Changes in Default Behavior and Syntax, and for Future Releases in Junos OS Release 12.3 for M Series, MX Series, and T Series Routers

Changes in Default Behavior and Syntax

The following are changes made to Junos OS default behavior and syntax.

High Availability (HA) and Resiliency

  • Configuration support to prevent the LACP MC-LAG system ID from reverting to the default LACP system ID on ICCP failure—You can now configure the prefer-status-control-active statement with the status-control standby configuration at the [edit interfaces aeX aggregated-ether-options mc-ae] hierarchy level to prevent the LACP MC-LAG system ID from reverting to the default LACP system ID on ICCP failure. Use this configuration only if you can ensure that ICCP does not go down unless the router is down. You must also configure the hold-time down value (at the [edit interfaces interface-name] hierarchy level) for the interchassis link with the status-control standby configuration to be higher than the ICCP BFD timeout. This configuration prevents traffic loss by ensuring that when the router with the status-control active configuration goes down, the router with the status-control standby configuration does not go into standby mode.
  • Change in behavior of request system reboot command for MX Series Virtual Chassis (MX Series routers with MPC/MIC interfaces)—Starting in Junos OS Release 12.3R3, the behavior of the request system reboot command has been changed when used with an MX Series Virtual Chassis. To reboot both Routing Engines in each member router of the Virtual Chassis, you can now use any of the following commands:
    • request system reboot
    • request system reboot all-members
    • request system reboot all-members both-routing-engines

    In Junos OS Release 12.2R2 and earlier releases, the request system reboot command rebooted only the master Routing Engine in each member router in the MX Series Virtual Chassis.

    [See request system reboot.]

Interfaces and Chassis

  • On the Channelized OC48/STM16 Enhanced IQ (IQE) PIC with SFP (Model number PB-1CHOC48-STM16-IQE), in the presence of line remote defect indication (LRDI) and line alarm indication signal (LAIS), the 3 LSBs of K2 byte cannot be monitored or viewed through the show interfaces coc48-x/y/z extensive command.
  • Multichassis Link Aggregation (MC-LAG)—When you configure the prefer-status-control-active statement at the [edit interfaces aex aggregated-ether-options mc-ae events iccp-peer-down] hierarchy level, you must also configure the status-control active statement at the [edit interfaces aex aggregated-ether-options mc-ae] hierarchy level. If you configure the status-control standby statement together with the prefer-status-control-active statement, the system issues a warning. [Junos OS Ethernet Interfaces Configuration Guide]
  • Starting with Junos OS Release 12.3, the output of the show chassis fabric topology operational command for a TX Matrix Plus Router has been changed. The string that identifies a cross-chassis serial link for an F13 SIB now includes an additional character to identify the SF chip to which the link connects.
  • New fast-failover option for LACP—You can now configure the Link Aggregation Control Protocol for aggregated Ethernet interfaces to facilitate subsecond failover. To override the default behavior for the IEEE 802.3ad standard and allow the standby link always to receive traffic, include the fast-failover statement at the [edit interfaces aex aggregated-ether-options lacp] hierarchy level.

    [Junos OS Ethernet Interfaces Configuration Guide]

  • New options for Multichassis Link Aggregation (MC-LAG)—For MC-LAG, you can now specify one of two actions to take if the Inter-Chassis Control Protocol (ICCP) peer goes down. To bring down the interchassis link logical interface if the peer goes down, include the force-icl-down statement at the [edit interfaces aeX aggregated-ether-options mc-ae events iccp-peer-down] hierarchy level. To have the router or switch become the active node when a peer goes down, include the prefer-status-control-active statement at the [edit interfaces aeX aggregated-ether-options mc-ae events iccp-peer-down] hierarchy level. When you configure the prefer-status-control-active statement, you must also configure the status-control active statement at the [edit interfaces aeX aggregated-ether-options mc-ae] hierarchy level. If you do not configure status-control as active together with the prefer-status-control-active statement, the router or switch does not become the active node if a peer goes down.

    [Junos OS Ethernet Interfaces Configuration Guide]

  • Enhancement to show interfaces queue command—The output of the show interfaces queue command now displays rate-limit statistics for class-of-service schedulers on all IQ and Enhanced IQ (IQ2E) PICs when rate limiting is configured, even when no traffic is dropped. When rate limiting is configured but no traffic is dropped, the RL-dropped-packets and RL-dropped-bytes fields display the value zero (0). Previously, these fields were omitted when rate limiting was configured but no traffic was dropped. To rate-limit queues before packets are queued for output, include the rate-limit statement at the [edit class-of-service schedulers transmit-rate rate] hierarchy level.

    [Interfaces Command Reference]

  • New Link Aggregation Control Protocol (LACP) Commands and SNMP MIB—You can now view and clear LACP timeout entries. To display information about LACP timeout entries, use the show lacp timeouts command. Include the interfaces interface-name option to view timeout information about a specific interface only. To clear LACP timeout entries, use the clear lacp timeouts command. Include the interfaces interface-name option to clear timeout information for a specific interface only. A new SNMP MIB is now also available. The jnxLacpAggTimeout MIB lists all interfaces where the jnxLacpTimeOut trap is sent.

    [Interfaces Command Reference]

  • Connectivity fault management MEPs on Layer 2 circuits and Layer 2 VPNs (MX Series routers)—On interfaces configured on Modular Port Concentrators (MPCs) only, you no longer need to configure the no-control-word statement for Layer 2 circuits and Layer 2 VPNs over which you are running CFM maintenance endpoints (MEPs). The control word is enabled by default. For all interfaces not configured on MPCs, you need to continue to include the no-control-word statement at either the [edit protocols l2circuit neighbor neighbor-id interface interface-name] or the [edit routing-instances routing-instance-name protocols l2vpn] hierarchy level when you configure CFM MEPs.

    [Ethernet Interfaces Configuration Guide]

  • The OID jnxBfdSessIntfName has been added to the BFD SNMP MIB to associate the BFD session and the interface it uses.

    [SNMP MIBs and Traps Guide]

  • Starting with Junos OS Release 12.2R1, the quality level parameter for a Synchronous Ethernet interface is optional when the quality-mode option is enabled and the selection-mode option is set to receive-quality. The default quality level for a Synchronous Ethernet interface is SEC for the option-1 network type and ST3 for the option-2 network type.
  • Version compatibility for Junos OS SDK—As of Junos OS Release 12.3, Junos OS applications install on Junos OS only if the application is built with the same release as the Junos OS release on which the application is being installed. For example, an application built with Release 12.3R2 only installs on Junos OS Release 12.3R2 and does not install on Junos OS Release 12.3R1 or Junos OS Release 12.3R3 or Junos OS Release 13.1R1.
  • Enhancement to Link Layer Discovery Protocol (LLDP) (MX Series and T Series routers)—You can now configure LLDP to generate the interface name as the port ID Type, Length, and Value (TLV). To generate the interface name as the port ID TLV, include the interface-name statement at the [edit protocols lldp port-id-subtype] hierarchy level. The default behavior is to generate the SNMP Index of the interface as the port ID TLV. If you have changed the default behavior, include the locally-assigned statement at the [edit protocols lldp port-id-subtype] hierarchy level to reenable the default behavior of generating the SNMP Index of the interface as the port ID TLV. When you configure LLDP to generate the interface name as the port ID TLV, the show lldp neighbors command displays the interface name in the Port ID field. The default behavior is for the command to display the SNMP index of the interface in the Port ID field.

    [Ethernet Interfaces Configuration Guide, Interfaces Command Reference]

  • Configuring the flow-tap service for IPv6 traffic—The family (inet | inet6) statement at the [edit services flow-tap] hierarchy enables you to specify the type of traffic for which you want to apply the flow-tap service. If the family statement is not included, the flow-tap service is, by default, applied to the IPv4 traffic. To apply the flow-tap service to IPv6 traffic, you must include the family inet6 statement in the configuration. To enable the flow-tap service for IPv4 and IPv6 traffic, you must explicitly configure the family statement for both inet and inet6 families.

    However, you cannot configure the flow-tap service for IPv6 along with port mirroring or sampling of IPv6 traffic on routers that support LMNR-based FPCs. This restriction is in effect even if the router does not have any LMNR-based FPC installed on it. There is no restriction on configuring the flow-tap service on routers that are configured for port mirroring or sampling of IPv4 traffic.

    [Services Interfaces]

  • Prior to Junos OS Release 12.2, when you issue the show system memory command on MX80 routers, the unable to load pmap_helper module: No such file or directory error message is displayed in the output of the command. Starting with Junos OS Release 12.2, PMAP information is correctly displayed in the output of this command for MX80 and ACX Series routers.

    [System Basics and Services Command Reference]

  • New range for message-rate-limit–The range for message-rate-limit under the syslog configuration for services has changed to 0 through 2147483647.
  • Layer 2 port mirroring—Starting in Junos OS Release 13.2, you can enable Layer 2 port mirroring of host-generated outbound packets only on MPCs on MX Series 3D Universal Edge Routers.
  • Changes to DDoS protection policers for PIM and PIMv6 (MX Series with MPCs, T4000 with FPC5)—The default values for bandwidth and burst limits have been reduced for PIM and PIMv6 aggregate policers to prevent starvation of OSPF and other protocols in the presence of high-rate PIM activity.

    Policer Limit      New Value   Old Value
    Bandwidth (pps)    8000        20,000
    Burst (pps)        16,000      20,000

    To see the default and modified values for DDoS protection packet-type policers, issue one of the following commands:

    • show ddos-protection protocols parameters brief—Displays all packet-type policers.
    • show ddos-protection protocols protocol-group parameters brief—Displays only packet-type policers with the specified protocol group.

    An asterisk (*) indicates that a value has been modified from the default.

  • Preventing the filtering of packets by ARP policers (MX Series routers)—You can configure the router to skip the specified ARP policers for received ARP packets. Disabling ARP policers exposes the system to denial-of-service (DoS) attacks, so exercise caution before doing so. To disable ARP policing on arriving ARP packets, include the disable-arp-policer statement at the [edit interfaces interface-name unit logical-unit-number family inet policer] or the [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number family inet policer] hierarchy level. You can configure this statement only for interfaces with the inet address family and only on MX Series routers with MPCs. When you disable ARP policers on an interface, its ARP packets continue to be policed by the distributed denial-of-service (DDoS) ARP policer, whose maximum rate is 10,000 pps per FPC.

    [Network Interfaces, Protocol Family and Interface Address Properties]

IPv6

  • Change in automatically generated virtual-link-local-address for VRRP over IPv6—The seventh byte in the automatically generated virtual-link-local-address for VRRP over IPv6 is now 0x02. This change makes the VRRP over IPv6 feature in Junos OS 12.2R5, 12.3R3, 13.1R3, and later releases incompatible with Junos OS 12.2R1, 12.2R2, 12.2R3, 12.2R4, 12.3R1, 12.3R2, 13.1R1, and 13.3R2 if an automatically generated virtual-link-local-address is used. As a workaround, configure the virtual-link-local-address manually instead of relying on the automatically generated one.

J-Web

  • On all M Series, MX Series, and T Series platforms, the username field does not accept HTML tags or the < and > characters. The following error message appears: A username cannot include certain characters, including < and >.

Junos OS XML API and Scripting

  • IPv6 address text representation is stored internally and displayed in command output using lowercase—Starting with Junos OS Release 11.1R1, IPv6 addresses are stored internally and displayed in command output in lowercase. Scripts that match on an uppercase text representation of IPv6 addresses should be adjusted to either match on lowercase or perform case-insensitive matches.
  • <get-configuration> RPC with inherit="inherit" attribute returns correct time attributes for committed configuration—In Junos OS Release 12.3R1, when you configured some interfaces using the interface-range configuration statement, if you later requested the committed configuration using the <get-configuration> RPC with the inherit="inherit" and database="committed" attributes, the device returned junos:changed-localtime and junos:changed-seconds in the RPC reply instead of junos:commit-localtime and junos:commit-seconds. This issue is fixed in Junos OS Release 12.3R2 and later releases so that the device returns the expected attributes in the RPC reply.
  • Escaping of special XML characters required for request_login (M Series, MX Series, and T Series)—Beginning with Junos OS Release 12.3R11, you must escape any special characters in the username and password elements of a request_login XML RPC request. The following five symbols are considered special characters: greater than (>), less than (<), single quote (’), double quote (“), and ampersand (&). Both entity references and character references are acceptable escape sequence formats. For example, &amp; and &#38; are valid representations of an ampersand. Previously no escaping of these characters was required.
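The escaping requirement above, worked through in Python as an added example that is not from the Junos documentation or from Juniper's own tooling. The element names follow the request_login RPC named in the note; the enclosing <rpc> element, the helper names and the constructed credentials are assumptions. The unescaped builder is kept beside the correct one to show what goes wrong without escaping: a password containing < or & no longer parses, and a username carrying markup restructures the RPC so the device would read a different <password> element.

```python
"""Build a Junos request_login RPC with XML-safe credentials.

Added example (not from the Junos documentation). Element names follow the
request_login RPC; the <rpc> wrapper, helper names and sample credentials
are assumptions made for illustration.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# The five characters the release note says must be escaped.
SPECIAL = {"<", ">", "'", '"', "&"}


def needs_escaping(text: str) -> bool:
    """True if text contains any of the five special XML characters."""
    return any(ch in SPECIAL for ch in text)


def xml_escape(text: str) -> str:
    """Escape all five special characters as entity references."""
    # saxutils.escape handles &, < and >; the quotes are passed explicitly.
    return escape(text, {'"': "&quot;", "'": "&apos;"})


def build_request_login(username: str, password: str) -> str:
    """Return the RPC with credentials escaped, as 12.3R11 and later require."""
    return (
        "<rpc><request_login>"
        f"<username>{xml_escape(username)}</username>"
        f"<password>{xml_escape(password)}</password>"
        "</request_login></rpc>"
    )


def build_request_login_unescaped(username: str, password: str) -> str:
    """The pre-12.3R11 habit of raw interpolation, kept only for comparison."""
    return (
        "<rpc><request_login>"
        f"<username>{username}</username>"
        f"<password>{password}</password>"
        "</request_login></rpc>"
    )


def parsed_password(rpc: str):
    """Parse the RPC and return the first <password> text, or None if malformed."""
    try:
        root = ET.fromstring(rpc)
    except ET.ParseError:
        return None
    return root.findtext("./request_login/password")


if __name__ == "__main__":
    # Constructed sample credentials; real secrets often contain these characters.
    user, pw = "ops&admin", 'p<ss"w0rd>&\'x'
    print(build_request_login(user, pw))
    print("escaped round-trips:", parsed_password(build_request_login(user, pw)) == pw)
    print("unescaped parses as:", parsed_password(build_request_login_unescaped(user, pw)))
    # Constructed username that carries markup: without escaping it rewrites the RPC.
    injected = "x</username><password>injected</password><username>"
    print("unescaped injected password:", parsed_password(build_request_login_unescaped(injected, "real")))
    print("escaped injected password:", parsed_password(build_request_login(injected, "real")))
```

Escaping the text content is sufficient for the note's requirement; if credentials are ever placed in XML attributes, the same function covers that case too because it also escapes both quote characters.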

MPLS

  • Starting in Junos OS Release 9.3, when you run the show route table mpls.0 protocol ccc command, the next-hop information includes the outgoing interface and the name of the label-switched path. Previously, the next-hop information included the outgoing interface and the MPLS label value.

    [MPLS]

  • Policers for MPLS LSPs (T Series Core Routers)—You can now configure an MPLS LSP policer for a specific LSP to be shared across different protocol family types. To do so, you must configure the LSP policer as a logical interface policer. Include the logical-interface-policer statement at the [edit firewall policer policer-name] hierarchy level. Previously, you could not configure an MPLS LSP policer as a logical interface policer. When you configure an MPLS LSP policer as a logical interface policer, that single policer polices traffic for all protocol families for an LSP. An MPLS LSP policer not configured as a logical interface policer continues to police traffic for a specific protocol family only.

    [Firewall Filters and Traffic Policers Configuration Guide, MPLS Applications Configuration Guide]

  • Starting in Junos OS Release 12.2, at the end of each adjust-interval, the LSP's max_average for the auto-bandwidth functionality does not reset to zero. The max_average retains the value from the last interval until the first sample of the current interval is received. When the first sample of the current interval is received, the max_average is updated to the first sample value.

    In the show mpls lsp command output, the value for Max AvgBW util now displays the value of the maximum average bandwidth utilization from the previous interval until the first sample of the current interval is obtained.

    [MPLS Operational Mode Commands]

Multicast

  • In a bootstrap router (BSR)-enabled bidirectional PIM domain, mixing routers that run releases earlier than Junos OS Release 12.1R7 with routers that run Junos OS Release 12.1R7 or later can cause unexpected outages. If you have a deployment with routers running releases earlier than 12.1R7 and you upgrade only a subset of them to Junos OS Release 12.1R7 or later, the group-to-RP mapping across the domain breaks and an outage occurs.

Network Address Translation (NAT)

  • Protection of MX Series, M Series, and T Series routers from denial-of-service (DoS) attacks—New CLI options provide improved protection against DoS attacks.
    • NAT mapping refresh behavior—Prior to Junos OS Release 12.3, a conversation was kept alive when either inbound or outbound flows were active. This remains the default behavior. As of this release, you can also specify mapping refresh for only inbound flows or only outbound flows. To configure mapping refresh behavior, include the mapping-refresh (inbound | outbound | inbound-outbound) statement at the [edit services nat rule rule-name term term-name then translated secure-nat-mapping] hierarchy level.
    • EIF inbound flow limit—Previously, the number of inbound connections on an EIF mapping was limited only by the maximum flows allowed on the system. You can now configure the number of inbound flows allowed for an EIF. To limit the number of inbound connections on an EIF mapping, include the eif-flow-limit number-of-flows statement at the [edit services nat rule rule-name term term-name then translated secure-nat-mapping] hierarchy level.

      [Next-Generation Network Addressing Carrier-Grade NAT and IPv6 Solutions]

  • Limitation on number of terms for NAT rules applied to inline services interfaces—A NAT rule applied to an inline services (type si) interface is limited to a maximum of 200 terms. If you specify more than 200 terms, the following error is displayed when you commit the configuration:
    [edit]
      'service-set service-set-name'
        NAT rule rule-name with more than 200 terms is disallowed for si-x/y/z.n
    error: configuration check-out failed 
  • The method for computing the block size for deterministic port block allocation for network port translation (NAPT) when the configured block size is zero has changed, and is computed as follows:

    block-size = int(64512/ceil[(Nr_Addr_PR_Prefix/Nr_Addr_PU_Prefix)])

    where:

    64512 is the maximum available port range per public IP address.

    Nr_Addr_PR_Prefix is the number of usable pre-NAT IPv4 subscriber addresses in a from clause match condition

    Nr_Addr_PU_Prefix is the number of usable post-NAT IPv4 addresses configured in the NAT pool
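The block-size formula above, evaluated for realistic prefix sizes as an added example that is not from the Junos documentation. Address counts are derived from IPv4 prefixes with Python's ipaddress module; treating every address in a prefix as usable, and the sample prefixes themselves, are assumptions. The plan helper also reports how many subscribers share each public address and how many ports per public address the integer division leaves unassigned, which the formula alone does not show.

```python
"""Deterministic NAPT block size when the configured block-size is 0.

Added example (not from the Junos documentation). Implements
block-size = int(64512 / ceil(Nr_Addr_PR_Prefix / Nr_Addr_PU_Prefix))
from the release note. Assumption: every address in a prefix counts as
usable; the sample prefixes are constructed.
"""
import ipaddress
import math

MAX_PORTS_PER_PUBLIC_ADDRESS = 64512  # value given in the release note


def usable_addresses(prefix: str) -> int:
    """Number of addresses in an IPv4 prefix (assumption: all are usable)."""
    return ipaddress.ip_network(prefix, strict=False).num_addresses


def block_size(nr_addr_pr_prefix: int, nr_addr_pu_prefix: int) -> int:
    """Ports per subscriber: int(64512 / ceil(pre-NAT addresses / post-NAT addresses))."""
    if nr_addr_pr_prefix <= 0 or nr_addr_pu_prefix <= 0:
        raise ValueError("address counts must be positive")
    subscribers_per_public_ip = math.ceil(nr_addr_pr_prefix / nr_addr_pu_prefix)
    # A result of 0 means more subscribers share a public address than there are ports.
    return MAX_PORTS_PER_PUBLIC_ADDRESS // subscribers_per_public_ip


def plan(subscriber_prefix: str, pool_prefix: str) -> dict:
    """Summarise an allocation: block size, sharing ratio and ports left unassigned."""
    pr = usable_addresses(subscriber_prefix)
    pu = usable_addresses(pool_prefix)
    per_ip = math.ceil(pr / pu)
    bs = block_size(pr, pu)
    return {
        "subscribers": pr,
        "public_addresses": pu,
        "subscribers_per_public_ip": per_ip,
        "block_size": bs,
        # Ports on each public address that the integer division does not hand out.
        "unused_ports_per_public_ip": MAX_PORTS_PER_PUBLIC_ADDRESS - bs * per_ip,
    }


if __name__ == "__main__":
    # Constructed sizing: a /20 of subscribers behind a /27 pool.
    print(plan("10.0.0.0/20", "203.0.113.0/27"))
    # The ceil matters when the ratio is not an integer.
    print(block_size(4000, 32))
    # Oversubscription well past the port space collapses the block size to 0.
    print(block_size(100000, 1))
```

A block size of 0 is the signal that the pool is too small for the subscriber range; either widen the pool or shrink the from-clause match before relying on deterministic allocation.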

Network Management and Monitoring

  • Each Routing Engine runs its own SNMP process (snmpd), allowing each Routing Engine to maintain its own engine boots. However, if both Routing Engines have the same engine ID and the Routing Engine with the lesser snmpEngineBoots value is selected as the master Routing Engine during the switchover process, the snmpEngineBoots value of the master Routing Engine is synchronized with the snmpEngineBoots value of the other Routing Engine.

    [Network Management Configuration Guide]

  • New system log message indicating a decrease in a Packet Forwarding Engine counter value (M Series, MX Series, and T Series)—Effective in Junos OS Release 12.3R9, if a Packet Forwarding Engine reports a counter value lower than its previous value, the residual counter value is added to the newly reported value for that specific counter only, and the MIB2D_COUNTER_DECREASING system log message is generated for that counter.
  • SNMP MIB support for subscriber interface index—The Juniper Networks enterprise-specific Subscriber MIB, whose object ID is {jnxSubscriberMibRoot 1}, supports a new MIB table, jnxSubscriberInterfaceHardwareIndexTable, to display the index of subscriber interfaces. The jnxSubscriberInterfaceHardwareIndexTable, whose object identifier is {jnxSubscriberGeneral 4}, contains jnxSubscriberInterfaceHardwareIndexEntry that maps to the specification of each subscriber. You must provide the session ID of the subscriber in the SNMP Get and GetNext queries. When you perform an SNMP walk operation, you need to provide only the name of the subscriber interface index table or the name of the object.

    Each jnxSubscriberInterfaceHardwareIndexEntry, whose object identifier is {jnxSubscriberInterfaceHardwareIndexTable 1}, contains the objects listed in Table 3.

    Table 3: jnxSubscriberInterfaceHardwareIndexTable (Object, Object ID: Description)

    • jnxSubscriberInterfaceHardwareIndexHandleHiWord, jnxSubscriberInterfaceHardwareIndexEntry 1: Subscriber handle associated with each subscriber. Returns the most significant 32 bits of the 64-bit subscriber ID. The value of the subscriber handle is a monotonically increasing number.
    • jnxSubscriberInterfaceHardwareIndexHandleLoWord, jnxSubscriberInterfaceHardwareIndexEntry 2: Subscriber handle associated with each subscriber. Returns the least significant 32 bits of the 64-bit subscriber ID. The value of the subscriber handle is a monotonically increasing number.
    • jnxSubscriberInterfaceHardwareIndex, jnxSubscriberInterfaceHardwareIndexEntry 3: The hardware index of the subscriber interface.

    [SNMP MIBs and Traps Reference]

Routing Policy and Firewall Filters

  • Firewall filter option to force premium treatment for traffic (MX Series routers)— By default, a hierarchical policer processes the traffic it receives according to the traffic’s forwarding class. Premium, expedited-forwarding traffic has priority for bandwidth over aggregate, best-effort traffic. Now you can include the force-premium option at the [edit firewall filter filter-name term term-name] hierarchy level to ensure that traffic matching the term is treated as premium traffic by a subsequent hierarchical policer, regardless of its forwarding class. This traffic is given preference over any aggregate traffic received by that policer.

    Consider a scenario where a firewall filter is applied to an interface that receives both expedited-forwarding voice traffic and best-effort video traffic. Traffic that matches the first term of the filter is passed to a hierarchical policer in the second term. The hierarchical policer also receives best-effort data traffic from another source. The filtered video traffic is treated the same as this data traffic, as aggregate traffic with a lower priority than the premium voice traffic. Consequently, some of the video traffic might be dropped and some of the data traffic passed on.

    To avoid that situation, include the force-premium option in the firewall filter term that passes traffic to the hierarchical policer. This term forces the video traffic to be marked as premium traffic. The hierarchical policer gives both the voice traffic and the video traffic priority over the aggregate data traffic.

    Note: The force-premium filter option is supported only on MPCs.

  • Extends support for Layer 2 policers to MX Series routers with MPC3—You can now configure Layer 2 policers for the ingress and egress interfaces on MX Series routers with MPC3. Policer types include single-rate two-color, single-rate three-color (color-blind and color-aware), and two-rate three-color (color-blind and color-aware). To configure Layer 2 policing, include the policer statement at the [edit firewall] hierarchy level.

    [Junos OS Firewall Filters and Traffic Policers]

Routing Protocols

  • Bidirectional Forwarding Detection (BFD) is a protocol that verifies the liveness of data paths. One desirable application of BFD is to detect connectivity to routers that span multiple network hops and follow unpredictable paths. On M Series, MX Series, and T Series platforms only, starting in Junos OS Release 12.3, multihop BFD runs on the CPU in the FPC, DPC, or MPC. Previously, multihop BFD ran on the Routing Engine.
  • Junos OS Release 12.3 supports a new show firewall templates-in-use operational command. This command enables you to display the names of filters configured using the filter statement at either the [edit firewall] or [edit dynamic-profiles profile-name firewall] hierarchy level and that are being used as templates for dynamic subscriber filtering. The command also displays the number of times the filter has been referenced by subscribers accessing the network.

    [Routing Protocols and Policies Command Reference]

  • When configuring the advertise-external statement for an AS confederation, we recommend that EBGP peers belonging to different autonomous systems be configured in a separate EBGP peer group. This ensures consistency while BGP sends the best external route to peers in the configured peer group.

    [Routing Protocols Guide]

  • If you configure the route-distinguisher statement in addition to the route-distinguisher-id statement, the value configured for route-distinguisher supersedes the value generated from route-distinguisher-id. To avoid a conflict in the two route distinguisher values, we recommend ensuring that the first half of the route distinguisher obtained by configuring the route-distinguisher statement be different from the first half of the route distinguisher obtained by configuring the route-distinguisher-id statement.

    [Routing Protocols Guide]

  • BGP hides a route received with a label block size greater than 256 (M Series, MX Series, and T Series)— When a BGP peer (running Junos OS) sends a route with a label block size greater than 256, the local speaker hides the route and does not re-advertise this route. The output of the show route detail/extensive hidden/all displays the hidden route and states the reason as label block size exceeds max supported value. In earlier Junos OS releases, when a peer sent a route with a label block size greater than 256, the routing protocol process (rpd) terminated abnormally.
  • Configure and establish targeted sessions with third-party controllers using LDP targeted neighbor (M Series and MX Series)—Starting with Junos OS Release 12.3R10, you can configure an LDP targeted neighbor to a third-party controller for applications, such as a route recorder, that want to learn the label-FEC bindings of an LSR. LDP targeted neighbor establishes a targeted session with controllers for a variety of applications.

Security

  • DDoS protection support for more protocol groups and packet types (MX Series)—DDoS protection now supports the following additional protocol groups and packet types:
    • amtv4—IPv4 automatic multicast (AMT) traffic.
    • amtv6—IPv6 AMT traffic.
    • frame-relay—Frame relay traffic.
    • inline-ka—Inline service interfaces keepalive traffic.
    • inline-svcs—Inline services traffic.
    • keepalive—Keepalive traffic.
    • l2pt—Layer 2 protocol tunneling traffic.

    Two packet types are available for the frame-relay protocol group:

    • frf15—Multilink frame relay FRF.15 packets.
    • frf16—Multilink frame relay FRF.16 packets.

    The PPP protocol group has an additional packet type available, mlppp-lcp for MLPPP LCP packets.

    [System Basics and Services Command Reference]

  • In all supported Junos OS releases, regular expressions can no longer be configured if compiling them requires more than 64 MB of memory or more than 256 recursions while parsing.

    This change brings Junos OS in line with the FreeBSD limit. It was made in response to a known resource-consumption vulnerability that allows an attacker to cause a denial of service (resource exhaustion) by using regular expressions containing adjacent repetition operators or adjacent bounded repetitions. Junos OS uses regular expressions in several places within the CLI. Exploitation of this vulnerability can cause the Routing Engine to crash, leading to a partial denial of service. Repeated exploitation can result in an extended partial outage of the services provided by the routing protocol process (rpd).
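A pre-commit check for the pattern class named above, as an added example that is not from the Junos documentation or from Juniper. It scans candidate CLI regular expressions for adjacent repetition operators (*, +, ? or a bounded {m,n}) before they are pushed to a router, so that an expression the device would now reject, or that an older release would compile at great cost, is caught in review. The heuristic, its helper names and the constructed sample expressions are this example's own; it does not reproduce the router's 64 MB or 256-recursion compile limits.

```python
"""Flag regular expressions containing adjacent repetition operators.

Added example (not from the Junos documentation). The release note names
adjacent repetition operators and adjacent bounded repetitions as the
pattern class behind the resource-exhaustion problem; this checker finds
that class in candidate expressions. The heuristic and sample patterns are
constructed for illustration and are not the router's own check.
"""
import re

# One repetition operator: *, +, ? or a bounded repetition {m}, {m,}, {m,n}.
REPETITION = r"(?:[*+?]|\{\d+(?:,\d*)?\})"

# Two repetition operators back to back, e.g. a**, a+*, a{2}{3}, a{1,2}+.
ADJACENT_REPETITION = re.compile(REPETITION + REPETITION)


def is_escaped(pattern: str, index: int) -> bool:
    """True if the character at index is preceded by an odd run of backslashes."""
    backslashes = 0
    i = index - 1
    while i >= 0 and pattern[i] == "\\":
        backslashes += 1
        i -= 1
    return backslashes % 2 == 1


def find_adjacent_repetitions(pattern: str) -> list:
    """Return (offset, text) for each adjacent-repetition run, skipping escaped operators."""
    hits = []
    for m in ADJACENT_REPETITION.finditer(pattern):
        if not is_escaped(pattern, m.start()):
            hits.append((m.start(), m.group(0)))
    return hits


def lint(patterns: list) -> dict:
    """Map each rejected pattern to its offending operator runs; clean patterns are omitted."""
    report = {}
    for p in patterns:
        hits = find_adjacent_repetitions(p)
        if hits:
            report[p] = hits
    return report


if __name__ == "__main__":
    # Constructed candidates: two benign interface matches and two that nest repetitions.
    candidates = ["^ge-0/0/[0-9]+$", "^xe-.*$", "(.+)+*", "x{1,2}{3,4}"]
    for pattern, hits in lint(candidates).items():
        print(f"reject {pattern!r}: adjacent repetition at {hits}")
```

The check is deliberately conservative: a lazy-quantifier spelling such as a+? also trips it, which is the right call for POSIX-style CLI regexes where that is simply two adjacent operators. Operators inside a bracket expression such as [*+] are literals and would be false positives; strip bracket expressions first if your patterns use them.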

Services Applications

  • Starting in Junos OS Release 12.3R3, the destination-address statement in the from clause of a stateful firewall rule cannot have the IPv6 address value 0::00.
    [edit services stateful-firewall rule rule-name term term-name from]
    destination-address (address | any-unicast) <except>;

    This issue is being tracked by PR857106.

  • New statement for resynchronization of SAs—In Junos OS Release 12.3R3 and earlier, when peers in a security association (SA) became unsynchronized, packets with invalid security parameter index (SPI) values could be sent out, and the receiving peer dropped those packets. The only way to recover was to manually clear the SAs or wait for them to time out. Starting in Junos OS Release 12.3R4, you can enable automatic recovery by using the respond-bad-spi max-responses configuration statement at the [edit services ipsec-vpn ike policy] hierarchy level. This statement triggers a resynchronization of the SAs when invalid SPIs are received.

    The max-responses value has a default of 5 and a range of 1 through 30.

    [edit services ipsec-vpn ike policy]
    respond-bad-spi max-responses;
  • Protection of routers from denial-of-service (DoS) attacks—New CLI options provide improved protection against DoS attacks.
    • NAT mapping refresh behavior—Prior to this release, a conversation was kept alive when either inbound or outbound flows were active. This remains the default behavior. As of 12.3R6, you can also specify mapping refresh for only inbound flows or only outbound flows. To configure mapping refresh behavior, include the mapping-refresh (inbound | outbound | inbound-outbound) statement at the [edit services nat rule rule-name term term-name then translated secure-nat-mapping] hierarchy level.
    • EIF inbound flow limit—Previously, the number of inbound connections on an EIF mapping was limited only by the maximum flows allowed on the system. Starting in Release 12.3R6, you can configure the number of inbound flows allowed for an EIF. To limit the number of inbound connections on an EIF mapping, include the eif-flow-limit number-of-flows statement at the [edit services nat rule rule-name term term-name then translated secure-nat-mapping] hierarchy level.

      The show services nat pool detail command now shows the current number of EIF flows and the flow limit.

          Current EIF Inbound flows count: 0
          EIF flow limit exceeded drops: 0

    • Maximum dropped flows—By default, a maximum of 2000 drop flows is allowed per PIC at any given instant. You can now configure the maximum number of drop flows allowed per direction (ingress and egress) at any given instant. This enables you to limit the creation of drop flows during a denial-of-service (DoS) attack. When the number of drop flows exceeds the configured or default limit, no further drop flows are created and the packets are dropped silently, meaning that no syslog message is generated for them. If max-drop-flows is configured, the appropriate error counters are incremented for packets dropped because the limit was exceeded.

      To limit the number of drop flows, include the max-drop-flows ingress ingress-flows egress egress-flows statement at the [edit services service-set service-set-name] hierarchy level.

      The show services stateful-firewall statistics extensive command now shows the maximum flow drop counters when max-drop-flows is configured.

          Drop Flows:
            Maximum Ingress Drop flows allowed: 20
            Maximum Egress Drop flows allowed: 20
            Current Ingress Drop flows: 0
            Current Egress Drop flows: 0
            Ingress Drop Flow limit drops count: 0
            Egress Drop Flow limit drops count: 0
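    The model below is an added Python illustration of the drop-flow limit described above; it is not Junos OS code and the flow keys, limits and counter names are constructed for the example (the counter names are copied from the show output so the two can be read side by side). It shows the operational consequence that matters for monitoring: once the per-direction cap is reached, rejected packets produce no new drop flow and no syslog entry, so the only evidence is the limit-drop counter.

```python
from collections import Counter

# Constructed 5-tuples: (source address, source port, destination address, destination port, protocol)
SOURCE, DESTINATION = "198.51.100.7", "192.0.2.10"


class DropFlowTable:
    """Toy model of the stateful-firewall drop-flow cache with a per-direction cap
    (the max-drop-flows ingress/egress limits). Not Junos code."""

    def __init__(self, max_ingress, max_egress):
        self.limits = {"ingress": max_ingress, "egress": max_egress}
        self.flows = {"ingress": set(), "egress": set()}
        self.limit_drops = Counter()

    def handle_denied_packet(self, direction, five_tuple):
        """Handle a packet that the firewall rules reject.

        Returns 'matched' when an existing drop flow absorbs the packet,
        'created' when a new drop flow is installed (the event that would be
        logged), or 'limit-dropped' when the cap is reached: no flow is
        created and no log entry is produced, only the counter moves.
        """
        table = self.flows[direction]
        if five_tuple in table:
            return "matched"
        if len(table) >= self.limits[direction]:
            self.limit_drops[direction] += 1
            return "limit-dropped"
        table.add(five_tuple)
        return "created"

    def show_statistics(self):
        """Counters named after the show services stateful-firewall statistics extensive output."""
        return {
            "Maximum Ingress Drop flows allowed": self.limits["ingress"],
            "Maximum Egress Drop flows allowed": self.limits["egress"],
            "Current Ingress Drop flows": len(self.flows["ingress"]),
            "Current Egress Drop flows": len(self.flows["egress"]),
            "Ingress Drop Flow limit drops count": self.limit_drops["ingress"],
            "Egress Drop Flow limit drops count": self.limit_drops["egress"],
        }


def simulate_burst(table, direction, packets):
    """Feed `packets` rejected packets, each from a different source port, and
    tally the outcomes. Without a cap, each distinct 5-tuple would cost one drop flow."""
    outcomes = Counter()
    for i in range(packets):
        key = (SOURCE, 40000 + i, DESTINATION, 23, "tcp")
        outcomes[table.handle_denied_packet(direction, key)] += 1
    return dict(outcomes)


if __name__ == "__main__":
    t = DropFlowTable(max_ingress=20, max_egress=20)
    print(simulate_burst(t, "ingress", 25))   # {'created': 20, 'limit-dropped': 5}
    for name, value in t.show_statistics().items():
        print(f"  {name}: {value}")
```

    A repeat of a 5-tuple that already has a drop flow returns 'matched' regardless of the cap, which is why the current-flow counters stay flat while the limit-drop counters keep rising during a sustained burst.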
      
  • The TWAMP connection and session come up only if the session padding length on the TWAMP client is greater than or equal to 27 bytes. The TWAMP server supports a padding length of 27 through 1400 bytes. If IXIA is used as the TWAMP client, a packet length of 41 through 1024 bytes is supported.

Subscriber Access Management

  • Effect of changing the forwarding class configuration with PPP fast keepalive (MX Series routers with MPC/MIC interfaces)—To change the default queue assignment (forwarding class) for outbound traffic generated by the Routing Engine, you can include the forwarding-class class-name statement at the [edit class-of-service host-outbound-traffic] hierarchy level.

    For PPP fast (inline) keepalive LCP Echo-Request and LCP Echo-Reply packets transmitted between an MX Series router with MPCs/MICs and a PPP client, changing the forwarding class configuration takes effect immediately for both new PPP-over-Ethernet (PPPoE), PPP-over-ATM (PPPoA), and L2TP network server (LNS) subscriber sessions created after the configuration change, and for existing PPPoE, PPPoA, and LNS subscriber sessions established before the configuration change.

    In earlier Junos OS releases with PPP fast keepalive, forwarding class configuration changes applied only to new PPPoE, PPPoA, and LNS subscriber sessions created after the configuration change. The forwarding class setting was fixed for existing PPPoE, PPPoA, and LNS subscriber sessions, and could not be changed until the session was terminated and re-established.

    [Junos OS Subscriber Access Configuration Guide, Junos OS Class of Service Configuration Guide]

  • Display of a warning message for enhanced policer statistics (MX Series routers)—When you commit a configuration that contains the enhanced-policer statement at the [edit chassis] hierarchy level, a warning message is displayed stating that all the FPCs in the router need to be rebooted for the configuration changes to become effective. At this point, you must confirm that you want to proceed with the reboot of the FPCs. If you do not reboot the FPCs, the FPCs return all 0s (zeros) when you perform a query for the retrieval of detailed statistics—for example, when you issue the show firewall detail command.

    [System Basics, Chassis-Level Features]

  • When an MX Series router configured as an L2TP network server (LNS) sends an Access-Request message to RADIUS for an LNS subscriber, the LNS now includes the Called-Station-Id attribute when it receives AVP 21 in the ICRQ message from the L2TP access concentrator (LAC).
  • The user username option for the clear services l2tp session command is no longer available in the CLI for LNS on MX Series routers. Because the option was already unavailable for LAC on MX Series routers, L2TP on MX Series routers no longer supports clearing L2TP sessions by subscriber username. As an alternative, you can determine the session ID for the username by issuing the show subscribers detail command, and then remove the session with the clear services l2tp session local-session-id session-id command.

    [Subscriber Access]

  • The user username option for the show services l2tp session command is no longer available in the CLI for L2TP LAC or L2TP LNS on MX Series routers. To view L2TP session information organized by subscriber username, you can issue the show subscribers detail command or the show network-access aaa subscribers username command.

    [Subscriber Access]

  • Enhanced filtering for tracing PPP and PPPoE operations (MX Series routers)—Capturing relevant traces for particular PPP and PPPoE subscribers increases in complexity as the number of subscribers increases. New filter options have been added to simplify tracing PPP service operations and PPPoE subscriber operations in a scaled subscriber environment. You can include one or more of the following options at the [edit protocols ppp-services traceoptions filter] or [edit protocols pppoe traceoptions filter] hierarchy levels:
    • aci regular-expression—Regular expression to match the agent circuit identifier provided by PPP or PPPoE client.
    • ari regular-expression—Regular expression to match the agent remote identifier provided by PPP or PPPoE client.
    • service regular-expression—Regular expression to match the name of PPP or PPPoE service.
    • underlying-interface interface-name—Name of a PPP or PPPoE underlying interface. You cannot use a regular expression for this filter option.

    When you apply more than one of these trace filters, events for a particular connection are traced only when it matches all of the filter conditions. For example, when you configure the following filter options, PPP (jpppd) events are traced only for PPP connections where the agent circuit identifier begins with the string west-metro-ge and the agent remote identifier includes the string CUST-0102:

    user@host1> set protocol ppp-service traceoptions filter aci west-metro-ge*
    user@host1> set protocol ppp-service traceoptions filter ari *CUST-0102*

    Similarly, when you configure the following filter options, PPPoE events are traced only for PPPoE connections where the subscribers are on static interface pp0.50001 and receive the premium service:

    user@host1> set protocol pppoe traceoptions filter interface pp0.50001
    user@host1> set protocol pppoe traceoptions filter service premium

    The amount of information logged when a connection matches the filters is considerably less than when no filters are applied. If the connection does not match the configured filters, some information is still logged, but only a minimal amount.

    [Subscriber Access]
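    The following Python model is an added illustration of the filter semantics described above; it is not the jpppd or pppoed implementation. It shows the two points a practitioner relies on when scoping traces: every configured filter must match (AND), and the aci, ari and service options are pattern matches while underlying-interface is an exact name. The sample connections, event and field names are constructed, and the filters use Python regular-expression syntax to express the same intent as the Junos patterns above (an anchored prefix for west-metro-ge, a substring for CUST-0102).

```python
import re

# Filter options that take a pattern, and the one that takes an exact interface name
REGEX_FILTERS = ("aci", "ari", "service")
EXACT_FILTERS = ("underlying_interface",)


def connection_matches(conn, filters):
    """AND semantics: every configured filter must match the connection."""
    for option, wanted in filters.items():
        actual = conn.get(option, "")
        if option in REGEX_FILTERS:
            if re.search(wanted, actual) is None:
                return False
        elif option in EXACT_FILTERS:
            if actual != wanted:
                return False
        else:
            raise KeyError(f"unknown filter option: {option}")
    return True


def trace_line(conn, event, filters):
    """Full detail for a matching connection, a minimal line otherwise."""
    if connection_matches(conn, filters):
        return (f"{event['ts']} {conn['underlying_interface']} {event['state']} {event['type']} "
                f"aci={conn['aci']} ari={conn['ari']} service={conn['service']} {event['detail']}")
    return f"{event['ts']} {conn['underlying_interface']} {event['type']}"


# Constructed sample connections and one constructed event
CONNS = [
    {"underlying_interface": "pp0.50001", "aci": "west-metro-ge-1/0/0:100",
     "ari": "CUST-0102-HOME", "service": "premium"},
    {"underlying_interface": "pp0.50002", "aci": "east-metro-ge-2/0/0:100",
     "ari": "CUST-0102-HOME", "service": "premium"},
    {"underlying_interface": "pp0.50001", "aci": "west-metro-ge-1/0/0:101",
     "ari": "CUST-0200-HOME", "service": "basic"},
]
EVENT = {"ts": "12:00:00.000123", "state": "Opened", "type": "LCP-Echo-Request", "detail": "id=7"}


def traced_in_full(filters):
    """Indexes of the sample connections whose events would be traced in full."""
    return [i for i, conn in enumerate(CONNS) if connection_matches(conn, filters)]


if __name__ == "__main__":
    filters = {"aci": "^west-metro-ge", "ari": "CUST-0102"}
    for conn in CONNS:
        print(trace_line(conn, EVENT, filters))
```

    Note the asymmetry in the test below: a partial interface name such as pp0.5000 matches nothing, whereas a partial service name matches as a substring.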

  • Increased visibility for PPP session state in trace logs (MX Series routers)—Log files generated by tracing jpppd (ppp-service) operations now display the interface name for each line of the traced events. The new information might also include the module or the session state and event type for each event. This new information appears immediately after the timestamp and makes it easier to distinguish PPP packet exchange and session states in the logs.

    [Subscriber Access]

  • Interface names logged for PPPoE messages (MX Series routers)—Log output for PPPoE PADI, PADM, PADN, PADO, PADR, PADS, and PADT packets now explicitly includes the interface name rather than just the index.

    [Subscriber Access]

  • Microsecond timestamps for certain tracing operations (MX Series routers)—The logs generated when tracing authd, jpppd, and pppoed operations have been enhanced to provide more precise timestamps. The timestamps now record events at microsecond intervals.

    [Subscriber Access]

  • On MX80 routers, you can configure only four inline services physical interfaces as anchor interfaces for L2TP LNS sessions: si-1/0/0, si-1/1/0, si-1/2/0, si-1/3/0. You cannot configure si-0/0/0 for this purpose on MX80 routers.
  • Source Class Parameterized Match Condition (MX Series routers with MPCs/MICs)—You can now reference source-class in the parameterized match condition of the dynamic profile filter. Source class usage allows you to limit traffic to specific subscribers from specific network zones. These limits are per subscriber and the profile name is communicated using RADIUS. The source-class parameterized match condition is supported for both IPv4 and IPv6.

    [Subscriber Access Configuration Guide]

  • L2TP support for SNMP statistics (MX Series routers)—By default, SNMP polling is disabled for L2TP statistics. As a consequence, the L2TP tunnel and global counters listed in the table have a default value of zero.

    Table 4: SNMP Counters for L2TP Statistics

    Counter Name                      Type
    jnxL2tpTunnelStatsDataTxPkts      Tunnel
    jnxL2tpTunnelStatsDataRxPkts      Tunnel
    jnxL2tpTunnelStatsDataTxBytes     Tunnel
    jnxL2tpTunnelStatsDataRxBytes     Tunnel
    jnxL2tpStatsPayloadRxOctets       Global
    jnxL2tpStatsPayloadRxPkts         Global
    jnxL2tpStatsPayloadTxOctets       Global
    jnxL2tpStatsPayloadTxPkts         Global

    You can enable collection of these statistics by including the enable-snmp-tunnel-statistics statement at the [edit services l2tp] hierarchy level. When enabled, the L2TP process polls for these statistics every 30 seconds for 1000 sessions. The potential age of the statistics increases with the number of subscriber sessions; the data is refreshed more quickly as the number of sessions decreases. For example, with 30,000 sessions, none of these statistics is more than 15 minutes old.

    Best Practice: The system load can increase when you enable these counters and also use RADIUS interim accounting updates. We recommend you enable these counters when you are using only SNMP statistics.

    [Subscriber Access]

  • RADIUS accounting support of duplicate reporting for nondefault VRFs (MX Series routers)—You can now configure duplicate RADIUS accounting records to be sent to a nondefault VRF; that is, to an LS:RI combination other than default:default. You can also specify up to five access profiles in the target VRF that list the RADIUS servers that receive the duplicate reports. Include the vrf-name statement at the new [edit access profile profile-name accounting duplication-vrf] hierarchy level to designate the single nondefault target VRF. Include the access-profile-name statement at the same hierarchy level to designate the access profiles listing the RADIUS servers.
  • DNS address assignment in DHCPv6 IA_NA and IA_PD environments (MX Series)—Starting in Junos OS Release 12.3R3 and Release 13.3R1, DHCPv6 local server returns the DNS server address (DHCPv6 attribute 23) as a global DHCPv6 option, rather than as an IA_NA or IA_PD suboption. DHCPv6 returns the DNS server address that is specified in the IA_PD or IA_NA pools—if both address pools are requested, DHCPv6 returns the address specified in the IA_PD pool only, and ignores any DNS address in the IA_NA pool.

    In releases prior to 12.3R3, and in releases 13.1 and 13.2, DHCPv6 returns the DNS server address as a suboption inside the respective DHCPv6 IA_NA or IA_PD header. You can use the multi-address-embedded-option-response statement at the [edit system services dhcp-local-server dhcpv6 overrides] hierarchy level to revert to the prior behavior. However, returning the DNS server address as a suboption can create interoperability issues for some CPE equipment that cannot recognize the suboption information.

    [Subscriber Access]
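    The Python example below is added to make the interoperability point above concrete; it is not the Junos DHCPv6 local server code. It builds the same DNS server list (option 23) in the two layouts the text describes, as a top-level option and as a sub-option nested inside IA_PD (option 25), and then parses each with two client models: one that reads only top-level options and one that also descends into IA_NA and IA_PD. The option codes and the 12-byte IA header (IAID, T1, T2) follow the DHCPv6 RFCs; the IAID, timers and server address are constructed sample values.

```python
import ipaddress
import struct

OPTION_IA_NA, OPTION_DNS_SERVERS, OPTION_IA_PD = 3, 23, 25   # DHCPv6 option codes
IA_HEADER_LEN = 12   # IAID, T1, T2: three 32-bit fields before the IA sub-options


def option(code, data):
    """DHCPv6 option TLV: 16-bit code, 16-bit length, payload."""
    return struct.pack("!HH", code, len(data)) + data


def dns_servers_option(addresses):
    return option(OPTION_DNS_SERVERS,
                  b"".join(ipaddress.IPv6Address(a).packed for a in addresses))


def ia_pd_option(iaid, t1, t2, suboptions=b""):
    return option(OPTION_IA_PD, struct.pack("!III", iaid, t1, t2) + suboptions)


def build_reply_options(dns, embed_in_ia_pd):
    """Server-side layout: option 23 at top level (the 12.3R3 behavior) or nested
    inside IA_PD (the earlier behavior restored by multi-address-embedded-option-response)."""
    if embed_in_ia_pd:
        return ia_pd_option(1, 3600, 5400, dns_servers_option(dns))
    return ia_pd_option(1, 3600, 5400) + dns_servers_option(dns)


def parse_options(blob):
    """Split a byte string into (code, payload) pairs; reject truncated options."""
    out, i = [], 0
    while i + 4 <= len(blob):
        code, length = struct.unpack_from("!HH", blob, i)
        i += 4
        if i + length > len(blob):
            raise ValueError("truncated DHCPv6 option")
        out.append((code, blob[i:i + length]))
        i += length
    if i != len(blob):
        raise ValueError("trailing bytes after last option")
    return out


def decode_addresses(data):
    if len(data) % 16:
        raise ValueError("option 23 payload is not a multiple of 16 bytes")
    return [str(ipaddress.IPv6Address(data[i:i + 16])) for i in range(0, len(data), 16)]


def dns_servers_top_level_only(blob):
    """A client that inspects only top-level options (the CPE case described above)."""
    return [addr for code, data in parse_options(blob) if code == OPTION_DNS_SERVERS
            for addr in decode_addresses(data)]


def dns_servers_anywhere(blob):
    """A client that also descends into IA_NA and IA_PD sub-options."""
    found = []
    for code, data in parse_options(blob):
        if code == OPTION_DNS_SERVERS:
            found += decode_addresses(data)
        elif code in (OPTION_IA_NA, OPTION_IA_PD):
            found += dns_servers_anywhere(data[IA_HEADER_LEN:])
    return found


if __name__ == "__main__":
    dns = ["2001:db8::53"]   # constructed sample resolver address
    for embedded in (False, True):
        reply = build_reply_options(dns, embed_in_ia_pd=embedded)
        print(f"embedded={embedded}: top-level-only client sees {dns_servers_top_level_only(reply)}, "
              f"sub-option-aware client sees {dns_servers_anywhere(reply)}")
```

    The parser rejects truncated or trailing bytes rather than silently stopping, which is the behaviour you want in any option parser exposed to untrusted network input.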

  • Support for VLAN ID none configuration for MC-LAG bridge domains in active-active mode (MX Series)—To facilitate forwarding and media access control (MAC) and Address Resolution Protocol (ARP) synchronization among multichassis link aggregation (MC-LAG) peers when the VLAN identifier is none, you must now configure a service identifier within bridge domains in active-active mode.

    To configure a service identifier for a bridge domain, configure the service-id statement at the [edit bridge domain bridge-domain-name] hierarchy level. You must configure the same service identifier for MC-LAG peers.

  • ANCP sessions may not persist across a graceful Routing Engine switchover and may need to be reestablished.
  • New vpi and vci options in show subscribers command (MX Series routers with MPCs and ATM MICs with SFP)—Adds the following two new options to the show subscribers operational command to enable you to display information about active subscribers using PPPoE-over-ATM, PPP-over-ATM (PPPoA), IP-over-ATM (IPoA), or bridged IP-over-Ethernet-over-ATM to access the router over an ATM network:
    • vpi—ATM virtual path identifier (VPI) on the subscriber’s physical interface, in the range 0 through 65535
    • vci—ATM virtual circuit identifier (VCI) for each VPI configured on the subscriber interface, in the range 0 through 255

    In earlier Junos OS releases, the vpi and vci options were not available for the show subscribers command.

    To display information about ATM subscriber interfaces based on their VPI and VCI values so you can better distinguish ATM-based subscribers from Ethernet-based subscribers, you can use the new vpi and vci options for the show subscribers command together or separately. For example, the following show subscribers command includes both the vpi and vci options to display extensive information about the active PPPoE-over-ATM subscriber using VPI 40 and VCI 50. The ATM VPI and ATM VCI fields are new in this output.

    user@host> show subscribers vpi 40 vci 50 extensive
    Type: PPPoE
    User Name: testuser
    IP Address: 100.0.0.2
    IP Netmask: 255.255.0.0
    Logical System: default
    Routing Instance: default
    Interface: pp0.0
    Interface type: Static
    MAC Address: 00:00:65:23:01:02
    State: Active
    Radius Accounting ID: 2
    Session ID: 2
    ATM VPI: 40
    ATM VCI: 50
    Login Time: 2012-12-03 07:49:26 PST
    IP Address Pool: pool_1
    IPv6 Framed Interface Id: 200:65ff:fe23:102
    
    

    [Subscriber Access, System Basics and Services Command Reference]

  • Updated AAA Terminate Reason Mappings (MX Series routers)—The AAA idle-timeout terminate reason is now mapped to the RADIUS accounting Idle Timeout (4) terminate cause, and the AAA session-timeout terminate reason is now mapped to the RADIUS Session Timeout (5) terminate cause. In earlier releases, both terminate reasons were mapped to the RADIUS accounting NAS Request (10) terminate cause.

    To support backward compatibility, you can configure the router to support the previous behavior—use the terminate-code aaa shutdown (idle-timeout | session-timeout) radius 10 statement at the [edit access] hierarchy level.

    [Subscriber Access]

  • ATM subscriber enhancements for configuring RADIUS NAS-Port extended format (MX Series routers with MPCs/MICs)—Enables you to use the same access profile to configure an extended format for the NAS-Port (5) RADIUS IETF attribute for both ATM subscribers and Ethernet subscribers. In earlier Junos OS releases, you used the access profile to configure the NAS-Port extended format only for Ethernet-based subscribers.

    For ATM subscribers, the NAS-Port extended format configures the number of bits (bit width) in the slot-width, adapter-width, port-width, vpi-width, and vci-width fields in the NAS-Port attribute. Each field can be 1 through 32 bits wide; however, the combined total of the widths of all fields must not exceed 32 bits, or the configuration fails.

    To configure the NAS-Port extended format for ATM subscribers in an access profile, include the new atm stanza and appropriate ATM bit width options in the nas-port-extended-format statement at the [edit access profile profile-name radius options] hierarchy level.

    Instead of globally configuring an extended format for the NAS-Port attribute in an access profile, you can configure the NAS-Port extended format on a per-physical interface basis for both Ethernet interfaces and ATM interfaces. In earlier Junos OS releases, you configured the NAS-Port extended format only for Ethernet interfaces.

    To configure the NAS-Port extended format for an ATM interface, include one or both of the vpi-width and vci-width options in the nas-port-extended-format statement at the [edit interfaces interface-name radius-options nas-port-options nas-port-options-name] hierarchy level.
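    The following Python example is added to show how the bit-width configuration above turns into a single NAS-Port (attribute 5) value and how the 32-bit ceiling is enforced; it is not Junos code. The packing order slot, adapter, port, VPI, VCI (most significant field first) is an assumption made for the example, and the widths and subscriber values are constructed, with the VPI 40 and VCI 50 values borrowed from the show subscribers output earlier in this section.

```python
# Assumed packing order, most significant field first: slot, adapter, port, VPI, VCI.
FIELD_ORDER = ("slot", "adapter", "port", "vpi", "vci")
NAS_PORT_BITS = 32


def validate_widths(widths):
    """Each width must be 1 through 32 bits and the total must not exceed 32 bits,
    mirroring the rule under which the access-profile configuration fails."""
    total = 0
    for name in FIELD_ORDER:
        width = widths[name]
        if not 1 <= width <= NAS_PORT_BITS:
            raise ValueError(f"{name}-width {width} is outside 1..{NAS_PORT_BITS}")
        total += width
    if total > NAS_PORT_BITS:
        raise ValueError(f"combined field width {total} exceeds {NAS_PORT_BITS} bits")
    return total


def encode_nas_port(widths, values):
    """Pack the per-field values into one NAS-Port integer (what the router sends)."""
    validate_widths(widths)
    nas_port = 0
    for name in FIELD_ORDER:
        width, value = widths[name], values[name]
        if not 0 <= value < (1 << width):
            raise ValueError(f"{name}={value} does not fit in {width} bits")
        nas_port = (nas_port << width) | value
    return nas_port


def decode_nas_port(widths, nas_port):
    """Inverse of encode_nas_port (what a RADIUS server configured with the same widths recovers)."""
    validate_widths(widths)
    fields = {}
    for name in reversed(FIELD_ORDER):
        width = widths[name]
        fields[name] = nas_port & ((1 << width) - 1)
        nas_port >>= width
    return fields


# Constructed sample configuration (widths sum to exactly 32) and subscriber values
ATM_WIDTHS = {"slot": 4, "adapter": 4, "port": 4, "vpi": 8, "vci": 12}
ATM_SUBSCRIBER = {"slot": 1, "adapter": 0, "port": 2, "vpi": 40, "vci": 50}

if __name__ == "__main__":
    packed = encode_nas_port(ATM_WIDTHS, ATM_SUBSCRIBER)
    print(packed, hex(packed), decode_nas_port(ATM_WIDTHS, packed))
```

    Both sides must agree on the widths: the same integer decoded with a different vpi-width or vci-width yields different field values with no error, which is why a mismatch shows up as wrong accounting rather than as a failure.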

  • DHCPv6 Relay Agent (MX Series)—Starting in Junos OS Release 12.3R3, during the subscriber authentication or client authentication process, you can identify a subset of the DHCPv6 Relay Agent Remote-ID option (option 37) in the client PDU name to be concatenated with the username instead of concatenating the entire Remote-ID. You can use the enterprise-id and remote-id statements at the [edit forwarding-options dhcp-relay dhcpv6 authentication username-include relay-agent-remote-id] and the [edit system services dhcp-local-server dhcpv6 authentication username-include relay-agent-remote-id] hierarchy levels.
  • DHCP client IP address (MX Series)—Starting in Junos OS Release 12.2, you can configure the subnet to which the DHCP local server matches the requested IP address. The server accepts and uses an active client’s requested IP address for address assignment only when the requested address and the IP address of the DHCP server interface are in the same subnet. The server accepts and uses a passive client’s requested IP address only when the requested address and the IP address of the relay interface are in the same subnet.

User Interface and Configuration

  • Enhancement to set date ntp command—You can now specify an authentication-key number for the NTP server used to synchronize the date and time on the router or switch. Include the new key number option with the set date ntp command. The key number you include must match the number you configure for the NTP server at the [edit system ntp authentication-key number] hierarchy level.
  • TFEB Slot—On MX80 routers, the FPC Slot output field has been changed to TFEB Slot for the show services accounting flow inline-jflow, show services accounting errors inline-jflow, and show services accounting status inline-jflow commands.

VPNs

  • On a Layer 3 VPN PE routing device, a direct subnet route on a LAN PE-CE interface is advertised with a matching next-hop label. Previously, when there were multiple matching next hops, one of the next-hop labels was selected for the direct subnet route. There was room for improvement because a packet with a destination address matching the subnet route might need to be sent to another next hop in the LAN. Starting in Release 12.3, Junos OS no longer advertises the direct subnet route on a LAN PE-CE interface when there are multiple matching next hops. The direct subnet route on LAN PE-CE interface is advertised only if there is a single matching next hop.

    [VPNs]

  • Starting in Junos OS Release 11.4, vrf-import policies must reference a target community in the from clause. If the import policy does not reference a specific community target or if the referenced community is a wildcard, the commit operation fails. As an exception, the policy does not need to reference a community target in the from clause when the policy action in the then clause is "reject." Prior to Junos OS Release 11.4, when the vrf-import policy did not reference a specific community target in the from clause, the commit operation succeeded, but the import policy had a non-deterministic effect.

    [VPNs]

Changes Planned for Future Releases

The following are changes planned for future releases.

Routing Protocols

  • Change in the Junos OS support for the BGP Monitoring Protocol (BMP)—In Junos OS Release 13.3 and later, the currently supported version of BMP, BMP version 1, as defined in Internet draft draft-ietf-grow-bmp-01, is planned to be replaced with BMP version 3, as defined in Internet draft draft-ietf-grow-bmp-07.txt. Junos OS can support only one of these versions of BMP in a release. Therefore, Junos OS Release 13.2 and earlier will continue to support BMP version 1, as defined in Internet draft draft-ietf-grow-bmp-01. Junos OS Release 13.3 and later support only the updated BMP version 3 defined in Internet draft draft-ietf-grow-bmp-07.txt. This also means that beginning in Junos OS Release 13.3, BMP version 3 configurations are not backwards compatible with BMP version 1 configurations from earlier Junos OS releases.

    [Routing Protocols]

  • Removal of support for provider backbone bridging (MX Series routers) from Release 14.1—Starting with Junos OS Release 14.1, the provider backbone bridging (PBB) capability is disabled and not supported on MX Series routers. The pbb-options statement and its substatements at the [edit routing-instances routing-instance-name] hierarchy level and the pbb-service-options statement and its substatements at the [edit routing-instances routing-instance-name service-groups service-group-name] hierarchy level are no longer available for configuring customer and provider routing instances for PBB. When you upgrade MX Series routers running Junos OS Releases 12.3, 13.2, or 13.3 to Junos OS Release 14.1 and if your deployment contains PBB settings in configuration files, the configuration files after the upgrade need to be modified to remove the PBB-specific attributes because PBB is not supported in Release 14.1 and later.

    [Provider Backbone Bridging]

Modified: 2016-06-09