and 10-Gigabit Ethernet hardware. For a list of supported MPCs and MICs, see the MX Series Line Card Guide.

[Network Interfaces]

■ New 4-port 10-Gigabit Ethernet MIC with XFP (model number MIC-3D-4XGE-XFP)—Supported on MX Series routers. For a list of supported MPCs, see the MX Series Line Card Guide.

■ Layer 2 VPLS, IRB, and mesh group feature parity (MX Series routers with Trio MPC/MIC interfaces)—Support for Layer 2 feature parity with JUNOS Release 9.1 on MX Series routers that include Trio Modular Port Concentrators (MPCs) and Modular Interface Cards (MICs).

Layer 2 feature parity includes:

■ Layer 2 bridging

■ VPLS forwarding

■ MAC address learning, aging, and MAC address limit

■ Mesh group support

■ Implicit VLAN mapping

■ Integrated routing and bridging (IRB)

■ Multicast over IRB

■ MAC statistics

Layer 2 features that are not supported in this release include:

■ Spanning Tree Protocols (xSTP)

■ VLAN Spanning Tree Protocol (VSTP)

■ Multiple Spanning Tree Protocol (MSTP)

■ Rapid Spanning Tree Protocol (RSTP)

■ Layer 2 Tunneling Protocol (L2TP)

■ Upgrading a T1600 router to be the LCC0 of the TX Matrix Plus platform—You can now upgrade an operational T1600 router to be the lcc0 in a newly configured TX Matrix Plus platform. The procedures require JUNOS Release 10.1 on the TX Matrix Plus router and the T1600 router. Reboot is required to transfer control of the T1600 router to the routing matrix. You can also downgrade the lcc0 to a standalone T1600 router by rolling back to the former configuration. Upgrade and integration of subsequent operational T1600 routers to form lcc1 and lcc2 (and so on) is not supported. Use the offline procedures to upgrade and integrate the remaining T1600 routers into the routing matrix.

[TX Matrix Plus Hardware, System Basics and Services Command Reference]

■ Per-unit scheduling for GRE tunnels using IQ2 PICs (M7i, M10i, M120, M320, T Series, and TX Matrix routers)—Supports enhanced IQ2 PIC and IQ2E PIC performance, adding all functionality of tunnel PICs. The QoS for the GRE tunnel traffic will be applied as the traffic is looped through the IQ2/IQ2E PIC.

Shaping is performed on full packets that pass through the GRE tunnel.

IQ2 and IQ2E PICs support all interfaces that are supported on tunnel PICs, as follows:

■ gr-fpc/pic/port

■ vt-fpc/pic/port

■ lt-fpc/pic/port

■ ip-fpc/pic/port

■ pe-fpc/pic/port

■ pd-fpc/pic/port

■ mt-fpc/pic/port

The port variable is always zero.

The provided tunnel functionality is the same as that of regular tunnel PICs.

You can specify that IQ2 and IQ2E PICs work exclusively in tunnel mode or work as both a regular and a tunnel PIC. The default setting uses IQ2 and IQ2E PICs as both a regular and a tunnel PIC. To configure exclusive tunnel mode, use the tunnel-only statement at the [chassis fpc number pic number tunnel-services] hierarchy level.

You can use the show interfaces queue gr-fpc/pic/port command to display statistics for the specified tunnel.

[Network Interfaces, Class of Service, PIC Guide]

■ RSD configuration of logical interface filters on shared interfaces (JCS1200 platform)—Enables RSD configuration support for logical interface filters on shared interfaces. In previous releases, logical interface filters were configured on each PSD. This release supports configuration on the RSD.

To configure a logical interface filter on the RSD, apply the firewall filter to the logical interface on the shared interface by including the filter output filter-name statement at the [edit interfaces interface-name unit logical-unit-number] hierarchy level on the RSD.

Filtering is performed on the PSD, but logical interface filters configured on the RSD are applied automatically by the PSD. Filters configured on the RSD can co-exist with filters configured on the PSD. Counter statistics related to PSD filtering are available on the RSD.

[Protected System Domain]

■ Two new AC power supply modules in chassis—The JUNOS Software now supports two new AC power supply modules on T640 and T1600 routers: AC Power Entry Module 10kW US and AC Power Entry Module 10kW EMEA (for U.S. and EMEA markets, respectively). The two Power Entry Modules (PEMs) cannot interoperate and the JUNOS Software reports an alarm when they do. The show chassis environment pem command output will show AC Input: status instead of DC Input: status and the Temperature will show the actual temperature reading. Two new power supply descriptions, US and EMEA, are added to distinguish the new modules from existing ones in the output of the show chassis hardware command.

[System Basics and Service Command Reference]

■ Next-hop cloning and permutations disabled in T Series enhanced scaling FPCs (FPC Type 1-ES, FPC Type 2-ES, FPC Type 3-ES, and FPC Type 4-ES)—The next-hop cloning and permutations are now disabled in these FPCs with enhanced load-balancing capability. As a result, the memory utilization is reduced for a highly scaled system with a high number of next hops on ECMP or aggregated interfaces.

[System Basics]

■ Fragmentation support for GRE-encapsulated packets (Multiservices DPC) (M120, M7i/M10i with enhanced CFEB, M320 with E3 FPC, and MX Series routers only)—Enables the Packet Forwarding Engine to update the IP identification field in the outer IP header of packets encapsulated with generic routing encapsulation (GRE), so that reassembly of the packets is possible after fragmentation. The previous CLI constraint check that requires you to configure either the clear-dont-fragment-bit statement or a tunnel key with the allow-fragmentation statement is no longer enforced. There are no associated changes to the CLI statements or operational mode commands.

NOTE: For other routers, the earlier configuration constraint check still holds.

[Services Interfaces, MPLS Applications, MX Series Layer 2 Configuration Guide]

■ NAT compliance enhancements—Add modifications to the existing NAT functionality on the services PICs to achieve compliance with RFC 4787 (UDP), RFC 5382 (TCP), and RFC 5508 (ICMP). These enhancements apply to IPv4–IPv4, IPv6–IPv6, and IPv4–IPv6 source NAT and are not supported with destination NAT. New CLI configuration settings associated with RFC 4787 include the mapping-timeout statement at the [edit services nat pool pool-name] hierarchy level and the address-pooling, filtering-type, and mapping-type statements at the [edit services nat rule rule-name term term-name then translated] hierarchy level. There are no associated changes to the operational mode commands.

[Services Interfaces]

■ Support for VRF in Routing Engine-based sampling on M Series, M320, MX Series, M120, and T Series routers—For VRF Routing Engine-based sampling, the kernel queries the correct VRF route table based on the ingress interface index for the received packet. For interfaces configured in VRF, the sampled packets contain the correct input and output interface SNMP index, the source and destination AS numbers, and the source and destination mask.

There are two ways to verify the sampled packets. The first is to include the file sampled statement at the [edit forwarding-options sampling traceoptions] hierarchy level and the local dump statement at the [edit forwarding-options family inet output flow-server server] hierarchy level, and check the sampled file using the tail -f /var/tmp/sampled command from the router shell. The second is to export the sampled packets to the flow server and verify them there.

[Services Interfaces, Feature Guide]

■ New 4-port Channelized OC12 Enhanced Intelligent Queuing (IQE) type 3 PIC (M Series and T Series routers)—Provides increased channelization and an improved QoS model, with channelization capabilities and scaling that make it ideal for edge aggregation.

Improved QoS functionality supports policing based on DSCP/IPPREC/EXP, five priority levels, two shaping rates (CIR and PIR), option to use shared scheduling on set of logical interfaces, DSCP rewrite on ingress, and configurable delay buffers for queueing. The QoS capabilities provide service differentiation for service providers.

The interface configuration syntax of existing IQ PICs is retained, but configuration limits are changed to match the augmented capabilities of IQE PICs.

All functionality available on the 4-port Channelized OC12 IQ Type 2 PIC is supported by this PIC.

[Network Interfaces]

■ Enhanced Intelligent Queuing (IQE) PICs add support for T3 and T1 channelization under SDH framing (M40e, M120, and M320 with Sahara-FPC, and T Series routers)—The following IQE PICs are supported:

■ 1-port COC48 IQE

■ 4-port COC12 IQE

■ 1-port COC12 IQE

■ 2-port COC3 IQE

The JUNOS Software supports T1 and CT1 interface types under CAU4. To configure T1 and CT1 interfaces under CAU4, use the t1 and ct1 statements at the [edit interfaces cau4-fpc/pic/port:unit partition number interface-type] hierarchy level.

With T1 and CT1 interface configurations under CAU4 interfaces, you can configure a maximum of 84 T1 or CT1 interfaces. However, the partition range under CAU4 interfaces was previously restricted to 1 through 63. This range has increased to 1 through 84 for T1 and CT1 interfaces.

The JUNOS Software supports T1, CT1, T3, and CT3 interfaces under Channelized AU4 partitions. To configure T1, CT1, T3, and CT3 interfaces under Channelized AU4, use the ct1 and t1 statements at the [edit interfaces cau4-fpc/pic/port:unit partition partition-number] hierarchy level or the ct3 and t3 statements at the [edit interfaces cau4-fpc/pic/port:unit partition number interface-type] hierarchy level.

The JUNOS Software also supports M13 mapped T1 interfaces under CAU4. To configure a T1 interface under CAU4, use the t1 statement at the [edit interfaces cau4-fpc/pic/port:unit partition partition-number interface-type t1] or [edit interfaces cau4-fpc/pic/port:unit partition partition-number interface-type ct1] hierarchy level.

The JUNOS Software does not allow combined configurations of E1 and E3 interfaces together under a CAU4 interface.

Similarly, you cannot mix T1, E1, T3, and E3 interfaces directly under CAU4.

NOTE: The TUG-3 partition is not supported.

ITU-T VT-mapping in combination with TUG3 partition is not supported.

[Network Interfaces, PIC Guide]

■ Stateful firewall chaining for FTP, TFTP, and RTSP data sessions (MX Series routers with Multiservices DPCs, and M120 or M320 routers with Multiservices 400 PICs)—Adds support for stateful firewall rule sets in Dynamic Application Awareness for JUNOS Software service chains. New application-level gateways (ALGs) are available for FTP (junos-ftp), TFTP (junos-tftp), and RTSP (junos-rtsp); you can include them as values for the applications statement at the [edit services stateful-firewall rule rule-name term term-name from] hierarchy level. In addition, you can include new statement options at the [edit interfaces ms-fpc/pic/port services-options ignore-errors] hierarchy level to enable stateful firewall sessions to operate in a no-drop mode and ignore various traffic errors that would normally result in dropped packets. There are no CLI changes in the APPID, IDP, AACL, or L-PDF configurations. The associated operational mode commands should report the new applications when identified.

[Services Interfaces]

JUNOS XML API and Scripting

■ New JUNOS XML API operational request tag elements—Table 1 lists the JUNOS Extensible Markup Language (XML) operational request tag elements that are new in JUNOS Release 10.1, along with the corresponding CLI command and response tag element for each one.

Table 1: JUNOS XML Tag Elements and CLI Command Equivalents New in JUNOS 10.1

Request Tag Element | CLI Command | Response Tag Element
<clear-dhcpv6-server-binding-information> clear_dhcpv6_server_binding_information | clear dhcpv6 server binding | NONE
<clear-dhcpv6-server-statistics-information> clear_dhcpv6_server_statistics_information | clear dhcpv6 server statistics | NONE
<clear-mpls-static-lsp-information> clear_mpls_static_lsp_information | clear mpls static-lsp | NONE
<clear-mvrp-interface-statistics> clear_mvrp_interface_statistics | clear mvrp statistics | NONE
<clear-idp-appddos-cache> clear_idp_appddos_cache | clear security idp application-ddos cache | NONE
<clear-idp-status-information> clear_idp_status_information | clear security idp status | <clear-idp-status-information>
<clear-vrrp-information> clear_vrrp_information | clear vrrp | <vrrp-message>
<clear-vrrp-interface-statistics> clear_vrrp_interface_statistics | clear vrrp interface | <vrrp-message>
<request-script-refresh-from> request_script_refresh_from | request system scripts refresh-from | NONE
<get-dhcpv6-server-binding-information> get_dhcpv6_server_binding_information | show dhcpv6 server binding | <dhcpv6-server-binding-information>
<get-dhcpv6-server-statistics-information> get_dhcpv6_server_statistics_information | show dhcpv6 server statistics | <dhcpv6-server-statistics-information>
<get-mpls-static-lsp-information> get_mpls_static_lsp_information | show mpls static-lsp | <mpls-static-lsp-information>
<get-mvrp-information> get_mvrp_information | show mvrp | <mvrp-information>
<get-mvrp-applicant-information> get_mvrp_applicant_information | show mvrp applicant-state | <mvrp-applicant-state>
<get-mvrp-dynamic-vlan-memberships> get_mvrp_dynamic_vlan_memberships | show mvrp dynamic-vlan-memberships | <mvrp-vlan-information>
<get-mvrp-interface-information> get_mvrp_interface_information | show mvrp interface | <mvrp-interface-information>
<get-mvrp-registration-state> get_mvrp_registration_state | show mvrp registration-state | <mvrp-registration-information>
<get-mvrp-interface-statistics> get_mvrp_interface_statistics | show mvrp statistics | <mvrp-interface-statistics>
<get-idp-subscriber-policy-list> get_idp_subscriber_policy_list | show security idp policies | <idp-subscriber-policy-list>
<get-idp-policy-template-information> get_idp_policy_template_information | show security idp policy-templates-list | <idp-policy-template-information>
<get-idp-detail-status-information> get_idp_detail_status_information | show security idp status detail | <idp-detail-status-information>
<get-service-nat-mapping-information> get_service_nat_mapping_information | show services nat mappings | <service-nat-mapping-information>
<get-task-memory-information> get_task_memory_information | show task memory | <task-memory-information>
<get-vrrp-information> get_vrrp_information | show vrrp | <vrrp-information>
<get-vrrp-interface-information> get_vrrp_interface_information | show vrrp interface | <vrrp-information>
<get-vrrp-track-interfaces> get_vrrp_track_interfaces | show vrrp track | <vrrp-information>

[JUNOS XML API Operational Reference]

MPLS Applications

■ Static LSPs at the ingress router—You can now configure a named static LSP at the ingress router. This feature allows you to configure multiple static LSPs between two specific routers. It is not necessary to configure unique names for static versus dynamic LSPs (a static LSP could have the same name as a dynamic LSP configured on the same router). This feature also allows you to configure a single-hop static LSP by specifying either an explicit null label or no label.

To configure a static LSP on an ingress router, include the ingress statement at the [edit protocols mpls static-label-switched-path static-lsp-name] hierarchy level. You must also configure the to and next-hop statements at the [edit protocols mpls static-label-switched-path static-lsp-name] hierarchy level. You can optionally configure the push statement. If you configure the push statement, you must specify a non-reserved label in the range of 0 through 1,048,575.

To display information about ingress static LSPs, issue the show mpls lsp static ingress command. To display routing table entries corresponding to ingress static LSPs, issue the show route table inet.3 command or the show route next-hop next-hop-ip-address static-label-switched-path static-lsp-name command.

[MPLS, Routing Protocols and Policies Command Reference]

■ Static LSPs at the transit router—You can now configure a named static LSP on a transit router. To configure a transit static LSP, include the transit statement at the [edit protocols mpls static-label-switched-path path-name] hierarchy level and include the next-hop statement at the [edit protocols mpls static-label-switched-path static-lsp-name] hierarchy level. You must also configure either the pop or the swap statement at the [edit protocols mpls static-label-switched-path static-lsp-name transit] hierarchy level. If you configure the swap statement, you must specify a non-reserved label in the range of 0 through 1,048,575.

The transit static LSP is added to the mpls.0 routing table. You should configure each static LSP using a unique name and at least a unique incoming label on the router. Each transit static LSP can have one or more incoming labels configured. If a transit LSP has more than one incoming label, each would effectively operate as an independent LSP, meaning you could configure all of the related LSP attributes for each incoming label. The range of incoming labels available is limited to the standard static LSP range of labels (1,000,000 through 1,048,575). To verify that a static LSP has been added to the routing table, issue the show route table mpls.0 command.

[MPLS]
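A pre-deployment check for the transit static LSP rules described above, as an added example that is not Juniper code. The TransitEntry record, the check_plan function, and the router names, LSP names and addresses are hypothetical, and the reserved-label range 0 through 15 is taken from RFC 3032 rather than from these release notes.

```python
from dataclasses import dataclass
from typing import Optional

# Incoming-label range for static LSPs, as stated in the release note.
STATIC_IN_MIN, STATIC_IN_MAX = 1_000_000, 1_048_575
LABEL_MAX = 1_048_575   # upper bound the release note gives for swap labels
RESERVED_MAX = 15       # labels 0-15 are reserved (RFC 3032); assumption, not from the note


@dataclass(frozen=True)
class TransitEntry:
    """One incoming label of a transit static LSP (hypothetical record layout)."""
    router: str
    lsp_name: str
    incoming_label: int
    action: str                       # "swap" or "pop"
    out_label: Optional[int] = None   # required for swap only
    next_hop: Optional[str] = None


def check_plan(entries):
    """Return (router, lsp_name, incoming_label, problem) for every rule violation."""
    problems = []
    owners = {}  # (router, incoming_label) -> LSP name that claimed the label first

    for e in entries:
        def flag(problem, e=e):
            problems.append((e.router, e.lsp_name, e.incoming_label, problem))

        # Incoming labels must come from the static LSP range.
        if not STATIC_IN_MIN <= e.incoming_label <= STATIC_IN_MAX:
            flag("incoming label outside static range")

        # An incoming label may be used only once per router; one LSP may
        # still own several different incoming labels.
        key = (e.router, e.incoming_label)
        if key in owners:
            flag(f"incoming label already used by {owners[key]}")
        else:
            owners[key] = e.lsp_name

        if e.next_hop is None:
            flag("next-hop missing")

        # A transit entry either pops the label or swaps it for a
        # non-reserved outgoing label.
        if e.action == "swap":
            if e.out_label is None:
                flag("swap without outgoing label")
            elif not RESERVED_MAX < e.out_label <= LABEL_MAX:
                flag("swap label reserved or out of range")
        elif e.action != "pop":
            flag("action must be pop or swap")

    return problems


# Constructed sample plan (router names, LSP names and addresses are made up).
SAMPLE_PLAN = [
    TransitEntry("P1", "lsp-a", 1_000_001, "swap", 1_000_002, "192.0.2.2"),
    TransitEntry("P1", "lsp-a", 1_000_003, "swap", 1_000_004, "192.0.2.2"),
    TransitEntry("P1", "lsp-b", 1_000_001, "pop", None, "192.0.2.6"),
    TransitEntry("P1", "lsp-c", 299_776, "swap", 1_000_009, "192.0.2.10"),
    TransitEntry("P2", "lsp-a", 1_000_001, "swap", 3, "198.51.100.2"),
    TransitEntry("P2", "lsp-d", 1_000_005, "swap", None, None),
]

if __name__ == "__main__":
    for router, lsp, label, problem in check_plan(SAMPLE_PLAN):
        print(f"{router} {lsp} in-label {label}: {problem}")
```
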

■ Bypass static LSPs—You can now configure a named bypass static LSP for ingress and transit static LSPs, to be used if the primary LSP fails. To configure a bypass static LSP, include the bypass statement at the [edit protocols mpls static-label-switched-path path-name] hierarchy level. You must also configure the to and next-hop statements at the [edit protocols mpls static-label-switched-path static-lsp-name bypass] hierarchy level. You can also configure link and node protection for static LSPs. If you configure both link and node protection for the static LSP and the primary link fails, the node protection feature is preferred.

[MPLS]

■ Static LSP revert timer—You can now configure a revert timer for ingress and transit static LSPs. After traffic has been switched to a bypass static LSP, it is typically switched back to the primary static LSP when it comes back up. There is a configurable delay in the time (called the revert timer) between when the primary static LSP comes up and when traffic is reverted back to it from the bypass static LSP. This delay is needed because when the primary LSP comes back up, it is not certain whether all of the interfaces on the downstream node of the primary path have come up yet. The delay range is from 0 through 65,535 seconds and is configurable at each interface. If you configure a value of 0, traffic is never automatically reverted to the primary LSP, even if it does come back up. The only exception is if the bypass LSP goes down. The default value is 5 seconds. To configure the revert timer for an interface, include the protection-revert-time statement at the [edit protocols mpls interface interface-name static] hierarchy level. You can display the revert timer value for an interface using the show mpls interface detail command.

[MPLS]

■ Static LSP traceoptions—You can now configure the traceoptions statement to trace messages related to ingress and transit static LSPs by including the static flag at the [edit protocols mpls traceoptions flag] hierarchy level.

[MPLS]

■ Static LSP statistics—You can now display statistics related to MPLS static LSPs by issuing the show mpls static-lsp statistics command and the monitor static-lsp lsp-name command. The show mpls static-lsp statistics command includes the following options: ingress, transit, bypass, and name static-lsp-name. This command displays the packet count and byte count for the static LSP. You can clear the statistics for static LSPs by issuing the clear mpls static-lsp statistics command. You can also log the static LSP statistics to a file by specifying a file for the MPLS statistics statement. You can configure this file using the set protocols mpls statistics interval interval file filename command.

[MPLS, Routing Protocols and Policies Command Reference]

Multiplay

■ Border Gateway Function (BGF) RTCP XR reporting—Provides support for the H.248 RECRTCPXR (Received RTCP Extended Reporting) and RECRTCPXRBM (Received RTCP XR Burst Mode) reporting packages. The RECRTCPXR package defines properties and statistics that provide extended quality-of-service metrics received from the gateway controller. The RECRTCPXRBM package defines properties and statistics that provide burst metrics received from the gateway controller. Report data is available to the BGF when the gateway controller sends the relevant XR reporting packets and RTCP monitoring is active. Not all gateway controllers send the extended reporting packets. When XR packets are not received, all XR fields are displayed as 0s (zeroes).

You can use the following existing command to display the RECRTCPXR and RECRTCPXRBM report fields for a given gate-id: show services pgcp gate gateway-name statistics gate-id gate-id.

[Multiplay Solutions, System Basics Command Reference]

■ Integrated Multi-Services Gateway (IMSG) failed call reporting—Provides more extensive statistics on failed calls through improved show command output.

You can use the following existing command to display statistics on failed calls: show services border-signaling-gateway calls-failed gateway gateway-name.

[Multiplay Solutions, System Basics Command Reference]

■ Integrated Multi-Services Gateway (IMSG) media release—Enables the IMSG SIP function to release media resources when handling calls between two entities in the same media realm (the virtual interface specified in the PGCP configuration). When the new call usage policies for both entities allow media release, media resources are shared instead of being reserved for both entities. This improves the utilization of media resources and prevents latency.

To configure media release, enter the media-release statement at the [edit services border-signaling-gateway gateway-name sip new-call-usage-policy policy-name term term-name then media-policy] hierarchy level.

[Multiplay Solutions, Services Interfaces]

Routing Policy and Firewall Filters

■ New MPLS firewall filter match conditions (T Series routers)—The JUNOS Software now supports filtering MPLS-tagged IPv4 packets based on IP parameters for up to five MPLS stacked labels.

To configure the filter match conditions for an MPLS family based on IP parameters, include the from statement at the [edit firewall family family-name filter filter-name term term-name] hierarchy level:

from {
    match-conditions;
}

NOTE: New filter match conditions are applicable only for MPLS-tagged IPv4 packets. MPLS-tagged IPv6 packets are not supported by this filter.

[Policy Framework, Routing Protocols and Policies Command Reference]

Routing Protocols

■ BGP support for MDT-SAFI updates without a route target—By default, the JUNOS Software requires MDT-SAFI updates to have a route target attached. Some vendors do not support attaching route targets to the MDT-SAFI updates. For interoperability with these vendors, the JUNOS Software allows importing MDT-SAFI updates without a route target being attached. The MDT-SAFI is imported if the MDT default address in the MDT-SAFI prefix matches the MDT default address configured within the routing instance.

To configure the MDT default address, include the group-address group-address statement at the [edit routing-instances routing-instance-name provider-tunnel pim-ssm] hierarchy level.

[Multicast, Policy Framework]

■ Distributed periodic packet management support for aggregate interfaces—Extends support for the Bidirectional Forwarding Detection (BFD) protocol to use the periodic packet management daemon (PPMD) to distribute IPv4 sessions over aggregate interfaces. PPMD automatically runs on the Routing Engine and the Packet Forwarding Engine. To disable PPMD on the Packet Forwarding Engine only, include the no-delegate-processing statement at the [edit routing-options ppm] hierarchy level. Only IPv4 BFD sessions over aggregate interfaces are supported. PPMD does not support IPv6 BFD sessions over an aggregate interface or MPLS BFD sessions over an aggregate interface.

[Routing Protocols]

■ PIM join suppression support—Enables a router to defer sending join messages to an upstream router when identical join messages are sent on the same multiaccess network. This improves scalability and efficiency by reducing the number of identical messages sent to the same router.

This feature is useful when there are a large number of routers on a multiaccess network that will be receiving traffic for a particular multicast group. Suppressing joins at each router saves bandwidth and reduces heavy processing at upstream routers.

PIM join suppression can be implemented per multiaccess interface and per multicast group. It is only needed on downstream routers, and does not need to be implemented on upstream routers in order for it to work.

A tracking bit field on the LAN prune delay hello option is used in the CLI to enable join suppression for downstream routers. By default, the tracking bit is set to 1 and PIM join suppression is disabled. This is the default behavior for JUNOS Release 10.0 and earlier for Juniper Networks routers. With join suppression disabled (T-bit=1), a downstream receiving router will send join messages even if it receives identical joins for the same upstream router, as long as no other router in the network has join suppression enabled. When the tracking bit is set to 0 for at least one neighbor on this interface, join suppression is enabled, and the receiving router will defer sending identical joins. Use reset-tracking-bit in the CLI to enable join suppression.

When an upstream router receives a join message, its behavior is independent of the value of the T-bit in the hello option. When join suppression is triggered, a timer is activated and all sending of joins is deferred for the length of time specified by the timer. This is a random timer with a value between 0 and the Max Override Interval. The timer is reset each time join suppression is triggered, and the defer period is dependent on other settings in the LAN prune delay, including propagation-delay and override-interval.

Use the show protocols PIM command to see if the reset-tracking-bit is present, indicating that the T-bit has been changed to 0 and PIM join suppression is enabled.

[Multicast, Routing Protocols and Policies Command Reference]

■ Improve IGMPv3 snooping performance using bulk updates—Whenever an individual interface joins or leaves a multicast group, a new next-hop entry is installed in the routing table and the forwarding table. This can require a lot of processing time when the frequency and number of IGMP join and leave messages are high.

A new configuration statement can be used to accumulate outgoing interface changes and perform bulk updates to the routing table and forwarding table. This reduces the processing time and memory overhead required when processing join and leave messages, thus improving scalability. This is useful for applications such as Internet Protocol television (IPTV), in which users changing channels can create thousands of interfaces joining or leaving a group in a short period of time.

To enable bulk updates of join and leave messages, include the next-hop-hold-time statement and specify the number of milliseconds to wait before processing the messages. The next-hop-hold-time statement can be configured at the [edit routing-instances routing-instance-name] hierarchy level. The hold time can be configured from 1 to 1000 milliseconds. The routing instance must be of type VPLS or virtual-switch.

If the next-hop-hold-time statement is deleted from the router configuration, IGMP bulk updates are disabled. The configuration of the next-hop-hold-time statement can be verified using the show multicast snooping route command.

[Multicast, Routing Protocols and Policies Command Reference]

■ Hub-and-spoke support for multiprotocol BGP-based multicast VPNs with PIM-SSM GRE S-PMSI transport—Multiprotocol BGP-based (MBGP) multicast VPNs (also referred to as next-generation Layer 3 VPN multicast) can be configured using protocol-independent multicast source-specific multicast (PIM-SSM) selective provider multicast service interface (S-PMSI) tunnels in a hub-and-spoke topology.

This feature is useful in the following scenarios:

■ Customer sources and rendezvous points (RPs) are located only in the hub sites and customer receivers are located in spoke sites or other hub sites.

■ Customer sources are located only in spoke sites and customer receivers are located only in hub sites.

To configure MBGP MVPNs to use PIM-SSM S-PMSI tunnels in a hub-and-spoke topology:

■ Include the group-range statement and specify the group address range at the [edit routing-instances routing-instance-name provider-tunnel selective group group-address source source-address pim-ssm] hierarchy level on all PE routers participating in the MVPN.

■ Include the threshold-rate statement and specify zero as the threshold value at the [edit routing-instances routing-instance-name provider-tunnel selective group group-address source source-address] hierarchy level on all PE routers participating in the MVPN.

■ Include the family inet-mvpn statement and family inet6-mvpn statement at the [edit routing-instances routing-instance-name vrf-advertise-selective] hierarchy level to selectively advertise routes on PE routers that use one VRF for unicast routing and a separate VRF for MVPN routing.

[VPNs, Routing Protocols, Routing Protocols and Policies Command Reference]


Services Applications

■ FlowTapLite enhancements—Extend support for interception of IPv6 packets on MX Series, M120, and M320 routers. For IPv6, the global filter taps packets from the default IPv6 routing table and does not tap packets from other VRFs. To tap packets from other VRFs, you can install separate VRF filters. For IPv4, the global filter intercepts all IPv4 packets irrespective of the VRF. The limit for filters remains 3000, which is now shared between IPv4 and IPv6. For example, you can install 3000 IPv4 filters or 3000 IPv6 filters, or a combination of both that totals 3000. You cannot install 3000 IPv4 filters and 3000 IPv6 filters.

No new statements are required to configure these enhancements. However, whether you use IPv6 flow tapping or not, you must include the family inet6 statement at the [edit interfaces vt-fpc/pic/port unit logical-unit-number] hierarchy level.

[Services Interfaces]

Subscriber Access Management


■ JUNOS subscriber access scaling values (M120, M320, and MX Series routers)—Table 2 on page 28 lists the DHCP, PPP, and PPPoE scaling values supported for subscriber access in this release of M120, M320, and MX Series routers. In this table, DPC means only MX Series Enhanced Queuing IP Services DPCs (DPCE-R-Q-40GE-SFP and DPCE-R-Q-4XGE-XFP). These DPCs support only DHCP subscribers; they do not support PPP subscribers.

Table 2: Subscriber Access Scaling Values for M120, M320, and MX Series Routers

| Subscriber Access Feature | M120/M320 | MX240 | MX480/960 |
| --- | --- | --- | --- |
| DHCP client bindings per chassis | – | 120,000 | 120,000 |
| DHCP subscriber VLANs | | | |
| Per DPC | – | 16,000 | 16,000 |
| Per chassis with DPCs | – | 32,000 | 64,000 |
| Per Trio MPC/MIC | – | 64,000 | 64,000 |
| Per chassis with Trio MPC/MIC | – | 64,000 | 64,000 |
| PPP logical interfaces | | | |
| Dynamic PPPoE interfaces per chassis | 15,999 | 63,999 | 63,999 |
| Dynamic PPPoE interfaces per IQ2/IQ2E PIC | 4000 | – | – |
| Dynamic PPPoE interfaces per Trio MPC/MIC | – | 32,000 | 32,000 |
| Static interfaces per chassis | 15,999 | 15,999 | 15,999 |
| PPPoE subscriber VLANs | | | |
| Per IQ2/IQ2E PIC | 2000 | – | – |
| Per chassis with IQ2/IQ2E PIC | 8000 | – | – |
| Per Trio MPC/MIC | – | 32,000 | 32,000 |
| Per chassis with Trio MPC/MIC | – | 32,000 | 32,000 |

PPP connections (logical interfaces) are supported in a range of configurations. For example, 63,999 PPP connections per chassis are supported when all subscribers are configured on the same VLAN. In this case, 63,999 pp0 interfaces are configured under the same VLAN logical interface and the one remaining logical interface is consumed for the single VLAN.

At the other extreme, when you configure each subscriber on a separate VLAN (using stacked VLANs), up to 32,000 PPP connections per chassis are supported. In this case, each subscriber connection consumes two logical interfaces: one for the VLAN logical interface and one for the pp0 logical interface.

The M120, M320, and MX Series routers support a maximum of 2000 different dynamic profiles per chassis.

[Subscriber Access]

■ Support for dynamic CoS for subscriber interfaces on Trio MPC/MIC interfaces (MX Series routers)—Enables you to configure dynamic CoS for subscriber interfaces on Trio MPC/MIC interfaces that are now available on MX Series routers. In earlier releases, dynamic CoS was supported on EQ DPCs only.

To configure dynamic CoS on Trio MPC/MIC interfaces, you must enable the hierarchical scheduler for an interface at the [edit interfaces] hierarchy level. You can then configure dynamic CoS parameters at the [edit dynamic-profiles profile-name class-of-service] hierarchy level. The CoS parameters are dynamically applied to subscriber’s services when they log in or change services.

Trio MPC/MIC interfaces support CoS for the following interface types: static VLAN, demux, static and dynamic PPPoE, and aggregated Ethernet subscriber interfaces.

In this release, hierarchical CoS for aggregated Ethernet interfaces is supported on the Trio MPC/MIC product when a static VLAN is configured over the aggregated Ethernet interface. It is not supported for static or dynamic demux subscriber interfaces configured over aggregated Ethernet.

[Subscriber Access]

■ Support for CoS on dynamic PPPoE subscriber interfaces (MX Series routers)—Enables you to configure CoS for dynamic PPPoE subscriber interfaces on Trio MPC/MIC interfaces available on MX Series routers and the Intelligent Queuing 2 (IQ2) PIC on M120 and M320 Series routers.

In earlier releases, only static CoS was supported for static PPPoE subscriber interfaces configured on IQ2 PICs on M120 and M320 Series routers.

To configure CoS for a dynamic PPPoE interface, configure the shaping and scheduling parameters at the [edit dynamic-profiles profile-name class-of-service] hierarchy level. You then attach the traffic control profile to the dynamic PPPoE interface by including the output-traffic-control-profile profile-name statement at the [edit dynamic-profiles profile-name class-of-service interfaces $junos-interface-ifd-name unit $junos-underlying-interface-unit] hierarchy level.

When the subscriber logs in, PPP supplies pp0 as the $junos-interface-ifd-name variable, and supplies the PPPoE logical interface number for the $junos-underlying-interface-unit variable.

[Subscriber Access]

■ Support for IPv6 for dynamic subscriber services (MX Series routers)—Enables you to configure IPv6 addressing and prefixes for dynamic subscriber services. In earlier releases, dynamic subscriber services supported IPv4 addressing only. You can now configure both IPv4 and IPv6 addressing in the same dynamic profile to grant access and services to IPv4 and IPv6 subscribers.

In this release, IPv6 addressing is supported for static and dynamic VLAN subscriber interfaces and dynamic demux subscriber interfaces.

To enable IPv6 addressing for a static VLAN subscriber interface, include the family inet6 statement at the [edit dynamic-profiles profile-name interfaces interface-name unit logical-unit-number] hierarchy level.

To enable IPv6 addressing for a demux subscriber interface, include the family inet6 statement at the [edit dynamic-profiles profile-name interfaces demux0] hierarchy level. To enable an IPv6 source address for the interface, specify the new $junos-subscriber-ipv6-address predefined variable with the demux-source statement at the [edit dynamic-profiles profile-name interfaces demux0 unit $junos-interface-unit family inet6] hierarchy level. The values for this variable are supplied to the interface by DHCP when the subscriber logs in.

This feature enables you to configure dynamic, classic, and fast update firewall filters for IPv6 families. In addition, you can configure aggregate CoS when IPv4 and IPv6 families share a logical interface, and per-family CoS when IPv4 and IPv6 families do not share a logical interface (such as a demux interface).

The following new predefined variables have been added to implement IPv6 addressing for subscriber services:

| Dynamic Profile Variable | Definition |
| --- | --- |
| $junos-framed-route-ipv6-address-prefix | Route prefix of an IPv6 access route. |
| $junos-framed-route-ipv6-nexthop | Next-hop address of an IPv6 access route. |
| $junos-input-ipv6-filter | Attaches a filter based on RADIUS VSA 26-106 (IPv6-Ingress-Policy-Name) to the interface. |
| $junos-ipv6-ndra-prefix | IPv6 prefix value used when configuring the Router Advertisement protocol. |
| $junos-output-ipv6-filter | Attaches a filter based on RADIUS VSA 26-107 (IPv6-Egress-Policy-Name) to the interface. |
| $junos-preferred-source-ipv6-address | Selects the preferred IPv6 source address associated with the loopback address used for the subscriber. |
| $junos-subscriber-ipv6-address | IPv6 address of the subscriber. |

RADIUS supports activation, deactivation, and change of authorization (CoA) for IPv6 services. The following new RADIUS attributes and VSAs have been added to implement IPv6 addressing for subscriber services:

| Attribute Number | Attribute Name |
| --- | --- |
| 97 | Framed-IPv6-Prefix |
| 99 | Framed-IPv6-Route |
| 26-106 | IPv6-Ingress-Policy-Name |
| 26-107 | IPv6-Egress-Policy-Name |
| 26-129 | IPv6-NdRa-Prefix |
| 26-151 | IPv6-Acct-Input-Octets |
| 26-152 | IPv6-Acct-Output-Octets |
| 26-153 | IPv6-Acct-Input-Packets |
| 26-154 | IPv6-Acct-Output-Packets |
| 26-155 | IPv6-Acct-Input-Gigawords |
| 26-156 | IPv6-Acct-Output-Gigawords |
| 26-157 | IPv6-NdRa-Pool-Name |

You can monitor IPv6 statistics by issuing the show subscribers and show network-access aaa subscriber commands.

[Subscriber Access]
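
The attributes listed above arrive as RADIUS TLVs, and the two policy-name VSAs decide which IPv6 filters the $junos-input-ipv6-filter and $junos-output-ipv6-filter variables attach. The following Python decoder is an added example, not code from these release notes or from Juniper. It assumes the standard RADIUS attribute encoding (RFC 2865 and RFC 3162) and Juniper vendor ID 4874, neither of which is stated on this page; the sample packet and filter names are constructed.

```python
import ipaddress
import struct

JUNIPER_VENDOR_ID = 4874   # assumption: the vendor ID is not given in the release notes
VSA_NAMES = {               # "26-nnn" numbers and names from the attribute table
    106: "IPv6-Ingress-Policy-Name", 107: "IPv6-Egress-Policy-Name",
    129: "IPv6-NdRa-Prefix", 151: "IPv6-Acct-Input-Octets",
    152: "IPv6-Acct-Output-Octets", 153: "IPv6-Acct-Input-Packets",
    154: "IPv6-Acct-Output-Packets", 155: "IPv6-Acct-Input-Gigawords",
    156: "IPv6-Acct-Output-Gigawords", 157: "IPv6-NdRa-Pool-Name",
}
TEXT_VSAS = {106, 107, 157}  # name-valued VSAs, decoded as text; others shown as hex
FILTER_VARIABLES = {106: "$junos-input-ipv6-filter", 107: "$junos-output-ipv6-filter"}


def iter_tlvs(buf):
    """Yield (type, value) pairs; the length octet covers type, length and value."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = buf[pos], buf[pos + 1]
        if alen < 2 or pos + alen > len(buf):
            raise ValueError(f"attribute {atype} has invalid length {alen}")
        yield atype, buf[pos + 2:pos + alen]
        pos += alen


def decode_ipv6_prefix(value):
    """Framed-IPv6-Prefix value (RFC 3162): reserved, prefix length, 0-16 prefix octets."""
    if not 2 <= len(value) <= 18 or value[1] > 128:
        raise ValueError("malformed Framed-IPv6-Prefix")
    packed = value[2:].ljust(16, b"\x00")
    return str(ipaddress.IPv6Network((packed, value[1]), strict=False))


def decode_ipv6_attributes(packet):
    """Return (attributes, filters) for the IPv6 attributes in one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-octet RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("RADIUS length field does not match the packet")
    attributes, filters = [], {}
    for atype, value in iter_tlvs(packet[20:length]):
        if atype == 97:
            attributes.append(("97 Framed-IPv6-Prefix", decode_ipv6_prefix(value)))
        elif atype == 99:
            attributes.append(("99 Framed-IPv6-Route", value.decode("utf-8", "replace")))
        elif atype == 26 and len(value) >= 4:
            if struct.unpack("!I", value[:4])[0] != JUNIPER_VENDOR_ID:
                continue  # another vendor's VSA, not one of the attributes in the table
            for vtype, vvalue in iter_tlvs(value[4:]):
                if vtype not in VSA_NAMES:
                    continue
                text = vvalue.decode("utf-8", "replace") if vtype in TEXT_VSAS else vvalue.hex()
                attributes.append((f"26-{vtype} {VSA_NAMES[vtype]}", text))
                if vtype in FILTER_VARIABLES:
                    filters[FILTER_VARIABLES[vtype]] = text
    return attributes, filters


def _attr(atype, value):
    return bytes([atype, len(value) + 2]) + value


def _vsa(vtype, value, vendor=JUNIPER_VENDOR_ID):
    return _attr(26, struct.pack("!I", vendor) + _attr(vtype, value))


def build_sample_accept():
    """Constructed Access-Accept (code 2): made-up filter names, zeroed authenticator."""
    body = (
        _attr(97, b"\x00\x40" + bytes.fromhex("20010db800000001"))
        + _vsa(106, b"v6-in-gold")
        + _vsa(107, b"v6-out-gold")
        + _vsa(106, b"ignored", vendor=12345)  # different vendor ID: must be skipped
    )
    return struct.pack("!BBH", 2, 1, 20 + len(body)) + bytes(16) + body


if __name__ == "__main__":
    attrs, filters = decode_ipv6_attributes(build_sample_accept())
    for name, value in attrs:
        print(f"{name}: {value}")
    print(filters)
```

Comparing the returned filter names against the filters actually defined on the router shows when a RADIUS reply names a policy that does not exist or was not expected for that subscriber.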

■ Support for dynamic PPPoE interfaces (M120, M320, and MX Series routers)—Enables you to configure dynamically created PPPoE logical interfaces over statically created underlying interfaces. For subscriber access purposes, the dynamic PPPoE logical interface represents a dynamic PPPoE subscriber interface. The router automatically and transparently creates the dynamic interface in response to an external event, such as the receipt of traffic on an underlying interface. For example, the router creates a dynamic PPPoE logical interface when it receives a PPPoE Active Discovery Request (PADR) control packet from the client on an underlying interface to which a PPPoE dynamic profile is assigned. The router uses the information configured in the dynamic profile to determine the properties of the dynamic PPPoE logical interface.

The use of dynamically created PPPoE interfaces gives you the flexibility of having the router create the dynamic PPPoE logical interface only when the subscriber logs in on the associated underlying interface. By contrast, statically created interfaces always allocate and consume system resources upon interface creation, even when no traffic is flowing on the interface. Configuring and using dynamically created interfaces helps you effectively and conveniently manage subscriber access networks that provide services to large numbers of subscribers.

Configuration of dynamic PPPoE logical interfaces is supported on Intelligent Queuing 2 (IQ2) PICs on M120 and M320 Series routers, and on Trio MPC/MIC interfaces on MX Series routers.

To configure a dynamic PPPoE logical interface:

1. Configure a dynamic profile to define the attributes of the dynamic PPPoE logical interface. To do so, include the following statements at the [edit dynamic-profiles profile-name] hierarchy level:

    dynamic-profiles {
        profile-name {
            interfaces pp0 {
                unit $junos-interface-unit {
                    keepalives interval seconds;
                    no-keepalives;
                    pppoe-options {
                        underlying-interface "$junos-underlying-interface";
                        server;
                    }
                    ppp-options {
                        chap;
                        pap;
                    }
                    family inet {
                        unnumbered-address interface-name;
                        address address;
                        service {
                            input {
                                service-set service-set-name <service-filter filter-name>;
                            }
                            output {
                                service-set service-set-name <service-filter filter-name>;
                            }
                        }
                        filter {
                            input filter-name;
                            output filter-name;
                        }
                    }
                }
            }
        }
    }

You can use most of these same statements to configure statically created PPPoE interfaces, with the following important differences. When you configure a profile to dynamically create a PPPoE interface, you must specify the $junos-interface-unit predefined dynamic variable instead of the actual logical unit number for the unit statement, and the $junos-underlying-interface predefined dynamic variable instead of the actual name of the underlying interface for the underlying-interface statement.

2. Assign the dynamic profile to the underlying interface on which the router creates the dynamic PPPoE interface. To do so, include the pppoe-underlying-options statement at the [edit interfaces interface-name unit logical-unit-number] hierarchy level, as follows:

    interfaces {
        interface-name {
            unit logical-unit-number {
                encapsulation ppp-over-ethernet;
                pppoe-underlying-options {
                    access-concentrator name;
                    dynamic-profile profile-name;
                    duplicate-protection;
                    max-sessions number;
                }
            }
        }
    }

The statements at the [edit interfaces interface-name unit logical-unit-number pppoe-underlying-options] hierarchy level define the following PPPoE-specific attributes for the underlying interface:

■ To provide an alternative access concentrator (AC) name in the AC-NAME tag in a PPPoE control packet, include the access-concentrator statement.

■ To assign a previously configured dynamic profile to the underlying interface, include the dynamic-profile statement. This is the only required statement for configuring dynamic PPPoE interfaces at the [edit interfaces interface-name unit logical-unit-number pppoe-underlying-options] hierarchy level.

■ To prevent the activation of another dynamic PPPoE logical interface on the same underlying interface on which a dynamic PPPoE logical interface is already active for the same client, include the duplicate-protection statement.

■ To configure the maximum number of dynamic PPPoE logical interfaces (sessions) that the router can activate on the underlying interface, include the max-sessions statement.

To display information about the dynamic PPPoE interface configuration, use the show pppoe underlying-interfaces, show pppoe statistics, and show pppoe interfaces operational commands. You can also use the clear pppoe statistics command to clear packet statistics on the underlying interface.

[Subscriber Access]
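
An added example (not Juniper's code): a Python audit of the two-step procedure above, which parses curly-brace configuration text and checks every unit that carries pppoe-underlying-options. The interface, profile names, and values in the sample are constructed, and reporting a missing duplicate-protection or max-sessions statement as an advisory finding is this example's own policy choice, since the notes make only dynamic-profile mandatory.

```python
import re

SAMPLE_CONFIG = """
dynamic-profiles {
    pppoe-subs {
        interfaces {
            pp0 {
                unit "$junos-interface-unit" {
                    pppoe-options {
                        underlying-interface "$junos-underlying-interface";
                        server;
                    }
                    ppp-options { chap; }
                    family inet { unnumbered-address lo0.0; }
                }
            }
        }
    }
}
interfaces {
    ge-1/0/0 {
        unit 10 {
            encapsulation ppp-over-ethernet;
            pppoe-underlying-options {
                dynamic-profile pppoe-subs;
                duplicate-protection;
                max-sessions 100;
            }
        }
        unit 20 {
            encapsulation ppp-over-ethernet;
            pppoe-underlying-options { dynamic-profile pppoe-missing; }
        }
    }
}
"""  # constructed sample, trimmed to the statements discussed above

def parse_junos(text):
    """Parse curly-brace configuration text into nested dicts; leaf statements map to None."""
    root = {}
    stack, words = [root], []
    for tok in re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text):
        if tok == "{":
            child = {}
            stack[-1][" ".join(words)] = child
            stack.append(child)
            words = []
        elif tok == ";":
            stack[-1][" ".join(words)] = None
            words = []
        elif tok == "}":
            if len(stack) == 1 or words:
                raise ValueError("unbalanced '}' or statement without ';'")
            stack.pop()
        else:
            words.append(tok.strip('"'))
    if len(stack) != 1 or words:
        raise ValueError("unterminated block or statement")
    return root

def profile_uses_variables(profile):
    """True if the pp0 unit and its underlying-interface use the predefined variables."""
    pp0 = profile.get("interfaces pp0") or (profile.get("interfaces") or {}).get("pp0") or {}
    unit = pp0.get("unit $junos-interface-unit") or {}
    pppoe = unit.get("pppoe-options") or {}
    return "underlying-interface $junos-underlying-interface" in pppoe

def audit_pppoe(config):
    """Return (interface.unit, finding) pairs for units with pppoe-underlying-options."""
    profiles = config.get("dynamic-profiles") or {}
    findings = []
    for ifname, ifcfg in (config.get("interfaces") or {}).items():
        for key, unit in (ifcfg or {}).items():
            opts = unit.get("pppoe-underlying-options") if isinstance(unit, dict) else None
            if not key.startswith("unit ") or not isinstance(opts, dict):
                continue
            where = f"{ifname}.{key.split()[1]}"
            if "encapsulation ppp-over-ethernet" not in unit:
                findings.append((where, "encapsulation ppp-over-ethernet missing"))
            names = [k.split()[1] for k in opts if k.startswith("dynamic-profile ")]
            if not names:
                findings.append((where, "required dynamic-profile statement missing"))
            for name in names:
                profile = profiles.get(name)
                if not isinstance(profile, dict):
                    findings.append((where, f"dynamic profile {name} is not defined"))
                elif not profile_uses_variables(profile):
                    findings.append((where, f"profile {name} lacks the predefined variables"))
            if "duplicate-protection" not in opts:
                findings.append((where, "duplicate-protection not set (advisory)"))
            if not any(k.startswith("max-sessions ") for k in opts):
                findings.append((where, "max-sessions not set (advisory)"))
    return findings

if __name__ == "__main__":
    for where, finding in audit_pppoe(parse_junos(SAMPLE_CONFIG)):
        print(f"{where}: {finding}")
```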

■ Support for PPPoE Layer 3 wholesale configuration in a subscriber access network—Enables you to configure PPPoE Layer 3 wholesaling within a subscriber access network. Wholesale access is the process by which an access network provider partitions the access network into separately manageable and accountable subscriber segments for resale to other network providers. An access network provider may elect to wholesale all or part of its network to one or more service providers (retailers).

In a Juniper Networks subscriber access network, you accomplish Layer 3 partitioning through the use of logical systems (LSs) and routing instances. Logical systems enable you to divide a physical router into separate, distinct, logical administrative domains. This method of division enables multiple providers to administer the router simultaneously and each have access to only the portions of the configuration that are relevant to their specific logical system. The JUNOS Software supports up to 15 named logical systems in addition to the default logical system (inet.0).

Routing instances are typically used in Layer 3 VPN scenarios. A routing instance does not have the same level of administrative separation as does a logical system. The routing instance defines a distinct routing table, set of routing policies, and set of interfaces, but it does not provide administrative isolation.

When configuring PPPoE Layer 3 wholesale for a subscriber access network, keep the following in mind:

■ PPPoE Layer 3 wholesaling supports the use of only the default logical system using multiple routing instances.

■ Each routing instance must contain a loopback with one or more addresses to be used for the unnumbered interface. However, unlike configuring Layer 3 wholesale for DHCP, the loopback interface address does not have to be within the same subnetwork as the client IP address.

■ The system ignores the preferred-source-address option for the unnumbered-address statement when it is configured. To avoid confusion, we recommend that you do not configure the preferred-source-address option for the unnumbered-address statement when configuring an unnumbered interface. However, the system will function appropriately, regardless of whether or not you have configured the preferred-source-address option.

To configure PPPoE Layer 3 wholesale for a subscriber access network:

■ Include the routing-instances statement along with the $junos-routing-instance dynamic variable at the [edit dynamic-profiles profile-name] hierarchy level.

■ Include the interface statement along with the $junos-interface-name dynamic variable at the [edit dynamic-profiles profile-name routing-instances “$junos-routing-instance”] hierarchy level.

■ Include the unnumbered-address statement along with $junos-loopback-interface dynamic variable at the [edit dynamic-profiles profile-name interfaces pp0 unit “$junos-interface-unit” family inet] hierarchy level.

To view the logical system and routing instance for each subscriber, use the show subscriber operational command.

[Subscriber Access, Broadband Subscriber Management]

■ PPP PAP and CHAP enhancements for subscriber management (M120 and M320 routers)—Subscriber management supports both bidirectional and unidirectional PPP PAP and CHAP authentication.

In subscriber management, the router's PPP interface typically authenticates the remote client (the subscriber). Bidirectional authentication is not usually used in a subscriber management environment, even though it is supported for static interfaces. Also, subscriber management uses AAA to authenticate subscribers, which removes the need to specify an access profile or a default password for PAP or CHAP authentication.

■ For static interfaces, the router supports bidirectional authentication. If you do not include the passive statement in the configuration, the router functions as the authenticator for remote clients. If you include the passive statement, the router is authenticated by the remote client. Also, when you specify the passive statement for static interfaces, you must specify other attributes, as described in the JUNOS Network Interfaces Guide.

■ For dynamic interfaces, the router supports unidirectional authentication only—the router always functions as the authenticator. When you configure PPP authentication in a dynamic profile (at the [edit dynamic-profiles] hierarchy level), the pap and chap statements do not support any additional configuration options, including the passive statement. PPP dynamic interfaces are supported only on PPPoE interfaces (interface pp0) for this release.

To configure CHAP or PAP authentication for static interfaces, use the following stanza:

    [edit interfaces interface-name unit logical-unit-number]
    ppp-options {
        chap {
            access-profile name;
            default-chap-secret name;
            local-name name;
            passive;
        }
        pap {
            access-profile name;
            default-pap-password password;
            local-name name;
            local-password password;
            passive;
        }
    }

To configure CHAP or PAP authentication for dynamic interfaces, use the following stanza:

    [edit dynamic-profiles profile-name interfaces pp0 unit $junos-interface-unit]
    ppp-options {
        chap;
        pap;
    }

[Subscriber Access, Network Interfaces]

■ Support for input and output filters on the Trio MPC/MIC interfaces on MX Series routers—Enables you to apply input and output filters to logical interfaces that are running over the Trio MPC/MIC interfaces on MX Series routers.

To apply input and output filters for logical interfaces, include the input input-filter-name and output output-filter-name statements. To apply these filters statically, include the statements at the [edit interfaces interface-name unit logical-unit-number filter] hierarchy level. To apply these filters dynamically, include the statements at the [edit dynamic-profiles profile-name interfaces interface-name unit “$junos-interface-unit” filter] hierarchy level. For information about how to create filters, see the Policy Framework Configuration Guide.

[Subscriber Access, Network Interfaces, Policy Framework]

■ PPPoE interface support for subscriber secure policy traffic mirroring on Trio MPC/MIC interfaces on MX Series routers—Enables you to configure subscriber secure policy traffic mirroring to provide RADIUS-initiated mirroring for subscribers on PPPoE interfaces that are running over Trio MPC/MIC interfaces on MX Series routers.

For information about how to configure subscriber secure policy traffic mirroring, see the Subscriber Access Configuration Guide.

[Subscriber Access]

■ Support for PPP/PPPoE subscriber interfaces on the Trio MPC/MIC family of products (MX Series routers)—Enables you to configure PPP/PPPoE subscriber interfaces that are running over the Trio MPC/MIC family of products when used on MX Series routers. To configure PPP/PPPoE subscriber interfaces, you use the statements and procedures that are described in the JUNOS Network Interfaces Guide.

[Subscriber Access, Network Interfaces]

■ Support for demux VLAN interface configuration on Ethernet and aggregate Ethernet Trio MPC/MIC interfaces—Enables the static or dynamic creation of demux VLAN interfaces with an underlying interface of aggregate Ethernet or Gigabit/10–Gigabit Ethernet.

When configuring static VLAN demux interfaces, specify a VLAN ID for the vlan-id statement at the [edit dynamic-profiles profile-name interfaces demux0 unit unit-number] hierarchy level. You must also specify the underlying device name for the underlying-interface statement at the [edit dynamic-profiles profile-name interfaces demux0 unit unit-number demux-options] hierarchy level.

When configuring dynamic VLAN demux interfaces, specify the VLAN ID variable ($junos-vlan-id) for the vlan-id statement at the [edit dynamic-profiles profile-name interfaces demux0 unit unit-number] hierarchy level. You must also specify the underlying device name variable ($junos-interface-ifd-name) for the underlying-interface statement at the [edit dynamic-profiles profile-name interfaces demux0 unit unit-number demux-options] hierarchy level.

In addition, keep the following in mind while configuring dynamic VLANs over IP demux interfaces:

■ Only single VLAN and stacked VLAN tag options are supported as VLAN selectors.

■ IP demux over IP demux stacking is not supported.

■ This support is limited to Trio MPC/MIC interfaces on MX Series routers.

[Subscriber Access]

System Logging

■ New and deprecated system log families and tags—The following system log families are new in this release:

■ ALARMD—Describes messages with the ALARMD prefix. They are generated by the alarm process (alarmd).

■ CONNECTION—Describes messages with the CONNECTION prefix. They are generated whenever the alarm process is unable to connect to another process.

■ FCD—Describes messages with the FCD prefix. They are generated by the Fibre Channel process (fcd) which connects servers to disks and tape devices in a storage area network.

■ GPRSD—Describes messages with the GPRSD prefix. They are generated by the general packet radio service process (gprsd) that integrates with existing GSM networks and offers mobile subscribers with packet-switched data services access to corporate networks and the Internet.

■ LIBJSNMP—Describes messages with the LIBJSNMP prefix. They are generated by the libjsnmp process.

■ UTMD—Describes messages with the UTMD prefix. They are generated by the unified threat management process (utmd), which protects the network from all types of attack.

■ WEBFILTER—Describes messages with the WEBFILTER prefix. They are generated by the Web filtering process (webfilter), which allows you to manage Internet usage by preventing access to inappropriate Web content.

The following system log messages are new in this release:

■ COSD_NULL_INPUT_ARGUMENT

■ DCD_GRE_CONFIG_INVALID

■ DCD_PARSE_ERROR_MAX_HIER_LEVELS

■ DCD_PARSE_ERR_INCOMPATIBLE_CFG

■ EVENTD_ALARM_CLEAR

■ EVENTD_TEST_ALARM

■ PFE_ANALYZER_CFG_FAILED

■ PFE_ANALYZER_SHIM_CFG_FAILED

■ PFE_ANALYZER_TABLE_WRITE_FAILED

■ PFE_ANALYZER_TASK_FAILED

■ PFE_COS_B2_ONE_CLASS

■ PFE_COS_B2_UNSUPPORTED

■ RPD_RA_CFG_CREATE_ENTRY_FAILED

■ RPD_RA_CFG_INVALID_VALUE

■ RPD_RA_DYN_CFG_ALREADY_BOUND

■ RPD_RA_DYN_CFG_INVALID_STMT

■ RPD_RA_DYN_CFG_SES_ID_ADD_FAIL


■ RPD_RA_DYN_CFG_SES_ID_MISMATCH

■ RPD_RT_CFG_BR_CONFLICT

The following system log messages are no longer documented:

■ DFWD_CONFIG_FW_UNSUPPORTED

■ LLDPD_PARSE_ARGS

■ LLDPD_PARSE_BAD_SWITCH

■ LLDPD_PARSE_CMD_ARG

■ LLDPD_PARSE_CMD_EXTRA

■ LLDPD_PARSE_USAGE

■ LPDFD_DYN_SDB_OPEN_FAILED

User Interface and Configuration

■ Enhanced support for up to 64 ECMP nexthops for load-balancing on M10i routers with Enhanced CFEB, M320, M120, MX Series, and T Series Core routers—The JUNOS Software supports configurations of 16, 32, or 64 equal-cost multipath (ECMP) next hops for RSVP and LDP LSPs on M10i routers with an Enhanced CFEB, and M320, M120, MX Series, and T Series routers. For networks with high-volume traffic, this provides more flexibility to load-balance the traffic over as many as 64 LSPs.

To configure the maximum limit for ECMP next hops, include the maximum-ecmp next-hops statement at the [edit chassis] hierarchy level:

    [edit chassis]
    maximum-ecmp next-hops;

You can configure a maximum ECMP next-hop limit of 16, 32, or 64 using this statement. The default limit is 16.

The following types of routes support the ECMP maximum next-hop configuration for as many as 64 ECMP gateways:

■ Static IPv4 and IPv6 routes with direct and indirect next-hop ECMPs

■ LDP ingress and transit routes learned through associated IGP routes

■ RSVP ECMP next hops created for LSPs

■ OSPF IPv4 and IPv6 route ECMPs

■ ISIS IPv4 and IPv6 route ECMPs

■ EBGP IPv4 and IPv6 route ECMPs

■ IBGP (resolving over IGP routes) IPv4 and IPv6 route ECMPs


The enhanced ECMP limit of up to 64 ECMP next hops is also applicable for Layer 3 VPNs, Layer 2 VPNs, Layer 2 circuits, and VPLS services that resolve over an MPLS route, because the available ECMP paths in the MPLS route can also be used by such traffic.

NOTE:

The following FPCs on M320, T640, and T1600 routers only support 16 ECMP next hops:

■ (M320, T640, and T1600 routers only) Enhanced II FPC1

■ (M320, T640, and T1600 routers only) Enhanced II FPC2

■ (M320 and T640 routers only) Enhanced II FPC3

■ (T640 and T1600 routers only) FPC2

■ (T640 and T1600 routers only) FPC3

If a maximum ECMP next-hop limit of 32 or 64 is configured on an M320, T640, or T1600 router with any of these FPCs installed, the Packet Forwarding Engines on these FPCs use only the first 16 ECMP next hops. For Packet Forwarding Engines on FPCs that support only 16 ECMP next hops, the JUNOS Software generates a system log message if a maximum ECMP next-hop limit of 32 or 64 is configured. However, for Packet Forwarding Engines on other FPCs installed on the router, a maximum configured ECMP limit of 32 or 64 ECMP next hops is applicable.

To view the details of the ECMP next hops, issue the show route command. The show route summary command also shows the current configuration for the maximum ECMP limit. To view details of the ECMP LDP paths, issue the traceroute mpls ldp command.

[System Basics, Policy Framework, Routing Protocols Command Reference]

■ Support for configuring time-based user access—The JUNOS Software enables you to configure time-based restrictions for user access to log in to a device. This is useful for restricting the time and duration of user logins for all users belonging to a login class. You can specify the days of the week when users can log in, the access start time, and the access end time.

■ To configure user access on specific days of the week, without any restrictions on the duration of login, include the allowed-days statement only.

[edit system]
login {
    class class-name {
        allowed-days days-of-the-week;
    }
}

■ To configure user access on all the days of the week for a specific duration, include the access-start and access-end statements only.

[edit system]
login {
    class class-name {
        access-start HHMM;
        access-end HHMM;
    }
}

■ To configure user access on specific days of the week for a specified duration, include the allowed-days, access-start, and access-end statements.

[edit system]
login {
    class class-name {
        allowed-days days-of-the-week;
        access-start HHMM;
        access-end HHMM;
    }
}

[System Basics]
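A small model of the three login-class cases above, useful for reviewing how much of the week a class actually leaves open. This is an added example, not Juniper code or part of the release notes: LoginClass, permits and weekly_open_minutes are hypothetical names, the sample classes are constructed, and the end-exclusive window and the treatment of a window that wraps midnight are assumptions to verify on the device.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import FrozenSet, Optional, Tuple

DAYS = ("monday", "tuesday", "wednesday", "thursday",
        "friday", "saturday", "sunday")  # index matches datetime.weekday()


def parse_hhmm(value: str) -> time:
    """Parse the HHMM placeholder form used on this page (24-hour clock)."""
    if len(value) != 4 or not value.isdigit():
        raise ValueError(f"expected HHMM, got {value!r}")
    hour, minute = int(value[:2]), int(value[2:])
    if hour > 23 or minute > 59:
        raise ValueError(f"out-of-range time {value!r}")
    return time(hour, minute)


@dataclass(frozen=True)
class LoginClass:
    """One login class; None means the statement is not configured."""
    name: str
    allowed_days: Optional[FrozenSet[str]] = None
    window: Optional[Tuple[time, time]] = None  # (access-start, access-end)

    @classmethod
    def from_statements(cls, name, allowed_days=None,
                        access_start=None, access_end=None):
        days = None
        if allowed_days is not None:
            days = frozenset(d.lower() for d in allowed_days)
            unknown = days - set(DAYS)
            if unknown:
                raise ValueError(f"unknown day(s): {sorted(unknown)}")
        window = None
        if access_start is not None or access_end is not None:
            if access_start is None or access_end is None:
                # Assumption of this model: a window needs both ends.
                raise ValueError("access-start and access-end go together")
            window = (parse_hhmm(access_start), parse_hhmm(access_end))
        return cls(name, days, window)

    def _day_allowed(self, when: datetime) -> bool:
        return (self.allowed_days is None
                or DAYS[when.weekday()] in self.allowed_days)

    def permits(self, when: datetime) -> bool:
        """True if a login attempt at `when` (device local time) is allowed."""
        if self.window is None:
            return self._day_allowed(when)          # days-only case
        start, end = self.window
        now = time(when.hour, when.minute)
        if start <= end:                            # same-day window
            return self._day_allowed(when) and start <= now < end
        # Window wraps midnight (e.g. 2200-0600). Assumption: the day test
        # applies to the day on which the window opened.
        if now >= start:
            return self._day_allowed(when)
        if now < end:
            return self._day_allowed(when - timedelta(days=1))
        return False


def weekly_open_minutes(login_class: LoginClass) -> int:
    """Minutes per week during which the class accepts logins."""
    monday = datetime(2010, 2, 15)  # a Monday; any Monday gives the same sum
    return sum(login_class.permits(monday + timedelta(minutes=m))
               for m in range(7 * 24 * 60))


# Constructed sample classes covering the cases listed above.
WEEKDAYS = DAYS[:5]
SAMPLE_CLASSES = [
    LoginClass.from_statements("weekend-only", ["saturday", "sunday"]),
    LoginClass.from_statements("daily-window", None, "0800", "1800"),
    LoginClass.from_statements("noc-day", WEEKDAYS, "0800", "1800"),
    LoginClass.from_statements("night-shift", WEEKDAYS, "2200", "0600"),
]

if __name__ == "__main__":
    for c in SAMPLE_CLASSES:
        print(f"{c.name:13s} open {weekly_open_minutes(c):5d} of 10080 min/week")
```

The night-shift class shows the case worth checking during review: under this model a Friday window stays open until 06:00 on Saturday even though Saturday is not in allowed-days.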

■ Dynamic IPv6 filters (MX Series routers)—Subscriber management now supports dynamic IPv6 filters. The dynamic filter feature supports both classic and fast update filters, and both IPv4 and IPv6.

You specify the filters in a dynamic profile, which associates the filter to an interface. When the dynamic profile is triggered, the profile applies the filter to an interface.

You use the filter statement at the [edit dynamic-profiles profile-name interfaces interface-name unit logical-unit-number family (inet | inet6)] hierarchy level to associate a dynamic profile to an interface.

[Subscriber Access, Policy Framework]

■ Support for classifiers and rewrite rules in dynamic subscriber-based CoS (MX Series routers)—You can now associate classifiers and rewrite rules with a subscriber interface in a dynamic profile. You must statically configure the classifiers and rewrite rules at the static [edit class-of-service] hierarchy level.

To associate a classifier configuration with a subscriber interface in a dynamic profile, include the classifiers statement at the [edit dynamic-profiles profile-name class-of-service interfaces interface-name unit logical-unit-number] hierarchy level. The supported classifier types for subscriber interfaces are dscp, dscp-ipv6, ieee-802.1, and inet-precedence.

To associate a rewrite-rule configuration with a subscriber interface in a dynamic profile, include the rewrite-rules statement at the [edit dynamic-profiles profile-name class-of-service interfaces interface-name unit logical-unit-number] hierarchy level. The supported rewrite rules for subscriber interfaces are dscp, dscp-ipv6, ieee-802.1, and inet-precedence.

[Subscriber Access]

■ Dynamic configuration of the router advertisement protocol—In a network deployment where router interfaces are configured statically, you might need to configure the router advertisement protocol on only a small number of interfaces on which it might run. However, in a subscriber access network, static configuration of the router advertisement protocol becomes impractical because the number of interfaces that potentially need the router advertisement protocol increases substantially. In addition, deploying services in a dynamic environment requires dynamic modifications to interfaces as they are created. To ensure that dynamic interfaces are created with the ability to use the router advertisement protocol, this release supports their configuration dynamically at the [edit dynamic-profiles profile-name protocols] hierarchy level. The dynamic profile applies router advertisement protocol configuration to dynamic interfaces as they are created.

To minimally configure the router advertisement protocol, include the router-advertisement statement at the [edit dynamic-profiles profile-name protocols] hierarchy level, and the interface statement along with the $junos-interface-name dynamic variable. All other statements are optional.

Optional router advertisement protocol statements include current-hop-limit, default-lifetime, managed-configuration, max-advertisement-interval, min-advertisement-interval, no-managed-configuration, no-other-stateful-configuration, other-stateful-configuration, prefix, reachable-time, and retransmit-timer. All of these statements appear at the [edit dynamic-profiles profile-name protocols router-advertisement] hierarchy level.

NOTE: Statements used for router advertisement protocol configuration at the [edit dynamic-profiles profile-name protocols] hierarchy level are identical in function to the same statements used for static router advertisement protocol configuration, with the exception of the interface and prefix statements which use dynamic variables.

[Subscriber Access]

Related Topics

■ Changes in Default Behavior and Syntax in JUNOS Release 10.1 for M Series, MX Series, and T Series Routers on page 42

■ Issues in JUNOS Release 10.1 for M Series, MX Series, and T Series Routers on page 52

■ Errata and Changes in Documentation for JUNOS Software Release 10.1 for M Series, MX Series, and T Series Routers on page 69

■ Upgrade and Downgrade Instructions for JUNOS Release 10.1 for M Series, MX Series, and T Series Routers on page 71


Changes in Default Behavior and Syntax in JUNOS Release 10.1 for M Series, MX Series, and T Series Routers

Class of Service

■ Forwarding class to queue number maps not supported on Multiservices link services intelligent queuing (LSQ) interfaces—If you configure a forwarding class map associating a forwarding class with a queue number, these maps are not supported on Multiservices link services intelligent queuing (lsq-) interfaces.

[Class of Service]

Forwarding and Sampling

■ Enhancement to the show firewall command—The show firewall command now supports a terse option that enables you to display only the names of firewall filters. This option displays no other information about the firewall filters configured on your system. Use the show firewall terse command to verify that all the correct filters are installed.

[Routing Protocols and Policies Command Reference]

Interfaces and Chassis

■ Disabling MAC address learning of neighbors through ARP or neighbor discovery for IPv4 and IPv6 traffic for logical interfaces—The JUNOS Software provides the no-neighbor-learn configuration statement at the [edit interfaces interface-name unit interface-unit-number family inet] and [edit interfaces interface-name unit interface-unit-number family inet6] hierarchy levels.

To disable ARP address learning for IPv4 traffic for a logical interface, include the no-neighbor-learn statement at the [edit interfaces interface-name unit interface-unit-number family inet] hierarchy level:

[edit interfaces interface-name unit interface-unit-number family inet]
no-neighbor-learn;

To disable neighbor discovery for IPv6 traffic for a logical interface, include the no-neighbor-learn statement at the [edit interfaces interface-name unit logical-unit-number family inet6] hierarchy level:

[edit interfaces interface-name unit interface-unit-number family inet6]
no-neighbor-learn;

[System Basics]

■ Logical and physical Ethernet interface bandwidth—If you configure a bandwidth on a logical Ethernet interface greater than the bandwidth configured for the corresponding physical Ethernet interface, the commit fails. The bandwidth of the logical interface should always be less than the bandwidth of the physical interface. If you do not configure a bandwidth for the logical interface, it is automatically set to the bandwidth configured for the physical interface.

[Network Interfaces]

■ Support for linerate mode on 10-port 10-Gigabit Oversubscribed Ethernet (OSE) PIC (T640, T1600, TX Matrix Plus platforms)—Enables you to configure the T640, T1600, and TX Matrix Plus routers to operate the 10-port 10-Gigabit OSE PIC in linerate mode, in which the OSE PIC disables oversubscription and operates in line rate mode. By default, the 10-port 10-Gigabit OSE PIC operates in 2:1 oversubscription mode.

[System Basics]

■ New CoS information field added to the show interfaces extensive command output—The output of the show interfaces extensive command now displays the class-of-service queue allocation information of the physical interfaces (intelligent queueing PICs such as IQ2 and so on) under the new class-of-service information category. In the previous releases, the class-of-service queue allocation information for physical interfaces was listed within the Packet Forwarding Engine configuration category:

host@user# show interfaces extensive ge-7/1/3

Packet Forwarding Engine configuration:
  Destination slot: 7
CoS information:
  Direction : Output
  CoS transmit queue           Bandwidth           Buffer   Priority   Limit
                              %         bps      %     usec
  0 best-effort              95   950000000     95        0        low    none
  3 network-control           5    50000000      5        0        low    none
  Direction : Input
  CoS transmit queue           Bandwidth           Buffer   Priority   Limit
                              %         bps      %     usec
  0 best-effort              95   950000000     95        0        low    none
  3 network-control           5    50000000      5        0        low    none

[Interfaces Command Reference]

■ Restriction on compatibility-mode adtran and verilink—On 2-port and 4-port channelized DS3 (T3) IQ interfaces, you cannot configure compatibility-mode adtran, or verilink at the [edit interfaces interface-name t3-options] hierarchy level. If configured, the default mode is applied on both the interfaces, that is, no subrating.

[Network Interfaces]

■ Support for internal clocking mode on OSE PICs—The 10-port 10-Gigabit Oversubscribed Ethernet (OSE) PIC supports only internal clocking mode on its ports.


[Network Interfaces]

■ Commit-time warning messages at the [edit interfaces] hierarchy level are now system logged—CLI commit-time warnings displayed for configuration at the [edit interfaces] hierarchy level have been removed and are now logged as system log messages. This change is applicable to JUNOS Release 10.1R1 and later, 10.0R2, and 9.3R4.

[CLI User Guide]

■ Invalid count of queues—The PD-5-10XGE-SFPP PICs in T Series routers do not display ingress control queue statistics as output from the show interfaces queue xe-fpc/pic/port forwarding-class command. However, you can use the following commands to display the ingress control queue statistics:

■ show interfaces queue both-ingress-egress xe-fpc/pic/port

■ show interfaces queue xe-fpc/pic/port

■ show interfaces queue xe-fpc/pic/port ingress

[Network Interfaces]

■ Support for configuration of a range of interfaces through the interface-range statement—Enables you to group a range of identical interfaces and apply a common configuration for the interfaces using a reduced number of configuration statements. To configure an interface-range group, include the interface-range statement and substatements at the [edit interfaces] hierarchy level. To view an interface range group in expanded configuration, use the show | display inheritance command.

[Network Interfaces, Interfaces Command Reference]

■ Enhancement to the show chassis fabric fpcs command—In JUNOS Release 10.1 and later, the show chassis fabric fpcs command issued on a T640 or T1600 router displays destination errors in addition to link errors. The command output displays a list of Packet Forwarding Engines that have destination errors, for those SIBs that are in the Check state. This enhancement is also applicable to JUNOS Release 9.6 and 10.0. The following sample shows the enhanced output for this command:

user@host> show chassis fabric fpcs

Fabric management FPC state:
FPC #3
    PFE #1
        SIB #2
            Plane enabled
        SIB #3
            Link error
            Destination error on PFEs 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21
        SIB #4
            Destination error on PFEs 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21

[System Basics Command Reference]

■ Modification to the output of the show interfaces extensive command output—For IQ2E interfaces, the show interfaces extensive command output no longer displays the schedulers field, because there is no static scheduler partitioning of schedulers among different ports in IQ2E.

[Interfaces Command Reference]

■ Enhancement to the show chassis sibs command—The show chassis sibs command now displays destination errors for SIBS in the Check state. In JUNOS Release 10.1 and later and JUNOS Release 9.6 and 10.0, the command displays the number of destination errors for SIBS in the Check state:

user@host> show chassis sibs

Slot  State                            Uptime
 0    Empty
 1    Empty
 2    Check (21 destination errors)    1 day, 1 hour, 32 minutes, 55 seconds
 3    Check (0 destination errors)     1 day, 1 hour, 32 minutes, 45 seconds
 4    Empty

use "show chassis fabric fpcs" to determine which PFEs have destination errors

However, for JUNOS Release 9.3 and 9.5, the command only displays the message destination errors or no destination errors for a SIB that is in the Check state, but does not display the number of destination errors:

user@host> show chassis sibs

Slot  State                            Uptime
 0    Empty
 1    Empty
 2    Check (destination errors)       1 day, 1 hour, 32 minutes, 55 seconds
 3    Check (no destination errors)    1 day, 1 hour, 32 minutes, 45 seconds
 4    Empty

use "show chassis fabric fpcs" for more details

In addition, the command also displays a message to use the show chassis fabric fpcs command for more information about the destination errors.


If there are no SIBs in the Check state, there is no change in the output of this command.

[System Basics Command Reference]

MPLS Applications

■ MPLS statistics file now optional—The file statement configured at the [edit protocols mpls statistics] hierarchy level is now optional. You still must configure the MPLS statistics statement to collect LSP statistics for the MPLS MIBs. Rather than accessing the LSP statistics in the MPLS statistics file, you can view the statistics using SNMP instead. This change helps to reduce disk space usage on the routing engine, especially on routers on which numerous LSPs have been configured.

[MPLS]

■ NSR tracing flags for MPLS—You can now configure MPLS tracing flags for nonstop active routing (NSR) synchronization events. This enables you to track the progress of NSR synchronization between Routing Engines and record these operations to a log file. To configure, include the flag nsr-synchronization or flag nsr-synchronization-detail statement at the [edit protocols mpls traceoptions] hierarchy level. The two statements are not mutually exclusive; you can track the events at a high level and in detail.

[High Availability, MPLS, Routing Protocols]

Multiplay

■ Border gateway function (BGF) improved efficiency and scalability through use of service interface pools—You can now use service interface pools to improve the maintainability and scalability of your service set configurations. When your service sets handle VPN traffic, you must specify a service interface pool for the next next-hop-service for the service sets. The interfaces that are members of the pool can serve as either inside or outside interfaces.

You should also specify service interface pools as the next-hop service for service sets that do not currently handle VPN traffic. You gain the immediate benefit of more efficient resource utilization and you can add VPNs to the service set in the future without reconfiguring your service sets.

[Multiplay Solutions]

Routing Policy and Firewall Filters

■ The ipsec-sa sa-name firewall filter action is no longer supported on the MX Series routers. To configure one or more actions for a firewall filter, include the actions statement at the [edit firewall family family-name filter filter-name term term-name then] hierarchy level.

[Policy]

■ Enhanced match-conditions support for VPLS and bridge firewall filters (MX Series routers and routers with Enhanced IQ2 [IQ2E] PICs only)—The protocol families vpls and bridge now support the interface-set match condition for firewall filters. To configure, include the interface-set interface-set-name statement at the [edit firewall family bridge filter filter-name term term-name from] or the [edit firewall family vpls filter filter-name term term-name from] hierarchy level. The protocol family bridge is supported only on MX Series routers.

An interface set is a set of logical interfaces used to configure hierarchical class-of-service schedulers. Previously only the following protocol families supported the interface-set match condition: ipv4, ipv6, any, and mpls.

[Policy]

Routing Protocols

■ OSPF sham link—An OSPF sham link is now installed in the routing table as a hidden route. Previously, an OSPF sham link was not installed in the routing table. In addition, a BGP route is no longer exported to OSPF if a corresponding OSPF sham link is available. To configure a sham link, include the sham-link local ip-address statement at the [edit routing-instances routing-instance-name protocols ospf] hierarchy level.

[Routing Protocols]

■ Removal of BGP warning message—If a BGP group is created without any defined peers, the warning message no longer appears when the configuration is committed.

[Routing Protocols]

■ Increase in limit to external paths accepted for BGP route target filtering—You can now specify for BGP to accept up to 256 external paths for route target filtering. Previously, the maximum number that you could configure was 16. The default value remains one (1). To specify the maximum number of external paths for BGP to accept for route target filtering, include the external-paths number statement at the [edit protocols bgp family route-target] hierarchy level. This statement is also supported for BGP groups and neighbors.

[Routing Protocols]

■ Support for having the algorithm that determines the single best path evaluate AS numbers in AS paths for VPN routes—By default, the third step of the algorithm that determines the active route evaluates the length of the AS path but not the contents of the AS path. In some VPN scenarios with BGP multiple path routes, it can also be useful to compare the AS numbers of the AS paths and to have the algorithm select the route whose AS numbers match. Include the as-path-compare statement at the [edit routing-instances routing-instance-name routing-options multipath] hierarchy level.

[Routing Protocols]


Services Applications

■ Option to view APPID counters—Use the option under show services application-identification counter to view the APPID counters for the specified interface.

[System Basics and Services Command Reference]

■ Session offloading on Multiservices PICs—To enable session offloading on a per-PIC basis for Multiservices PICs, include the session-offload statement at the [edit chassis fpc] hierarchy level.

[System Basics]

■ Option to clear the “do not fragment” bit—To clear the “do not fragment” bit for IPsec with dynamic endpoints, include the clear-dont-fragment-bit statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level.

[Services Interfaces]

■ Option to clear tunnel MTU—To clear the tunnel MTU, include the tunnel-mtu statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level.

[Services Interfaces]

■ M120 router performance with IDP—For M120 routers, the performance number is 4500 connections per second when IDP is enabled.

[Services Interfaces]

■ Enhancement to the output of the show services accounting commands—The output for the show services accounting usage, show services accounting status, show services accounting memory, and show services accounting errors operational mode commands has been updated to include new fields for use in querying service PICs.

[System Basics and Services Command Reference]

■ Default idle timeout value for UDP- and TCP-based applications—Upon identification by AppID, the default idle timeout value is set to 30 seconds for UDP-based applications and 1 hour for TCP-based applications. These settings can be overridden by including the idle timeout statement at the [edit services application-identification application application] hierarchy level.

[Services Interfaces]

■ New statement to bypass traffic on exceeding flow limit—If the flow in the service-set crosses the maximum limit set by the max-flow statement, the bypass-traffic-on-exceeding-flow-limits statement allows the packets to bypass without creating a new session. The following privilege levels are required:

■ interface – To view the statement in the configuration

■ interface-control – To add the statement to the configuration

[Services Interfaces]

■ Diffie-Hellman group5 added to group1 and group2—The group5 designation specifies that IKE should use the 1536-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange. To configure the Diffie-Hellman group for an IKE proposal, include the dh-group statement at the [edit services ipsec-vpn ike proposal proposal-name] hierarchy level:

[edit services ipsec-vpn ike proposal proposal-name]
dh-group (group1 | group2 | group5);

[Services Interfaces]

■ Permanent Limitation for session-timeout on APPID—If session-timeout is configured for an APPID application, a session for that application will be cleared once the session-timeout expires. Once the same session is re-created as a new session, it will not be identified by APPID.

[Services Interfaces]

■ Integrated multi-services gateway (IMSG)—The clear services border-signaling-gateway gateway-name statistics command no longer clears the active calls counter.

[System Basics and Services Command Reference]

■ New configuration statements for assigning policies—The following configuration statements at the [edit services border-signaling-gateway gateway-name service-point service-point-name service-policies] hierarchy level have been deprecated and replaced by new statements:

■ new-call-usage-policies [policy-and-policy-set-names]

■ new-transaction-policies [policy-and-policy-set-names]

Each statement applied policies to calls or transactions entering at the service point. Each is replaced by statements that explicitly apply policies to transactions or policies entering the service point or exiting from the service point. The new statements are:

■ new-call-usage-input-policies [policy-and-policy-set-names]

■ new-call-usage-output-policies [policy-and-policy-set-names]

■ new-transaction-input-policies [policy-and-policy-set-names]

■ new-transaction-output-policies [policy-and-policy-set-names]

[Services Interfaces, System Basics and Services Command Reference]

■ Requirement for client-to-server and server-to-client signatures—For certain applications that have signatures for both client-to-server and server-to-client directions, APPID (DAA) needs to see the data packets in both directions on the same session to finish the identification process. For example, for SIP proxy calls, the server may not send the response on the same session (different destination port) and that session will not be identified as application junos:sip.

[Services Interfaces]


Subscriber Access Management

■ Enabling and disabling DHCP snooping support—You can now explicitly enable or disable DHCP snooping support on the router. If you disable DHCP snooping support, the router drops snooped DHCP discover and request messages.

To enable DHCP snooping support, include the allow-snooped-clients statement at the [edit forwarding-options dhcp-relay overrides] hierarchy level. To disable DHCP snooping support, include the no-allow-snooped-clients statement at the [edit forwarding-options dhcp-relay overrides] hierarchy level. Both statements are also supported at the named group level and per-interface level.

In JUNOS Release 10.0 and earlier, DHCP snooping is enabled by default. In release 10.1 and later, DHCP snooping is disabled by default.

[Subscriber Access]

■ RADIUS interim accounting—When subscriber management receives the RADIUS Acct-Interim-Interval attribute (attribute 85), RADIUS interim accounting is performed based on the value in the attribute. The router uses the following guidelines:

■ Attribute value is within the acceptable range (10 to 1440 minutes)—Accounting is updated at the specified interval.

■ Attribute value of 0—No RADIUS accounting is performed.

■ Attribute value is less than the minimum acceptable value (10 minutes)—Accounting is updated at the minimum interval.

■ Attribute value is greater than the maximum acceptable value (1440 minutes)—Accounting is updated at the maximum interval.

In previous releases, a RADIUS attribute set to zero (0) prevented subscribers from connecting.

[Subscriber Access]

User Interface and Configuration

■ Restriction on the usage of the annotate command in the configuration hierarchy—The JUNOS Software supports annotation of the configuration using the annotate command up to the last level in the configuration hierarchy. However, annotation of the configuration options or statements within the last level in the hierarchy is not supported. For example, in the following sample configuration hierarchy, annotation is supported up to the level 1 parent hierarchy, but is not supported for the metric child statement:

[edit protocols]
isis {
    interface ge-0/0/0.0 {
        level 1 metric 10;
    }
}

[CLI User Guide]

■ Support for accounting is restricted to events and operations on a master Routing Engine—Starting with JUNOS Release 9.3, accounting for backup Routing Engine events or operations is not supported on accounting servers such as TACACS+ or RADIUS. Accounting is only supported for events or operations on a master Routing Engine.

[CLI User Guide]

■ Options added to the show arp command—The vpn and logical-system options have been added to the show arp command.

[System Basics Command Reference]

■ Change in range of the saved-core-files configuration statement—The range of the saved-core-files configuration statement at the [edit system] hierarchy level has been revised from 1 through 64, to 1 through 10.

[System Basics Configuration Guide]

VPNs

■ Mirroring IRB packets as Layer 2 packets (MX Series router)—If you associate an IRB with the bridge domain (or VPLS routing instance), and also configure within the bridge domain (or VPLS routing instance) a forwarding table filter with the port-mirror or port-mirror-instance action, then the IRB packet is mirrored as a Layer 2 packet. You can disable this behavior by configuring the no-irb-layer-2-copy statement in the bridge domain (or VPLS routing instance).

[MX Series Layer 2 Configuration]

■ Layer 2 circuits, call admission control (CAC), and bypass LSPs—You can now configure CAC on Layer 2 circuit-based LSPs with bandwidth constraints and also enable link and node protection. However, if the primary LSP fails, CAC might not be applied to the bypass LSP, meaning that the bypass LSP might not meet the bandwidth constraint for the Layer 2 circuit. To minimize the risk of losing traffic, the Layer 2 circuit continues to use the non-CAC bypass LSP while an attempt is made to establish a new Layer 2 circuit route over an LSP that does support CAC. Previously, the Layer 2 circuit route was deleted if the bypass LSP did not have sufficient bandwidth.

[VPNs]

■ Service VLANs and the use of vlan-id all statement in a VPLS routing instance—If you configure the vlan-id all statement in a VPLS routing instance, we recommend using the input-vlan-map pop and output-vlan-map push statements on the logical interface to pop the service VLAN ID on input and push the service VLAN ID on output and in this way limit the impact of doubly-tagged frames on scaling.

[MX Series Layer 2 Configuration]

■ Layer 2.5 VPNs support ISO family and MPLS family over TCC (MX Series routers)—JUNOS Release 8.3 introduced support for M320 and T Series routers. JUNOS Release 10.1 extends support to MX Series routers.

Interfaces supporting TCC (Ethernet, extended VLANs, PPP, HDLC, ATM, and Frame Relay) support ISO traffic and MPLS traffic on Layer 2.5 VPNs. Previously, Layer 2.5 VPNs configured on MX Series routers supported only inet traffic. For a protocol to be supported on a Layer 2.5 VPN, you must configure both ends of the VPN with the protocol configuration. IPv6 is not supported.

To enable ISO or MPLS traffic over TCC, include the mpls or iso statement at the [edit interfaces interface-name unit logical-unit-number family tcc protocol] hierarchy level. To display which protocol is supported for an interface, issue the show interfaces interface-name extensive operational mode command. The protocol is displayed in the Flags field.

To enable ISO over TCC in cases in which the Ethernet interface is on a customer-edge (CE) router, include the point-to-point statement at the [edit protocols isis interface interface-name] hierarchy level on the CE router. When you include this statement, the IS-IS protocol treats the Ethernet interface as point to point, even though the actual interface is a LAN interface.

The M Series routing platforms continue to support only inet traffic for Layer 2.5 VPNs.

[Network Interfaces, Translational Cross-Connect and Layer 2.5 VPNs Feature Guide, VPNs]

Related Topics

■ New Features in JUNOS Release 10.1 for M Series, MX Series, and T Series Routers on page 6

■ Issues in JUNOS Release 10.1 for M Series, MX Series, and T Series Routers on page 52

■ Errata and Changes in Documentation for JUNOS Software Release 10.1 for M Series, MX Series, and T Series Routers on page 69

■ Upgrade and Downgrade Instructions for JUNOS Release 10.1 for M Series, MX Series, and T Series Routers on page 71

Issues in JUNOS Release 10.1 for M Series, MX Series, and T Series Routers

The current software release is Release 10.1R1. For information about obtaining the software packages, see “Upgrade and Downgrade Instructions for JUNOS Release 10.1 for M Series, MX Series, and T Series Routers” on page 71.

■ Current Software Release on page 53

■ Previous Releases on page 64

Current Software Release

Outstanding Issues in JUNOS Release 10.1 for M Series, MX Series, and T Series Routers

Class of Service

■ If you try to configure a scheduler map containing two forwarding classes that are mapped to the same queue, the class-of-service scheduler is not applied to the Packet Forwarding Engine. As a workaround, configure a single forwarding class for each available queue. [PR/57907]

■ On MX Series routers with Enhanced DPCs, bandwidth sharing between two schedulers, one with high and the other with strict-high priority, might not be as expected when the schedulers are oversubscribed. That is, only one queue can use all of the excess bandwidth. This issue occurs when the schedulers are configured on logical interfaces. [PR/265603]

■ There is no auto-complete for the show class-of-service scheduler-map command. [PR/469572]

■ There is no auto-complete for the show class-of-service traffic-control-profile command. [PR/469574]

Forwarding and Sampling

■ A JUNOS Software compiler bug in the match combination optimization could cause an incorrect firewall filter evaluation. [PR/493356]

High Availability

■ A problem occurs during graceful Routing Engine switchover (GRES) when a static route pointing to a private interface such as fxp0 is created using the passive retain option. It is recommended to not use the passive option along with the static route on the private interface. [PR/412746]

■ When an ISSU upgrade is performed to or from JUNOS Releases 9.6R3 or 10.0R2, the logical interface and logical interface sets that have traffic control profiles configured on them will be affected. [PR/491834]

Interfaces and Chassis

■ On aggregated SONET/SDH interfaces, the counter for drops and errors in the show interfaces command output does not display the correct value, because the counter does not collect data from the constituent interfaces within the aggregate interface. [PR/23577]

■ On a 2-port OC12 ATM2 IQ interface, the total virtual path (VP) downtime might not display correctly in the show interfaces command output. [PR/27128]

■ On M20 and M40 routers, when a physical layer problem affects a SONET/SDH interface, carrier transition statistics might not increment correctly in the output of the show interfaces extensive command. [PR/33325]

■ When you configure both the bundle link and constituent links at the [edit (logical-routers logical-router-name | logical-systems logical-system-name) interfaces] hierarchy level, the constituent links do not come up. As a workaround, configure the constituent links at the [edit interfaces] hierarchy level. [PR/35578]

■ When you apply an IPsec firewall filter to match traffic sent across a generic routing encapsulation (GRE) tunnel and originating from the local routing platform, the local traffic is dropped. Transient traffic is not affected. [PR/44871]

■ If you configure IS-IS, MPLS, and graceful Routing Engine switchover (GRES) and a switchover event occurs, the routing platform might end the PPP IP Control Protocol (IPCP) sessions and renegotiate them if the remote side has changed interface MTU settings prior to the switchover event. [PR/61121]

■ If you configure graceful Routing Engine switchover (GRES) and issue the request chassis routing-engine master acquire command, in rare cases the master Routing Engine might fail to relinquish control, or the switchover to the backup Routing Engine might take up to 360 seconds. [PR/61821]

■ For Automatic Protection Switching (APS) on SONET/SDH interfaces, there are no operational mode commands that display the presence of APS mode mismatches. An APS mode mismatch occurs when one side is configured to use bidirectional mode, and the other side is configured to use unidirectional mode. [PR/65800]

■ The output of the show interfaces diagnostics optics command includes the "Laser rx power low alarm" field even if the transceiver is a type (such as XENPAK) that does not support this alarm. [PR/103444]

■ On the M120 router, hot swapping the fan tray might cause the Check CB alarm to activate. [PR/268735]

■ On the JCS1200 platform, when you issue the clear -config -T switch[1] command using the management module, the switch module returns to its factory default setting instead of the Juniper Networks default setting. As a workaround, do not issue the command. [PR/274399]

■ On the Juniper Control System (JCS) platform, the control and management traffic for all Routing Engines shares the same physical link on the same switch module. In rare cases, the physical link might become oversubscribed, causing the management connection to Protected System Domains (PSDs) to be dropped. [PR/293126]

■ On a Protected System Domain (PSD) configured with a large number of BGP peers and routes (for example, 5000 peers and 1,000,000 routes), FPCs might restart during a graceful Routing Engine switchover (GRES). [PR/295464]

■ When two routers are connected via SONET/SDH interfaces that are configured as container interfaces and the Routing Engine on one router reboots, the container interfaces on the other router might go down and come up again. [PR/302757]

■ When forwarding-options is configured without route-accounting, commit goes through with the message, "Could not retrieve the route-accounting." However, no functionality is affected. [PR/312933]

■ Buffered MAC learning notifications (that have not yet been processed) can cause new MACs to be learned even after traffic is stopped and a clear bridge mac-table command is issued, when software and hardware MAC tables are not in sync. This problem should not occur if the MAC tables in the software and hardware are in sync when the clear command is issued.

The clear command can be issued after the software has learned all the MAC entries that are present in the hardware MAC table. [PR/463411]

■ Under line-rate performance, a few packet drops may occur on the PIC on ingress and egress directions. This is due to clock differences between PIC and the far-end interface. If the far-end interface clock runs slower than the PIC clock, there will be zero drops on the PIC. However, if the far-end interface clock is faster, there will be a few packet drops in the PIC under line-rate conditions. This issue is specific to the 10-port 10-Gigabit Oversubscribed Ethernet (OSE) PICs. [PR/463815]

■ The bridge-domain MAC learn limit on the Packet Forwarding Engine can sometimes become negative if the bridge domain is deleted and added immediately as part of a configuration change. If that happens, the MAC learning on that bridge domain can be affected. As a workaround, deactivate and activate the bridge domain or VPLS routing instance configuration. [PR/467549]

■ While PPPoE subscribers are connected to an interface over a dynamic PPPoE VLAN, the JUNOS Software allows you to set the interface to disable and commit the change. This action results in the loss of all subscriber connections. Use care when disabling interfaces. [PR/475111]

■ In some cases during the periodic error status monitoring, error messages such as “Wi seg ucode discards in fabric stream” may be displayed on adjacent streams. These messages are cosmetic and can be ignored. [PR/481344]

■ The 10-port 10-Gigabit Oversubscribed Ethernet (OSE) PICs may not generate “pause” frames even when line-rate traffic is sent to its ports. [PR/482142]

■ When services PICs (SP) are bundled using Redundancy Services PIC (RSP) interface hot-standby and if the RSP interface is configured to run on hot-standby mode and if multiple graceful Routing Engine switchovers (GRES) are executed, then the Routing Engine (RE) running as the backup might crash producing a core file. [PR/492127]

■ The ingress filter match does not work when one of the terms in the filter has forwarding-class as a match and discard as an action. This is because the forwarding class match feature for ingress filters attached at the interface unit level is not supported. Behavior aggregate (BA) classification occurs at the unit family level in the packet processing order. [PR/492677]

■ The configured TTL set for GRE traffic is set properly for locally generated Routing Engine packets, but is not set properly for transit packets. There is no workaround. [PR/502087]

■ In JUNOS Release 10.1, if the Neo MPCs power up while the A-DPCs are offline, and if ISSU is performed, the MPCs will crash. [PR/502837]

■ Under certain circumstances, the E3 IQ PIC might report bogus CCV, CES and CSES alarms. [PR/505921]

Layer 2 Ethernet Services

■ On MX960 routers, i2c messages related to the fan such as the following are displayed:

Jan 26 13:32:22 rocky-re0 /kernel: PCF8584(WR): target ack failure on byte 0
Jan 26 13:32:22 rocky-re0 /kernel: PCF8584(WR): (i2c_s1=0x08, group=0xe, device=0x54)

This is a cosmetic issue and has no impact on the router. [PR/500824]

MPLS Applications

■ The rt column in the output of the show mpls lsp command and the active route counter in the output of the show mpls lsp extensive command are incorrect when the per-packet load balancing is configured. [PR/22376]

■ If a circuit cross-connect label-switched path (CCC LSP) traverses a forwarding adjacency LSP, traffic forwarding might be affected. [PR/60088]

■ When you enable per-packet load balancing on parallel label-switched paths (LSPs), the output of the show mpls lsp ingress command might display all the routes on only one of the LSPs even when traffic is evenly balanced across the LSPs. [PR/70487]

■ For point-to-multipoint label-switched paths configured for VPLS, the ping mpls command reports a 100 percent packet loss even though the VPLS connection is active. [PR/287990]

■ A rare condition between the MVPN and RSVP P2MP signaling leads to the creation of stale flood next hops. [PR/491586]

■ When a l2circuit uses static LSP as the tunnel between the PEs, and traffic is switched to the ingress bypass LSP, the statistics for both primary LSP and bypass LSP should be updated. But the status are now updated only for the primary LSP. As a workaround, use the set protocols mpls traffic-engineering mpls-forwarding command to update the statistics for both primary and bypass LSP. [PR/495002]

■ An incorrectly changed LDP session authentication key causes the LDP session to fail, which results in the LDP/IGP synchronization feature not working. The IGP continues to advertise the link at normal metric values. [PR/499226]

Platform and Infrastructure

■ On T Series routers, a Layer 2 maximum transmission unit (MTU) check is not supported for MPLS packets exiting the routing platform. [PR/46238]

■ When you configure a source class usage (SCU) name with an integer (for example, 100) and use this source class as a firewall filter match condition, the class identifier might be misinterpreted as an integer, which might cause the filter to disregard the match. [PR/50247]

■ If you configure 11 or more logical interfaces in a single VPLS instance, VPLS statistics might not be reported correctly. [PR/65496]

■ When a large number of kernel system log messages are generated, the log information might become garbled and the severity level could change. This behavior has no operational impact. [PR/71427]

■ In the situation where a Link Services (LS) interface to a CE router appears in the VPN routing and forwarding table (VRF table) and a fragmentation is required, Internet Control Message Protocol (ICMP) cannot be forwarded out of the LS interface from a remote PE router that is in the VRF table. As a workaround, include the vrf-table-label statement at the [edit routing-instances routing-instance-name] hierarchy level. [PR/75361]

■ Traceroute does not work when ICMP tunneling is configured. [PR/94310]

■ If you ping a nonexistent IPv6 address that belongs to the same subnet as an existing point-to-point link, the packet loops between the two point-to-point interfaces until the time-to-live expires. [PR/94954]

■ On T Series and M320 routers, multicast traffic with the "do not fragment" bit is being dropped due to configuring a low MTU value. The router might stop forwarding all traffic transiting this interface if the clear pim join command is executed. [PR/95272]

■ A firewall filter that matches the forwarding class of incoming packets (that is, includes the forwarding-class statement at the [edit firewall filter filter-name term term-name from] hierarchy level) might incorrectly discard traffic destined for the Routing Engine. Transit traffic is handled correctly. [PR/97722]

■ The JUNOS Software does not support dynamic ARP resolution on Ethernet interfaces that are designated for port mirroring. This causes the Packet Forwarding Engine to drop mirrored packets. As a workaround, configure the next-hop address as a static ARP entry by including the arp ip-address statement at the [edit interfaces interface-name] hierarchy level. [PR/237107]

■ When Periodic Packet Management (PPM) delegation for Bidirectional Forwarding Detection (BFD) sessions is disabled (the delegate-processing statement is removed at the [edit routing-options ppm] hierarchy level), the BFD sessions might be terminated (because a "state is down" message is sent) and reestablished. [PR/280233]

■ When you perform an in-service software upgrade (ISSU) on a routing platform with an FPC3 or an Enhanced FPC3 with 256 MB of memory and the number of routes in the routing table exceeds 750,000, route loss might occur. If route loss occurs, as a workaround, perform either of the following tasks:

■ Replace the FPC3 or Enhanced FPC3 with another FPC that has more memory, or

■ After the ISSU is complete, reboot only the FPC3 or Enhanced FPC3.

[PR/282146]

■ For Routing Engines rated at 850 MHz (which appear as RE-850 in the output of the show chassis hardware command), messages like the following might be written to the system log when you insert a PC Card: “bad Vcc request” and “Device does not support APM.” Despite the messages, operations that involve the PC card work properly. [PR/293301]

■ On a Protected System Domain, an FPC might generate a core file and stop operating under the following conditions:

■ A firewall policer with a large number of counters (for example, 20,000) is applied to a shared uplink interface, and

■ The FPC that houses the interface does not have a sufficiently powerful CPU.

As a workaround, reduce the number of counters or install a more powerful FPC. [PR/311906]

■ When a CFEB failover occurs on an M10i or M7i router that has had 4000 or more IFLs, the following message appears:

IFRT: 'IFD ioctl' (opcode 10) failed
ifd 153; does not exist
IFRT: 'IFD Ether autonegotiation config' (opcode 163) failed

The message has no operational impact. When the backup CFEB becomes the active CFEB, the message will not display. [PR/400774]

■ In order to install JUNOS 10.0 or later, you must be running JUNOS 9.0S2, 9.1S1, 9.2R4, 9.3R3, 9.4R3, 9.5R1, 9.6B1 or later minor versions. [PR/436019]

■ When certain FPCs (T1600-FPC4-ES, T640-FPC4-1P-ES, T640-FPC1-ES, T640-FPC2-ES, and T640-FPC3-ES) receive corrupted cells via high-speed links, they might unnecessarily reboot and report the following system log error message: "Unrecoverable Error: Flist gtop bit toggled !." No reset is needed to recover from this condition. [PR/441844]

■ In some cases, the alarms displayed in FPM and the alarms shown using the show chassis alarms sfc 0 command mismatch. [PR/445895]

■ The SFC management interface em0 is often displayed as fxp0 in several warning messages. [PR/454074]

■ The VPN label does not get pushed on the label stack for Routing Engine–generated traffic with l3vpn-composite-next-hop activated. As a workaround, configure per-packet load balancing to push the VPN/tunnel labels correctly. [PR/472707]

■ An invalid IP protocol version is served as a valid version. The JUNOS router forwards IP packets with version field set to values other than 4 and 6, for example, 11 or any (unassigned). [PR/481071]

■ The output of the show arp command does not display the entire demux interface identifier, making it impossible to determine which specific demux sub-interface a given ARP entry is associated with. [PR/482008]

■ During a Routing Engine reboot when processes are being shut down, a rare race condition can lead to a Routing Engine kernel crash. [PR/488484]

■ Swapping out eight FPC cards and replacing them with a different FPC type causes the kernel to crash when the last FPC is powered on. [PR/502075]

Routing Protocols

■ When you configure damping globally and use the import policy to prevent damping for specific routes, and a new route is received from a peer with the local interface address as the next hop, the route is added to the routing table with default damping parameters, even though the import policy has a non-default setting. As a result, damping settings do not change appropriately when the route attributes change. [PR/51975]

■ When you issue the show ldp traffic-statistics command, the following system log message might be generated for all forwarding equivalence classes (FECs) with an ingress counter set to zero: "send rnhstats GET: error: ENOENT — Item not found." [PR/67647]

■ If ICMP tunneling is enabled on the router and you configure a new logical system that does not have ICMP tunneling enabled, the feature is globally disabled. [PR/81884]

■ When the flow of multicast traffic changes because an OSPFv3 link goes down, the output from the show multicast statistics inet6 command reports incorrect values in the In kbytes and In packets fields for the new ingress interface. [PR/234969]

■ When you commit a new configuration for nonstop active routing (NSR) on a primary Routing Engine that differs from the configuration for NSR that is already running on the backup Routing Engine, the routing protocol process stops functioning on the backup Routing Engine only. Traffic forwarding is not affected. [PR/254379]

■ The keepalive timeout counter for multicast sessions may not display after you deactivate and activate the pim protocol. This is a cosmetic issue and there is no interruption to the multicast traffic flow. [PR/419509]

■ The routing protocol process dumps core due to a soft assertion failed: "rt_notbest_sanity: Path selection failure" in rt_table.c. As a workaround, use the bgp path-selection external-router-id statement or the bgp path-selection always-compare-med statement. [PR/451021]

■ When a PIC with a PIM-enabled interface is brought online, the router may send the first PIM hello slightly before the interface comes up. This causes the router to drop the first PIM hello message towards its neighbor. [PR/482903]

■ During transient periods where both a secondary and primary LSP exist in a routing table, and the number of LSP NHs is greater than 16 in a multigateway scenario, IS-IS may remove the preferred LSP NH. For example, IS-IS could remove an HIPRI LSP. [PR/485748]

■ On MX Series routers, the routing protocol process may crash after an IPv6 routing loop is detected. [PR/490447]

Services Applications

■ The show services accounting flow-detail extensive command sometimes displays incorrect information about input and output interfaces. [PR/40446]

■ When a routing platform is configured for graceful Routing Engine switchover (GRES) and Adaptive Services (AS) PIC redundancy, and a switchover to the backup Routing Engine occurs, the redundant services interface (rsp-) always activates the primary services interface (sp-), even if the secondary interface was active before the switchover. [PR/59070]

■ For Adaptive Services II PICs, even if you do not configure flow collector services, a temporary file might be created every 15 minutes in the /var/log/flowc/ directory. The file is deleted if there are no clients, and re-created only when a client connects and attempts to write to the file. [PR/75515]

■ When the Border Signaling Gateway (BSG) configuration contains a policy that has a term with regular expressions, configuration changes might not take effect immediately after the commit process is complete. In most cases, the new policy takes effect immediately. However, complex policies may take longer to take effect depending on how many regular expressions they contain.

For example, if you have a term with four regular expressions, configuration changes do not take effect until 50 seconds after you receive the message that the commit process is complete. This behavior occurs whether you have a list of regular expressions (for example, regular-expression [sip:88824.* sip:88821.* sip:88822.sip:88823.*]), or you group regular expressions using the | symbol (for example, "sip:88821.*|sip:88822.*|sip:88823.*|sip:88824.*").

The time taken for the software to apply the configuration changes increases exponentially with the number of regular expressions in your configuration. [PR/448474]

■ The error message "appid_init_shm: Appid shmem could not be created or already exists. Errno:17" displays during the switchover process even though the graceful Routing Engine switchover (GRES) completes successfully. [PR/457143]

■ On M Series routers (M120 and M320) with many service sets configured with IDP policies, kernel messages are seen in the messages file once traffic passes through these service sets. These messages stop when the traffic is stopped. [PR/462580]

■ Under some failure scenarios, a switchover of the active BSG from a master to a backup MS-PIC/MS-DPC may take more than two seconds. [PR/467837]

■ The clear services stateful-firewall flows command can cause the MS-DPC to fail. This command should be avoided. There is no workaround. [PR/472386]

■ A performance-related issue may occur when the IDP plug-in is enabled. The connection per second for HTTP (64 bytes) with AACL, AI, and IDP (with Recommended Attacks group) plug-ins has been downgraded to 7.6K through 7.9K per second. [PR/476162]

■ A static route pointing to a destination is incorrectly added for a source NAT when a next-hop type service set is used. [PR/476165]

■ When a standard application is specified under the [edit security idp idp-policy policy-name rulebase-ips rule rule-name match application] hierarchy level, the IDP does not detect the attack on the non-standard port (for example, junos:ftp on port 85). [PR/477748]

■ AACL/LLPDF/LPDF do not handle APPID's "best-effort" application determination. [PR/486930]

■ The SIP ALG on the services PIC may cause NAT port leaks in some call scenarios. [PR/491220]

■ In the export version of the JUNOS Software, the signature download does not work for AppID and IDP features in the Dynamic Application Awareness (DAA) suite. In order to resolve this, install the Crypto software suite. [PR/499395]

Subscriber Access Management

■ The revert-interval value configured in the [edit access profile] hierarchy level is ignored. [PR/454040]

■ For a dynamic PPPoE interface in which the subscriber is assigned to a non-default routing-instance (via the LSRI-Name or redirect-LSRI-Name RADIUS VSAs), the IP address assigned to the subscriber must be specified via the framed-ip-address RADIUS attribute. An IP address can not be allocated from a local pool defined in the assigned routing-instance, either when RADIUS returns no address attributes or when the RADIUS framed-pool attribute is returned. [PR/471677]

■ The DHCP clients may not get bound after a filter action under a firewall filter context is deactivated and deleted. [PR/488627]

■ On an MX Series router configured for PPP subscriber access, configuring a large number of PPP subscribers on a single MPC may result in a long boot time for the MPC. Distributing subscribers over multiple MPCs will improve boot times. [PR/490987]

■ Upon a graceful Routing Engine switchover (GRES), forwarding may temporarily stop for PPP sessions under scaling conditions. During this time, the access-internal routes for the subscribers are temporarily not present but are subsequently restored, at which point forwarding resumes. [PR/492022]

■ The destination and destination-profile options for address and unnumbered-address within the family inet and inet6 are allowed to be specified within a dynamic profile, but are not supported. [PR/493279]

■ On an MX Series router configured for PPP subscriber access, subscribers will experience slow login times as the number of subscriber sessions increases. [PR/502756]

User Interface and Configuration

■ Deletion of configuration groups cannot be prevented with the allow-configuration and deny-configuration statements. [PR/59187]

■ Performance is considerably slower for users who have permissions controlled by Juniper-Allow-Commands and/or Juniper-Deny-Commands expressions and have complex regular expressions configured under these same commands. To help avoid this problem, define the expressions in the allow-configuration and deny-configuration commands in a restrictive manner. [PR/63248]

■ On M20 routers, after a Routing Engine mastership switchover, it might not be possible to enter CLI configuration mode on the new master Routing Engine. Also, the request system reboot and request system halt commands do not clearly fail but do not return the CLI prompt either. [PR/64899]

■ The JUNOScript perl module for NETCONF does not support configuration-text. [PR/82004]

■ The logical system administrator can modify and delete master administrator-only configurations by performing local operations such as issuing the load override, load replace, and load update commands. [PR/238991]

■ The “replace:” tag is missing from the output of the save terminal command from inside a configuration object.

Example:

edit system
save terminal
system {
    host-name blue;
}

[PR/269736]

■ The user can still commit an invalid configuration successfully, even when DDL checks exist. [PR/282896]

■ Users who have superuser privileges will sometimes have their access restricted to view permission only when they log in through TACACS. [PR/388053]

■ The wildcard apply groups do not work properly in JUNOS Release 9.1 and above. [PR/425355]

■ On M Series, MX Series, and T Series routers, the user cannot differentiate between active and inactive configurations for system identity, management access, user management, and date and time pages. [PR/433353]

■ Selecting the monitor port for any port in the Chassis Viewer page displays the common Port Monitoring page instead of the corresponding Monitoring page of the selected port. [PR/446890]

■ In J-Web, the associated DSCP and DSCPv6 for a logical interface might not be mapped properly while editing the classifiers of a logical interface. This might also affect the delete functionality. [PR/455670]

■ J-Web does not display the USB option under Maintain>Reboot>Reboot from the media. [PR/464774]

■ On MX Series routers, J-Web does not display the USB related information under Monitor>SystemView>System Information>Storage. [PR/465147]

■ In the J-Web interface, the options Access Concentrator, Idle Timeout, and Service Name for PPPoE logical interfaces are not supported on MX Series routers. [PR/493451]

■ Commit fails when the commit scripts are used and the configuration contains a policy which uses an apply-group with a then action of 'then community + export.' [PR/501876]

■ The load replace command does not consider the allow-configuration configuration. [PR/501992]

VPNs

■ When you modify the frame-relay-tcc statement at the [edit interfaces interface-name unit logical-unit-number] hierarchy level of a Layer 2 VPN, the connection for the second logical interface might not come up. As a workaround, restart the chassis process (chassisd) or reboot the router. [PR/32763]

■ Traffic might not flow when an ATM interface is used as the access circuit on an M120 router. [PR/255160]

■ For a VRF instance configured for PIM, MVPN, and provider tunnels (the pim and mvpn statements are included at the [edit routing-instances vpn-name protocols] hierarchy level and the provider-tunnel statement is included at the [edit routing-instances vpn-name] hierarchy level), when PIM is deactivated and reactivated, it fails to install type-5 (source-active) routes in the instance-name.mvpn.0 routing table. This issue arises only when remote c-multicast joins are configured on the ingress PE router (as displayed by the show mvpn c-multicast command). [PR/306983]

■ When you configure inter-AS VPLS with MAC processing at the autonomous system (AS) boundary router along with multihoming, and if a designated forwarding AS boundary router fails and then comes back up again, traffic flowing to the local AS from the other AS’s boundary router might be lost. The loss occurs in the time period (tenths of a second) during which the old designated forwarding AS boundary router is taking back the role of designated forwarder. [PR/312730]

■ On a router configured for nonstop active routing (NSR) (the nonstop-routing statement is included at the [edit routing-options] hierarchy level), if a nonstop active routing switchover occurs after the configuration for routing instances changes in certain ways, the BGP sessions between PE and CE routers might not be established after the switchover. [PR/399275]

■ On MX Series, M120, and new EIII FPCs on M320 routers, the ISO/Connectionless Network Service (CLNS) packets over the translational cross-connect (TCC) are dropped in the case of Frame Relay, even though the family TCC has been configured to switch family iso on the Frame Relay interface. [PR/462052]

■ When different prefixes are advertised to the same source by different PE routers, an egress PE router is prevented from picking the lower prefix route for RPF when the PR advertising the higher prefix loses its route to the source. [PR/493835]

■ In vlan-tagging, stacked-vlan-tagging, and flexible-vlan-tagging modes, untagged packets or mismatching Tag Protocol ID (TPID) packets may be dropped. These dropped packets are not accounted for and are not visible in the CLI. This issue is specific to the 10-port 10-Gigabit Oversubscribed Ethernet (OSE) PICs. [PR/496190]

Previous Releases

Release 10.0R2

The following issues have been resolved since JUNOS Release 10.0R2. The identifierfollowing the description is the tracking number in our bug database.

Class of Service

■ The structure of inter-component data traffic is changed for the MX Series XDPC. This change increases the inter-component traffic rate and causes performance problems typically at 10x1G XDPC. Each component has enough headroom to handle increased traffic. However, actual performance is restricted to meet optimal performance. This problem occurs because this performance restriction value is not increased after increasing the inter-component data rate. [PR/469135: This issue has been resolved.]

Forwarding and Sampling

■ Using the IPv4 template to collect NetFlow version 9 statistics on the ingress L3VPN PE devices may result in the BGP IP next-hop address not being included in the report. [PR/467403: This issue has been resolved.]

■ Some ranges of burst sizes may result in unexpected packet drops when the traffic rates are close to the policing rate. Increase the burst size to resolve this problem. [PR/478659: This issue has been resolved.]

Interfaces and Chassis

■ Under certain circumstances, after a GRES switchover, the new master Routing Engine sends an invalid LACP frame. As a result, the aggregated interface fails. [PR/314855: This issue has been resolved.]

■ When the show interfaces extensive command is used, some interfaces may not display the correct value for the Oversized Frames counter. [PR/437176: This issue has been resolved.]

■ When configured for WAN-PHY framing, the ports on the 4-port 10-Gigabit Ethernet PIC (SAUZA) always report zero for path-level errors (BIP-B3) in the output of the show interfaces extensive command.

After the fix, the BIP-B3 counter increments when path-level errors occur. However, this counter is an approximation and not an accurate accounting of the path-level errors that actually occur on the link. [PR/447653: This issue has been resolved.]

■ On an MX960 router, when more than eight Dense Port Concentrators (DPCs) (including unconfigured DPCs) are loaded, the output of the show interface extensive command can be very slow if the source class usage/destination class usage (SCU/DCU) is configured for some units. [PR/449034: This issue has been resolved.]


■ Interrupts that occur from links (non-zero) that are not configured or enabled in the PIC due to a hardware issue in the DFPGA cause the syslog to overload and eventually cause the FPC to core. [PR/455877: This issue has been resolved.]

■ The master Routing Engine fails to establish a connection with the backup Routing Engine due to an autonegotiation issue with the em1 interface. [PR/461469: This issue has been resolved.]

■ For AnnexB, the force command may not work as expected when loss of signal is present. This is because the previous command does not complete for both the protect and the working circuit, and priority comparison does not consider the signal fail condition. [PR/465906: This issue has been resolved.]

■ Both the working and protect circuit are stuck in the “disabled” state when the TX cable is unplugged and RX cable is plugged for protect circuit after an Automatic Protection Switching (APS) switchover. [PR/466649: This issue has been resolved.]

■ When an untagged aggregated Ethernet interface is configured with LACP and GE IQ2 PICs as the child interface, the input packet count might be constantly decremented to zero when no data packets arrive on the interface. The decrease in packet count is equal to the incoming LACP packet count. [PR/471177: This issue has been resolved.]

■ With a default configuration, when a Tri-Rate copper small form-factor pluggable transceiver (SFP) installed in a DPCE-R-20GE-2XGE board is replaced with an SFP-LX/SFP-SX, the link stays down. Activate and deactivate the SFP to restore the link. [PR/473127: This issue has been resolved.]

■ On JUNOS Trio chipset platforms, the forwarding table filter (FTF) is not supported for family VPLS. [PR/476611: This issue has been resolved.]

■ On a 4x CHOC3 SONET CE SFP PIC and 12x T1/E1 CE PIC, if a T1 or E1 interface is deleted and re-created, the t1 or e1 interface that is connected to the 4x CHOC3 SONET CE SFP PIC or 12x T1/E1 CE PIC will observe framing error and traffic halts.

As a workaround, after the T1 or E1 interface is deleted and re-created on the 4x CHOC3 SONET CE SFP PIC or 12x T1/E1 CE PIC, deactivate and activate the e1 interface encapsulation. The deactivate/activate will make the framing errors disappear. [PR/482491: This issue has been resolved.]

■ The show aps group group-name commands do not work for container group names. [PR/483440: This issue has been resolved.]

■ Under certain conditions, when aggregate interfaces are used, and the member links are located on more than one FPC, multicast traffic will not use one or more of the aggregate child links. This can happen after an FPC reboot.

If the aggregate member links are located on the same FPC, this problem is not triggered. To recover from this condition, deactivate and activate the aggregate interface. [PR/484007: This issue has been resolved.]

■ Traffic may be sent out on a child link of an aggregated Ethernet (AE) bundle even when it is not in the Collecting-Distributing Link Aggregation Control Protocol (LACP) state if and only if the following conditions are met:

■ The remote end configured one link to be primary and the other to be backup.


■ On the System Under Test (SUT), a unit of the AE bundle is disabled then subsequently enabled.

As a workaround, deactivate and activate the child link that is not in the Collecting-Distributing LACP state. [PR/487786: This issue has been resolved.]

■ With GRES configured, a container interface (CI) configuration can trigger a kernel core on the backup Routing Engine. [PR/488679: This issue has been resolved.]

■ Container interfaces with ATM children with OAM may not initiate sending of OAM cells after Automatic Protection Switching (APS) switchovers. [PR/489250: This issue has been resolved.]

■ Commit fails with IEEE 802.1p config when applied to container interfaces. [PR/489400: This issue has been resolved.]

■ Kernel panic may occur if the child ATM interfaces are removed or disabled under the container. [PR/490196: This issue has been resolved.]

■ The CI logical interface state may go out of sync when OAM is configured and the logical interface flaps due to OAM. [PR/491866: This issue has been resolved.]

■ The chassis cell relay mode might not be set properly for CI interfaces. [PR/492197: This issue has been resolved.]

Layer 2 Ethernet Services

■ In a combo DPC, the physical link stays up when an interface with the SFP-T is disabled. However, port 0 of the combo DPC is not impacted by this issue. [PR/477848: This issue has been resolved.]

MPLS Applications

■ Constrained Shortest Path First (CSPF) fails to calculate a P2MP point-to-multipoint LSP reroute path that is merging with a user configuration change. [PR/454692: This issue has been resolved.]

■ When a large number (more than 100) of NGEN-MVPN P2MP LSPs based on an LSP template are active, the routing protocol process might crash if the LSP template is deleted and added back. [PR/477376: This issue has been resolved.]

Network Management

■ A problem with the IPv6 n2m add routine causes the mib2d to fail at the vlogging_event. [PR/472453: This issue has been resolved.]

■ The SNMP MIB walk on jnxFWCounterDisplayName may miss certain policer counters of firewall filters applied with respect to logical interfaces (subinterfaces). [PR/485477: This issue has been resolved.]


Platform and Infrastructure

■ Under some circumstances, the interface process (physical interface) may interfere with the operation of an LSI interface. [PR/102431: This issue has been resolved.]

■ When certain FPCs (T1600-FPC4-ES, T640-FPC4-1P-ES, T640-FPC1-ES, T640-FPC2-ES, and T640-FPC3-ES) receive corrupted cells via high-speed links, they might unnecessarily reboot and report the following system log error message: "Unrecoverable Error: Flist gtop bit toggled !." No reset is needed to recover from this condition. [PR/441844: This issue has been resolved.]

■ On M Series routers, if you disable and enable IPv6 on an interface, routing on that interface will no longer work. [PR/459781: This issue has been resolved.]

■ An FPC may stop forwarding traffic when an aggregate interface flaps and the router uses per-prefix load balancing (default configuration) for some prefixes. A more likely scenario under which this issue can occur is when an aggregate interface is configured with just a single link (that flaps), and per-prefix load balancing is used.

As a workaround, use a load-balancing per-packet policy for all prefixes (per-flow load balancing) and/or do not have aggregate interfaces flap. [PR/477326: This issue has been resolved.]

■ With JUNOS Release 9.3 or later, configuring policer or SCU/DCU on interfaces belonging to FPC-ES may cause memory corruption, leading to either traffic loss or FPC to restart unexpectedly. [PR/481185: This issue has been resolved.]

Routing Protocols

■ The BGP strip confederation logic does not include the number of memory segments to check, resulting in it running on random data and causing the routing protocol process (RPD) to core. [PR/465624: This issue has been resolved.]

■ When nonstop routing is configured on the router, the routing protocol process may restart with a core dump. [PR/472701: This issue has been resolved.]

■ When the routing protocol process (rpd) fails after an rpd restart, the daemon may be unable to install new LSI logical interfaces. The following error is returned: ENOMEM. [PR/473774: This issue has been resolved.]

■ During an ISSU upgrade, the BGP session might flap due to differences in the negotiation of keepalive messages between versions. [PR/476285: This issue has been resolved.]

■ After a mastership switchover, incorrect BFD packets may be sent out due to stale information within the ppmd. This may result in the BFD sessions flapping repeatedly. [PR/478447: This issue has been resolved.]

■ Under certain circumstances, the Juniper Networks PIM implementation might send (S,G,rpt) prune message towards the RP too early after receiving the (S,G,rpt) prune message from a downstream router. [PR/478589: This issue has been resolved.]


■ The routing protocol process (RPD) CPU usage may be high if both BGP multipath and family inet-mvpn are configured under BGP. [PR/479574: This issue has been resolved.]

■ If multipath is enabled between two AS boundary routers running InterAS Option B, and there are multiple external neighbors advertising a VPN prefix on provider edge (PE) routers, when the routing protocol process (RPD) generates new routes, BGP will generate a different label from the VPN prefix that was previously advertised to the peers that are part of the AS. [PR/479754: This issue has been resolved.]

■ The MVPN c-multicast traffic is duplicated onto the LAN segment as the interface mismatch is not processed within the PIM. Interface mismatch is needed to trigger an assert to prevent traffic duplication. As a workaround, configure PIM under the main instance. [PR/481467: This issue has been resolved.]

■ The routing protocol process fails and generates a core file because of malformed BGP update generated by the JUNOS Software. This failure may be due to the total and the path attribute length. [PR/489891: This issue has been resolved.]

Services Applications

■ The service DPCs may crash during conversation timeout cleanup for the DCE-RPC. [PR/475436: This issue has been resolved.]

■ When a malformed RTSP packet not conforming to an RTSP RFC syntax is processed by the RTSP Application Layer Gateway (ALG) within the Service PIC (or Service DPC), the PIC might fail and generate a core file. [PR/476321: This issue has been resolved.]

■ Via header translation may be incorrectly performed by the SIP ALG when it contains only an IP address and no port. [PR/482998: This issue has been resolved.]

■ The SIP ALG does not translate the route header properly, which leads to the SIP calls being dropped after 20 seconds. [PR/483014: This issue has been resolved.]

■ The SIP parser may drop 200 “OK for REGISTER” messages if the contact has multiple entries. [PR/483030: This issue has been resolved.]

User Interface and Configuration

■ When the get-configuration or load-configuration commands are run using JUNOScript, these events are not recorded in the system log. [PR/64544: This issue has been resolved.]

VPNs

■ On an MX960 router, the VPLS instance may not learn the remote CE MAC address when the clear vpls mac-address command is used. [PR/476020: This issue has been resolved.]

■ P2MP point-to-multipoint LSP cannot be recovered when the P router (which is also configured as the BGP reflector) goes down. [PR/481441: This issue has been resolved.]


■ In an MLAN scenario where two PEs are connected to the multicast receiver, when the PE acting as the designated router (DR) has a link failure on the MLAN, the backup PE which becomes the DR is unable to forward traffic. [PR/490153: This issue has been resolved.]

Related Topics

■ New Features in JUNOS Release 10.1 for M Series, MX Series, and T Series Routers

■ Changes in Default Behavior and Syntax in JUNOS Release 10.1 for M Series, MX Series, and T Series Routers

■ Errata and Changes in Documentation for JUNOS Software Release 10.1 for M Series, MX Series, and T Series Routers

■ Upgrade and Downgrade Instructions for JUNOS Release 10.1 for M Series, MX Series, and T Series Routers

Errata and Changes in Documentation for JUNOS Software Release 10.1 for M Series, MX Series, and T Series Routers

Changes to the JUNOS Documentation Set

The title of the JUNOS Hierarchy and RFC Reference is now JUNOS Hierarchy and Standards Reference.

Documentation for the extended DHCP relay agent feature is no longer included in the Policy Framework Configuration Guide. For DHCP relay agent documentation, see the Subscriber Access Configuration Guide or the documentation for subscriber access management.

The new JUNOS Technical Documentation index page (http://www.juniper.net/techpubs/software/junos/index.html) consolidates documentation for JUNOS Software features that are common to all platforms that run JUNOS Software. The new index page provides direct access to core JUNOS information and links to information for JUNOS features that run on particular platforms.

Errata

This section lists outstanding issues with the documentation.


High Availability

■ TX Matrix Plus routers and T1600 routers that are configured as part of a routing matrix do not currently support nonstop active routing. [High Availability]

Integrated Multi-Services Gateway (IMSG)

■ Chapter 15, Maintenance and Failover in the IMSG, describes the IMSG high availability feature. This feature is not supported in this release of the software.

[Multiplay Solutions]

Subscriber Access Management

The Subscriber Access Configuration Guide contains the following dynamic variable errors:

■ The Configuring a Dynamic Profile for Client Access topic erroneously uses the $junos-underlying-interface variable when an IGMP interface is configured in the client access dynamic profile. The following example provides the appropriate use of the $junos-interface-name variable:

[edit dynamic-profiles access-profile]
user@host# set protocols igmp interface $junos-interface-name

■ Table 25 in the Dynamic Variables Overview topic neglects to define the $junos-igmp-version predefined dynamic variable. This variable is defined as follows:

$junos-igmp-version—IGMP version configured in a client access profile. The JUNOS Software obtains this information from the RADIUS server when a subscriber accesses the router. The version is applied to the accessing subscriber when the profile is instantiated. You specify this variable at the [dynamic-profiles profile-name protocols igmp] hierarchy level for the interface statement.

In addition, the Subscriber Access Configuration Guide erroneously specifies the use of a colon (:) when you configure the dynamic profile to define the IGMP version for client interfaces. The following example provides the appropriate syntax for setting the IGMP interface to obtain the IGMP version from RADIUS:

[edit dynamic-profiles access-profile protocols igmp interface $junos-interface-name]
user@host# set version $junos-igmp-version

■ The Subscriber Access Configuration Guide and the System Basics Configuration Guide contain information about the override-nas-information statement. This statement does not appear in the CLI and is not supported.

[Subscriber Access, System Basics]

■ When you modify dynamic CoS parameters with a RADIUS change of authorization (CoA) message, the JUNOS Software accepts invalid configurations. For example, if you specify a transmit rate that exceeds the allowed 100 percent, the system does not reject the configuration and returns unexpected shaping behavior.


[Subscriber Access]

■ We do not support multicast RIF mapping and ANCP when configured simultaneously on the same logical interface. For example, the combination is not supported when a multicast VLAN and ANCP are configured on the same logical interface, and the subscriber VLANs are the same for both ANCP and multicast.

[Subscriber Access]

■ The Guidelines for Configuring Dynamic CoS for Subscriber Access topic in the Subscriber Access Configuration Guide erroneously states that dynamic CoS is supported for dynamic VLANs on the Trio MPC/MIC family of products. In the current release, dynamic CoS is supported only on static VLANs on Trio MPC/MIC interfaces.

[Subscriber Access]

■ The Subscriber Access Configuration Guide incorrectly describes the authentication-order statement as it is used for subscriber access management. When configuring the authentication-order statement for subscriber access management, you must always specify the radius method. Subscriber access management does not support the password keyword (the default), and authentication fails when you do not specify an authentication method.

[Subscriber Access]

User Interface and Configuration

■ The show system statistics bridge command displays system statistics on MX Series routers. [System Basics Command Reference]

Related Topics

■ New Features in JUNOS Release 10.1 for M Series, MX Series, and T Series Routers

■ Changes in Default Behavior and Syntax in JUNOS Release 10.1 for M Series, MX Series, and T Series Routers

■ Issues in JUNOS Release 10.1 for M Series, MX Series, and T Series Routers

■ Upgrade and Downgrade Instructions for JUNOS Release 10.1 for M Series, MX Series, and T Series Routers

Upgrade and Downgrade Instructions for JUNOS Release 10.1 for M Series, MX Series, and T Series Routers

This section discusses the following topics:

■ Basic Procedure for Upgrading to Release 10.1

■ Upgrading a Router with Redundant Routing Engines

■ Upgrading Juniper Routers Running Draft-Rosen Multicast VPN to JUNOS Release 10.1

■ Upgrading the Software for a Routing Matrix


■ Upgrading Using ISSU

■ Upgrading from JUNOS Release 9.2 or Earlier on a Router Enabled for Both PIM and NSR

■ Downgrade from Release 10.1

Basic Procedure for Upgrading to Release 10.1

In order to upgrade to JUNOS 10.0 or later, you must be running JUNOS 9.0S2, 9.1S1, 9.2R4, 9.3R3, 9.4R3, 9.5R1, or later minor versions, or you must specify the no-validate option on the request system software install command.

When upgrading or downgrading the JUNOS Software, always use the jinstall package. Use other packages (such as the jbundle package) only when so instructed by a Juniper Networks support representative. For information about the contents of the jinstall package and details of the installation process, see the JUNOS Software Installation and Upgrade Guide.

NOTE: You cannot upgrade by more than three releases at a time. For example, if your routing platform is running JUNOS Release 9.4 you can upgrade to JUNOS Release 10.0 but not to JUNOS Release 10.1. As a workaround, first upgrade to JUNOS Release 10.0 and then upgrade to JUNOS Release 10.1.
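The two rules above (the minimum builds for a validated upgrade to 10.0 or later, and the three-release limit) can be checked before a maintenance window. The following is an added example, not part of the release notes or Juniper's tooling. Assumptions: the function names are hypothetical, Release 9.6 is added to the release order from general knowledge, and an R build is not ordered against an S minimum.

```python
import re

# Release order. 9.0-9.5, 10.0 and 10.1 are named in the notes; 9.6 is an
# assumption added so that the sequence is complete.
TRAIN = ["9.0", "9.1", "9.2", "9.3", "9.4", "9.5", "9.6", "10.0", "10.1"]
MAX_HOP = 3  # "You cannot upgrade by more than three releases at a time."

# Minimum builds the notes list for a validated upgrade to 10.0 or later.
MIN_BUILD = {"9.0": ("S", 2), "9.1": ("S", 1), "9.2": ("R", 4),
             "9.3": ("R", 3), "9.4": ("R", 3), "9.5": ("R", 1)}

_VERSION = re.compile(r"^(\d+\.\d+)([RS])(\d+)(?:\.\d+)?$")


def parse_version(text):
    """Split '9.4R3.5' into ('9.4', 'R', 3); the trailing build is ignored."""
    match = _VERSION.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised JUNOS version: {text!r}")
    train, kind, number = match.group(1), match.group(2), int(match.group(3))
    if train not in TRAIN:
        raise ValueError(f"release {train} is outside the table")
    return train, kind, number


def plan_hops(current, target):
    """Return the releases to install, in order, with no hop above MAX_HOP."""
    here, goal = TRAIN.index(current), TRAIN.index(target)
    if goal < here:
        raise ValueError("target is older than the running release")
    hops = []
    while here < goal:
        here = min(here + MAX_HOP, goal)
        hops.append(TRAIN[here])
    return hops


def validation_status(version):
    """Classify a running build against the minimums for reaching 10.0+.

    'validate'    - the build meets the listed minimum (or is a later release)
    'no-validate' - the notes require the no-validate option
    'unknown'     - R and S builds are not ordered against each other here
    """
    train, kind, number = parse_version(version)
    if train not in MIN_BUILD:
        return "validate"  # assumption: releases after 9.5 count as "later"
    min_kind, min_number = MIN_BUILD[train]
    if kind != min_kind:
        return "unknown"
    return "validate" if number >= min_number else "no-validate"


def pre_upgrade_report(running, target):
    """Combine both rules for the first installation step."""
    train, _, _ = parse_version(running)
    hops = plan_hops(train, target)
    to_10x = bool(hops) and TRAIN.index(hops[0]) >= TRAIN.index("10.0")
    status = validation_status(running) if to_10x else "not covered by these notes"
    return {"hops": hops, "first_hop_install": status}


if __name__ == "__main__":
    # Constructed inputs, not taken from a real router.
    for running in ("9.4R2.9", "9.4R3.5", "9.0S2"):
        print(running, pre_upgrade_report(running, "10.1"))
```
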

NOTE: With JUNOS Release 9.0 and later, the compact flash disk memory requirement for JUNOS Software is 1 GB. For M7i and M10i routers with only 256 MB memory, see the Customer Support Center JTAC Technical Bulletin PSN-2007-10-001 at https://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2007-10-001&actionBtn=Search.

NOTE: Before upgrading, back up the file system and the currently active JUNOS configuration so that you can recover to a known, stable environment in case the upgrade is unsuccessful. Issue the following command:

user@host> request system snapshot

The installation process rebuilds the file system and completely reinstalls the JUNOS Software. Configuration information from the previous software installation is retained, but the contents of log files might be erased. Stored files on the routing platform, such as configuration templates and shell scripts (the only exceptions are the juniper.conf and ssh files) may be removed. To preserve the stored files, copy them to another system before upgrading or downgrading the routing platform. For more information, see the JUNOS System Basics Configuration Guide.


The download and installation process for JUNOS Release 10.1 is the same as for previous JUNOS releases.

If you are not familiar with the download and installation process, follow these steps:

1. Using a Web browser, follow the links to the download URL on the Juniper Networks Web page. Choose either Canada and U.S. Version or Worldwide Version:

■ https://www.juniper.net/support/csc/swdist-domestic/ (customers in the United States and Canada)

■ https://www.juniper.net/support/csc/swdist-ww/ (all other customers)

2. Log in to the Juniper Networks authentication system using the username (generally your e-mail address) and password supplied by Juniper Networks representatives.

3. Download the software to a local host.

4. Copy the software to the routing platform or to your internal software distribution site.

5. Install the new jinstall package on the routing platform.

NOTE: We recommend that you upgrade all software packages out of band using the console because in-band connections are lost during the upgrade process.

Customers in the United States and Canada use the following command:

user@host> request system software add validate reboot source/jinstall-10.1R1.8-domestic-signed.tgz

All other customers use the following command:

user@host> request system software add validate reboot source/jinstall-10.1R1.8-export-signed.tgz

Replace source with one of the following values:

■ /pathname—For a software package that is installed from a local directory on the router.

■ For software packages that are downloaded and installed from a remote location:

■ ftp://hostname/pathname

■ http://hostname/pathname

■ scp://hostname/pathname (available only for Canada and U.S. version)

The validate option validates the software package against the current configuration as a prerequisite to adding the software package to ensure that the router reboots successfully. This is the default behavior when the software package being added is a different release.


Adding the reboot command reboots the router after the upgrade is validated and installed. When the reboot is complete, the router displays the login prompt. The loading process can take 5 to 10 minutes.

Rebooting occurs only if the upgrade is successful.

NOTE: After you install a JUNOS 10.1 Release jinstall package, you cannot issue the request system software rollback command to return to the previously installed software. Instead you must issue the request system software add validate command and specify the jinstall package that corresponds to the previously installed software.

NOTE: Before you upgrade a router that you are using for voice traffic, you should monitor call traffic on each virtual BGF. Confirm that no emergency calls are active. When you have determined that no emergency calls are active, you can wait for nonemergency call traffic to drain as a result of graceful shutdown, or you can force a shutdown. For detailed information on how to monitor call traffic before upgrading, see the JUNOS Multiplay Solutions Guide.

Upgrading a Router with Redundant Routing Engines

If the router has two Routing Engines, perform a JUNOS Software installation on each Routing Engine separately to avoid disrupting network operation as follows:

1. Disable graceful Routing Engine switchover (GRES) on the master Routing Engine and save the configuration change to both Routing Engines.

2. Install the new JUNOS Software release on the backup Routing Engine while keeping the currently running software version on the master Routing Engine.

3. After making sure that the new software version is running correctly on the backup Routing Engine, switch over to the backup Routing Engine to activate the new software.

4. Install the new software on the original master Routing Engine that is now active as the backup Routing Engine.

For the detailed procedure, see the JUNOS Software Installation and Upgrade Guide.

Upgrading Juniper Routers Running Draft-Rosen Multicast VPN to JUNOS Release 10.1

In releases prior to JUNOS Release 10.1, the draft-rosen multicast VPN feature implements the unicast lo0.x address configured within that instance as the source address used to establish PIM neighbors and create the multicast tunnel. In this mode, the multicast VPN loopback address is used for reverse path forwarding (RPF) route resolution to create the reverse path tree (RPT), or multicast tunnel. The multicast VPN loopback address is also used as the source address in outgoing PIM control messages.


In JUNOS Release 10.1 and later, you can use the router’s main instance loopback (lo0.0) address (rather than the multicast VPN loopback address) to establish the PIM state for the multicast VPN. We strongly recommend that you perform the following procedure when upgrading to JUNOS Release 10.1 if your draft-rosen multicast VPN network includes both Juniper Networks routers and other vendors’ routers functioning as provider edge (PE) routers. Doing so preserves multicast VPN connectivity throughout the upgrade process.

Because JUNOS Release 10.1 supports using the router’s main instance loopback (lo0.0) address, it is no longer necessary for the multicast VPN loopback address to match the main instance loopback address lo0.0 to maintain interoperability.

NOTE: You might want to maintain a multicast VPN instance lo0.x address to use for protocol peering (such as IBGP sessions), or as a stable router identifier, or to support the PIM bootstrap server function within the VPN instance.

Complete the following steps when upgrading routers in your draft-rosen multicast VPN network to JUNOS Release 10.1 if you want to configure the router’s main instance loopback address for draft-rosen multicast VPN:

1. Upgrade all PE routers to JUNOS Release 10.1 before you configure the loopback address for draft-rosen Multicast VPN.

NOTE: Do not configure the new feature until all the PE routers in the network have been upgraded to JUNOS Release 10.1.

2. After you have upgraded all routers, configure each router’s main instance loopback address as the source address for multicast interfaces. Include the default-vpn-source interface-name loopback-interface-name statement at the [edit protocols pim] hierarchy level.

3. After you have configured the router’s main loopback address on each PE router, delete the multicast VPN loopback address (lo0.x) from all routers.

We also recommend that you remove the multicast VPN loopback address from all PE routers from other vendors. In JUNOS releases prior to 10.1, to ensure interoperability with other vendors’ routers in a draft-rosen multicast VPN network, you had to perform additional configuration. Remove that configuration from both the Juniper Networks routers and the other vendors’ routers. This configuration should be on Juniper Networks routers and on the other vendors’ routers where you configured the lo0.mvpn address in each VRF instance as the same address as the main loopback (lo0.0) address.

This configuration is not required when you upgrade to JUNOS Release 10.1 and use the main loopback address as the source address for multicast interfaces.

NOTE: To maintain a loopback address for a specific instance, configure a loopback address value that does not match the main instance address (lo0.0).


For more information about configuring the draft-rosen Multicast VPN feature, see the JUNOS Multicast Configuration Guide.

Upgrading the Software for a Routing Matrix

A routing matrix can use either a TX Matrix router as the switch-card chassis (SCC) or a TX Matrix Plus router as the switch-fabric chassis (SFC). By default, when you upgrade software for a TX Matrix router or a TX Matrix Plus router, the new image is loaded onto the TX Matrix or TX Matrix Plus router (specified in the JUNOS CLI by using the scc or sfc option) and distributed to all T640 routers or T1600 routers in the routing matrix (specified in the JUNOS CLI by using the lcc option). To avoid network disruption during the upgrade, ensure the following conditions before beginning the upgrade process:

■ A minimum of free disk space and DRAM on each Routing Engine. The software upgrade will fail on any Routing Engine without the required amount of free disk space and DRAM. To determine the amount of disk space currently available on all Routing Engines of the routing matrix, use the CLI show system storage command. To determine the amount of DRAM currently available on all the Routing Engines in the routing matrix, use the CLI show chassis routing-engine command.

■ The master Routing Engines of the TX Matrix or TX Matrix Plus router (SCC or SFC) and T640 routers or T1600 routers (LCC) are all re0 or are all re1.

■ The backup Routing Engines of the TX Matrix or TX Matrix Plus router (SCC or SFC) and T640 routers or T1600 routers (LCC) are all re1 or are all re0.

■ All master Routing Engines in all routers run the same version of software. This is necessary for the routing matrix to operate.

■ All master and backup Routing Engines run the same version of software before beginning the upgrade procedure. Different versions of the JUNOS Software can have incompatible message formats especially if you turn on GRES. Because the steps in the process include changing mastership, running the same version of software is recommended.

■ For a routing matrix with a TX Matrix router, the same Routing Engine model is used within a TX Matrix router (SCC) and within a T640 router (LCC) of a routing matrix. For example, a routing matrix with an SCC using two RE-A-2000s and an LCC using two RE-1600s is supported. However, an SCC or an LCC with two different Routing Engine models is not supported. We suggest that all Routing Engines be the same model throughout all routers in the routing matrix. To determine the Routing Engine type, use the CLI show chassis hardware | match routing command.

■ For a routing matrix with a TX Matrix Plus router, the SFC contains two model RE-DUO-C2600-16G Routing Engines, and each LCC contains two model RE-DUO-C1800-8G Routing Engines.

NOTE: It is considered best practice to make sure that all master Routing Engines are re0 and all backup Routing Engines are re1 (or vice versa). For the purposes of this document, the master Routing Engine is re0 and the backup Routing Engine is re1.


To upgrade the software for a routing matrix, perform the following steps:

1. Disable graceful Routing Engine switchover (GRES) on the master Routing Engine (re0) and save the configuration change to both Routing Engines.

2. Install the new JUNOS Software release on the backup Routing Engine (re1) while keeping the currently running software version on the master Routing Engine (re0).

3. Load the new JUNOS Software on the backup Routing Engine. After making sure that the new software version is running correctly on the backup Routing Engine (re1), switch mastership back to the original master Routing Engine (re0) to activate the new software.

4. Install the new software on the new backup Routing Engine (re0).

For the detailed procedure, see the Routing Matrix with a TX Matrix Feature Guide or the Routing Matrix with a TX Matrix Plus Feature Guide.

Upgrading Using ISSU

Unified in-service software upgrade (ISSU) enables you to upgrade between two different JUNOS Software releases with no disruption on the control plane and with minimal disruption of traffic. Unified in-service software upgrade is only supported by dual Routing Engine platforms. In addition, graceful Routing Engine switchover (GRES) and nonstop active routing (NSR) must be enabled. For additional information about using unified in-service software upgrade, see the JUNOS High Availability Configuration Guide.

Upgrading from JUNOS Release 9.2 or Earlier on a Router Enabled for Both PIM and NSR

JUNOS Release 9.3 introduced NSR support for PIM for IPv4 traffic. However, the following PIM features are not currently supported with NSR. The commit operation fails if the configuration includes both NSR and one or more of these features:

■ Anycast RP

■ Draft-Rosen multicast VPNs (MVPNs)

■ Local RP

■ Next-generation MVPNs with PIM provider tunnels

■ PIM join load balancing

JUNOS 9.3 Release introduced a new configuration statement that disables NSR for PIM only, so that you can activate incompatible PIM features and continue to use NSR for the other protocols on the router: the nonstop-routing disable statement at the [edit protocols pim] hierarchy level. (Note that this statement disables NSR for all PIM features, not only incompatible features.)

If neither NSR nor PIM is enabled on the router to be upgraded or if one of the unsupported PIM features is enabled but NSR is not enabled, no additional steps are necessary and you can use the standard upgrade procedure described in other sections of these instructions. If NSR is enabled and no NSR-incompatible PIM features are enabled, use the standard reboot or ISSU procedures described in the other sections of these instructions.

Because the nonstop-routing disable statement was not available in JUNOS Release 9.2 and earlier, if both NSR and an incompatible PIM feature are enabled on a router to be upgraded from JUNOS Release 9.2 or earlier to a later release, you must disable PIM before the upgrade and reenable it after the router is running the upgraded JUNOS Software and you have entered the nonstop-routing disable statement. If your router is running JUNOS Release 9.3 or later, you can upgrade to a later release without disabling NSR or PIM; simply use the standard reboot or ISSU procedures described in the other sections of these instructions.

To disable and reenable PIM:

1. On the router running JUNOS Release 9.2 or earlier, enter configuration mode and disable PIM:

    [edit]
    user@host# deactivate protocols pim
    user@host# commit

2. Upgrade to JUNOS Release 9.3 or later software using the instructions appropriate for the router type. You can either use the standard procedure with reboot or use ISSU.

3. After the router reboots and is running the upgraded JUNOS Software, enter configuration mode, disable PIM NSR with the nonstop-routing disable statement, and then reenable PIM:

    [edit]
    user@host# set protocols pim nonstop-routing disable
    user@host# activate protocols pim
    user@host# commit

Downgrade from Release 10.1

To downgrade from Release 10.1 to another supported release, follow the procedure for upgrading, but replace the 10.1 jinstall package with one that corresponds to the appropriate release.

NOTE: You cannot downgrade more than three releases. For example, if your routing platform is running JUNOS Release 9.3, you can downgrade the software to Release 9.0 directly, but not to Release 8.5 or earlier; as a workaround, you can first downgrade to Release 9.0 and then downgrade to Release 8.5.

For more information, see the JUNOS Software Installation and Upgrade Guide.


Related Topics

■ New Features in JUNOS Release 10.1 for M Series, MX Series, and T Series Routers

■ Changes in Default Behavior and Syntax in JUNOS Release 10.1 for M Series, MX Series, and T Series Routers

■ Issues in JUNOS Release 10.1 for M Series, MX Series, and T Series Routers

■ Errata and Changes in Documentation for JUNOS Software Release 10.1 for M Series, MX Series, and T Series Routers


JUNOS Software Release Notes for Juniper Networks SRX Series Services Gateways and J Series Services Routers

Powered by JUNOS Software, Juniper Networks SRX Series Services Gateways provide robust networking and security services. SRX Series Services Gateways range from lower-end devices designed to secure small distributed enterprise locations to high-end devices designed to secure enterprise infrastructure, data centers, and server farms. The SRX Series Services Gateways include the SRX100, SRX210, SRX240, SRX650, SRX3400, SRX3600, SRX5600, and SRX5800 devices.

Juniper Networks J Series Services Routers running JUNOS Software provide stable, reliable, and efficient IP routing, WAN and LAN connectivity, and management services for small to medium-sized enterprise networks. These routers also provide network security features, including a stateful firewall with access control policies and screens to protect against attacks and intrusions, and IPsec VPNs. The J Series Services Routers include the J2320, J2350, J4350, and J6350 devices.

■ New Features in JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers

■ Changes In Default Behavior and Syntax in JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers

■ Known Limitations in JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers

■ Issues in JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers

■ Errata and Changes in Documentation for JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers

■ Hardware Requirements for JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers

■ Dual-Root Partitioning Scheme Documentation for SRX Series Services Gateways

■ Using Dual Chassis Cluster Control Links: Upgrade Instructions for the Second Routing Engine

■ Upgrade and Downgrade Instructions for JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers

New Features in JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers

The following features have been added to JUNOS Release 10.1. Following the description is the title of the manual or manuals to consult for further information.

■ Software Features

■ Hardware Features


Software Features

Application Layer Gateways (ALGs)

■ DNS ALG—This feature is supported on SRX3400, SRX3600, SRX5600, and SRX5800 devices in addition to existing support on SRX100, SRX210, SRX240, and SRX650. JUNOS Software for SRX Series devices provides Domain Name System (DNS) support. The DNS ALG monitors DNS query and reply packets and closes the session if the DNS flag indicates that the packet is a reply message. To configure the DNS ALG, use the edit security alg dns statement at the [edit security alg] hierarchy level.

[JUNOS Software Security Configuration Guide]

■ DNS doctoring support—This feature is supported on all SRX Series and J Series devices.

Domain Name System (DNS) ALG functionality has been extended to support static NAT. You should configure static NAT for the DNS server first. Then if the DNS ALG is enabled, public-to-private and private-to-public static address translation can occur for A-records in DNS replies.

The DNS ALG also now includes a maximum-message-length command option with a value range of 512 to 8192 bytes and a default value of 512 bytes. The DNS ALG will now drop traffic if the DNS message length exceeds the configured maximum, if the domain name is more than 255 bytes, or if the label length is more than 63 bytes. The ALG will also decompress domain name compression pointers and retrieve their related full domain names, and check for the existence of compression pointer loops and drop the traffic if one exists.

Note that the DNS ALG can translate the first 32 A-records in a single DNS reply. A-records after the first 32 will not be handled. Also note that the DNS ALG supports only IPv4 addresses and does not support VPN tunnels.

[JUNOS Software Security Configuration Guide]
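The DNS ALG checks described above (maximum message length, the 255-byte name and 63-byte label limits, compression pointer loops, and the 32 A-record translation limit) can be reproduced offline to test what a given message would trigger. The following Python is an added example, not Juniper code: the function names, drop reasons, and sample messages are constructed here, and name length is assumed to be counted in wire format after decompression.

```python
import struct

# Limits taken from the release-note text above.
MAX_LABEL = 63          # drop if a label is longer than 63 bytes
MAX_NAME = 255          # drop if the domain name is longer than 255 bytes
DEFAULT_MAX_MSG = 512   # maximum-message-length default (range 512 to 8192)
A_RECORD_LIMIT = 32     # only the first 32 A-records in a reply are translated


class DropPacket(Exception):
    """A check failed; the exception text is the drop reason."""


def read_name(msg, offset):
    """Decompress the name at offset; return (name, offset after the name field)."""
    labels, wire_len = [], 1       # wire_len starts at 1 for the root byte
    seen, resume = set(), None     # pointer targets followed; caller's resume point
    while True:
        if offset >= len(msg):
            raise DropPacket("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            if offset + 1 >= len(msg):
                raise DropPacket("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[offset + 1]
            if target in seen:     # same target twice in one name: a loop
                raise DropPacket("compression pointer loop")
            seen.add(target)
            if resume is None:
                resume = offset + 2
            offset = target
            continue
        if length > MAX_LABEL:
            raise DropPacket("label longer than 63 bytes")
        if length == 0:            # root label ends the name
            after = resume if resume is not None else offset + 1
            return (".".join(labels) or "."), after
        end = offset + 1 + length
        if end > len(msg):
            raise DropPacket("label runs past end of message")
        wire_len += 1 + length
        if wire_len > MAX_NAME:
            raise DropPacket("domain name longer than 255 bytes")
        labels.append(msg[offset + 1:end].decode("ascii", "replace"))
        offset = end


def inspect_message(msg, max_message_length=DEFAULT_MAX_MSG):
    """Apply the checks to one DNS message and return a verdict dict."""
    if not 512 <= max_message_length <= 8192:
        raise ValueError("maximum-message-length must be 512 to 8192")
    a_records = 0
    try:
        if len(msg) > max_message_length:
            raise DropPacket("message longer than configured maximum")
        if len(msg) < 12:
            raise DropPacket("truncated header")
        _id, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
        offset = 12
        for _ in range(qdcount):
            _qname, offset = read_name(msg, offset)
            offset += 4                               # QTYPE and QCLASS
        for _ in range(ancount):
            _owner, offset = read_name(msg, offset)
            if offset + 10 > len(msg):
                raise DropPacket("truncated resource record")
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
            offset += 10 + rdlen
            if offset > len(msg):
                raise DropPacket("truncated resource record")
            if rtype == 1 and rdlen == 4:             # IPv4 A-record
                a_records += 1
    except DropPacket as exc:
        return {"verdict": "drop", "reason": str(exc), "a_records": 0, "translated": 0}
    return {"verdict": "pass", "reason": None, "a_records": a_records,
            "translated": min(a_records, A_RECORD_LIMIT)}


def wire_name(*labels):
    """Encode labels as an uncompressed wire-format name (test-data helper)."""
    return b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"


def build_reply(qname, answers=1):
    """Constructed reply: one question, then A-records whose owner points at offset 12."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, answers, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    record = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    return header + question + record * answers


if __name__ == "__main__":
    samples = {  # all constructed
        "normal reply": build_reply(wire_name(b"www", b"example", b"com")),
        "pointer loop": build_reply(b"\xc0\x0c"),
        "64-byte label": build_reply(wire_name(b"a" * 64, b"com")),
        "257-byte name": build_reply(wire_name(*[b"a" * 63] * 4)),
        "40 A-records": build_reply(wire_name(b"www", b"example", b"com"), 40),
    }
    for label, message in samples.items():
        print(label, inspect_message(message))
    print("40 A-records, max 1024", inspect_message(samples["40 A-records"], 1024))
```

The 40-record sample is 673 bytes, so it is dropped at the default of 512 and passes only when the maximum is raised, at which point 8 of its A-records fall outside the 32-record translation limit.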

■ MS RPC ALG—This feature is now supported on SRX3400, SRX3600, SRX5600, and SRX5800 devices in addition to existing support on SRX100, SRX210, SRX240, SRX650, and J Series devices.

The Microsoft RPC (MS RPC) provides a way for a program running on one host to call procedures in a program running on another host. Because of the large number of RPC services and the need to broadcast, the transport address of an RPC service is dynamically negotiated based on the service program's Universal Unique IDentifier (UUID). The specific UUID is mapped to a transport address.

JUNOS Software supports MS RPC as a predefined service to allow and deny traffic based on a policy you configure. The MS RPC ALG provides the functionality for all supported devices to handle the dynamic transport address negotiation mechanism of the MS RPC and to ensure UUID-based security policy enforcement. You can define a security policy to permit or deny all RPC requests or to permit or deny by specific UUID number. The ALG also supports route and NAT mode for incoming and outgoing requests.

[JUNOS Software Security Configuration Guide]


■ SQL ALG—This feature is now supported on SRX3400, SRX3600, SRX5600, and SRX5800 devices in addition to existing support on SRX100, SRX210, SRX240, SRX650, and J Series devices.

Enabling the Structured Query Language (SQL) ALG on an SRX Series or J Series device allows SQL*Net traffic in SQL redirect mode to traverse an SRX Series device by creating a TCP pinhole. If the SQL*Net traffic is not in redirect mode, it will not be handled by the SQL ALG and will instead be processed by configured firewall policies. SQL*Net is a proprietary protocol used by Oracle databases for data access and sharing over networks. Note that the SQL ALG only supports IPv4 addresses as of JUNOS Release 10.1.

[JUNOS Software Security Configuration Guide]

■ Sun RPC ALG—This feature is now supported on SRX3400, SRX3600, SRX5600, and SRX5800 line devices in addition to existing support on SRX100, SRX210, SRX240, SRX650, and J Series devices.

Sun Microsystems RPC provides a way for a program running on one host to call procedures in a program running on another host. Because of the large number of RPC services and the need to broadcast, the transport address of an RPC service is dynamically negotiated based on the service's program number and version number. Several binding protocols are defined for mapping the RPC program number and version number to a transport address.

JUNOS Software supports the Sun RPC as a predefined service to allow and deny traffic based on a security policy you configure. The Sun RPC ALG provides the functionality for all supported devices to handle the dynamic transport address negotiation mechanism of the Sun RPC and to ensure program number-based security policy enforcement. You can define a security policy to permit or deny all RPC requests or to permit or deny by specific program number. The ALG also supports route and NAT mode for incoming and outgoing requests.

[JUNOS Software Security Configuration Guide]

Chassis Cluster

■ Interface link aggregation in redundant Ethernet interfaces—This feature is supported on SRX3400, SRX3600, SRX5600, and SRX5800 device chassis clusters.

Link aggregation groups (LAGs) can now be established across nodes in a chassis cluster. In JUNOS Release 10.1, support for LAGs based on IEEE 802.3ad made it possible to aggregate physical interface links on a standalone device. LAGs provide increased interface bandwidth and link availability by linking physical ports and load-balancing traffic crossing the combined interface. In JUNOS Release 10.1, link aggregation has been extended to chassis cluster configuration allowing a redundant Ethernet interface (known as a reth interface in CLI commands) to add multiple child interfaces from both nodes and thereby create a redundant Ethernet interface link aggregation group.

Other than adding more child interfaces (up to a maximum of 16; 8 per node) to a redundant Ethernet interface, no other configuration on an SRX Series device beyond the more general chassis cluster, redundancy group, and redundant Ethernet interface configuration is necessary to use this feature. It is necessary, however, for the switch used to connect the links from both nodes in the cluster to have a LAG link configured and 802.3ad enabled for each redundant Ethernet interface LAG on both nodes so that the aggregate links will be recognized.

Standalone link aggregation group interfaces (ae) are supported on clustered devices but cannot be added to redundant Ethernet interfaces. Likewise any child interface of an existing LAG cannot be added to a redundant Ethernet interface and vice versa. The maximum number of total combined standalone aggregate interfaces (ae) and redundant Ethernet interfaces (reth) per cluster is 128.

Redundant Ethernet interface configuration also includes a minimum-links setting that allows you to set a minimum number of physical child links in a redundant Ethernet interface LAG that must be working on the primary node for the interface to be up. The default minimum-links value is 1. When the number of physical links on the primary node in a redundant Ethernet interface falls below the minimum-links value, the interface will be down even if some links are still working.

Note that management, control, and fabric interfaces do not support standalone LAGs or redundant Ethernet interface LAGs in JUNOS Release 10.1.

[JUNOS Software Security Configuration Guide]

■ Redundancy group IP address monitoring through a secondary interface—This feature is supported on SRX3400, SRX3600, SRX5600 and SRX5800 devices.

In JUNOS Release 10.1, redundancy group IP address monitoring through a redundant Ethernet (reth) interface has been extended to include monitoring of addresses on secondary links as well as on primary links. Redundancy group failover can thus be tied to the health of both any IP addresses that are currently important to traffic reliability and to any IP addresses that will become important to traffic reliability in the event of a failover.

Monitoring can be accomplished only if the IP address is reachable on a redundant Ethernet interface, and IP addresses cannot be monitored over a tunnel. IP address monitoring is not supported on redundant Ethernet interface LAGs or the child interfaces bound to a redundant Ethernet interface LAG. The feature also cannot be used on a cluster running in transparent mode. The maximum number of total monitoring IPs that can be configured per cluster remains 32 for SRX3400 and SRX3600 devices, and 64 for SRX5600 and SRX5800 devices.

[JUNOS Software Security Configuration Guide]


Integrated Convergence Services

■ DSCP marking for RTP packets generated by SRX Series Integrated Convergence Services—This feature is supported on SRX210 and SRX240 devices that have high memory, power over Ethernet capability, and media gateway capability.

Configure DSCP marking to set the desired DSCP bits for RTP packets generated by SRX Series Integrated Convergence Services.

DSCP bits are the 6-bit bitmap in the IP header used by devices to decide the forwarding priority of packet routing. When the DSCP bits of RTP packets generated by Integrated Convergence Services are configured, the downstream device can then classify the RTP packets and direct them to a higher priority queue in order to achieve better voice quality when packet traffic is congested. Juniper Networks devices provide classification, priority queuing, and other kinds of CoS configuration under the Class-of-Service configuration hierarchy.

Note that the Integrated Convergence Services DSCP marking feature marks only RTP packets of calls that it terminates, which include calls to peer call servers and to peer proxy servers that provide SIP trunks. If a call is not terminated by Integrated Convergence Services, then DSCP marking does not apply.

To configure the DSCP marking bitmap for calls terminated by Integrated Convergence Services and the address of the peer call server or peer proxy server to which these calls are routed, use the media-policy statement in the [edit services converged-services] hierarchy level.

    set services convergence-service service-class <name> dscp <bitmap>
    set services convergence-service service-class media-policy <name> term <term-name> from peer-address [<addresses>]
    set services convergence-service service-class media-policy <name> term then service-class <name>

Intrusion Detection and Prevention (IDP)

■ IDP in an active/active chassis cluster—This feature is supported on SRX3400, SRX3600, SRX5600, and SRX5800 devices.

Intrusion Detection and Prevention (IDP) can now monitor traffic on active/active chassis clusters. As in active/passive clusters, sessions already in progress that fail over or fail back are not inspected by IDP in an active/active cluster. New sessions created after a failover will, however, be inspected by IDP. There are no changes to IDP deployment or logging as a result of extending support to active/active high-end device clusters.

IDP also now supports chassis cluster in-service software upgrades (ISSUs), which means that new sessions will continue to be inspected during the ISSU. However, because ISSU requires the nodes to fail over and fail back as the upgrade proceeds, IDP monitoring of any sessions that fail over will cease. It should not be necessary to restart IDP once the ISSU is completed. Note that IDP ISSU support is available on both active/passive and active/active chassis clusters.

[JUNOS Software Security Configuration Guide]

■ IDP application identification enhancement for extended applications with threat prevention support—This feature is supported on SRX3400, SRX3600, SRX5600, and SRX5800 devices.

With the increased use of application protocol encapsulation, the need arises to support the identification of multiple different applications running on the same Layer 7 protocols. In order to do this, the current application identification layer is split into two layers: application and protocol. New extended application signatures have been added to identify these extended applications.

[JUNOS Software Security Configuration Guide]

■ CLI enhancements supported for J-Web—This feature is supported on SRX Series and J Series devices.

Additional functionality has been added to existing IDP J-Web pages for several new CLI commands that perform tasks such as the following: list detailed security download status information, list subscriber policies, add additional IDP packet counters to differentiate a packet drop that is the result of a policy from a legitimate drop or an error drop. There are several more newly added commands.

[JUNOS CLI Reference Guide]

■ SNMP MIB for IDP Monitoring—This feature is now supported on SRX3400, SRX3600, SRX5600, and SRX5800 devices in addition to existing support on SRX100, SRX210, SRX240, and SRX650 devices.

[JUNOS Software Security Configuration Guide]

■ Application-level DDoS logging—This feature is supported on SRX3400, SRX3600, SRX5600, and SRX5800 devices with IDP enabled.

IDP now provides logging for application-level DDoS events. IDP generates three types of application-level DDoS event logs: attack, state transition, and ip-action. These event logs provide visibility into the application-level DDoS state and provide notifications on occurrences of application-level DDoS attacks for each protected application server.

[JUNOS Software Security Configuration Guide, JUNOS Software CLI Reference]

Interfaces and Routing

■ DOCSIS Mini-PIM Interface—Data over Cable Service Interface Specification (DOCSIS) defines the communications and operation support interface requirements for a data-over-cable system. It is used by cable operators to provide Internet access over their existing cable infrastructure for both residential and business customers. DOCSIS 3.0 is the latest Interface standard allowing channel bonding to deliver speeds higher than 100 Mbps throughput in either direction, far surpassing other WAN technologies such as T1/E1, ADSL2+, ISDN, and DS3.

DOCSIS network architecture includes a cable modem on SRX Series Services Gateways with a DOCSIS Mini-Physical Interface Module (Mini-PIM) located at customer premises, and a Cable Modem Termination System (CMTS) located at the head-end or data center locations. Standards-based DOCSIS 3.0 Mini-PIM is interoperable with CMTS equipment. The DOCSIS Mini-PIM provides backward compatibility with CMTS equipment based on the following standards:

■ DOCSIS 2.0

■ DOCSIS 1.1


■ DOCSIS 1.0

The DOCSIS Mini-PIM is supported on the following SRX Series Services Gateways:

■ SRX210

■ SRX240

The DOCSIS Mini-PIM has the following key features:

■ Provides high data transfer rates of over 150 Mbps downstream

■ Supports four downstream and four upstream channel bonding

■ Supports quality of service (QoS)

■ Provides interoperability with any DOCSIS-compliant cable modem termination system (CMTS)

■ Supports IPv6 and IPv4 for modem management interfaces

■ Supports Baseline Privacy Interface Plus (BPI+)

■ Supports Advanced Encryption Standard (AES)

[JUNOS Software Security Configuration Guide]

■ Very-high-bit-rate digital subscriber line (VDSL)—VDSL technology is part of the xDSL family of modem technologies that provide faster data transmission over a single flat untwisted or twisted pair of copper wires.

The VDSL lines connect service provider networks and customer sites to provide high bandwidth applications (Triple Play services) such as high-speed Internet access, telephone services like voice over IP (VoIP), high-definition TV (HDTV), and interactive gaming services over a single connection. VDSL2 is an enhancement to VDSL and permits the transmission of asymmetric and symmetric (full-duplex) aggregate data rates up to 100 Mbps on short copper loops using a bandwidth up to 30 MHz. The VDSL2 technology is based on the ITU-T G.993.2 standard.

The following SRX Series Services Gateways support the VDSL2 Mini-Physical Interface Module (Mini-PIM) (Annex A):

■ SRX210 Services Gateway

■ SRX240 Services Gateway

The VDSL2 Mini-PIM carries the Ethernet backplane. When the Mini-PIM is plugged into the chassis, the Mini-PIM connects to one of the ports of the baseboard switch.

The VDSL2 Mini-PIM supports the following features:

■ ADSL/ADSL2/ADSL2+ backward compatibility with Annex-A, Annex-M support

■ PTM or EFM [802.3ah] support

■ Operation, Administration, and Maintenance (OAM) support for ADSL/ADSL/ADSL2+ ATM mode


■ ATM QoS (supported only when the VDSL2 Mini-PIM is operating in ADSL2 mode)

■ MLPPP (supported only when the VDSL2 Mini-PIM is operating in ADSL2 mode)

■ MTU size of 1500 bytes (maximum)

■ Support for maximum of 10 PVCs (only in ADSL/ADSL2/ADSL2+ mode)

■ Dying gasp support (ADSL and VDSL2 mode)

■ Online insertion and removal (hot swap) for SRX650 GPIMs—Online insertion and removal (OIR) functionality is supported on CPU-based and CPU-less Gigabit-Backplane Physical Interface Modules (GPIMs). You can remove or insert a GPIM without powering off the device. The following GPIMs are supported on SRX650 devices:

■ 24-port Ethernet GPIM (with and without PoE)

■ 16-port Ethernet GPIM (with and without PoE)

■ 2-port and 4-port CT1/E1 GPIM

■ Implement the PPPoE-based radio-to-router protocol—This feature is supported on SRX Series and J Series devices.

JUNOS Release 10.1 supports PPPoE-based radio-to-router protocols. These protocols include messages that define how an external device provides the router with timely information about the quality of a link's connection. There is also a flow control mechanism to indicate how much data the device can forward. The device can then use the information provided in the PPPoE messages to dynamically adjust the interface speed of the PPP links. Use the radio-router statement from the [set interfaces <unit>] hierarchy to indicate that metrics announcements received on the interface will be processed by the device.

■ Class of service (CoS) for devices operating in transparent mode—This feature is supported on SRX3400, SRX3600, SRX5600, and SRX5800 devices.

SRX3400, SRX3600, SRX5600, and SRX5800 devices operating in Layer 2 transparent mode support the following CoS functions:

■ IEEE 802.1p behavior aggregate (BA) classifiers to determine the forwarding treatment for packets entering the device

Note that only IEEE 802.1p BA classifier types are supported on devices operating in transparent mode.

■ Rewrite rules to redefine IEEE 802.1 CoS values in outgoing packets

Note that rewrite rules that redefine IP precedence CoS values and Differentiated Services Code Point (DSCP) CoS values are not supported on devices operating in transparent mode.

■ Shapers to apply rate limiting to an interface

■ Schedulers that define the properties of an output queue

You configure BA classifiers and rewrite rules on transparent mode devices in the same way as on devices operating in Layer 3 mode. For transparent mode devices, however, you apply BA classifiers and rewrite rules only to logical interfaces configured with the family bridge configuration statement.

You configure shapers and schedulers on transparent mode devices in the same way as on devices operating in Layer 3 mode.

[JUNOS Software Interfaces and Routing Configuration Guide]

■ Layer 2 Q-in-Q tunneling—This feature is supported on SRX210, SRX240, SRX650, and J Series devices.

Q-in-Q tunneling, defined by the IEEE 802.1ad standard, allows service providers on Ethernet access networks to extend a Layer 2 Ethernet connection between two customer sites.

In Q-in-Q tunneling, as a packet travels from a customer VLAN (C-VLAN) to a service provider's VLAN, a service provider-specific 802.1Q tag is added to the packet. This additional tag is used to segregate traffic into service-provider-defined service VLANs (S-VLANs). The original customer 802.1Q tag of the packet remains and is transmitted transparently, passing through the service provider's network. As the packet leaves the S-VLAN in the downstream direction, the extra 802.1Q tag is removed.

There are three ways to map C-VLANs to an S-VLAN:

■ All-in-one bundling—Use the dot1q-tunneling statement at the [edit vlans] hierarchy to map without specifying customer VLANs. All packets from a specific access interface are mapped to the S-VLAN.

■ Many-to-one bundling—Use the customer-vlans statement at the [edit vlans] hierarchy to specify which C-VLANs are mapped to the S-VLAN.

■ Mapping C-VLAN on a specific interface—Use the mapping statement at the [edit vlans] hierarchy to map a specific C-VLAN on a specified access interface to the S-VLAN.

Table 3 lists the C-VLAN to S-VLAN mapping supported on SRX Series and J Series devices.

Table 3: C-VLAN to S-VLAN Mapping Supported on SRX Series and J Series Devices

Mapping                                 SRX210  SRX240  SRX650  J Series (PIM)
All-in-one bundling                     Yes     Yes     Yes     Yes
Many-to-one bundling                    No      No      Yes     No
Mapping C-VLAN on a specific interface  No      No      Yes     No

Integrated bridging and routing (IRB) interfaces are supported on Q-in-Q VLANs for SRX210, SRX240, SRX650, and J Series devices. Packets arriving on an IRB interface on a Q-in-Q VLAN are routed regardless of whether the packet is single or double tagged. The outgoing routed packets contain an S-VLAN tag only when exiting a trunk interface; the packets exit the interface untagged when exiting an access interface.

In a Q-in-Q deployment, customer packets from downstream interfaces are transported without any changes to source and destination MAC addresses. You can disable MAC address learning at both the interface level and the VLAN level. Disabling MAC address learning on an interface disables learning for all the VLANs of which that interface is a member. When you disable MAC address learning on a VLAN, MAC addresses that have already been learned are flushed.

[JUNOS Software Interfaces and Routing Configuration Guide]
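
The tag handling and the three C-VLAN mapping choices described above, modelled in Python as an added example (not Juniper code). The S-tag TPID of 0x88A8, the dictionary layout of the VLAN definitions, the interface names and the sample frame are assumptions made for the illustration.

```python
import struct

TPID_C = 0x8100  # IEEE 802.1Q customer tag
TPID_S = 0x88A8  # IEEE 802.1ad service tag (assumed; a device may use another TPID)


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, tags, ethertype, payload):
    """Build an Ethernet frame; tags is a list of (tpid, vid), outermost first."""
    out = mac(dst) + mac(src)
    for tpid, vid in tags:
        out += struct.pack("!HH", tpid, vid & 0x0FFF)
    return out + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, [(tpid, vid), ...], ethertype, payload)."""
    off, tags = 12, []
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in (TPID_C, TPID_S):
            return frame[:6], frame[6:12], tags, etype, frame[off + 2:]
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append((etype, tci & 0x0FFF))
        off += 4


def select_svlan(vlan, ifname, c_vid):
    """Return the S-VLAN ID that this VLAN definition assigns, or None."""
    if ifname not in vlan["access_interfaces"]:
        return None
    mode = vlan["mode"]
    if mode == "all-in-one":        # every packet from the access interface
        return vlan["s_vid"]
    if mode == "many-to-one":       # only the listed C-VLANs
        return vlan["s_vid"] if c_vid in vlan["customer_vlans"] else None
    if mode == "mapping":           # one C-VLAN on one access interface
        return vlan["s_vid"] if (ifname, c_vid) in vlan["mappings"] else None
    raise ValueError("unknown mode: " + mode)


def ingress(vlan, ifname, frame):
    """Customer to provider: push the S-tag in front of any existing C-tag."""
    tags = parse_frame(frame)[2]
    c_vid = tags[0][1] if tags and tags[0][0] == TPID_C else None
    s_vid = select_svlan(vlan, ifname, c_vid)
    if s_vid is None:
        return None                 # frame does not belong to this S-VLAN
    return frame[:12] + struct.pack("!HH", TPID_S, s_vid) + frame[12:]


def egress(frame):
    """Provider to customer: strip the outer S-tag, leave the C-tag alone."""
    tags = parse_frame(frame)[2]
    if not tags or tags[0][0] != TPID_S:
        raise ValueError("frame carries no S-VLAN tag")
    return frame[:12] + frame[16:]


# Constructed sample data: documentation-range MACs, C-VLAN 100, S-VLAN 500.
CUSTOMER_FRAME = build_frame("00:00:5e:00:53:02", "00:00:5e:00:53:01",
                             [(TPID_C, 100)], 0x0800, b"constructed payload")
ALL_IN_ONE = {"mode": "all-in-one", "s_vid": 500,
              "access_interfaces": {"ge-0/0/1"}}
MANY_TO_ONE = {"mode": "many-to-one", "s_vid": 500,
               "access_interfaces": {"ge-0/0/1"},
               "customer_vlans": range(100, 201)}
MAPPING = {"mode": "mapping", "s_vid": 500,
           "access_interfaces": {"ge-0/0/1", "ge-0/0/2"},
           "mappings": {("ge-0/0/2", 100)}}

if __name__ == "__main__":
    tunneled = ingress(ALL_IN_ONE, "ge-0/0/1", CUSTOMER_FRAME)
    print(parse_frame(tunneled)[2])            # S-tag outermost, C-tag preserved
    print(egress(tunneled) == CUSTOMER_FRAME)  # frame restored on the way out
```

The MAC addresses occupy the first 12 bytes in every form of the frame, which matches the statement that customer packets are transported without changes to source and destination MAC addresses.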

■ Layer 2 Link Layer Discovery Protocol (LLDP) and Link Layer Discovery Protocol–Media Endpoint Discovery (LLDP-MED)—This feature is supported on SRX100, SRX210, SRX240, SRX650, and J Series devices.

Devices use LLDP and LLDP-MED to learn and distribute device information on network links. The information allows the device to quickly identify a variety of systems, resulting in a LAN that interoperates smoothly and efficiently.

LLDP-capable devices transmit information in Type Length Value (TLV) messages to neighbor devices. Device information can include specifics, such as chassis and port identification and system name and system capabilities. The TLVs leverage this information from parameters that have already been configured in the Juniper Networks JUNOS Software.

LLDP-MED goes one step further, exchanging IP-telephony messages between the device and the IP telephone. These TLV messages provide detailed information on PoE policy. The PoE Management TLVs let the device ports advertise the power level and power priority needed. For example, the device can compare the power needed by an IP telephone running on a PoE interface with available resources. If the device cannot meet the resources required by the IP telephone, the device could negotiate with the telephone until a compromise on power is reached.

LLDP and LLDP-MED must be explicitly configured on uPIMs (in enhanced switching mode) on J Series devices, base ports on SRX100, SRX210, and SRX240 devices, and Gigabit-Backplane Physical Interface Modules (GPIMs) on SRX650 devices. To configure LLDP on all interfaces or on a specific interface, use the lldp statement at the [set protocols] hierarchy. To configure LLDP-MED on all interfaces or on a specific interface, use the lldp-med statement at the [set protocols] hierarchy.

[JUNOS Software Interfaces and Routing Configuration Guide]
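
What a neighbor learns from one LLDP frame, shown by an added Python example (not Juniper code) that decodes the TLVs named above, including the LLDP-MED Extended Power-via-MDI TLV that carries power priority and power level. The sample LLDPDU, its names and its addresses are constructed; TLV type numbers and layouts follow IEEE 802.1AB and ANSI/TIA-1057.

```python
import struct

TIA_OUI = bytes.fromhex("0012bb")   # OUI of LLDP-MED organizationally specific TLVs
CAPABILITIES = ["other", "repeater", "bridge", "wlan-ap",
                "router", "telephone", "docsis", "station-only"]
POWER_PRIORITY = {0: "unknown", 1: "critical", 2: "high", 3: "low"}


def tlv(tlv_type, value):
    """Encode one TLV: 7-bit type and 9-bit length share a 2-byte header."""
    if not 0 <= tlv_type <= 127 or len(value) > 511:
        raise ValueError("type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def iter_tlvs(pdu):
    """Yield (type, value) pairs; reject truncated or unterminated LLDPDUs."""
    off = 0
    while off + 2 <= len(pdu):
        (header,) = struct.unpack_from("!H", pdu, off)
        tlv_type, length = header >> 9, header & 0x01FF
        off += 2
        if off + length > len(pdu):
            raise ValueError("TLV length runs past the end of the LLDPDU")
        yield tlv_type, pdu[off:off + length]
        if tlv_type == 0:               # End Of LLDPDU
            return
        off += length
    raise ValueError("LLDPDU has no End Of LLDPDU TLV")


def parse_lldpdu(pdu):
    """Extract chassis, port, system and PoE details from one LLDPDU."""
    info = {}
    for tlv_type, value in iter_tlvs(pdu):
        if tlv_type == 1 and value[:1] == b"\x04":        # Chassis ID, MAC subtype
            info["chassis_id"] = value[1:].hex(":")
        elif tlv_type == 2 and value[:1] in (b"\x05", b"\x07"):  # Port ID as text
            info["port_id"] = value[1:].decode("utf-8", "replace")
        elif tlv_type == 3 and len(value) == 2:           # Time To Live, seconds
            (info["ttl"],) = struct.unpack("!H", value)
        elif tlv_type == 5:                               # System Name
            info["system_name"] = value.decode("utf-8", "replace")
        elif tlv_type == 7 and len(value) == 4:           # System Capabilities
            _, enabled = struct.unpack("!HH", value)
            info["capabilities"] = [name for bit, name in enumerate(CAPABILITIES)
                                    if enabled >> bit & 1]
        elif tlv_type == 127 and value[:4] == TIA_OUI + b"\x04" and len(value) == 7:
            # LLDP-MED Extended Power-via-MDI: priority in the low nibble,
            # requested power in units of 0.1 W.
            (tenths,) = struct.unpack("!H", value[5:7])
            info["med_power"] = {
                "priority": POWER_PRIORITY.get(value[4] & 0x0F, "reserved"),
                "watts": tenths / 10,
            }
    return info


def within_budget(info, available_watts):
    """Compare the advertised PoE request with the power still available."""
    request = info.get("med_power")
    return request is not None and request["watts"] <= available_watts


# Constructed sample: an IP telephone advertising itself and a 15.4 W request.
SAMPLE_LLDPDU = b"".join([
    tlv(1, b"\x04" + bytes.fromhex("00005e005310")),
    tlv(2, b"\x07" + b"port-1"),
    tlv(3, struct.pack("!H", 120)),
    tlv(5, b"ip-phone-01"),
    tlv(7, struct.pack("!HH", 0x0024, 0x0020)),
    tlv(127, TIA_OUI + b"\x04" + bytes([0x52]) + struct.pack("!H", 154)),
    tlv(0, b""),
])

if __name__ == "__main__":
    decoded = parse_lldpdu(SAMPLE_LLDPDU)
    print(decoded)
    print(within_budget(decoded, 30.0), within_budget(decoded, 7.0))
```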

■ Promiscuous mode—This feature is supported on SRX3400, SRX3600, SRX5600, and SRX5800 devices.

When promiscuous mode is enabled on a Layer 3 Ethernet interface, all packets received on the interface are sent to the CP/SPU regardless of the destination MAC address of the packet. You can also enable promiscuous mode on chassis cluster redundant Ethernet interfaces and aggregated Ethernet interfaces. If you enable promiscuous mode on a redundant Ethernet interface, promiscuous mode is then enabled on any child physical interfaces. If you enable promiscuous mode on an aggregated Ethernet interface, promiscuous mode is then enabled on all member interfaces.

To enable promiscuous mode on an interface, use the promiscuous-mode statement at the [edit interfaces] hierarchy.

[JUNOS Software Interfaces and Routing Configuration Guide]


Network Address Translation (NAT)

■ Increased maximum number of source NAT rules supported—This feature is supported on SRX Series and J Series devices.

JUNOS Release 10.1 increases the number of source NAT rules and rule sets that you can configure on a device. In previous releases, the maximum number of source NAT rule sets you could configure on a device was 32 and the maximum number of rules in a source NAT rule set was 8.

In JUNOS Release 10.1, the maximum number of source NAT rules that you can configure on a device is:

■ 512 for J Series, SRX100, and SRX210 devices

■ 1024 for SRX240 and SRX650 devices

■ 8192 for SRX3400, SRX3600, SRX5600, and SRX5800 devices

These are systemwide maximums for total numbers of source NAT rules. There is no limitation on the number of rules that you can configure in a source NAT rule set as long as the maximum number of source NAT rules allowed on the device is not exceeded.

NOTE: This feature does not change the maximum number of rules and rule sets you can configure on a device for static and destination NAT. For static NAT, you can configure up to 32 rule sets and up to 256 rules per rule set. For destination NAT, you can configure up to 32 rule sets and up to 8 rules per rule set.

PPPoE

■ LN1000 Mobile Secure Router—This feature is supported on J2320, J6350, and SRX650 devices.

To support the credit-based flow control extensions described in RFC 4938, PPPoE peers can now grant each other forwarding credits. The grantee can forward traffic to the peer only when it has a sufficient number of credits to do so. When credit-based forwarding is used on both sides of the session, the radio client can control the flow of traffic by limiting the number of credits it grants to the router.

The interfaces statement includes a new radio-router attribute that replaces the resource-component-variables attribute. The radio-router attribute contains the parameters used for rate-based scheduling and OSPF link cost calculations. It also includes a new credit attribute to indicate that credit-based packet scheduling is supported on the PPPoE interfaces that reference this underlying interface. Interfaces that set the encapsulation attribute support the PPPoE Active Discovery Grant (PADG) and PPPoE Active Discovery Credit (PADC) messages in the same way that the attribute provides active support for the PPPoE Active Discovery Quality (PADQ) message.

The credit interval parameter controls how frequently the router generates credit announcement messages. For PPPoE this corresponds to the interval between PADG credit announcements for each session.

For example:

[edit interfaces ge-0/0/1]
unit 0 {
    encapsulation ppp-over-ether;
    radio-router {
        credit {
            interval 10;
        }
        bandwidth 80;
        threshold 5;
    }
}

NOTE: The resource-component-variables attribute has been deprecated, but has an alias to the radio-router variable to minimize impact on existing routers that may have been configured previously.

To display PPPoE credit-flow information:

user@host> show pppoe interface detail

pp0.51 Index 73
  State: Session up, Session ID: 3,
  Service name: None, Configured AC name: None,
  Session AC name: None, Remote MAC address: 00:22:83:84:2e:81,
  Session uptime: 00:05:48 ago,
  Auto-reconnect timeout: Never, Idle timeout: Never,
  Underlying interface: ge-0/0/4.1 Index 72
  PADG Credits: Local: 12345, Remote: 6789, Scale factor: 128 bytes
  PADQ Current bandwidth: 750 Kbps, Maximum 1000 Kbps
  Quality: 85, Resources 65, Latency 100 msec.
  Dynamic bandwidth: 3 Kbps

pp0.1000 Index 71
  State: Down, Session ID: 1,
  Service name: None, Configured AC name: None,
  Session AC name: None, Remote MAC address: 00:00:00:00:00:00,
  Auto-reconnect timeout: Never, Idle timeout: Never,
  Underlying interface: ge-0/0/1.0 Index 70
  PADG Credits: enabled
  Dynamic bandwidth: enabled


Virtual LANs (VLANs)

■ Flexible Ethernet services—This feature is supported on SRX210, SRX240, SRX650, and J Series devices.

Use flexible Ethernet services encapsulation when you want to configure multiple per-unit Ethernet encapsulations. This encapsulation type allows you to configure any combination of route, TCC, CCC, and VPLS encapsulations on a single physical port. Aggregated Ethernet bundles cannot use this encapsulation type.

For ports configured with flexible Ethernet services encapsulation, VLAN IDs from 1 through 511 are no longer reserved for normal VLANs.

VPNs

■ Increased maximum number of VPN tunnels supported—This feature is supported on SRX3400, SRX3600, SRX5600, and SRX5800 devices.

VPN supports a maximum of 10000 site-to-site VPN tunnels.

WLAN

■ AX411 Access Point clustering—The AX411 Access Point is a Layer 2 device that connects wireless communication devices together to create a wireless network. The access point is connected to the wired network and relays data between the wired and the wireless network. Multiple access points form a part of a bigger wireless network and can be clustered together.

The access point cluster is a dynamic, configuration-aware group of access points in the same subnet of a network. A cluster can have up to sixteen member access points. Clusters can share various configuration information such as virtual access point (VAP) settings and quality-of-service (QoS) queue parameters. Any change in configuration on one access point will propagate to all other access points in the cluster. Similarly, any new access point introduced to the cluster will adopt the configuration of other access points in the cluster.

Access points are supported on the following SRX Series Services Gateways:

■ SRX210

■ SRX240

■ SRX650

[JUNOS Software WLAN Configuration and Administration Guide]

Hardware Features

Support for 3G wireless functionality on SRX210 Services Gateways—JUNOS Software Release 10.1 supports 3G wireless functionality on SRX210 devices to provide wireless WAN connectivity as backup to primary WAN links. Third-generation (3G) networks are wide area cellular telephone networks that have evolved to include high-data rate services of up to 3 Mbps. The SRX210 device has a 3G ExpressCard slot on the back panel. The SRX210 device supports the Juniper Networks wireless modems listed in Table 4.

Table 4: Juniper Networks Wireless Modems Supported by the SRX210 Device

Wireless Cards:

■ EXPCD-3G-HSPA-T: 3G UMTS ExpressCard for GSM and UMTS Networks, specifically with 850-MHz band support. Available from Juniper Networks starting February 15, 2010.

Release Supported: JUNOS Release 10.1. JUNOS Software Release 10.1 provides untested support for this modem for LAB testing purposes only.

Wireless Cards:

■ EXPCD-3G-CDMA-V: 3G EVDO ExpressCard for Verizon Wireless. Currently available from Juniper Networks.

■ EXPCD-3G-CDMA-S: 3G EVDO ExpressCard for Sprint. Currently available from Juniper Networks.

■ Sierra Wireless AirCard Global System for Mobile Communications (GSM) High-Speed Downlink Packet Access (HSDPA) ExpressCard - Sierra Wireless AirCard 880E. Currently available from Juniper Networks.

Release Supported: JUNOS Release 9.5 and JUNOS Release 9.6.

For more information on installing 3G ExpressCards, see the SRX210 Services Gateway Hardware Guide. For more information on configuring the 3G interface, see the JUNOS Software Interfaces and Routing Configuration Guide.

Related Topics

■ Known Limitations in JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers

■ Issues in JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers

■ Errata and Changes in Documentation for JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers

Changes In Default Behavior and Syntax in JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers

The following current system behavior, configuration statement usage, and operational mode command usage might not yet be documented in the JUNOS Software documentation:

Application Layer Gateways (ALGs)

■ The following CLI commands have been removed as part of RPC ALG data structure cleanup:

■ clear security alg msrpc portmap

■ clear security alg sunrpc portmap

■ show security alg msrpc portmap

■ show security alg sunrpc portmap


■ The show security alg msrpc object-id-map CLI command has a chassis cluster node option to permit the output to be restricted to a particular node or to query the entire cluster. The show security alg msrpc object-id-map node CLI command options are <node-id | all | local | primary>.

Chassis Cluster

■ On SRX650 devices in chassis cluster mode, the T1/E1 PIC goes offline and does not come online.

■ The automatic pause timer functionality related to IP address monitoring for redundancy groups has been removed. Instead, a configurable hold-down-interval timer for all redundancy groups has been instituted. See the “Configuring a Dampening Time Between Back-to-Back Redundancy Group Failovers” section of the JUNOS Software Security Configuration Guide.

■ IP address monitoring on redundancy group 0 is now supported.

■ The chassis cluster redundancy-group group-number ip-monitoring threshold CLI command has been removed. Instead, use the chassis cluster redundancy-group group-number ip-monitoring global-threshold command.

■ IP address monitoring on virtual routers is now supported.


Command-Line Interface (CLI)


■ On AX411 Access Points, the possible completions available for the CLI command set wlan access-point < ap_name > radio < radio_num > radio-options channel number ? have changed from previous implementations.

Now this CLI command displays the following possible completions:

Example 1:

user@host# set wlan access-point ap6 radio 1 radio-options channel number ?
Possible completions:
  36    Channel 36
  40    Channel 40
  44    Channel 44
  48    Channel 48
  52    Channel 52
  56    Channel 56
  60    Channel 60
  64    Channel 64
  100   Channel 100
  108   Channel 108
  112   Channel 112
  116   Channel 116
  120   Channel 120
  124   Channel 124
  128   Channel 128
  132   Channel 132
  136   Channel 136
  140   Channel 140
  149   Channel 149
  153   Channel 153
  157   Channel 157
  161   Channel 161
  165   Channel 165
  auto  Automatically selected

Example 2:

user@host# set wlan access-point ap6 radio 2 radio-options channel number ?
  1     Channel 1
  2     Channel 2
  3     Channel 3
  4     Channel 4
  5     Channel 5
  6     Channel 6
  7     Channel 7
  8     Channel 8
  9     Channel 9
  10    Channel 10
  11    Channel 11
  12    Channel 12
  13    Channel 13
  14    Channel 14
  auto  Automatically selected

■ On SRX Series devices, the show security monitoring fpc 0 command is now available.

The output of this CLI command on SRX Series devices differs from previous implementations on other devices. Note the following sample output:

show security monitoring fpc 0

FPC 0

PIC 0

CPU utilization : 0 %

Memory utilization : 65 %

Current flow session : 0

Max flow session : 131072

NOTE: When SRX Series devices operate in packet mode, flow sessions will not be created and current flow session will remain zero as shown in the sample output above. The maximum number of sessions will differ from one device to another. On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the output will include two more lines: SPU current cp session and SPU max cp session.

■ On SRX210 devices with Integrated Convergence Services, TDM configuration change might interrupt existing TDM calls if any MPIMs are configured. The voice calls through the MPIM do not work. Run the CLI restart rtmd command after making a configuration change to the MPIM ports.

■ On SRX210 devices with Integrated Convergence Services, registrations do not work when PCS is configured and removed through the CLI. The dial tone disappears when the analog station calls the SIP station. As a workaround, either run the rtmd restart command or restart the device.

■ On SRX5600 and SRX5800 devices, the set security end-to-end-debug CLI hierarchy command has been changed to set security datapath-debug.

■ On AX411 Access Points, the possible completions available for the CLI command set wlan access-point mav0 radio 1 radio-options mode ? are changed from previous implementations.

Now this CLI command displays the possible completions as shown below:

■ Example 1:

user@host# set wlan access-point mav0 radio 1 radio-options mode ?
Possible completions:
  5GHz    Radio Frequency -5GHz-n
  a       Radio Frequency -a
  an      Radio Frequency -an
[edit]

■ Example 2:

user@host# set wlan access-point mav0 radio 2 radio-options mode ?
Possible completions:
  2.4GHz  Radio Frequency --2.4GHz-n
  bg      Radio Frequency -bg
  bgn     Radio Frequency -bgn


■ On SRX Series devices, the show system storage partitions command now displays the partitioning scheme details.

■ Example 1: show system storage partitions (dual root partitioning)

user@host# show system storage partitions
Boot Media: internal (da0)
Active Partition: da0s2a
Backup Partition: da0s1a
Currently booted from: active (da0s2a)
Partitions Information:
  Partition  Size  Mountpoint
  s1a        293M  altroot
  s2a        293M  /
  s3e        24M   /config
  s3f        342M  /var
  s4a        30M   recovery

■ Example 2: show system storage partitions (single root partitioning)

user@host# show system storage partitions
Boot Media: internal (da0)
Partitions Information:
  Partition  Size  Mountpoint
  s1a        898M  /
  s1e        24M   /config
  s1f        61M   /var

■ Example 3: show system storage partitions (USB)

user@host# show system storage partitions
Boot Media: usb (da1)
Active Partition: da1s1a
Backup Partition: da1s2a
Currently booted from: active (da1s1a)
Partitions Information:
  Partition  Size  Mountpoint
  s1a        293M  /
  s2a        293M  altroot
  s3e        24M   /config
  s3f        342M  /var
  s4a        30M   recovery

Configuration

■ J Series devices no longer allow a configuration in which a tunnel's source or destination address falls under the subnet of the same logical interface’s address.


■ On SRX100, SRX210, SRX240, and SRX650 devices, the current JUNOS Software default configuration is inconsistent with the one in Secure Services Gateways, thus causing problems when users migrate to SRX Series devices. As a workaround, users should ensure the following steps are taken:

■ The ge-0/0/0 interface should be configured as the Untrust port (with the DHCP client enabled).

■ The rest of the on-board ports should be bridged together, with a VLAN IFL and DHCP server enabled (where applicable).

■ Default policies should allow trust->untrust traffic.

■ Default NAT rules should apply interface-nat for all trust->untrust traffic.

■ DNS/Wins parameters should be passed from server to client and, if not available, users should preconfigure a DNS server (required for download of security packages).

Flow and Processing

■ On SRX Series devices, the factory default for the maximum number of backup configurations allowed is five. Therefore, you can have one active configuration and a maximum of five rollback configurations. Increasing this backup configuration number will result in increased memory usage on disk and increased commit time.

To modify the factory defaults, use the following commands:

root@host# set system max-configurations-on-flash number

root@host# set system max-configuration-rollbacks number

where max-configurations-on-flash indicates backup configurations to be stored in the configuration partition and max-configuration-rollbacks indicates the maximum number of backup configurations.

■ On J Series devices, the following configuration changes must be made after rollback or upgrade from JUNOS Release 10.1 to 9.6 and earlier releases.

■ Rename lsq-0/0/0 to ls-0/0/0 in all its occurrences.

■ Remove fragmentation-map from the [class-of-service] hierarchy level and from [class-of-service interfaces lsq-0/0/0], if configured.

■ Remove multilink-max-classes from [ls-0/0/0 unit 0], if configured.

■ Remove link-layer-overhead from [ls-0/0/0 unit 0], if configured.

■ If the LFI forwarding class is mapped to no-fragmentation in fragmentation-map and the configuration hierarchy is enabled on lsq-0/0/0 in JUNOS Release 10.1, then

■ Add interleave-fragments under [ls-0/0/0 unit 0]

■ Adjust classifier configured for LFI on lsq-0/0/0 under [class-of-service] to classify packets to Q2

If the aforementioned instructions are not followed, the bundle will be incorrectly processed.

Interfaces and Routing

■ On SRX Series devices, to minimize the size of system logs, the default logging level in the factory configuration has been changed from any any to any critical.

■ On SRX3000 and SRX5000 line devices, the set protocols bgp family inet flow and set routing-options flow CLI statements are no longer available, because BGP flow spec functionality is not supported on these devices.

■ On SRX100, SRX210, SRX240, and SRX650 devices, the autoinstallation functionality on an interface enables a DHCP client on the interface and remains in the DHCP client mode. In previous releases, after a certain period, the interface changed from being a DHCP client to a DHCP server.

■ On SRX240 High Memory devices, when you activate or deactivate the ATM interface for the VDSL PIM inserted on slots two, three, or four, it might result in a flowd crash due to a bug in the VDSL driver. This problem might not be noticed on SRX210 devices or slot one of SRX240 devices.

Intrusion Detection and Prevention (IDP)

■ On SRX5600 and SRX5800 devices, while running commands in IDP, ensure that you provide the service field values for custom attack definitions in lowercase.

In the following example, the protocol service field value udp is specified in lowercase:

set security idp custom-attack temp severity info attack-type signature context packet direction any pattern .* protocol udp destination-port match equal value 1333

■ On SRX3400, SRX3600, SRX5600, and SRX5800 devices, for brute force and time-binding-related attacks, the logging is to be done only when the match count is equal to the threshold. That is, only one log is generated within the 60-second period in which the threshold is measured. This process prevents repetitive logs from being generated and ensures consistency with other IDP platforms like IDP-standalone.

■ On SRX Series and J Series devices, the IDP ip-action statement is now supported on TCP, UDP, and ICMP flows. When the ip-action target is service, the ip-action flow is applied if the traffic matches the values specified for source port, destination port, source address, and destination address. However, for ICMP flows, the destination port is 0, so that any ICMP flow matching source port, source address, and destination address is blocked. For more information, see the JUNOS Software CLI Reference.

■ On SRX3400 and SRX3600 devices in Layer 2 and Layer 3 integrated mode, 30 percent to 40 percent of the logs created in IDP are not exited from IDP. In Layer 2 and Layer 3 dedicated mode, the logs are exited properly.


J-Web

■ On SRX3400, SRX3600, SRX5600, and SRX5800 devices, to add the Predefined Attacks and Predefined Attack Groups, users do not need to type the attack names. Instead, users can select attacks from the Predefined Attacks and Predefined Attack Group lists and click the left arrow to add them.

■ On SRX100, SRX210, SRX240, and SRX650 devices, the LED status (Alarm, HA, ExpressCard, Power Status, and Power) shown in the front panel for Chassis View does not replicate the exact status of the device.

Management and Administration

■ On SRX5600 and SRX5800 devices running a previous release of JUNOS Software, security logs were always timestamped using the UTC time zone. In JUNOS Release 10.1, you can use the set system time-zone CLI command to specify the local time zone that the system should use when timestamping the security logs. If you want to timestamp logs using the UTC time zone, use the set system time-zone utc and set security log utc-timestamp CLI statements.

■ Configuring the External CompactFlash card on SRX650 Services Gateways:

The SRX650 Services Gateway includes 2–GB CompactFlash storage devices:

■ The Services and Routing Engine (SRE) contains a hot-pluggable CompactFlash (external CompactFlash) storage device used to upload and download files.

■ The chassis contains an internal compact flash used to store the operating system.

By default, only the internal CompactFlash is enabled, and an option to take a snapshot of the configuration from the internal CompactFlash to the external compact flash is not supported. This can be done only by using a USB storage device.

To take a snapshot on the external CompactFlash:

1. Take a snapshot from the internal CompactFlash to the USB storage device using the request system snapshot media usb CLI command.

2. Reboot the device from the USB storage device by using the request system reboot media usb command.

3. Go to the U-boot prompt. For more information, see the "Accessing the U-Boot Prompt" section in the JUNOS Software Administration Guide.

4. At the U-boot prompt, set the following variables:

set ext.cf.pref 1
save
reset

5. Once the system is booted from the USB storage device, take a snapshot on the external CompactFlash using the request system snapshot media external command.


NOTE: Once the snapshot has been taken on the external CompactFlash, we recommend that you set ext.cf.pref to 0 at the U-boot prompt.

Security

■ J Series devices do not support the authentication order password radius or password ldap in the edit access profile profile-name authentication-order command. Instead, use the order radius password or ldap password.

Known Limitations in JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers

[accounting-options] Hierarchy

■ On SRX210 and SRX240 devices, the accounting, source-class, and destination-class statements in the [accounting-options] hierarchy level are not supported.

AX411 Access Point

■ On SRX100 devices, there are command-line interface (CLI) commands and J-Web tabs for wireless LAN configurations related to the AX411 Access Point. However, at this time the SRX100 devices do not support the AX411 Access Point.

Chassis Cluster

On SRX Series and J Series devices, the following features are not supported when chassis clustering is enabled on the device:

■ All packet-based protocols, such as MPLS, Connectionless Network Service (CLNS), and IP version 6 (IPv6)

■ Any function that depends on the configurable interfaces:

■ lsq-0/0/0—Link services Multilink Point-to-Point Protocol (MLPPP), Multilink Frame Relay (MLFR), and Compressed Real-Time Transport Protocol (CRTP)

■ gr-0/0/0—Generic routing encapsulation (GRE) and tunneling

■ ip-0/0/0—IP-over-IP (IP-IP) encapsulation

■ pd-0/0/0, pe-0/0/0, and mt-0/0/0—All multicast protocols

■ lt-0/0/0—Real-time performance monitoring (RPM)

■ WXC Integrated Services Module (WXC ISM 200)


■ ISDN BRI

■ Layer 2 Ethernet switching

The factory default configuration for SRX100, SRX210, and SRX240 devices automatically enables Layer 2 Ethernet switching. Because Layer 2 Ethernet switching is not supported in chassis cluster mode, for these devices, if you use the factory default configuration, you must delete the Ethernet switching configuration before you enable chassis clustering.

CAUTION: Enabling chassis clustering while Ethernet switching is enabled is not a supported configuration. Doing so might result in undesirable behavior from the devices, leading to possible network instability.

The default configuration for other SRX Series devices and all J Series devices does not enable Ethernet switching. However, if you have enabled Ethernet switching, be sure to disable it before enabling clustering on these devices too.

For more information, see the “Disabling Switching on SRX100, SRX210, and SRX240 Devices Before Enabling Chassis Clustering” section in the JUNOS Software Security Configuration Guide.

SRX Series devices have the following limitations:

■ Only two of the 10 ports on each PIC of 40-port 1-Gigabit Ethernet I/O cards (IOCs) for SRX5600 and SRX5800 devices can simultaneously enable IP address monitoring. Because there are four PICs per IOC, this permits a total of eight ports per IOC to be monitored. If more than two ports per PIC on 40-port 1-Gigabit Ethernet IOCs are configured for IP address monitoring, the commit will succeed but a log entry will be generated, and the accuracy and stability of IP address monitoring cannot be ensured. This limitation does not apply to any other IOCs or devices.

■ SRX3400, SRX3600, SRX5600, and SRX5800 devices have the following limitations:

■ IP address monitoring is not permitted on redundant Ethernet interface LAGs or on child interfaces of redundant Ethernet interface LAGs.

■ In-service software upgrade (ISSU) does not support version downgrading. That is, ISSU does not support running an ISSU install of a software release package earlier or with a smaller release number than the currently installed version.

■ On SRX3000 and SRX5000 line chassis clusters, screen statistics data can be gathered on the primary device only.

J Series devices have the following limitations:

■ A Fast Ethernet port from a 4-port Ethernet PIM cannot be used as a fabric link port in a chassis cluster.

■ On SRX3400, SRX3600, SRX5600, and SRX5800 devices, in-service software upgrade (ISSU) does not support version downgrading. That is, ISSU does not support running an ISSU install of a JUNOS Software version that is earlier than the currently installed version.

Command-Line Interface (CLI)

On SRX210 and SRX240 devices, J-Web crashes if more than nine users log in to the device by using the CLI.

The number of users allowed to access the device is limited as follows:

■ For SRX210 devices: four CLI users and three J-Web users

■ For SRX240 devices: six CLI users and five J-Web users

Dynamic VPN

SRX100, SRX210, and SRX240 devices have the following limitations:

■ The IKE configuration for the dynamic VPN client does not support the hexadecimal preshared key.

■ The dynamic VPN client IPsec does not support the Authentication Header (AH) protocol and the Encapsulating Security Payload (ESP) protocol with NULL authentication.

■ When you log in through the Web browser (instead of logging in through the dynamic VPN client) and a new client is available, you are prompted for a client upgrade even if the force-upgrade option is configured. Conversely, if you log in using the dynamic VPN client with the force-upgrade option configured, the client upgrade occurs automatically (without a prompt).

Flow and Processing

■ Maximum concurrent SSH, Telnet, and Web sessions—On SRX210, SRX240, and SRX650 devices, the maximum number of concurrent sessions is as follows:

Sessions  SRX210  SRX240  SRX650
ssh       3       5       5
telnet    3       5       5
Web       3       5       5

NOTE: These defaults are provided for performance reasons.

■ On SRX210 and SRX240 devices, for optimized efficiency, we recommend that you limit use of CLI and J-Web to the following numbers of sessions:

Device  CLI  J-Web  Console
SRX210  3    3      1
SRX240  5    5      1

■ On SRX100 devices, Layer 3 control protocols (OSPF, using multicast destination MAC address) on the VLAN Layer 3 interface work only with access ports.

Hardware

This section covers filter and policing limitations.

■ On SRX3400 and SRX3600 devices, the following feature is not supported by a simple filter:

■ Forwarding class as match condition

■ On SRX3400 and SRX3600 devices, the following features are not supported by a policer or a three-color-policer:

■ Color-aware mode of a three-color-policer

■ Filter-specific policer

■ Forwarding class as action of a policer

■ Logical interface policer

■ Logical interface three-color policer

■ Logical interface bandwidth policer

■ Packet loss priority as action of a policer

■ Packet loss priority as action of a three-color-policer

■ On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the following features are not supported by a firewall filter:

■ Policer action

■ Egress FBF

■ FTF

■ SRX3400 and SRX3600 devices have the following limitations of a simple filter:

■ In the packet processor on an IOC, up to 100 logical interfaces can be applied with simple filters.

■ In the packet processor on an IOC, the maximum number of terms of all simple filters is 4000.

■ In the packet processor on an IOC, the maximum number of policers is 4000.

■ In the packet processor on an IOC, the maximum number of three-color-policers is 2000.

■ The maximum burst size of a policer or three-color-policer is 16 MB.

■ On SRX650 devices, the T1/E1 GPIMs (2 or 4 port version) do not work in 9.6R1. This issue is resolved in JUNOS Release 9.6R2 and JUNOS Release 10.1, but if you roll back to the 9.6R1 image, this issue is still seen.

Interfaces and Routing

■ On SRX650 devices, MAC pause frame and FCS error frame counters are not supported for the interfaces ge-0/0/0 through ge-0/0/3.

■ On SRX240 and SRX650 devices, the VLAN range from 3967 to 4094 falls under the reserved VLAN address range, and the user is not allowed any configured VLANs from this range.

■ On SRX650 devices, the last 4 ports of a 24-Gigabit Ethernet switch GPIM can be used either as RJ-45 or SFP ports. If both are present and providing power, the SFP media is preferred. If the SFP media is removed or the link is brought down, then the interface will switch to the RJ-45 medium. This can take up to 15 seconds, during which the LED for the RJ-45 port might go up and down intermittently. Similarly when the RJ-45 medium is active and an SFP link is brought up, the interface will transition to the SFP medium, and this transition could also take a few seconds.

■ On SRX Series and J Series devices, the user can use IPsec only on an interface that resides in the routing instance inet 0. The user will not be able to assign an internal or external interface to the IKE policy if that interface is placed in a routing instance other than inet 0.

■ On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the following multicast IPv6 and MVPN CLI commands are not supported. However, if you enter these commands in the CLI editor, they will appear to succeed and will not display an error message.

■ show pim interfaces inet6

■ show pim neighbors inet6

■ show pim source inet6

■ show pim rps inet6

■ show pim join inet6

■ show pim mvpn

■ show multicast next-hops inet6

■ show multicast rpf inet6

■ show multicast route inet6

■ show multicast scope inet6

■ show multicast pim-to-mld-proxy

■ show multicast statistics inet6

■ show multicast usage inet6

■ show msdp sa group <group>

■ set protocols pim interface interface family inet6

■ set protocols pim disable interface interface family inet6

■ set protocols pim family inet6

■ set protocols pim disable family inet6

■ set protocols pim apply-groups group disable family inet6

■ set protocols pim apply-groups group family inet6

■ set protocols pim apply-groups-except group disable family inet6

■ set protocols pim apply-groups group interface interface family inet 6

■ set protocols pim apply-groups group apply-groups-except group family inet 6

■ set protocols pim apply-groups group apply-groups-except group disable family inet 6

■ set protocols pim assert-timeout timeout-value family inet6

■ set protocols pim disable apply-groups group family inet 6

■ set protocols pim disable apply-groups-except group family inet 6

■ set protocols pim disable export export-join-policy family inet 6

■ set protocols pim disable dr-election-on-p2p family inet 6

■ set protocols pim dr-election-on-p2p family inet 6

■ set protocols pim export export-join-policy family inet 6

■ set protocols pim import export-join-policy family inet 6

■ set protocols pim disable import export-join-policy family inet 6

■ On SRX210 devices, the USB modem interface can handle bidirectional traffic of up to 19 kbps. On oversubscription of this amount (that is, bidirectional traffic of 20 kbps or above), keepalives are not exchanged, and the interface goes down.

Intrusion Detection and Prevention (IDP)

■ On SRX3400, SRX3600, SRX5600, and SRX5800 devices, application-level distributed denial-of-service (application-level DDoS) detection does not work if two rules with different application-level DDoS applications process traffic going to a single destination application server. When setting up application-level DDoS rules, make sure you do not configure rulebase-ddos rules that have two different application-ddos objects while the traffic destined to one application server can process more than one rule. Essentially, for each protected application server, you have to configure the application-level DDoS rules so that traffic destined for one protected server only processes one application-level DDoS rule.

NOTE: Application-level DDoS rules are terminal, which means that once traffic is processed by one rule, it will not be processed by other rules.

The following configuration options can be committed, but they will not work properly:

source-zone    destination-zone  destination-ip  service  application-ddos  Application Server
source-zone-1  dst-1             any             http     http-appddos1     1.1.1.1:80
source-zone-2  dst-1             any             http     http-appddos2     1.1.1.1:80

■ On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the application-level denial-of-service (application-level DDoS) rulebase (rulebase-ddos) does not support port mapping. If you configure an application other than default, and if the application is from either predefined JUNOS Software applications or a custom application that maps an application service to a nonstandard port, application-level DDoS detection will not work.

When you configure the application setting as default, IDP uses application identification to detect applications running on standard and nonstandard ports, hence the application-level DDoS detection would work properly.

■ On SRX Series and J Series devices, IP actions do not work when you select a timeout value greater than 65,535 in the IDP policy.

■ On SRX210, SRX240, and SRX650 devices, the maximum number of IDP sessions supported is 16,000.

■ On SRX Series devices, all IDP policy templates are supported except All Attacks. There is a 100-MB policy size limit for integrated mode and a 150-MB policy size limit for dedicated mode, and the current IDP policy templates supported are dynamic, based on the attack signatures being added. Therefore, be aware that supported templates might eventually grow past the policy-size limit.

On SRX Series devices, the following IDP policies are supported:

■ DMZ_Services

■ DNS_Service

■ File_Server

■ Getting_Started

■ IDP_Default

■ Recommended

■ Web_Server

■ IDP deployed in both active/active and active/passive chassis clusters has the following limitations:

■ No inspection of sessions that fail over or fail back.

■ The IP address action table is not synchronized across nodes.

■ The Routing Engine (RE) on the secondary node might not be able to reach networks that are reachable only through a Packet Forwarding Engine (PFE).

■ The SSL session-ID cache is not synchronized across nodes. If an SSL session reuses a session-ID and it happens to be processed on a node other than the one on which the session-ID is cached, the SSL session cannot be decrypted and will be bypassed for IDP inspection.

■ IDP deployed in active/active chassis clusters has the following limitation:

■ For time-binding scope source traffic, if attacks from a source with more than one destination have active sessions distributed across nodes, the attack might not be detected because time-binding counting has a local-node-only view. Detecting this sort of attack requires an RTO synchronization of the time-binding state that is not currently supported.
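
Because the rulebase-ddos configuration described earlier in this IDP section commits without error, the overlap has to be caught before commit. The following Python lint is an added example, not Juniper code: it flags any pair of rules that reference different application-ddos objects while their destination zone, destination IP, and service can match the same server. The DdosRule structure, the rule names, the third rule, and the decision to ignore source zone are assumptions; the first two rules are the rows of the release-note table.

```python
# Added example: pre-commit lint for rulebase-ddos rules (all data constructed).
from dataclasses import dataclass
from ipaddress import ip_network
from itertools import combinations


@dataclass(frozen=True)
class DdosRule:
    """One rulebase-ddos rule, reduced to the columns of the release-note table."""
    name: str                # hypothetical rule name (the table has none)
    source_zone: str
    destination_zone: str
    destination_ip: str      # "any", an address, or a prefix
    service: str
    application_ddos: str    # name of the application-ddos object


def _same_or_any(a, b):
    return a == "any" or b == "any" or a == b


def _ip_overlaps(a, b):
    if a == "any" or b == "any":
        return True
    return ip_network(a, strict=False).overlaps(ip_network(b, strict=False))


def destinations_overlap(a, b):
    """True if traffic to some server could match both rules.

    Source zone is ignored on purpose (assumption): the two table rows
    differ in source zone and are still listed as not working.
    """
    return (_same_or_any(a.destination_zone, b.destination_zone)
            and _ip_overlaps(a.destination_ip, b.destination_ip)
            and _same_or_any(a.service, b.service))


def find_conflicts(rules):
    """Return (name, name) for each rule pair with overlapping destinations
    and different application-ddos objects."""
    return [(a.name, b.name)
            for a, b in combinations(rules, 2)
            if a.application_ddos != b.application_ddos
            and destinations_overlap(a, b)]


def objects_per_server(rules, servers):
    """For each (zone, ip, service) server, list the application-ddos objects
    that can apply; only servers with more than one object are reported."""
    report = {}
    for zone, ip, service in servers:
        probe = DdosRule("probe", "any", zone, ip, service, "")
        objs = sorted({r.application_ddos for r in rules
                       if destinations_overlap(r, probe)})
        if len(objs) > 1:
            report[(zone, ip, service)] = objs
    return report


# Rows 1 and 2 come from the release-note table; rule-3 is constructed.
PAGE_RULES = [
    DdosRule("rule-1", "source-zone-1", "dst-1", "any", "http", "http-appddos1"),
    DdosRule("rule-2", "source-zone-2", "dst-1", "any", "http", "http-appddos2"),
    DdosRule("rule-3", "source-zone-1", "dst-2", "192.0.2.0/24", "dns", "dns-appddos"),
]

# Constructed variant: each object is pinned to a different server address.
SEPARATED_RULES = [
    DdosRule("rule-1", "source-zone-1", "dst-1", "1.1.1.1", "http", "http-appddos1"),
    DdosRule("rule-2", "source-zone-2", "dst-1", "1.1.1.2", "http", "http-appddos2"),
]

if __name__ == "__main__":
    for pair in find_conflicts(PAGE_RULES):
        print("conflicting rules:", pair)
    print(objects_per_server(PAGE_RULES, [("dst-1", "1.1.1.1", "http")]))
```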

J-Web

■ On J Series devices, some J-Web pages for new features (for example, the Quick Configuration page for the switching features on J Series devices) display content in one or more modal pop-up windows. In the modal pop-up windows, you can interact only with the content in the window and not with the rest of the J-Web page. As a result, online Help is not available when modal pop-up windows are displayed. You can access the online Help for a feature only by clicking the Help button on a J-Web page.

■ On SRX650 devices, you cannot use J-Web to configure a VLAN interface for an IKE gateway. To configure a VLAN interface for an IKE gateway, use the CLI.

NetScreen-Remote

■ On SRX Series devices, NetScreen-Remote is not supported in JUNOS Release 10.1.

Network Address Translation (NAT)

■ On SRX3400, SRX3600, SRX5600, and SRX5800 devices, IKE negotiations involving NAT traversal do not work if the IKE peer is behind a NAT device that will change the source IP address of the IKE packets during the negotiation. For example, if the NAT device is configured with DIP, it changes the source IP because the IKE protocol switches the UDP port from 500 to 4500.

■ The following describes the maximum numbers of NAT rules and rule sets supported:

■ For static NAT, up to 32 rule sets and up to 256 rules per rule set can be configured on a device.

■ For destination NAT, up to 32 rule sets and up to 8 rules per rule set can be configured on a device.

■ For source NAT, the following are the maximum numbers of source NAT rules that can be configured on a device:

■ 512 for J Series, SRX100, and SRX210 devices

■ 1024 for SRX240 and SRX650 devices

■ 8192 for SRX3400, SRX3600, SRX5600, and SRX5800 devices

These are systemwide maximums for total numbers of source NAT rules. There is no limitation on the number of rules that you can configure in a source NAT rule set as long as the maximum number of source NAT rules allowed on the device is not exceeded.

Performance

■ J Series devices now support IDP and UTM functionality. Under heavy network traffic in a few areas of functionality, such as NAT and IPsec VPN, performance is still being improved to reach the high levels to which Juniper Networks is consistently committed.

SNMP

■ On J Series devices, the SNMP NAT-related MIB is not supported in JUNOS Release 10.1.

System

■ On SRX650 devices, if one of the four Gigabit Ethernet ports (ge-0/0/0 through ge-0/0/3) is linked up at 10 or 100 Mbps, it will not support jumbo frames. Frames greater than 1500 bytes are dropped.

Unified Threat Management (UTM)

■ UTM requires 1 GB of memory. If your J2320, J2350, or J4350 device has only 512 MB of memory, you must upgrade the memory to 1 GB to run UTM.

WLAN

■ The following are the maximum numbers of access points that can be configured and managed from SRX Series devices:

■ SRX210—4 access points

■ SRX240—8 access points

■ SRX650—16 access points

NOTE: The number of licensed access points can exceed the maximum number of supported access points. However, you can only configure and manage the maximum number of access points.

VPNs

■ On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the IPsec NAT-T tunnels scaling and sustaining issues are as follows:

■ For a given private IP address, the NAT device should translate both 500 and 4500 private ports to same public IP address.

■ The total number of tunnels from a given public translated IP cannot exceed 1000 tunnels.

Related Topics

■ New Features in JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers

■ Issues in JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers

■ Errata and Changes in Documentation for JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers

Issues in JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers

■ Outstanding Issues In JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers

■ Resolved Issues in JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers

Outstanding Issues In JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers

The following problems currently exist in SRX Series and J Series devices. The identifier following the description is the tracking number in our bug database.

Application Layer Gateways (ALGs)

■ On SRX5600 devices, if you run the show security alg sip counters command while doing a bulk call generation, it might bring down the SPU with a flowd core file error. [PR/292956]

■ On SRX210 devices, the SCCP call cannot be set up after disabling and enabling the SCCP ALG. The call does not go through. [PR/409586]

■ On SRX3400 and SRX3600 devices, RTSP, TFTP, and FTP ALG at scale in Layer 2 mode with A/P is not supported in JUNOS Release 10.1. [PR/474140]

■ On SRX3400, SRX3600, SRX5600, and SRX5800 devices, by default ALGs are enabled. When security policies are configured with IDP service, there might be packet drops. When IDP service is enabled through security policy configuration, we recommend that you disable some or all ALGs through configuration to avoid packet drops. For example: set security alg rtsp disable. [PR/474629]

NOTE: Disabling ALGs will prevent auxiliary or pinholes session creation and those sessions might not be permitted based on security policy. The choice depends on the customer network and what services are being run, whether ALGs need to be enabled and whether IDP inspection is required for all or a subset of traffic.

Authentication

■ On J Series devices, your attempt to log in to the router from a management device through FTP or Telnet might fail if you type your username and password in quick succession before the prompt is displayed, in some operating systems. As a workaround, type your username and password after getting the prompts. [PR/255024]

■ On J Series devices, after the user is authenticated, if the webauth-policy is deleted or changed and an entry exists in the firewall authentication table, then an authentication entry created as a result of webauth will be deleted only if a traffic flow session exists for that entry. Otherwise, the webauth entry will not get deleted and will only age out. This behavior will not cause a security breach. [PR/309534]

■ On SRX3400, SRX3600, SRX5600, and SRX5800 devices, when a firewall authentication session is initiated, the authentication entry will be created on all the SPUs. However, in JUNOS Release 10.1 when multiple firewall authentication sessions are initiated by the same user simultaneously, authentication entries are not created in all the SPUs. As a result, some sessions might time out, and the user will have to reconnect or retry to reach the server. [PR/475706]

AX411 Access Point

■ On SRX210 PoE devices, the access point reboots when 100 clients are associated simultaneously and each one is transmitting 512 bytes packets at 100 pps. [PR/469418]

■ On SRX650 devices, when an access point is part of default cluster and you change the default cluster after the access point is connected to it, the changes might not be reflected. As a workaround, restart the wireless LAN service. [PR/497752]

■ On AX411 Access Points, an access point might not synchronize with newly associated configuration (by changing or swapping the MAC address) and also might not join the changed cluster when it is associated to new config block in the WLAN access-point configuration. As a workaround, deactivate and activate the access point with the following CLI commands:

#deactivate wlan access-point < ap-name >
#commit
#activate wlan access-point < ap-name >
#commit

[PR/504581]

Chassis Cluster

■ On J Series devices in a chassis cluster, the show interface terse command on the secondary Routing Engine does not display the same details as that of the primary Routing Engine. [PR/237982]

■ On J4350 Services Routers, because the clear security alg sip call command triggers a SIP RTO to synchronize sessions in a chassis cluster, use of the command on one node with the node-id, local, or primary option might result in a SIP call being removed from both nodes. [PR/263976]

■ On J Series devices, when a new redundancy group is added to a chassis cluster, the node with lower priority might be elected as primary when the preempt option is not enabled for the nodes in the redundancy group. [PR/265340]

■ On J Series devices, when you commit a configuration for a node belonging to a chassis cluster, all the redundancy groups might fail over to node 0. If graceful protocol restart is not configured, the failover can destabilize routing protocol adjacencies and disrupt traffic forwarding. To allow the commit operation to take place without causing a failover, we recommend that you use the set chassis cluster heartbeat-threshold 5 command on the cluster. [PR/265801]

■ On J Series devices in a chassis cluster, a high load of SIP ALG traffic might result in some call leaks in active resource manager groups and gates on the backup router. [PR/268613]

■ On SRX Series devices in a chassis cluster, configuring the set system process jsrp-service disable command only on the primary node causes the cluster to go into an incorrect state. [PR/292411]

■ On SRX Series devices in a chassis cluster, using the set system processes chassis-control disable command for 4 to 5 minutes and then enabling it causes the device to crash. Do not use this command on an SRX Series device in a chassis cluster. [PR/296022]

■ On SRX3400, SRX3600, SRX5600, and SRX5800 devices, 8-queue configurations are not reflected on the chassis cluster interface. [PR/389451]

■ On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the iflset functionality is not supported for aggregated interfaces like reth. [PR/391377]

■ On an SRX210 device in a chassis cluster, when you upgrade the nodes, sometimes the forwarding process might crash and get restarted. [PR/396728]

■ On an SRX210 device in a chassis cluster, when you upgrade to the latest software image, the interface links do not come up and are not seen in the Packet Forwarding Engine. As a workaround, you can reboot the device to bring up the interface. [PR/399564]

■ On an SRX210 device in a chassis cluster, sometimes the reth interface MAC address might not make it to the switch filter table. This results in the dropping of traffic sent to the reth interface. As a workaround, restart the Packet Forwarding Engine. [PR/401139]

■ On an SRX210 device in a chassis cluster, the fabric monitoring option is enabled by default. This can cause one of the nodes to move to a disabled state. You can disable fabric monitoring by using the following CLI command:

set chassis cluster fabric-monitoring disable

[PR/404866]

■ On an SRX210 Low Memory device in a chassis cluster, the firewall filter does not work on the reth interfaces. [PR/407336]

■ On an SRX210 device in a chassis cluster, the restart forwarding method is not recommended because when the control link goes through forwarding, the restart forwarding process causes disruption in the control traffic. [PR/408436]

■ On an SRX210 device in a chassis cluster, there might be a loss of about 5 packets with 20 Mbps of UDP traffic on an RG0 failover. [PR/413642]

■ On SRX3400, SRX3600, SRX5600, and SRX5800 devices, no trap is generated for redundancy group 0 failover. You can check on the redundancy group 0 state only when you log in to the device. The nonavailability of this information is caused by a failure of the SNMP walk on the backup (secondary) node. As a workaround, use a master-only IP address across the cluster so that you can query a single IP address and that IP address will always be the master for redundancy group 0. [PR/413719]

■ On an SRX210 device with an FTP session ramp-up rate of 70, either of the following might disable the secondary node:

■ Back-to-back redundancy group 0 failover

■ Back-to-back primary node reboot

[PR/414663]

■ If an SRX210 device receives more traffic than it can handle, node 1 either disappears or gets disabled. [PR/416087]

■ On SRX3400, SRX3600, SRX5600, SRX5800, J2300, J2320, J2350, J4350, and J6350 devices in an active/active chassis cluster, when the fabric link fails and then recovers, services with a short time-to-live (such as ALG FTP) stop working. [PR/419095]

■ On SRX3400 and SRX3600 devices in a chassis cluster, ESP authentication errors occur while traffic is sent through 4000 site-to-site IPsec tunnels. [PR/426073]

■ On SRX650, J2300, J2320, J2350, J4350, and J6350 devices, doing a redundancy group 0 failover with 1000 logical interfaces on the reth interface causes replication errors. As a result, the ksyncd process generates a core file. [PR/428636]

■ On SRX5800 devices, SNMP traps might not be generated for the ineligible-primary state. [PR/434144]

■ On SRX3400, SRX3600, SRX5600, and SRX5800 devices in chassis cluster active/active mode, the J-Flow samplings do not occur and the records are not exported to the cflowd server. [PR/436739]

■ On SRX240 Low Memory and High Memory devices, binding the same IKE policy to a dynamic gateway and a site-to-site gateway is not allowed. [PR/440833]

■ On SRX650 devices, the following message appears on the new primary node after a reboot or a RG0 failover:

WARNING: cli has been replaced by an updated version:
CLI release 9.6B1.5 built by builder on 2009-04-29 08:24:20 UTC
Restart cli using the new version ? [yes,no] (yes) yes

[PR/444470]

■ On SRX240 and SRX650 devices in chassis cluster active/active preempt mode, the RTSP session breaks after a primary node reboot and preempt failover. The following common ALGs will be broken: RSH, TALK, PPTP, MSRPC, RTSP, SUNRPC, and SQL. [PR/448870]

■ On SRX240 devices, the cluster might get destabilized when the file system is full and logging is configured on JSRPD and chassisd. The log file size for the various modules should be appropriately set to prevent the file system from getting full. [PR/454926]

■ On SRX5600 and SRX5800 devices in a chassis cluster whenever the reth interface with static MAC address is configured, the ping operation fails from the directly connected device to the chassis cluster. [PR/455051]

■ On SRX3400, SRX3600, SRX5600, and SRX5800 devices in a chassis cluster, the ping operation to the redundant Ethernet interface (reth) fails when the cluster ID changes. [PR/458729]

■ On SRX100 devices, after primary node reboot and cold synchronization are finished, the chassis cluster auth session timeout age and application name cannot synchronize with the chassis cluster peers. [PR/460181]

■ On SRX5600 devices, low-impact in-service software upgrade (ISSU) chassis cluster upgrade does not succeed with the no-old-master-upgrade option when you upgrade from JUNOS Release 9.6R2 to JUNOS Release 10.1. [PR/471235]

■ On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the track IP does not display the correct status if the ip-monitor configuration is under RG0. [PR/482556]

■ On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the secondary node displays incorrect interface status after a low-impact in-service software upgrade (ISSU) from JUNOS Release 9.6R2 to JUNOS Release 10.1R1. [PR/482566]

■ On SRX3400 and SRX3600 devices, chassis cluster upgrades (LICU) with no-old-master-upgrade from JUNOS Release 9.6R2.11 to 10.0R1.x and from JUNOS Release 10.0R1.8 to 10.1x.x do not work. [PR/483485]

■ On SRX5600 devices with an active/active chassis cluster configuration, under stress conditions, memory pointers of the appid module could be inappropriately assigned. This might cause memory corruption. [PR/483522]

■ On SRX3600 devices, after you disable and enable the secondary node track, the IP status remains unreachable. [PR/488890]

■ On SRX5600 and SRX5800 devices, the shaping rate is not honored during LICU upgrades. During LICU upgrades, when the secondary node is upgraded to the primary node, the shaping rate is doubled and continues to be the same doubled value after the LICU upgrade is finished. [PR/499481]

■ On SRX Series devices configured in a chassis cluster, the following informative messages are erroneously displayed during failover, possibly creating the incorrect impression that errors have occurred:

■ l2ha_set_rg_state: Setting rg state for 1 (MASTER)

■ l2ha_set_rg_state: Setting rg state for 1 (BACKUP)

[PR/498010]

■ On SRX5600, SRX5800 devices, the shaping rate doubles during LICU upgrades after the secondary node becomes the primary node and continues to be the same doubled value after LICU, when LICU upgrade is performed for JUNOS Release 10.0R2 to 10.1R1. [PR/491834]

Class of Service (CoS)

■ J4350 and J6350 devices might not have the requisite data buffers needed to meet expected delay-bandwidth requirements. Lack of data buffers might degrade CoS performance with smaller-sized (500 bytes or less) packets. [PR/73054]

■ On J Series devices, with a CoS configuration, when you try to delete all the flow sessions using the clear security flow session command, the WXC application acceleration platform might fail over with heavy traffic. [PR/273843]

■ On SRX Series devices, class-of-service-based forwarding (CBF) does not work. [PR/304830]

■ On SRX3400, SRX3600, SRX5600, and SRX5800 devices, when you change the scheduler type on the Layer 2 aggregated Ethernet interface, the clear interface statistics command does not work for the aggregated Ethernet bundle. [PR/485904]

Enhanced Switching

■ On J Series devices, if the access port is tagged with the same VLAN that is configured at the port, the access port accepts tagged packets and determines the MAC. [PR/302635]

Flow and Processing

■ On J Series devices, even when forwarding options are set to drop packets for the ISO protocol family, the device forms End System-to-Intermediate System (ES-IS) adjacencies and transmits packets because ES-IS packets are Layer 2 terminating packets. [PR/252957]

■ On SRX Series devices, the show security flow session command currently does not display aggregate session information. Instead, it displays sessions on a per-SPU basis. [PR/264439]

■ On J Series devices, OSPF over a multipoint interface connected as a hub-and-spoke network does not restart when a new path is found to the same destination. [PR/280771]

■ On SRX Series devices, when traffic matches a deny policy, sessions will not be created successfully. However, sessions are still consumed, and the unicast-sessions and sessions-in-use fields shown by the show security flow session summary command will reflect this. [PR/284299] [PR/397300]

■ On J Series devices, outbound filters will be applied twice for host-generated IPv4 traffic. [PR/301199]

■ On SRX Series devices, configuring the flow filter with the all flag might result in traces that are not related to the configured filter. As a workaround, use the flow trace flag basic with the command set security flow traceoptions flag. [PR/304083]

■ On SRX210, SRX240, J2320, J2350, J4350, and J6350 devices, broadcast TFTP is not supported when flow is enabled on the device. [PR/391399]

■ On SRX210, SRX240, and SRX650 devices, after the device fragments packets, the FTP over a GRE link might not perform properly because of packet serialization. [PR/412055]

■ On SRX240 devices, traffic flooding occurs when multiple Multicast (MC) IP group addresses are mapped to the same MC MAC address because multicast switching is based on the Layer 2 address. [PR/418519]

■ On SRX650 devices, the input DA errors are not updated when packets are dropped because of MAC filtering on the following:

■ SRX240

■ SRX210

■ 16-port and 24-port GPIMs

■ SRX650 front-end port

This is due to MAC filtering implemented in hardware.

[PR/423777]

■ On SRX650 devices, the uplinks to the CPU can be exhausted and the system can be limited to 2.5 GB throughput traffic when the device is using similar kinds of source MAC addresses. [PR/428526]

■ On SRX5600 and SRX5800 devices, the network processing bundle configuration CLI does not check if PICs in the bundle are valid. [PR/429780]

■ On SRX650 devices, packet loss is observed when the device interoperates with an SSG20 with AMI line-encoding. [PR/430475]

■ On an SRX210 on-board Ethernet port, an IPv6 multicast packet received gets duplicated at the ingress. This happens only for IPv6 multicast traffic in ingress. [PR/432834]

■ On an SRX5800 device with a 1-Gbps IOC, when more than 10 ports per port module are used, intermittent packet loss occurs because of oversubscription. As a workaround, reboot the SRX5800 device. [PR/433209]

■ On SRX3400 and SRX3600 devices, the ramp rate of session creation is slow at times for fragmented UDP traffic. [PR/434508]

■ On SRX5800 devices, when there are nonexistent PICs in the network processing bundle, the traffic is sent out to the PICs and is lost. [PR/434976]

■ On SRX5800 devices, network processing bundling is not supported in Layer 2 transparent mode. [PR/436863]

■ The SRX5600 and SRX5800 devices create more than the expected number of flow sessions with NAT traffic. [PR/437481]

■ On J Series devices, NAT traffic that goes to the WXC ISM 200 and returns back clear (that is, not accelerated by the WXC ISM 200) does not work. [PR/438152]

■ On SRX3400, SRX3600, SRX5600, and SRX5800 devices, there is missing information in the jnxJsFwAuthMultipleFailure trap message. The trap message is required to contain the username, IP address, application, and trap name, but the username is missing. [PR/439314]

■ On SRX5800 devices, for any network processing bundle configuration change to take effect, a reboot is needed. Currently there is no message displayed after a bundle configuration change. [PR/441546]

■ On SRX5800 devices, the IOC hot swap is not supported with network processing bundling. If an IOC that has network processing bundling configured gets unplugged, all traffic to that network processor bundle will be lost. [PR/441961]

■ On SRX5800 devices with interfaces in a network processing bundle, the ICMP flood or UDP flood cannot be detected at the threshold rate. However, it can be detected at a higher rate when the per-network processor rate reaches the threshold. [PR/442376]

■ On SRX5600 devices, equal-cost multipath (ECMP) does not work at Layer 4 when transit traffic is passed. [PR/444054]

■ On an SRX3400 device in combo mode with two SPCs and one NPC, not all sessions are created under the stress test. [PR/450482]

■ On J Series devices, there is a drop in throughput on 64 bytes packet size T3 link when bidirectional traffic is directed. [PR/452652]

■ On SRX240 PoE and J4350 devices, the first packet on each multilink class gets dropped on reassembly. [PR/455023]

■ On SRX240 PoE and J Series devices, packet drops are seen on the lsq interface when transit traffic with a frame length of 128 bytes is sent. [PR/455714]

■ On SRX5600 and SRX5800 devices, system log messages are not generated when CPU utilization returns to normal. [PR/456304]

■ On SRX210, SRX240, and J6350 devices, the serial interface goes down for long duration traffic when FPGA 2.3 version is loaded in the device. As a result, the multilink goes down. This issue is not seen when downgrading the FPGA version from 2.3 to 1.14. [PR/461471]

■ On SRX3400, SRX3600, SRX5600, and SRX5800 devices, in end-to-end debugging, the cp-lbt event actions are not working. There is no change in behavior with or without the cp-lbt event. [PR/462288]

■ On SRX3400, SRX3600, SRX5600, and SRX5800 devices, during end-to-end debugging with the jexec event, packet summary trace messages have unknown IP addresses in the packet summary field. [PR/463534]

■ On SRX3400, SRX3600, SRX5600, and SRX5800 devices, data path-debug rate-limit does not work properly.

When users configure a low rate limit for a large number of trace messages, the system should suspend the trace messages after the configured maximum is reached. The system is not suspending the trace messages. [PR/464151]

■ GPRS tunneling protocol (GTP) application is supported on well-known ports only. Customized application on other ports is not supported. [PR/464357]

■ On J Series devices, interfaces with different bandwidths (even if they are of same interface type, for example, serial interfaces with different clock rates or channelized T1/E1 interfaces with different timeslots) should not be bundled under one ML bundle. [PR/464410]

■ On SRX3400, SRX3600, SRX5600, and SRX5800 devices, downgrading is not supported in low-impact in-service software upgrade (ISSU) chassis cluster upgrades (LICU). [PR/464841]

■ On SRX210 devices, the lowest rate ATM CoS PCR supported is 64 Kbps. The ping operation cannot reach an ATM interface with a PCR lower than 64 Kbps. [PR/470994]

■ SRX3400 and SRX3600 devices with one Services Processing Card and two Network Processing Cards operating under heavy traffic produce fewer flow sessions. [PR/478939]

■ On SRX3400, SRX3600, SRX5600 and SRX5800 devices, in Layer 2 mode, IGMP and multicast are supported only on the 224.X.X.X address. [PR/493166]

Hardware

■ On SRX210 devices, the MTU size is limited to 1518 bytes for the 1-port SFP Mini-PIM. [PR/296498]

■ On SRX210 devices, the system takes between 2 and 5 minutes to initialize. [PR/298635]

■ On SRX240 and SRX650 devices and 16-port or 24-port GPIMs, the 1G half-duplex mode of operation is not supported in the autonegotiation mode. [PR/424008]

■ On SRX240 devices, the Mini-PIM LEDs glow red for a short duration (1 second) when the device is powered on. [PR/429942]

■ On SRX240 devices, the file installation fails on the right USB slot when both of the USB slots have USB storage devices attached. [PR/437563]

■ On SRX240 devices, the combinations of Mini-PIMs cause SFP-Copper links to go down in some instances during bootup, restarting fwdd, and restarting chassisd. As a workaround, reboot the device and the link will be up. [PR/437788]

■ On SRX240 devices, when users swap the USBs after startup, the chassis-control subsystem might not respond to any chassis-related commands. As a workaround, avoid swapping plug and play components in the right USB slot. [PR/437798]

■ On SRX650 devices, the 16-port Gigabit Ethernet switch GPIM is incorrectly labeled as XGPIM. This switch is a double-high XPIM that will operate only in slots 2 to 4 or 6 to 8, connecting to the 20-gigabit connector in slots 2 or 6, respectively. [PR/444511]

■ On SRX210 Low Memory devices, 3G AC402 Live Network Card activation gets timed out. [PR/451493]

■ On SRX5600 devices, during a Routing Engine reboot when processes are being shut down, a rare race condition occurs that can lead to a Routing Engine kernel crash. [PR/488484]

Infrastructure

■ On J Series devices, you cannot use a USB device that provides U3 features (such as the U3 Titanium device from SanDisk Corporation) as the media device during system boot. You must remove the U3 support before using the device as a boot medium. For the U3 Titanium device, you can use the U3 Launchpad Removal Tool on a Windows-based system to remove the U3 features. The tool is available for download at http://www.sandisk.com/Retail/Default.aspx?CatID=1415. (To restore the U3 features, use the U3 Launchpad Installer Tool accessible at http://www.sandisk.com/Retail/Default.aspx?CatID=1411). [PR/102645]

■ On J Series devices, if the device does not have an ARP entry for an IP address, it drops the first packet from itself to that IP address. [PR/233867]

■ On J Series devices, when you press the F10 key to save and exit from BIOS configuration mode, the operation might not work as expected. As a workaround, use the Save and Exit option from the Exit menu. This issue can be seen on the J4350 and J6350 routers with BIOS Version 080011 and on the J2320 and J2350 routers with BIOS Version 080012. [PR/237721]

■ On J Series devices, the Clear NVRAM option in the BIOS configuration mode does not work as expected. This issue can be seen on the J4350 and J6350 routers with BIOS Version 080011 and on the J2320 and J2350 routers with BIOS Version 080012. To help mitigate this issue, note any changes you make to the BIOS configuration so that you can revert to the default BIOS configuration as needed. [PR/237722]

■ On J Series devices, if you enable security trace options, the log file might not be created in the default location at /var/log/security-trace. As a workaround, manually set the log file to the directory /var/log/security-trace. [PR/254563]

■ On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the SNMP set for the MIB object usmUserPrivKeyChange does not work. [PR/482475]

■ On SRX5600 and SRX5800 devices, e2e.trace shows an incorrect PIC number for the egress message. [PR/487331]

Interfaces and Routing

■ On J4350 and J6350 devices, the link status of the onboard Gigabit Ethernet interfaces (ge-0/0/0 through ge-0/0/3) or the 1-port Gigabit Ethernet ePIM interface fails when you configure these interfaces in loopback mode. [PR/72381]

■ On J Series Routers, asymmetric routing, such as tracing a route to a destination behind J Series devices with Virtual Router Redundancy Protocol (VRRP), does not work. [PR/237589]

■ On J2320 devices, when you enable the DHCP client, the default route is not added to the route table. [PR/296469]

■ On SRX5600 and SRX5800 devices, ping to far-end reth interfaces does not work for different routing instances. [PR/408500]

■ On SRX240 devices, drops in out-of-profile LLQ packets might be seen in the presence of data traffic, even when the combined (data+LLQ) traffic does not oversubscribe the multilink bundle. [PR/417474]

■ On SRX240 and SRX650 devices, when you are configuring the link options on an interface, only the following scenarios are supported:

■ Autonegotiation is enabled on both sides.

■ Autonegotiation is disabled on both sides (forced speed), and both sides are set to the same speed and duplex.

If one side is set to autonegotiation mode and the other side is set to forced speed, the behavior is indeterminate and not supported. [PR/423632]

■ On SRX and J Series devices, the RPM operation will not work for the probe-type tcp-ping when the probe is configured with the option destination-interface. [PR/424925]

■ On SRX650 devices, the following loopback features are not implemented for T1/E1 GPIMs:

■ Line

■ FDL payload

■ Inband line

■ Inband payload

[PR/425040]

■ On SRX240, SRX650 and SRX5600 devices, the SNMP null zone counter is not increased if the reth interface is put into the null zone. [PR/427256]

■ On J4350 devices, multicast traffic is not received when the source and the receiver are connected to same PE routers. [PR/429130]

■ On SRX3400, SRX3600, SRX5600, and SRX5800 devices, when you change the multicast scoping to a different multicast address, traffic other than that which is configured for multicast scoping will not be received. [PR/482957]

■ In J Series xDSL PIMs, mapping between IP CoS and ATM CoS is not supported. If the user configures IP CoS in conjunction with ATM CoS, the logical interface level shaper matching ATM CoS rate must be configured to avoid congestion drops in SAR.

Example:
set interfaces at-5/0/0 unit 0 vci 1.110
set interfaces at-5/0/0 unit 0 shaping cbr 62400    ATM COS
set class-of-service interfaces at-5/0/0 unit 0 scheduler-map sche_map    IP COS
set class-of-service interfaces at-5/0/0 unit 0 shaping-rate 62400    ADD IFL SHAPER

[PR/430756]

■ On SRX650 devices, configuring dual and quad T1/E1 framing at the chassis level has no effect. [PR/432071]

■ On SRX240 devices, the serial interface maximum speed in extensive output is displayed as 16384 Kbps instead of 8.0 Mbps. [PR/437530]

■ On SRX Series devices, incorrect Layer 2 circuit replication on the backup Routing Engine might occur when you:

■ Configure nonstop routing (NSR) and Layer 2 circuit standby simultaneously and commit them

■ Delete the NSR configuration and then add the configuration back when both the NSR and Layer 2 circuits are up

As a workaround:

1. Configure the Layer 2 circuit for non-standby connection.

2. Change the configuration to standby connection.

3. Add the NSR configuration.

[PR/440743]

■ On SRX210 Low Memory devices, the E1 interface will flap and traffic will not pass through the interface if you restart forwarding while traffic is passing through the interface. [PR/441312]

■ On SRX3400, SRX3600, SRX5600, and SRX5800 devices, when you configure the SAP listen option using the protocol sap listen command in the CLI, listening fails in both sparse and sparse-dense modes. [PR/441833]

■ On J Series devices, one member link goes down in a Multilink (ML) bundle during bidirectional traffic with Multilink Frame Relay (MFR). [PR/445679]

■ On SRX Series devices, if you configure attributes of an interface unit under both the [interfaces] and the [logical-router logical-router-name interface] hierarchies, only the configuration at the interfaces level will take effect. [PR/447986]

■ On J Series devices, the DS3 interface does not have an option to configure multilink-frame-relay-uni-nni (MFR). [PR/453289]

■ On SRX210 PoE devices, the ATM interface on G.SHDSL interface will not go down when the interface is disabled through the disable command. [PR/453896]

■ On SRX210 devices, the modem moves to the dial-out pending state while connecting or disconnecting the call. [PR/454996]

■ On SRX100 and SRX200 devices with VDSL2, multiple carrier transitions (three to four) are seen during long duration traffic testing with ALU 7302 DSLAM. There is no impact on traffic except for the packet loss after long duration traffic testing, which is also seen in the vendor CPE. [PR/467912]

■ On SRX210 devices with VDSL2, remote end ping fails to go above the packet size of 1480 because the packets get dropped: the default MTU on an interface is 1496, and the default MTU of the remote host Ethernet interface is 1514. [PR/469651]

■ On SRX210 devices with VDSL2, ATM COS VBR related functionality cannot be tested due to lack of support from the vendor. [PR/474297]

■ On SRX210 High Memory devices, IGMP v2 JOINS messages are dropped on an integrated routing and bridging (IRB) interface. As a workaround, enable IGMP snooping to use IGMP over integrated bridging and routing (IRB) interfaces. [PR/492564]

■ On SRX100 and SRX210 devices, every time the VDSL2 PIM is restarted in the ADSL mode, the first packet passing through the PIM will be dropped. This occurs because there is a bug in the SAR engine, which will not set the ATM connection until the first packet has been dropped due to no ATM connection. [PR/493099]

■ On SRX100, SRX210, and J Series devices, out-of-band dial-in access using a serial modem does not work. [PR/458114]

■ On SRX210 PoE devices, the G.SHDSL link does not come up with an octal port line card of total access 1000 ADTRAN DSLAM. [PR/459554]

■ On J Series devices, tail drops are seen on a bundle for traffic with a bigger packet size and smaller fragmentation threshold. [PR/461417]

■ On SRX210 High Memory devices, only six logical interfaces come up on the G.SHDSL ATM interface (including OAM channel). The other two logical interfaces are down. [PR/466296]

■ On SRX210 devices, the G.SHDSL ATM logical interface goes down when ATM CoS is enabled on the interface with OAM. As a workaround, restart the FPC to bring up the logical interface. [PR/472198]

■ On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the show datapath-debug counter command gives error messages from the secondary node. [PR/477017]

■ On SRX3400, SRX3600, SRX5600, and SRX5800 devices, link speeds of 100 Mbps and 1 Gbps cannot be configured on the ae0 interface with child interfaces configured. When you commit the configuration, the system displays an error about the mismatch between the ae0 and child interfaces. [PR/482649]

■ On SRX210 High Memory devices, IGMP v2 JOINS messages are dropped on an IRB interface. As a workaround, enable IGMP snooping to use IGMP over integrated bridging and routing (IRB) interfaces.

■ The destination and destination-profile options for address and unnumbered-address within family inet and inet6 are allowed to be specified within a dynamic profile but are not supported. [PR/493279]

■ On SRX 240 Low Memory devices and SRX 240 High Memory devices, the RPM Server operation does not work when the probe is configured with the option destination-interface. [PR/450266]

■ On SRX 210-High Memory devices, the physical interface module (PIM) shows time in ADSL2+ ANNEX-M, even though it is configured for ANNEX-M ADSL2. [PR/497129]

■ On SRX210 High Memory devices, the GRE tunnel session is not created properly if the tunnel outgoing interface takes a long time to come up. On T1/E1 interfaces of SRX100, SRX210, SRX240, and SRX650 devices, traffic through GRE tunnel may not work. As a workaround, first create the physical interface and commit the configuration and then create a GRE tunnel configuration. [PR/497864]

■ On SRX5600 and SRX5800 devices, load balancing does not happen within the aggregated Ethernet (AE) interface when you use a prefix length of /24 while incrementing the destination IP address. [PR/505840]

Integrated Convergence Services

The following issues currently exist in SRX210 and SRX240 devices with Integrated Convergence Services:

■ On SRX210 devices with Integrated Convergence Services, the call hold feature does not work for Xlite softphones. [PR/432725]

■ On SRX240 devices with Integrated Convergence Services, T1 configuration does not support all the 24 time slots for voice calls. It is limited to 5 time slots or line channels currently. [PR/442934]

■ At least one time slot must be configured for data for voice channels on T1 lines to work. [PR/442932]

■ The music-on-hold feature is not supported for SIP phones. [PR/443681]

■ The peer call server configuration for the media gateway page in J-Web does not correctly display the port number field when TCP is used as the transport. [PR/445734]

■ You cannot edit the media gateway IP address field on the peer call server page in J-Web. [PR/445750]

■ When you click the trunk-group field in J-Web, the configured trunk values are not displayed. [PR/445765]

■ The J-Web Call Feature Add button does not work. [PR/446422]

■ You cannot edit the extension number on the J-Web call features page. [PR/447523]

■ When you edit the remote access number in J-Web, the change is not displayed until you refresh the page. [PR/447530]

■ Comfort noise packets are not generated when both voice activity detection (VAD) and comfort noise generation are enabled for an FXS station. [PR/448191]

■ Caller ID is not displayed on FXS stations for FXO to FXS calls in survivable call server (SRX Series SCS) state. [PR/451719]

■ In J-Web, if you do not configure the class of restriction and a station template, you cannot configure a station. [PR/452439]

■ In J-Web, you cannot specify the station type (as either analog or SIP). [PR/452813]

■ J-Web does not provide support for the SIP template extension inheritance feature. [PR/455787]

■ SNMP does not provide support for survivable call server (SRX Series SCS) statistics. [PR/456454]

■ For J-Web, a commit is completed when a trunk group is configured without one or more trunks, but the trunk group configuration is not visible in J-Web or the CLI. You should not be able to configure a trunk group that does not contain at least one trunk. [PR/460489]

■ Consecutive G.711 fax pass-through between two FXS ports fails when the originating and terminating sides alternate. [PR/465775]

■ When T1 lines for stations or trunks are configured, you might hear a momentary burst of noise on the phone. [PR/467334]

■ You must restart the flow daemon to commit runtime T1 configuration changes. [PR/468594]

■ The voice prompt is not played when the user dials an invalid extension. [PR/472357]

■ The SRX210 device allows the FXS 2 port to be configured as a station and as an FXS trunk concurrently. In this case, the system does not display a commit error. [PR/473561]

■ For SIP trunk to FXO trunk calls routed through the peer call server, the SRX Series device removes the called party number in the SIP INVITE messages. [PR/473979]

■ The SIP-to-SIP simultaneous call capacity is limited to 10 calls. [PR/478485]

Intrusion Detection and Prevention (IDP)

■ On SRX3400, SRX3600, SRX5600, and SRX5800 devices, when the firewall and IDP policy both enable diffServ marking with a different DSCP value for the same traffic, the firewall DSCP value takes precedence and the traffic is marked using the firewall DSCP value. [PR/297437]

■ On SRX3400, SRX3600, SRX5600, and SRX5800 devices, HTTP throughput drops 10 percent from ~3.6 Gbps to ~3.2 Gbps with one Services Processing Card. [PR/482801]

■ On SRX5600 and SRX5800 devices, when the device is processing heavy traffic, the show security idp status operational command might fail. As a result, IDP flow, session, and packet statistics do not match firewall statistics. [PR/389501] [PR/388048]

■ The SRX210 device supports only one IDP policy at any given time. When you make changes to the IDP policy and commit, the current policy is completely removed before the new policy becomes effective. During the update, IDP will not inspect the traffic that is passing through the device for attacks. As a result, there is no IDP policy enforcement. [PR/392421]

■ On SRX210, SRX3400, SRX3600, SRX5600, and SRX5800 devices, in J-Web selecting Configuration>Quick Configuration>Security Policies>IDP Policies>Security Package Update>Help brings up the IDP policy Help page instead of the Signature update Help page. To access the corresponding Help page, select Configuration>Quick Configuration>IDP Policies>Signature/Policies Update and then click Help. [PR/409127]

■ On SRX210 devices during attack detection, multiple attacks get detected. This happens when the IDP policy contains rules that have the match criteria for the same attacks. Error/warning messages do not appear during policy compilation. [PR/414416]

■ On SRX3400, SRX3600, SRX5600 and SRX5800 devices, if you want to change to dedicated mode, the configuration of the security forwarding-process application-services maximize-idp-sessions command should be done right before rebooting the device. This should be done to avoid recompiling IDP policies during every commit. [PR/426575]

■ On SRX3400, SRX3600, and SRX5600 devices, when you configure IDP to run in decoupled mode using the set security forwarding-process application-services maximize-idp-sessions command, network address translation (NAT) information will not be shown in the event log. [PR/445908]

■ On SRX3400, SRX3600, SRX5600, and SRX5800 devices, if you configure a policy containing more than 200 rules, with each rule containing the predefined attack groups (Critical, Major, and Minor), the memory constraint of the Routing Engine (500 MB) is reached. [PR/449731]

■ On SRX3400 and SRX3600 devices, the logging rate is slightly less in SPUs operating in combo mode as compared to SPUs operating in non-combo mode. [PR/457251]

■ On SRX3400, SRX3600, SRX5600, and SRX5800 devices in maximize-idp-sessions mode, there is an IPC channel between two data plane processes. The channel is responsible for transferring the "close session" message (and other messages) from the firewall process to the IDP process. Under stress conditions, the channel becomes full and extra messages might get lost. This causes IDP sessions in the IDP process to hang for longer than necessary, and they will time out eventually. [PR/458900]

■ When an SRX Series device running JUNOS Release 10.1 (Layer 2 access-integrated mode) is rolled back to the JUNOS Release 9.6 image, the DUT comes up in JUNOS Release 9.6 with Layer 2 access-integrated mode, which was not supported in JUNOS Release 9.6. [PR/469069]

■ On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the application-level distributed denial-of-service (application-level DDoS) rulebase (rulebase-ddos) does not support port mapping. If you configure an application other than default, and if the application is from either predefined JUNOS Software applications or a custom application that maps an application service to a nonstandard port, application-level DDoS detection will not work. When you configure the application setting as default, IDP uses application identification to detect applications running on standard and nonstandard ports, hence the application-level DDoS detection works properly. [PR/472522]

■ On SRX3400, SRX3600, SRX5600, and SRX5800 devices with application-level DDoS protection, the IDP session capacity is dropped by 9 percent in integrated mode. [PR/479552]

■ SRX5600 devices operating at high HTTPS session rate with the default session-id-cache-timeout value might run out of memory and begin dropping sessions. As a workaround, reduce the session-id-cache-timeout value. [PR/476215]

J-Flow

■ SRX3400, SRX3600, SRX5600, and SRX5800 devices support 4-byte autonomous system (AS) for BGP configuration. However, the J-Flow template versions 5 and 8 do not support 4-byte AS, because these J-Flow templates have 2 bytes for the SRC/DST AS field. [PR/416497]

■ On SRX3400, SRX3600, SRX5600, and SRX5800 devices, J-Flow sampling on the virtual router interface does not show the autonomous system (AS) and mask length values. The AS and mask length values of cflowd packets show 0 while sampling the packet on the virtual router interface. [PR/419563]

J-Web

■ On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the LEDs on the Routing Engine and PICs are not shown as green when they are up and online on the J-Web Chassis View. [PR/297693]

■ On SRX Series devices, when the user adds LACP interface details, a pop-up window appears in which there are two buttons to move the interface left and right. The LACP page currently does not have images incorporated with these two buttons. [PR/305885]

■ On SRX Series devices, when the user tries to associate an interface to GVRP, a new window appears. This new window shows multiple move-left and move-right buttons. [PR/305919]

■ On SRX210 devices, there is no maximum length limit when the user commits the hostname in CLI mode; however, only a maximum of 58 characters are displayed in the J-Web System Identification panel. [PR/390887]

■ On SRX210, SRX240, and SRX650 devices, the complete contents of the ToolTips are not displayed in the J-Web Chassis View. As a workaround, drag the Chassis View image down to see the complete ToolTip. [PR/396016]

■ On SRX100, SRX210, SRX240, and SRX650 devices, the LED status in the Chassis View is not in sync with the LED status on the device. [PR/397392]

■ On SRX Series devices, when you right-click Configure Interface on an interface in the J-Web Chassis View, the Configure > Interfaces page for all interfaces is displayed instead of the configuration page for the selected interface. [PR/405392]

■ On SRX210 Low Memory devices, in the rear view of the Chassis viewer image, the image of ExpressCard remains the same whether a 3G card is present or not. [PR/407916]

■ On SRX210, SRX3400, SRX3600, SRX5600, and SRX5800 devices, selecting Configure>Security>Policy>IDP Policies>Security Package Update>Help in the J-Web user interface brings up the IDP policy Help page instead of the Signature update Help page. To access the corresponding Help page, select Configure>IDP>Signature Update and then click Help. [PR/409127]

■ On SRX Series devices, the CLI Terminal feature does not work in J-Web over IPv6. [PR/409939]

■ On SRX210 High Memory, SRX240 PoE, and J Series devices, IDP custom attacks and dynamic attack groups cannot be configured using J-Web. [PR/416885]

■ On J2350, J4350, and J6350 devices, users cannot configure firewall filters using J-Web. The Firewall Filters menu was removed because it was not functioning properly. [PR/422898]

■ On SRX210, SRX240, J2350, J4350, and J6350 devices, when J-Web users select the tabs on the bottom-left menu, the corresponding screen is not displayed fully, so users must scroll the page to see all the content. This issue occurs when the computer is set to a low resolution. As a workaround, set the computer resolution to 1280 x 1024. [PR/423555]

■ On SRX Series and J Series devices, users cannot differentiate between Active and Inactive configurations on the System Identity, Management Access, User Management, and Date & Time pages. [PR/433353]

■ On SRX210 devices, in Chassis View, right-clicking any port and then clicking Configure Port takes the user to the Link aggregation page. [PR/433623]

■ On SRX100 devices, in J-Web users can configure the scheduler without entering any stop date. The device submits the scheduler successfully, but the submitted value is not displayed on the screen or saved in the device. [PR/439636]

■ On an SRX5600 device, when you click OK or Cancel from the IPS/Exempt rule configuration page, it takes a long time to go to the next page when the Internet Explorer (IE) browser is used. The slow response is due to predefined attacks, attack group XML data fetching, and the way Internet Explorer refreshes the page. As a workaround, use Firefox 3.5 or later. [PR/449017]

■ On SRX100, SRX210, SRX240, and SRX650 devices, in J-Web the associated dscp and dscpv6 classifiers for a logical interface might not be mapped properly when the user edits the classifiers of a logical interface. This can affect the Delete functionality as well. [PR/455670]

■ On SRX Series and J Series devices, when J-Web is used to configure a VLAN, the option to add an IPv6 address appears. Only IPv4 addresses are supported. [PR/459530]

■ On SRX Series devices, in J-Web the left-side menu items and page content might disappear when Troubleshoot is clicked twice. As a workaround, click the Configure or Monitor menu to get back the relevant content. [PR/459936]

■ On SRX100, SRX210, SRX240, SRX650, and J Series devices, in J-Web, the options Input filter and Output Filter are displayed in the VLAN configuration page. This feature is not supported, and the user cannot obtain or configure any value under these filter options. [PR/460244]

■ On SRX100, SRX210, SRX240, SRX650, and J Series devices, in J-Web configuration for the routing feature, if you enter double quotation marks in the text boxes that accept characters (for example, protocol name, file name, and description), then you cannot delete the data with double quotation marks through J-Web. As a workaround, you can use the CLI to introduce another backslash, which removes the double quotation marks from the data. [PR/464030]

■ On SRX100, SRX210, SRX240, SRX650, and J Series devices, in the J-Web interface, the Traceoptions tab in the Edit Global Settings window of the OSPF Configuration page (Configuration>Routing>OSPF Configuration) does not display the available flags (tracing parameters). As a workaround, use the CLI to view the available flags. [PR/475313]

■ On SRX100, SRX210, SRX240, SRX650, and J Series devices, when you have a large number of static routes configured, and if you have navigated to pages other than page 1 in the Route Information table in the J-Web interface (Monitor>Routing>Route Information), changing the Route Table to query other routes refreshes the page but does not return you to page 1. For example, if you run the query from page 3 and the new query returns very few results, the Route Information table continues to display page 3 with no results. To view the results, navigate to page 1 manually. [PR/476338]


■ On SRX210, SRX240, SRX650, and J Series devices, in the J-Web interface, Monitor>Switching>Spanning Tree shows a null page when Spanning Tree Protocol is not running on the device. [PR/484202]

■ On SRX210 Low Memory, SRX210 High Memory, and SRX210 PoE devices, in the J-Web interface, Configuration>Routing>Static Routing does not display the IPv4 static route configured in rib inet.0. [PR/487597]

■ On SRX210, SRX240, and SRX650 devices, wired equivalent privacy (WEP) key validation is not properly executed in J-Web; sometimes an error is returned even if the proper validation key has been submitted. [PR/486910]

■ On SRX3400 devices, in chassis cluster mode, the predefined attacks list will also be loaded. [PR/488607]

■ On J2350, J4350, J6350, SRX100 Low Memory, SRX100 High Memory, SRX210 Low Memory, SRX210 High Memory, SRX210 PoE, SRX240 Low Memory, SRX240 High Memory, and SRX650 devices, in J-Web, in all the class of service (CoS) features, the system commits the configuration without reporting any validation messages, even if you have not made any changes. [PR/495603]

■ On SRX devices, using J-Web the security zone associated to a logical unit other than zero gets associated to logical unit zero. [PR/504026]

Management and Administration

■ On SRX3400 and SRX3600 devices, a minor alarm is not triggered when the central point or SPU session table is full. [PR/405990]

■ On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the queue statistics are not correct after deletion and re-creation of a logical interface (IFL) or creation of a new IFL. IFL statistics are not cleared for 15 minutes after chassis-control is restarted. [PR/417947]

■ On SRX5600 devices, when the system is in an unstable state (for example SPU reboot), NFS might generate residual.nfs files under the /var/tmp directory, which can occupy the disk space for a very long time. As a workaround, run the request sys storage cleanup command to clean up when the system has low disk space. [PR/420553]

■ On SRX650 devices, the kernel crashes when the link goes down during TFTP installation of the srxsme image. [PR/425419]

■ On SRX650 devices, continuous messages are displayed from syslogd when ports are in switching mode. [PR/426815]

■ On SRX240 devices, if a timeout occurs during the TFTP installation, booting the existing kernel using the boot command might crash the kernel. As a workaround, use the reboot command from the loader prompt. [PR/431955]

■ On SRX240 devices, when you configure the system log hostname as 1 or 2, the device goes to the shell prompt. [PR/435570]

■ On SRX240 devices, the Scheduler Oinker messages are seen on the console at various instances with various Mini-PIM combinations. These messages are seen during bootup, restarting fwdd, restarting chassisd, and configuration commits. [PR/437553]


■ On SRX Series and J Series devices with session-init and session-close enabled, you should not clear sessions manually when too many sessions are in status "used". [PR/445730]

■ On SRX5600 and SRX5800 devices, data path debug trace messages are getting dropped at above 1000 packets per second (pps). [PR/446098]

■ On J2350, J4350, and J6350 devices, extended Bit Error Rate Test (BERT) takes an additional 3 hours to complete even though a BERT-period of 24 hours is set. [PR/447636]

■ On SRX5800 devices, rebooting is required for any NP bundle configuration change to take effect. Currently there is no notification displayed after the bundle configuration change to notify that a reboot is required for the change to take effect. [PR/441546]

■ On SRX5600 and SRX5800 devices, the simple filter does not work after reboot of the new primary node. [PR/486181]

Network Address Translation (NAT)

■ On SRX210 and SRX240 devices, source NAT using interface IP address on the pp0 interface is not working. Traffic is not forwarded because of NAT translation failure via this interface. [PR/479256]

■ On SRX240 High Memory devices, under HA environment, the secondary box can go to DB> mode when there are many policies configured and TCP/UDP/ICMP traffic matched them. [PR/493095]

■ On J4350 devices, when you place internal calls, interface based persistent network address translation (NAT) displays only one active hairpinning session instead of two, even after the call is established. [PR/504932]

■ On SRX3400, SRX3600, SRX5600, and SRX5800 devices, NAT'd behavior in event-logs is incorrect for 10.1. Due to a bug, the log output shows both src and dst IP from client/server instead of just the IP address which is NAT'd. The correct address should be as follows:

If only dest is NAT'd, the IP address displayed in the log should be 0.0.0.0->5.0.0.1

If only src is NAT'd, the IP address displayed in the log should be 4.0.0.0->0.0.0.0

The 10.1 output shows 4.0.0.0->5.0.0.1

[PR/505454]

Power over Ethernet (PoE)

■ On SRX240 and SRX210 devices, the output of the PoE operational commands takes roughly 20 seconds to reflect a new configuration or a change in status of the ports. [PR/419920]

■ On SRX210 and SRX240 devices, the deactivate poe interface all command does not deactivate the PoE ports. Instead, the PoE feature can be turned off by using the disable configuration option. Otherwise, the device must be rebooted for the deactivate setting to take effect. [PR/426772]

■ On SRX210 and SRX240 devices, the output for the show poe telemetries command shows the telemetry data in chronological order. This should be changed to reverse-chronological order (most recent data first). [PR/429033]


■ On SRX210 and SRX240 devices, reset of the PoE controller fails when the restart chassis-control command is issued and also after system reboot. PoE functionality is not negatively impacted by this failure. [PR/441798]

■ On SRX210 devices, the fourth access point connected to the services gateway fails to boot with the default Power over Ethernet (PoE) configuration. As a workaround, configure all the PoE ports to a maximum power of 12.4 watts. Use the following command to configure the ports:

root# set poe interface all maximum-power 12.4

[PR/465307]

■ On SRX100, SRX210, SRX240, and SRX650 devices, with factory default configurations the device is not able to manage the AP. This might be due to the DHCP default gateway not being set. [PR/468090]

■ On SRX210 PoE devices managing AX411 access points, the device might not be able to synchronize time with the configured NTP Server. [PR/460111]

■ On SRX210 PoE devices managing AX411 access points, traffic of 64 bytes at a speed of more than 45 megabits per second (Mbps) might result in loss of keepalives and reboot of the AX411 Access Point. [PR/471357]

■ On SRX210 PoE devices, high latencies might be observed for the Internet Control Message Protocol (ICMP) pings between two wireless clients when 32 virtual access points (VAPs) are configured. [PR/472131]

■ On SRX210 PoE devices, when AX411 access points managed by the SRX devices reboot, the configuration might not be reflected onto the AX411 access point. As a result, the AX411 access point retains the factory default configuration. [PR/476850]

Security

■ On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the egress filter-based forwarding (FBF) feature is not supported. [PR/396849]

■ On SRX210, SRX3400, SRX3600, SRX5600, and SRX5800 devices in a chassis cluster, if the Infranet Controller auth table mapping action is configured as provision auth table as needed, UAC terminates the existing sessions after Routing Engine failover. You might have to initiate new sessions. Existing sessions will not get affected after Routing Engine failover if the Infranet Controller auth table mapping action is configured as always provision auth table. [PR/416843]

■ On SRX3400, SRX3600, SRX5600, and SRX5800 devices, you should not configure rulebase-DDoS rules that have two different application-DDoS objects to run on one destination service because the traffic destined to one application server can encounter more than one rule. Essentially, for each protected application server, you have to configure a single application-level DDoS rule. [PR/467326]


SNMP

■ On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the value for jnxBoxDescr.0 MIB object is incorrectly displayed as SRX 3400 instead of SRX3400. Note that there is no blank space between SRX and the model number (3400/3600). [PR/490296]

USB Modem

■ On SRX210, SRX100, SRX240, and SRX650 devices, when you restart fwdd at the dial-out side, the umd interface goes down and the call never gets connected. As a workaround, disable the dialer interface and restart the forwarding daemon. Enable the dialer interface when the forwarding daemon is up and running. With this the dial-out side re-connects with the dial-in side successfully. [PR/480206]

Perform the following steps:

1. Disable the dialer interface.

root@noky# set interfaces dl0 disable

root@noky# commit

2. Restart forwarding daemon.

root@noky# run restart forwarding

Forwarding Daemon started, pid 1407

root@noky# delete interfaces dl0 disable

root@noky# commit

3. Enable the dialer interface.

root@noky# delete interfaces dl0 disable

root@noky# commit

■ On SRX210 High Memory devices and J6350 devices, packet loss is seen during rapid ping operations between the dialer interfaces when packet size is more than 512 Kbps. [PR/484507]

■ On SRX210 High Memory devices, the modem interface can handle bidirectional traffic of up to 19 Kbps. During oversubscription of 20-Kbps or more traffic, the keepalive packets are not exchanged and the interface goes down. [PR/487258]

■ On SRX210 High Memory devices, IPv6 is not supported on dialer interfaces with a USB modem. [PR/489960]

■ On SRX210 High Memory devices, HTTP traffic is very slow through the umd0 interface. [PR/489961]

■ On SRX210 High Memory devices, on multiple resets of the umd0 interface, the umd0 interface keeps flapping if the d10 (dialer) interface on either the dialin or dialout interface goes down because no keepalive packets are exchanged. As a workaround, increase the ATS0 value to 4 or greater. [PR/492970]

■ On SRX210 Services Gateways with Integrated Convergence Services, when you have USB modem configurations and you remove the USB modem from USB port 1, the device reboots. [PR/491777]


■ On SRX100, SRX210, SRX240, and SRX650 devices, the call terminates if you remove and insert a USB modem. [PR/491820]

■ On SRX210 High Memory devices and J6350 devices, the D10 link flaps during long-duration traffic of 15-Kbps and also when packet size is 256 Kbps or more. [PR/493943]

Unified Access Control (UAC)

■ On J Series devices, MAC address-based authentication does not work when the router is configured as a UAC Layer 2 Enforcer. [PR/431595]

Unified Threat Management (UTM)

■ On SRX210 High Memory devices, content filtering provides the ability to block protocol commands. In some cases, blocking these commands interferes with protocol continuity, causing the session to hang. For instance, blocking the FETCH command for the IMAP protocol causes the client to hang without receiving any response. [PR/303584]

■ On SRX210 High Memory devices, when the content filtering message type is set to protocol-only, customized messages appear in the log file. [PR/403602]

■ On SRX210 High Memory devices, the express antivirus feature does not send a replacement block message for HTTP upload (POST) transactions if the current antivirus status is engine-not-ready and the fallback setting for this state is block. An empty file is generated on the HTTP server without any block message contained within it. [PR/412632]

■ On SRX240, SRX650, J2320, J2350, J4350, and J6350 devices, Outlook Express is sending infected mail (with an EICAR test file) to the mail server (directly, not through DUT). Eudora 7 uses the IMAP protocol to download this mail (through DUT). Mail retrieval is slow, and the EICAR test file is not detected. [PR/424797]

■ On SRX650 devices operating under stress conditions, the UTM subsystem file partition might fill up faster than UTM can process and clean up existing temporary files. In that case, the user might see error messages. As a workaround, reboot the system. [PR/435124]

■ On SRX240 High Memory devices, FTP download for large files (larger than 4 MB) does not work in a two-device topology. [PR/435366]

■ On SRX210, SRX240, and SRX650 devices, the Websense server stops taking new connections after HTTP stress. All new sessions get blocked. As a workaround, reboot the Websense server. [PR/435425]

■ On SRX240 devices, if the device is under UTM stress traffic for several hours, users might get the following error while issuing a UTM command:

the utmd subsystem is not responding to management requests.

As a workaround, restart the utmd process. [PR/436029]


Virtual LANs (VLANs)

■ For SRX210 High Memory devices, during configuration of access and trunk ports, the individual VLANs from the vlan-range are not listed. [PR/489872]

■ On SRX650 devices, when VLAN tagging is configured and traffic is sent, the output of show interfaces ge-0/0/1 media detail VLAN tagged frame count is not shown. [PR/397849]

■ On SRX240, SRX650, J4350, and J6350 devices, tagged frames on an access port with the same VLAN tag are not getting dropped. [PR/414856]

■ On SRX650 devices, customer-vlans and vlan-push do not work together for the same VLAN. [PR/476999]

■ On SRX100, SRX210, and SRX240 devices, the packets are not being sent out of the physical interface when the VLAN ID associated with the VLAN interface is changed. As a workaround, you need to clear the ARP. [PR/438151]

■ On SRX5600 and SRX5800 devices, in Layer 2 mode the first packet is used for MAC learning, and it will not be flooded, so the first packet is dropped if the MAC address is not available in the MAC table. [PR/486980]

■ On SRX5600 and SRX5800 devices, ISIS adjacency is not formed on the VLAN tagged reth interface. [PR/488899]

■ On SRX100 Low Memory, SRX100 High Memory, SRX210 Low Memory, SRX210 High Memory, SRX240 High Memory, and SRX650 devices, the Link Layer Discovery Protocol (LLDP) organization specific Type Length Value (TLV), medium attachment unit (MAU) information always propagates as "Unknown". [PR/480361]

■ On SRX100 High Memory devices and SRX210 Low Memory devices, dot1x unauthenticated ports accept Link Layer Discovery Protocol (LLDP) Protocol Data Units (PDUs) from neighbors. [PR/485845]

VPNs

■ On SRX5600 devices, the shared IKE limit for IKE users is not currently enforced. More users than are specified in the shared IKE limit are able to establish IKE/IPsec tunnels. [PR/288551]

■ On SRX5600 devices, the IKE authentication method displays an unknown message on the dial-up VPN. [PR/393939]

■ On SRX210 and SRX240 devices, concurrent logins to the device from different management systems (for example, laptops or computers) are not supported. The first user session will get disconnected when a second user session is started from a different management system. Also, the status in the first user system is displayed incorrectly as “Connected”. [PR/434447]

■ On SRX Series and J Series devices, the site-to-site policy-based VPNs in a three or more zone scenario will not work if the policies match the address “any”, instead of specific addresses, and all cross-zone traffic policies are pointing to the single site-to-site VPN tunnel. As a workaround, configure address books in different zones to match the source and destination, and use the address book name in the policy to match the source and destination. [PR/441967]


WLAN

■ On SRX Series devices, when WLAN configuration is committed, it takes a while before the configuration is reflected on the access point, depending on the number of virtual access points and the number of access points connected. [PR/450230]

■ On SRX210, SRX240 and SRX650 devices, J-Web online Help displays the list of all the countries and is not based on the regulatory domain within which the access point is deployed. [PR/469941]

WXC Integrated Services Module

■ When two J Series devices with WXC Integrated Services Modules (WXC ISM 200s) installed are configured as peers, traceroute fails if redirect-wx is configured on both peers. [PR/227958]

■ On J6350 devices, JUNOS Software does not support policy-based VPN with WXC Integrated Services Modules (WXC ISM 200s). [PR/281822]

Resolved Issues in JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers

The following issues from JUNOS Release 10.0 have been resolved with this release. The identifier following the description is the tracking number in our bug database.

Application Layer Gateways (ALGs)

AX411 Access Point

■ On SRX210 PoE, SRX240 PoE, and SRX650 devices, the access point clustering feature was not supported in JUNOS Release 10.1B1. [PR/481976: This issue has been resolved.]

Chassis Cluster

■ On SRX5600 and SRX5800 devices, during data path debugging on a chassis cluster in active/active mode, the IOC EZchip egress trace messages were not traced. [PR/440019: This issue has been resolved.]

■ On SRX5600 and SRX5800 devices in a chassis cluster whenever the reth interface with static MAC address was configured, ping operation failed from the directly connected device to the chassis cluster. [PR/455051: This issue has been resolved.]

■ On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the chassis cluster configurations caused the SPU to crash. [PR/460378: This issue has been resolved.]

■ On SRX3400, SRX3600, SRX5600, and SRX5800 devices, during data path debugging on a chassis cluster in active/active mode with customized action profile, the packets that had been matched by the packet filter were dropped at the secondary node 1 and showed unknown packet summary messages. [PR/477388: This issue has been resolved.]

■ On SRX3400, SRX3600, SRX5600, and SRX5800 devices, flowd core occurred after you applied a load balance policy. [PR/485532: This issue has been resolved.]

■ On SRX3400, SRX3600, SRX5600, and SRX5800 devices, a flowd core file error occurred on the backup node when you rebooted the active node and multicast traffic. [PR/484562: This issue has been resolved.]

■ On SRX5800 devices, two nodes in a chassis cluster used the same index for different tunnels. If there was a conflict in the tunnel index and you cleared the tunnel using the index from one node, an extra tunnel might have been removed from the other node. [PR/472109: This issue has been resolved.]

■ On SRX3400 and SRX3600 devices, the new primary node on LICU in JUNOS Release 9.6R2 build was affected in the in-service software upgrade (ISSU) window. [PR/473149: This issue has been resolved.]

■ For SRX3400, SRX3600, SRX5600, SRX5800 devices, the aggregated Ethernet load balancing algorithm with Layer 4 src/dst ports was not supported. [PR/486867: This issue has been resolved.]

Class of Service (CoS)

■ On SRX5600 devices, class of service was not supported in transparent mode. [PR/424286: This issue has been resolved.]

Flow and Processing

■ On J2350, J4350, and J6350 devices, OSPF over GRE over IPsec did not work. [PR/105279: This issue has been resolved.]

■ On SRX100 devices with a native VLAN configured on trunk ports, packets sent out were tagged. Instead, packets should have been sent untagged from the trunk port. [PR/455323: This issue has been resolved.]

■ On SRX5600 devices, the request system storage cleanup command was deleting the configuration file juniper.conf.spu.gz from /var/tmp/. This will cause failure of VPN. [PR/474581: This issue has been resolved.]

■ On SRX5600 and SRX5800 devices with data path debugging enabled, multicast packets were not traced at the IOC egress chip. [PR/455608: This issue has been resolved.]

■ On SRX and J series devices, the mplsResourceTunnelTable reported bandwidth in bits per second instead of kilobits per second. [PR/432716: This issue has been resolved.]

■ MPLS LSP auto-bandwidth adjustment stopped working when RSVP signaled for the path; either optimization was initiated or the LSP went down. [PR/438157: This issue has been resolved.]

■ On SRX5600 devices, the update Packet Data Protocol (PDP) request initiated from gateway GPRS support nodes (GGSNs) might have gotten dropped if the message did not contain an information element (IE) for GSN addresses. [PR/475645: This issue has been resolved.]

■ On SRX100 Low Memory devices, when you sent the traffic out on a trunk, a single stream was replicated and sent out on all the member ports of that trunk. [PR/497313: This issue has been resolved.]

Hardware

■ On SRX240 devices, when users swapped the USBs after startup, the chassis-control subsystem might not respond to any chassis-related commands. [PR/437798: This issue has been resolved.]

■ On SRX240 devices, booting up the device with a USB storage device in both the USB slots might have resulted in a kernel crash. [PR/437515: This issue has been resolved.]

Integrated Convergence Services

■ On SRX210 devices, after you created a station in J-Web, the details were not displayed until you refreshed the page. [PR/446830: This issue has been resolved.]

■ On SRX210 devices, J-Web did not contain support to configure T1 lines for stations. [PR/470036: This issue has been resolved.]

■ In the Via and Contact headers of REGISTER and INVITE messages, incorrect IP addresses were sent over SIP trunks through VPN tunnels. [PR/478125: This issue has been resolved.]

■ Voice codec support is limited to G.711 u-law only. [PR/469094: This issue has been resolved.] [PR/485021: This issue has been resolved.]

Interfaces and Routing

■ On SRX3400 devices, the IPv6 transit counters on the reth interface showed invalid value statistics. [PR/391407: This issue has been resolved.]

■ On SRX3400, SRX3600, SRX5600, and SRX5800 devices, interface statistics on the st0 interface were not accurate. [PR/436857: This issue has been resolved.]

■ On SRX210 PoE devices, the local loopback that was enabled on the G.SHDSL ATM interface did not work. [PR/456393: This issue has been resolved.]

Intrusion Detection and Prevention (IDP)

■ On SRX5600 and SRX5800 devices, when the device processes heavy traffic, the show security idp status operational command might fail. As a result, IDP flow, session, and packet statistics did not match firewall statistics. [PR/389501, PR/388048: This issue has been resolved.]

■ On SRX3400, SRX3600, SRX5600, and SRX5800 devices, when you performed the SSL inspection, the HTTPS sessions with higher data transaction sizes failed because of heavy CPU usage. As a result, new connections might have failed. [PR/390308: This issue has been resolved.]


■ On SRX100 devices, IDP signature updates might have failed if the last known good IDP policy was active. The situation occurred if you loaded a new IDP policy and it failed to load for any reason. [PR/468184: This issue has been resolved.]

J-Web

■ On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the available list of predefined attacks and groups were not listed on the J-Web IDP IPS and exempt rule configuration pages. [PR/295283: This issue has been resolved.]

■ Tracking PR for all switching pages general issues. [PR/431667: This issue has been resolved.]

■ On SRX Series and J Series devices, on the spanning-tree configuration page, the Edit interface/msti window did not save the data before committing the configuration. [PR/433506: This issue has been resolved.]

■ On SRX Series and J Series devices, it took extra time to load the J-Web pages when you click Add or Edit in the STP, GVRP and IGMP-Snooping configuration pages. [PR/422523: This issue has been resolved.]

Management and Administration

■ On SRX5600 and SRX5800 devices during data path debugging, the IPsec packets were not traced at the IOC EZchip egress event. [PR/441663: This issue has been resolved.]

■ On SRX5800 devices, when VPN was not in use, the device did not generate the var/tmp/spu_kmd_init/ file, which is logged by Iked_cfg. This should not happen because it is not an error condition. As a result disk space might be wasted over time. As a workaround, run the cp /dev/null /var/tmp/spu_kmd_init command from the shell to create this file. Also run request sys storage cleanup to clean up when the system has low disk space. [PR/425380: This issue has been resolved.]

Power over Ethernet

■ On SRX210 and SRX240 devices, the class-4 powered device did not get powered on when PoE was configured to operate in class management mode. [PR/437406: This issue has been resolved.]

■ SRX210 and SRX240 devices operating under overload conditions took longer to power off than what is specified in the standards. [PR/437416: This issue has been resolved.]

■ On SRX240 and SRX210 devices, the last powered device did not power on if the allocated power became equal to the power limit on the device. Power allocated must always be less than the power limit. For example, SRX240 devices cannot be configured such that allocated power becomes 150 W, even though it is possible to allocate the power up to 149.8 W. [PR/437792: This issue has been resolved.]


USB Modem

■ On SRX210 PoE devices, if you have USR USB modems configured, the device goes into DB mode. [PR/497184: This issue has been resolved.]

Unified Threat Management (UTM)

■ On SRX650 devices under stress conditions, heavy data traffic going through the UTM subsystem sometimes led to system buffers being used up and to traffic being stopped. [PR/436998: This issue has been resolved.]

■ On SRX210 High Memory devices, the express antivirus initial database download failed because of the slow start of the device interface. [PR/388535: This issue has been resolved.]

Virtual LANs (VLANs)

■ On SRX100, SRX240, and J Series devices, default VLAN was not added to the switch trunk with the "VLAN member all" configuration after reboot. [PR/450869: This issue has been resolved.]

Related Topics

■ New Features in JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers

■ Known Limitations in JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers

■ Errata and Changes in Documentation for JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers

Errata and Changes in Documentation for JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers

This section lists outstanding issues with the documentation.

Application Layer Gateways (ALGs)

■ The following section has been removed from the JUNOS Software Security Configuration Guide to reflect RPC ALG data structure cleanup: “Display the Sun RPC Port Mapping Table.”

■ The “Verifying the RPC ALG Tables” section of the JUNOS Software Security Configuration Guide has been renamed to “Verifying the Microsoft RPC ALG Tables” to reflect RPC ALG data structure cleanup.


Attack Detection and Prevention

The default parameters documented in the firewall/NAT screen configuration options table in the JUNOS Software Security Configuration Guide and the J-Web online Help do not match the default parameters in the CLI. The correct default parameters are:

[edit security screen ids-option untrust-screen]
tcp {
    syn-flood {
        alarm-threshold 1024;
        attack-threshold 200;
        source-threshold 1024;
        destination-threshold 2048;
        timeout 20;
    }
}

CLI

The following sections have been removed from the JUNOS Software CLI Reference to reflect RPC ALG data structure cleanup:

■ show security alg sunrpc portmap

■ clear security alg sunrpc portmap

Flow

The JUNOS Software CLI Reference and JUNOS Software Security Configuration Guide state that the following aggressive aging statements are supported on all SRX Series devices when in fact they are not supported on SRX3400, SRX3600, SRX5600, and SRX5800 devices:

■ [edit security flow aging early-ageout]

■ [edit security flow aging high-watermark]

■ [edit security flow aging low-watermark]


■ Information about secure context and router context has been removed from the JUNOS Software Administration Guide and the JUNOS Software Security Configuration Guide. If you want to use both flow-based and packet-based forwarding simultaneously on a system, use the selective stateless packet-based services feature instead. For more information, see “Configuring Selective Stateless Packet-Based Services” in the JUNOS Software Administration Guide.

Hardware Documentation

■ On SRX100 devices, the Alarm LED is off, indicating that the device is starting up.

Note that when the device is on, if the Alarm LED is off, it indicates that no alarms are present on the device.

■ The “Configuring Basic Settings for the SRX100 Services Gateway with a Configuration Editor” section in the SRX100 Services Gateway Hardware Guide contains the following inaccuracies:

■ The documentation incorrectly implies that the management port and loopback address must be defined for the device.

■ The documentation should indicate that the SSH remote access can be enabled.

■ The documentation indicates the CLI command set services ssh, which is incorrect. The correct command is set system services ssh.

■ The J-Web Initial Set Up screenshot shown in the SRX210 Services Gateway Getting Started Guide and the SRX240 Services Gateway Getting Started Guide contains the following inaccuracies: The J-Web screenshot incorrectly shows the “Enable DHCP on ge-0/0/0.0” check box as disabled in factory default settings. The J-Web screenshot should indicate the “Enable DHCP on ge-0/0/0.0” check box as enabled in factory default settings.

■ The show chassis environment cb 0 command mentioned in the SRX5600 Services Gateway Hardware Guide is modified to show chassis environment cb node 0.

■ The Power over Ethernet section in the SRX210 Services Gateway Hardware Guide incorrectly states that PoE+ support (IEEE 802.3at standard) is available on all models of SRX210 devices.

The guide should state that:

■ PoE (IEEE 802.3af) support is enabled only on the SRX210 Services Gateway PoE model.

■ PoE+ (IEEE 802.3at) support is enabled only on the SRX210 Services Gateway with Integrated Convergence Services model.


Installing Software Packages

■ The current SRX210 documentation does not include the following information:

On SRX210 devices, the /var hierarchy is hosted in a separate partition (instead of the root partition). If JUNOS Software installation fails as a result of insufficient space:

1. Use the request system storage cleanup command to delete temporary files.

2. Delete any user-created files in both the root partition and under the /var hierarchy.

■ The “Installing Software using the TFTPBOOT Method on the SRX100, SRX210, and SRX650 Services Gateway” section in the JUNOS Software Administration Guide contains the following inaccuracies:

■ The documentation incorrectly implies that the TFTPBOOT method requires a separate secondary device to retrieve software from the TFTP server.

■ The documentation should indicate that the TFTPBOOT method does not work reliably over slow speeds or large latency networks.

■ The documentation indicates that before starting the installation, you only need to configure the gateway IP, device IP address, and device IP netmask manually in some cases, when actually you need to configure them manually in all cases.

■ The documentation should indicate that on the SRX100, SRX210, and SRX240 devices, only the ge-0/0/0 port supports TFTP in uboot, and on the SRX650 device, all front-end ports support TFTP in uboot.

■ Step 2 of the “Installing JUNOS Software Using TFTPBOOT” instructions should mention that the URL path is relative to the TFTP server’s TFTP root directory. The instructions should also mention that you should store the JUNOS Software image file in the TFTP server’s TFTP root directory.

■ The documentation should indicate that the TFTPBOOT method installs software on the internal flash on SRX100, SRX210, and SRX240 devices, whereas on SRX650 devices, the TFTP method can install software on the internal or external CompactFlash card.

■ The JUNOS Software Administration Guide is missing the following information about installing software using USB on SRX100, SRX210, SRX240, and SRX650 devices:

You can install or recover the JUNOS Software using USB on SRX100, SRX210, SRX240, and SRX650 devices. During the installation process, the installation package from the USB is installed on the specified boot media.

Before you begin the installation, ensure the following prerequisites are met:

■ U-boot and Loader are up and running on the device.

■ USB is available with the JUNOS Software package to be installed on the device.


To install the software image on the specified boot media:

1. Go to the Loader prompt. For more information on accessing the Loader prompt, see “Accessing the Loader Prompt” on page 260 of the JUNOS Software Administration Guide.

2. Enter the following command at the Loader prompt:

Loader>install URL

Where URL is file:///package

Example:

Loader>install file:///junos-srxsme-9.4-200811.0-domestic.tgz

When you are done, the file reads the package from the USB and installs the software package. After the software installation is complete, the device boots from the specified boot media.

NOTE: USB to USB installation is not supported. Also, on SRX100, SRX210, and SRX240 devices, the software image will always be installed on NAND flash, but on SRX650 devices, the software image can be installed either on the internal or external CompactFlash card based on the boot media specified.

Integrated Convergence Services

■ The SRX Series Integrated Convergence Services Configuration and Administration Guide does not include show commands for JUNOS Release 10.1.

■ On SRX210 and SRX240 devices with Integrated Convergence Services, the Transport Layer Security (TLS) option for the SIP protocol transport is not supported in JUNOS Release 10.1. However, it is documented in the Integrated Convergence Services entries of the JUNOS Software CLI Reference Guide.

■ The JUNOS Software CLI Reference contains Integrated Convergence Services statement entries for the music-on-hold feature, which is not supported for this release.

Interfaces and Routing

■ In the JUNOS Interfaces and Routing Configuration Guide, the Configuring VDSL2 Interface chapter incorrectly states that J-Web support for configuring the VDSL2 Interface is not available in this release. The J-Web support is available for VDSL2 interfaces in JUNOS Software release 10.1.

■ In the JUNOS Interfaces and Routing Configuration Guide, the Configuring G.SHDSL Interface chapter incorrectly states that J-Web support for configuring the G.SHDSL Interface is not available in this release. The J-Web support is available for G.SHDSL interfaces in JUNOS Software release 10.1.


Intrusion Detection and Prevention (IDP)

■ The JUNOS Software Security Configuration Guide does not state that custom attacks and custom attack groups in IDP policies can now be configured and installed even when a valid license and signature database are not installed on the device.

■ The JUNOS Software CLI Reference is missing information about the following IDP policy template commands:

■ Use this command to display the download status of a policy template:

user@host>request security idp security-package download status

Done; Successfully downloaded from (https://devdb.secteam.juniper.net/xmlexport.cgi).

■ Use this command to display the installation status of a policy template:

user@host>request security idp security-package install status

Done;policy-templates has been successfully updated into internal repository (=>/var/db/scripts/commit/templates.xsl)!

■ The ip-action definition on SRX3400, SRX3600, SRX5600, and SRX5800 in the JUNOS Software Security Configuration Guide on page 504 Table 73 is incorrect. The correct definition should be as follows: Enables you to implicitly block a source address to protect the network from future intrusions while permitting legitimate traffic. You can configure one of the following IP action options in application-level DDoS: ip-block, ip-close, and ip-notify.

■ The exclude-context-values option in the JUNOS Software Security Configuration Guide on page 810 Table 101 is missing. The definition for exclude-context-values should be as follows: Configure a list of common context value patterns that should be excluded from application-level DDoS detection. For example, if you have a Web server that receives a high number of HTTP requests on home/landing page, you can exclude it from application-level DDoS detection.

■ The JUNOS Software CLI Reference guide and the Junos Security Configuration guide state that the maximum acceptable range for the timeout (IDP Policy) is 65535 seconds, whereas the ip-action timeout range has been modified to 0-64800 seconds.

■ The JUNOS Software CLI Reference guide and the Junos Security Configuration guide are missing information about the new CLI option download-timeout, which has been introduced to set security idp security-package automatic download-timeout < value >, to configure the download timeout in minutes. The default value for download-timeout is one minute. If the download is completed before the download-timeout, the signature is automatically updated after the download. If the download takes longer than download-timeout, the auto signature update is aborted.

Syntax:

user@host# set security idp security-package automatic download-timeout ?
Possible completions:
  < download-timeout >  Maximum time for download to complete (1 - 60 minutes)

[edit]
user@host# set security idp security-package automatic download-timeout

Range: 1 – 60 seconds
Default: 1 second

■ The Junos Software CLI Reference guide incorrectly states the show security idp status and clear security idp status logs, whereas the logs should be as follows:

■ Correct show security idp status log

user@host> show security idp status
State of IDP: 2-default, Up since: 2010-02-04 13:37:16 UTC (17:15:02 ago)
Packets/second: 5 Peak: 11 @ 2010-02-05 06:51:58 UTC
KBits/second : 2 Peak: 5 @ 2010-02-05 06:52:06 UTC
Latency (microseconds): [min: 0] [max: 0] [avg: 0]
Packet Statistics:
  [ICMP: 0] [TCP: 82] [UDP: 0] [Other: 0]
Flow Statistics:
  ICMP: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
  TCP: [Current: 2] [Max: 6 @ 2010-02-05 06:52:08 UTC]
  UDP: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
  Other: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
Session Statistics:
  [ICMP: 0] [TCP: 1] [UDP: 0] [Other: 0]
Policy Name : sample
Running Detector Version : 10.2.160091104

■ Correct clear security idp status log

user@host> clear security idp status
State of IDP: 2-default, Up since: 2010-02-04 13:37:16 UTC (17:13:45 ago)
Packets/second: 0 Peak: 0 @ 2010-02-05 06:49:51 UTC
KBits/second: 0 Peak: 0 @ 2010-02-05 06:49:51 UTC
Latency (microseconds): [min: 0] [max: 0] [avg: 0]
Packet Statistics:
  [ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]
Flow Statistics:
  ICMP: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
  TCP: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
  UDP: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
  Other: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
Session Statistics:
  [ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]
Policy Name: sample
Running Detector Version: 10.2.160091104

■ The Verifying the Policy Compilation and Load Status section of the JUNOS Software Security Configuration Guide has a missing empty/new line before the IDPD Trace file heading, in the second sample output.

J-Web

The following information pertains to SRX Series and J Series devices:

■ J-Web security package update Help page—The J-Web Security Package Update Help page does not contain information about download status.

■ J-Web pages for stateless firewall filters—There is no documentation describing the J-Web pages for stateless firewall filters. To find these pages in J-Web, go to Configure>Security>Firewall Filters, then select IPv4 Firewall Filters or IPv6 Firewall Filters. After configuring filters, select Assign to Interfaces to assign your configured filters to interfaces.

■ There is no documentation describing the J-Web pages for media gateways. To find these pages in J-Web, go to Monitor>Media Gateway.

Screens

The following information pertains to SRX Series and J Series devices:

■ In the JUNOS Software Design and Implementation Guide, the “Implementing Firewall Deployments for Branch Offices” chapter contains incorrect screen configuration instructions.

Examples throughout this guide describe how to configure screen options using the set security screen screen-name CLI statements. Instead, you should use the set security screen ids-option screen-name CLI statements. All screen configuration options are located at the [set security screen ids-option screen-name] level of the configuration hierarchy.
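Added example (not from the Juniper documentation): a Python audit of set-format configuration text that applies the two screen errata in these notes. It flags statements written at the incorrect set security screen screen-name level and reports the effective tcp syn-flood values per screen, using the CLI defaults listed under Attack Detection and Prevention. The function name, the sample configuration, and the list of screen categories are assumptions made for the example.

```python
"""Audit Junos 'set'-format screen statements (added example, not Juniper code)."""

# CLI defaults for tcp syn-flood, as listed in the Attack Detection and
# Prevention erratum of these release notes.
SYN_FLOOD_CLI_DEFAULTS = {
    "alarm-threshold": 1024,
    "attack-threshold": 200,
    "source-threshold": 1024,
    "destination-threshold": 2048,
    "timeout": 20,
}

# Assumption: keywords that introduce a screen option category. A statement
# that has one of these directly after the screen name, with no "ids-option",
# was written at the incorrect level described in the Screens erratum.
SCREEN_CATEGORIES = frozenset(
    {"icmp", "ip", "tcp", "udp", "limit-session", "alarm-without-drop"}
)

SET_SCREEN = ["set", "security", "screen"]


def audit_screen_config(config_text):
    """Return (findings, effective) for 'set'-format configuration text.

    findings  -- list of (line_number, kind, detail) tuples
    effective -- {screen: {parameter: (value, "explicit" | "cli-default")}}
    """
    findings = []
    explicit = {}
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        tokens = raw.split()
        if tokens[:3] != SET_SCREEN or len(tokens) < 5:
            continue
        if tokens[3] != "ids-option":
            # "set security screen <name> tcp ..." instead of
            # "set security screen ids-option <name> tcp ..."
            if tokens[4] in SCREEN_CATEGORIES:
                corrected = " ".join(SET_SCREEN + ["ids-option"] + tokens[3:])
                findings.append((lineno, "wrong-hierarchy", corrected))
            continue
        name, rest = tokens[4], tokens[5:]
        if rest[:2] != ["tcp", "syn-flood"] or len(rest) != 4:
            continue
        param, value = rest[2], rest[3]
        if param not in SYN_FLOOD_CLI_DEFAULTS:
            continue
        if not value.isdigit():
            findings.append((lineno, "bad-value", f"{param} {value}"))
            continue
        explicit.setdefault(name, {})[param] = int(value)

    # Overlay explicit values on the CLI defaults so the reviewer sees what
    # the device enforces, not what the older documentation implied.
    effective = {}
    for name, params in explicit.items():
        effective[name] = {
            p: (params[p], "explicit") if p in params else (default, "cli-default")
            for p, default in SYN_FLOOD_CLI_DEFAULTS.items()
        }
    return findings, effective


# Constructed sample input; the screen and zone names are hypothetical.
SAMPLE_CONFIG = """\
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 500
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen icmp ping-death
set security screen branch-screen tcp syn-flood alarm-threshold 512
set security zones security-zone untrust screen untrust-screen
"""

if __name__ == "__main__":
    found, values = audit_screen_config(SAMPLE_CONFIG)
    for lineno, kind, detail in found:
        print(f"line {lineno}: {kind}: {detail}")
    for screen, params in values.items():
        for param, (value, origin) in params.items():
            print(f"{screen}: {param} = {value} ({origin})")
```

Parameters reported as cli-default are the ones to review against the corrected defaults, because the older guide and J-Web Help listed different values.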

Related Topics

■ New Features in JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers on page 80

■ Known Limitations in JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers on page 102

■ Issues in JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers on page 112

Hardware Requirements for JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers

■ Transceiver Compatibility for SRX Series and J Series Devices on page 147

■ Power and Heat Dissipation Requirements for J Series PIMs on page 148

■ Supported Third-Party Hardware for J Series Services Routers on page 148

■ J Series CompactFlash and Memory Requirements on page 149

Transceiver Compatibility for SRX Series and J Series Devices

We strongly recommend that only transceivers provided by Juniper Networks be used on SRX Series and J Series interface modules. Different transceiver types (long-range, short-range, copper, and so on) can be used together on multiport SFP interface modules as long as they are provided by Juniper Networks. We cannot guarantee that the interface module will operate correctly if third-party transceivers are used.

Please contact Juniper Networks for the correct transceiver part number for your device.


Power and Heat Dissipation Requirements for J Series PIMs

On J Series Services Routers, the system monitors the PIMs and verifies that the PIMs fall within the power and heat dissipation capacity of the chassis. If power management is enabled and the capacity is exceeded, the system prevents one or more of the PIMs from becoming active.

CAUTION: Disabling power management can result in hardware damage if you overload the chassis capacities.

You can also use CLI commands to choose which PIMs are disabled. For details about calculating the power and heat dissipation capacity of each PIM and troubleshooting procedures, see the J-series Services Routers Hardware Guide.

Supported Third-Party Hardware for J Series Services Routers

The following third-party hardware is supported for use with J Series Services Routers running JUNOS software.

USB Modem

We recommend using a U.S. Robotics USB 56K V.92 Modem, model number USR5637.

Storage Devices

The USB slots on J Series Services Routers accept a USB storage device or USB storage device adapter with a CompactFlash card installed, as defined in the CompactFlash Specification published by the CompactFlash Association. When the USB device is installed and configured, it automatically acts as a secondary boot device if the primary CompactFlash card fails on startup. Depending on the size of the USB storage device, you can also configure it to receive any core files generated during a router failure. The USB device must have a storage capacity of at least 256 MB.

Table 5 on page 148 lists the USB and CompactFlash card devices supported for use with the J Series Services Routers.

Table 5: Supported Storage Devices on the J Series Services Routers

Third-Party Part Number   Storage Capacity   Manufacturer
SDCZ2-256-A10             256 MB             SanDisk—Cruzer Mini 2.0
SDCZ3-512-A10             512 MB             SanDisk
SDCZ7-1024-A10            1024 MB            SanDisk
DTI/512KR                 512 MB             Kingston
DTI/1GBKR                 1024 MB            Kingston
SDDR-91-A15               N/A                SanDisk—ImageMate USB 2.0 Reader/Writer for CompactFlash Type I and II
SDCFB-512-455             512 MB             SanDisk CompactFlash
SDCFB-1000.A10            1 GB               SanDisk CompactFlash

J Series CompactFlash and Memory Requirements

Table 6 on page 149 lists the CompactFlash card and DRAM requirements for J Series Services Routers.

Table 6: J Series CompactFlash Card and DRAM Requirements

Model   Minimum CompactFlash Card Required   Minimum DRAM Required   Maximum DRAM Supported
J2320   512 MB                               512 MB                  1 GB
J2350   512 MB                               512 MB                  1 GB
J4350   512 MB                               512 MB                  2 GB
J6350   512 MB                               1 GB                    2 GB

Related Topics

■ New Features in JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers on page 80

■ Known Limitations in JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers on page 102

■ Changes In Default Behavior and Syntax in JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers on page 93

■ Issues in JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers on page 112

■ Upgrade and Downgrade Instructions for JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers on page 160

■ Errata and Changes in Documentation for JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers on page 140

Dual-Root Partitioning Scheme Documentation for SRX Series Services Gateways

Dual-Root Partitioning Scheme

JUNOS Release 10.1 supports dual-root partitions on SRX100, SRX210, SRX240, and SRX650 devices. Dual-root partitions allow the SRX Series devices to remain functional if there is file system corruption and facilitate easy recovery of the corrupted file system.

SRX Series devices running JUNOS Release 9.6 or earlier support a single-root partitioning scheme where there is only one root partition. Because both the primary and backup JUNOS Software images are located on the same root partition, the system fails to boot if there is corruption in the root file system. The dual-root partitioning scheme guards against this scenario by keeping the primary and backup JUNOS Software images in two independently bootable root partitions. If the primary root partition becomes corrupted, the system will be able to boot from the backup JUNOS Software image located in the other root partition and remain fully functional.

SRX Series devices that ship with JUNOS Release 10.1 are formatted with dual-root partitions from the factory. SRX Series devices that are running JUNOS Release 9.6 or earlier can be formatted with dual-root partitions when upgrading to JUNOS Release 10.1.

NOTE: The dual-root partitioning scheme allows the SRX Series devices to remain functional if there is file system corruption and facilitates easy recovery of the corrupted file system. Although you can install JUNOS Release 10.1 on SRX100, SRX210, SRX240, and SRX650 devices with the single-root partitioning scheme, we strongly recommend the use of the dual-root partitioning scheme.

Selection of Boot Media and Boot Partition

When the SRX Series device powers on, it tries to boot the JUNOS Software from the default storage media. If the device fails to boot from the default storage media, it tries to boot from the alternate storage media.

SRX100, SRX210, and SRX240 devices boot from the following storage media (in order of priority):

1. Internal NAND flash (default; always present)

2. USB storage device (alternate)

SRX650 devices boot from the following storage media (in order of priority):

1. Internal CompactFlash card (default; always present)

2. External CompactFlash card (alternate)

3. USB storage device (alternate)

With the dual-root partitioning scheme, the SRX Series device first tries to boot the JUNOS Software from the primary root partition and then from the backup root partition on the default storage media. If both primary and backup root partitions of a media fail to boot, then the SRX Series device tries to boot from the next available type of storage media. The SRX Series device remains fully functional even if it boots the JUNOS Software from the backup root partition of storage media.


Important Differences Between Single-Root and Dual-Root Partitioning Schemes

Note the following important differences in how SRX Series devices use the two types of partitioning systems.

■ With the single-root partitioning scheme, there is one root partition that contains both the primary and backup JUNOS Software images. With the dual-root partitioning scheme, the primary and backup copies of JUNOS Software are in different partitions. The partition containing the backup copy is mounted only when required.

■ With the dual-root partitioning scheme, when the request system software add command is performed for a JUNOS Software package, the contents of the other root partition are erased. The contents of the other root partition will not be valid unless the installation is completed successfully.

■ With the dual-root partitioning scheme, after a new JUNOS Software image is installed, add-on packages like jais or jfirmware should be reinstalled as required.

■ With the dual-root partitioning scheme, the request system software rollback CLI command does not delete the current JUNOS Software image. It is possible to switch back to the image by issuing the rollback command again.

■ With the dual-root partitioning scheme, the request system software delete-backup CLI command does not take any action. The JUNOS Software image in the other root partition will not be deleted.

Upgrade Methods

SRX Series devices that ship from the factory with JUNOS Release 10.10 are formatted with the dual-root partitioning scheme.

Existing SRX Series devices that are running JUNOS Release 9.6 or earlier use the single-root partitioning scheme. While upgrading these routers to JUNOS Release 10.1, you can choose to format the storage media with dual-root partitions (strongly recommended) or retain the existing single-root partitioning.

Certain JUNOS Software upgrade methods format the internal media before installation, whereas other methods do not. To install JUNOS Release 10.1 with the dual-root partitioning scheme, you must use an upgrade method that formats the internal media before installation.

The following upgrade methods format the internal media before installation:

■ Installation from the boot loader using a TFTP server

■ Installation from the boot loader using a USB storage device

■ Installation from the CLI using the special partition option (available in JUNOS Release 10.1)

The following upgrade methods retain the existing partitioning scheme:

■ Installation using the CLI

■ Installation using J-Web


WARNING: Upgrade methods that format the internal media before installation wipe out the existing contents of the media. Only the current configuration will be preserved. Any important data should be backed up before starting the process.

NOTE: Once the media has been formatted with the dual-root partitioning scheme, you can use conventional CLI or J-Web installation methods, which retain the existing partitioning and contents of the media, for subsequent upgrades.

Upgrading to JUNOS Release 10.1 Without Transitioning to Dual-Root Partitioning

If dual-root partitioning is not desired, use the conventional CLI and J-Web installation methods, as described in the JUNOS Software Administration Guide for Security Devices.

Upgrading to JUNOS Release 10.1 with Dual-Root Partitioning

To format the media with dual-root partitioning while upgrading to JUNOS Release 10.1, use one of the following installation methods:

■ Installation from the boot loader using a TFTP server. This method is preferable if console access to the system is available and a TFTP server is available in the network.

■ Installation from the boot loader using a USB storage device. This method is preferable if console access to the system is available and the system can be physically accessed to plug in a USB storage device.

■ Installation from CLI using the special partition option. This method is recommended only when console access is not available. This installation can be performed remotely.

NOTE: After upgrading to JUNOS Release 10.1, the U-boot and boot loader must be upgraded for the dual-root partitioning scheme to work properly.

Each of the aforementioned methods of installing JUNOS 10.1 with dual-root partitioning is described in detail in the following sections:

■ Installing from the Boot Loader Using a TFTP Server on page 152

■ Installing from the Boot Loader Using a USB Storage Device on page 153

■ Installing from the CLI Using the partition Option on page 154

■ Upgrading the Boot Loader on page 154

Installing from the Boot Loader Using a TFTP Server

See the JUNOS Software Administration Guide for Security Devices for detailed information on installing JUNOS Software using a TFTP server.


To install JUNOS Release 10.1 from the boot loader using a TFTP server:

1. Upload the JUNOS Software image to a TFTP server.

2. Stop the device at the loader prompt and set the following variables:

■ ipaddr

loader> set ipaddr=<IP-address-of-the-device>

■ netmask

loader> set netmask=<netmask>

■ gatewayip

loader> set gatewayip=<gateway-IP-address>

■ serverip

loader> set serverip=<TFTP-server-IP-address>

3. Install the image using the following command at the loader prompt:

loader> install tftp://<server-ip>/<image-path-on-server>

For example:

loader> install tftp://10.77.25.12/junos-srxsme-10.1R1-domestic.tgz

This will format the internal media and install the new JUNOS Software image on the media with dual-root partitioning.

4. Once the system boots up with JUNOS Release 10.1, upgrade the U-boot and boot loader immediately. See “Upgrading the Boot Loader” on page 154.

Installing from the Boot Loader Using a USB Storage Device

To install JUNOS Release 10.1 from the boot loader using a USB storage device:

1. Format a USB storage device in MS-DOS format.

2. Copy the JUNOS Software image onto the USB storage device.

3. Plug the USB storage device into the SRX Series device.

4. Stop the device at the loader prompt and issue the following command:

loader> install file:///<image-path-on-usb>

For example:

loader> install file:///junos-srxsme-10.1R1-domestic.tgz


This will format the internal media and install the new JUNOS Software image on the media with dual-root partitioning.

5. Once the system boots up with JUNOS Release 10.1, upgrade the U-boot and boot loader immediately. See “Upgrading the Boot Loader” on page 154.

Installing from the CLI Using the partition Option

To install JUNOS Release 10.1 with the partition option:

1. Upgrade the device to JUNOS Release 10.1 or later using the CLI or J-Web. This will install the new image with the older single-root partitioning scheme.

2. After the device reboots with JUNOS Release 10.1, upgrade the boot loader to version 1.5. See “Upgrading the Boot Loader” on page 154.

3. Reinstall the 10.1 image from JUNOS CLI using the request system software add command with the partition option. This will copy the image to the device, then reboot the device for installation. The device will boot up with the 10.1 image installed with the dual-root partitioning scheme.

NOTE: This process might take 15–20 minutes. The system will not be accessible over the network during this time.

Upgrading the Boot Loader

To upgrade the boot loader to version 1.5:

1. Upgrade to JUNOS Release 10.1 (with or without dual-root support enabled).

The JUNOS 10.1 image contains the latest boot loader binaries in the following path: /boot/uboot, /boot/loader.

2. Enter the shell prompt.

3. Run the following command from the shell prompt:

bootupgrade -u /boot/uboot -l /boot/loader

Installing JUNOS Release 9.6 or Earlier Release on Systems with Dual-Root Partitioning

JUNOS Release 9.6 and earlier is not compatible with the dual-root partitioning scheme. These releases can only be installed if the media is reformatted with single-root partitioning. Any attempt to install JUNOS Release 9.6 or earlier on a device with dual-root partitioning without reformatting the media will fail with an error. You must install the JUNOS Release 9.6 or earlier image from the boot loader using a TFTP server or USB storage device.

NOTE: You cannot install a JUNOS Release 9.6 or earlier package on a system with dual-root partitioning using the JUNOS CLI or J-Web. An error will be returned if this is attempted.

NOTE: You do not need to reinstall the earlier version of the boot loader.

Reinstalling the Single-Root Partition Release Over TFTP

To reinstall JUNOS Software from the boot loader using a TFTP server:

1. Upload the JUNOS Software image to a TFTP server.

2. Stop the device at the loader prompt and set the following variables:

■ ipaddr

loader> set ipaddr=<IP-address-of-the-device>

■ netmask

loader> set netmask=<netmask>

■ gatewayip

loader> set gatewayip=<gateway-IP-address>

■ serverip

loader> set serverip=<TFTP-server-IP-address>

3. Install the image using the following command at the loader prompt:

loader> install tftp://<server-ip>/<image-path-on-server>

For example:

loader> install tftp://10.77.25.12/junos-srxsme-9.6R1-domestic.tgz

This will format the internal media and install the JUNOS Software image on the media with single-root partitioning.

Reinstalling the Single-Root Partition Release Using USB

To reinstall JUNOS Software from the boot loader using a USB storage device:

1. Format a USB storage device in MS-DOS format.

2. Copy the JUNOS Software image onto the USB storage device.

3. Plug the USB storage device into the SRX Series device.

4. Stop the device at the loader prompt and issue the following command:

loader> install file://<image-path-on-usb>

For example:

loader> install file:///junos-srxsme-9.6R1-domestic.tgz

This will format the internal media and install the JUNOS Software image on the media with single-root partitioning.

Recovery of the Primary JUNOS Software Image with Dual-Root Partitioning Scheme

If the SRX Series Services Gateway is unable to boot from the primary JUNOS Software image, and boots up from the backup JUNOS Software image in the backup root partition, a message is displayed on the console at the time of login indicating that the device has booted from the backup JUNOS Software image:

login: user
Password:
***********************************************************************
** **
** WARNING: THIS DEVICE HAS BOOTED FROM THE BACKUP JUNOS IMAGE **
** **
** It is possible that the active copy of JUNOS failed to boot up **
** properly, and so this device has booted from the backup copy. **
** **
** Please re-install JUNOS to recover the active copy in case **
** it has been corrupted. **
** **
***********************************************************************

Because the system is left with only one functional root partition, you should immediately restore the primary JUNOS Software image. This can be done by installing a new image using the CLI or J-Web. The newly installed image will become the primary image, and the device will boot from it on the next reboot.

CLI Changes

This section describes CLI changes when the SRX Series device runs JUNOS Release 10.1 with the dual-root partitioning scheme.

■ Changes to the Snapshot CLI on page 157

■ partition Option with the request system software add Command on page 158

Changes to the Snapshot CLI

On an SRX Series device, you can configure the primary or secondary boot device with a “snapshot” of the current configuration, default factory configuration, or rescue configuration. The snapshot feature is modified to support dual-root partitioning. The options as-primary, swap-size, config-size, root-size, var-size, and data-size are not supported on SRX Series devices.

With the dual-root partitioning scheme, performing a snapshot to a USB storage device that is less than 1 GB is not supported.

With the dual-root partitioning scheme, you must use the partition option when performing a snapshot. If the partition option is not specified, the snapshot operation fails with a message that the media needs to be partitioned for snapshot.

The output for the show system snapshot CLI command is changed in devices with dual-root partitions to show the snapshot information for both root partitions:

user@host> show system snapshot media usb
Information for snapshot on usb (/dev/da1s1a) (primary)
Creation date: Jul 24 16:16:01 2009
JUNOS version on snapshot:
junos : 10.1I20090723_1017-domestic
Information for snapshot on usb (/dev/da1s2a) (backup)
Creation date: Jul 24 16:17:13 2009
JUNOS version on snapshot:
junos : 10.1I20090724_0719-domestic

NOTE: You can use the show system snapshot media internal command to determine the partitioning scheme present on the internal media. Information for only one root is displayed for single-root partitioning, whereas information for both roots is displayed for dual-root partitioning.

NOTE: Any removable media that has been formatted with dual-root partitioning will not be recognized correctly by the show system snapshot CLI command on systems that have single-root partitioning. Intermixing dual-root and single-root formatted media on the same system is strongly discouraged.
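The following Python code is an added example, not part of the Juniper release notes. It parses captured show system snapshot output in the layout shown above to report single-root or dual-root partitioning, and checks a captured console login for the backup-image warning described under “Recovery of the Primary JUNOS Software Image with Dual-Root Partitioning Scheme.” The function names, the sample captures, and the layout of the single-root sample (one block with no primary or backup tag) are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the dual-root output shown in these release notes.
DUAL_ROOT_SAMPLE = """\
user@host> show system snapshot media usb
Information for snapshot on usb (/dev/da1s1a) (primary)
Creation date: Jul 24 16:16:01 2009
JUNOS version on snapshot:
  junos : 10.1I20090723_1017-domestic
Information for snapshot on usb (/dev/da1s2a) (backup)
Creation date: Jul 24 16:17:13 2009
JUNOS version on snapshot:
  junos : 10.1I20090724_0719-domestic
"""

# Constructed sample; the single-root layout (one block, no role tag) is assumed.
SINGLE_ROOT_SAMPLE = """\
user@host> show system snapshot media internal
Information for snapshot on internal (/dev/da0s1a)
Creation date: Jul 24 16:16:01 2009
JUNOS version on snapshot:
  junos : 9.6R1-domestic
"""

# Constructed console capture containing the banner text quoted in these notes.
CONSOLE_SAMPLE = """\
login: user
Password:
** WARNING: THIS DEVICE HAS BOOTED FROM THE BACKUP JUNOS IMAGE **
"""

HEADER = re.compile(
    r"^Information for snapshot on\s+(?P<media>\S+)\s+\((?P<device>/dev/[^)\s]+)\)"
    r"(?:\s+\((?P<role>primary|backup)\))?$"
)
CREATED = re.compile(r"^Creation date:\s*(?P<date>.+)$")
VERSION = re.compile(r"^junos\s*:\s*(?P<version>\S+)$")
BACKUP_BANNER = "THIS DEVICE HAS BOOTED FROM THE BACKUP JUNOS IMAGE"


@dataclass
class SnapshotRoot:
    media: str
    device: str
    role: Optional[str] = None
    created: Optional[str] = None
    version: Optional[str] = None


def parse_snapshot(text: str) -> List[SnapshotRoot]:
    """Return one SnapshotRoot per 'Information for snapshot' block."""
    roots: List[SnapshotRoot] = []
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            roots.append(SnapshotRoot(header["media"], header["device"], header["role"]))
            continue
        if not roots:
            continue  # prompt, echoed command, or blank line before the first block
        created = CREATED.match(line)
        version = VERSION.match(line)
        if created:
            roots[-1].created = created["date"]
        elif version:
            roots[-1].version = version["version"]
    return roots


def partition_scheme(roots: List[SnapshotRoot]) -> str:
    """Two roots tagged primary and backup mean dual-root; one root means single-root."""
    roles = {root.role for root in roots}
    if len(roots) == 2 and roles == {"primary", "backup"}:
        return "dual-root"
    if len(roots) == 1:
        return "single-root"
    return "unknown"  # empty or truncated capture: do not guess


def booted_from_backup(console_text: str) -> bool:
    """True when the login banner says the device booted the backup image."""
    flattened = " ".join(console_text.replace("*", " ").split())
    return BACKUP_BANNER in flattened


def audit(snapshot_text: str, console_text: str = "") -> dict:
    """Summarise one device; differing versions mean a fallback boot changes the release."""
    roots = parse_snapshot(snapshot_text)
    versions = {root.role or "only": root.version for root in roots}
    return {
        "scheme": partition_scheme(roots),
        "versions": versions,
        "versions_differ": len(set(versions.values())) > 1,
        "booted_from_backup": booted_from_backup(console_text),
    }
```

Calling audit(DUAL_ROOT_SAMPLE, CONSOLE_SAMPLE) reports a dual-root device whose two roots hold different builds and that is currently running from the backup root, which is the case in which the primary image should be reinstalled.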

partition Option with the request system software add Command

A new partition option is available with the request system software add CLI command. Using this option will cause the media to be formatted and repartitioned before the software is installed.

When the partition option is used, the format and install process is scheduled to run on the next reboot. Therefore, it is recommended that this option be used together with the reboot option.

For example:

user@host> request system software add junos-srxsme-10.1R1-domestic.tgz no-copy no-validate partition reboot
Copying package junos-srxsme-10.01R1-domestic.tgz to var/tmp/install
Rebooting ...

The system will reboot and complete the installation.

WARNING: Using the partition option with the request system software add CLI command erases the existing contents of the media. Only the current configuration is preserved. Any important data should be backed up before starting the process.

Using Dual Chassis Cluster Control Links: Upgrade Instructions for the Second Routing Engine

A second Routing Engine is required for each device in a cluster if you are using the dual control links feature (SRX5000 line only). The second Routing Engine does not provide backup functionality; its purpose is only to initialize the switch on the Switch Control Board (SCB). The second Routing Engine must be running JUNOS Release 10.1 or later.

Because you cannot run the CLI or enter configuration mode on the second Routing Engine, you cannot upgrade the JUNOS Software image with the usual upgrade commands. Instead, use the master Routing Engine (RE0) to create a bootable USB storage device, which you can then use to install a software image on the second Routing Engine (RE1).

To upgrade the software image on the second Routing Engine (RE1):

1. Use FTP to copy the installation media into the /var/tmp directory of the master Routing Engine (RE0).

2. Insert a USB storage device into the USB port on the master Routing Engine (RE0).

3. In the UNIX shell, navigate to the /var/tmp directory:

start shell
cd /var/tmp

4. Log in as root or superuser:

su [enter]
password: [enter SU password]

5. Issue the following command:

dd if=installMedia of=/dev/externalDrive bs=64k

where

■ externalDrive—Refers to the removable media name. For example, the removable media name on an SRX5000 line device is da0 for both Routing Engines.

■ installMedia—Refers to the installation media downloaded into the /var/tmp directory. For example, install-media-srx5000-10.1R1-domestic.tgz.

The following code example can be used to write the image that you copied to the master Routing Engine (RE0) in step 1 onto the USB storage device:

dd if=install-media-srx5000-10.1R1-domestic.tgz of=/dev/da0 bs=64k

6. Log out as root or superuser:

exit

7. After the software image is written to the USB storage device, remove the device and insert it into the USB port on the second Routing Engine (RE1).

8. Move the console connection from the master Routing Engine (RE0) to the second Routing Engine (RE1), if you do not already have a connection.

9. Reboot the second Routing Engine (RE1). Issue the following command:

# reboot

■ When the following system output appears, press y:

WARNING: The installation will erase the contents of your disks.
Do you wish to continue (y/n)?

■ When the following system output appears, remove the USB storage device and press Enter:

Eject the installation media and hit [Enter] to reboot?

Upgrade and Downgrade Instructions for JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers

In order to upgrade to JUNOS Release 10.1 or later, your device must be running one of the following JUNOS Software releases:

■ 9.1S1

■ 9.2R4

■ 9.3R3

■ 9.4R3

■ 9.5R1 or later

If your device is running an earlier release, upgrade to one of these releases and then to the 10.1 release. For example, to upgrade from Release 9.2R1, first upgrade to Release 9.2R4 and then to Release 10.1B3.

For additional upgrade and download information, see the JUNOS Software Administration Guide and the JUNOS Software Migration Guide.

JUNOS Software Release Notes for EX Series Switches

■ New Features in JUNOS Release 10.1 for EX Series Switches on page 160

■ Changes in Default Behavior and Syntax in JUNOS Release 10.1 for EX Series Switches on page 164

■ Limitations in JUNOS Release 10.1 for EX Series Switches on page 165

■ Outstanding Issues in JUNOS Release 10.1 for EX Series Switches on page 168

■ Resolved Issues in JUNOS Release 10.1 for EX Series Switches on page 171

■ Errata in Documentation for JUNOS Release 10.1 for EX Series Switches on page 174

■ Upgrade and Downgrade Issues for JUNOS Release 10.1 for EX Series Switches on page 174

New Features in JUNOS Release 10.1 for EX Series Switches

New features in Release 10.1 of JUNOS Software for EX Series switches are described in this section.

Not all EX Series software features are supported on all EX Series platforms in the current release. For a list of all EX Series software features and their platform support, see EX Series Switch Software Features Overview.

New features are described on the following pages:

■ Hardware on page 161

■ Access Control and Port Security on page 162

■ Bridging, VLANs, and Spanning Trees on page 162

■ Class of Service (CoS) on page 162

■ Infrastructure on page 162

■ Interfaces on page 163

■ Layer 2 and Layer 3 Protocols on page 163

■ Management and RMON on page 163

■ MPLS on page 163

■ Packet Filters on page 163

Hardware

■ EX2200 switch—The EX2200 switch is a fixed-configuration switch that is available in four models—24-port or 48-port models with either all ports equipped for Power over Ethernet (PoE) or none of the ports equipped for PoE.

All EX2200 models provide network ports that have 10/100/1000BASE-T Gigabit Ethernet connectors and uplink ports that support 1-gigabit small form-factor pluggable (SFP) transceivers for use with fiber connections and copper connections. For information about software features supported on the EX2200 switch, see EX Series Switch Software Features Overview.

The following optical interfaces are supported on the EX2200 switch:

■ EX-SFP-1GE-T (1000BASE-T, 100 m)

■ EX-SFP-1GE-SX (1000BASE-SX, 220 m, 275 m, 500 m, or 550 m)

■ EX-SFP-1GE-LX (1000BASE-LX, 10 km)

■ EX-SFP-1GE-LH (1000BASE-LH or 1000Base-LH, 70 km)

■ EX-SFP-1FE-FX (100BASE-FX, 2 km)

■ EX-SFP-FE20KT13R15 (100BASE-BX-U, 20 km)

■ EX-SFP-FE20KT15R13 (100BASE-BX-D, 20 km)

■ New optical transceiver support—The 8-port 10-Gigabit Ethernet SFP+ line card in EX8200 switches now supports one new optical transceiver: EX-SFP-10GE-ER (10GBase-ER, 40 km).

Access Control and Port Security

■ Captive portal authentication—Captive portal authentication allows you to authenticate users on EX Series switches by redirecting Web browser requests to a login page that requires users to input a username and password before they are allowed access to the network. In addition to using the feature to control network access by requiring users to provide information that is authenticated against a RADIUS server database, you can also use it to display an acceptable-use policy to users before they access your network. An authentication whitelist allows you to specify MAC addresses that are allowed to bypass authentication.

Bridging, VLANs, and Spanning Trees

■ Proxy ARP—Proxy ARP can be configured on a per-VLAN basis, in either restricted or unrestricted mode.

■ IPv6 unicast VRF support—EX Series switches now support IPv6 unicast VRF traffic.

■ Private VLANs—Private VLANs (PVLANs) are now supported on EX8200 switches.

Class of Service (CoS)

■ Port shaping and queue shaping—Port shaping and queue shaping (the shaping-rate configuration statement) are now available on EX8200 switches.

Infrastructure

■ IPv6 support on EX8200 switches—EX8200 switches now support configuration of IPv6 addresses.

■ Automatic refreshing of scripts—You can refresh commit, event, and op scripts automatically using operational mode commands such as request system scripts refresh-from commit, request system scripts refresh-from event, or request system scripts refresh-from op.

■ Source gateway IP address selection for relayed DHCP packets—The source gateway IP address selection for relayed DHCP packets feature allows you to use the gateway IP address (giaddr) as the source IP address of the switch for relayed DHCP packets when an EX Series switch is used as the DHCP relay agent.

Interfaces

■ Unicast reverse-path forwarding support—Unicast reverse-path forwarding (RPF) is available on EX8200 switches. The unicast RPF feature can be enabled on specific interfaces on EX8200 switches and supports ECMP traffic.

Layer 2 and Layer 3 Protocols

■ IPv6 Layer 3 multicast routing and forwarding—EX3200 and EX4200 switches now support IPv6 Layer 3 multicast routing and forwarding, which includes Multicast Listener Discovery version 1 (MLDv1) and MLDv2 to manage multicast group membership; reverse-path forwarding (RPF) to enable multicast routers to correctly forward multicast traffic to other multicast routers; Protocol Independent Multicast sparse mode (PIM SM) and PIM source-specific multicast (PIM SSM) protocols; and static rendezvous point (RP), bootstrap RP, and embedded RP to manage RP information for multicast groups.

Management and RMON

■ Real-time performance monitoring (RPM) support on EX8200 switches—RPM is supported on EX8208 and EX8216 switches.

■ SNMP MIB enhancements—The SNMP agent polls and gets details of all MIBs on EX2200 switches.

MPLS

■ MPLS enhancements—On EX3200 and EX4200 switches, MPLS supports class of service (CoS), IP over MPLS, and fast reroute to reroute the label-switched path in cases of link failure.

Packet Filters

■ IPv6 support for firewall filters on EX3200 and EX4200 switches—On EX3200 and EX4200 switches, you can apply match conditions to IPv6 traffic on Layer 3 interfaces, aggregated Ethernet interfaces, and loopback interfaces.

The following are the match conditions applicable to IPv6 traffic: destination-address, destination-port, destination-prefix-list, icmp-code, icmp-type, interface, next-header, packet-length, source-address, source-port, source-prefix-list, tcp-established, tcp-flags, tcp-initial, and traffic-class.

The following are the actions and action modifiers applicable to IPv6 traffic: accept, discard, routing-instance, analyzer, count, forwarding-class, loss-priority, and policer.

■ Enhancement to the interface match condition on EX8200 switches—On EX8200 switches, you can now specify aggregated Ethernet interfaces as match conditions using the interface match condition. You can configure an ingress or egress firewall filter with an aggregated Ethernet interface as a match condition and apply the firewall filter to ports, VLANs, and Layer 3 interfaces.

Related Topics

■ Changes in Default Behavior and Syntax in JUNOS Release 10.1 for EX Series Switches on page 164

■ Limitations in JUNOS Release 10.1 for EX Series Switches on page 165

■ Outstanding Issues in JUNOS Release 10.1 for EX Series Switches on page 168

■ Resolved Issues in JUNOS Release 10.1 for EX Series Switches on page 171

■ Errata in Documentation for JUNOS Release 10.1 for EX Series Switches on page 174

■ Upgrade and Downgrade Issues for JUNOS Release 10.1 for EX Series Switches on page 174

Changes in Default Behavior and Syntax in JUNOS Release 10.1 for EX Series Switches

The following changes in system behavior, configuration statement usage, or operational mode command usage have occurred since the previous release and might not yet be documented in the JUNOS Software for EX Series switches documentation:

Layer 2 and Layer 3 Protocols

■ EX Series switches now support the show multicast rpf instance instance-name command.

■ The iso option is not available in the show pfe route command because it is not supported on EX Series switches.

Infrastructure

■ On EX Series switches, the sip-server statement in the [edit system services dhcp] hierarchy is now supported, allowing explicit configuration of SIP server addresses for DHCP servers.

User Interface and Configuration

■ On EX3200 switches and EX4200 switches, the request system power-off other-routing-engine command and the request system power-off both-routing-engines command are disabled.

■ The output of the show chassis hardware command for EX3200 switches and EX4200 switches has been changed. The Description field in the output now displays SFP-100-LX40 for the 100Base-LH interface and SFP-100-LH for the 100Base-ZX interface.

■ If you enable PIM on all interfaces using the interface all command, it is not enabled on the me0 and vme interfaces by default. Therefore you do not need to explicitly disable PIM on the management interfaces. Previously, enabling PIM on all interfaces caused it to be enabled on these management interfaces.

Related Topics

■ New Features in JUNOS Release 10.1 for EX Series Switches on page 160

■ Limitations in JUNOS Release 10.1 for EX Series Switches on page 165

■ Outstanding Issues in JUNOS Release 10.1 for EX Series Switches on page 168

■ Resolved Issues in JUNOS Release 10.1 for EX Series Switches on page 171

■ Errata in Documentation for JUNOS Release 10.1 for EX Series Switches on page 174

■ Upgrade and Downgrade Issues for JUNOS Release 10.1 for EX Series Switches on page 174

Limitations in JUNOS Release 10.1 for EX Series Switches

This section lists the limitations in JUNOS Release 10.1R1 for EX Series switches.

Access Control and Security

■ When you have configured more than 1024 supplicants on a single interface, 802.1X authentication might not work as expected and the 802.1X process (dot1xd) might fail.

Class of Service

■ On EX8200 switches, classification of packets using ingress firewall filter rules with forwarding-class and loss-priority configurations does not rewrite the DSCP or 802.1p bits. Rewriting of packets is determined by the forwarding-class and loss-priority values set in the DSCP classifier applied on the interface.

■ On EX4200 switches, the traffic is shaped at rates above 500 kb, even when the shaping rate configured is less than 500 kb. The minimum shaping rate is 500 kb.

■ When the scheduler map bound to an interface is changed, there might be packet drops temporarily in all the interfaces bound to the scheduler map while the configuration change is being implemented.

Firewall Filters

■ On EX Series switches, when interface ranges or VLAN ranges are used in configuring firewall filters, egress firewall filter rules take more than 5 minutes to install.

■ IGMP packets are not matched by user-configured firewall filters.

Infrastructure

■ If you configure interface parameters on an EX3200 or EX4200 switch running JUNOS Release 9.2 or Release 9.3 for EX Series switches and then attempt to upgrade to a later release or a later version of Release 9.3 than the one that is currently installed, the switch might display the following error message: init: interface-control is thrashing, not restarted. As a workaround, on the interfaces you had previously configured, configure no-auto-negotiation and set the link mode to full-duplex, then commit the revised configuration.

■ The RADIUS request sent by an EX Series switch contains both Extensible Authentication Protocol (EAP) Identity Response and State attributes.

■ On EX Series switches, an SNMP query fails when the SNMP index size of a table is greater than 128 bytes, because the Net SNMP tool does not support SNMP index sizes greater than 128 bytes.

■ Spanning-tree, GVRP, or IGMP snooping configuration windows might load slowly in the J-Web interface. Wait till the windows load completely before entering information, or some information might get lost.

■ On EX Series switches, the show snmp mib walk etherMIB does not display any output, even though the etherMIB is supported. This occurs because the values are not populated at the module level—they are populated at the table level only. You can issue show snmp mib walk dot3StatsTable, show snmp mib walk dot3PauseTable, and show snmp mib walk dot3ControlTable commands to display the output at the table level.

■ When you issue the request system power-off command, the switch halts instead of turning off power.

■ In the J-Web interface, the Ethernet Switching monitoring page might not display monitoring details if there are more than 13,000 MAC entries on the switch.

■ In the J-Web interface, changing port roles from Desktop, Desktop and Phone, and Layer 2 Uplink might not remove the configurations for enabling dynamic ARP inspection and DHCP snooping.

■ On EX8200 switches, if IS-IS is enabled on routed VLAN interfaces (RVIs), IS-IS adjacency states go down and come up after a graceful Routing Engine switchover (GRES).

■ When an external RADIUS server goes offline and comes back online after some time, subsequent captive portal authentication requests might fail until the authd daemon is restarted. As a workaround, you can configure the revert interval—the time after which to revert to the primary server—and restart the authd daemon.

■ Momentary loss of an inter-Routing Engine IPC message might trigger the alarm that displays the message Loss of communication with Backup RE. There is no functionality affected.

Interfaces

■ EX Series switches do not support queued packet counters. Therefore, the queued packet counter in the output of the show interfaces interface-name extensive command always displays a count of 0 and is never updated.

■ The following message might appear in the system log:

Resolve request came for an address matching on Wrong nh nh:355, type:Unicast...?

You can ignore this message.

■ On EX3200 and EX4200 switches, when port mirroring is configured on any interface, the mirrored packets leaving a tagged interface might contain an incorrect VLAN ID.

■ On EX8200 switches, port mirroring configuration on a Layer 3 interface with the output configured to a VLAN is not supported.

■ On EX8200 switches, when an egress VLAN that belongs to a routed VLAN interface (RVI) is configured as the input for a port mirroring analyzer, the analyzer incorrectly appends a dot1q (802.1Q) header to the mirrored packets or does not mirror any packets at all. As a workaround, configure a port mirroring analyzer with each port of the VLAN as egress input.

■ The following interface counters are not supported on routed VLAN interfaces (RVI): local statistics, traffic statistics, and transit statistics.

■ EX Series switches do not support IPv6 interface statistics. Therefore, all values in the output of the show snmp mib walk ipv6IfStatsTable command always display a count of 0.

■ The show interface detail | extensive command might display double counting of packets or bytes for the transit statistics and traffic statistics counters. You can use the counter information displayed under the Physical interface section of the output.

■ When a virtual management Ethernet (VME) interface is used as a default gateway and the VME is the indirect next hop for any route, the route might not change dynamically and could always point to VME interface.

Related Topics

■ New Features in JUNOS Release 10.1 for EX Series Switches on page 160

■ Changes in Default Behavior and Syntax in JUNOS Release 10.1 for EX Series Switches on page 164

■ Outstanding Issues in JUNOS Release 10.1 for EX Series Switches on page 168

■ Resolved Issues in JUNOS Release 10.1 for EX Series Switches on page 171

■ Errata in Documentation for JUNOS Release 10.1 for EX Series Switches on page 174

■ Upgrade and Downgrade Issues for JUNOS Release 10.1 for EX Series Switches on page 174

Outstanding Issues in JUNOS Release 10.1 for EX Series Switches

The following are outstanding issues in JUNOS Release 10.1R1 for EX Series switches. The identifier following the description is the tracking number in our bug database.

NOTE: PRs 300576, 403842, 409934, 415569, 415748, 429589, 440611, 455670, and 488318, which were included in the earlier release notes as outstanding issues, have been removed, because these issues are not applicable to JUNOS Release 10.1R1 for EX Series switches.

Access Control and Port Security

■ If you configure the RADIUS server revert-interval interval option, the switch does not attempt to reconnect to the unreachable server after the revert interval has elapsed. [PR/304637]

Bridging, VLANs, and Spanning Trees

■ There might be traffic loss on VLANs learned through MVRP during GRES. After the GRES, there will not be any traffic loss. [PR/458303]

■ On EX Series switches, in a scaled environment with more than 4000 VLANs, MVRP advertisements might not be sent intermittently when the VLAN membership is modified. [PR/475701]

Class of Service

■ If you are configuring an interface as part of an aggregated Ethernet interface, and also configuring CoS on that interface, do not commit both configurations using a single commit operation. Use separate commit operations to commit the two configurations. [PR/490542]

Firewall Filters

■ On an EX2200 switch, when you add a syslog action modifier to the firewall filter, the pfem process might core dump when the filter binding is changed from an egress VLAN to an ingress VLAN. [PR/495572]

■ If an ingress firewall has been configured with a LAG-interface-match condition and you delete this firewall configuration, the pfem process might core dump. When the pfem process is restarted, it works as expected. [PR/504273]

Infrastructure

■ On EX Series switches, MAC addresses not present in the forwarding database (FDB) because of hash collision are not removed from the Ethernet switching process (eswd). These MAC addresses do not age out of the Ethernet switching table even if traffic is stopped completely and are never relearned when traffic is sent to these MAC addresses, even when there is no hash collision. As a workaround, clear those MAC addresses from the Ethernet switching table. [PR/451431]

■ Though the interface-range configuration statement is not supported under the [edit groups] hierarchy, an error message might not be displayed when you use the interface-range statement. [PR/453538]

■ On EX8200 switches, when IGMP snooping is enabled on an interface, the IPv6 multicast Layer 2 control frame is not forwarded to other interfaces in the same VLAN. [PR/456700]

■ The jnxFirewall MIB might not be populated in a firewall filter configuration. As a workaround, set up the following configuration to skip the firewall MIB:

user@switch# show snmp
view firewall_exclude {
    oid .1.3.6.1.4.1.2636.3.5 exclude;
    oid .1;
}
community public {
    view firewall_exclude;
    authorization read-only;
}

[PR/464061]

■ On EX2200 switches, the MIB OID ipv6Forwarding indicates that IPv6 is supported even though IPv6 is not supported. The value of the ipv6Forwarding.0 MIB object is 1. [PR/473128]

■ If you attempt to set the time zone to Europe/Berlin on a switch with dual Routing Engines, the commit command might fail. [PR/483273]

Interfaces

■ On EX8200 switches, aggregated Ethernet interfaces might go down and come back up for a few minutes while the switch is updating many routes. [PR/416976]

J-Web Interface

■ In the J-Web interface, you cannot commit some configuration changes in the Ports Configuration page and VLAN Configuration page because of the following limitations for port mirroring ports and port mirroring VLANs:

■ A port configured as the output port for an analyzer cannot be a member of any VLAN other than the default VLAN.

■ A VLAN configured to receive analyzer output can be associated with only one port.

[PR/400814]

■ In the J-Web interface, uploading a software package to the switch might not work properly if you are using Internet Explorer version 7. [PR/424859]

■ If an SRE module, RE module, SF module, line card, or Virtual Chassis member is in offline mode, the J-Web interface might not update the dashboard image accordingly. [PR/431441]

■ In the J-Web interface, in the Port Security Configuration page, you are required to configure action when you configure MAC limit even though configuring an action value is not mandatory in the CLI. [PR/434836]

■ In the J-Web interface, in the OSPF Global Settings table in the OSPF Configuration page, the Global Information table in the BGP Configuration page, or the Add Interface window in the LACP Configuration page, if you try to change the position of columns using the drag-and-drop method, only the column header moves to the new position instead of the entire column. [PR/465030]

■ In the J-Web interface, in the OSPF Configuration page (Configuration > Routing > OSPF), the Traceoptions tab in the Edit Global Settings window does not display the available flags (tracing parameters). As a workaround, use the CLI to view the available flags. [PR/475313]

■ When you have a large number of static routes configured and if you have navigated to pages other than page 1 in the Route Information table in the J-Web interface (Monitor > Routing > Route Information), changing the Route Table to query other routes refreshes the page, but does not return to page 1. For example, if you run the query from page 3 and the new query returns very few results, the Results table continues to display page 3 and shows no results. To view the results, navigate to page 1 manually. [PR/476338]

■ In the J-Web interface, the dashboard does not display the uplink ports when transceivers are not plugged into the ports. [PR/477549]

■ An IPv4 static route configured using the CLI might not be displayed when you select the Configure -> Routing -> Static Routing option in the J-Web interface. [PR/487597]

■ In the J-Web interface, the OSPF Monitoring page might display an error message if there are multiple interfaces/neighbors detected in an autonomous system. [PR/502132]

Related Topics

■ New Features in JUNOS Release 10.1 for EX Series Switches

■ Changes in Default Behavior and Syntax in JUNOS Release 10.1 for EX Series Switches

■ Limitations in JUNOS Release 10.1 for EX Series Switches

■ Resolved Issues in JUNOS Release 10.1 for EX Series Switches

■ Errata in Documentation for JUNOS Release 10.1 for EX Series Switches

■ Upgrade and Downgrade Issues for JUNOS Release 10.1 for EX Series Switches

Resolved Issues in JUNOS Release 10.1 for EX Series Switches

The following are the issues that have been resolved since JUNOS Release 10.0R1 for EX Series switches. The identifier following the descriptions is the tracking number in our bug database.

Access Control and Port Security

■ When both DHCP relay and DHCP snooping are configured on an EX2200 switch, the DHCP snooping database might not be built on the switch. [PR/480682: This issue has been resolved.]

Bridging, VLANs, and Spanning Trees

■ When Multiple VLAN Registration Protocol (MVRP) and MSTP are enabled together on EX Series switches, convergence does not occur between MVRP and MSTP. [PR/449248: This issue has been resolved.]

■ On EX4200 switches with the access interface through which traffic enters the switch configured as trusted (secure-access-port interface interface-name dhcp-trusted), VLAN Spanning Tree Protocol (VSTP) bridge protocol data units (BPDUs) are sent to the Routing Engine with the learning CPU code 37 instead of the reserved learning CPU code 306. [PR/468095: This issue has been resolved.]

■ On EX3200 and EX4200 switches with large VLAN configurations (more than 1024 VLANs), stale dynamic VLAN entries might be found in the Ethernet switching process (eswd) after you delete VLANs or deactivate the Multiple VLAN Registration Protocol (MVRP). [PR/471647: This issue has been resolved.]

■ On an EX2200 switch, when there is no STP or RTG configured in the network and there is traffic looping, after the network loop is broken, sometimes MAC learning might not occur. As a workaround, restart the forwarding (pfem) process. [PR/473454: This issue has been resolved.]

■ When MVRP and VSTP are enabled together on EX Series switches, convergence does not occur between MVRP and VSTP. [PR/477019: This issue has been resolved.]

■ On EX3200 and EX4200 switches, when MVRP dynamic VLAN creation is disabled, deregistration of VLANs on trunk interfaces does not occur even after the tag associated with the VLAN has been modified. [PR/479636: This issue has been resolved.]

■ On EX3200 and EX4200 switches, stale MVRP VLAN membership entries might be found on blocked interfaces even after MVRP has been deactivated on the peer switch. [PR/482126: This issue has been resolved.]

Class of Service

■ On an EX2200 switch, when a queue is oversubscribed and you modify a scheduler with the buffer-size exact option on it such that it reduces the allocated buffers on the queue, the queue can stop dequeueing packets. As a workaround, stop traffic going out on the port, and deactivate and reactivate class of service (CoS). You can also reboot the switch. [PR/481401: This issue has been resolved.]

Firewall Filters

■ The accept action and the log and syslog action modifiers in the firewall filter configuration might not work as expected for packets destined for the switch. [PR/406714: This issue has been resolved.]

■ On EX3200 and EX4200 switches, if you configure an egress firewall filter with the match condition source-address or destination-address on a VLAN and its routed VLAN interface (RVI), the firewall filter might not work properly. [PR/476626: This issue has been resolved.]

Hardware

■ On 48-port SFP line cards used in EX8200 switches, do not install a transceiver in the first or last port on the bottom row (ports 1 and 47). Transceivers installed in these ports are difficult to remove. As a workaround, you can remove the transceiver by using a small flathead screwdriver or other tool to lift the lock on the transceiver. [PR/423694: This issue has been resolved.]

Infrastructure

■ On an EX2200 switch, if the following message is displayed when the switch is booting, the installed package might be corrupted:

mount_check: SHA1 (/packages/jkernel-ex-10.1-20090925.0) = f45dd191b053b608dafecc0ef3ea329c9f85693b != 5fe72546eed0c0cb83e6addc6709720f56e8b6da

As a workaround, reinstall the image from the loader prompt with the --format option set. [PR/433663: This issue has been resolved.]

■ The DHCP snooping database is not built after graceful Routing Engine switchover (GRES) is performed twice. Even though packets are coming from the DHCP server, they are not inserted in the DHCP relay. [PR/461318: This issue has been resolved.]

■ If an interface is assigned to a VLAN before the interface's stg state is set, loops might form in the network if a VLAN ID is assigned to the VLAN while the interface is active in a redundant topology. [PR/472617: This issue has been resolved.]

■ On EX8200 switches, after a graceful Routing Engine switchover (GRES), you can navigate through the Maintenance menu in the LCD even after the Maintenance menu in the LCD has been disabled using the set chassis lcd maintenance-menu disable command. As a workaround, delete the LCD Maintenance menu configuration using the CLI on the new master switch, and then disable the LCD Maintenance menu using the set chassis lcd maintenance-menu disable command. [PR/473597: This issue has been resolved.]

■ In some rare cases, switch bootup fails when the JUNOS Software is loading. The message Device not ready displays because the NAND flash is not responding. Workaround: Power cycle the switch. [PR/482026: This issue has been resolved.]

■ The name of the ethernet-switching-options authentication-whitelist statement will be changed. The new name is correct in the documentation but is shown in the CLI as ethernet-switching-options white-list. [PR/487167: This issue has been resolved.]

■ A memory leak might be present in the pfem SPF database. As a workaround, you can restart the pfem process. [PR/493197: This issue has been resolved.]

J-Web Interface

■ In the J-Web interface, the Edit MSTI window in the Spanning Tree Configuration page might not display details of an uncommitted interface configuration. [PR/433506: This issue has been resolved.]

■ In the J-Web interface, the menu on the left side of the J-Web pages and contents of the J-Web pages might disappear when you double-click the Troubleshoot tab. As a workaround, click the Dashboard tab or the Configure tab, and then click the Troubleshoot tab to display the menu and contents of the page. [PR/459936: This issue has been resolved.]

■ In the J-Web interface, in the OSPF Configuration page, no flags are displayed for the Traceoptions tab in OSPF Global Settings. [PR/461558: This issue has been resolved.]

■ In the J-Web interface, in the BGP Configuration page (Configuration > Routing > BGP), if the values entered in the text boxes (for protocols, filename, and description) contain double quotation marks, the J-Web interface does not allow you to delete those values. If the value in the Group Name contains double quotation marks, the J-Web interface allows you to delete the BGP group name, but the deleted value reappears when you refresh the BGP Configuration page. As a workaround, delete the values that contain double quotation marks using the CLI. [PR/464030: This issue has been resolved.]

■ When you access the J-Web interface using the Mozilla Firefox Web browser and move a J-Web window (for example, the Add Interface window) over the browser toolbars, the window appears behind the browser toolbars. After this problem occurs, the window cannot be moved, because the title bar of the window is not visible. If you cancel and reopen the window, the window continues to appear behind the browser toolbars. [PR/473238: This issue has been resolved.]

■ In the J-Web interface Static Routing Configuration page, you might not be able to delete a configured next-hop address because the Delete button is disabled. [PR/476572: This issue has been resolved.]

Related Topics

■ New Features in JUNOS Release 10.1 for EX Series Switches

■ Changes in Default Behavior and Syntax in JUNOS Release 10.1 for EX Series Switches

■ Limitations in JUNOS Release 10.1 for EX Series Switches

■ Outstanding Issues in JUNOS Release 10.1 for EX Series Switches

■ Errata in Documentation for JUNOS Release 10.1 for EX Series Switches

■ Upgrade and Downgrade Issues for JUNOS Release 10.1 for EX Series Switches

Errata in Documentation for JUNOS Release 10.1 for EX Series Switches

There are no outstanding documentation issues in this release.

Related Topics

■ New Features in JUNOS Release 10.1 for EX Series Switches

■ Changes in Default Behavior and Syntax in JUNOS Release 10.1 for EX Series Switches

■ Limitations in JUNOS Release 10.1 for EX Series Switches

■ Outstanding Issues in JUNOS Release 10.1 for EX Series Switches

■ Resolved Issues in JUNOS Release 10.1 for EX Series Switches

■ Upgrade and Downgrade Issues for JUNOS Release 10.1 for EX Series Switches

Upgrade and Downgrade Issues for JUNOS Release 10.1 for EX Series Switches

The following pages list the issues in JUNOS Release 10.1R1 for EX Series switches regarding software upgrade or downgrade:

■ Upgrading or Downgrading from JUNOS Release 9.4R1 for EX Series Switches

■ Upgrading from JUNOS Release 9.3R1 to Release 10.1 for EX Series Switches

■ Upgrading from JUNOS Release 9.2 to Release 10.1 for EX Series Switches

■ Downgrading from JUNOS Release 10.1 to Release 9.2 for EX4200 Switches

Upgrading or Downgrading from JUNOS Release 9.4R1 for EX Series Switches

The ARP aging time configuration in the system configuration stanza in JUNOS Release 9.4R1 is incompatible with the ARP aging time configuration in JUNOS Release 9.3R1 or earlier and JUNOS Release 9.4R2 or later. If you have configured system arp aging-timer aging-time on EX Series switches running JUNOS Release 9.4R1 and upgrade to JUNOS Release 9.4R2 or later or downgrade to JUNOS Release 9.3R1 or earlier, the switch will display configuration errors on booting up after the upgrade or downgrade. As a workaround, delete the arp aging-timer aging-time configuration in the system configuration stanza and reapply the configuration after you complete the upgrade or downgrade.

The format of the file in which the Virtual Chassis topology information is stored was changed in JUNOS Release 9.4. When you downgrade JUNOS Release 9.4 or later running on EX4200 switches in a Virtual Chassis to JUNOS Release 9.3 or earlier, make topology changes, and then upgrade to JUNOS Release 9.4 or later, the topology changes you have made using JUNOS Release 9.3 or earlier are not retained. The switch restores the last topology change you have made using JUNOS Release 9.4.

Upgrading from JUNOS Release 9.3R1 to Release 10.1 for EX Series Switches

If you are upgrading from JUNOS Release 9.3R1 and have voice over IP (VoIP) enabled on a private VLAN (PVLAN), you must remove this configuration before upgrading, to prevent upgrade problems. VoIP on PVLAN interfaces is not supported in releases later than JUNOS Release 9.3R1.

Upgrading from JUNOS Release 9.2 to Release 10.1 for EX Series Switches

For JUNOS Release 9.3 and later for EX Series switches, during the upgrade process, the switch performs reference checks on VLANs and interfaces in the 802.1X configuration stanza. If there are references in the 802.1X stanza to names or tags of VLANs that are not currently configured on the switch or to interfaces that are not configured or do not belong to the ethernet-switching family, the upgrade will fail. In addition, static MAC addresses on single-supplicant mode interfaces are not supported.

CAUTION: If your Release 9.2 configuration includes any of the following conditions, revise the configuration before upgrading to Release 10.1. If you do not take these actions, the upgrade will fail:

■ Ensure that all VLAN names and tags in the 802.1X configuration stanza are configured on the switch and that all interfaces are configured on the switch and assigned to the ethernet-switching family. If the VLAN or the interface is not configured and you try to commit the configuration, the commit will fail.

■ Remove static MAC addresses on single-supplicant mode interfaces. If they exist and you try to commit the configuration, the commit will fail.

■ In an 802.1X configuration stanza, if authentication-profile-name does not exist and you try to commit the configuration, the commit will fail.

■ In an 802.1X configuration stanza, broadcast and multicast MAC addresses are not supported in a static MAC configuration. If they exist and you try to commit the configuration, the commit will fail.

■ Support for static MAC bypass in single or single-secure mode has been removed. If static MAC bypass exists and you try to commit the configuration, the commit will fail.

■ In an 802.1X configuration stanza, the switch will not accept the option vrange as an assigned VLAN name. If it exists and you try to commit the configuration, the commit will fail.

■ Enabling 802.1X and the port mirroring feature on the same interface is not supported. If you enable 802.1X and port mirroring on the same interface and then attempt to commit the configuration, the commit will fail.

■ In an 802.1X configuration stanza, if the VLAN name or tag specified under dot1x authenticator static does not exist and you try to commit the configuration, the commit will fail.

■ If the MSTP configuration contains a VLAN (under protocols mstp msti msti-id) that does not exist on the switch and you try to commit the configuration, the commit will fail. Remove the VLAN from the MSTP configuration before you perform an upgrade.

■ In the interfaces configuration stanza, if no-auto-negotiation is configured but speed and link duplex settings are not configured under ether-options and you try to commit the configuration, the commit will fail. If no-auto-negotiation is configured under ether-options, you must configure speed and link duplex settings.

■ In the ethernet-switching-options configuration, if action is not configured for the number of MAC addresses allowed on the interface (under secure-access-port interface interface-name mac-limit in the CLI or in the Port Security Configuration page in the J-Web interface), and you try to commit the configuration, the commit will fail. You must configure an action for the MAC address limit before upgrading from Release 9.2 to Release 10.1.

■ If you have configured a tagged interface on logical interface 0 (unit 0), configure a tagged interface on a logical interface other than unit 0 before upgrading from Release 9.2 to Release 10.1. If you have not done this and you try to commit the configuration, the commit will fail. Beginning with JUNOS Release 9.3 for EX Series switches, untagged packets, BPDUs (such as in LACP and STP), and priority-tagged packets are processed on logical interface 0 and not on logical interface 32767. In addition, if you have not configured any untagged interfaces, the switch creates a default logical interface 0.

■ On EX4200 switches, if you have installed advanced licenses for features such as BGP, rename the /config/license directory to /config/.license_priv before upgrading from Release 9.2 to Release 9.3 or later. If the switch does not have a /config/license directory, create the /config/.license_priv directory manually before you upgrade. If you do not rename the /config/license directory or create the /config/.license_priv directory manually, the licenses installed will be deleted after you upgrade from Release 9.2 to Release 9.3 or later.
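
A pre-upgrade check for four of the conditions in the caution list above (an MSTP VLAN that does not exist, no-auto-negotiation without speed and duplex, a MAC limit without an action, and 802.1X together with port mirroring), as an added example that is not Juniper's code. It assumes the Release 9.2 configuration has been exported in set format; the sample configuration is constructed, and the statement spellings it matches (for example link-mode and analyzer) are assumptions about the EX Series CLI rather than text from these notes.

```python
from collections import defaultdict

# Constructed sample of a Release 9.2 configuration in set format (assumed spellings).
SAMPLE_CONFIG = """\
set vlans employee vlan-id 10
set vlans voice vlan-id 20
set protocols mstp msti 1 vlan employee
set protocols mstp msti 2 vlan guest
set interfaces ge-0/0/1 ether-options no-auto-negotiation
set interfaces ge-0/0/2 ether-options no-auto-negotiation
set interfaces ge-0/0/2 ether-options speed 1g
set interfaces ge-0/0/2 ether-options link-mode full-duplex
set ethernet-switching-options secure-access-port interface ge-0/0/3.0 mac-limit 4
set ethernet-switching-options secure-access-port interface ge-0/0/4.0 mac-limit 4 action drop
set protocols dot1x authenticator interface ge-0/0/5.0 supplicant single
set ethernet-switching-options analyzer mon input ingress interface ge-0/0/5.0
"""

ESO = "ethernet-switching-options"


def physical(ifname):
    """Strip the logical unit so ge-0/0/5.0 and ge-0/0/5 compare equal."""
    return ifname.split(".")[0]


def lint_pre_upgrade(config_text):
    """Return a sorted list of (check, subject) pairs that would block the commit."""
    vlan_names, vlan_ids = set(), set()
    mstp_refs = []               # (msti-id, VLAN name or tag as written)
    ether = defaultdict(set)     # interface -> ether-options keywords present
    limit_has_action = {}        # interface -> True once an action is seen
    dot1x_ifs, mirror_ifs = set(), set()

    for line in config_text.splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[0] != "set":
            continue
        if tok[1] == "vlans":
            vlan_names.add(tok[2])
            if tok[3:4] == ["vlan-id"] and len(tok) > 4:
                vlan_ids.add(tok[4])
        elif tok[1:4] == ["protocols", "mstp", "msti"] and tok[5:6] == ["vlan"] and len(tok) > 6:
            mstp_refs.append((tok[4], tok[6]))
        elif tok[1] == "interfaces" and tok[3:4] == ["ether-options"] and len(tok) > 4:
            ether[tok[2]].add(tok[4])
        elif tok[1:4] == [ESO, "secure-access-port", "interface"] and "mac-limit" in tok[5:]:
            seen = limit_has_action.get(tok[4], False)
            limit_has_action[tok[4]] = seen or "action" in tok[5:]
        elif tok[1:5] == ["protocols", "dot1x", "authenticator", "interface"] and len(tok) > 5:
            dot1x_ifs.add(physical(tok[5]))
        elif tok[1:3] == [ESO, "analyzer"] and "interface" in tok[4:-1]:
            mirror_ifs.add(physical(tok[tok.index("interface", 4) + 1]))

    findings = []
    for msti, ref in mstp_refs:
        # The reference may be a VLAN name or a tag; either must be defined.
        if ref not in vlan_names and ref not in vlan_ids:
            findings.append(("mstp-undefined-vlan", f"msti {msti} vlan {ref}"))
    for ifname, opts in ether.items():
        if "no-auto-negotiation" in opts and not {"speed", "link-mode"} <= opts:
            findings.append(("no-autoneg-missing-speed-duplex", ifname))
    for ifname, has_action in limit_has_action.items():
        if not has_action:
            findings.append(("mac-limit-without-action", ifname))
    for ifname in dot1x_ifs & mirror_ifs:
        findings.append(("dot1x-with-port-mirroring", ifname))
    return sorted(findings)


if __name__ == "__main__":
    for check, subject in lint_pre_upgrade(SAMPLE_CONFIG):
        print(f"{check}: {subject}")
```

An empty result covers only these four checks; the remaining conditions in the list still need to be reviewed by hand.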

Downgrading from JUNOS Release 10.1 to Release 9.2 for EX4200 Switches

When you downgrade a Virtual Chassis configuration from JUNOS Release 10.1 to Release 9.2 for EX Series switches, member switches might not retain the mastership priorities that had been configured previously. To restore the previously configured mastership priorities, commit the configuration by issuing the commit command.

Related Topics

■ New Features in JUNOS Release 10.1 for EX Series Switches

■ Changes in Default Behavior and Syntax in JUNOS Release 10.1 for EX Series Switches

■ Limitations in JUNOS Release 10.1 for EX Series Switches

■ Outstanding Issues in JUNOS Release 10.1 for EX Series Switches

■ Resolved Issues in JUNOS Release 10.1 for EX Series Switches

■ Errata in Documentation for JUNOS Release 10.1 for EX Series Switches

JUNOS Documentation and Release Notes

For a list of related JUNOS documentation, see http://www.juniper.net/techpubs/software/junos/ .

If the information in the latest release notes differs from the information in the documentation, follow the JUNOS Release Notes.

To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/.

Juniper Networks supports a technical book program to publish books by Juniper Networks engineers and subject matter experts with book publishers around the world. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration using JUNOS Software and Juniper Networks devices. In addition, the Juniper Networks Technical Library, published in conjunction with O'Reilly Media, explores improving network security, reliability, and availability using JUNOS configuration techniques. All the books are for sale at technical bookstores and book outlets around the world. The current list can be viewed at http://www.juniper.net/books .

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can send your comments to [email protected], or fill out the documentation feedback form at https://www.juniper.net/cgi-bin/docbugreport/. If you are using e-mail, be sure to include the following information with your comments:

■ Document name

■ Document part number

■ Page number

■ Software release version

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need postsales technical support, you can access our tools and resources online or open a case with JTAC.

■ JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/customers/support/downloads/710059.pdf.

■ Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/.

■ JTAC Hours of Operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

■ Find CSC offerings: http://www.juniper.net/customers/support/

■ Search for known bugs: http://www2.juniper.net/kb/

■ Find product documentation: http://www.juniper.net/techpubs/

■ Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

■ Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/

■ Search technical bulletins for relevant hardware and software notifications: https://www.juniper.net/alerts/

■ Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/

■ Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool located at https://tools.juniper.net/SerialNumberEntitlementSearch/.

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

■ Use the Case Management tool in the CSC at http://www.juniper.net/cm/ .

■ Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, visit us at http://www.juniper.net/support/requesting-support.html.

If you are reporting a hardware or software problem, issue the following command from the CLI before contacting support:

user@host> request support information | save filename

To provide a core file to Juniper Networks for analysis, compress the file with the gzip utility, rename the file to include your company name, and copy it to ftp.juniper.net:pub/incoming. Then send the filename, along with software version information (the output of the show version command) and the configuration, to [email protected]. For documentation issues, fill out the bug report form located at https://www.juniper.net/cgi-bin/docbugreport/.

Revision History

17 February 2010—Revision 2, JUNOS Release 10.1R1

15 February 2010—Revision 1, JUNOS Release 10.1R1

Copyright © 2010, Juniper Networks, Inc. All rights reserved.

Juniper Networks, the Juniper Networks logo, JUNOS, NetScreen, ScreenOS, and Steel-Belted Radius are registered trademarks of Juniper Networks, Inc. in the United States and other countries. JUNOSe is a trademark of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
