Junos OS Release Notes for QFabric Systems

 

These release notes accompany Junos OS Release 14.1X53-D140 for the QFX Series. They describe new and changed features, limitations, and known and resolved problems in the hardware and software.

Note

These release notes include information on all Junos OS Release 14.1X53 releases. Therefore, information about QFX Series devices that are not supported in Junos OS Release 14.1X53-D140 but are supported in other Junos OS Release 14.1X53 releases is included in these release notes.

New and Changed Features

This section describes the new features and enhancements to existing features in Junos OS Release 14.1X53 for the QFX Series.

New Features in Release 14.1X53-D46

Interfaces and Chassis

  • Link Aggregation Control Protocol (LACP) force-up enhancements (QFX5100 switches and QFX5100 Virtual Chassis)—Starting in Junos OS Release 14.1X53-D46, if an aggregated Ethernet interface (AE) on a switch has multiple member links, one member link in that AE is in the force-up state with its peer’s LACP down, and LACP then comes up partially (that is, LACP is established with a non-force-up member link), force-up is disabled on the member link on which force-up has been set, and that member link is ready for connection establishment through LACP. Force-up is eligible only if the server-side interface has LACP issues.

New Features in Release 14.1X53-D40

Class of Service

  • Support for policy drop counters in CLI and SNMP (QFX Series switches)—Starting in Junos OS Release 14.1X53-D40, the show interfaces interface-name statistics detail command displays the number of packets dropped on an interface because of policers configured for that interface. The number of packet drops is displayed in the command output in the Bucket drops field under Input errors and Output errors. These statistics are also available through SNMP.

    See show interfaces xe.

High Availability (HA) and Resiliency

  • NSSU improvements to optimize total upgrade time and recover from software image copy or reboot failures (QFX5100 Virtual Chassis or Virtual Chassis Fabric [VCF])—Starting in Junos OS Release 14.1X53-D40, nonstop software upgrade (NSSU) on a Virtual Chassis or VCF supports the following optimizations and error recovery measures:

    • To optimize the time needed to complete NSSU, the master member copies the new software in parallel to multiple members at a time rather than waiting for the copy operation to complete to each member before copying the software image to the next member. By default, the number of parallel copy sessions is based on the Virtual Chassis or VCF size, or you can configure a specific number using the rcp-count number configuration statement.

    • As before, the master aborts the NSSU process if copying the new software to any member fails. As a new error recovery measure, the master also removes the new software image from all members to which it was already transferred.

    • During NSSU, when each member is rebooted in turn with the new software, if any member fails to reboot, the master aborts the NSSU process. As a new recovery measure, the master automatically brings down and reboots the entire Virtual Chassis or VCF. This recovery action causes downtime for the Virtual Chassis or VCF, but brings it up in a stable state, cleanly running the new software on all members without requiring you to manually recover members individually.

    [See Understanding Nonstop Software Upgrade on a Virtual Chassis and Mixed Virtual Chassis or Understanding Nonstop Software Upgrade on a Virtual Chassis Fabric.]

Interfaces and Chassis

  • LAG local minimum links per Virtual Chassis or VCF member (QFX5100 switches)—Introduced in Junos OS Release 14.1X53-D40, the local minimum links feature helps avoid traffic loss due to asymmetric bandwidth on link aggregation group (LAG) forwarding paths through a Virtual Chassis or Virtual Chassis Fabric (VCF) member switch when one or more LAG member links local to that chassis have failed. When this feature is enabled, if a user-configured percentage of local LAG member links has failed on a chassis, all remaining local LAG member links on the chassis are forced down, and LAG traffic is redistributed only through LAG member links on other chassis. To enable local minimum links for an aggregated Ethernet interface (aex), set the local-minimum-links-threshold configuration statement with a threshold value that represents the percentage of local member links that must be up on a chassis for any local LAG member links on that chassis to continue to be active in the aggregated Ethernet bundle. Otherwise all remaining LAG member links on that chassis are also forced down. The feature responds dynamically to bring local LAG member links up or down if you change the configured threshold, or when the status or configuration of LAG member links changes. Note that forced-down links also influence the minimum links count for the LAG as a whole, which can bring down the LAG, so enable this feature only in configurations where LAG traffic is carefully monitored and controlled.

    [See Understanding Local Minimum Links.]
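    The decision described above can be modelled in a few lines. This is an added example, not Juniper code: the interface names are constructed, and it assumes that a chassis whose up-link percentage exactly equals the threshold keeps its links active. It also shows the caveat from the text, where forced-down links push the bundle below its minimum links count.

```python
"""Model of the local minimum links decision (added example, not Juniper code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class MemberLink:
    name: str     # constructed interface name
    chassis: int  # Virtual Chassis or VCF member that hosts the link
    up: bool      # link state before the feature is applied


def evaluate_lag(links, threshold_pct, minimum_links=1):
    """Return (active, forced_down, lag_up) for one aggregated Ethernet bundle.

    threshold_pct models local-minimum-links-threshold: the percentage of a
    chassis's local member links that must be up for any of them to stay
    active. Assumption: exactly meeting the threshold keeps links active.
    minimum_links models the minimum links count for the LAG as a whole.
    """
    by_chassis = {}
    for link in links:
        by_chassis.setdefault(link.chassis, []).append(link)

    active, forced_down = [], []
    for _, local in sorted(by_chassis.items()):
        up = [l for l in local if l.up]
        # Integer form of (up / total * 100 >= threshold) to avoid rounding.
        meets = len(up) * 100 >= threshold_pct * len(local)
        (active if meets else forced_down).extend(l.name for l in up)

    # Forced-down links no longer count toward the bundle-wide minimum.
    lag_up = len(active) >= minimum_links
    return active, forced_down, lag_up


# Constructed sample: member 0 has lost three of four links, member 1 none.
SAMPLE_LINKS = [
    MemberLink("xe-0/0/0", 0, True),
    MemberLink("xe-0/0/1", 0, False),
    MemberLink("xe-0/0/2", 0, False),
    MemberLink("xe-0/0/3", 0, False),
    MemberLink("xe-1/0/0", 1, True),
    MemberLink("xe-1/0/1", 1, True),
    MemberLink("xe-1/0/2", 1, True),
    MemberLink("xe-1/0/3", 1, True),
]

if __name__ == "__main__":
    for threshold, minimum in [(50, 4), (50, 5), (25, 5)]:
        active, forced, lag_up = evaluate_lag(SAMPLE_LINKS, threshold, minimum)
        print(f"threshold={threshold}% minimum-links={minimum}: "
              f"active={active} forced_down={forced} lag_up={lag_up}")
```

    With a 50 percent threshold the surviving link on member 0 is forced down, so a bundle that needs five links goes down even though five links are physically up.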

Layer 2 Features

  • Support for IRB interfaces on Q-in-Q VLANs (QFX5100 switches and QFX5100 Virtual Chassis)—Starting with Junos OS Release 14.1X53-D40, integrated routing and bridging (IRB) interfaces are supported on Q-in-Q VLANs—you can configure the IRB interface on the same interface as one used by an S-VLAN, and you can use the same VLAN ID for both the VLAN used by the IRB interface and for the VLAN used as an S-VLAN.

    Packets arriving on an IRB interface that is using Q-in-Q VLANs will get routed regardless of whether the packet is single tagged or double tagged. The outgoing routed packets contain an S-VLAN tag only when exiting a trunk interface; the packets exit the interface untagged when exiting an access interface.

    Note

    You can configure the IRB interface only on S-VLAN (NNI) interfaces, not on C-VLAN (UNI) interfaces.

    [See Understanding Q-in-Q Tunneling.]

  • Dual VLAN tag translation (QFX5100 switches and QFX5100 Virtual Chassis)—Starting with Junos OS Release 14.1X53-D40, you can use the dual VLAN tag translation (also known as dual VLAN tag rewrite) feature to deploy switches in service-provider domains, allowing dual-tagged, single-tagged, and untagged VLAN packets to come into or exit from the switch. Operations added for dual VLAN tag translation are swap-push, swap-swap, and pop-push.

    Dual VLAN tag translation supports:

    • Configuration of S-VLANs (NNI) and C-VLANs (UNI) on the same physical interface

    • Control protocols such as VSTP, OSPF, and LACP

    • IGMP snooping

    • Configuration of a private VLAN (PVLAN) and VLAN on a single-tagged interface

    • Use of TPID 0x8100 on both inner and outer VLAN tags

    [See Understanding Q-in-Q Tunneling.]

  • Support to exclude RVIs from state calculations (QFX5100 switches)—Starting with Junos OS Release 14.1X53-D40, you can exclude a trunk or access interface from the state calculation for a routed VLAN interface (RVI) for member VLANs. An RVI typically has multiple ports in a single VLAN. Excluding trunk and access interfaces from state calculations means that as soon as the port specifically assigned to the VLAN goes down, the RVI for the VLAN is marked as down. Include the autostate-exclude statement at the [edit interfaces ether-options] hierarchy level.

    [See Excluding a Routed VLAN Interface from State Calculations.]

MPLS

  • Support for IRB interfaces over an MPLS core network (QFX5100 switches)—Starting in Junos OS Release 14.1X53-D40, you can configure integrated routing and bridging (IRB) interfaces over an MPLS network on QFX5100 switches. An IRB is a logical Layer 3 VLAN interface used to route traffic between VLANs.

    By definition, VLANs divide a LAN’s broadcast environment into isolated virtual broadcast domains, thereby limiting the amount of traffic flowing across the entire LAN and reducing the possible number of collisions and packet retransmissions within the LAN. To forward packets between different VLANs, you normally need a router that connects the VLANs. Now you can accomplish this forwarding without using a router by simply configuring an IRB interface on the switch. The IRB interface functions as a logical switch on which you can configure a Layer 3 logical interface for each VLAN. The switch relies on its Layer 3 capabilities to provide this basic routing between VLANs. With IRB, you can configure label-switched paths (LSPs) to enable the switch to recognize which packets are being sent to local addresses, so that they are bridged (switched) whenever possible and are routed only when necessary. Whenever packets can be switched instead of routed, several layers of processing are eliminated.

    [See Example: Configuring IRB Interfaces on QFX5100 Switches over an MPLS Core Network and Understanding Integrated Routing and Bridging.]

Multicast Protocols

  • Support for static multicast route leaking for VRF and virtual-router instances (QFX5100 and EX4300 switches)—Starting with Junos OS Release 14.1X53-D40, you can configure your switch to share IPv4 multicast routes among different virtual routing and forwarding (VRF) instances or different virtual-router instances. Only multicast static routes with a destination-prefix length of /32 are supported for multicast route leaking. Only Internet Group Management Protocol version 3 is supported. To configure multicast route leaking for VRF or virtual-router instances, include the next-table routing-instance-name.inet.0 statement at the [edit routing-instances routing-instance-name routing-options static route destination-prefix/32] hierarchy level. For routing-instance-name, include the name of a VRF or virtual-router instance.

    On the EX4300 switch, multicast route leaking is supported only when the switch functions as a line card in a Virtual Chassis.

    [See Understanding Multicast Route Leaking for VRF and Virtual-Router Instances.]

QFabric Systems

  • Support for displaying the Junos OS software version stored in a USB installer key (QFabric systems)—Starting with Junos OS Release 14.1X53-D40, you can display the version of Junos OS software stored on a standard USB installer key when it is inserted on a Director group device by issuing the show system software usb-software-version command.

  • Support for EX4300 switches in a QFabric System control plane—Starting in Junos OS Release 14.1X53-D40, EX4300 switches can be used as the control plane switches in a QFabric System instead of EX4200 switches.

    • The control plane of a QFX3000-G QFabric System can be comprised of two Virtual Chassis with four EX4300-48T switches each for a copper-based control plane, or four EX4300-48P switches for a fiber-based control plane. Four 10-Gigabit Ethernet uplink ports on each Virtual Chassis connect the two Virtual Chassis configurations together.

    • The control plane of a QFX3000-M QFabric System can be comprised of two EX4300-48T switches with an SFP+ uplink module installed for a copper-based control plane, or two EX4300-48P switches with an SFP+ uplink module installed for a fiber-based control plane.

    You cannot mix EX4300 switches and EX4200 switches in the same QFabric system; the control plane must be comprised of the same type of switch.

    Note

    Junos OS Release 15.1R3 is the recommended software version for the EX4300 switches.

    [See Understanding QFX3000-G QFabric System Hardware Configurations, Understanding QFX3000-M QFabric System Hardware Configurations, and Understanding the QFabric System Control Plane.]

  • Support for SNMPv3 (QFabric systems)—Starting in Junos OS Release 14.1X53-D40, QFabric systems support SNMP version 3 (SNMPv3). In contrast to SNMP version 1 (SNMPv1) and SNMP version 2 (SNMPv2), SNMPv3 supports authentication and encryption. With SNMPv3, you can query QFabric systems by using the SNMPv3 request, receive SNMPv3 traps and informs, and query QFabric SNMPv3 MIBs for authentication and encryption. SNMPv3 offers strong authentication to determine whether a message is arriving from a valid source and provides message encryption to prevent the data from being snooped by an unauthorized source.

    [See SNMP v3 Overview]

Security

  • Distributed denial-of-service (DDoS) protection (QFX5100 switches and Virtual Chassis)—A denial-of-service (DoS) attack is any attempt to deny valid users access to network or server resources by using up all the resources of the network element or server. Distributed denial-of-service attacks (DDoS) involve an attack from multiple sources, enabling a much greater amount of traffic to attack the network. The attacks typically use network protocol control packets to trigger a large number of exceptions to the switch control plane. This results in an excessive processing load that disrupts normal network operations. Starting in Junos OS 14.1X53-D40, Junos OS DDoS protection enables QFX5100 switches and Virtual Chassis to continue functioning while under attack. It identifies and suppresses malicious control packets while enabling legitimate control traffic to be processed. A single point of DDoS protection management enables network administrators to customize profiles for their network control traffic.

    [See Understanding Distributed Denial-of-Service Protection on QFX Series Switches].

Software-Defined Networking (SDN)

  • OVSDB-VXLAN support with VMware NSX for vSphere (QFX5100 switches)—Starting with Junos OS Release 14.1X53-D40, the Junos OS implementation of the Open vSwitch Database (OVSDB) management protocol provides a means through which NSX controllers and QFX5100 standalone switches that function as virtual tunnel endpoints (VTEPs) can communicate. In an NSX for vSphere (NSX-v) version 6.2.4 environment, NSX controllers and QFX5100 switches can exchange control and statistical information via the OVSDB schema for physical devices, thereby enabling virtual machine (VM) traffic from entities in a virtual network to be forwarded to bare-metal servers in a physical network and vice versa. You can set up a connection between the QFX5100 management interface (em0 or em1) and an NSX controller.

    [See Understanding the OVSDB Protocol Running on Juniper Networks Devices.]

  • BFD in a VMware NSX for vSphere environment with OVSDB and VXLAN (QFX5100 switches)—Within a Virtual Extensible LAN (VXLAN) managed by the Open vSwitch Database (OVSDB) protocol, by default, Layer 2 broadcast, unknown unicast, and multicast (BUM) traffic is replicated and forwarded by one or more software virtual tunnel endpoints (VTEPs) or service nodes in the same VXLAN. (The software VTEPs and service nodes are collectively referred to as replicators.)

    Starting with Junos OS Release 14.1X53-D40, a Juniper Networks switch that functions as a hardware VTEP in a VMware NSX for vSphere (NSX-v) environment uses the Bidirectional Forwarding Detection (BFD) protocol to prevent the forwarding of BUM packets to a nonfunctional replicator.

    By exchanging BFD control messages with replicators at regular intervals, the hardware VTEP can monitor the replicators to ensure that they are functioning and are, therefore, reachable. Upon receipt of a BUM packet on an OVSDB-managed interface, the hardware VTEP can choose one of the functioning replicators to handle the packet.

    [See Understanding BFD in a VMware NSX Environment with OVSDB and VXLAN.]

  • EVPN-VXLAN support of Virtual Chassis and Virtual Chassis Fabric (QFX5100, QFX5100 Virtual Chassis, Virtual Chassis Fabric)—Ethernet VPN (EVPN) supports multihoming active-active mode, which enables a host to be connected to two leaf devices through a Layer 2 link aggregation group (LAG) interface. In previous Junos OS releases, the two leaf devices had to be QFX5100 standalone switches. Starting with Release 14.1X53-D40, the two leaf devices can be QFX5100 standalone switches, QFX5100 switches configured as a Virtual Chassis, QFX5100 switches configured as a Virtual Chassis Fabric (VCF), or a mix of these options.

    On each leaf device, the LAG interface is configured with the same Ethernet segment identifier (ESI) for the host. The two leaf devices on which the same ESI is configured are peers to each other.

    If a host, for example, host 1, is connected to two leaf devices through LAG interfaces, Layer 2 broadcast, unknown unicast, and multicast (BUM) traffic is handled as follows:

    • Sending BUM packets—Through the control of the LAG interface, only one copy of a BUM packet is forwarded from host 1 to one of the leaf devices to which host 1 is connected.

    • Receiving BUM packets from another host in the Layer 2 overlay—Per multihoming active-active mode, one of the leaf devices to which host 1 is connected is elected as a designated forwarder (DF). If another host in the Layer 2 overlay—for example, host 2—sends a BUM packet, both leaf devices to which host 1 is connected receive the packet, but only the DF forwards it to host 1. The other leaf device drops the packet.

    • Receiving BUM packets from the host that originated the packets—If host 1 sends a BUM packet, the packet is received by all other leaf devices in the Layer 2 overlay, including the peer leaf device to which host 1 is also connected. In this case, the peer leaf device drops the packet because the packet must not be forwarded to host 1, which originated the packet.

    • Receiving BUM packets from another host connected to the same leaf device—If another host—for example, host 3—that is connected to the same leaf device as host 1 sends a BUM packet, the packet is forwarded to both leaf devices to which host 1 is connected. Per a local bias, the same leaf device to which both host 3 and host 1 are connected forwards the packet to host 1. The other remote leaf device to which only host 1 is connected drops the packet.

    [See EVPN-VXLAN Support of Virtual Chassis and Virtual Chassis Fabric.]
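    The four BUM cases above, expressed as a per-leaf forwarding decision. This is an added example, not Juniper code: the leaf and host names are constructed, the result of the designated forwarder election is taken as a given input rather than computed, and delivery to single-homed hosts on remote leaf devices is an assumption beyond what the text covers.

```python
"""Forwarding model for BUM traffic with EVPN multihoming active-active
(added example, not Juniper code)."""

# Constructed topology: host -> leaf devices it attaches to.
# host1 is multihomed (same ESI on leaf-a and leaf-b); the others are single-homed.
ATTACHMENTS = {
    "host1": {"leaf-a", "leaf-b"},
    "host2": {"leaf-c"},
    "host3": {"leaf-a"},
}
# Assumed outcome of the designated forwarder (DF) election for host1's segment.
DESIGNATED_FORWARDER = {"host1": "leaf-b"}


def bum_decisions(src_host, ingress_leaf,
                  attachments=ATTACHMENTS, df=DESIGNATED_FORWARDER):
    """Return {(leaf, host): (action, reason)} for one BUM packet.

    ingress_leaf is the single leaf that the source's LAG sent the packet to,
    which is why only one copy ever enters the overlay.
    """
    if ingress_leaf not in attachments[src_host]:
        raise ValueError(f"{src_host} is not attached to {ingress_leaf}")

    decisions = {}
    for host, leaves in attachments.items():
        for leaf in sorted(leaves):
            if host == src_host:
                # The peer leaf must not hand the packet back to its originator.
                if leaf != ingress_leaf:
                    decisions[(leaf, host)] = ("drop", "originated on this segment")
                continue
            if leaf == ingress_leaf:
                # Local bias: the ingress leaf delivers to its own hosts,
                # whether or not it is the DF for their segment.
                decisions[(leaf, host)] = ("forward", "local bias")
            elif len(leaves) == 1:
                decisions[(leaf, host)] = ("forward", "single-homed host")
            elif ingress_leaf in leaves:
                # The ingress leaf already delivered through local bias.
                decisions[(leaf, host)] = ("drop", "ingress leaf delivers locally")
            elif df[host] == leaf:
                decisions[(leaf, host)] = ("forward", "designated forwarder")
            else:
                decisions[(leaf, host)] = ("drop", "not designated forwarder")
    return decisions


def copies_delivered(decisions, host):
    """Count how many leaf devices forward the packet to the given host."""
    return sum(1 for (_, h), (action, _) in decisions.items()
               if h == host and action == "forward")


if __name__ == "__main__":
    for src, ingress in [("host2", "leaf-c"), ("host1", "leaf-a"), ("host3", "leaf-a")]:
        print(f"{src} sends BUM via {ingress}:")
        for (leaf, host), (action, reason) in sorted(bum_decisions(src, ingress).items()):
            print(f"  {leaf} -> {host}: {action} ({reason})")
```

    In every case host 1 receives at most one copy, and in the host 3 case leaf-a forwards even though leaf-b is the DF.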

New Features in Release 14.1X53-D35

Interfaces and Chassis

  • PVLAN and Q-in-Q on the same interface (QFX5100 switches)—Starting with Junos OS Release 14.1X53-D35, you can configure a private VLAN and Q-in-Q tunneling on the same Ethernet port. To configure both PVLAN and Q-in-Q on the same physical interface, you must configure flexible Ethernet services to support dual methods of configuring logical interfaces. Q-in-Q requires a service provider configuration method, and PVLAN requires an enterprise configuration method.

    To configure a physical interface to support both PVLAN and Q-in-Q:

    1. Configure flexible VLAN tagging to enable the interface to transmit packets with two 802.1Q VLAN tags.
      [edit groups group-name]
      user@switch# set interfaces interface-name flexible-vlan-tagging
    2. Configure flexible Ethernet services to enable the interface to support PVLAN and Q-in-Q on the same interface.
      [edit groups group-name]
      user@switch# set interfaces interface-name encapsulation flexible-ethernet-services
    3. Enable VLAN bridge encapsulation on the logical interface.
      [edit groups group-name]
      user@switch# set interfaces interface-name unit unit-number encapsulation vlan-bridge
    4. Assign the VLAN ID for the logical interface.
      [edit groups group-name]
      user@switch# set interfaces interface-name unit unit-number vlan-id vlan-id

MPLS

  • Support for equal-cost multipath (ECMP) operation on MPLS using firewall filters (QFX5100 switches)—Starting with Junos OS 14.1X53-D35, QFX5100 switches support ECMP operation on MPLS using firewall filters. Use the following commands to enable the feature:

New Features in Release 14.1X53-D30

Authentication and Access Control

  • Access control and authentication (QFX5100 switches)—Starting with Junos OS Release 14.1X53-D30, QFX5100 switches support controlling access to your network using 802.1X authentication and MAC RADIUS authentication.

    • 802.1X authentication provides port-based network access control (PNAC) as defined in the IEEE 802.1X standard. QFX5100 switches support 802.1X features including guest VLAN, private VLAN (PVLAN), server fail fallback, dynamic changes to a user session, RADIUS accounting, and configuration of port-filtering attributes on the RADIUS server using VSAs. You configure 802.1X authentication at the [edit protocols dot1x] hierarchy level.

    • MAC RADIUS authentication is used to authenticate end devices, whether or not they are enabled for 802.1X authentication. You can permit end devices that are not 802.1X-enabled to access the LAN by configuring MAC RADIUS authentication on the switch interfaces to which the end devices are connected. You configure MAC RADIUS authentication at the [edit protocols dot1x authenticator interface interface-name mac-radius] hierarchy level.

    [See Understanding Authentication on Switches.]

Cloud Analytics Engine

  • Data Learning Engine (DLE) component APIs to access Network Traffic Analysis (NTA) statistics (QFX5100 switches)—Starting with Junos OS Release 14.1X53-D30 and Network Director 2.5, you can enable devices to generate NTA flow statistics using Network Director, and configure DLE to collect, process, and store the data. DLE NTA APIs are provided to allow access to the NTA data that DLE maintains.

    [See Data Learning Engine API Overview.]

  • Data Learning Engine (DLE) streaming flow data subscription service and RESTful APIs (QFX5100 switches)—Starting with Junos OS Release 14.1X53-D30, DLE supports a UDP-based network analytics data subscription service that streams analytics data in bulk to subscribed clients as it is collected. The service supports streaming of application flow path analytics data from active flows on network devices that support Cloud Analytics Engine. DLE clients can subscribe to receive this data using DLE data subscription RESTful APIs, avoiding the overhead of having to periodically request this data from DLE and enabling custom real-time client telemetry.

    [See Data Learning Engine API Overview.]

Ethernet Switching

  • IRB in PVLAN (QFX5100 switches)—Starting with Junos OS Release 14.1X53-D30, you can configure an integrated routing and bridging (IRB) interface in a private VLAN (PVLAN) so that devices in the community and isolated VLANs can communicate with each other and with devices outside the PVLAN at Layer 3 without requiring you to install a router.

    [See Example: Configuring a Private VLAN Spanning Multiple Switches with an IRB Interface.]

Interfaces and Chassis

  • Short-reach mode (QFX5100-48T switch)—Allows you to use short cable lengths (less than 10 meters) for copper-based 10-Gigabit Ethernet interfaces. Enabling short-reach mode reduces power consumption on these interfaces. You can configure short-reach mode for individual interfaces and for a range of interfaces. Enable short-reach mode for individual interfaces by including the enable statement at the [edit chassis fpc slot-number pic slot-number] hierarchy level. Enable short-reach mode for a range of interfaces by including the enable statement at the [edit chassis fpc slot-number pic port-range port-range-low port-range-high] hierarchy level.

MPLS

  • IPv6 Layer 3 VPNs (QFX5100 switches)—QFX5100 switch interfaces in a Layer 3 VPN can now be configured to carry IP version 6 (IPv6) traffic. This feature, commonly referred to as 6VPE, allows for the transport of IPv6 traffic across an MPLS-enabled IPv4 backbone to provide VPN service for IPv6 customers.

  • MPLS over Layer 3 subinterfaces (QFX5100 switches)—Starting with Junos OS Release 14.1X53-D30, MPLS over Layer 3 subinterfaces is supported on a QFX5100 switch when the switch is used as a label switch router (LSR). MPLS over Layer 3 subinterfaces has already been supported when a QFX5100 switch is used as a label edge router (LER).

    [See MPLS Limitations on QFX Series and EX4600 Switches.]

  • MPLS features (QFX5100 Virtual Chassis, Virtual Chassis Fabric)—The following MPLS features are now supported for QFX5100 Virtual Chassis and Virtual Chassis Fabric (VCF):

    • BGP L3 VPN

    • Carrier-over-Carrier and Interprovider

    • Ethernet over MPLS pseudowires based on LDP

    • Static/Dynamic Ethernet pseudowires over LDP/RSVP tunnels

    • Pseudowire over aggregated Ethernet interfaces (core-facing interface)

    • RSVP FRR including link-protection/node-link-protection

    • Junos fast-reroute

    • Ethernet pseudowires over QFX5100 Virtual Chassis and VCF deployments

Software-Defined Networking (SDN)

  • Class-of-service support for OVSDB-managed VXLAN interfaces (QFX5100 switches)—Class-of-service (CoS) features can now be configured on OVSDB-managed VXLAN interfaces on QFX5100 switches. An OVSDB-managed VXLAN interface uses an OVSDB controller to create and manage the VXLAN interfaces and tunnels.

  • Firewall filters on OVSDB-managed interfaces (QFX5100 switches)—Enables you to configure firewall filters on interfaces managed by a Contrail controller through the Open vSwitch Database (OVSDB) management protocol.

    [See Understanding Firewall Filters on OVSDB-Managed Interfaces.]

  • Policers on OVSDB-managed interfaces (QFX5100 switches)—Enables you to configure two-rate three-color markers (policers) on interfaces managed by a Contrail controller through the Open vSwitch Database (OVSDB) management protocol.

    [See Understanding Policers on OVSDB-Managed Interfaces.]

  • MAC limiting on OVSDB-managed interfaces (QFX5100 switches)—Enables you to configure MAC limiting on interfaces managed by a Contrail controller through the Open vSwitch Database (OVSDB) management protocol.

  • NNI and UNI on the same interface (QFX5100 switches)—Enables you to configure the same interface as a network-to-network interface (NNI) and a user-network interface (UNI) when you use Q-in-Q tunneling.

  • OVSDB in Junos OS software package, ISSU and NSSU support (QFX5100, QFX5100 Virtual Chassis)—Starting with 14.1X53-D30, OVSDB software is included in the Junos OS software package (jinstall). The introduction of this new feature results in the following changes:

    • To upgrade the OVSDB software on your Juniper Networks switch or Virtual Chassis to a later version, you can now use the in-service software upgrade (ISSU) or nonstop software upgrade (NSSU) process. When upgrading the OVSDB software, be aware that this upgrade requires graceful Routing Engine switchover (GRES) only.

    • To install OVSDB on your QFX5100 switch or Virtual Chassis, you no longer need to download and install the jsdn-i386-release software package.

    [See Understanding In-Service Software Upgrade (ISSU) and Understanding Nonstop Software Upgrade on a Virtual Chassis Fabric.]

  • OVSDB support with Contrail (QFX5100, QFX5100 Virtual Chassis, Virtual Chassis Fabric)—Starting with Junos OS Release 14.1X53-D30, the Open vSwitch Database (OVSDB) management protocol provides a means through which a Contrail controller and a QFX5100 switch, QFX5100 Virtual Chassis, or a Virtual Chassis Fabric that includes QFX5100 switches only can communicate. In an environment in which Contrail Release 2.20 or later is deployed, a Contrail controller and a QFX5100 switch, QFX5100 Virtual Chassis, or Virtual Chassis Fabric can exchange control and statistical information, thereby enabling virtual machine (VM) traffic from entities in a virtualized network to be forwarded to entities in a physical network and the reverse.

    [See Understanding the Open vSwitch Database Management Protocol Running on Juniper Networks Devices.]

  • Support for ping and traceroute with VXLANs (QFX5100 switches)—Enables you to use ping and traceroute to debug the underlay that supports a VXLAN overlay.

    [See ping overlay and traceroute overlay.]

VPNs

  • EVPN control plane for VXLAN supported interfaces (QFX5100 switches)—Traditionally, data centers have used Layer 2 technologies such as Spanning Tree Protocol (STP), multichassis link aggregation group (MC-LAG), or TRILL for compute and storage connectivity. As the design of data centers shifts from more traditional to scale-out, service-oriented multitenant networks, a new data center architecture has been provided that allows decoupling of an underlay network from the tenant overlay network with VXLAN. By using a Layer 3 IP-based underlay coupled with a VXLAN-EVPN overlay, you can deploy larger networks than those possible with traditional Layer 2 Ethernet-based architectures. With overlays, endpoints (servers or virtual machines) can be placed anywhere in the network and remain connected to the same logical Layer 2 network. The benefit is that virtual topology, using both MX Series routers and QFX5100 switches, can be decoupled from the physical topology.

New Features in Release 14.1X53-D27

Hardware

  • QFX5100-24Q-AA switch—This low-latency, high-performance, top-of-rack switch provides 2.56 Tbps throughput. Each QSFP+ port supports 40-Gigabit Ethernet but can be configured as four independent 10-Gigabit Ethernet ports using breakout cables (channelization mode). The switch can also be configured to support 96 10-Gigabit Ethernet ports using breakout cables (channelization mode) with 1280-Gbps total throughput.

    The switch can be ordered with either ports-to-FRUs or FRUs-to-ports airflow and with AC or DC power supplies.

    The QFX5100-24Q-AA module bay can accommodate a single double-wide expansion module (QFX-PFA-4Q) and two single-wide optional expansion modules (two or one each of QFX-EM-4Q and EX4600-EM-8F).

  • QFX-PFA-4Q expansion module (QFX5100-24Q-AA switch)—Starting with Junos OS Release 14.1X53-D27, the QFX5100-24Q-AA switch supports the QFX-PFA-4Q expansion module. This double-wide expansion module provides four additional 40-Gigabit Ethernet QSFP+ ports, a dedicated FPGA, and support for the Precision Time Protocol (PTP).

New Features in Release 14.1X53-D26

Network Management and Monitoring

  • DHCP smart relay (QFX5100)—Starting with Junos OS Release 14.1X53-D26, you can configure alternative IP addresses for the gateway interface so that if the server fails to reply to the requests sent from the primary gateway address, the switch can resend the requests using alternative gateway addresses. To use this feature, you must configure an IRB interface or Layer 3 subinterface with multiple IP addresses and configure that interface as a relay agent.

Open vSwitch Database (OVSDB)

  • New OVSDB command summaries (QFX5100, QFX5100 Virtual Chassis)—Starting with Junos OS Release 14.1X53-D26, the show ovsdb commit failures and clear ovsdb commit failures commands are introduced.

    If you suspect a problem has occurred with the configuration of an OVSDB-managed Virtual Extensible LAN (VXLAN) and associated logical interface(s), you can enter the show ovsdb commit failures command. This command describes the OVSDB-managed VXLANs and associated logical interface(s) that the Juniper Networks switch automatically configured but was unable to commit.

    After you resolve the problem, you can remove the configuration from the queue and retry committing the configuration by using the show ovsdb commit failures command.

  • Storm control on OVSDB-managed interfaces (QFX5100)—Starting with Junos OS Release 14.1X53-D26, you can configure storm control on VXLAN interfaces that are managed by an OVSDB controller. By default, Layer 2 BUM traffic that originates in an OVSDB-managed VXLAN is replicated and forwarded by a service node in the same VXLAN. Because service nodes can be overloaded if too much BUM traffic is received, you can manually configure storm control on server-facing VXLAN interfaces to control how much of this traffic is allowed into a VXLAN.

New Features in Release 14.1X53-D25

MPLS

  • MPLS stitching for virtual machine connections (QFX5100, QFX3500)—By using MPLS, the stitching feature provides connectivity between virtual machines on opposite sides of data center routers. An external controller, programmed in the data plane, assigns MPLS labels to both virtual machines and servers. Then, the signaled MPLS labels are used between the data center routers, generating static label-switched paths (LSPs), resolved over RSVP or LDP, to provide the routes dictated by the labels. The new CLI command stitch, located under the LSP transit command, provides this capability.

    [See MPLS Stitching For Virtual Machine Connection.]

Open vSwitch Database (OVSDB)

  • OVSDB schema updates (QFX5100 switch, QFX5100 Virtual Chassis)—Starting with Junos OS Release 14.1X53-D25, the version of the Open vSwitch Database (OVSDB) schema for physical devices that is implemented on QFX5100 switches is 1.3.0. In addition, this schema now supports the multicast MACs local table.

    [See Open vSwitch Database Schema for Physical Devices.]

Software Installation and Upgrade

  • Preboot eXecution Environment (PXE) software for Junos Fusion satellite devices (QFX5100 switches)—Enables you to convert a Junos Fusion satellite device back into a standalone QFX5100 switch. For more information on this feature, please see the Junos OS 14.2R3 Release Notes and the Junos Fusion documentation.

System Management

  • DHCP relay with DHCP server and DHCP client in separate routing instances—You can use a stateless DHCP relay agent between a client and server in different virtual routing instances. This feature uses cross-message exchange between the virtual routing instances and supports both DHCPv4 and DHCPv6 packets. This method ensures that:

    • The DHCP server network is isolated from the DHCP clients, because there is no direct routing between the client’s and server’s routing instances.

    • Only DHCP packets, not routine traffic, are relayed across the two routing instances.

    [See DHCP Message Exchange Between DHCP Clients and DHCP Server in Different Virtual Routing Instances.]

  • Precision Time Protocol (PTP) transparent clock (QFX5100 switch)—PTP synchronizes clocks throughout a packet-switched network. With a transparent clock, the PTP packets are updated with residence time as the packets pass through the switch. There is no master/slave designation. With an end-to-end transparent clock, only the residence time is included. The residence time can be sent in a one-step process, which means that timestamps are sent in one packet. In a two-step process, estimated timestamps are sent in one packet, and additional packets contain updated timestamps. In addition, user UDP over IPv4 and IPv6, and unicast and multicast transparent clocks, are supported. You can configure the transparent clock at the [edit protocols ptp] hierarchy level.

    [See Understanding Transparent Clocks in Precision Time Protocol.]

VXLAN

  • Configurable VXLAN UDP port (QFX5100)—Starting with Junos OS 14.1X53-D25, you can configure the UDP port used as the destination port for VXLAN traffic on a QFX5100 switch. To configure the VXLAN destination port to be something other than the default UDP port of 4789, enter set protocols l2-learning destination-udp-port port-number. The port you configure will be used for all VXLANs configured on the switch.

    Note

    If you make this change on one switch in a VXLAN, you must make the same change on all the devices that terminate the VXLANs configured on your switch. If you do not do so, traffic will be disrupted for all the VXLANs configured on your switch. When you change the UDP port, the previously learned remote VTEPs and remote MACs are lost and VXLAN traffic is disrupted until the switch relearns the remote VTEPs and remote MACs.

    [See Understanding VXLANs.]

New Features in Release 14.1X53-D15

Hardware

  • Extended node support (QFX5100-24Q and QFX5100-48T switches)—Enables you to include a QFX5100-24Q switch and a QFX5100-48T switch as a Node device in a QFabric System. To add the device, first install the QFabric “5” family software package (jinstall-qfabric-5-release.tgz) on the switch, and attach two management ports to the QFabric system control plane. For copper-based control plane systems, use the RJ-45 fixed management port and one SFP management port on the QFX5100 Node device with a copper module. For fiber-based control plane systems, use two SFP management ports on the QFX5100 Node device with fiber modules.

    [See Understanding the QFabric System Hardware Architecture.]

  • Improved online insertion and replacement procedures (QFabric systems)—Allows for nondisruptive insertion or replacement of server Node groups, network Node groups, redundant server Node groups, Interconnect devices, and front and rear cards of the Interconnect devices.

    [See Powering Off an Existing QFabric Node Device.]

  • QFX5100 Interconnect device (QFabric systems)—Allows a QFX5100-24Q switch to operate as a QFX3000-M Interconnect device. The interconnect acts like a backplane for data-plane traffic traversing the QFX3000-M QFabric system between Node devices. The QFX5100 Interconnect device has 24 40-Gigabit QSFP+ ports, but only 16 are available as fte ports. The QFX5100 Interconnect device features two RJ-45 management ports and two SFP management ports, which allow connection to either copper-based or fiber-based control-plane networks.

    [See Understanding Interconnect Devices.]

Class of Service

  • Mitigating fate sharing on Interconnect devices by remapping forwarding classes (QFabric systems)—Enables you to remap traffic assigned to a forwarding class into different, separate forwarding classes to mitigate fate sharing as the traffic crosses the Interconnect device. Separating the traffic into multiple forwarding classes spreads the flows across multiple output queues instead of using one output queue for all of the traffic. (Each forwarding class uses a different output queue, and each output queue has its own dedicated bandwidth resources.) Fate sharing occurs when flows in the same forwarding class (flows that have the same IEEE 802.1p priority code point) use the same output queue on an interface, because the flows share the same path and resources. When one flow becomes congested, the congestion can affect the other flows that use the same output queue even if they are not experiencing congestion, because when the congested flow is paused, the other flows that use the same code point are also paused. Because flows from many Node devices cross the Interconnect device, the flows are aggregated at egress interfaces, which increases the chance of fate sharing. Forwarding class remapping mitigates fate sharing on the Interconnect device by separating the traffic into different forwarding classes that use different output queues, so pausing one congested flow does not affect uncongested flows that have been mapped to different forwarding classes and therefore to different output queues.

    [See Understanding How to Mitigate Fate Sharing on a QFabric System Interconnect Device by Remapping Traffic Flows (Forwarding Classes) and Understanding Default CoS Scheduling on QFabric System Interconnect Devices (Junos OS Release 13.1 and Later Releases).]

  • Scheduler configuration on Interconnect device fabric ports (QFabric systems)—Enables you to configure scheduling on the fabric (fte and bfte) ports of the QFabric system Interconnect devices. (This complements the Junos OS Release 13.1 feature that provides scheduler configuration on Node device fabric ports. The combination of access port, Node device fabric port, and Interconnect device fabric port scheduling gives you complete control of scheduling across a QFabric system.) In earlier Junos OS releases, Interconnect device fabric port scheduling was done by default, with no user configuration. In Junos OS Release 14.1X53-D15, the default fabric port scheduler on Interconnect devices is the same as it was in earlier releases.

    [See Understanding CoS Scheduling Across the QFabric System and Understanding Default CoS Scheduling on QFabric System Interconnect Devices (Junos OS Release 13.1 and Later Releases).]

Multicast Features

  • IGMP querier (QFabric systems)—Enables multicast traffic to be forwarded between connected switches in pure Layer 2 networks. If you enable IGMP snooping in a Layer 2 network without a multicast router, the IGMP snooping reports are not forwarded between connected switches. This means that if hosts connected to different switches in the network join the same multicast group and traffic for that group arrives on one of the switches, the traffic is not forwarded to the other switches that have hosts that should receive the traffic. If you enable IGMP querying for a VLAN, multicast traffic is forwarded between switches that participate in the VLAN if they are connected to hosts that are members of the relevant multicast group.

    [See Using a Switch as an IGMP Querier.]

  • IGMPv3 (QFabric systems)—Introduces support for Internet Group Management Protocol version 3 (IGMPv3). IGMPv3 manages the membership of hosts and routers in multicast groups. IP hosts use IGMP to report their multicast group memberships to any immediately neighboring multicast routing devices. Multicast routing devices use IGMP to learn which groups have members for each of their attached physical networks.

    [See Understanding IGMP.]

  • IGMPv3 snooping (QFabric systems)—With IGMP snooping enabled (the default setting), a switch monitors the IGMP traffic between hosts and multicast routers and uses what it learns to forward multicast traffic to only the downstream interfaces that are connected to interested receivers. This conserves bandwidth by allowing the switch to send multicast traffic to only those interfaces that are connected to devices that want to receive the traffic (instead of flooding the traffic to all the downstream VLAN interfaces).

    [See IGMP Snooping Overview.]

  • Multicast flow groups (QFabric systems)—Node devices usually forward multicast traffic on all available Interconnect devices to load-balance the replication load. As a result, redundant multicast streams can flow through one Interconnect device, making that Interconnect device a potential single point of failure for the redundant flows. Some applications require that the redundant multicast streams flow through different Interconnect devices to prevent a single Interconnect device from potentially dropping both streams of multicast traffic during a failure. You can enforce this use of dual Interconnect devices by using the QFabric flow segregation feature.

    [See Understanding QFabric Multicast Flow Groups.]

  • PIM-SSM (QFabric systems)—Protocol Independent Multicast source-specific multicast (PIM-SSM) uses a subset of PIM sparse mode and IGMP version 3 (IGMPv3) to enable a client to receive multicast traffic directly from the source. PIM-SSM uses the PIM sparse-mode functionality to create a shortest-path tree (SPT) between the client and the source, but builds the SPT without the help of a rendezvous point.

    [See PIM SSM.]

Network Management and Monitoring

  • Cloud Analytics Engine (QFX5100 switches)—Uses network data analysis to improve application performance and availability. Cloud Analytics Engine includes data collection, analysis, correlation, and visualization, helping you better understand the behavior of workloads and applications across the physical and virtual infrastructure. Cloud Analytics Engine provides an aggregated and detailed level of visibility, tying applications and the network together, and an application-centric view of network status, improving your ability to quickly roll out new applications and troubleshoot problems.

    [See Cloud Analytics Engine.]

Open vSwitch Database (OVSDB)

  • Automatic configuration of OVSDB-managed VXLANs with trunk interfaces (QFX5100 switches)—In a VMware NSX for Multi-Hypervisor environment for the data center, the QFX5100 switch can automatically configure an OVSDB-managed VXLAN and one or more interfaces associated with the VXLAN, thereby eliminating the need for you to perform these tasks by using the Junos OS CLI. The automatic configuration of the VXLAN and associated interfaces is based on the configuration of a logical switch in NSX Manager or in the NSX API. Starting in Junos OS Release 14.1X53-D15, the switch supports the automatic configuration of trunk interfaces and their association with an OVSDB-managed VXLAN. In this situation, trunk interfaces enable the support of multiple software applications running directly on a physical server that generate traffic that must be isolated by OVSDB-managed VXLANs.

    [See Understanding How to Set Up Virtual Extensible LANs in an Open vSwitch Database Environment.]

  • OVSDB support with NSX (QFX5100 Virtual Chassis, Virtual Chassis Fabric)—Starting with Junos OS Release 14.1X53-D15, the Junos OS implementation of the Open vSwitch Database (OVSDB) management protocol provides a means through which VMware NSX controllers and a QFX5100 Virtual Chassis or a Virtual Chassis Fabric that includes QFX5100 switches only can communicate. In an NSX multi-hypervisor environment, NSX version 4.0.3 and later controllers and a QFX5100 Virtual Chassis or Virtual Chassis Fabric can exchange control and statistical information via the OVSDB schema for physical devices, thereby enabling virtual machine (VM) traffic from entities in a virtual network to be forwarded to entities in a physical network and vice versa.

    You can set up a connection between the QFX5100 management interface (em0 or em1) and an NSX controller.

    [See Setting Up Open vSwitch Database Connections Between Junos OS Devices and Controllers.]

QFabric Systems

  • QFabric system software downgrade support (QFabric systems)—Starting with Junos OS 14.1X53-D15, downgrading software provides a quick recovery mechanism to a previous software version and configuration file in cases where a software upgrade or configuration changes have made the QFabric system unstable or inoperable. The recovery mechanism consists of a “restore-point,” which is a snapshot of the software on the QFabric system as well as the configuration that can be rolled back to. Downgrade support does not replace the existing backup and restore functionality.

    To enable software downgrade:

    • Create a restore-point.

      Note

      You can only create one restore-point at a time. Creating a new restore-point deletes the existing restore-point if there is one. Also, all CLI commands are blocked while creating a restore-point.

      To create a restore-point, issue the request system software restore-point command.

    • To roll back to the restore-point, issue the request system software recover-from-restore-point command.

    • To display the status of the Director group after creating a restore-point for the QFabric system, issue the show system software restore-point status command.

Security

  • Error message displayed when TCAM is full (QFX5100 switches)—Firewall filters are stored in ternary content addressable memory (TCAM). With previous versions of Junos OS, if you configure a firewall filter that cannot fit into the available TCAM space, the filter defaults to "permit any," and no error message is displayed in the CLI. With Junos OS Release 14.1X53-D15, an error message is displayed in the CLI if this occurs.

    [See Planning the Number of Firewall Filters to Create.]

  • Media Access Control Security (MACsec) support (QFX5100-24Q switches)—Starting with Junos OS Release 14.1X53-D15, MACsec is supported on all eight SFP+ interfaces on the EX4600-EM-8F expansion module when it is installed in a QFX5100-24Q switch. MACsec is an industry-standard security technology that provides secure communication for all traffic on point-to-point Ethernet links. MACsec is capable of identifying and preventing most security threats, and can be used in combination with other security protocols to provide end-to-end network security. MACsec is standardized in IEEE 802.1AE.

    [See Understanding Media Access Control Security (MACsec).]

Virtual Chassis and Virtual Chassis Fabric

  • Support for increasing the vmember limit to 512k (Virtual Chassis Fabric)—Increases the number of vmembers to 512k. For example, to calculate how many interfaces are required to support 4000 VLANs, divide the maximum number of vmembers (512,000) by the number of configured VLANs (4000). In this case, 128 interfaces are required.

    [See Understanding Bridging and VLANs.]

VLAN Infrastructure

  • Support for private VLANs (QFX5100 switches)—VLANs limit broadcasts to specified users. Private VLANs (PVLANs) take this concept a step further by splitting the broadcast domain into multiple isolated broadcast subdomains and essentially putting secondary VLANs inside a primary VLAN. PVLANs restrict traffic flows through their member switch ports (called “private ports”) so that these ports communicate only with a specified uplink trunk port or with specified ports within the same VLAN. The uplink trunk port is usually connected to a router, firewall, server, or provider network. Each PVLAN typically contains many private ports that communicate only with a single uplink, thereby preventing the ports from communicating with each other.

    Just like regular VLANs, PVLANs are isolated on Layer 2 and require that a Layer 3 device be used to route traffic among them. PVLANs are useful for restricting the flow of broadcast and unknown unicast traffic and for limiting the communication between known hosts. Service providers use PVLANs to keep their customers isolated from one another.

    [See Understanding Private VLANs.]

New Features in Release 14.1X53-D10

Authentication and Access Control

  • IPv6 for RADIUS AAA (QFX5100 switch and Virtual Chassis)—Starting with Junos OS Release 14.1X53-D10, QFX5100 switches and QFX5100 Virtual Chassis support IPv6, along with the existing IPv4 support, for user authentication, authorization, and accounting (AAA) using RADIUS servers.

    RADIUS authentication is a method of authenticating users who attempt to access the router or switch. To use RADIUS authentication on the switch, configure information about one or more RADIUS servers on the network by including one radius-server statement at the [edit system] hierarchy level for each RADIUS server.

    When you configure a source address for each configured RADIUS server, each RADIUS request sent to a RADIUS server uses the specified source address.

    • Authentication—Specify which source address Junos OS uses when accessing your network to contact an external RADIUS server for authentication. You configure the IPv6 source address for RADIUS authentication at the [edit system radius-server server-address source-address] hierarchy level.

    • Accounting—Specify which source address Junos OS uses when contacting a RADIUS server for sending accounting information. You configure the IPv6 source address for RADIUS authentication at the [edit system accounting destination radius server server-address source-address] hierarchy level.

    [See source-address.]

Bridging and Learning

  • MAC notification (QFX5100)—Starting with Junos OS Release 14.1X53-D10, MAC notification is supported on QFX5100 switches. The switches track clients on a network by storing MAC addresses in the Ethernet switching table on the switch. When switches learn or unlearn a MAC address, SNMP notifications can be sent to the network management system at regular intervals to record the addition or removal of the MAC address. This process is known as MAC notification.

    The MAC Notification MIB controls MAC notification for the network management system.

    The MAC notification interval defines how often these SNMP notifications are sent to the network management system. The MAC notification interval works by tracking all MAC address additions or removals on the switch over a period of time and then sending all tracked MAC address additions or removals to the network management server at the end of the interval.

    Enabling MAC notification allows you to monitor the addition and removal of MAC addresses from the Ethernet switching table remotely using a network management system. The advantage of setting a high MAC notification interval is that the amount of network traffic is reduced because updates are sent less frequently. The advantage of setting a low MAC notification interval is that the network management system is better synchronized with the switch.

    Two new MIBs related to MAC notification are provided in Junos OS Release 14.1X53-D10. See Documentation Updates.

    [See Configuring MAC Notification (CLI Procedure).]

  • Default VLAN and multiple VLAN range support (QFX5100)—Starting with Junos OS Release 14.1X53-D10, the default VLAN and multiple VLAN range are supported on QFX5100 switches. They provide the ability for the switch to operate as a plug-and-play device and connect to various Ethernet-enabled devices in a small, scaled enterprise network. When the switch boots, a VLAN named default is created. The default VLAN is automatically created for every routing instance of type virtual-switch and for the default routing instance named default-switch. All interfaces on the switch are automatically configured as access interfaces and are part of the default VLAN.

    The default VLAN accepts and forwards untagged packets only and is preconfigured with a VLAN ID (vlan-id) of 1. The default VLAN does not support a VLAN ID list (vlan-id-list), vlan-id set to all, or vlan-id set to none. You can configure the VLAN ID to be another value, but the value must be between 1 and 4093.

    Access interfaces that are VoIP-enabled or 802.1X-enabled are internally converted to trunk interfaces, so that the interfaces can belong to multiple VLANs. If the interfaces do not belong to a valid VLAN, the interfaces automatically become part of the default VLAN.

    You can configure more than one VLAN range, and each range can contain unique VLAN properties.

    Note

    Virtual Chassis interfaces cannot be preconfigured to belong to the default VLAN or any other VLAN.

    Note

    For interfaces to be part of the default VLAN, you must configure the interfaces to be part of the Ethernet switching family. You can configure Ethernet switching at the [edit interfaces interface-name unit family] CLI hierarchy level.

  • Ethernet ring protection switching (QFX5100)—Starting with Junos OS Release 14.1X53-D10, Ethernet ring protection switching (ERPS) is supported on QFX5100 switches. ERPS helps achieve high reliability and network stability. Links in the ring never form loops that fatally affect the network operation and services availability.

    [See Understanding Ethernet Ring Protection Switching Functionality.]

High Availability

  • Resilient hashing support for link aggregation groups and equal cost multipath routes (QFX5100)—Starting with Junos OS Release 14.1X53-D10, resilient hashing is now supported by link aggregation groups (LAGs) and equal cost multipath (ECMP) sets.

    A LAG combines Ethernet interfaces (members) to form a logical point-to-point link that increases bandwidth, provides reliability, and allows load balancing. Resilient hashing enhances LAGs by minimizing destination remapping when a new member is added to or deleted from the LAG.

    Resilient hashing works in conjunction with the default static hashing algorithm. It distributes traffic across all members of a LAG by tracking the flow’s LAG member utilization. When a flow is affected by a LAG member change, the packet forwarding engine (PFE) rebalances the flow by reprogramming the flow set table. Destination paths are remapped when a new member is added to or existing members are deleted from a LAG.

    Resilient hashing applies only to unicast traffic and supports a maximum of 1024 LAGs, with each group having a maximum of 256 members.

    An ECMP group for a route contains multiple next-hop equal cost addresses for the same destination in the routing table. (Routes of equal cost have the same preference and metric values.)

    Junos OS uses a hash algorithm to choose one of the next-hop addresses in the ECMP group to install in the forwarding table. Flows to the destination are rebalanced using resilient hashing.

    Resilient hashing enhances ECMPs by minimizing destination remapping when a new member is added to or deleted from the ECMP group.

    [See Understanding the Use of Resilient Hashing to Minimize Flow Remapping in Trunk Groups.]
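The following Python sketch is an added illustration, not Juniper code and not a description of the Packet Forwarding Engine's actual algorithm. It models the flow set table as a fixed array of 256 buckets (an assumed size) and counts how many flows change member link under static modulo hashing versus the bucket-table approach when a LAG member is removed or added; interface names and flow tuples are constructed sample values.

```python
import hashlib
from collections import Counter


def flow_hash(flow):
    """Stable 64-bit hash of a flow tuple (stand-in for the hardware hash)."""
    digest = hashlib.sha256(repr(flow).encode()).digest()
    return int.from_bytes(digest[:8], "big")


def static_pick(flow, members):
    """Static hashing: index straight into the current member list."""
    return members[flow_hash(flow) % len(members)]


class FlowSetTable:
    """Simplified model: a fixed-size bucket table, one member link per bucket."""

    def __init__(self, members, buckets=256):  # bucket count is an assumption
        self.members = list(members)
        self.table = [self.members[i % len(self.members)] for i in range(buckets)]

    def pick(self, flow):
        return self.table[flow_hash(flow) % len(self.table)]

    def remove(self, member):
        """Repoint only the buckets owned by the removed member."""
        if len(self.members) < 2:
            raise ValueError("cannot remove the last member")
        self.members.remove(member)
        orphaned = [i for i, m in enumerate(self.table) if m == member]
        for n, i in enumerate(orphaned):
            self.table[i] = self.members[n % len(self.members)]

    def add(self, member):
        """Give the new member a fair share, taken from the fullest members."""
        self.members.append(member)
        share = len(self.table) // len(self.members)
        load = Counter(self.table)
        for _ in range(share):
            donor = max(load, key=load.get)
            self.table[self.table.index(donor)] = member
            load[donor] -= 1
            load[member] += 1


def sample_flows(count=2000):
    """Constructed 5-tuples using documentation address ranges."""
    return [("192.0.2.%d" % (i % 250 + 1), "198.51.100.10", "tcp", 1024 + i, 443)
            for i in range(count)]


def moved(before, after):
    """Number of flows whose member link changed."""
    return sum(1 for flow in before if before[flow] != after[flow])


def compare_on_member_loss(flows, members, lost):
    """Count remapped flows for both schemes when one member leaves the LAG."""
    survivors = [m for m in members if m != lost]
    static_before = {f: static_pick(f, members) for f in flows}
    static_after = {f: static_pick(f, survivors) for f in flows}

    fst = FlowSetTable(members)
    res_before = {f: fst.pick(f) for f in flows}
    fst.remove(lost)
    res_after = {f: fst.pick(f) for f in flows}

    return {
        "on_lost_member": sum(1 for m in res_before.values() if m == lost),
        "moved_static": moved(static_before, static_after),
        "moved_resilient": moved(res_before, res_after),
    }


if __name__ == "__main__":
    links = ["xe-0/0/0", "xe-0/0/1", "xe-0/0/2", "xe-0/0/3"]
    print(compare_on_member_loss(sample_flows(), links, "xe-0/0/1"))
```

In this model only the flows that were on the lost link are remapped, while modulo hashing also moves flows whose links never changed state.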

Infrastructure

  • Licensing enhancements (QFX Series)—Starting with Junos OS Release 14.1X53-D10, licensing enhancements on QFX Series switches enable you to configure and delete license keys in a Junos OS CLI configuration file. The license keys are validated and installed after a successful commit of the configuration file. If a license key is invalid, the commit fails and issues an error message. You can configure individual license keys or multiple license keys by issuing Junos OS CLI commands or by loading the license key configuration contained in a file. All installed license keys are stored in the /config/license/ directory.

    To install an individual license key in the Junos OS CLI, issue the set system license keys key name command, and then issue the commit command.

    For example:

    To verify that the license key was installed, issue the show system license command.

    For example:

    To install multiple license keys in the Junos OS CLI, issue the set system license keys key name command, and then issue the commit command.

    For example:

    To verify that the license key was installed, issue the show system license command.

    To install an individual license key configuration in a file, issue the cat command:

    For example:

    Load and merge the license configuration file.

    For example:

    Issue the show | compare command to see the configuration, and then issue the commit command.

    For example:

    To verify that the license key was installed, issue the show system license command.

    For example:

    To install multiple license keys in a file, issue the cat command:

    For example:

    Load and merge the license configuration file, and then issue the commit command.

    For example:

    To verify that the license key was installed, issue the show system license command.

    You can also delete or deactivate individual and multiple license keys in the Junos OS CLI by issuing the delete system license keys or deactivate system license keys commands. Do not use the request system license delete command to delete the license keys.

    For example, to issue the delete system license keys command:

Interfaces and Chassis

  • Fast reboot option (QFX5100)—Starting with Junos OS Release 14.1X53-D10, you can reduce the reboot time on a QFX5100 by specifying the new fast-boot option with the request system reboot command (request system reboot fast-boot). The switch reboots in such a way as to minimize downtime of network ports by not bringing the network ports down immediately as in the normal reboot option. There is minimal traffic loss while the forwarding device is reprogrammed.

    [See request system reboot.]

  • Keep a link up on a multichassis link aggregation group (MC-LAG) when LACP is not configured on one of the MC-LAG peers (QFX5100 switch)—Junos OS Release 14.1X53-D10 provides connectivity from provider edge devices to customer edge devices when LACP is not configured on a customer edge device. The customer edge device must have one link connected to the provider edge device, though, and multichassis link aggregation must be configured between the provider edge devices in the MC-LAG. You can configure the force-up feature in Link Aggregation Control Protocol (LACP) on the provider edge device for which you need connectivity. Additionally, only one member interface in the aggregated Ethernet interface can be active; otherwise, the provider edge device will receive duplicate packets.

    [See Forcing MC-LAG Links or Interfaces with Limited LACP Capability to Be Up.]

Layer 3 Features

  • Loop-free alternates (QFX5100)—Starting with Junos OS Release 14.1X53-D10, QFX5100 switches support loop-free alternates (LFA) to compute backup next hops for IS-IS routes, providing IP fast-reroute capability for IS-IS routes. These routes, with precomputed backup next hops, are preinstalled in the Packet Forwarding Engine, which performs a local repair and switches to the backup next hop when the link for the primary next hop for a particular route is no longer available. With local repair, the Packet Forwarding Engine can correct a path failure before it receives recomputed paths from the Routing Engine. Local repair reduces the amount of time needed to reroute traffic to less than 50 milliseconds. You can configure loop-free alternates (LFA) for IS-IS at the [edit protocols isis] hierarchy level.

  • IS-IS support (QFX5100)—Starting with Junos OS Release 14.1X53-D10, on QFX5100 switches, the IS-IS protocol has extensions to differentiate between different sets of routing information sent between routers and switches for unicast and multicast. IS-IS routes can be added to the RPF table when special features such as traffic engineering and shortcuts are turned on. You configure the feature under the [edit protocols isis] hierarchy level.

MPLS

  • MPLS-based Layer 3 VPNs (QFX5100)—Starting with Junos OS Release 14.1X53-D10, MPLS-based Layer 3 VPNs are supported on QFX5100 switches.

    Customer networks are private and can use either public addresses or private addresses. When customer networks that use private addresses connect to the public Internet infrastructure, the private addresses might overlap with private addresses being used by other network users. MPLS BGP VPNs solve this problem by adding the route distinguisher prefix to the route.

    You can configure the switch as a CE or PE using Layer 3 MPLS/BGP VPN for interprovider and carrier-of-carriers VPNs. The key difference between interprovider and carrier-of-carriers VPNs is whether the customer sites belong to the same autonomous system (AS) or to a separate AS:

    • Interprovider VPNs—The customer sites belong to different ASs. You need to configure EBGP to exchange the customer’s external routes.

    • Carrier-of-carriers VPNs—The customer sites belong to the same AS. You need to configure IBGP to exchange the customer’s external routes.

  • Ethernet-over-MPLS (L2 circuit) (QFX5100)—Starting with Junos OS Release 14.1X53-D10, Ethernet-over-MPLS is supported on QFX5100 switches. Ethernet-over-MPLS enables you to send Layer 2 Ethernet frames transparently over an MPLS cloud. Ethernet-over-MPLS uses a tunneling mechanism for Ethernet traffic through an MPLS-enabled Layer 3 core. It encapsulates Ethernet protocol data units (PDUs) inside MPLS packets and forwards the packets, using label stacking, across the MPLS network.

    This technology has applications in service provider, enterprise, and data center environments. For disaster recovery purposes, data centers are hosted in multiple sites that are geographically distant and interconnected using a WAN network. These data centers require Layer 2 connectivity between them for the following reasons:

    • To replicate the storage over Fibre Channel over IP (FCIP). FCIP works only on the same broadcast domain.

    • To run a dynamic routing protocol between the sites.

    • To support high availability clusters that interconnect the nodes hosted in the various data centers.

  • MPLS LSP protection (QFX5100)—Starting with Junos OS Release 14.1X53-D10, the following types of MPLS LSP protection are supported on QFX5100 switches:

    • Fast reroute (FRR)

    • Link protection

    • Node link protection

    [See MPLS Overview.]

Network Management and Monitoring

  • Chef for Junos OS (QFX5100)—Starting with Junos OS Release 14.1X53-D10, Chef for Junos OS is supported on all QFX5100 switches, not just QFX5100 switches that are running Junos OS with automated enhancements for QFX5100 switches.

  • Puppet for Junos OS (QFX5100)—Starting with Junos OS Release 14.1X53-D10, Puppet for Junos OS is supported on QFX5100 switches that are not running Junos OS with automated enhancements for QFX5100 switches.

  • IEEE 802.3ah (QFX5100)—Starting with Junos OS Release 14.1X53-D10, QFX5100 switches support the IEEE 802.3ah standard for the Operation, Administration, and Maintenance (OAM) of Ethernet in networks. The standard defines OAM link fault management (LFM). You can configure IEEE 802.3ah OAM LFM on point-to-point Ethernet links that are connected either directly or through Ethernet repeaters. Ethernet OAM provides the tools that network management software and network managers can use to determine how a network of Ethernet links is functioning. You configure the feature under the [edit protocols oam ethernet] hierarchy level.

OpenFlow

  • Support for OpenFlow v1.0 and v1.3.1 (QFX5100)—Starting with Junos OS Release 14.1X53-D10, QFX5100 switches support OpenFlow v1.0 and v1.3.1. OpenFlow v1.0 enables you to control traffic in an existing network by adding, deleting, and modifying flows in the switch. You can configure one OpenFlow virtual switch and one active OpenFlow controller under the [edit protocols openflow] hierarchy on each QFX5100 switch in the network.

    In addition to the OpenFlow v1.0 functionality, OpenFlow v1.3.1 allows the action specified in one or more flow entries to direct packets to a base action called a group. The purpose of the group action is to further process these packets and assign a more specific forwarding action to them. You can view groups that were added, modified, or deleted from the group table by way of the OpenFlow controller using the show openflow groups command. You can view group statistics using the show openflow statistics groups command.

    OpenFlow v1.0 and v1.3.1 are not supported on MX Series routers or EX9200 switches in Junos OS Release 14.1X53-D10. OpenFlow v1.0 is supported in Junos OS Release 14.1 on these platforms.

    [See Understanding OpenFlow Operation and Forwarding Actions on Devices Running Junos OS.]

Open vSwitch Database (OVSDB)

  • OVSDB support with NSX (QFX5100)—Starting with Junos OS Release 14.1X53-D10, the Junos OS implementation of the Open vSwitch Database (OVSDB) management protocol provides a means through which VMware NSX controllers and QFX5100 switches that support OVSDB can communicate. In an NSX multi-hypervisor environment, NSX version 4.0.3 controllers and QFX5100 switches can exchange control and statistical information via the OVSDB schema for physical devices, thereby enabling virtual machine (VM) traffic from entities in a virtual network to be forwarded to entities in a physical network and vice versa.

    You can set up a connection between the QFX5100 management interface (em0 or em1) and an NSX controller.

    [See Setting Up Open vSwitch Database Connections Between Junos OS Devices and Controllers.]

Security

  • Port mirroring to IP address (QFX5100)—Starting with Junos OS Release 14.1X53-D10, you can send mirrored packets to an IP address over a Layer 3 network (for example, if there is no Layer 2 connectivity to the analyzer device). This feature also enables you to apply an IEEE-1588 timestamp to the mirrored packets.

Software Installation

  • Open Source Python modules supported in automation enhancement (QFX5100)—Starting with Junos OS Release 14.1X53-D10, these Open Source Python modules are pre-installed in the jinstall-qfx-5-flex-x.tgz software bundle:

    • ncclient—Facilitates client scripting and application development through the NETCONF protocol.

    • lxml—Combines the speed and XML feature completeness of the C libraries libxml2 and libxslt with the simplicity of a native Python API.

    • jinja2—Serves as a fast, secure, designer-friendly templating language.

    [See Overview of Python with QFX5100 Switch Automation Enhancements.]

Virtual Chassis and Virtual Chassis Fabric

  • Alias support for Virtual Chassis and Virtual Chassis Fabric (VCF) nodes—Starting with Junos OS Release 14.1X53-D10, an alias can be used to label nodes in a Virtual Chassis and VCF. An alias allows you to more clearly identify a member switch in your Virtual Chassis or VCF by assigning a text label to it. The text label appears alongside the switch's serial number whenever operational commands, such as show virtual-chassis, are used to monitor Virtual Chassis status.

    [See aliases.]

  • Local link bias support for Virtual Chassis with QFX Series member switches—Starting with Junos OS Release 14.1X53-D10, Virtual Chassis Local Link Bias is available on Link Aggregation Group (LAG) bundles on QFX3500 Virtual Chassis, QFX3600 Virtual Chassis, and mixed QFX3500 and QFX3600 Virtual Chassis. Virtual Chassis local link bias conserves bandwidth on Virtual Chassis ports (VCPs) by using local links to forward unicast traffic exiting a Virtual Chassis that has a LAG bundle composed of member links on different member switches in the same Virtual Chassis. A local link is a member link in the LAG bundle that is on the member switch that received the traffic. Because traffic is received and forwarded on the same member switch when local link bias is enabled, no VCP bandwidth is consumed by traffic traversing the VCPs to exit the Virtual Chassis using a different member link in the LAG bundle.

    [See Understanding Local Link Bias.]

  • Adaptive load balancing support (Virtual Chassis Fabric)—Starting with Junos OS Release 14.1X53-D10, adaptive load balancing (ALB) is supported in Virtual Chassis Fabric (VCF). ALB improves traffic management within a VCF by using dynamic load information to make traffic forwarding decisions. ALB introduces a method to better manage extremely large traffic flows—elephant flows—by splicing them into smaller flows—flowlets—and individually forwarding the flowlets across the VCF to the same destination device over different paths.

    [See Understanding Traffic Flow Through a Virtual Chassis Fabric.]

VXLAN

  • Layer 2 VXLAN gateway (QFX5100)—Starting with Junos OS Release 14.1X53-D10, QFX5100 switches can operate as a Layer 2 VXLAN gateway. VXLAN is an overlay technology that enables you to stretch Layer 2 connections over an intervening Layer 3 network by encapsulating (tunneling) Ethernet frames in a VXLAN packet that includes IP addresses. You can use VXLAN tunnels to enable migration of virtual machines between servers that exist in separate Layer 2 domains by tunneling the traffic through Layer 3 networks. This functionality enables you to dynamically allocate resources within or between data centers without being constrained by Layer 2 boundaries or being forced to create large or geographically stretched Layer 2 domains. Using VXLANs to connect Layer 2 domains over a Layer 3 network means that you do not need to use STP to converge the topology (so no links are blocked) but can use more robust routing protocols in the Layer 3 network instead.

    [See Understanding VXLANs.]

Changes in Behavior and Syntax

This section lists the changes in behavior of Junos OS features and changes in the syntax of Junos OS statements and commands from Junos OS Release 14.1X53 for QFX Series.

Authentication and Access Control

  • Increase in TACACS message length (QFX Series)—Starting with Junos OS Release 14.1X53-D40, the length of TACACS messages allowed on Junos devices has been increased from 8150 to 65535 bytes.

Ethernet Switching

  • L2 Learning protocol—On QFX5100 switches, the new parameter exclusive-mac mac is added to enhance the MAC move feature. This feature is used to track MAC addresses when they appear on a different physical interface or within a different unit of the same physical interface. When you configure the exclusive-mac mac parameter at the [edit protocols l2-learning global-mac-move] hierarchy level, the specified MAC address is excluded from the MAC move limit algorithm and is not tracked.

Interfaces and Chassis

  • ARP and MAC table synchronization during MC-LAG troubleshooting (QFX Series switches and EX4300 switches)—Starting in Junos OS Release 14.1X53-D40, the arp-l2-validate CLI statement is supported at the [edit interfaces irb] hierarchy level for QFX Series switches and EX4300 switches. This command can be used to help maintain ARP and MAC table synchronization in an MC-LAG to prevent traffic loss while troubleshooting network problems that cause inconsistencies between the two tables.

    [See Troubleshooting Multichassis Link Aggregation and arp-l2-validate.]

  • Configuring unified forwarding table profiles (EX4600 Virtual Chassis, QFX5100 Virtual Chassis, and QFX Series Virtual Chassis Fabric)—Starting in Junos OS Release 14.1X53-D40, Packet Forwarding Engines on switches in a Virtual Chassis or Virtual Chassis Fabric (VCF) do not automatically restart upon configuring and committing a unified forwarding table profile change using the set chassis forwarding-options statement. Instead, a message is displayed at the CLI prompt and logged to the switch’s system log, prompting you to reboot the Virtual Chassis or VCF for the change to take effect. This change avoids Virtual Chassis or VCF instability that might occur with these switches if the profile update propagates to member switches and otherwise causes multiple Packet Forwarding Engines to automatically restart at the same time. This behavior change does not apply to other switch types or to EX4600 and QFX5100 switches not in a Virtual Chassis or VCF; in those cases, the switch continues to restart automatically when a unified forwarding table profile change is committed.

    We recommend that you plan to make profile changes in a Virtual Chassis or VCF comprised of these switches only when you can perform a Virtual Chassis or VCF system reboot shortly after committing the configuration update, to avoid instability if one or more member switches restart unexpectedly with the new configuration (while the remaining members are still running the old configuration).

    [See Configuring the Unified Routing Table and forwarding-options (chassis).]

  • New vc-path command display for Virtual Chassis Fabric (VCF)—Starting in Junos OS Release 14.1X53-D40, the output from the show virtual-chassis vc-path command displays additional fields when showing the forwarding path from a source interface to a destination interface in a Virtual Chassis Fabric (VCF), including details of multiple possible next hops. The vc-path command display for a forwarding path in a Virtual Chassis remains unchanged.

    [See show virtual-chassis vc-path.]

  • Gigabit interface speeds (QFX5100 switches)—Starting with Junos OS Release 14.1X53-D43, QFX5100 switches correctly interpret and display the interface speed as 1000mbps (1 Gbps) for ge- interfaces on 1-Gigabit Ethernet SFP ports. In prior releases from Junos OS Release 13.2X52-D20 up until 14.1X53-D43, the system incorrectly interprets and displays the speed of these interfaces as 10 Gbps. [See show interfaces ge.]

  • Starting with Junos OS Release 14.1X53-D47, on QFX5100 switches, the configuration statement source-destination-only-loadbalancing under the [edit forwarding-options enhanced-hash-key] hierarchy is not visible in the CLI. The statement is not supported on QFX5100.

MPLS

  • On QFX5100 PE switches with Layer 2 circuit configured, enabling VLAN bridge encapsulation on a CE interface drops packets if flexible Ethernet services and VLAN CCC encapsulation are configured on the same logical interface. You can configure only one encapsulation type: either set interfaces xe-0/0/18 encapsulation flexible-ethernet-services or set interfaces xe-0/0/18 encapsulation vlan-ccc.

Network Management and Monitoring

  • Juniper MIBs loading errors fixed (QFX Series)—Starting with Junos OS Release 14.1X53-D48, duplicated entries and errors while loading MIBs on the Manage Engine MIB browser are fixed for the following MIB files:

    • jnx-chas-defines.mib

    • jnx-ifotn.mib

    [See MIB Explorer.]

Open vSwitch Database (OVSDB)

  • Automatic configuration of trunk interfaces that handle untagged packets in OVSDB-managed VXLANs (QFX5100, QFX5100 Virtual Chassis)—In previous Junos OS releases, if you specified a VLAN ID of 0 for a logical switch port in VMware NSX Manager or in the NSX API, the QFX5100 switch automatically configured an access interface to handle untagged packets in the associated Open vSwitch Database (OVSDB)–managed Virtual Extensible LAN (VXLAN). Starting with 14.1X53-D26, specifying a VLAN ID of 0 in a logical switch port configuration causes the QFX5100 switch to automatically configure a trunk port. To enable the trunk port to handle untagged packets, the QFX5100 switch also configures a native VLAN with an ID of 4094. Upon receipt of an untagged packet, the trunk interface adds a VLAN tag of 4094 to the packet and removes the tag as the packet exits the interface, thereby rendering the packet as untagged again.

    This change supports the division of an OVSDB-managed physical interface into multiple logical interfaces, some of which are associated with VXLANs that have untagged packets and some of which are associated with VXLANs that have tagged packets.

SNMP

  • Change in value for a QFabric SNMP object—The jnxFabricDeviceEntryName object now displays the alias of the device and the jnxFabricDeviceEntryDescription object contains the serial number only.

Software Upgrade

  • A controlled version of Junos OS is introduced for the QFX Series in Junos OS Release 14.1X53-D15. The controlled version of Junos OS is required to enable Media Access Control security (MACsec) on a switch. The controlled version of a Junos OS release contains all features and functionality available in the standard version of the Junos OS release while also supporting MACsec. The controlled version of Junos OS is not, by default, shipped on any QFX Series switch. You can download the controlled version of Junos OS from the Software Download Center, provided that you are located in a geography where you are allowed to download the controlled version of Junos OS. If you are unsure of which version of Junos OS is running on your switch, enter the show version command. If the “JUNOS Crypto Software Suite” description appears in the output, you are running the controlled version of Junos OS.

    The controlled version of Junos OS contains encryption and is, therefore, not available to customers in all geographies. The export and re-export of the controlled version of Junos OS is strictly controlled under United States export laws. The export, import, and use of the controlled version of Junos OS is also subject to controls imposed under the laws of other countries.

    If you have questions about acquiring the controlled version of Junos OS in your country, contact the Juniper Networks Trade Compliance group at compliance_helpdesk@juniper.net.

Virtual Chassis and Virtual Chassis Fabric

  • New VCF multicast distribution tree configuration option—Starting with Junos OS Release 14.1X53-D35, a new Virtual Chassis Fabric (VCF) configuration option, fabric-tree-root, is available on EX Series and QFX Series devices in an autoprovisioned or preprovisioned VCF. This option changes how the VCF builds the multicast distribution trees (MDTs) used for forwarding and load-balancing broadcast, unknown unicast, and multicast (BUM) traffic within the VCF. By default, a VCF builds MDTs with each VCF member as the root of a tree, creating as many MDTs as members in the VCF. Setting the fabric-tree-root option for one or more members preempts this behavior. Instead, for each member configured with this option, the VCF only builds MDTs with those members as root nodes (referred to as the fabric tree roots). The recommended usage of this option is to set all spine devices in the VCF, and only spine devices, as fabric tree roots.

    Using this option avoids traffic interruption in a VCF when a leaf device becomes unavailable and the VCF needs to redistribute traffic within the VCF over the available MDTs. Using only spine-rooted MDTs provides a redistribution path to any destination leaf member directly through a spine member, and prevents traffic from flowing redundantly over paths to and from leaf members (which happens with leaf-rooted MDTs, creating excess traffic load in large VCFs).

    [See fabric-tree-root.]

  • Adaptive load balancing (ALB) feature (Virtual Chassis Fabric)—Starting in Junos OS Release 14.1X53-D46, the adaptive load balancing (ALB) feature for Virtual Chassis Fabric (VCF) is being deprecated to avoid potential VCF instability. The fabric-load-balance configuration statement in the [edit forwarding-options enhanced-hash-key] hierarchy is no longer available to enable and configure ALB in a VCF. When upgrading a VCF to a Junos OS release where ALB is deprecated, if the configuration has ALB enabled, you should delete the fabric-load-balance configuration item before initiating the upgrade.

    [See Understanding Traffic Flow Through a Virtual Chassis Fabric and fabric-load-balance.]

  • New configuration option to disable automatic Virtual Chassis port conversion (QFX3500, QFX3600, and QFX5100 Virtual Chassis)—Starting in Junos OS Release 14.1X53-D47, you can use the no-auto-conversion statement at the [edit virtual-chassis] hierarchy level to disable automatic Virtual Chassis port (VCP) conversion in a QFX3500, QFX3600, or QFX5100 Virtual Chassis. Automatic VCP conversion is enabled by default on these switches. When automatic VCP conversion is enabled, if you connect a new member to a Virtual Chassis or add a new link between two existing members in a Virtual Chassis, the ports on both sides of the link are automatically converted into VCPs when all of the following conditions are true:

    • LLDP is enabled on the interfaces for the members on both sides of the link. The two sides exchange LLDP packets to accomplish the port conversion.

    • The Virtual Chassis must be preprovisioned with the switches on both sides of the link already configured in the members list of the Virtual Chassis using the set virtual-chassis member command.

    • The ports on both ends of the link are supported as VCPs and are not already configured as VCPs.

    Automatic VCP conversion is not needed when using default-configured VCPs on both sides of the link to interconnect two members. On both ends of the link, you can also manually configure network or uplink ports that are supported as VCPs, whether or not the automatic VCP conversion feature is enabled.

    Deleting the no-auto-conversion statement from the configuration returns the Virtual Chassis to the default behavior, which reenables automatic VCP conversion.

Known Behavior

This section lists the limitations in Junos OS Release 14.1X53 for the QFX Series.

EVPN

  • QFX5100 switches do not support ingress VLAN access control list (IVACL) flood filters. If you configure such a filter by issuing the set vlans <vlan name> forwarding-options flood input <filter name> command on a QFX5100 switch, the filter is implemented on egress traffic instead of on ingress traffic, which causes unexpected results. The unexpected results especially impact packets in which a VLAN header is added or removed in egress traffic, for example, IRB traffic and VXLAN traffic. As a workaround for these types of traffic, we recommend applying a filter policy on the ingress VLAN traffic and not using the flood keyword in the command that you issue. PR1166200

  • QFX5100-48S and QFX5100-48ST might partially drop VXLAN packets for certain packet sizes at line rate. This is a limitation of the Broadcom chipset used in this platform. PR1168794

General Routing

  • On a QFabric system, if you perform a nonstop software upgrade, sometimes a QSFP+ connection (fte- interface) on the Interconnect device will be down while the corresponding link on the redundant server node group (RSNG) side will be up. PR894524

  • On a QFX5100 switch, syslog might not be retained after you perform a unified ISSU, because the data disk is formatted when you upgrade through ISSU. PR964950

  • On QFX3500 and QFX5100 switches, the amount of time that it takes for Zero Touch Provisioning to complete might be lengthy because TFTP might take a long time to fetch required data. PR980530

  • On a QFX5100 Node device in a QFabric system, MAC-move limiting does not work properly. Do not use the set mac-move-limit statement at the [edit ethernet-switching-options secure-access-port] hierarchy level. PR980610

  • Cloud Analytics Compute Agent Web API does not provide the option to configure the VXLAN destination port. PR1036372

  • After the connection between a QFX5100 switch and an NSX controller is terminated, the OVSDB schema for physical devices on the switch retains information about remote virtual tunnel endpoints (VTEPs) and remote MAC addresses even though the remote VTEPs and entities associated with the remote MAC addresses are no longer reachable. PR1048661

  • Packets are not mirrored when the mirror IP address is configured on a remote device. PR1052028

  • On OCX1100-48SX switches, the USB drive is not detected by Junos OS. PR1053417

  • On OCX1100-48SX switches, the recovery partition option does not work. If you use the workaround (which is to use the ONIE reinstall mechanism), the switch loses configuration data. PR1053597

  • On OCX1100-48SX switches, Linux kernel core files are not created. Junos OS kernel core files are created. PR1057408

  • On QFX5100 switches, when you downgrade from Junos OS Release 14.1X53-D15 or later to Junos OS Release 14.1X53-D10 or earlier, the 40-Gbps Ethernet interfaces on QSFP+ transceivers might not come up. As a workaround, power cycle the switch after you perform the software upgrade. PR1061213

  • On QFX5100 switches that are configured with the include-option-82 nak option so that Dynamic Host Configuration Protocol (DHCP) servers include option 82 information in NAK messages, two copies of option-82 might be appended to DHCP ACK packets. PR1064969

  • On QFX5100 and QFX5200 switches, when Virtual Extensible LANs (VXLANs) with the VLAN IDs of 1 and 2 are configured on a device, the replicated packets for these VXLANs should include the VLAN tags of 1 or 2. Instead, the replicated packets for these VXLANs are untagged, which might result in the packets being dropped by a device that receives the packets. To avoid this issue, use a VLAN ID of 3 or higher when configuring a VXLAN on a device. PR1072090

  • In a VXLAN-OVSDB topology, if a VMware NSX or Contrail controller pushes a large logical switch (LS) configuration (approximately 400-500) to a Juniper Networks device, the existing Bidirectional Forwarding Detection (BFD) sessions with aggressive timers (less than 1 second) might flap. As a workaround, configure the BFD timer to be at least 1 second. PR1084780

  • A console or SSH session with a QFX10002 switch might hang if the switch is concurrently handling large-scale OVSDB transactions including but not limited to the dynamic creation of a large number of VXLANs or logical interfaces. PR1087323

  • On QFX5100 Series switches with VXLAN configured, if a bare-metal server (BMS) and a service node are connected on the same Layer 3 subnet, a TOR service node (TSN) failover might result in traffic loss. The problem does not occur if there is a Layer 3 router hop from the encapsulating hardware VTEP, and it does not occur in a standard Layer 3 underlay with a leaf-spine-leaf topology. PR1090192

  • VLANs cannot be mixed, that is, some with a VXLAN associated and some without; otherwise, vlan members all will not work. For example, the following configuration will not be allowed to commit:

        set vlans v100 vlan-id 100
        set vlans v100 vxlan vni 100100
        set vlans v200 vlan-id 200
        set interfaces xe-0/0/1 unit 0 family ethernet-switching interface-mode trunk
        set interfaces xe-0/0/1 unit 0 family ethernet-switching vlan members all

    PR1100560

  • On a QFX5100 switch, when you perform unified ISSU, interfaces configured with Link Aggregation Control Protocol (LACP) with speed set to fast will come up and go down, causing all protocols on the interface to come up and go down. As a workaround, before you perform an ISSU, configure the LACP speed setting to slow on the switch and its peers. PR1124969

  • On QFX5100 switches, traffic is displayed for only the first member of an aggregated Ethernet interface. This is because of a Packet Forwarding Engine limitation: for logical interface statistics, the traffic of individual aggregated Ethernet members cannot be distinguished, so all the aggregated Ethernet members have the same statistics. For example, if an aggregated Ethernet interface has 2 members (xe-0/0/5 and xe-0/0/6) and 100 packets are sent to the ae.50 interface, both aggregated Ethernet members (xe-0/0/5.50 and xe-0/0/6.50) will have 100 packets. The traffic is therefore displayed on the first member. PR1149955

  • On the QFX5100 switch, high ICMP delays are experienced when pinging directly-connected integrated routing and bridging (IRB) interfaces. This is due to a hardware limitation. Transit traffic is not affected. PR1164135

  • A product limitation, attributed to scaling issues, applies when a large configuration needs to be applied. In such cases, SSH might work right away or, in the worst case, might not work until the rebooted master comes up. PR1169978

  • When a VLAN is configured on an interface directly as well as through apply-groups, the system might fail to commit. This type of configuration is not supported. The failure is reported as: commit fail - Check-out failed for Layer 2 address flooding and learning process. PR1186657

  • On QFX Series switches, if VSTP is not configured on a switch, VSTP or PVST+ BPDUs are flooded on the VLAN. This behavior supports the scenario in which two adjacent switches are configured with VSTP and the intermediate switch is not, so that the intermediate switch can act as a transparent bridge for VSTP or PVST+. This behavior can be disabled by the knob provided in the workaround field. PR1199367

  • On a QFabric system, system log messages might be flooded during the mapping of interfaces to VLANs. You can ignore these system log messages. PR1200853

  • MPLS ECMP with penultimate hop popping (PHP) does not work with single labels. PR1212113

  • A mismatch or change in the Redundancy Group ID among peers does not impact the MC-LAG behavior. PR1236510

  • For the QFX5100 platform, there is a register setting that parses the inner packet payload for transit VXLAN packets. If the inner packet header has a TTL of 0 or 1, the packet will be sent to the RE for further processing. If a firewall filter is set on the loopback interface of the QFX5100 leaf, the firewall filter must explicitly allow this traffic. PR1239458

  • On QFX5100-48T with short-reach mode enabled on copper ports, these copper ports will flap when you commit any configuration related to routing instances. PR1248611

  • The OVSDB controller session goes down after the TOR agent is deleted and re-added. The root cause is understood, and the behavior is expected by design. Because of a software limitation between Contrail and the Juniper TOR, the CA certificate of the TOR agent cannot be updated once it is pushed from Contrail to the Juniper TOR. The workaround is to manually delete /var/db/certs/ca-cert.pem from the TOR after deleting and re-adding the TOR agent; the OVSDB controller session is then established automatically. It is very rare for a customer to delete and re-add a TOR agent. Because this does not happen in a customer's daily operation, this issue is considered minor, and no fix will be made. Development suggests closing this PR as a not-fixed limitation with a release note.

    Detailed explanation: The ca-cert.pem file carries the public key of the TOR agent as well as other certificate information. It is pushed from the Contrail TOR agent and stored on the TOR upon the first OVSDB session connection for the TOR agent. It is used for SSL authentication between the TOR agent and the TOR. From the TOR's point of view, the ca-cert.pem file (and the public key it carries) should be unchanged until the controller entity is removed from the OVSDB database. Updating the file incorrectly can lead to security issues (man-in-the-middle attacks). The TOR and the TOR agent use public and private keys to encrypt and decrypt data, and these keys have to match. A certificate mismatch means that the public key (of the TOR agent, held by the TOR) does not match the private key (of the TOR agent, kept by the TOR agent). The mismatch happens because when a TOR agent is deleted, all provisioning related to the TOR agent is deleted, including the certificate files. When the TOR agent is re-added, it is provisioned afresh and therefore gets a new certificate file. However, the Contrail provisioning does not update anything on the TOR, so the controller configuration on the TOR remains unchanged, resulting in the mismatch. PR1300991

  • On a scaled QFabric system, during a group RSNG upgrade, if the traffic ingress RSNG and the traffic egress RSNG are upgraded in the same group, there might be an intra-VLAN traffic drop for up to 3 minutes. PR1358491

  • RR-INE VM load balancing does not occur on the DGs. PR1506229
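
A pre-commit check for two of the VXLAN limitations listed above (PR1072090 and PR1100560), added here as an example; it is not part of the Juniper release notes or of Junos OS. It assumes the candidate configuration is available as display set text, and the function names and sample configuration are constructed for illustration.

```python
"""Lint a Junos 'display set' configuration for two known VXLAN limitations."""
import re
from collections import defaultdict

# Constructed sample: the configuration quoted under PR1100560, plus one
# VXLAN mapped to VLAN ID 2 to trigger the PR1072090 check.
SAMPLE_CONFIG = """\
set vlans v100 vlan-id 100
set vlans v100 vxlan vni 100100
set vlans v200 vlan-id 200
set vlans v2 vlan-id 2
set vlans v2 vxlan vni 100002
set interfaces xe-0/0/1 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/0/1 unit 0 family ethernet-switching vlan members all
"""

VLAN_ATTR_RE = re.compile(r"^set vlans (\S+) (vlan-id|vxlan vni) (\d+)$")
MEMBERS_RE = re.compile(
    r"^set interfaces (\S+) unit (\d+) family ethernet-switching vlan members (\S+)$"
)


def parse(config_text):
    """Return ({vlan_name: {"vlan-id": int, "vni": int}}, [(logical_if, member)])."""
    vlans = defaultdict(dict)
    members = []
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # normalise whitespace
        match = VLAN_ATTR_RE.match(line)
        if match:
            key = "vni" if match.group(2) == "vxlan vni" else "vlan-id"
            vlans[match.group(1)][key] = int(match.group(3))
            continue
        match = MEMBERS_RE.match(line)
        if match:
            logical_if = f"{match.group(1)}.{match.group(2)}"
            members.append((logical_if, match.group(3)))
    return dict(vlans), members


def lint(config_text):
    """Return a list of (pr, subject, message) findings, empty if clean."""
    vlans, members = parse(config_text)
    with_vni = sorted(name for name, attrs in vlans.items() if "vni" in attrs)
    without_vni = sorted(name for name, attrs in vlans.items() if "vni" not in attrs)
    findings = []

    # PR1072090: replicated packets for VXLANs on VLAN ID 1 or 2 go out untagged.
    for name in with_vni:
        vlan_id = vlans[name].get("vlan-id")
        if vlan_id in (1, 2):
            findings.append((
                "PR1072090", name,
                f"VXLAN mapped to VLAN ID {vlan_id}; use a VLAN ID of 3 or higher",
            ))

    # PR1100560: 'vlan members all' fails to commit when only some VLANs
    # have a VXLAN associated.
    if with_vni and without_vni:
        for logical_if, member in members:
            if member == "all":
                findings.append((
                    "PR1100560", logical_if,
                    "vlan members all with mixed VLANs: VXLAN on "
                    f"{', '.join(with_vni)}; none on {', '.join(without_vni)}",
                ))
    return findings


if __name__ == "__main__":
    for pr, subject, message in lint(SAMPLE_CONFIG):
        print(f"{pr} {subject}: {message}")
```

Lines that are inherited through apply-groups or are deactivated are not evaluated by this check.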

Interfaces and Chassis

  • On a QFabric system, multicast IPv6 ping might not work. Because of this, a ping to the well-known multicast IPv6 address (ff02::1, see RFC 4291) does not work. PR974396

  • On a QFabric system, if the system sends and receives multicast traffic, you issue the request fabric administration power-off node-device command for the master Node device, and then replace the Node device, some multicast traffic might be dropped when the interfaces renegotiate their LACP settings. PR1035254

  • If ICCP and ICL links are disabled and subsequently enabled in an MC-LAG, there could be a traffic loss of around 6 seconds. PR1122509

  • On a QFabric system, during an NSSU upgrade (for example: from Junos OS Release 13.2X52 to 14.1X53-D40), traffic loss might be seen while upgrading a redundant server node group. PR1207804

  • During a QFabric NSSU from Junos OS Release 12.2X50 to Release 14.1X53, multicast traffic might be impacted (loss or duplication) for up to 60 seconds while upgrading ICs. The variation in loss duration depends on the number of front/back cards on the IC, number of distribution trees passing through those ICs, and so on, because all forwarding paths need to be set up afresh after an upgrade. PR1225870

  • On QFabric systems, during the reboot of the CPE Primary device, control packets might be lost for a few seconds. Control packets are provisioned for retransmission, so protocols might not be impacted as long as the protocol dead-interval or hold-interval is more than 10 seconds during the CPE Primary reboot. Data traffic is not impacted by the CPE Primary reboot. PR1252908

  • On a scaled QFabric system, during an NSSU fabric upgrade from Junos OS Release 12.2 to Junos OS Release 14.1, when the first IC reboots, partial multicast or flood traffic loss might be seen for up to 2 minutes. PR1350624

  • On a scaled QFabric system, during an NSSU fabric upgrade, when the second IC reboots or upgrades, 40 seconds of partial multicast loss might be seen. PR1353230

  • On a scaled QFabric system, when an IC is rebooted with MBB enabled, there might be 100 seconds of partial flood traffic loss when the rebooted IC comes up. PR1353589

Layer 2 Features

  • The following control packets share the same policer (burst and bandwidth) in hardware, so changing one in the DDoS protection CLI also changes the DDoS parameter for other protocols:

    • STP, PVSTP, and LLDP share DDoS parameters

    • l3mtu-fail, TTL, and ip-opt share DDoS parameters

    • RSVP, LDP, and BGP share DDoS parameters

    • unknown-l2mc, RIP, and OSPF share DDoS parameters PR1211911

  • L2TP is not supported on QFX5100 switches. PR1212269

  • In a Q-in-Q tunneling configuration on a QFX5100 switch that is running under Junos OS Release 14.1X53-D40, if you configure a VLAN ID on the egress UNI interface that is the same as the S-VLAN ID, and if the vlan-id-list statement is not configured on the logical interface on that UNI interface, Q-in-Q packets might be forwarded out with dual tags after they exit from the UNI interface. As a workaround, always include vlan-id-list in the Q-in-Q configuration. PR1216724

MPLS

  • On the QFX5100 switches in a Layer 3 VPN setup, when traceroute is run on an ingress PE device to a laptop, only Phop, and laptop are displayed. Topology: PE1------P-----PE2------Laptop. The following output shows that the egress PE2 device is missing:

    {master:0}
    user@host> traceroute routing-instance VPN1 200.200.200.25
    traceroute to 200.200.200.25 (200.200.200.25), 30 hops max, 40 byte packets
     1 10.1.50.2 (10.1.50.2) 10.973 ms 22.267 ms 21.850 ms
       MPLS Label=299920 CoS=0 TTL=1 S=0
       MPLS Label=16 CoS=0 TTL=1 S=1
     2 200.200.200.25 (200.200.200.25) 10.820 ms 10.686 ms 10.697 ms

    This is a hardware limitation. PR1188551

Platform and Infrastructure

  • On QFX5100 Series switches, the Link Aggregation Control Protocol (LACP) in fast mode can go down and then come back up. This causes a timeout and a service outage during a unified ISSU or an NSSU. In addition, after the master Routing Engine is rebooted, switches can experience intermittent traffic loss on non-LAG interfaces, and redundant trunk group (RTG) convergence time can be too long. PR1116923

  • On QFX5100 Virtual Chassis, generic routing encapsulation (GRE) counters might not increment with a firewall filter and PIM configured. PR1124170

QFabric Systems

  • On a QFabric system, if an interface that has not been configured is added to a VLAN, an unrelated error message might be displayed. PR816600

  • Rebooting a master without following the steps below causes traffic to drop; this is expected behavior. During a planned reboot, follow these steps. Step 1: Do a mastership switchover. Step 2: Make sure the switchover is complete and then do the reboot (on the new backup). PR1163441

Routing Protocols

  • On QFX Series switches, the output of the show route multicast extensive command does not display correct statistics because the Packet Forwarding Engine hardware does not support multicast stream-specific statistics. PR607228

  • On a QFX5100 Series switch, if one firewall filter is configured with source-port-range-optimize or destination-port-range-optimize and multiple noncontiguous source-port or destination-port match conditions, it fails. PR1163523

  • If the L3_DEFIP table in the Packet Forwarding Engine is full, no more active routes from the Routing Engine are installed. If those active routes are deleted from the Packet Forwarding Engine, the rest of the routes are then programmed from the Routing Engine to the Packet Forwarding Engine. PR1231774

Known Issues

The following issues are outstanding in Junos OS Release 14.1X53 for the QFX Series. The identifier following the description is the tracking number in our bug database.

For the latest, most complete information about outstanding and resolved issues with the Junos OS software, see the Juniper Networks online software defect search application at https://www.juniper.net/prsearch.

Class of Service (CoS)

  • On QFX5100 switches, with the CoS traffic-control-profiles configuration (without the guaranteed-rate), the CoS configuration is not actually pushed to the Packet Forwarding Engine. CoS configuration is validated in 2 stages: commit-check and commit-sync. In this case, commit-check passes but commit-sync fails, so a syslog error is logged and the configuration is not pushed down. However, once commit-check passes, CoS removes the default scheduler associated with the physical interface, which should ideally happen only after commit synchronization. Without the default scheduler attached to the physical interface, control packets are not prioritized, and you see link flaps and mastership changes. The following link can be used as a reference; the configuration has to be tested before it is implemented in production. https://www.juniper.net/techpubs/en_US/junos15.1/topics/example/cos-hierarchical-port-scheduling-ets-configuring.html PR1183139

EVPN

  • VXLAN ping and traceroute overlay do not follow the same path as the data packets over the VXLAN tunnel when the first-hop TOR has ECMP uplinks. PR1106169

  • On QFX5100 switches, EVPN routes from compute nodes can be withdrawn when no change has taken place on either the compute node or the QFX5100 switch. PR1106510

  • During a unified ISSU, system logs might indicate that the pipe between l2ald and vgd is blocked when the pipe buffer is full. It is blocked until sufficient data has been read from the pipe to allow the write to complete. When the pipe is unblocked, it is notified and the queued data is flushed. This is normal when the communication traffic is heavy. PR1136533

  • When VXLAN is configured on QFX5100 switches, a VXLAN table is created to resolve routes to remote virtual tunnel endpoints (VTEPs). If the underlay is OSPF, IS-IS, or EBGP, the routes can distribute the traffic over multiple paths if load balancing is configured. However, if the underlay is IBGP, the route selects one of the available paths rather than using all the available paths. PR1154961

  • QFX5100 switches do not support ingress VLAN access control list (IVACL) flood filters. If you configure such a filter by issuing the set vlans <vlan-name> forwarding-options flood input <filter-name> command and specify policer as the action on a QFX5100 switch, the filter is implemented on egress traffic instead of on ingress traffic, which causes unexpected results especially for integrated routing and bridging (IRB) traffic or VXLAN traffic. For example, in the case of Layer 2 traffic intended for VLAN 101 and temporarily encapsulated with a VLAN header (VLAN 100), such a filter applied to VLAN 100 might result in the ingress interfaces in VLAN 101 being flooded by traffic intended for VLAN 100. Further, in the case of routing traffic between VLANs, traffic intended for VLAN 101 might be routed to the IRB interface associated with VLAN 100, or in the case of VXLAN traffic, to a virtual tunnel endpoint (VTEP) on which VLAN 100 is configured. PR1168777

  • Using the clear ethernet switching command on an OVSDB-enabled switch might cause a delay in relearning MAC addresses, and depending on the scale of VNs, this delay can increase. To recover the switch once the logical interfaces are down because of a MAC move limit shutdown, use the clear ethernet-switching recovery-timeout command. PR1275025

General Routing

  • On a QFabric system, MAC learning on node devices is distributed and communicated using BGP. The BGP update interval limits the rate at which a node device can see MAC addresses learned on other node devices. This limit is 30 MAC moves during a 5 second MAC move detection interval. If the configured MAC move limit is higher than 30, the higher move count is not detected. PR729499

  • On a QFabric system, when alias names are configured, the CLI presents apply-groups and apply-groups-except as completion options, but they are not valid completion options. For example, if you type the set fabric aliases interconnect-device interconnect-device-name statement followed by the "?" symbol, the CLI shows apply-groups and apply-groups-except as completion options, but they are not valid completion options. PR739962

  • On a QFabric system, the | filter node-group <node-group-name> option might not work for some operational commands. PR768821

  • On a QFabric system, when you change the time zone, the time zone change is propagated to many QFabric system components. Because of this, there might be a delay in propagating the time zone to all of the components. When you execute the first operation after a time zone change, the time stamp might display the old time zone instead of the new time zone. After the first incorrect display of the time zone, all subsequent commands will display the time stamp correctly. PR805827

  • On a QFabric system, if you perform a large-scale, multidimensional nonstop software upgrade (NSSU), there might be some minor packet loss during the Network Node Group (NNG) portion of the upgrade. PR823980

  • On a QFX5100 switch, running tcpdump on the console might cause system instability or cause protocols such as STP or LACP to fail. PR932592

  • On Juniper switches, when a QFX5100 switch connects to any other Juniper switch through a 40G DAC connection, the link might not come up. This is because the QFX5100 has auto-negotiation enabled on the 40G DAC interface by default, whereas other Juniper switches have auto-negotiation disabled by default. As a workaround, disable auto-negotiation on the QFX5100 to recover the connection. When the 40G interface works as a Virtual Chassis port (VCP) on both sides in a Virtual Chassis or Virtual Chassis Fabric (VCF) scenario, this issue does not occur, and disabling auto-negotiation is not required. PR935197

  • On the QFX5100 switch, a MAC address that is specified as part of a MAC-based VLAN is authenticated on an interface, for example, xe-1/1/1, on which 802.1X authentication in multiple supplicant mode is configured. However, the same MAC address might not be authenticated on another interface, for example, xe-2/1/1, if the MAC address moves to interface xe-2/1/1 from interface xe-1/1/1. PR1007589

  • On a QFX5100 switch with VXLAN configured, adding or deleting an interface to/from the VLAN to which the VXLAN is associated, the switch might drop traffic for devices connected to other interfaces in the same VLAN. PR1019378

  • The QFX5100 1G SFP link does not come up with some devices. PR1021260

  • In a QFX5100 Virtual Chassis Fabric (VCF) setup, a kernel synchronization process crashes and generates a core file after NSSU. PR1023140

  • LFM adjacencies on the VCF drop when backup and line card members are rebooted during NSSU, resulting in a state of "Active Send Local" until NSSU is completed. PR1023831

  • On a mixed Virtual Chassis or Virtual Chassis Fabric (VCF) that contains at least one QFX3500 or QFX3600 member switch, MACsec configuration cannot be committed. PR1024921

  • Traffic convergence delay time for link protection, node-link protection, and fast reroute is more than 50ms for the QFX5100-48T switch. PR1026957

  • If you configure a QFX5100 switch to be a VXLAN virtual tunnel endpoint and also configure it to be a PIM RP, the multicast tree does not successfully converge and multicast traffic is dropped. PR1027159

  • When a transceiver on a QFX5100, QFX3500, and QFX3600 switch is removed and reinserted into an interface within 30 seconds after issuing the set virtual-chassis vc-port set command to convert the interface into a Virtual Chassis port (VCP), the VCP is not created. PR1029829

  • On QFX5100 Series switches, when the device is connected to an EX4550 Series switch through a 40G interface and the EX4550 switch is rebooted, the 40G interface on the QFX5100 switch might come up as channelized 10G ports. As a workaround, configure set chassis fpc <fpc-slot> pic <pic-slot> port <port-num> channel-speed disable-auto-speed-detection on the QFX5100 switch. PR1049314

  • On OCX1100 switches with model numbers ending in “-AFO”, the output of show chassis environment shows the direction of temperature sensors incorrectly as AFI. “AFO” indicates that airflow is front-to-back; that is, air intake to cool the chassis is through the vents on the front panel of the chassis, and hot air exhausts through the vents on the rear panel of the chassis. PR1061821

  • a) DHCP relay in forwarding mode does not maintain any binding for the DHCP client. In this case, if the DHCP server sends the INFORM-ACK directly to the relay agent address, the relay looks for a matching binding entry. In the absence of a binding entry, this ACK is dropped. b) The DHCP server looks for an existing binding entry for the DHCP client and, if one is present, fetches the relay agent address from the entry and uses it to send the unicast INFORM-ACK. PR1066679

  • On QFX5100 Series switches with default factory settings, if you add an interface to the OVSDB configuration and port bindings are pushed from NSX, the transaction fails and moves to the failed queue. PR1082218

  • On QFX Series Switches, nonstop software upgrade (NSSU) cannot be used to upgrade from a Junos OS Release 14.1X53 image to a Junos OS Release 15.1 or later image. PR1087893

  • In a mixed mode Virtual Chassis with QFX3500 switches, if multicast packets are sent to the Routing Engine at a high rate, the Virtual Chassis might become unresponsive. PR1117133

  • On QFX5100 Series switches, auto-negotiation must be disabled on both ends of a 40 Gigabit Ethernet interface in order for the interface to remain up. For example, on each switch, issue the set interface et-x/y/z ether-options no-auto-negotiation command. PR1118318

  • In a large-scale VXLAN and OVSDB setup (for example, 100K MAC/1K VNI), a Routing Engine switchover causes the Secure Sockets Layer (SSL) connection to the controller to break for around 4 minutes, and no new MAC entries are learned during this time. Existing and programmed MAC entries remain, and the switch continues to forward traffic for those MACs. PR1136123

  • On QFX Series switches, if VSTP is not configured on a switch, VSTP or PVST+ BPDUs might flood on the VLAN. This behavior supports the scenario in which two adjacent switches are configured with VSTP and the intermediate switch is not, so that the intermediate switch can act as a transparent bridge for VSTP or PVST+. PR1199367

  • In a large-scale QFX Virtual Chassis Fabric (VCF), timeout errors might be seen when you run the request system reboot all-members at now command to immediately reboot all members of the VCF. PR1215130

  • On QFX Series switches, LLDP does not work on management and internal Ethernet (em) interfaces. PR1224832

  • On a QFX5100 switch, you cannot perform an in-service software upgrade from Junos OS Release 14.1X53-D30 to Junos OS Release 14.1X53-D40. As a workaround, during a maintenance window, download the new software version, perform a regular software upgrade, and reboot the switch. PR1229272

  • ICCP session is maintained by multihop BFD (non-distributed mode). The time interval for BFD keepalive messages is similar to GRES configuration (for example, keepAlive = 8 seconds). PR1230576

  • The smid process might crash on QFX3500 switches. This has been fixed through internal PRs, and the fix is included in Junos OS Release 15.1R5 and later. PR1245772

  • The management daemon (MGD) might crash after a specific RPC is invoked; the SSH or console session must then be reconnected. PR1271024

  • In a Junos OS environment, a J-Web denial of service is observed because of multiple vulnerabilities in the Embedthis Appweb Server. PR1345330

  • Upon the receipt of certain types of malformed PCEP packets, the pccd process might crash. PR1395205

  • On the EX4200 switches, the default storm control configuration of the CPE switch needs to be modified for QFabric systems with 100 or more nodes. PR1395276

  • After the IGMP leaves, OIFS continue to exist in *,G even though IGMP-snooping has no membership. PR1415619

  • Unable to get multicast traffic even though every ipmc entry is correct. PR1437536

  • SSH login might fail if a user account exists in both the local database and RADIUS/TACACS+. PR1454177

  • The SNMP_TRAP_jnxFabricFruRemoval and jnxFabricFruInsertion traps report the following message during DG NSSU: jnxFabricClass.1.0.0 Wrong Type (should be OBJECT IDENTIFIER). PR1505708

  • Rebooting the whole NNG a couple of times and then terminating the rpdf process on the NNG generates an rpdf core file on the RSNG node-group. PR1495676

  • Multiple ksyncd process generates core file on NNG at ksyncd_msg_handler_common when receivers are moved from one aggregated Ethernet interface to another. PR1501666

  • The rpdf process generates core file on NW-NG at mc_inet_sgv_iter_match during longevity tests. PR1502710

  • The vrrpd process generates core file on RSNG at vrrp_fsm_bringup on removing the member node from the RSNG group. PR1504132

  • Master DG in all 6 interfaces in the bond 1 are active at the same time. PR1506160

  • The vrrpd process generates core file at vrrpd_process_ppmd_packet on reloading RSNG. PR1506496

  • The rpdf process generates core file on RSNG at mc_edge_gme_vdm_node_process_l3ifl_change when the vrf process is deleted followed by rollback. PR1524334

  • The SFP-T stops receiving any incoming packets. PR1385830

  • The following error message is observed: Failed (Invalid parameter:-4) to add Grp IP:0xefc000f0, Src IP:0xa10f4769 with IPMCidx:0x0 VID:106. PR1391630

  • NNG does not include IPMC entries for specific group and source. PR1471956

  • All traffic gets dropped or blocked after the rpdf process restarts on the RSNG1. PR1473770

  • When rpd restarts in the NW-NG-0, the (*,G) entries might be missed. PR1495990

  • Multicast entries are flushed out and re-learnt in the RSNG Packet Forwarding Engine after the Virtual Chassis switchover. PR1521067

  • The rpdf process generates core file at sockbridge_extract_mc when restarting the whole NNG (both Routing Engines and all line cards). PR1502711

  • CCIF service deletes all 7 virtual nodes in the event of nonresponsive state caused by the DCF service instability. PR1526937

  • CCIF is in the nonresponsive state frequently, unable to perform critical functions of different flavours. PR1526953

  • Inconsistency in displayed director environment information. PR1527574

Interfaces and Chassis

  • On a QFabric system, momentary loss of Layer 2 multicast traffic might occur when you reboot the backup network Node group Routing Engine. PR691729

  • On a QFabric system, momentary loss of Layer 2 multicast traffic might occur when you reboot the fabric manager Routing Engine. PR692006

  • Multicast traffic drops are observed with the following error message: brcm_rt_ip_mc_ipmc_install. PR1461339

  • On a QFabric system, the fabric-limit option of the MAC move limit feature is not included in the CLI help documentation. For information about the fabric-limit option, see the documentation at this URL: http://www.juniper.net/techpubs/en_US/junos12.3/topics/reference/configuration-statement/mac-move-limit-port-security-qfx-series.html PR733496

  • On a QFX3000 QFabric system on which RSTP and MSTP are configured, if you change the port cost of an interface on a non-root bridge and the change turns a forwarding port into a blocked port (or vice versa), a temporary loop might be created. The loop is cleared in less than a second. PR776762

  • On a QFabric system, some analyzer sessions might not work after a system upgrade from Junos OS Release 12.2X50-D10 to Junos OS Release 12.2X50-D20. PR815390

  • BPDU guard gets cleared for some time during a Network Node group switchover. PR856614

  • On a QFabric system, the periodic packet management process (ppmd) might go down while the network Node group master virtual machine is restarting. PR862770

  • On a QFabric system, after a Network Node Group (NNG) switchover, sometimes the routing protocol process (rpd) might stop operating on the network Node group (NW-NG) master. PR878148

  • The priority of a VRRP group can be tied to the operational state of an interface, using the "track interface" keywords. If the interface goes down, the priority of the VRRP group is reduced by a specified amount, possibly triggering a VRRP mastership change. The priority of a VRRP group, tracking an aggregated Ethernet interface on an RSNG/SNG, is not being reduced (as expected) when the aggregated Ethernet interface is operationally down. PR882628

  • On a QFabric system, after a reboot of the Network Node group, a MAC address might be missing from the Fabric Routing Protocol process (rpdf) and the kernel, but it is available in the Ethernet Switching process (eswd). PR884070

  • On QFX5100 switches, if you configure MC-LAG, RB mac sync, and LACP force up, the number of packets received (rx) might be twice the amount sent (tx) from the customer edge to the core. PR1015655

  • On a QFabric system, when a host is learned on a non-default routing instance, the host route is installed on the remote node in the same non-default routing instance table as well as in the default routing instance table. PR1300354

Layer 2 Features

  • QFX5100 switches do not support multiple service nodes for the handling of Layer 2 broadcast, unknown unicast, and multicast (BUM) traffic within an OVSDB-managed VXLAN. PR985872

  • On QFX5100 Virtual Chassis or Virtual Chassis Fabric switches, when an xSTP bridge protocol data unit is distributed to the FPC (one member switch), there might be traffic loss if the FPC is rebooted. PR990247

  • When a Virtual Chassis port (VCP) is added between two QFX5100 member switches that are already interconnected using a VCP, a VCP link aggregation group (LAG) is formed and some multicast packets between the two member switches might be duplicated. PR1007204

  • On a mixed-mode Virtual Chassis Fabric (VCF), if you perform a nonstop software upgrade and a MAC address is present on the ingress or egress Packet Forwarding Engine, in some cases known Layer 2 unicast traffic might still be flooded over the VLAN. PR1013416

  • On QFX5100 switches, the Layer 3 routes that form VXLAN tunnels use per-packet load balancing by default, which means that load balancing is implemented if there are ECMP paths to the remote tunnel endpoint. This is different from normal routing behavior in which per-packet load balancing is not used by default. (Normal routing uses per-prefix load balancing by default.) PR1018814

  • On a mixed-mode Virtual Chassis Fabric (VCF) with interface-mac-limit configured, if you remove the complete mac-limit configuration, the mac-limit behavior might remain. As a workaround, reboot the device. PR1044460

  • In a QFX5100 Virtual Chassis or Virtual Chassis Fabric, an NSSU to Junos OS Release 14.1X53-D35 might cause a traffic loss for a few seconds for BUM traffic. PR1128208

  • If a QFX5100 switch has multiple ae interfaces with child members (1 Gigabit or 10 Gigabit, respectively) and some ae interfaces are configured for MSTP while others are not, the child members of the ae interfaces that are not part of MSTP do not forward transit or CPU-originated traffic. For example, if ae1 is part of MSTP but ae2 is not, the ae2 child members do not forward this traffic. PR1163227

  • Packets might be dropped when using egress UNI VLAN-ID without vlan-id-list configuration. Packets are dropped when egress UNI VLAN-ID is not matched with customer inner tag-id. PR1216732

  • https://www.juniper.net/documentation/en_US/junos/information-products/topic-collections/ex-qfx-series/release-notes/ex-qfx-series-junos-release-notes-14.1X53-D47.pdf PR1387610

MPLS

  • In the event of link failure when multiple LSPs are using a link-protected and fast-rerouted link, the convergence time is proportional to the number of LSPs sharing the protected link. PR1015806

  • In the event of link failure when multiple LSPs are using a link-protected and fast-rerouted link, the convergence time is proportional to the number of LSPs sharing the protected link. PR1016146

  • When a link fails on a transit router that hosts a Layer 2 circuit over an RSVP tunnel, the traffic convergence time is approximately 350 ms for a single pseudowire. PR1016992

  • On a QFX5100 switch, if an MPLS link is in hot standby mode and a pseudowire switchover is triggered by the event remote site local interface signaled down, traffic flowing through the pseudowire might drop. PR1027755

  • On QFX5100 using the Ethernet tagged mode of operation on a pseudowire, Layer 2 control protocols might fail to come up between customer edge devices (CEs) across the pseudowire. This issue is not seen when the pseudowire mode of operation is Ethernet raw mode. PR1028537

  • On QFX5100 switches using the IS-IS routing protocol as an interior gateway protocol between customer edge (CE) switches for an Layer 2 circuit, the CEs might fail to form an IS-IS adjacency over a pseudowire. As a workaround, use an alternative IGP protocol such as OSPF. Both IS-IS and OSPF link state protocols use the same algorithm for computing the best path through the network. PR1032007

  • On a QFX5100 switch, the enhanced hash key does not work for MPLS-IP packets. PR1095136

Network Management and Monitoring

  • On a QFabric system, jnxVpnIfDown traps are generated whenever a physical interface or a routed VLAN interface (RVI) goes down. PR828384

Platform and Infrastructure

  • On a QFabric system, the output displayed for the "show arp expiration-time" operational command might not be properly formatted. The last column ("TTE") might be misaligned so that the output might appear to be in the second-to-last column ("Flags"). PR737585

  • On a QFabric system, error messages about VLAN control set failures on network Node groups might be displayed. These messages do not indicate traffic interruptions or resource leaks and can be ignored. PR815902

  • On a mixed-mode Virtual Chassis Fabric, during a Routing Engine switchover, the system might experience a 200-300 millisecond loss of traffic. PR964987

  • On QFX5100 switches with a large number of firewall terms configured, firewall filters might stop working after you perform a unified ISSU. PR966445

  • In a mixed-mode Virtual Chassis Fabric (VCF), control plane packets such as OSPF or PIM might not be mirrored by the native analyzer when the output port belongs to another member in the Virtual Chassis. PR969542

  • On a Virtual Chassis Fabric, if you issue the show interfaces gr-0/0/0 extensive command, GRE statistics for logical interface gr-0/0/0.0 are not updated properly and it takes a long time for the CLI to respond. PR979629

  • When an IGMP leave is sent from a host to a QFX5100 switch, one packet per multicast group is dropped during route programming. PR995331

  • On QFX5100 switches acting as a VXLAN virtual tunnel endpoint (VTEP), known unicast traffic might be dropped from the VXLAN after GRES (for example, NSSU, ISSU). PR1026408

  • On QFX5100 Virtual Chassis, generic routing encapsulation (GRE) counters might not increment with a firewall filter and PIM configured. PR1124170

  • On QFX3500 and QFX3600 switches with ECMP enabled, if you add or delete routes continuously, the Packet Forwarding Engine might stop forwarding traffic, causing a traffic blackhole. PR1137890

  • On a QFX5100 Virtual Chassis, when you perform a non-stop software upgrade from Junos OS Release 14.1X53-D30.6 to Junos OS Release 14.1X53-D32, there might be traffic loss for up to one second. PR1154635

  • When the RSNG backup has a lower MAC/SYSID on reboot, an abrupt mastership switchover is seen. Workaround for RSNG backup reboot: Log in to the RSNG master through SSH. Execute the request session member <fpc backup number> command to get access to the RSNG backup. In CLI mode on the RSNG backup, go to edit mode and execute the following commands: set interfaces me5 disable and set interfaces me6 disable. On commit, the CLI asks for confirmation; enter confirm yes and press Enter. This automatically reboots the RSNG backup. PR1240951

Routing Protocols

  • On a QFabric system, the show pim join extensive command does not always display the downstream interfaces for multicast routes. The workaround is to issue the show multicast route command to display the downstream interfaces for multicast routes. PR890214

  • On a mixed-mode Virtual Chassis Fabric (VCF), when you add a new member to an existing VCF, routing protocols might transit down and up. PR957292

  • Protocol flaps during commit operation, when parent IRB MTU (1500) is lower than the irb.unit MTU (1600). PR1200962

  • When a static multicast route with a next-table next hop is changed from a table that cannot forward the traffic to one that can and is then reverted to the original table, the traffic might continue to flow out the downstream interface even though the static route is no longer pointing to the table that allowed for the traffic increase. For example:

    1) Starting state: output rate is 100k pps

       show configuration groups vrf1 routing-instances r1 routing-options static
       route 233.252.0.1/32 next-table r4.inet.0;
       route 233.252.0.2/32 next-table r4.inet.0;

    2) Change the route such that one of the routes now has a next-table of inet.0 and the outbound traffic rate increases to 101k pps

       show configuration groups vrf1 routing-instances r1 routing-options static
       route 233.252.0.1/32 next-table inet.0;
       route 233.252.0.2/32 next-table r4.inet.0;

    3) Revert the change to return to the original configuration (traffic rate stays at 101k pps)

       show configuration groups vrf1 routing-instances r1 routing-options static
       route 233.252.0.1/32 next-table r4.inet.0;
       route 233.252.0.2/32 next-table r4.inet.0;

    PR1217958

  • On EX4300/QFX5100/QFX5200 Series switches in a multicast scenario, when the upstream interface flaps on a non-DR router, the traffic might not be forwarded to the downstream multicast receiver. PR1250737

  • On the QFX3500, QFX3600, and QFX5000 Series switches without DHCP/BOOTP configuration, if IRB interface is configured without an IP address, then the device cannot transmit the bootstrap protocol (BOOTP) packet received with the destination MAC address of the switch correctly. PR1259544

User Interface and Configuration

  • On a QFabric system, if you configure a firewall filter in the [family ethernet-switching] hierarchy, the QFabric CLI might erroneously allow you to apply the filter to a layer 3 interface. PR677381

  • On a QFabric system, if a route is learned from an eBGP neighbor that is multiple hops from the QFabric system, and the same route is learned from other eBGP routers and multipath is enabled, the routes are not reachable from a server Node device or from a redundant server Node group. The routes remain in the network Node group routing table. Traffic on the network Node group devices can reach the destination route, but traffic on the server Node device or the server Node group cannot reach the destination route. This is the expected system behavior. PR682836

  • If a configuration file that contains groups-related configuration is loaded with the load replace command, a commit confirmed operation might fail. When this issue occurs, the new configuration is committed even if you do not confirm it within the specified time limit. PR925512

Virtual Chassis

  • On a mixed Virtual Chassis Fabric (VCF), a Virtual Chassis port (VCP) link between two members disappears after you perform a nonstop software upgrade. The show virtual-chassis protocol adjacency member command output shows the state of the VCP link as initializing. PR1031296

Resolved Issues

This section lists the issues fixed in the Junos OS Release 14.1X53 for the QFX Series.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Resolved Issues: Release 14.1X53-D140

Important Fixes in 14.1X53-D140

  • Improved file system and disk health check scripts for better monitoring and alerting. PR1414409

  • QFD shared storage updated from GFS-1 to GFS-2 for better performance. PR1415060

  • Updated Fusion-MPT kernel module from version 3.04-20 to version 4.28.00. PR1432314

General Routing

  • Multiple vulnerabilities are observed in OpenSSH. PR1208815

  • ISSU to Junos OS Release 17.1R1 and earlier releases is not supported on the QFX5100 switches. PR1255878

  • On the QFabric system, a maliciously crafted LLDP packet leads to privilege escalation and denial of service. PR1343600

  • On the QFX5100 Series of switches, stateless IP firewall filter might fail to evaluate certain packets. PR1343402

  • On QFabric, DRE might mount the remote mount point from the shared storage in duplicate and consume DRE resources. This causes DRE to become nonresponsive. PR1378180

  • DMA failure errors might be observed when the cache is full or flushes. These errors might cause the device not to accept the SSH credentials and crash the Virtual Chassis. PR1383608

  • The rpd process crashes when executing specific show ospf interface commands from the CLI with the configured OSPF authentication. PR1385014

  • A race condition on receipt of crafted LLDP packets leads to memory leakage and an LLDP crash. PR1410239

  • On the QFX5100 switch, slow packet drops might be observed when there are packets on the port before its buffer configuration is completed after the reboot. This issue is very rare and the window could be just a few milliseconds. PR1466770

  • Ingress drops are included at the CLI from interface statistics and added to InDiscards. PR1468033

  • Traffic might be lost on the ECMP path after an HDD failure on the master DG. PR1430811

  • Privilege escalation vulnerability in dual Routing Engines, Virtual Chassis, or High Availability cluster might allow unauthorized configuration change. PR1441795

  • Major alarm log messages are seen for temperature conditions at 56 degrees Celsius. PR1446363

  • Wrong serial number for QFabric/Director is observed in the Junos CLI command. PR1433862

  • Mib2d might crash with error information about MIB2D_SNMP_INDEX_DUPLICATE. PR1033249

  • MySQL error message is observed daily across the QFabric estate running D122.8/D17.1: ERROR: the age of the last checkpoint is 9437574. PR1392248

  • NTP does not synchronize on the QFX5100 nodes. PR1453234

  • False HDD alarms are displayed on executing the show chassis alarms director-device command. PR1498161

  • The sshd logs display the following error message in the SFC syslog: Could not load host key: /etc/ssh/ssh_host_ed25519_key. PR1498279

  • MySQL server connection gets lost and fabric becomes inaccessible after the DG mastership switchover. PR1499389

  • The rpdf process generates a core file on RSNG at the thread_insert() function on re improvising the interconnected devices or on NNG restart. PR1501496

  • The following message is displayed continuously on the fabric when the root partition is full on the master DG: JTASK_SCHED_SLIP. PR1502954

  • The following unexpected SNMP trap error messages are reported in the /tmp/sfctraphandler.log file when BGP neighborships are not formed: snmpd: send_trap: Error building ASN.1 representation. PR1503627

  • The sfcsnmpd process generates a core file at sfc_cache_refresh_oid_lookup_table. PR1492618

  • The rpdf process generates a core file while trying to recover the NW-NG-0:pime interface by restarting the node NNG at mc_edge_gme_vdm_node_process_l3ifl_change. PR1498376

  • The dcpfe process might crash if interfaces are interchanged between the aggregated Ethernet interfaces in a single commit in the QFabric system. PR1499042

  • The rpdf process generates a core file at rpd_server_rt_walk_cleanup_abort on RSNG during DG mastership switchover. PR1499926

  • The rpdf process generates a core file at bgp_bridgevpn_put_prefix on NW-NG-0 when the aggregated Ethernet interface link flaps. PR1500258

  • The rpdf process generates multiple core files at mc_inet_dcf_instance_get on NW-NG when the RSNG aggregated Ethernet interfaces are disabled or enabled. PR1500348

  • The rpdf process generates a core file at mc_edge_gme_vdm_node_process_l3ifl_change on rebooting NW-NG-0. PR1501184

  • The rpdf process generates a core file on backup NNG at krt_fabric_l3mc_rt_chg_q_hdlr during VLAN membership change. PR1501969

  • The rpdf process generates a core file at mc_inet_process_l3_mcast_rt_update on NW-NG during longevity tests. PR1502712

  • On QFabric, a dcd process core file at the dcd_process_sync-writes () function might be seen after rebooting NNG. PR1506102

  • On QFabric, the pafxpc process generates a core file on the NNG linecard at pfeman_session_msg_handler on rebooting NNG. PR1501184

  • SNMP request becomes nonresponsive. PR1412910

  • VRRP states mismatch between the NNG and RSNG. PR1468551

  • Improved I/O cache handling and enable native I/O on VMM. PR1486968

  • Disabled scsi_reserve function is not used. PR1489108

  • Added permit firewall policy to allow incoming NTP traffic. PR1491784

  • The rpdf process generates a core file while trying to recover the NW-NG-0:pime interface by restarting the node NNG at mc_edge_gme_vdm_node_process_l3ifl_change. PR1498376

  • Additional firewall policy to allow client DNS queries from QF directors. PR1509383

  • On QFabric, the drbd syncer rate value gets adjusted to the standard value of about 30 percent of the available replication bandwidth. PR1349651

  • Additional HDD parameters are monitored. PR1349669

  • Efficient monitoring mechanism for CCIF service and database. PR1407166

  • Introduced additional parameters in smartd for monitoring. PR1411638

  • Enabled write caching on the RAID volume to yield better performance. PR1414189

  • Updated kernel version from 2.6.18-410 to version 2.6.18-419. PR1415049

  • Improvements and fine tuning of GFS-2 parameters done to achieve overall disk and file system performance. PR1415065

  • DG bond interface hashing algorithm changed to layer 3+4 settings for better utilization of the physical links. PR1423847

  • Improvements in health check scripts to prevent accessing /pbdata when it is inaccessible. PR1424798

  • Stopped unwanted SSH warning message from CLI. PR1425482

  • Increased number of stored cnm/cnmonitor log files to 50 files and added compression or archiving functions. PR1426223

  • Added additional benchmark and monitoring toolset (sysbench and iotop). PR1427604

  • Added additional network bandwidth measurement tool (IPERF3) for the inter DG connectivity. PR1431273

  • Connection tracking mechanism replaced from stateful to stateless firewall. PR1431280

  • Increased MySQL innodb_log_file_size setting from 5 MB to 1 GB for better performance. PR1431283

  • Additional performance enhancements on cron job scheduling. PR1487055

  • Recent and stable version of Python 3.7.8 included. PR1522487

  • IPMI event service mode changed from polling to daemon mode for better performance. PR1522857

  • Improvements in the CN monitor to monitor dcfservice. PR1523605

Interfaces and Chassis

  • Multicast breaks when mc-group is bound to 0x2000001 in the Packet Forwarding Engine for one RSNG. PR1389950

  • On QFabric system, NNG does not send the PIM register message to RP after the Routing Engine switchover. PR1337371

  • On QFabric system with PIM enabled, the PIM register message might not be sent from NNG and lots of pime interfaces might be observed on the QFabric. As a result, the device might get stuck in the Register state. PR1378598

  • Multicast traffic drops might be observed in the QFabric system. PR1428619

  • Multicast traffic drops are observed with the following error message: brcm_rt_ip_mc_ipmc_install. PR1461339

  • In the QFabric solutions, there might be stale entries in the Packet Forwarding Engine for the inactive multicast flows. PR1441668

Network Management and Monitoring

  • Specific SNMP OID is less detailed than in Junos OS Release 12.2X50D51.7. PR1389765

  • All the fabric nodes in the QFabric system are rebooted in a rare scenario. PR1409348

  • In the QFabric system, on Junos OS Release 14.1X53D122.8, the sfcsnmpd process generates a core file. PR1442875

Platform and Infrastructure

  • Console port authentication bypass vulnerability is observed. PR1378429

QFabric Systems

  • On QFabric, multicast traffic loss might be observed in the MBB scenario when one IC is shut down and brought back up. PR1329477

  • NTP goes out of synchronization on the components. PR1334178

  • On QFabric systems, there could be a memory leak for the RPDF process during S,G route churn. A core file might be generated due to system memory exhaustion. High RPDF memory utilization might be observed. PR1353283

  • Approximately 1200 and more TCP connections are opened between DRE and NFS server, and pbstorage is not accessible from DRE. PR1259008

  • On the QFX3100-M and QFX3100-G switches, the (S,G) entries are not present in the Packet Forwarding Engine of the receiver. PR1343161

  • The enhanced dg_control_plane_health script integrated in the QFX3100 switches replaces the cpeswitchover script because the new one checks the CPE failure and switches traffic to another CPE correctly. PR1424353

  • Traffic might encounter forwarding problems in certain conditions after parity error logs appear. PR1439882

Routing Protocols

  • The parity errors in the Layer 3 IPv4 table in the Packet Forwarding Engine memory might cause traffic to be silently discarded. PR1364657

  • The aggregated Ethernet interface is not programmed in ECMP on RSNG. PR1456791

User Interface and Configuration

  • Local VRRP VIP address in QFabric might not be resolved in a particular RSNG. PR1370045

Resolved Issues: Release 14.1X53-D130

General Routing

  • FCoE sessions and non-FCoE traffic might be affected by queue corruption when links to the interconnect are disconnected. PR1182274

  • When child members of a LAG interface are configured as analyzer input ports, issues are seen if the corresponding FPC restarts or the line card is removed and re-added. The analyzer does not work as expected, with symptoms such as the kernel reporting analyzer-related errors and Packet Forwarding Engine misprogramming. PR1286777

  • On QFabric, cosd core files can sometimes be observed on RSNG/NNG if the configuration includes FCset configurations applied with non-wildcard on all interfaces, including aggregated Ethernet interfaces. Sample non-wildcard configurations are as follows: set class-of-service interfaces ae0 forwarding-class-set fcoe_fc_set output-traffic-control-profile fcoe_tc_profile, set class-of-service interfaces ae0 congestion-notification-profile fcoe_cn_profile, and set class-of-service interfaces ae0 unit 0 classifiers ieee-802.1 fcoe_cl. The known triggers for the core files are: 1) The cosd process crashes when manually restarted twice after boot. Later it can crash on every restart. 2) On RSNG/NNG, if cosd is restarted once on the active device and a Routing Engine switchover occurs later, cosd on the new master Routing Engine crashes. The cosd process crashes on subsequent switchovers too. To recover from this issue, the RSNG needs to be rebooted. PR1311158

  • In QFabric system with Redundant Server Node Group (RSNG), when all the Layer 2 interfaces in ingress VLAN are deleted on egress node, Layer 3 traffic across different node groups might be dropped. PR1320549

  • After NSSU to Junos OS Release 14.1X53-D75 / D121/D122, the port LEDs for some ports might not glow. This issue is seen for ports on 'new' master on the RSNGs. PR1323575

  • Executing the VTY command show dcbcm stuckbuf-info <port #> with an invalid port number crashes the Packet Forwarding Engine. PR1332069

  • PAFXPC core files are generated when a remote member physical interface is referenced in the vty command (interface Packet Forwarding Engine verification command) show dcbcm ifd <ifd name> on a QFX5100 platform configured as an RSNG node in QFabric. This might occur by mistake during debugging because the remote member ifd is currently listed along with the local physical interfaces. With the fix applied through this PR, the remote physical interface is not locally present, which avoids such a crash. PR1343701

  • On QFabric systems, when an ECMP path is created with one local next hop and one remote next hop and the ecmp-do-local-lookup statement is configured, the Network Node Group (NNG) might point to a wrong next hop, and a connectivity issue might be seen. PR1381519

  • On QFabric systems, if all the Layer 2 interfaces on one ingress VLAN are deleted on the egress node, routing for the ingress VLAN might be unexpectedly disabled on the egress node, resulting in traffic drop from the ingress VLAN to the other VLANs on egress node. PR1399281

  • On QFX3100 director platform, NSSU disruption might be observed if there is a corrupted ccif_server.db file, because the device starts the NSSU process without checking the file in advance. PR1399852

Interfaces and Chassis

  • On a QFabric system, unexpected behavior or crash might be observed if make-before-break timeout is configured less than 30 seconds. PR1286613

  • On QFabric systems, there could be a memory leak for the RPDF process during S,G route churn. A core file might be generated due to system memory exhaustion. PR1353283

  • In case of jumbo packets sent from SFID to the NNG Routing Engine, the fragmented TTP packets reaching the Routing Engine from a particular FPC/LC will have the same source IP, destination IP, and protocol (TTP). The fragments coming from the same FPC will have all the four identifiers required for reassembly of jumbo frames. Because SFID uses an ip_id of zero when forming the TTP IP header, all the TTP packets from SFID carry the same ip_id, which causes a problem during reassembly of fragmented packets. When the system encounters this issue, the "data size < length" or "header length < data size" counters increment in the output of show system statistics ip on NW-NG-0: {master} qfabric-admin@NW-NG-0> show system statistics ip | match "data size" xxxx with data size < data length xxxx with header length < data size. PR1392548

Layer 2 Features

  • On QFabric system, under a race condition, an sfid-bcm core file might be seen, resulting in service impact. PR1301042

Platform and Infrastructure

  • The script check logic to detect and report a PSU fault on the director device on QFabric is not complete. As a result, if a PSU fails on a QFX3100, alarms are not generated or sent. PR1333495

  • On the QFabric system Director device, the following logs might be seen in the syslog: Apr 22 23:12:11 <0.6> dg1 kernel: mptscsih: ioc0: attempting task abort! (sc=ffff8100925636c0) Apr 22 23:12:11 <0.4> dg1 kernel: scsi 0:0:0:0: Apr 22 23:12:11 <0.6> dg1 kernel: command: ATA command pass through(16): 85 08 0e 00 00 00 01 00 00 00 00 00 00 00 ec 00 Apr 22 23:12:11 <0.6> dg1 kernel: mptscsih: ioc0: task abort: SUCCESS (sc=ffff8100925636c0) Apr 22 23:12:11 <0.3> dg1 kernel: scsi 0:0:0:0: timing out command, waited 6s May 10 09:32:13 <1.5> dg1 scsi_reserve: [error] unable to exec sg_persist. This could happen when the storage module sends a task to the device and the task is not completed within a timeout period; the module attempts to abort the task and retries it later. This happens when the module is not able to access the underlying hardware, and it can be recovered automatically. PR1358932

QFabric Systems

  • On QFabric systems, replacing one Interconnect device might break the fabric connectivity for all node groups to the existing Interconnect devices (ICs). This might be caused by an incorrect IC replacement procedure. For example, the system already has 4 IC entries and a new IC is added to replace an existing one, and the keepalives come from a 5th IC that is not programmed in the system database. PR1327694

  • Logs similar to the following "Critical Alert" messages might be seen on the QFabric Director group device: dg0 syslogd: %USER-1: Filesystem_health_monitor : Critical Alert for Physical Memory: Total:35.19GB Used:33.09GB Free:2.09GB Free%:5% dg0 syslogd: %USER-1: Filesystem_health_monitor : Critical Alert for Physical Memory: Total:35.19GB Used:33.09GB Free:2.09GB Free%:5% dg0 syslogd: %USER-1: Filesystem_health_monitor : Critical Alert for Physical Memory: Total:35.19GB Used:33.09GB Free:2.09GB Free%:5%. These messages are cosmetic only and can be ignored because there is no service impact. These cosmetic logs are suppressed in Junos OS Release 14.1X53-D130 and later. PR1350965

Routing Protocols

  • On QFX5100 platform, some of the IPv4 multicast routes in the Packet Forwarding Engine might fail to install and update during normal operations, and as a result, multicast traffic from impacted groups traversing through the device might be silently discarded. PR1320723

User Interface and Configuration

  • For RSNG VRRP interface, the VIP address might not work correctly if the Layer 3 VRRP interface up/down event occurs in RSNG/SNG. PR1320723

Resolved Issues: Release 14.1X53-D49

Authentication and Access Control

  • On QFX Series switches except QFX10000, with DHCP security enabled, if the DHCP packets from DHCP clients are received from the DHCP snooping trust interface (by default, all trunk ports on the switch are trusted), such packets might be sent back on the same interface, resulting in the MAC move of the source MAC on the other Layer 2 devices. PR1369785

  • On Junos OS platforms that support dot1x, dot1xd core dumps might be seen when dot1xd receives a reply from authd and the reply length is less than 28 bytes. PR1372421

General Routing

  • RIPv2 update packets might not be sent with IGMP snooping enabled. This might cause the RIP protocol not to come up. PR1375332

  • DMA failure errors might be seen when the cache is flushed or is full. These errors might cause the device not to accept SSH credentials and the Virtual Chassis to hang. PR1383608

  • sdk-vmmd might consistently write to the memory. PR1393044

  • On QFX5100-48T switches, when performing TISSU (Topology Independent In-Service Software Upgrade) operation, link flaps on 10-Gigabit copper interfaces might be observed on the peer device. These flaps might cause unexpected failover of the connected PC/servers, which results in service impact. PR1393628

  • MPLS configuration changes or topology changes might result in generation of tunnel initiator clear messages in the syslog. PR1396014

  • In a DHCPv6 relay scenario, when QFX5100 works as DHCPv6 relay agent, if DHCPv6 packets that have both UDP source and destination ports as 547 are received, then they are dropped and not forwarded to the DHCPv6 server. As a result, the DHCPv6 process fails. PR1399067

  • On QFX5100 switches, traffic initiated from a server connected to an interface is dropped at the interface if the interface configuration is changed from family ethernet-switching with VXLAN to family inet. PR1399733

  • Parity error detection/correction for QFX-3500 in Junos OS Release 14.1X53-D48 is not supported. PR1402455

  • An issue is seen when you commit a configuration in a particular sequence that includes system configuration first and then replacement of all group configurations when you issue the replace command. The MD5File failed for /config/juniper.conf warning might be seen while you issue the commit check command and if you confirm the commit using the commit confirmed command, then the configuration does not get rolled back even if you do not confirm the commit. PR1403380

Layer 2 Features

  • After you upgrade a QFX5100 to Junos OS Release 14.1X53-D48, we do not notice storm control taking effect although the storm-control (?) profile is in effect. PR1401086

  • QFX5100 does not forward triple-tagged traffic if the software version is Junos OS Release 14.1X53-D27 or later. PR1415769

MPLS

  • Transit traffic does not increment the statistics of LSPs signaled by RSVP-TE. PR1362936

Network Management and Monitoring

  • The MIB2D_RTSLIB_READ_FAILURE: rtslib_iflm_snmp_pointchange syslog might be seen during configuration restore. Root cause: The mib-process daemon will send requests to kernel to update SNMP ifIndex for the interfaces that it is learning. If this interface is already deleted from kernel, the above syslogs could be seen. This interface learning by mib-process daemon will happen later, once kernel sends the ADD notification for these interfaces. There is no impact due to this syslog during the configuration restore scenario. PR1279488

Routing Protocols

  • On QFX Series switches, if host-destined packets (that is, the destination address belongs to the device) come from the interface with an ingress filter that has a log/syslog action (for example, 'filter <> term <> then log/syslog'), such packets might not be dropped and might reach the Routing Engine unexpectedly. PR1379718

  • If a QFX5100 device has a host route with ECMP (equal-cost multipath) next-hops and receives a better path with a single next-hop, then the next-hop in the interface configuration does not change. PR1387713

Resolved Issues: Release 14.1X53-D48

Class of Service (CoS)

  • Firewall filter cannot filter packets with DST IP as 224/4 and DST MAC = QFX_intf_mac on loopback interface using a single match condition for source address 224.0.0.0/4. PR1354377

General Routing

  • The IPv6 firewall syslog action shows the source and destination addresses incorrectly. Correct addresses: 2001:DB8:4:0:0:0:0:2 2001:DB8:4:0:0:0:0:1. Logged output: PFE_FW_SYSLOG_IP6_TCP_UDP: FW: .local..0 A tcp SA 120:b80d:400:0:0:0:0:200 DA 120:b80d:400:0:0:0:0:100 sport: 0 dport: 0 (258 packets) PFE_FW_SYSLOG_IP6_TCP_UDP: FW: .local..0 A tcp SA 120:b80d:400:0:0:0:0:200 DA 120:b80d:400:0:0:0:0:100 sport: 0 dport: 0 (252 packets). PR1104378

  • The initial implementation of auto-channelization relied upon the success or failure of certain timing related state machines. In some instances such as when an upstream device is rebooting, or in the process of initializing interfaces this can result in incorrectly (auto) channelizing a native 40G link. Once channelized the port must be manually reconfigured to restore native 40G connectivity which can impact some ZTP boot scenarios. This change modifies the decision tree to include reading of the applicable EEPROM register of the inserted qSFP to determine if the cable is capable of breakout before performing auto-channelization. PR1317872

  • On QFX5100 switches, well-known ports are used as the source port in the VXLAN scenario. Per the RFC, the recommended source port is a dynamic or private port in the range 49152-65535. PR1335227

  • Fan RPM spikes every time the temperature sensor reaches its threshold level and reverts to the normal level when the temperature decreases. There is no functional impact to the fan control software because of this fluctuation. PR1345181

  • On QFX5100 switches, the Packet Forwarding Engine might drop the ARP reply packets after changing the interface MAC address. PR1353241

  • On QFX5100-VC, VME interface might be unreachable after link flap of em0 on master FPC. PR1362437

  • On QFX3500 and QFX3600 platforms, OSPF might remain in init status after loading the Junos OS Release 14.1X53-D47.4 image. PR1362996

  • On QFX5100 switches in VC/VCF scenario, the chassisd might crash after issuing the CLI show chassis hardware. This can result in VCP down and traffic drop. PR1366746

  • On QFX Series switches, if IS-IS packet is received with DMAC as 09:00:2b:00:00:05 (ISO 9542, All Intermediate System Network Entities Address) and Jumbo frame with EtherType as 0x8870 (non-standard, used by Cisco), such packet will be dropped, resulting in failure in the adjacency. PR1368913

  • On QFX5100-VC running Junos OS Release 14.1X53-D43 through Junos OS Release 14.1X53-D47, command show interfaces ae<interface-name> extensive might display duplicate entries for member interfaces. PR1369713

  • On QFX5100, IPv6 routed packet is transmitted over VRRP virtual IP address though its VRRP state is in transition to master. PR1372163

  • On QFX5100 Virtual Chassis platform with GRES configured, if the backup member has the file /var/run/consoleredirect.pid and the master member is rebooted or a Routing Engine switchover occurs, the backup cannot become the master member. PR1372521

  • On QFX Series platform, if redundant trunking group (RTG) is enabled with large-scale MAC addresses, the MAC refresh frame might not be sent out from the new primary link after an RTG failover triggered by deactivating the former primary link on the peer side. PR1372999

  • A QFX5100 Packet Forwarding Engine might show DISCARD next hop for overlay-bgp-lo0-ip when the QFX5100 is the leaf in a leaf-spine topology. PR1380795

  • In Open vSwitch Database (OVSDB) environment, Virtual Chassis master copies /var/db/ovsdatabase to backup every 10 seconds and Virtual Chassis backup writes the whole OVS database to SSD frequently. This causes a high write I/O and shortens the SSD lifetime. PR1381888

Infrastructure

  • On QFX5100 platform, a complete packet loss is experienced if mac-move-limit is enabled on an interface which has encapsulation flexible-vlan-tagging configured and has a port which has Layer 2 and Layer 3 VLAN. PR1357742

Interfaces and Chassis

  • On QFX3500, QFX3600, and QFX5100 Series switches, MC-LAG peer might not send ARP request to the host. PR1360216

Layer 2 Features

  • After one unit in a Virtual Chassis is rebooted, the unit cannot establish the LAG because LACP packets are dropped. PR1361054

  • On QFX5100 switches, IPv6 traffic over a VXLAN tunnel is not hashed, which might result in unexpected issues in an ECMP scenario. PR1368258

  • On QFX5100 switches, if an interface is changed from VXLAN to a member of an aggregated Ethernet interface, the DHCP relay might not work and the DHCP client might not get an IP address normally. PR1377521

MPLS

  • On all QFX5100 platforms, if the P/PE router is configured with no-decrement-ttl, the routing protocol process (rpd) sends the NO_PROPAGATE_TTL flag even for the tunnel transit case. PR1366804

Routing Protocols

  • On QFX5100 platforms, the switch might get into an improper state where it is unable to correct parity errors in the Packet Forwarding Engine memory. Traffic might get silently dropped and get discarded for specific destination IPs. PR1364657

Resolved Issues: Release 14.1X53-D47

EVPN

  • With VXLAN configured for 30 VXLAN VNIs, Layer 3 unicast traffic loss might be observed on deleting and adding back all the VXLAN VNIs. PR1318045

  • Given three leaf VTEPs (two remote VTEPs and one local VTEP), the programming for a MAC address might become incorrect on the local VTEP. This might happen when a MAC address in the EVPN database moves from a remote VTEP (VTEP #1) to a local VTEP (VTEP #2) and then to a different remote VTEP (VTEP #3): the programming for the MAC address on the device with VTEP #2 still points to remote VTEP #1. It is not updated with the correct VTEP to which the MAC address has moved (VTEP #3). PR1335431

General Routing

  • Memory leak in JDHCP during DHCP session RELEASE/BIND. PR1181723

  • On EX Series or QFX Series Virtual Chassis, if new members are not zeroized prior to being added to the Virtual Chassis, and then one of the new members splits from the Virtual Chassis, then whenever you run "commit" or "commit check", the commit might hang for a long time and then report a timeout error on the FPC that split from the Virtual Chassis. PR1211753

  • During the last stage of NSSU, before rebooting the master, NSSU state is set to idle and reboot is issued around 10 seconds after. The traffic drop is observed for these 10 seconds. PR1219693

  • A QFX5100-48S or QFX5100-96S might incorrectly show the media type of an SFP-T copper module as fiber in the output of the 'show interface' command. PR1240681

  • On EX/QFX Series switches, if the Dynamic Host Configuration Protocol (DHCP) server uses the boot file name option during ZTP (Zero Touch Provisioning), the device cannot receive the image and reports the error "Image File Not Set", causing the image and configuration upgrade to fail. PR1247648

  • Junos OS: Short MacSec keys may allow man-in-the-middle attacks (CVE-2018-0021); Refer to https://kb.juniper.net/JSA10854 for more information. PR1251909

  • On QFX5100 Series Switches, the following errors might get displayed with multicast configuration/traffic. The messages do not indicate traffic impact, however multicast statistics might not work due to these messages. Feb 15 07:28:49 switch fpc0 brcm_ipmc_get_multicast_stats:3947 brcm_ipmc_stat_get failure Feb 15 07:28:49 switch fpc0 brcm_rt_stats:1906 brcm_ipmc_get_multicast_stats failure err=-7. PR1255497

  • On EX4600/QFX5100 Series switches, when an Integrated Routing and Bridging interface (IRB) is configured with the underlying Layer 2 interfaces, if an Address Resolution Protocol (ARP) reply is received whose destination Media Access Control (MAC) address is the same as the IRB's MAC, the packet is consumed and also flooded in the Virtual Local Area Network (VLAN) because the ARP reply's MAC address received on the underlying Layer 2 interface is not the interface's MAC. PR1294530

  • The Network Analytics process might be incorrectly instantiated, leading to traffic statistics not being transmitted. When this occurs, the 'Sent' value for 'show analytics collector' is displayed as zero and the output of 'show analytics traffic-statistics' is empty: root@QFX5100> show analytics collector Address Port Transport Stream format State Sent 10.10.10.72 50020 udp json n/a 0 10.10.10.167 50020 udp json n/a 0 root@QFX5100> show analytics traffic-statistics CLI issued at 2018-03-26 22:15:56.411671. PR1297535

  • On Enhanced Layer 2 Software (ELS) platform, if an interface is configured under a VLAN "A" but the same VLAN "A" is not configured in the chassis, no commit error is generated when the configuration is committed, which might lead to software upgrade failure. PR1302904

  • On QFX5100 platform, for a subinterface of AE interface, the run-time pps statistics value is zero. This is a cosmetic issue. It does not have any service/traffic impact. PR1309485

  • On QFX5100, QFX3500, and QFX3600 platforms, traffic loss might be seen if sending traffic via the 40G interface which is connected with peers through DWDM and the CRC errors of the interface may also keep on increasing after flapping the interface on QFX side. PR1309613

  • On QFabric, cosd core files can sometimes be observed on RSNG/NNG if the configuration includes FCset configurations applied with non-wildcard on all interfaces, including AE interfaces. PR1311158

  • Traffic drop occurs on sending L3 traffic across MPLS LSP. PR1311977

  • On QFX5100 platform, transit traffic over GRE tunnels might hit the CPU and trigger a DDoS violation on L3NHOP in the following cases: 1) When unilist routes are formed to reach the tunnel destination. As a workaround, with the ECMP configuration removed, deleting and reprogramming the GRE interface resolves the issue. 2) When a specific route for the GRE tunnel destination IP is deleted. As a workaround, restart the PFE process. PR1315773

  • On QFX3500, QFX3600, or QFX5100 with Simple Network Management Protocol (SNMP) enabled, if an interface connected to a VoIP product has Link Layer Discovery Protocol (LLDP) and LLDP-MED enabled, l2cpd might generate core files repeatedly. PR1317114

  • On QFX5100 switches, if OpenFlow is configured with interfaces and controller options, then the OpenFlow session might flap constantly. This issue is caused by a malformed OpenFlow response packet. PR1323273

  • On Enhanced Layer 2 Software (ELS) platform, VLAN or VLAN bridge might not be added or deleted if there is an interface bridge domain (IFBD) hardware token limit exhaustion. It might cause new IFBDs not be created or old IFBDs not be deleted. PR1325217

  • On QFX5100 Series switches with Ethernet Virtual Private Netork with Virtual Extensible Local Area Network (EVPN/VxLAN) multi-homing configuration, if the aggregation interface (AE) is configured with Service Provider style, then deleting one VxLAN might cause traffic loop for multi-homing scenario. PR1327978

  • In Virtual Chassis (VC) or Virtual Chassis Fabric (VCF) scenario using QFX5100, if VXLAN is configured on access ports which are in the same VLAN, it might interfere another independent/unrelated port, a Virtual Chassis port (VCP) or a network port. As a result, members of the Virtual Chassis or the VCF are split. PR1330132

  • After a new leaf node is added to a VCF, the spine FPC might loop frames back through the ingress AE port. This issue is fixed in 14.1X53-D47 and later. PR1335909

  • The analyzer status might show as down when port mirroring is configured to mirror packets from an AE member. PR1338564

  • The interfaces with SFP-T transceivers are detected by RSTP as LAN interface type instead of point to point. The problem appears because of an incorrect duplex variable assignment for the link partner. PR1341640

  • FXPC process might generate a core file when removing VXLAN configuration. PR1345231

  • QFX5100-48T 10G interface might be auto-negotiated at 100M speed instead of 10G after peer device reboot. PR1347144

  • On QFX Series switches with AE interface configured, the GTP (GPRS Tunnel Protocol) traffic cannot be hashed correctly when transmitted through the AE interface. PR1351518

  • On QFX3500/QFX3600 platform, OSPF might remain in init status after loading the 14.1X53-D47.4 image. PR1362996

Interfaces and Chassis

  • On QFX3500, QFX3600, or QFX5100 Series switches with MC-AE configured, when local and peer MC-AE are both down and then local MC-AE is up and peer MC-AE is still down, ARP reply might be dropped in this scenario. PR1282349

  • On EX/QFX platform with MC-LAG enabled, if "redundancy-group-id-list" isn't configured under ICCP, upgrading might encounter commit failure during bootup. PR1311009

  • On EX4600/QFX5100 platform, if the ICL link is configured on a single interface (such as GE-0/0/0, without LAG) and one member of MC-LAG is down, and both MC-LAG peers are rebooted, packets might drop on ICL of MC-LAG peer where MC-LAG is up. PR1345316

  • If a CVLAN (customer virtual local area network) range of 16 (for example, vlan-id-list 30-45) is configured in a Q-in-Q (that is, 802.1ad) scenario, all the 16 VLANs might not pass traffic. PR1345994

Layer 2 Features

  • On a QFX5100 switch, with a fully meshed MC-LAG topology configured, sometimes there is more traffic loss when the ICL interface goes down and then back up compared to when you have Junos OS Release 14.1X53-D35 software installed. The root cause has been identified, and this issue does not affect MC-LAG functionality. PR1209322

  • When the l2ald daemon (l2-learning) is restarted, an l2ald core file might be generated. PR1229838

  • When a VTEP interface is flapping frequently, a core dump may be seen which causes traffic forwarding to stop until the pfe is recovered from the core dump. PR1230198

  • On QFX3500/QFX3600/QFX5100 Series switches, if RTG and xSTP are configured on the same VLAN, RTG interface might go to blocked state and packets cannot be forwarded as expected over the RTG interfaces. PR1230750

  • On QFX5100 platform, ARP entry might be learned on STP blocking ports if GARP reply packets or broadcast ARP reply packets are received on spanning tree blocking ports. As a result, traffic loss might be seen. PR1324245

  • When there are multiple logical units on a lag (ae) interface, ingress pop might not work when the configuration is changed on the interface and rolled back. PR1331722

  • On QFX5100 Series platforms, the DHCP packet might be forwarded by the MSTP blocked port if the "dhcp-security group * overrides no-option82" is enabled, which might lead to MAC flapping and form a loop. PR1345610

MPLS

  • On QFX5100 switches, unified ISSU is not supported with MPLS configuration. PR1264786

  • On QFX3500/QFX3600/QFX5100 Series switches with Dynamic Host Configuration Protocol (DHCP) relay configured under Border Gateway Protocol (BGP)-Layer 3 Virtual Private Network (VPN), DHCP clients connected to the switch cannot get an IP address over BGP-L3VPN. PR1303442

  • On QFX5100 platforms with hot-standby for the l2circuit scenario, the device might not forward traffic if the primary path fails over to standby circuit. PR1329720

Platform and Infrastructure

  • On a mixed Virtual Chassis (VC) / Virtual Chassis Fabric (VCF) where QFX5100 works as the RE (Routing Engine) and EX4300 works as a line card, the knob "interface-mac-limit" configured for interfaces on EX4300 does not work. PR1259634

  • In Virtual Chassis scenario, when the master member FPC reboots and the interface on which the ARP is learned goes down along with the master FPC, traffic loss might be observed for about 10 seconds. At that time, the ARP entry cannot be learned from the remaining FPC. PR1283702

Routing Policy and Firewall Filters

  • On all Junos OS platforms with "vrf-target auto" configured under routing-instance, the rpd might crash after an unrelated configuration change. PR1301721

Routing Protocols

  • In a rare condition, an mt tunnel interface flap causes a backup Routing Engine core file to be created. The exact root cause is not known. PR1135701

  • In situations where BGP multipath is used and there is a large route scale, the lead route (the one selected as active) might not be deleted right away and remains the active route. The router doesn't consider routes as multipath feasible if they are received from a peer that has gone down. Because of this, the active route is not feasible for multipath, and the router is not able to find a lead route for BGP multipath (the lead route has to be the active route). This causes BGP multipath to be torn down and re-created later, when the active route is deleted and the new active route becomes feasible for BGP multipath. PR1156831

  • On QFX5100 Series switches, if Protocol Independent Multicast (PIM) source-specific multicast (SSM) is used, IPv6 multicast traffic from the source might be 100% dropped. PR1292519

  • On QFX5100 platforms, some of the IPv4 multicast routes in the Packet Forwarding Engine might fail to install and update during normal operations, and as a result, multicast traffic from impacted groups traversing through the device might be silently discarded. PR1320723

  • Consistent load balancing minimizes flow remapping in an equal-cost multipath (ECMP) group. Previously on QFX5100 switches, the CLI command 'set policy-options policy-statement ECMP term 2 then load-balance consistent-hash' hid the 'consistent-hash' attribute from the load-balance object. PR1322299

  • On EX4600 or QFX5100 platform, Intermediate System to Intermediate System (IS-IS) Level 2 (L2) Hello packets are dropped when they come from a Brocade device, and the IS-IS L2 adjacency fails. The issue is seen only for jumbo IS-IS L2 packets. PR1325436

  • On QFX5100, if an Integrated Routing and Bridging (IRB) interface is looped back to a physical interface in another VLAN on the switch, the IRB interface is not accessible to remote networks. PR1333019

Virtual Chassis

  • On a QFX5100 Virtual Chassis or VCF topology, it takes 10 minutes to obtain the RE role if you reboot a chassis. The issue is seen only when there is an offline chassis in the Virtual Chassis/VCF topology. PR1225696

  • On a QFX5100 Virtual Chassis, a traffic loop might be seen during network port to VCP (Virtual Chassis port) conversion. Once those interfaces are removed from the Virtual Chassis, VLAN programming might be affected. PR1346851

  • On QFX5100 platforms, performing a vulnerability test using the Nmap application might cause the fxpc process to crash, resulting in traffic loss and a core dump. This issue is seen only in a Virtual Chassis (VC) environment. Example of an Nmap command that causes the problem: "nmap -v -sO 192.168.101.1". PR1351411

Resolved Issues: Release 14.1X53-D46

General Routing

  • In a data center interconnect (DCI) scenario, when two QFX5100-24Qs in different data centers are interconnected using a 40G link and when DWDM is used in the connection especially with ADVA and single mode fiber (SMF) on one side and multi mode fiber (MMF) on the other, the 40G connection between the two QFX5100-24Qs may not be stable. Sometimes the link will come up and sometimes not. Frame errors might be seen constantly. PR1178799

  • On QFX5100, receiving malformed PIM Hello packets can cause 24-byte memory leaks. PR1224397

  • MACsec issue: The "show security macsec statistics" command does not show expected results. Statistics are incorrectly cleared for each physical interface (IFD) under eth periodic (1 second). PR1283544

  • On a QFX5100-48T switch with an AE interface configured, if the speed is set to 1G on an AE member xe interface, the AE link might flap every time the configuration is changed, no matter what configuration is changed. PR1284495

  • If storm control is enabled with the shutdown action on QFX3500, QFX3600, QFX5100, EX4300, or EX4600, the interface with DN and SCTL flags will lose the SCTL flag and will remain permanently down after GRES. PR1290246

  • In QFX5100 if a fan module is released, a major alarm is raised instead of a minor alarm. PR1291622

  • On QFX5100, the fxpc process might generate a core file when a large number of routes is pushed to be programmed in the hardware. PR1294033

  • On QFX5100 switches, the 40-gigabit interface might not come up if a specific vendor direct attach copper (DAC) cable is used. PR1296011

  • On QFX Series platforms with the ZTP feature enabled, the DHCP clients do not get an IP address if a DHCP pool with a /31 subnet is configured. However, if a DHCP pool with /30 or /24 is configured, it works fine. With /31 configured, the DHCP client state remains as "requesting":

    user@host> show dhcp client binding
    IP address        Hardware address   Expires     State       Interface
    0.0.0.0           00:00:5E:00:53:00  0           SELECTING   irb.0
    0.0.0.0           00:00:5E:00:53:01  0           SELECTING   vme.0
    10.160.136.65     00:00:5E:00:53:03  0           REQUESTING  et-0/0/0.0

    PR1298234

  • QFX5100 might crash and generate an fxpc core file during normal operation. PR1306768

  • On all QFX Series platforms, all the Internet Control Message Protocol (ICMP) requests that are sent to the Integrated Routing and Bridging (IRB) interface might be dropped for 4-60 seconds if an IRB interface is configured as the gateway in a failover scenario for Virtual Chassis. PR1319146

EVPN

  • In an EVPN VXLAN scenario, a MAC address previously learned from a remote Ethernet segment identifier (ESI) cannot be changed to local even if the host is connected directly. The MAC address of the host might remain as learned from the ESI instead of the local interface until the MAC address is aged out. PR1303202

Platform and Infrastructure

  • Dropping the TCP RST packet incorrectly on PFE might cause traffic drop. PR1269202

Interfaces and Chassis

  • QFX5100: Packets are getting dropped if outer TPID is set with 0x9100. PR1267178

Multiprotocol Label Switching (MPLS)

  • QFX5100/EX4600: Stale MPLS label entries might exist on MPLS table in PFE after deleting or disabling the underlying interface of IRB/AE interface. PR1243276

  • On QFX5100/QFX3500/QFX3600/EX4600 Series switches in Multiprotocol Label Switching (MPLS) penultimate-hop popping (PHP) scenario, after MPLS next-hop changed and then back, traffic might stop passing LSP. PR1309058

Multicast Protocols

  • Multicast traffic is black-holed when the master reboot is done on a QFX5100 or EX4600 Virtual Chassis. PR1164357

Routing Protocols

  • On EX4600/QFX Series switches with unicast-in-lpm configured, EBGP packets with ttl=1 and non-EBGP packets with ttl=1, whether destined for the device or even transit traffic, go to the same queue. This might result in valid EBGP packets drop which can cause EBGP flap. PR1227314

  • QFX5100 might log "Cannot program filter "xxx" (type VFP FBF)" even though the VFP entries have not reached the max_count of 512. PR1229375

  • If the number of 'Ref count' entries used by a firewall filter applied on the loopback interface is more than 255, the log 'dc-pfe: list_destroy(): non-empty list (1)' is printed after the firewall filter configuration is committed. PR1286209

Security

  • The Juniper Networks enhanced jdhcpd process might experience high CPU utilization, or crash and restart upon receipt of an invalid IPv6 UDP packet. Both high CPU utilization and repeated crashes of the jdhcpd process might result in a denial of service as DHCP service is interrupted. Refer to JSA10800 for further details. PR1119019

  • A buffer overflow vulnerability in Junos OS CLI might allow a local authenticated user with read only privileges and access to Junos CLI, to execute code with root privileges. Refer to JSA10803 for further details. PR1149652

  • Two vulnerabilities in telnetd service on Juniper Networks Junos OS might allow a remote unauthenticated attacker to cause a denial of service through memory and/or CPU consumption. Please refer to JSA10817 for more information. PR1159841

  • Junos: Potential remote code execution vulnerability in PAM (CVE-2017-10615); Refer to https://kb.juniper.net/JSA10818 for more information. PR1192119

  • On Junos OS devices with SNMP enabled, a network-based attacker with unfiltered access to the Routing Engine can cause the Junos OS snmpd process (daemon) to crash and restart by sending a crafted SNMP packet. Repeated crashes of snmpd process can result in a partial denial-of-service condition. Additionally, it might be possible to craft a malicious SNMP packet in a way that can result in remote code execution. Refer to https://kb.juniper.net/JSA10793 for more information. PR1282772

Virtual Chassis

  • On QFX platforms with nonstop routing configured, there is a possibility of drops for a short duration when a Routing Engine switchover is performed. The commit marker sequence has been modified to check the state of the commit, and a warning is prompted only if a valid entry is seen. PR1225829

VXLAN

  • AE interface cannot forward traffic in VXLAN configuration. PR1213701

Resolved Issues: Release 14.1X53-D45

General Routing

  • In a Layer 3 VPN, if IRB is used between the penultimate hop and the PE node and VRF connectivity is checked using a PE to PE ping, then pinging the PE loopback address or interface IP address from the remote PE does not work. PR1211462

  • Because some register values at the PHY for tuning the cable are not optimal, the interface might experience continuous flapping. PR1273861

  • A previous PR, 1169106, changed the behavior for 'rxbps' to report bits per second for streaming data, instead of bytes. The output for "show analytics traffic-statistics interface" was changed from 'Octets per second' to 'Bits per second' as seen below, but the actual value reported remained in bytes:

    QFX5100> show analytics traffic-statistics interface ge-0/0/2
    Time: 00:00:00.363490 ago, Physical interface: ge-0/0/2
    Traffic Statistics:       Receive         Transmit
    Total octets:             87926097472     11412
    Total packets:            1373845261      41
    Unicast packet:           1373845261      3
    Multicast packets:        0               34
    Broadcast packets:        0               4
    Bits per second:          762063768       1584    <<<<<<<<< Display shows Bits per second, but 762063768 BYTES are reported
    Packets per second:       1488405         0
    CRC/Align errors:         0               0
    Packets dropped:          0               0

    Code changes in this PR completed the changes to reflect the correct value in bits. Additionally, documentation has since been changed to reflect that 'rxbps' represents 'Total bits received per second': https://www.juniper.net/documentation/en_US/junos/topics/concept/analytics-streaming-statistics-remote-understanding.html PR1285434

  • When the OVS database in QFX5100 is corrupted accidentally, the ovsdb-server daemon cannot launch properly even after rebooting QFX5100. PR1288052

  • On QFX5100 Series switches with EVPN/VxLAN deployed, the VLAN flood index might not be programmed correctly on the PFE. Because of this, the ARP requests to the virtual gateway are dropped, and traffic forwarding is affected. PR1293163

Class of Service (CoS)

  • In the current design, for the knob "transmit-rate" applied within the "forwarding-class-set" to work properly, the knob "guaranteed-rate" must be configured for the "forwarding-class-set"; this is mandatory. Without "guaranteed-rate" configured, a "transmit-rate" configured as a value does not work within the "forwarding-class-set", which is as per design. However, a "transmit-rate" configured as a percentage still works within the "forwarding-class-set", which is not as per design. PR1277497

EVPN

  • On QFX5100 deleting a vxlan causes traffic disruption in all other vxlans. Rolling back the vxlan deletion alone would not resolve the issue. Rollback and l2-learning restart thereafter is needed to recover. Issue is fixed in JunOS 14.1X53-D40 onwards. PR1215883

  • In a VxLAN scenario, the Packet Forwarding Engine manager daemon (fxpc) and kernel crash might be observed after adding MTU configuration on QFX5000-VC platform. PR1283966

  • A new option, exclusive-mac, is added under protocols l2-learning global-mac-move: set protocols l2-learning global-mac-move exclusive-mac <mac>. PR1285749

Interfaces and Chassis

  • On a QFX5100 VC/VCF, when you upgrade the firmware via normal upgrade or NSSU from 13.2X51-D30.4 to 14.1X53-D35 or from 14.1X53-D35 to 14.1X53-D40, you can sometimes encounter a DCD core. PR1276745

  • On a QFabric system, unexpected behaviour or crash may be observed if make-before-break timeout is configured less than 30 seconds. PR1286613

Layer 2 Ethernet Services

  • A new static MAC is configured under AE interface, but the MAC of the LACP PDUs sent out is not changed. PR1204895

Multiprotocol Label Switching (MPLS)

  • On QFX5100/EX4600 Series switches, deleting an IRB/AE interface with MPLS enabled might not delete the related entries from the MPLS routing table in the PFE, which leaves stale MPLS routes in the PFE. The stale entries in the MPLS forwarding table (PFE) will impact scale scenarios. PR1243276

QFabric Systems

  • The QFabric director retrieves syslogs and SNMP traps from different components—such as node-groups, node-devices, and interconnects—and logs them in the /tmp/sfc-captures/misc directory. Over a period of time, this can consume a large amount of disk space, as these logs are not purged. PR1272190

Routing Protocols

  • On QFX5100, when resilient hashing is enabled on ECMP paths, flows on other paths should not be rehashed when one path goes down. But for host routes (/32 routes), rehashing might happen in some cases. PR1137998

  • On a Virtual Chassis Fabric, you might see an error such as MMU ERR Type: 1B error, Addr: 0x001052cf, module: 42, which indicates that there was an ECC error in the PFE MMU counter memory. ECC errors are corrected by the hardware without software intervention and are corrected only when a packet hits that memory. Reading an ECC-errored entry always generates an interrupt; however, the error will only be corrected when the packet hits the memory. Because this is a counter memory, the counter thread reads this memory continuously, and hence you see continuous error messages. PR1198162

  • On QFX3500/QFX3600/QFX5100/EX4300/EX4600 Series switches, Border Gateway Protocol (BGP) packets with IPv6 link local address as destination address are not punted to CPU, so it results in BGP session failing to establish. PR1267565

  • On QFX5100 and EX4600 switches, when you are adding or deleting routes on a system with a large number of routes, in rare cases, the fxpc process might access an already freed-up memory space, causing the fxpc process to crash and restart with a core file generated. PR1271825

  • On QFX5100-24Q and QFX5100-48S, if IPv6 link local packets are from members other than the first member of a channelized interface (for example, xe-0/1/2:1, xe-0/1/2:2, or xe-0/1/2:3), IPv6 packets are dropped. PR1283065

Resolved Issues: Release 14.1X53-D44

General Routing

  • If a Media Access Control Security (MACsec) session flaps, dot1x might crash and generate a core dump, and the MACsec session then fails to be established. PR1251508

  • On QFabric systems, an incorrect alarm is displayed when the fan tray is removed: an incorrect FPC slot value is displayed in the alarm. PR1273894

Interfaces and Chassis

  • On QFX3500/QFX3600/QFX5100/EX4600/EX4300 Series switches with MC-LAG configuration, if ARPs are resolved across VRFs by route leaking, it might cause traffic to be dropped in scaling ARP entries (for example: 3K). PR1241297

Layer 2 Features

  • On QFX5100, MAC learning will be very slow when clearing MAC addresses in cases of scale MAC learning (128k). PR1240114

  • On QFX5100/EX4600 Series switches, if the last term of a filter is configured with the reject action and the filter is applied on the lo0 (loopback) interface, media access control (MAC) address learning might flap when Internet Group Management Protocol (IGMP)/Dynamic Host Configuration Protocol (DHCP) packets are received. PR1245210

  • On QFX5100 switches, if you configure a Layer 3 interface with vlan-tags outer 0x9100.xx, then packets are dropped on this interface. PR1267178

Platform and Infrastructure

  • On QFabric, high disk utilization might be seen on the master DG because the processes (for example, sfcsnmpd, cnm, mgd, sfctraphandler, and dgsnmpd) keep opening these log files and keep updating them with incoming immediate logs. PR1245817

  • In rare cases, the Packet Forwarding Engine might drop the TCP RST (reset) packet from the Routing Engine side while doing GRES or flapping an interface, and traffic might be dropped. PR1269202

QFabric Systems

  • The QFabric director retrieves syslogs and SNMP traps from different components—such as node-groups, node-devices, and interconnects—and logs them in the /tmp/sfc-captures/misc directory. Over a period of time, this can consume a large amount of disk space, as these logs are not purged. PR1272190

Routing Protocols

  • A filter attached to the lo0 interface with terms containing either destination-port-range-optimize or source-port-range-optimize statements will unexpectedly discard traffic. PR1228335

  • When polling the SNMP MIB jnxFirewallsEntry, if more than one firewall filter was configured and attached to any logical interfaces on the QFX3500 platform, the counters for only one firewall filter would be returned. Now all filters and counters are returned when polling the MIB. PR1250776

Virtual Chassis

  • A VCF might experience an outage for a while when a Virtual Chassis port (VCP) is flapping. PR1158798

Resolved Issues: Release 14.1X53-D43

General Routing

  • The VCF is not communicating properly with the backup spine. PR1141965

  • On QFX5100 Series switches, a major alarm about 'Management Ethernet 1 Link Down' might be raised even though the device does not use Management Ethernet 1 (em1) interface. PR1228577

  • On QFX3500, DHCP binding may not work when untrusted ARP inspection is enabled in the snooping device. PR1229399

  • On QFX5100 and EX4600 switches, if traceroute is used between endpoints and the path travels through a GRE tunnel, hops in the tunnel are displayed by an asterisk in the traceroute output. PR1236343

  • On QFX5100 Series switches, if Ethernet Virtual Private Network (EVPN) over Virtual Extensible Local Area Network (VXLAN) with multi-homing is configured, executing the commands "delete protocols evpn vni-options" and "delete protocols evpn extended-vni-list" on the non-Designated Forwarder (DF) device and then executing the rollback command might cause the DF device to transmit the broadcast, unknown unicast, and multicast (BUM) traffic. PR1239672

  • Because the wrong type is defined when printing a value drawn from the PFE, "show interfaces" might show an extremely large number compared to the actual value. Example:

    QFX> show interfaces extensive et-0/1/0
    Physical interface: et-0/1/0, Enabled, Physical link is Up
    .
      Input errors:
        Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Bucket drops: 0, Policed discards: 0, L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0, FIFO errors: 0, Resource errors: 429496729600 <<<<<<<<<<<<<<<<
      Output errors:
        Carrier transitions: 3, Errors: 0, Drops: 0, Collisions: 0, Aged packets: 0, FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0, Resource errors: 0, Bucket drops: 0

    Here 429496729600 is 0x6400000000 in hexadecimal. However, the actual value is 0x64, or 100 in decimal. PR1245748

  • On QFabric with QFX5100 as network node, changing any Link Aggregation Control Protocol (LACP) configuration over 10G interface on QFX5100 will cause all other Aggregated Ethernet (AE) interfaces to flap. PR1246280

  • SFP-T in QFX5100-48S-6Q does not work at 100 Mbps full duplex in Junos OS Release 14.1X53-D35 and later. PR1250453

  • The output of 'show interface' may incorrectly show interfaces as Link-mode: Auto and Speed: Auto even though the interface is manually configured at a speed and duplex setting. This issue is cosmetic in nature as the interface is indeed running at the manually configured Speed and Duplex setting. PR1260986

  • Unless the SDKs of all FPCs are initialized, PIC initialization does not happen. The root cause of the issue was identified as a dependency on SDK initialization for all FPCs to bring the PIC online. This has been resolved by removing the dependency to wait for all FPCs to be initialized before bringing the PICs to the online state. In images starting from this release, as soon as any of the FPCs is initialized, PIC online will happen on the QFX3008 Interconnect. PR1261685

  • On standalone QFX5100 or on Virtual Chassis (VC) / Virtual Chassis Fabric (VCF) with QFX5100, Media Access Control Security (MACsec) licenses may not be added sometimes. PR1269667

Class of Service (CoS)

  • On QFX5100/EX4600/EX4300 Series switches, if a forwarding-class-set with more than one forwarding class is applied to an interface, and the schedulers for the forwarding classes under this forwarding-class-set are not configured with shaping-rate, traffic might be dropped for this interface. PR1255077

EVPN

  • On QFX5100 Series with VxLAN/EVPN configured, when multiple IP addresses are configured for VTEP source interface, traffic might be dropped on spines. PR1248773

  • Removing force-up on an active link can cause programming issues on the QFX5100. Traffic returning from the destination will not be forwarded on an egress of the QFX5100. PR1264650

Interfaces and Chassis

  • The AE interface might be down after NSSU is done on QFX5100 or EX4600 switches. PR1227522

  • On an EX4300, EX4600, or a QFX Series switch, if one logical interface is configured in one VLAN and then is deleted and added to another VLAN, traffic might not be transmitted correctly. PR1228526

  • On QFX3500/QFX3600/QFX5100/EX4600/EX4300 Series switches with MC-LAG configuration, if ARPs are resolved across VRFs by route leaking, it might cause traffic to be dropped in scaling ARP entries (for example: 3K). PR1241297

  • On QFX5100 Virtual Chassis running 14.1X53-D40 or 14.1X53-D42.3, IGMP general query packets destined to 224.0.0.1 are sent back on the interface on which they were received, breaking unicast connectivity. PR1262723

Junos Fusion Satellite Software

  • The following conditions must be met before a Junos switch can be converted to a satellite device when the action is initiated from the aggregation device:

    1. The Junos switch must be in factory default settings, or it must include 'set chassis auto-satellite-conversion' in its configuration.

    2. The package used to do the conversion must be one of SNOS 3.0, SNOS 1.0R5, SNOS 2.0R2 or higher.

    PR1249877

Layer 2 Features

  • After rebooting or clearing interface statistics, excessive input/output statistics might be observed in "show interface aeX" command on QFX5100/EX4600/EX4300 Series switches. PR1228042

  • On QFX5100, in cases of scale MAC learning (128k), MAC learning is very slow when MAC addresses are being cleared. PR1240114

  • On QFX5100/EX4600 Series switches with VxLAN/EVPN configured in multi-homing mode, the DF (Designated Forwarder) might forward BUM traffic received from the ESI (Ethernet Segment Identifier) peer to the CE-facing interface after a VLAN is deleted and added back. PR1260533

Multiprotocol Label Switching (MPLS)

  • In an MPLS Layer 2 or Layer 3 VPN scenario where QFX5100/EX4600 Series switches work as the PE router and the core interface of the PE uses an IRB interface, when the underlying member interface of the IRB is deactivated, disabled, or deleted, and the (parent) IPv4 next hop is uninstalled before the (child) MPLS next hop is cleaned up, the fxpc process might crash and restart, and an fxpc core file is generated. PR1242203

Network Management and Monitoring

  • On QFabric, once the active LAG goes down on CPE-1 (control plane Ethernet) because of an LACP timeout or some other reason and the physical member interface does not go down, the director group (DG) does not move to the standby links on CPE-2. This causes all system protocols to flap on the FM. PR1253825

Routing Policy and Firewall Filters

  • On QFX Series switches and EX4300 switches, the command that shows a policy with the "load-balance consistent-hash" parameter might cause rpd to crash. PR1200997

Routing Protocols

  • A vulnerability in IPv6 processing has been discovered that may allow a specially crafted IPv6 Neighbor Discovery (ND) packet to be accepted by the router rather than discarded. The crafted packet, destined to the router, will then be processed by the routing engine (RE). A malicious network-based packet flood, sourced from beyond the local broadcast domain, can cause the RE CPU to spike, or cause the DDoS protection ARP protocol group policer to engage. When this happens, the DDoS policer may start dropping legitimate IPv6 neighbors as legitimate ND times out. Refer to JSA10749 for more information. PR1220209

  • On QFX5100/EX4600 Series switches, a firewall filter that contains filter-specific policers might not process packets correctly after a commit when the TCAM entries of the filter are programmed over multiple slices of TCAM memory space. Note: Firewall filter terms are programmed as TCAM entries in the TCAM memory table, so in a scenario with many filter terms (for example, more than 256), this state might be seen easily. PR1232926

  • QFX5100 and EX4600 switches might not send router advertisement (RA) packets to clients when igmp-snooping is configured on a user VLAN, and the end clients connected to the devices can lose IPv6 connectivity. PR1238906

  • On QFX5100 switches, multicast route leaking does not support a Layer 3 interface (IPv4) as an upstream port. As a workaround, use an integrated routing and bridging (IRB) interface. PR1250430

  • In a VCF scenario that includes an EX4300 switch, if fabric-tree-root is configured, then the broadcast, unknown, and multicast (BUM) traffic might not be forwarded. PR1257984

Resolved Issues: Release 14.1X53-D42

General Routing

  • Ports on the uplink module (QFX-EM-4Q) on the QFX5100-24Q model alone do not get converted to VCP ports even after explicitly converting them to VCP. As a workaround, after converting the ports to VC ports, rebooting the QFX5100-24Q completes the VCP conversion successfully. Issue is fixed in JunOS 14.1X53-D42 onwards. The built-in 24 ports on the QFX5100-24Q do not have any such issues. PR1158657

  • In an EX4600 or QFX5100 Virtual Chassis or Virtual Chassis Fabric (VCF), when using scp on the management interfaces to copy files greater than about 150MB, you might see protocol flapping and Routing Engine TCP connections dropping. PR1213286

  • On QFX3500/QFX3600/QFX5100 Virtual Chassis (VC) or Virtual Chassis Fabric (VCF) with "nonstop-routing (NSR)" and "switchover-on-routing-crash" configured, if the rpd on master Routing Engine crashes, the VC or VCF fails to perform switchover to the backup Routing Engine. PR1220811

  • On QFX5100 and EX4600 switches, during a nonstop software upgrade (NSSU), if an aggregated Ethernet (AE) interface is configured with multiple subinterfaces across multiple Flexible PIC Concentrators (FPCs), the AE interface might go down. PR1227522

  • If you are performing a topology-independent in-service software upgrade (TISSU) from one version of Junos OS Release 14.1X53 to another on a QFX5100 switch, and the network analytics feature [edit service analytics] is configured, the upgrade might not succeed. In addition, the fxpc process might stop working, and you might notice that a core file is generated. PR1234945

EVPN

  • When the master RE is rebooted and comes back up in QFX5100-VC with VxLAN UDP port configured, the vtep tunnel is created before it gets the updated udp-port information, and the encapsulated packets might be sent with the incorrect UDP destination port. PR1214750

Infrastructure

  • On QFabric systems, no more PFE IDs can be allocated when the SOURCE_TRUNK_MAP_MODBASE table reaches its limit. PR1236584

  • In a QFabric system, after a Node device is replaced in a Node group, you might observe issues when running the file copy and request routing-engine login other-routing-engine commands between redundant server Node group members. As a restoration-only workaround:

    • If the Node with the bad TNP entry is the backup, reboot the backup Node.

    • If the Node with the bad TNP entry is the master, do a switchover, then reboot the new backup member that has the bad TNP entry.

    PR1236898

Layer 2 Features

  • The fxpc process can generate a core file on QFX5100. PR1231071

Network Management and Monitoring

  • On a QFabric system, sfcsnmpd log messages are populated after upgrading to 14.1X53-D40 and D41. The sfcsnmpd process is supposed to run only on the master DG, so sfcsnmpd is not running on the backup DG, as expected. These log messages appear on the backup DG only, are harmless, and do not impact any functionality. PR1238939

QFabric Systems

  • While installing Junos AIS (JAIS) on a QFabric system, JAIS is not pushed to the Network Node group (NW-NG0) node. JAIS is installed on all other nodes (director, redundant server node group (RSNG), and server node group (SNG)) except the NW-NG group. PR1233166

  • On a QFabric system, if you issue fabric-based multicast show commands from the Network Node Group (NNG) during a route delete (command example: root@NNG> show fabric multicast), the show command dereferences freed memory. This might cause rpdf to crash. PR1242781

Routing Protocols

  • On QFX5100/EX4600 Series switches, if one filter is configured with match of "ipv6 tcp-established", then committing configuration might cause pfe process to crash. PR1234729

  • On a QFX5100 switch, Gratuitous Address Resolution Protocol (GARP) reply packets are not updating the Address Resolution Protocol (ARP) table. GARP request packets, however, are updating the ARP table as expected. PR1246988

Resolved Issues: Release 14.1X53-D40

General Routing

  • If you are using a QFX5100-48T-6Q, "show chassis hardware" displays QFX5100-48C-6Q, as shown below:

    root@QFX5100-48T> show chassis hardware
    Hardware inventory:
    Item             Version  Part number  Serial number     Description
    Chassis                                TR0214999999      QFX5100-48C-6Q

    PR1006271

  • On QFX Series mixed Virtual Chassis Fabric (VCF), software rollback with the force option (request system software rollback force) might not work. PR1028666

  • Certain QFX and EX Series devices do not pad Ethernet packets with zeros, and thus some packets can contain fragments of system memory or data from previous packets. This issue is also known as 'Etherleak' and often detected as CVE-2003-0001. Refer to JSA10773 for more information. PR1063645

  • When this configuration is enabled, the switch drops spanning-tree protocol BPDUs (for STP, MSTP, and RSTP) entering any interface or a specified interface. The BPDU drop feature can be specified only on interfaces on which no spanning-tree protocol is configured. This behavior is the same as on EX platforms. PR1084116

  • QFX5100-48S-6Q or QFX5100-96S-8Q might display incorrectly as "QFX5100-24Q-2P" in the output of "show chassis hardware" after the Flexible PIC Concentrator (FPC) restart or master role switchover. PR1093677

  • If MAC move limit is configured to drop traffic, QFX and EX Series switches might forward traffic instead of dropping traffic when the MAC move limit is exceeded. PR1105372

  • In a Virtual Chassis Fabric (VCF) with three or four spine devices, the spine devices operating in the linecard role cannot assume the Routing Engine role, including in cases where the master or backup Routing Engine fails. PR1115323

  • On a QFabric system, leaving the "set fabric routing-options traceoptions" command enabled on the initial Network Node Group (NNG) master for an extended period might cause the log files (approximately 1GB) to exhaust the /var partition. As a result, an abnormal shutdown of the master Routing Engine (RE) was seen and mastership switched over to the backup RE. In a corner case, the new master experienced a resynchronization failure with the line cards' PFEMAN thread. Under these circumstances, a restart of the Packet Forwarding Engine manager (pafxpc) is expected, which leads to interface flapping. PR1133679

  • On QFX5100 switches, the openflowd process might generate a core file. PR1142563

  • Starting in 14.1X53-D36, a commit check prevents more than one logical interface (IFL) per physical interface (IFD) from being assigned to a single VLAN. PR1144123

  • On EX4300/EX4600/QFX3500/QFX3600/QFX5100 series switches, if you insert bad SFP or SFP+ optic in a port and replace it with a good optic, then the good optic might not come up. PR1144190

  • On EX4600/QFX5100 and QFX10000 series switches, after performing command "show version detail", an error message "Error: abnormal communication termination with app-engine-management-service daemon" might be seen at the end of the output. PR1144234

  • On QFX5100/EX4600 Series switches, the switch might enter an abnormal state if Junos OS tries to write a large file to the virtual disk and reboot at the same time, because the Quick Emulator (QEMU) cache mode is set to "none". The recommended setting is "write through" mode. This is a QEMU issue in which QEMU reports an error when Junos OS tries to perform disk I/O, or blocks disk I/O access from Junos OS. There are two pieces of software in the QFX5100: the hypervisor (host software) and Junos OS (a VM running on top of the hypervisor). All peripherals (for example, disks and network cards) seen by Junos OS are simulated by a piece of software called QEMU. PR1146353

  • After the number of DHCP server IPs in the dhcp-relay configuration is modified (increased or decreased), the messages log file is filled with the following error messages, which eventually causes the DHCP process (jdhcpd) to crash:

    jdhcpd: %USER-3-DH_SVC_SENDMSG_FAILURE: sendmsg() from 10.161.102.1 to port 67 at 0.0.0.0 via interface 615 and routing instance VR08_v881_900_office_system failed: Can't assign requested address

    PR1147831

  • On EX4600/QFX Series switches, in corner cases, the PFE manager (fxpc) might crash when an SFP-T transceiver is removed/inserted too quickly or the interface is deleted. PR1152097

  • On EX4600/QFX Series platforms, including Virtual Chassis and Virtual Chassis Fabric (VCF) configurations, the device automatically restarts (for the UFT configuration to take effect) when the Unified Forwarding Table (UFT) profile is reconfigured or modified. When this happens in a scaled Virtual Chassis or VCF environment, the VC/VCF might become unstable and fail to recover, and the VCF (all member devices) must be rebooted to reestablish stable VC/VCF operation. To avoid this situation, configure the desired UFT profile when initially setting up the standalone device, VC, or VCF, rather than as a configuration update later during operation. After the fix, a standalone device or a Virtual Chassis with a single member works as before. In a VC or VCF with more than one member, the member no longer restarts; instead, it generates a syslog message to notify the user to restart the system manually when the UFT configuration is changed. PR1152102

  • On QFX5100 switches, a child member might drop the incoming Link Aggregation Control Protocol (LACP) frames when this child member is moved from an access-mode VXLAN LAG interface to a trunk-mode VXLAN LAG interface. PR1153042

  • On QFX Series and EX Series switches, if you configure VRRP with an MC-LAG between the master and backup switches, both VRRP members of IRB interfaces might stay in the master state after a software upgrade. PR1157075

  • On a VCF platform, the memory usage limit for the vccpd daemon is 131 Mbytes. Any VCP port flapping causes a small memory leak (256KB~1MB) in the VCF, and if memory usage reaches 131 Mbytes, vccpd crashes with a core dump and then restarts. In the meantime, a member of the VCF disconnects from the VCF, which has a service impact for a while before vccpd comes up again. PR1158798

  • In VC or VCF deployment, if a connection between members is made after all other VCP links have been auto-converted to VCP, the new connection may not successfully convert to VCP. PR1159242

  • On an EX4600 Virtual Chassis or a QFX Series Virtual Chassis or Virtual Chassis Fabric (VCF), if you convert the Virtual Chassis port (VCP) to a network port by issuing the "request virtual-chassis vc-port delete" command, broadcast and multicast traffic might be dropped due to the port remaining programmed as a VCP in the hardware. PR1159461

  • An insufficient authentication vulnerability on platforms where Junos OS instances are run in a virtualized environment may allow unprivileged users on the Junos OS instance to gain access to the host operating environment, and thus escalate privileges. PR1161762

  • On an EX4600/QFX Virtual Chassis in which the members of the LAG are on the same VC member device, multicast packets are dropped (for approximately 120 sec) during a master Routing Engine (RE) role switch reboot. PR1164357

  • On QFX10000/EX4600/EX4300 Series switches, the Digital Optical Monitoring (DOM) update takes more than 25 sec to update when the interface goes down right away, and the issue is not seen on other platforms. PR1165507

  • On a QFX5100 switch with an integrated routing and bridging (IRB) interface configured as a Layer 3 interface and with two hosts (Host A and Host B) connected to the switch, if you deactivate the IP address on Host A and then configure the same IP address on Host B, the outgoing interface of the IP address might not be changed in the ARP table. PR1166400

  • If a QFX5100 Virtual Chassis is created with a QFX5100-48S in the routing-engine role and a QFX5100-48T in the linecard role, ports of the QFX5100-48T might be shown as having media type Fiber. PR1166810

  • On a QFX Virtual Chassis Fabric (VCF), adding more members leads to more physical interfaces and greater use of DEVBUF (device buffer) type memory. When a VCF has more than 24 members, DEVBUF type memory will most likely reach its limit, and syslog messages like the following are seen in the syslog file:

    /kernel: %KERN-5: kmem type devbuf using 331293K, approaching limit 412876K

    PR1167390

  • On QFX5100-48T, when you issue 'show interface <INT> extensive' (or strictly 'show interface <INT> media'), the "Local resolution:" section of the "Autonegotiation information" section continues to show that flow control is enabled for both tx and rx, even though flow control has been explicitly configured as disabled and also shows as disabled in the top portion of the output. PR1168511

  • On QFX Series switches, up to four port-mirroring analyzers can be configured, with a maximum of two of these used for mirroring ingress traffic and a maximum of two for mirroring egress traffic. If a configuration with more than four analyzer sessions per QFX switch/Node is committed, the commit fails and a relevant error message is reported. The code change introduced by this PR generates an error message, which is sent to the user's console when a configuration with more than four analyzer sessions is attempted. This code change does not remove the limitation of four analyzer sessions per QFX switch/Node. PR1168528

  • When LLDP is enabled and the interface description on the remote switch is long (greater than 32 chars), the l2cpd (Layer 2 Control Protocol process) might crash with a core dump during an SNMP MIB walk, because the LLDP code runs within l2cpd. PR1169252

  • On a QFabric system, the syslog message "on /: filesystem full" is observed continually on the Diagnostic Routing Engine (DRE), and clearing the "Linking" file will not cause service impact. The following log messages are observed when this issue occurs:

    DRE-0 /kernel - - - pid 1299 (sh), uid 0 inumber 37 on /: filesystem full
    DRE-0 /kernel - - - pid 1299 (sh), uid 0 inumber 37 on /: filesystem full

    PR1169760

  • On EX4600/QFX5100 switches, when a VLAN is mirrored, the mirrored packets may contain 38 additional bytes. The IP address in this packet is randomly generated and may appear as one of many existing, valid IP addresses on the Internet. The packet may also appear as ERSPAN, which is a proprietary non-Juniper protocol. These addresses and packet types can be ignored. They may trigger alerts in certain IDP/IDS systems and packet analyzer applications; these alerts can be ignored. PR1170589

  • On a QFX5100-48T switch running a release before 14.1X53-D35, a copper interface without explicit auto-negotiation configuration has auto-negotiation (AN) enabled by default. From 14.1X53-D35 onwards, the default behavior changed: a copper interface without explicit auto-negotiation configuration comes up at 100M with AN disabled by default. If the interface connects to a peer interface that has AN enabled, the link may not come up, because AN is disabled on the QFX5100-48T side. From 14.1X53-D37, 14.1X53-D39, and 14.1X53-D40 onwards, the default behavior changed again: AN is enabled for copper ports 0-47 by default. PR1170909

  • On a QFX5100-48S switch, if you insert or remove an SFP-T optic from a port, an fxpc core might occur and traffic forwarding might be interrupted. PR1170941

  • If you enable aggregated Ethernet links by deleting the disable command, LACP core files might be generated. PR1173562

  • On QFX5100 device, packet loss and framing errors might be observed on QSFP+40GE-LX4 transceiver. PR1177499

  • On EX4600, QFX3500, QFX3600, and QFX5100 switches, some SFP-T modules could not be recognized due to low timeout for I2C read/write. PR1180097

  • FCoE sessions/non-FCoE traffic might be affected when links to Interconnect are disconnected caused by Queue corruption PR1182274

  • On QFX5100 Series switches, in VXLAN scenario with scaled AE interfaces or when AE child member is deactivated-activated back, flood next-hop is not getting updated with physical child interface when child list entries are not populated completely for all ae sub-ifls. This might result in traffic drop. PR1182495

  • When the show chassis environment command is executed, the temperature value shows correct readings, but jnxOperatingTemp.7.2.0.0 might show "0". This is a bug. PR1190186

  • On Junos-based platforms configured as a DHCP client, a DHCP offer packet whose giaddress is not zero might be dropped. PR1191452

  • On QFabric System QFX3000-G and QFX3000-M, when the command "show chassis environment pem interconnect-device" is executed, a chassisd core might be generated. Though, this does not create any production impact. PR1193597

  • On a QFX3000-G or QFX3000-M QFabric System, when unknown unicast frames are received at a high rate on a certain Node, the sfid of this Node might become stuck after some time and the Node stops learning MAC addresses. No new MACs are learned after this. This causes unknown unicast traffic flooding, which further results in network connectivity issues and degraded performance of the customer network. PR1200829

  • On QFX5100-96S with 850W AC power supply inserted, in certain environments, because of a software defect, there is a statistical probability of the QFX5100 850W AC power supply shutting itself down. PR1203591

  • After you add or remove a PEM on a QFX5100, "show chassis environment pem" does not show the correct Current(A) and Power(A) usage. PR1204850

  • On QFX5100 switches, 'Rx power low warning set' messages might be logged continuously for channelization ports that are in the DOWN state with snmpwalk running in the background. PR1204988

  • On QFX5100 Series switches, configuring MSTIs out of incremental order might cause the existing MSTI to fail to learn MAC addresses, which affects traffic forwarding. PR1205074

  • On QFX5100 Series switches, flow-modifying operations may cause the openflow process to dump core because of a software issue with the purge timer. PR1206127

  • There are basically three arguments (periodic, diagnostic, and tx) for the lcdd_cmd -f 0 -d chassism -c command. These top-level commands expect different numbers of arguments. If any one of the arguments is missing when the command is executed on a QFX3500 or QFX3600 switch, the chassisd process might crash. PR1206328

  • The QFX5100 returns wrong information for flow registration to the openflow controller even though show openflow ... output from the CLI shows the correct output. PR1206572

  • If a QFX5100 switch or VCF is configured with IGMP snooping but not with any PIM-related configuration, a mcsnoopd memory leak might occur when the device receives PIM Hello packets that need to be forwarded further. When PIM hellos are arriving on the device, 12 bytes are allocated for every PIM hello packet, increasing the amount of memory consumed by the mcsnoopd process. As a workaround, either restart the mcsnoopd process or apply a firewall filter that discards PIM packets on the loopback (lo0) interface of the device in the input direction. PR1209773

  • In a Layer 3 VPN, if IRB is used between the penultimate hop and the PE node, if checking VRF connectivity using PE to PE ping, then pinging to the PE loopback address or interface IP address from the remote PE does not work. PR1211462

  • On a QFX5100 with a JPSU-850W-AC-AFO power supply inserted, in rare conditions, when closely spaced I2C commands are executed by the software within 100us, the JPSU-850W-AC-AFO may be reset. If the QFX5100 has a single power supply inserted, the box reboots. With this fix, a 100-microsecond delay is added between I2C commands to prevent the JPSU-850W-AC-AFO reset and the unexpected QFX5100 reboot. PR1211736

  • In an EX4600 or QFX5100 Virtual Chassis or Virtual Chassis Fabric (VCF), when using scp on the management interfaces to copy files greater than about 150MB, you might see protocol flapping and Routing Engine TCP connections dropping. PR1213286

Class of Service (CoS)

  • On QFX Series switches, cosd might crash and generate a core file when a DSCP classifier with both multicast forwarding classes (Queue 8-11) and unicast forwarding classes (Queue 0-7) is applied on a Layer 3 interface. PR1137104

  • On QFX5100 and EX4600 switches, ICMP, SSH, and ARP traffic generated by the switch might be forwarded to queue 7 (network-control); the default behavior is that the traffic would be forwarded to queue 0 (best-effort). PR1178188

  • On QFX5100 Series switches, if a shaper is configured with the shaping value expressed as a percentage of interface speed, and the interface speed is then changed through the CLI, the shaping value is not updated for the new interface speed, and an interface flap might occur. PR1184505

  • In an ETS configuration, if transmit-rate is configured at the queue level, the guaranteed rate should be configured at the TCP level. If it is not, the commit does not fail, but a syslog message is logged to report the configuration failure, and the configuration is not pushed to the kernel/PFE. In the case of a VC, when a member joins, the configuration is sent to the members because the configuration check has already been done on the master. Because the configured guaranteed rate is 0, the logic to calculate the transmit-rate fails. PR1195498

EVPN

  • CLI support to allow user configuration of the (EBGP) AS number for the per-VNI auto-derived route target. PR1108613

  • On a QFX5100-96S in standalone/VC/VCF mode, the packet forwarding engine manager daemon (fxpc) process might crash continuously when the SFP/SFP+ transceiver is removed and then inserted in the specific 10-Gigabit Ethernet (xe) interface (xe-*/0/95) that has the extended-vlan-bridge/flexible-vlan-tagging configuration. PR1159156

  • On QFX5100 switches, if a trunk interface is a VXLAN port, tagged frames matching the native VLAN ID might be sent out with the native VLAN tagged. PR1164850

  • On a QFX5100 running the VXLAN Open vSwitch Database (OVSDB) feature, the packet forwarding engine manager (fxpc) might crash and generate a core file because of kernel heap memory exhaustion. This issue is specific to OVSDB and does not affect multicast VXLAN. PR1187299

  • On QFX5100, deleting a VXLAN causes traffic disruption in all other VXLANs. Rolling back the VXLAN deletion alone does not resolve the issue; a rollback followed by an l2-learning restart is needed to recover. The issue is fixed in Junos OS 14.1X53-D40 onwards. PR1215883

High Availability (HA) and Resiliency

  • After graceful switchover is triggered on the master VRRP router for the first time, the master state for all the VRRP instances toggles to backup and returns to master immediately. During this time, all traffic is dropped and then resumes. PR1142227

  • On QFX5100/EX4600 Series switches with MC-LAG configured, the MC-LAG local state is not updated after an in-service software upgrade (ISSU), which causes forwarded traffic to be dropped. This issue is not seen with a PFE restart or system boot. PR1151658

Infrastructure

  • On EX4300 Virtual Chassis, when upgrading from Junos OS Release 15.x to Release 16.x via NSSU, the backup or any linecard upgrades first to a new image, and then the old master might have an upgrade failure, and keep rebooting. PR1190164

Interfaces and Chassis

  • With multi-chassis lag configuration, the switch-options service-id configuration is required. If service-id configuration is missing, there should be a commit error. This commit error is missing. PR989778

  • Fixed in 14.1X53-D40 PR996005

  • You might be unable to commit your configuration if you modify the subnet of an IP address on an IRB interface by using the "replace pattern" command. PR1119713

  • On a QFabric system, traffic might drop if there is a mismatch in the ordering of the fabric (fte) interface numbers between the Network Node Group (NNG) and the Interconnect (IC) device or if there is a new node addition or an interface ID change caused by any configuration change on the fte interface. As a workaround, correct the ordering of the FTE links between the node and the IC (lower to higher on the node and corresponding lower to higher on the IC). PR1188574

Layer 2 Features

  • On QFX Series switches, when a packet that is larger than the configured MTU and cannot be fragmented is transmitted on the IRB interface, the ICMP error packet of type 3, code 4 is not generated. The large packets are silently dropped. PR1089445

  • The Packet Forwarding Engine manager daemon (FXPC) might crash on a QFX5100 switch if multiple processes attempt to access the Ethernet-switching table/database at the same time. PR1146937

  • On an EX4300 switch in a VCF, if a Layer 3 AE interface is looped back with a Layer 2 port in the same VLAN, then traffic with the same destination MAC to the AE interface is dropped (for example, the ping address of the AE interface). PR1157283

  • On EX4600/QFX5100/NFX250 Series switches with LFM (link-fault-management) and an action-profile with the action link-down configured on an interface, the first time the interface goes down and comes up, LFM discovery succeeds and the interface is able to come up. The second time the interface goes down and comes up, LFM discovery fails and the interface never recovers from the Link-Down state. PR1158110

  • On a QFX5100 switch, if you delete a VLAN and create a new VLAN with a different VLAN ID but use the same VNI, and you commit those changes within a single commit, a MAC learning failure might occur on the newly created VLAN. These system logging messages might be displayed:

    fpc0 BRCM-VIRTUAL,brcm_vxlan_hw_add(),263:Failed to Program vxlan bd(22) token(0xf) status(-8)
    fpc0 BRCM-VIRTUAL,brcm_virtual_bd_add(),626:Cannot create Virtual-BD for bd(22)
    fpc0 BRCM-VIRTUAL,brcm_virtual_port_add(),101:Port(ge-0/1/2) add came before bd(22) add
    fpc0 LBCM-L2,pfe_bcm_l2_addr_delete_by_vlan(),52:delete L2 entries associated with bd 21(65535) failed(-4)

    PR1161574

  • On QFX5100/QFX3500, buffer is corrupted on port 0 (*/*/0) and error message MACDRAINTIMEOUT and dcbcm_check_stuck_buffers are observed, which could eventually lead to port 0 (*/*/0) flapping. PR1162947

  • On QFX5100 switches with a CoS classifier configured on an AE interface, if you add or delete a subinterface, traffic loss of approximately 10 packets might occur while you are committing the changes. PR1162963

  • On QFX5100 switch, syslog may contain repeated messages like so: fpc12 Unit: 0 port 47 start error detected. PR1164096

  • Repeated "nh_unilist_update_weight:" error messages appear when CCC L2VPN is configured. These messages are harmless. PR1167846

  • On the QFX5100/EX4600 platform, when a private VLAN is trunked and that interface is disconnected (cable removal or system reboot), a section of code causes an issue in how the switch handles VLANs. This issue might cause all VLANs to be dropped. The issue is also present when a PVLAN is added to a working trunk. PR1169601

  • On EX4600 and QFX5100 Series switches configured with "tag-protocol-id" and "flexible-vlan-tagging", if the switch receives traffic whose outer tag protocol ID is not 0x8100 (for example, 0x88a8, 0x9100, or 0x9200, which are usually used by double-tagged traffic) on a trunk interface, the switch always uses 0x8100 as the outer tag protocol ID when it sends out the traffic. PR1170939

  • On EX4600/QFX Series switches, after you add and delete the fifth logical interface, the first four AE subinterfaces might go down and lose connectivity. PR1171488

  • On QFX5100 and EX4600 switches, every time a MAC address is learned, some messages might be output to syslog and be repeated frequently. The logged messages have no impact on service traffic. PR1171523

  • On QFX and EX4600 platforms, when MSTP/RSTP/VSTP is configured to prevent Layer 2 network loops, xSTP convergence might fail on an interface that is configured with flexible-vlan-tagging and encapsulation extended-vlan-bridge. PR1179167

  • PFE stats counters should always be incremental. In some cases, a user can observe stats values that are lower than the values previously given, which triggers the following log errors: "pfed: downward spike received from pfe for ipackets_reply" or "pfed: downward spike received from pfe for opackets_reply". The fix for this issue gives these logs "info" severity. PR1183184

  • An IPv6 link-local filter entry that matches on a unicast link-local address is not hit on channelized interfaces other than the Lane 0 port. PR1193313

  • MAC move limit configuration is not supported in 16.1 for QFX-5100 PR1194699

Multiprotocol Label Switching (MPLS)

  • In an MPLS scenario, on EX4600/QFX Series switches with an AE interface configured, after you change the IGP metric and disable the AE interface, an fxpc crash might be observed when the child next hop of a UNILIST points to NULL. PR1168150

  • Ping over LSP shows different behavior in regards to HLIM. PR1179518

  • In two-label PUSH cases, both labels consume entries in the same label table. This might result in instability of MPLS tunnels and packet drops when routes are added or deleted. The correct behavior is for the tunnel label to go in one table and the VRF label to go in another table. PR1185550

  • On QFX5100 switches or a QFX3500 or QFX3600 Virtual Chassis, IP packet frames of 1500 bytes might drop when family mpls is configured on a logical interface. PR1199919

  • On EX4600/QFX3500/QFX3600/QFX5100 Series switches, traffic received from the MPLS core at the PHP node might not get forwarded to the egress ECMP IPv4 next hop. PR1212519

Network Management and Monitoring

  • On a QFX3000-G or QFX3000-M QFabric System, in rare cases, the MySQL DB might be locked, with the result that MySQL and the sfcsnmpd service do not run on Director and any request directed to them does not get a response. SNMP traps and MIB walks might not work as expected. In this problematic situation, the QFabric stops sending SNMP traps to a network management system (NMS), and the NMS cannot get SNMP information from the QFabric. As a restoration workaround, restart the sfcsnmpd process from the Director. PR1165565

  • On QFabric system, SNMP does not work due to dead-lock on sfcsnmpd threads in a rare condition. PR1192627

Platform and Infrastructure

  • In the customer setup, the ingress node is an RSNG and the egress node is an NNG; because the NNG has all VLAN information, this fix works. If the ingress node is an NNG and the egress node is an RSNG, this fix might not work, because the egress RSNG might not have the incoming VLAN information. This fix works only if the incoming VLAN information is available on the egress node. By design, VLAN information is selectively downloaded to server Node groups according to the configuration, so this fix might not work in cases where the incoming VLAN is not available on the egress node. PR1103274

  • On a QFX5100 with the VXLAN feature, all encapsulated traffic is dropped when the remote VTEP points to a failure next hop in the PFE. You may then see the following syslog message:

    BRCM-VIRTUAL,brcm_virtual_venh_install(),1479:VENH installation failed .. nh-id(14987)

    PR1136540

  • On QFX Series switches, if a VLAN tag (for example, VLAN 10) is assigned to VLAN hardware token 4, and VLAN 10 carries routing protocol traffic (for example, OSPF/ISIS/BGP), that traffic is put into the wrong queue (Queue 22), which has a rate limit (100pps). This might cause protocol flaps. PR1146722

  • On QFX5100 switches in a Virtual Chassis Fabric (VCF), the "clear arp" command does not clear ARP entries for interfaces defined in a routing instance. To work around this issue, you can explicitly specify the interface name for which to clear ARP entries, as follows: clear arp interface <interface name>. ARP entries are properly cleared when using this form of the command. PR1159447

  • If DHCP packets with MPLS tags are sent to the CPU on a QFX5100 node acting as a PHP node, the logical interfaces index on the packet notification might not be set correctly, and the DHCP packets might be dropped. PR1164675

  • When the system log severity level 7 debug level is set, this debug message is printed on a per-packet basis: /kernel: setsocketopts: setting SO_RTBL_INDEX to 1. PR1187508

QFabric Systems

  • On QFabric systems, if one power supply unit is removed and inserted back to DG (director group), the alarm message is not very clear. PR1165890

  • On a QFabric system, system logging (syslog) messages from all components are stored in the MySQL database on the Director. When syslog messages are generated at a high rate, a continuous deadlock might occur from the MySQL server side. Eventually, all incoming syslog insert transactions are kept waiting in the database queue to acquire a lock and expire after 50 seconds, so the syslog messages are not inserted in the database. New syslog messages might not be displayed when you issue the "show log messages" command on the Director. After some time has passed, when the lock is released, the new logs might be seen, even logs that were missing. As a restoration workaround, restart the mysql service on the master DG and wait 15 minutes. Then restart the sfc service on both DGs. PR1174011

Routing Protocols

  • On QFX Series switches, when a neighbor device sends a flood of Link Layer Discovery Protocol (LLDP) traffic bigger than 1,000 pps to the QFX, Link Aggregation Control Protocol (LACP) flaps might be seen on unrelated interfaces. PR1058565

  • On QFX5100 and EX4600 switches, if you use the Network Configuration Protocol (NETCONF) to add or delete firewall filters on an integrated bridging and routing (IRB) interface, the Packet Forwarding Engine Manager (fxpc) might generate a core file. PR1155692

  • An fxpc crash might occur while an ECMP route is being deleted from the LPM table. This might happen because of a large-scale route change operation. The SDK vendor provided a fix as a resolution. PR1158517

  • The loopback filter does not work because of a higher-priority system dynamic filter. The implicitly installed DHCPv6/v4_l3_tag filter conflicts with the configured loopback filter. PR1159024

  • On QFX5100 and EX4600 switches, when a limit traffic filter is configured with TTL=1 packets accepted on the loopback interface, the host-bound unicast packets with TTL=1 (for example, OSPF packets) might be dropped. PR1161936

  • On a QFX3500 switch, if you configure one interface with PIM and the interface sends hello packets, and then you change its PIM hello-interval from non-zero to 0, the interface sends hello packets continuously. PR1166236

  • On EX4600/QFX Series switches with a logical interface, if family mpls is configured first and other families such as inet or inet6 are then configured on the same logical interface, the configuration for the other families might not be programmed correctly in the PFE, which can result in traffic not being forwarded on the newly configured families. PR1166595

  • On QFX5100 switches, if you apply a firewall filter on the loopback interface with the match condition for packets with TTL 0/1 and with "policer" set as the action, the term does not catch the packets. PR1166936

  • All traffic destined for a leaked route is forwarded to the CPU, although the traffic is expected to be treated as transit. A ping between the default routing instance and a routing instance that leaks routes through the rib-group takes around 40-90 ms.

      juniper@abc:~$ ping 10.1.1.1
      PING 10.1.1.1 (10.1.1.1) 56(84) bytes of data.
      64 bytes from 10.1.1.1: icmp_seq=1 ttl=62 time=17.9 ms
      64 bytes from 10.1.1.1: icmp_seq=2 ttl=62 time=42.3 ms
      64 bytes from 10.1.1.1: icmp_seq=3 ttl=62 time=15.3 ms
      64 bytes from 10.1.1.1: icmp_seq=4 ttl=62 time=18.0 ms
      64 bytes from 10.1.1.1: icmp_seq=5 ttl=62 time=21.1 ms

    PR1167156

  • On QFX3500 or QFX5100 switches, when parity errors occur on interfaces, they might affect the memory management unit (MMU) memories. MMU counters can be corrupted, the interface buffers might be stuck, and there might be interface flaps and traffic loss on the affected ports. As a workaround (restoration only), reboot the system. PR1169700

  • On EX4600/QFX5100 Series switches in a Virtual Chassis, this issue occurs if you configure primary and secondary RTG (redundant-trunk-group) links on fpc0/master and fpc1/backup, respectively, and then perform an NSSU. During the NSSU, when the original master (fpc0) goes down, the secondary RTG links on the original backup (fpc1) become active and forward traffic for roughly 17 seconds, and thereafter stop forwarding any traffic. Traffic starts flowing again once the primary RTG links take over control. PR1170258

  • On QFX5100/EX4600 switches with filter-based GRE (a filter with the decapsulate gre action), the following limitations currently apply. First, only one prefix is supported per filter; if the prefix is a destination address, it should be a /32 prefix. Second, the filter supports only one term. Last, a filter change might not take effect (the workaround is to unbind and bind the filter). With the fix, each term that has a decapsulate gre action in a filter can have multiple destination prefixes (a maximum of 100 per term) with prefix length 32 and one source prefix (any prefix length or wildcard), and filter changes take effect as expected. PR1171053

  • On EX4600/QFX5100 switches, in rare cases, route insert failure in _soc_alpm_128_write_pivot function will lead to a loop in the code resulting in a watchdog timeout. This will result in the FPC crash and restart with a core dump. PR1173980

  • On EX4600 and QFX5100 series switches, there are several profiles that allocate memory differently for MAC addresses and host addresses. These profiles can be configured as "l2-profile-one, l2-profile-two, l2-profile-three, l3-profile, lpm-profile". If multicast and unicast host entries reach the maximum number of the L3 host table in related profile, then multicast traffic will be dropped. PR1177430

  • A static route cannot be configured with the 'resolve' and 'retain' flags together, and a commit check enforces this. However, if one of the flags is configured through 'set routing-options static defaults' and the other flag is configured on the static route itself, the commit is accepted, and this causes an rpd crash. PR1178418

  • In some scenarios, after ECMP route flapping on QFX switches, traffic is blackholed. RIB programming is fine:

      root@qfx> show route 172.16.2.1
      inet.0: 843 destinations, 2707 routes (843 active, 0 holddown, 0 hidden)
      + = Active Route, - = Last Active, * = Both
      172.16.2.0/25 *[BGP/170] 6d 12:24:13, MED 106, localpref 100, from 10.1.32.2
                       AS path: ?, validation-state: unverified
                       to 172.16.5.101 via ae2.0
                     > to 172.16.6.101 via ae4.0
                     [BGP/170] 6d 12:20:20, MED 106, localpref 100, from 10.1.32.4
                       AS path: ?, validation-state: unverified
                     > to 172.16.6.101 via ae4.0
                     [BGP/170] 6d 12:20:24, MED 111, localpref 100, from 10.1.32.1
                       AS path: ?, validation-state: unverified
                     > to 172.16.5.21 via ae1.0
                     [BGP/170] 6d 12:24:09, MED 111, localpref 100, from 10.1.32.3
                       AS path: ?, validation-state: unverified
                     > to 172.16.6.21 via ae3.0

    FIB programming is fine:

      root@qfx> show route forwarding-table destination 172.18.2.0/25
      Routing table: default.inet
      Internet:
      Destination        Type RtRef Next hop           Type Index    NhRef Netif
      172.16.2.0/25      user     0                    ulst   131157     4
                                                       indr   131098    19
                                    172.16.5.101       ucst     2349     9 ae2.0
                                                       indr   131154    16
                                    172.16.6.101       ucst     2397     9 ae4.0

    However, the kernel next hops point to a discard next hop in the Broadcom SDK, so traffic to the destination is blackholed. PR1179610

  • On a QFX/EX4600 Virtual Chassis, the "local-bias" knob causes traffic loss on a direct link when an interface is changed from Layer 3 to AE and then back to Layer 3, because the AE programming still resides in the Packet Forwarding Engine (PFE) and hardware. PR1179960

  • The QFX5100 treats transit IPv6 Neighbor Discovery traffic as exception traffic (it forwards a copy to the RE), allowing for a collateral partial local DoS attack. Refer to JSA10749 for more information. PR1183115

  • In an MC-LAG scenario with an igmp-snooping configuration, when one link of the MC-LAG is disabled, IGMP report packets cannot be transferred correctly. The failing IGMP reports might impact multiple traffic streams. PR1183532

  • On EX4600/QFX Series switches, after native-vlan-id is configured and rolled back on a vlan-tagged sub-interface, ARP might not be resolved and traffic forwarding can be affected. PR1184985

  • In a QFX5100 Virtual Chassis, if the master is halted or rebooted with some limited MAC persistence timer set, then in a specific sequence the IRB/Inet MAC does not get programmed correctly in the BCM. PR1188092

  • On QFX5100 switches with MPLS and LDP enabled, for packets with incoming labels that must perform a PHP (penultimate hop popping) operation on the QFX5100 switch, occasionally the packets are not processed and are dropped. PR1190437

  • On QFX3500/QFX3600/QFX5100/EX4600 Series switches, if a routing loop is created, the TTL of the packet is not reduced to 0, so the packet is never dropped. PR1196354

  • On QFX3500/QFX3600/QFX5100/EX4600 Series switches, if you disable an IRB interface, reboot the switch, and then enable the IRB interface after the reboot, the IRB interface might not be reachable. PR1196380

  • On QFX5100 switches, the DSCP action modifier of a family inet firewall filter does not properly modify or mark the DSCP bits on packets matching the firewall filter. PR1205072

  • On a QFX5100 switch with VRF enabled, route leaking from the default routing table (inet.0 or inet6.0) to VRF might not work as expected. PR1210620

  • On QFX5100 switches, port-range-optimize (both source and destination) might fail to be programmed into the hardware for an inet output filter. PR1211576

  • On QFX5100 and EX4600 switches, in rare cases, the FXPC process might crash and restart with a core file generated upon LPM route install failure. After the switch restarts, services are restored. PR1212685

  • On QFX5100 Series switches with Protocol Independent Multicast (PIM) configured, the system can go into swap because of a low-memory condition, and an fxpc core dump might occur because of this out-of-memory condition. PR1217343

  • A filter attached to the lo0 interface with terms containing either destination-port-range-optimize or source-port-range-optimize statements will unexpectedly discard traffic. PR1228335

Storage and Fibre Channel

  • A FLOGI arrives from the ENODE over a VF port on the GW, and the proxy tries to find an N port for sending the FLOGI to the FC switch. Because of some churn in the system, the N port through which the WWNN is reachable has gone down or is unavailable. This leads to the crash, most likely in a race condition. PR1152334

User Interface and Configuration

  • When a VRRP group is created on a QFabric system, in race conditions, vrrpd does not find the VRRP group in its database and does not transition to the master state if the VRRP route notification reaches vrrpd before the VRRP configuration is pushed to the Server Node Group (SNG). PR1197443

Virtual Chassis

  • The SDK can raise false alarms for parity error messages such as "soc_mem_array_sbusdma_read" and "soc_ser_correction: mem write" on QFX5100 switches. PR1161821

Resolved Issues: Release 14.1X53-D35

General Routing

  • The mgd-bsd and java high CPU issue is fixed in Releases 14.1X53-D17.4 and 14.1X53-D35. PR941833

  • Setting link speed to 100 Mbps does not work in the following situations:
      - When network interfaces are used on an EX4600 switch
      - When an EX4600-EM-8F expansion module is installed in a QFX5100-24Q switch or an EX4600 switch
    PR1032257

  • On QFX series switches, the wrong source IP address is being used when the switch initiates traffic when em0 is configured with a 192.168.1.XXX/16 subnet. PR1071517

  • On QFX3500 switches, if you remove 1-Gigabit Ethernet SFP transceivers from ports 0-5/42-47 and then insert 10-Gigabit Ethernet SFP+ transceivers in the same port, the 10GE SFP+ transceivers might not be detected. PR1085634

  • On EX9200/EX4300/EX4600/QFX Series switches, removing or inserting a QSFP might cause the pfe process to crash. PR1098385

  • On a QFX3500 switch with nonstop active routing (NSR) enabled, deleting a routing-instance or logical-system configuration might cause a soft assert of the rpd process. If NSR is not enabled, after you delete a routing-instance or logical-system configuration, executing "restart routing" might trigger this issue, too. This issue has no functional impact. PR1102767

  • On a QFX5100 VCF in autoprovisioned mode, when you add a new leaf device to the VCF, you should zeroize and reboot the device by using "request system zeroize" if any configuration has been applied to the new leaf device. However, the issue (interface still up) might be observed at the time of the reboot until the PFE reinitializes the interfaces. PR1106194

  • On an EX Series or QFX Series switch configured as a DHCP client, the length of the DHCP Vendor ID is always 60 in DHCP discover packets when the vendor class ID is configured, although the actual vendor-id name is less than 60. As per RFC 2132, the code for this option ("Vendor class identifier") is 60, and its minimum length is 1. PR1123111

  • The fix for this PR is in the host OS. The host OS is not upgraded if the upgrade is done using ISSU. If customers upgrade to D35 using ISSU and need the fix for this issue, they must copy two scripts to the host OS. The two scripts are attached to this PR. Customers must download these scripts and copy them to the host OS under the paths /vmm/bin/qfx_setup_disk and /vmm/bin/qfx_mount_disk. An alternative way to get the fix is to upgrade to an image that has the fix by using the "request system software add <path to image> force-host" command. The 'force-host' option is mandatory to ensure that the host OS is upgraded. PR1127517

  • On QFX/EX4600 Series switches, in rare conditions, the trunk interface might not be created because a data structure becomes out of sync between the Packet Forwarding Engine (PFE) and the control plane. PR1128316

  • On QFX5100 Series switches that have an Open vSwitch Database (OVSDB) management protocol configuration and act as virtual tunnel endpoints (VTEPs), traffic forwarded from an ingress AE interface to an egress tagged port might not have the 802.1Q VLAN tag attached if both ports are located on the same device. PR1128507

  • On a QFX5100-48T switch, when a 10G port is used to interconnect the QFX5100-48T and an Intel X540 10G Ethernet NIC (network interface card), the link speed might be listed as 1-Gigabit Ethernet if the 10G port on the QFX5100-48T experiences a local fault. PR1131392

  • On Juniper Networks devices that support OpenFlow, the openflowd process might crash after you issue the show openflow statistics tables command. PR1131697

  • On QFX5100 switches with the minimum-interval for a Bidirectional Forwarding Detection (BFD) session configured to less than 1 second, the pre-ISSU check might succeed and the ISSU might proceed, which causes the BFD session to flap. The expected behavior is that the pre-ISSU check for the BFD session fails and the ISSU is aborted. PR1132797

  • On QFX5100 Series switches, when the Virtual Router Redundancy Protocol (VRRP) is configured on an IRB interface associated with a private VLAN (PVLAN), traffic from the hosts on secondary VLANs (isolated VLAN or community VLAN) destined to the VRRP MAC address might be dropped. PR1135756

  • On QFX5100 Series switches, after you disable an interface and hot-swap a 1G copper transceiver, a link flap or link-up might be seen on the SFP-T port even though the interface is explicitly configured as disabled. PR1137204

  • On a QFabric system, the interface might not convert to 40-Gigabit Ethernet (xle) port after configuring a block of ports to operate as 40-Gigabit Ethernet (xle) ports in a QFX3600 node device. PR1138444

  • In an EVPN/VXLAN dual-homed scenario with a QFX5100 as a leaf, after the failure of a leaf that has a switch or LAG interface with hold-time enabled, some VLANs might not reconverge and traffic forwarding does not work as expected. PR1140403

  • On QFX5100 switches, the openflowd process might generate a core file. PR1142563

  • On QFX Series switches with Data Center Bridging and Exchange Capability (DCBX) enabled, when you are configuring a guaranteed minimum rate of transmission for a CoS traffic control profile, the Layer 2 Control Protocol daemon (l2cpd) might crash during the initial LACP setup. PR1143216

  • On EX4600/QFX5100 switches, after you issue the "show version detail" command, the error message "Error: abnormal communication termination with app-engine-management-service daemon" might be seen at the end of the output. PR1144234

  • On QFX5100 and EX4600 switches, the Gigabit Ethernet (ge) interface might stop forwarding traffic when you hot-swap a transceiver from SFP-SX to SFP-T. PR1144485

  • On EX4300 and QFX Series switches with PVLAN configured, if secondary VLANs (isolated VLANs or community VLANs) are configured with vlan-name, after binding or unbinding the isolated or community VLANs in the primary VLAN, packet loss might occur between existing VLANs. PR1144667

  • On QFX5100 switches, if you delete an auto-negotiate configuration on a 10-gigabit interface (xe), the interface goes down as expected because the auto-negotiate setting is not matching with that on the peer interface. However, the interface might come up after the reboot even though auto-negotiate is still disabled. For release versions D37 and above, this situation will not be observed anymore. Also, to disable AN on Nirvana xe port, the speed of the interface must be set to 100M explicitly. PR1144718

  • After the number of DHCP server IPs in the dhcp-relay configuration is modified (increased or decreased), the messages log file fills with the following error message, and the DHCP process (jdhcpd) eventually crashes:

      jdhcpd: %USER-3-DH_SVC_SENDMSG_FAILURE: sendmsg() from 10.161.102.1 to port 67 at 0.0.0.0 via interface 615 and routing instance VR08_v881_900_office_system failed: Can't assign requested address

    PR1147831

  • On a QFX5100 Virtual Chassis, if you configure an aggregated Ethernet interface as an OVSDB interface with multiple subinterfaces that are configured under different VXLAN domains, removal of the last but one AE subinterface might reset VXLAN settings on the physical port that are part of the AE interface, resulting in packet drops. PR1150467

  • On EX4600/QFX Series switches, in corner cases, the PFE manager (fxpc) might crash when an SFP-T transceiver is removed/inserted too quickly or the interface is deleted. PR1152097

  • On EX4300/EX4600/QFX5100 Series switches, when an STP configuration is initially applied to an interface and the interface is down at that moment, executing "show/clear spanning-tree statistic interface" might cause the Layer 2 control protocol process (l2cpd) to crash. PR1152396

  • On QFX5100 switches, a child member might drop the incoming Link Aggregation Control Protocol (LACP) frames when this child member is moved from an access-mode VXLAN LAG interface to a trunk-mode VXLAN LAG interface. PR1153042

  • On a QFabric system with the QFX3500/QFX3600 as a node device or the QFX3600-IC as an interconnect device, executing the "show snmp mib walk jnxMibs" command causes the chassis daemon (chassisd) process to crash. PR1157857

Class of Service (CoS)

  • On a QFX5100-VC platform, when a gr interface is configured and then deleted or deactivated, unicast traffic might not be forwarded correctly on the underlying L3 interface. PR1154812

EVPN

  • On QFX5100 Series switches using EVPN with VXLAN, the Ethernet Segment Identifier (ESI) value of the most significant octet (type byte) must be 00 when manually configuring an ESI even though the switch accepts other configuration values. PR1085837

  • Storm control: The SC profile still shows up on the PFE after it is removed from the configuration. PR1099377

  • On QFX5100 Series switches with virtual extensible local area network (VXLAN) configured, the SIP/DIP (source IP/destination IP) might be 0.0.0.0 in VXLAN traffic after the device reboots, because the VTEP gateway daemon (vgd) sometimes pushes remote MACs to the Layer 2 learning daemon (l2ald) before the source VTEP logical interface (IFL) is created. PR1109838

  • On a QFX Series switch or Virtual Chassis which is performing a nonstop software upgrade (NSSU) and that has aggregated Ethernet link bundles with member links on multiple switches or line cards, traffic traversing the aggregated ethernet interface might be lost when the backup Routing Engine (RE) reboots as part of the NSSU. PR1126855

  • On an aggregated ethernet OVSDB interface with member links connecting to multiple member switches on a QFX5100 Virtual Chassis, a reboot of one member switch might impact VXLAN traffic encapsulation traversing the member links on other FPCs. PR1126915

  • On a QFX5100-96S switch in standalone/VC/VCF mode, the Packet Forwarding Engine manager daemon (fxpc) process might crash continuously when the SFP/SFP+ transceiver is removed and then inserted in the specific 10-Gigabit Ethernet (xe) interface (xe-*/0/95) that has an extended-vlan-bridge/flexible-vlan-tagging configuration. PR1159156

High Availability (HA) and Resiliency

  • On EX4300/EX4600 Series switches and a Virtual Chassis Fabric (VCF), an in-service software upgrade (ISSU) from a release between 14.1X53-D30 and 14.1X53-D34 to 14.1X53-D35 might show traffic loss on ECMP links. PR1129004

Interfaces and Chassis

  • On a QFabric system with IGMP snooping enabled, sockaddr memory is allocated for every IGMP join/leave, but the memory is not freed accordingly. This might cause a memory leak of 32 bytes and 48 bytes in the fabric control protocol (rpdf) process on the Network Node group. When rpdf reaches its maximum memory limit, the rpdf process crashes. PR1121875

  • On a QFabric system without any configuration related to dot1x, a memory leak might occur in the dot1x daemon (dot1xd). The cause is that dot1x runs on the Redundant Server Node Group (RSNG) node even though it is not supported on QFabric. PR1131121

  • On QFX5100 switches, if an mc-ae member link is deleted and then re-added on an MC-LAG node, there could be a traffic loss of about 2 seconds. PR1146206

Layer 2 Features

  • On QFX5100 switches, if you configure a PVLAN inter-switch-link on an existing working trunk port, normal VLAN traffic might break. PR1118728

  • On EX4300, EX4600, and QFX Series switches, traffic received on the backup redundant trunk group (RTG) link might get forwarded to other interfaces following an RTG link failover. PR1119654

  • If you reboot one FPC in a two-member Virtual Chassis, the traffic might not exit from the FPC after the FPC comes back online and rejoins the Virtual Chassis, and local registers might be incorrectly cleared, if the port number is the same on both the master and backup. PR1124162

  • On QFX3500/5100 Series switches, while committing et interface inet plus mpls config with no-redirects knob having MTU setting, the protocol ARP might not be configured for the IFL in PFE. PR1138310

  • On QFX VC/VCF, when firewall filter with "vlan" action is applied to the ingress interface of one member, traffic may not pass the inter-member to egress interface of another member. PR1138714

  • On QFX5100 and EX4600 switches, after you delete one logical interface from one VLAN that is configured with multiple logical interfaces, the MAC address for other logical interfaces might not be learned again. PR1149396

  • On an EX4300 switch in a VCF, if a Layer 3 AE interface is looped back with a Layer 2 port in the same VLAN, then traffic with the same destination MAC to the AE interface is dropped (for example, the ping address of the AE interface). PR1157283

Multiprotocol Label Switching (MPLS)

  • On QFX/EX4600 Series switches, when an IPv6 packet is received whose destination IPv6 address does not have an entry in the IPv6 neighbor table, the switch fails to send out an IPv6 neighbor discovery packet, and traffic to these IPv6 hosts might be dropped. PR1134599

  • On QFX5100 switches, a ping from the CE to the PE (LHR) lo0 interface does not go through with explicit-null (RSVP). PR1145437

  • On QFX Series switches, when action "load-balance" and match condition "rib mpls.0" are configured on two different terms of a policy, the commit operation might fail and produce an error message. PR1147463

Network Management and Monitoring

  • On Junos platforms that use private and internal interfaces, whenever software is upgraded from any release prior to 12.3 to any newer release, the kernel holds the older index value while mib2d comes up with the newer index value, and mib2d might crash and generate a core file. There is no service impact. PR1109009

  • On a QFabric system (QFX3000-G/QFX3000-M), when there are large files in the event capture directory /var/opt/dgscan/nodes/node/, the dgsnmp daemon might run at high CPU utilization. At such times, SNMP polling does not work, and sfcsnmpd and dgsnmpd do not log any messages. As a workaround, move or delete large files (larger than 50 MB) from /var/opt/dgscan/nodes/node/ to /var/tmp/. PR1139852

Platform and Infrastructure

  • "show chassis forwarding-options" CLI output for 'l2-profile-three -> num-65-127-prefix' is incorrect (NONE) even if it is configured correctly. Configuration is applied as 'set chassis forwarding-options l2-profile-three num-65-127-prefix 3' but CLI command '> show chassis forwarding-options' still shows the output as 'NONE' for 'num-65-127-prefix' PR1069535

  • On QFX5100 switches, adding or removing virtual routing and forwarding (VRF) instances that have many logical interfaces in the link aggregation group (LAG) might cause Link Aggregate Control Protocol (LACP) flapping. PR1087615

  • On a QFX Series Virtual Chassis Fabric (VCF), rebooting a leaf node might change the size of the VCF, resulting in a flood loop of the unicast or multicast traffic. To fix the issue, use the new CLI statement fabric-tree-root. See http://www.juniper.net/techpubs/en_US/junos14.1/topics/reference/configuration-statement/fabric-tree-root-virtual-chassis.html. PR1093988

  • When we issue the PFE command "show brcmfm ifd all" there might be an FXPC core-dump on QFX5100 running 14.1X53-D12. PR1119567

  • Multiple PFEMAN disconnects and reconnects between the master and backup within a short period of time can cause the backup to generate core files. PR1123379

  • On QFX Series and EX4600 switches, if an AE interface is used as an ECMP next hop (load balance), traffic is not hashed evenly to all member interfaces correctly. PR1141571

  • On MX Series routers, and EX Series and QFX Series switches, SSH authentication might fail due to improper file ownership. PR1142992

Routing Protocols

  • On EX4600 and QFX5100 switches with Q-in-Q, if the native VLAN is configured on a Q-in-Q interface connected to a customer device (CE), the packets going out with the native VLAN ID (Customer-Vlan) are still tagged. PR1105247

  • On QFX5100/EX4600 Series switches, when an eRACL (egress routing ACL filter) is applied to more than 64 interfaces, a memory corruption issue might occur, causing the Packet Forwarding Engine manager (fxpc) process to crash. PR1123374

  • On QFX5100 Series switches, when a gre interface is configured over an irb interface, the gre interface can come up, but the IP address of the gre interface on the remote end cannot be pinged. PR1124149

  • On QFX5100 switches, you might see the "soc_mem_read: invalid index -1 for memory EGR_L3_INTF" log message. You can ignore the message; there is no functional impact on the switch. PR1126035

  • This PR changed the behavior when using flexible VLAN tagging and native-vlan-id so that packets that are part of the native VLAN egress untagged. Previously, these packets would egress tagged. PR1130192

  • On a QFabric system, the DHCPv6 packets are getting dropped in Network Node Group (NNG) due to internal filters. PR1132341

  • Configuring analyzers might lead to sub-optimal use of allocated TCAM space. When this happens, the following logs might be displayed:

      [Sat Nov 21 08:45:18 2015 LOG: Err] PFE: Unknown next-hop (nh_id 2532) for sampling
      [Sat Nov 21 08:45:19 2015 LOG: Err] PFE: Unknown next-hop (nh_id 2532) for sampling

    PR1136837

  • On QFX/EX4600 Series switches with dual-stacked interface, if the interface is configured to be part of a non default routing-instance and input IPv4 Filter Based Forwarding (FBF) with no matching condition is applied, the IPv6 packets received might be dropped. PR1145667

  • On QFX5100 and EX4600 switches, if you use the Network Configuration Protocol (NETCONF) to add or delete firewall filters on an integrated bridging and routing (IRB) interface, the Packet Forwarding Engine Manager (fxpc) might generate a core file. PR1155692

  • The loopback filter does not work because of a higher-priority system dynamic filter. The implicitly installed DHCPv6/v4_l3_tag filter conflicts with the configured loopback filter. PR1159024

Storage and Fibre Channel

  • On EX4500 and QFX Series switches or a QFabric Fabric system with DCBX enabled, when the DCBX neighbor is up and then receives a normal LLDP packet (without DCBX TLVs) on the same port as the DCBX packets, the device might ignore the DCBX packets, causing session timeouts and a reset of the priority-based flow control (PFC) settings. PR1095265

Resolved Issues: Release 14.1X53-D30

General Routing

  • On EX Series switches with an integrated routing and bridging (IRB) interface configured, if the JSRV interface is created prior to the IRB interface after the device or the chassis daemon (chassisd) is restarted, all IRB interfaces might disappear. PR965097

  • On a Virtual Chassis Fabric (VCF), a small amount of Layer 3 unicast packet loss (for example, 0.2 - 0.3 sec) might be seen when a leaf node that is not in the traffic path is rebooted. PR976080

  • On a QFX5100 platform, when you upgrade Junos OS by using a topology-independent in-service software upgrade (TISSU), a few packet drops might be seen on an SFP-T interface during the "FPC Warm Booting" period of the TISSU. This issue is not seen with an SFP-SX interface. PR1027336

  • On EX4600 and QFX5100 switches, the Link Aggregation Control Protocol (LACP) in either slow mode or fast mode might go down and then come back up, causing a timeout and a service outage during an In-Service Software Upgrade (ISSU) or a Nonstop Software Upgrade (NSSU). In addition, after the master Routing Engine is rebooted, the switches might experience intermittent traffic loss on non-LAG interfaces, and redundant trunk group (RTG) convergence times might be long. PR1031338

  • Any EX/QFX Series switch that supports Media Access Control Security (MACsec) might generate the following error message: "dot1xd[1634]: knl_ifcheck_chunk: Starting interface state recovery". This is a cosmetic issue; it has no functional impact. PR1045144

  • AE IFD statistics are inconsistent or incorrect because of incorrect handling of the child IFD stat flags. Because AE statistics are an aggregate of the child IFD statistics, these requests are processed differently from those for standalone interfaces, which introduces inconsistencies in the next poll cycle. PR1048276

  • On a QFX5100-48T switch, interfaces numbered 0 to 23 are sometimes not turned down during device reboot. This issue might be seen when a peer device is using 1G link speed. PR1059876

  • In certain environments - with certain narrow operating temperatures or changing operating temperatures, there is a statistical probability of the QFX5100 850W AC power supply shutting itself down due to a bug in the power supply firmware logic comparing measured fan speed versus target speed at temperature. PR1062224

  • On a QFabric system, if you configure a management address for LLDP on the Network Node group (NW-NG) interfaces, the Link Layer Discovery Protocol daemon (lldpd) might crash continuously. PR1062445

  • On QFX5100 switches, enabling error-correcting code (ECC) ELV. PR1064567

  • On QFX5100 switches that are configured with the "include-option-82 nak" option so that Dynamic Host Configuration Protocol (DHCP) servers include option 82 information in NAK messages, two copies of option-82 might be appended to DHCP ACK packets. PR1064969

  • On EX4600 switches and QFX Series switches, when a pair of devices configured for multichassis link aggregation (MC-LAG) are both using active mode when rebooting, traffic can drop for a while on one of the switches. PR1069644

  • The SNMP walk for the dot1dBasePortIfIndex object might return a value of 0, which is not a valid SNMP ifindex for an interface. PR1070532

  • On a QFabric system, if you configure "system accounting events", the device creates a child process of the audit process (auditd) for every accounting event, but multiple child processes might not terminate, which results in high CPU utilization by auditd. PR1070701

  • On EX Series and QFX Series switches, issuing the "show interfaces extensive" command or polling SNMP OID ifOutDiscards provides a drop count of zero. PR1071379

  • On a QFX5100-24Q-AA switch, in a few cases, after the switch reboots, the guest virtual machine (VM) might not get the field-programmable gate array (FPGA) devices for use. Consequently, any application or utility trying to use the FPGA device fails. PR1073076

  • On a QFX5100-24Q-AA switch, if the PFE manager (FXPC) restarts for any reason (crash or planned restart), the guest virtual machine (VM) loses its PCIe devices. Consequently, any utility or application using those devices loses access to them. This might result in failures of the utilities or applications. PR1073084

  • On QFX5100 Series switches, when approximately 3000 Virtual Extensible LANs (VXLANs) are configured and associated with logical interfaces for the same OVSDB-managed interface, a high level of memory usage might occur. As a workaround, disable the 802.1X and multicast snooping processes using the "set system processes dot1x-protocol disable" and "set system processes multicast-snooping disable" statements. PR1073677

  • After power cycling a QFX5100 in QFabric, the chassis status LEDs go off. PR1074310

  • On QFX5100 Series switches, the SFP management interfaces might fail to come online. PR1075001

  • QFX Series: Insufficient entropy on QFX systems (CVE-2016-1273). Refer to https://kb.juniper.net/JSA10746 for more information. PR1075067

  • On QFX5100 switches, if more than 1K virtual extensible LAN network identifiers (VNIs) are created by Open vSwitch Database (OVSDB), the VTEP gateway daemon (vgd) might generate a core file. PR1075189

  • On a QFX5100 Virtual Chassis, log messages such as "fpc0 vccpd irt socket connect failed (no route to host)" are seen continuously. These messages are harmless. PR1075437

  • A QFX5100 switch with a BIOS version older than V18.7 does not have error-correcting code (ECC) memory enabled by default. This might cause issues because it limits correction of memory corruption. PR1075915

  • On QFX5100/EX9200 Series switches, when you configure the VLAN name and logical switch (LS) for OVSDB, if the VLAN name or LS uses the UUID format, the configuration does not commit. PR1075919

  • On QFX5100 Series switches, if you configure both Q-in-Q tunneling and IGMP snooping, IGMP reports do not egress. As a result, multicast traffic is flooded instead of being sent to requested receivers. PR1076324

  • On a QFabric system, if configuring Internet Group Management Protocol (IGMP) snooping, the Virtual Router Redundancy Protocol (VRRP) multicast packets might be dropped. PR1077085

  • On a QFabric system, the sfid-bcm memory might be leaked with a core file generated during multicast data packet handling. PR1077678

  • On QFX/OCX1100 Series switches, when the Encapsulated Remote Switched Port Analyzer (ERSPAN) output IP address is reachable via more than one route, the analyzer goes down. PR1077700

  • On EX4600, QFX5100, QFX3500, and QFX3600 Series switches, when the device acts as a transit router between the DHCP server and the DHCP relay agent, and DHCP server/relay is not configured, the device might not forward the DHCP ack packets to the destination address. Instead, packets are sent to the Routing Engine (RE) if the packets' destination port is 68. PR1079826

  • On EX9200 and QFX5100 switches, if you configure DHCP relay with the DHCP server and the DHCP client in separate routing instances, unicast DHCP reply packets (for example, a DHCP ACK in response to a DHCP RENEW) might be dropped. PR1079980

  • On QFX5100-48T Series switches, when the device is rebooted, the 10GBASE-T interfaces do not go down until after the software has reloaded. This might impact service on the peer device because of invalid failover. PR1081105

  • On QFX5100 switches, the maximum number of LAGs is now 1000. PR1082043

  • On QFX5100 Series switches, if the class of service (CoS) configuration is changed on a physical interface while traffic is running, host inbound packets might be affected and cannot be processed, and the PFE manager (fxpc) process crashes with a core file generated. As a result, the aggregated Ethernet (AE) interface goes down due to an LACP timeout. PR1082224

  • On EX4600 switches and QFX Series switches, you must use the -C and -S options with a DHCP request. If you do not, the client might not receive the DHCP ack packets. PR1082473

  • On QFX5100 Series switches running Junos OS Release 14.1X53-D25, if you install a license for the VCF feature, the device might raise the error "license not valid for this product" and fail to install the license. PR1084235

  • On a QFabric system, if you use the CLI command "request system reboot all" or switch over Director Group (DG) mastership, the Packet Forwarding Engine manager (pafxpc) might crash and generate a core file. PR1087420

  • On a QFabric system with Junos OS Release 14.1X53-D15 only, the device could not forward DHCP unicast packets in a VLAN. PR1088393

  • On QFX Series switches, when a large number of small form-factor pluggables (SFPs) with Digital Optical Monitor (DOM) support are inserted, the CPU utilization of the PFE manager daemon (fxpc) might increase (maximum value 50%) due to a large number of iterations of SFP diagnostics polling. The thread that causes the high CPU utilization has a low priority and might not cause any problems to the functionality. As a workaround, if DOM statistics are not important, disable the diagnostics by issuing the <vty> test sfp diagnostics disable command, or increase the diagnostic-interval (default is 3 seconds) to bring down the CPU utilization by issuing the <vty> test sfp periodic diagnostic-interval 10 command. PR1091512

  • On a Virtual Chassis Fabric (VCF) that is configured in autoprovisioned or preprovisioned mode, with LLDP enabled on the em0 interface to connect to other VCF members, a VCP interface flap might cause the Virtual Chassis Control Protocol daemon (vccpd) to crash and generate a core file. PR1095199

  • On QFX5100 Series switches, in a corner case, a BIOS upgrade that is applied with a soft reboot might cause the device to get stuck at the "RE-FPGA-DRV: Please standby while rebooting" message. PR1097318

  • On QFX5100 Series switches, when the Open vSwitch Database (OVSDB) controller is configured, changing the inactivity-probe-duration and/or SSL port might cause the controller port to be overwritten with default values. As a workaround, configure the controller port number after configuring inactivity-probe-duration. PR1098869

  • On EX4300/EX4600/QFX Series switches, when a VLAN name contains "-vlan" and you then add an interface to this VLAN, the VLAN might not work. As a workaround, change the VLAN name to another name. PR1100609

  • On QFX5100 Series switches, unsigned Python scripts might not execute successfully because they lack executable permissions, which causes the Zero Touch Provisioning (ZTP) process to fail. As a workaround, use the chmod command to change the permissions of the Python script files. PR1101680

  • On the QFX5100 with the maximum-ecmp 16, the ECMP scale will be 256 groups though it should be 1k groups. PR1105851

  • On a QFX Series Virtual Chassis Fabric (VCF) or Virtual Chassis with GRES enabled, the backup Routing Engine might continuously reboot after you configure "forward-and-send-to-re" or "forward-only" under the [edit interface interface-name unit unit-number family inet targeted-broadcast] hierarchy. PR1106151

  • On a QFX5100 VCF in autoprovisioned mode, when you add a new leaf device to the VCF, you should zeroize and reboot the device by using "request system zeroize" if any configuration has been applied to the new leaf device. However, the interfaces might remain up during the reboot until the PFE reinitializes them. PR1106194

  • On a QFX5100 Virtual Chassis, the MAC address is not learned on an AE interface configured as a VXLAN Layer 2 port and with the interface mode configured as access. The issue is observed only with AE interfaces that span multiple Virtual Chassis members and when the member node is rebooted or power cycled. PR1112790

  • On QFX5100 Series switches in an Open vSwitch Database (OVSDB) scenario with VXLAN configured, MAC learning might not work well across an interface that is dynamically changed, where the interface is bound to the link from vrouters, both between a bare-metal server (BMS) and a locally connected vrouter and between a BMS and a vrouter connected through the spine. PR1115546

  • On a QFX3000-G or QFX3000-M QFabric system running a 14.1X53 release, if you configure a few VLANs, delete that configuration, and then reconfigure the VLANs, the flood traffic for a specific VLAN might not reach the interfaces within the same VLAN on another node. PR1116817

  • On QFX/EX4600 Series switches, in rare conditions, the trunk interface might not get created because a data structure becomes out of sync between the Packet Forwarding Engine (PFE) and the control plane. PR1128316

  • On QFX5100 Series switches with an Open vSwitch Database (OVSDB) management protocol configuration that act as virtual tunnel endpoints (VTEPs), traffic being forwarded from an ingress AE interface to an egress tagged port might not have the 802.1Q VLAN tag attached if both ports are located on the same device. PR1128507

  • On QFX5100 Series switches, after you disable the interface and hot-swap a 1G copper transceiver, a link flap or link-up might be seen on the SFP-T port even though the interface is explicitly configured as disabled. PR1137204

  • Starting in 14.1X53-D36, a commit check has been added to prevent more than one IFL per physical interface (IFD) from being assigned to a single VLAN. PR1144123

  • On EX4300/EX4600/QFX3500/QFX3600/QFX5100 Series switches, if you insert a bad SFP or SFP+ optic in a port and replace it with a good optic, the good optic might not come up. PR1144190

  • On a QFX5100 Virtual Chassis, if you configure an aggregated Ethernet interface as an OVSDB interface with multiple subinterfaces that are configured under different VXLAN domains, removal of the last but one AE subinterface might reset VXLAN settings on the physical ports that are part of the AE interface, resulting in packet drops. PR1150467

  • On QFX5100 switches, a child member might drop the incoming Link Aggregation Control Protocol (LACP) frames when this child member is moved from an access-mode VXLAN LAG interface to a trunk-mode VXLAN LAG interface. PR1153042

  • On Junos OS-based platforms that are configured as DHCP clients, a DHCP offer packet whose giaddress is not zero might be dropped. PR1191452

  • On QFX5100-96S with 850W AC power supply inserted, in certain environments, because of a software defect, there is a statistical probability of the QFX5100 850W AC power supply shutting itself down. PR1203591

Class of Service (CoS)

  • On QFX Series switches, applying a class-of-service (CoS) configuration globally (using the * wildcard) to all interfaces on a device can cause inconsistency in the packet forwarding state if the device has interfaces that are members of a link aggregation (LAG) interface bundle and also interfaces that are not members of a LAG interface. When there is a mix of LAG interface bundles and interfaces that are not LAG members on a device, do not use the * wildcard to apply the CoS configuration globally to all device interfaces. PR1001605

  • On EX4600/QFX Series switches, when a fixed classifier is applied to the ingress port, the IEEE 802.1p CoS values of the egress packets are incorrect, which results in the peer device handling the packets the wrong way. PR1099187

  • On QFX5100 and EX4600 switches, if you channelize a 40-Gigabit Ethernet QSFP+ interface into four 10-Gigabit Ethernet ports and try to apply the CoS configuration to one of the specific channels, multicast traffic might get dropped. PR1108103

EVPN

  • On a QFX5100-VC platform, while a spine node that has an active route to reach other VXLAN tunnel endpoints (VTEPs) is rebooting, the Packet Forwarding Engine manager (fxpc) might create core files and crash. PR1088992

  • On VXLAN ports of QFX5100 Series switches, when DHCP discover packets are received, the VXLAN-encapsulated DHCP frames carry incorrect or additional headers, and when the PFE sends these frames to the kernel, the kernel might drop these incorrect VXLAN UDP frames. PR1107793

  • On QFX5100 Series switches with virtual extensible local area network (VXLAN) configured, the SIP/DIP (source IP/destination IP) might be 0.0.0.0 in VXLAN traffic after the device reboots, because the VTEP gateway daemon (vgd) sometimes pushes remote MACs to the Layer 2 learning daemon (l2ald) before the source VTEP logical interface (IFL) is created. PR1109838

  • On QFX5100 Series switches, when the logging action is set on a VXLAN port in a firewall filter, the forwarded traffic might be duplicated because the device encapsulates the packet in a VXLAN header using both a multicast and a unicast destination address. PR1110818

  • On a QFX Series switch or Virtual Chassis which is performing a nonstop software upgrade (NSSU) and that has aggregated Ethernet link bundles with member links on multiple switches or line cards, traffic traversing the aggregated ethernet interface might be lost when the backup Routing Engine (RE) reboots as part of the NSSU. PR1126855

  • On an aggregated ethernet OVSDB interface with member links connecting to multiple member switches on a QFX5100 Virtual Chassis, a reboot of one member switch might impact VXLAN traffic encapsulation traversing the member links on other FPCs. PR1126915

  • On QFX5100 switches, if a trunk interface is a VXLAN port, tagged frames matching the native VLAN ID might be sent out with the native VLAN tagged. PR1164850

Interfaces and Chassis

  • The log message "DCD_CONFIG_WRITE_FAILED" repeatedly appears in the log file. PR1088577

  • On EX4600/QFX Series switches with MC-LAG Inter-chassis Link (ICL) configured, when multiple servers are connected to the MC-LAG peers, if the server side configures LACP behind the EX4600/QFX switches and only negotiates LACP on one of the interfaces, it might lead to MC-LAG link failure. PR1113903

Junos Fusion Provider Edge

  • On a Junos Fusion topology, if a QFX5100 switch is running Junos OS Release 14.1X53-D16 with Enhanced Automation, and you try to autoconvert the switch into a satellite device from the aggregation device, the conversion might fail. As a workaround, install the regular version of Junos OS Release 14.1X53-D16 on the switch prior to the conversion. PR1072806

Layer 2 Features

  • In a mixed QFX3500 and EX4300 Virtual Chassis that has persistent MAC and MAC limiting configured, traffic is not received on aggregated Ethernet (AE) interfaces on EX4300 switches when the EX4300 switches are acting in the linecard role. PR1033618

  • On EX4600 switches and QFX Series switches, if the extended-vlan-bridge statement is configured for an interface and igmp-snooping is enabled, the interface might drop multicast traffic. PR1071436

  • On QFX5100 Series switches, if the device is managed by Open vSwitch Database (OVSDB) at large scale (i.e., 2k VNIs, 4k subinterfaces, 40k MACs), the PFE manager (fxpc) process might crash with a core file generated. PR1078118

  • On EX4600 switches and QFX Series switches, the PFE manager process (FXPC) might crash, with a core file generated, under either of two circumstances: when an interface is flapping or when you issue the CLI command "clear ether-switch table". PR1080132

  • On EX4600 switches and QFX Series switches, when an interface without spanning tree protocol (STP) configured receives a VSTP or PVST+ packet where the frame is tagged with a VLAN that is not configured on the device, the switch might change the packet's VLAN ID to a wrong VLAN ID for the VSTP/PVST+ frame and forward it (rather than dropping the frame). PR1081275

  • On QFX5100 Series switches with VXLAN configured, on the VXLAN Layer 2 side, the egress ports are always selected based on the layer2-headers of the inner packets instead of the default layer2-payload. If the inner MAC addresses of the VXLAN traffic are fixed, VXLAN decapsulated packets might not be load-balanced across AE interfaces. PR1084591

  • On a QFX5100 Virtual Chassis, when the devices are part of an OVSDB-managed VXLAN, and multiple LAG interfaces on different member switches are configured over equal-cost multipath (ECMP) for Layer 3 VXLAN interfaces, load balancing across the LAG member interfaces does not work. PR1090791

  • On an EX4300/EX4600/QFX VC/VCF except an EX4300 VC, when Protocol Independent Multicast (PIM) is configured on the integrated routing and bridging (IRB) interface and IGMP snooping is enabled on the related VLAN, if the multicast send and receive interfaces are both on the non-master Flexible PIC Concentrator (FPC), a failover of the Routing Engine (RE) mastership might cause multicast traffic to drop. PR1091645

  • On EX4600/QFX5100 Series switches in an L3VPN scenario, ping packets sent from a CE to a remote CE might not work over a back-to-back PE connection. PR1096698

  • On QFX5100 and EX4600 switches running under Junos OS Release 14.1X53-D10 or later, when DHCPv6 solicitation packets go through the device with Q-in-Q configured, the packets might be dropped by peers due to the S-tag not being added. PR1103793

  • On EX4300, EX4600, and QFX Series switches, traffic received on the backup redundant trunk group (RTG) link might get forwarded to other interfaces following an RTG link failover. PR1119654

  • If you reboot one FPC in a two-member Virtual Chassis, the traffic might not exit from the FPC after the FPC comes back online and rejoins the Virtual Chassis, and local registers might be incorrectly cleared, if the port number is the same on both the master and backup. PR1124162

  • On QFX3500/5100 Series switches, while committing an et interface inet plus mpls configuration with the no-redirects knob and an MTU setting, the ARP protocol might not be configured for the IFL in the PFE. PR1138310

  • On QFX5100/QFX3500 switches, the buffer is corrupted on port 0 (*/*/0) and the error messages MACDRAINTIMEOUT and dcbcm_check_stuck_buffers are observed, which could eventually lead to port 0 (*/*/0) flapping. PR1162947

  • On QFX5100 switch, syslog may contain repeated messages like so: fpc12 Unit: 0 port 47 start error detected. PR1164096

Multiprotocol Label Switching (MPLS)

  • On EX4600/QFX Series switches, when configuring the "labeled-unicast" in BGP, the incoming labeled packets might be dropped. PR1080528

  • On QFX5100 Series switches with MPLS and ECMP enabled, the ECMP policy by default affects all protocol families running on the switch, including MPLS. Because the QFX5100 does not support ECMP for MPLS, the switch installs a UNILIST (ECMP route) as multiple UNICAST (common route) entries. In that case, the Packet Forwarding Engine installs multiple copies of the MPLS swap label in the egress MPLS table when multiple egress Layer 3 next hops point to the same swap label. When many such MPLS routes are installed in the PFE, the MPLS routing table might exceed its scale limit, so that a new MPLS route cannot be installed on the PFE. Traffic might be affected when this issue happens. This optimization ensures Junos installs a unique entry in the egress MPLS swap table in the PFE when multiple egress Layer 3 next hops are pointing to the same MPLS swap label. PR1087476

  • When QFX/EX4600 Series switches act as provider edge (PE) devices with multiple L3VPNs configured, while pushing 3 labels through either VPN/LDP/RSVP or VPN/BGP/LDP, they might apply incorrect bottom labels. PR1089648

  • On EX4600/QFX5100 Series switches, when the device is configured with Ethernet-over-MPLS (L2 circuit) and high-scale routes, restarting the routing protocol daemon (rpd) many times in succession might cause the L2 circuit to drop forwarded traffic. PR1091867

  • On EX4600/QFX Series switches, if LDP/MPLS explicit-null is set on egress PE devices, packets with a label value of 0 do not hit the IPv4 firewall filter that is configured under the core-facing interfaces (PE-P). PR1099334

  • The QFX5100 does not support ECMP load balancing for MPLS, but no commit error is generated when ECMP is configured to match on the RIB table mpls.0 on 14.1X53-D12 code. PR1102230

  • Ping over LSP shows different behavior in regards to HLIM. PR1179518

  • For 2-label PUSH cases, both labels consume entries in the same label table. This might result in instability of MPLS tunnels and packet drops when routes are added or deleted. The correct behavior is for the tunnel label to go in one table and the VRF label to go in another table. PR1185550

Network Management and Monitoring

  • On a QFabric system, when SNMP is configured to communicate with an SNMP server, the device might stop responding to SNMP requests, and SNMP polling stops working at random intervals. PR1061518

  • On a QFabric system, if you replace an old RSNG node with a new RSNG node, the Director Group (DG) status might still show the old node as "CONNECTED". PR1071067

  • On a QFabric system, the SNMP process (snmpd) may restart and generate a core file when clients send excessive queries to Juniper Networks enterprise-specific Class-of-Service (CoS) MIB (mib-jnx-cos). PR1078596

Platform and Infrastructure

  • The CPU utilization value is incorrect in the Cloud Analytics Engine probe response statistics. PR1024840

  • QFX Series: PFE panic while processing VXLAN packets (CVE-2016-1274). Refer to https://kb.juniper.net/JSA10747 for more information. PR1074501

  • On EX4600 and QFX Series switches, MAC addresses on one VLAN might be installed in the hardware but missing from the Ethernet-switching table if the following steps were taken: 1. Configured "vlan-id-list" for a VLAN range "A" with commit. 2. Deleted the VLAN range "A" and re-added the VLAN range "B" in the same commit. 3. If A + B >= 4096. PR1074919

  • On EX4300, EX4600, and QFX5100 Series switches, when Multiple Spanning-Tree Protocol (MSTP) is used for a VLAN and the link aggregation group (LAG) interface belongs to the VLAN but the LAG interface is not part of MSTP, then that VLAN traffic does not pass on the LAG interface. PR1084616

  • On a QFX5100 Virtual Chassis, frequent MAC move events can put the system into an inconsistent state, which results in a PFE manager (FXPC) process crash with a core file generated. PR1086108

  • On a QFX5100-24Q/QFX5100-24Q-AA switch, if flexible-vlan-tagging and encapsulation are configured on the expansion module (e.g., QFX-EM-4), multicast traffic sent to the interface on the expansion module might be lost. PR1087014

  • On QFX5100 switches, adding or removing virtual routing and forwarding (VRF) instances that have many logical interfaces in the link aggregation group (LAG) might cause Link Aggregation Control Protocol (LACP) flapping. PR1087615

  • On EX4600 and QFX5100 switches, when Spanning Tree Protocol (STP) is enabled on an S-VLAN, that S-VLAN's STP bridge protocol data unit (BPDU) packets might be dropped by the S-VLAN interface if the S-VLAN interface is an aggregated Ethernet (AE) interface. PR1089331

  • On EX4300, EX4600, and QFX Series switches with a firewall filter configured, BGP sessions can go down under certain circumstances. When a BGP traffic term with accept action is configured in the firewall filter, and a log action is configured in the firewall filter with a discard/reject action in another term, BGP sessions might go down when this firewall filter is applied to the lo0 (loopback) interface. PR1089360

  • On a Virtual Chassis Fabric (VCF) with Junos OS Release 14.1X53-D25 onwards, when a member switch of the VCF is rebooting, broadcast, unknown unicast, and multicast (BUM) traffic that passes through the Virtual Chassis port (VCP) is dropped until the rebooted member rejoins. PR1093606

  • On QFX5100 Series switches, when the device installs route entries at large scale without exceeding the maximum limit (16k), the multicast route entry might not be added in the Packet Forwarding Engine (PFE), and "Table full" log messages are generated. PR1093665

  • On QFX5100 Series switches with VXLAN configured, after you delete and add the VXLAN network identifier (VNI), the traffic is not load-balanced across Layer 3 links to the remote VXLAN tunnel endpoint (VTEP). PR1094547

  • On EX4600 and QFX5100 switches, when flow control is configured on an interface, and pause frames are sent to this interface, the interface might go down. PR1098055

  • On EX4300, EX4600, and QFX Series switches, while creating trunk interfaces that carry a large number of VLAN members that include a VLAN with an IRB interface, multicast or broadcast traffic such as OSPF and ARP sent through the VLAN might be dropped, thereby impacting the protocol adjacency. PR1100001

  • On QFX5100 Series switches, when a VLAN interface MAC limit is configured, the MAC limit is not applied on VXLAN/OVSDB interfaces. PR1101203

  • On EX4300, EX4600, and QFX5100 switches, when you configure a Layer 3 link aggregation group with Link Aggregation Control Protocol (LACP) enabled, and an aggregated Ethernet (AE) interface goes down due to LACP failures, the AE interface still accepts and forwards traffic. PR1101273

  • On EX4300/EX4600/QFX Series switches, when the preemptive-cutover timer is configured for a redundant trunk group (RTG) and the primary link goes down and is replaced by the secondary link, if the secondary link then goes down within the preemptive cutover time (120 seconds by default), the primary link remains in the blocked state even if it is up at that moment. PR1101678

  • Issuing the PFE command "show brcmfm ifd all" might cause an FXPC core dump on a QFX5100 running 14.1X53-D12. PR1119567

  • Multiple PFEMAN disconnects and reconnects between the master and backup within a short period of time can cause the backup to generate core files. PR1123379

  • If DHCP packets with MPLS tags are sent to the CPU on a QFX5100 node acting as a PHP node, the logical interfaces index on the packet notification might not be set correctly, and the DHCP packets might be dropped. PR1164675

QFabric Systems

  • On a QFabric system, if "remote-debug-permission" is configured, the Director Group (DG) should allow a login to the component without providing the password. However, it was observed that the DG still prompted for a password to log in to a Node device. PR1068276

Routing Protocols

  • On EX4600/QFX Series switches, if you configure a filter term to permit VSTP BPDU packets, the term might not match the packets. PR1016394

  • On EX4600 and QFX Series switches, if filter-based forwarding (FBF) is configured on an IRB interface that is also enabled for Virtual Router Redundancy Protocol (VRRP), when the host uses the VIP address as the gateway, the switch will not forward packets from that host to the destination routing instance via FBF. This is expected behavior based on the implementation of family inet filters. As a workaround, configure the hosts to use the physical IP address of the IRB interface, rather than the VRRP VIP address, as the gateway. PR1025312

  • On EX4300 switches, EX4600 switches, and QFX Series switches, after you configure a hold-time timer for an interface member of a multichassis link aggregated Ethernet (MC-AE), and then reboot the active node device, a loop can occur with the hold timer. PR1077019

  • On QFX5100 Series switches, if a link aggregation group (LAG) member is added to or removed from a LAG port that is bound to a filter-based forwarding (FBF) filter, packets that hit this filter might not be forwarded to the right destination. PR1078195

  • On EX/QFX Series switches, when IGMP snooping for IGMPv3 is configured, IGMP snooping might not work correctly when the switch receives an IGMPv3 report with "to exclude" followed by another IGMPv3 report with "to exclude {null}"/"ALLOW_NEW_SOURCES". PR1081093

  • On EX4600 and QFX Series switches, you might not be able to commit the configuration when the arp-type match condition is configured in a firewall filter. PR1084579

  • On an EX4600 or QFX Virtual Chassis, if you reboot the master routing engine (RE), traffic might be lost due to an RE failover delay of around 15-20 seconds. PR1085148

  • On a standalone QFX Series switch, if you configure a nested firewall filter and then attempt to commit the configuration, the firewall compiler process (dfwc) might crash and generate a core file, leading to commit failure. PR1094428

  • On a QFX VCF, if the switch works as part of a target subnet, while receiving targeted broadcast traffic, the packets might be forwarded to the destination with the switch's MAC address as the destination MAC address, whereas they should be converted into a Layer 2 broadcast frame with destination MAC address FFFF.FFFF.FFFF. PR1114717

  • On QFX5100/EX4600 Series switches, when an eRACL (egress routing ACL filter) is applied to more than 64 interfaces, a memory corruption issue might occur, causing the Packet Forwarding Engine manager (fxpc) process to crash. PR1123374

  • On QFX5100 Series switches, when a GRE interface is configured over an IRB interface, the GRE interface can come up, but the IP address of the GRE interface at the remote end cannot be pinged. PR1124149

  • This PR changed the behavior when using flexible VLAN tagging and native-vlan-id so that packets that are part of the native VLAN egress untagged. Previously, these packets would egress tagged. PR1130192

  • On QFX5100 and EX4600 switches, if you use the Network Configuration Protocol (NETCONF) to add or delete firewall filters on an integrated bridging and routing (IRB) interface, the Packet Forwarding Engine Manager (fxpc) might generate a core file. PR1155692

  • An FXPC crash may happen during an ECMP route delete from the LPM table. This might have happened due to a large-scale route change operation. The SDK vendor provided a fix as a resolution. PR1158517

  • On QFX3500 or QFX5100 switches, when parity errors occur on interfaces, they might affect the memory management unit (MMU) memories. MMU counters can be corrupted, the interface buffers might be stuck, and there might be interface flaps and traffic loss on the affected ports. As a workaround (restoration only), reboot the system. PR1169700

  • On EX4600/QFX5100 switches, in rare cases, a route insert failure in the _soc_alpm_128_write_pivot function leads to a loop in the code, resulting in a watchdog timeout. This results in an FPC crash and restart with a core dump. PR1173980

  • On EX4600 and QFX5100 series switches, there are several profiles that allocate memory differently for MAC addresses and host addresses. These profiles can be configured as "l2-profile-one, l2-profile-two, l2-profile-three, l3-profile, lpm-profile". If multicast and unicast host entries reach the maximum number of the L3 host table in related profile, then multicast traffic will be dropped. PR1177430

  • In some scenarios, after ECMP route flapping on QFX switches, traffic is blackholed. RIB programming is fine:

    root@qfx> show route 172.16.2.1
    inet.0: 843 destinations, 2707 routes (843 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    172.16.2.0/25      *[BGP/170] 6d 12:24:13, MED 106, localpref 100, from 10.1.32.2
                          AS path: ?, validation-state: unverified
                          to 172.16.5.101 via ae2.0
                        > to 172.16.6.101 via ae4.0
                        [BGP/170] 6d 12:20:20, MED 106, localpref 100, from 10.1.32.4
                          AS path: ?, validation-state: unverified
                        > to 172.16.6.101 via ae4.0
                        [BGP/170] 6d 12:20:24, MED 111, localpref 100, from 10.1.32.1
                          AS path: ?, validation-state: unverified
                        > to 172.16.5.21 via ae1.0
                        [BGP/170] 6d 12:24:09, MED 111, localpref 100, from 10.1.32.3
                          AS path: ?, validation-state: unverified
                        > to 172.16.6.21 via ae3.0

    FIB programming is fine:

    root@qfx> show route forwarding-table destination 172.18.2.0/25
    Routing table: default.inet
    Internet:
    Destination        Type RtRef Next hop           Type Index    NhRef Netif
    172.16.2.0/25      user     0                    ulst   131157     4
                                                     indr   131098    19
                                  172.16.5.101       ucst     2349     9 ae2.0
                                                     indr   131154    16
                                  172.16.6.101       ucst     2397     9 ae4.0

    However, the kernel next hops point to a discard next hop in the SDK. Hence, traffic to the destination is blackholed. PR1179610

  • The QFX5100 will exception (forward a copy of) transit IPv6 Neighbor Discovery traffic to the RE, allowing for a collateral partial local DoS attack. Refer to JSA10749 for more information. PR1183115

  • On QFX3500/QFX3600/QFX5100/EX4600 Series switches, if a routing loop is created, the TTL of the packet is not reduced to 0, and the packet is never dropped. PR1196354

User Interface and Configuration

  • On EX4300/EX4600/EX9200/QFX Series switches, when configuring an interface range, if the interface range includes large-scale physical interfaces, and is configured with the "family" option set to "ethernet-switching", committing the configuration might take a long time to complete. PR1072147

Resolved Issues: Release 14.1X53-D27

General Routing

  • On EX Series switches with an integrated routing and bridging (IRB) interface configured, if the JSRV interface is created before the IRB interface after the device or the chassis daemon (chassisd) is restarted, all IRB interfaces might disappear. PR965097

  • On a QFX5100 platform, when you upgrade Junos OS by using topology-independent in-service software upgrade (TISSU), a few packet drops might be seen on an SFP-T interface during the "FPC Warm Booting" period of TISSU. This issue is not seen with an SFP-SX interface. PR1027336

  • On QFX5100 switches, enabling error-correcting code (ECC) ELV. PR1064567

  • On a QFX5100 Virtual Chassis, the MAC address is not learned on an AE interface configured as a VXLAN Layer 2 port and with the interface mode configured as access. The issue is observed only with AE interfaces that span multiple Virtual Chassis members and when the member node is rebooted or power cycled. PR1112790

EVPN

  • On a QFX5100-VC platform, while a spine node that has an active route to reach other VXLAN tunnel endpoints (VTEPs) is rebooting, the Packet Forwarding Engine manager (fxpc) might crash and create core files. PR1088992

  • On VXLAN ports of QFX5100 Series switches, when DHCP discover packets are received, the VXLAN-encapsulated DHCP frames carry incorrect or additional headers. When the PFE sends these frames to the kernel, the kernel might drop the incorrect VXLAN UDP frames. PR1107793

  • On QFX5100 Series switches, when the logging action is set on a VXLAN port in a firewall filter, forwarded traffic might be duplicated because the device encapsulates the packet in a VXLAN header using both a multicast and a unicast destination address. PR1110818

Layer 2 Features

  • On a QFX5100 Virtual Chassis, when the devices are part of an OVSDB-managed VXLAN and multiple LAG interfaces are configured on different member switches over equal-cost multipath (ECMP) for Layer 3 VXLAN interfaces, load balancing across the LAG member interfaces does not work. PR1090791

  • On an EX4300/EX4600/QFX VC/VCF, except an EX4300 VC, when Protocol Independent Multicast (PIM) is configured on the integrated routing and bridging (IRB) interface and IGMP snooping is enabled on the related VLAN, if the multicast send and receive interfaces are both on a non-master Flexible PIC Concentrator (FPC), a Routing Engine (RE) mastership failover might cause multicast traffic to drop. PR1091645

Multiprotocol Label Switching (MPLS)

  • When QFX/EX4600 Series switches act as provider edge (PE) devices with multiple L3VPNs configured and push 3 labels, through either VPN/LDP/RSVP or VPN/BGP/LDP, they might apply incorrect bottom labels. PR1089648

  • On EX4600/QFX5100 Series switches, when the device is configured with Ethernet-over-MPLS (L2 circuit) and a high scale of routes, restarting the routing protocol daemon (rpd) many times in succession might cause the L2 circuit to drop forwarded traffic. PR1091867

Platform and Infrastructure

  • On a QFX5100-24Q/QFX5100-24Q-AA switch, configuring flexible-vlan-tagging and encapsulation on an expansion module (for example, QFX-EM-4) might cause loss of multicast traffic sent to the interface on the expansion module. PR1087014

  • On QFX5100 Series switches with VXLAN configured, after a VXLAN network identifier (VNI) is deleted and added again, traffic is not load-balanced across the Layer 3 links to the remote VXLAN tunnel endpoint (VTEP). PR1094547

Resolved Issues: Release 14.1X53-D26

General Routing

  • On a QFX5100 platform, when you upgrade Junos OS by using a topology-independent in-service software upgrade (TISSU), a few packet drops might be seen on an SFP-T interface during the "FPC Warm Booting" period of the TISSU. This issue is not seen with an SFP-SX interface. PR1027336

  • On a QFX5100-48T switch, interfaces numbered 0 to 23 are sometimes not turned down during device reboot. This issue might be seen when a peer device is using 1G link speed. PR1059876

  • In certain environments - with certain narrow operating temperatures or changing operating temperatures, there is a statistical probability of the QFX5100 850W AC power supply shutting itself down due to a bug in the power supply firmware logic comparing measured fan speed versus target speed at temperature. PR1062224

  • On QFX5100 switches, enabling error-correcting code (ECC) ELV. PR1064567

  • On EX4600 switches and QFX Series switches, when a pair of devices configured for multichassis link aggregation (MC-LAG) are both using active mode when rebooting, traffic can drop for a while on one of the switches. PR1069644

  • The SNMP walk for the dot1dBasePortIfIndex object might return a value of 0, which is not a valid SNMP ifindex for an interface. PR1070532

  • On a QFX5100-24Q-AA switch, in a few cases, after the switch reboots, the guest virtual machine (VM) might not get the field-programmable gate array (FPGA) devices for use. Consequently, any application or utility trying to use the FPGA device will fail. PR1073076

  • On a QFX5100-24Q-AA switch, if the PFE manager (FXPC) restarts for any reason (crash or planned restart), the guest virtual machine (VM) will lose its PCIe devices. Consequently, any utility or application using those devices will lose access to them. This may result in failures of the utilities and/or applications. PR1073084

  • On QFX5100 Series switches, when approximately 3000 Virtual Extensible LANs (VXLANs) are configured and associated with logical interfaces for the same OVSDB-managed interface, a high level of memory usage might occur. As a workaround, disable the 802.1X and multicast snooping processes using the "set system processes dot1x-protocol disable" and "set system processes multicast-snooping disable" statements. PR1073677

  • On QFX5100 switches, if more than 1K virtual extensible LAN network identifiers (VNIs) are created by Open vSwitch Database (OVSDB), the VTEP gateway daemon (vgd) might generate a core file. PR1075189

  • On a QFX5100 Virtual Chassis, the log message "fpc0 vccpd irt socket connect failed (no route to host)" is seen continuously. The message is harmless. PR1075437

  • A QFX5100 switch with a BIOS version older than V18.7 does not have error-correcting code (ECC) memory enabled by default. This might cause issues because it limits correction of memory corruption. PR1075915

  • On QFX5100/EX9200 Series switches, when you configure the VLAN name and logical switch (LS) for OVSDB, if the VLAN name or LS uses the UUID format, the configuration does not commit. PR1075919

  • On QFX5100 Series switches, if you configure both Q-in-Q tunneling and IGMP snooping, IGMP reports do not egress. As a result, multicast traffic is flooded instead of being sent to requested receivers. PR1076324

  • On EX4600, QFX5100, QFX3500, and QFX3600 Series switches, when the device acts as a transit router between the DHCP server and the DHCP relay agent, and DHCP server/relay is not configured, the device might not forward DHCP ack packets to the destination address. Instead, the packets are sent to the Routing Engine (RE) if their destination port is 68. PR1079826

  • On EX9200 and QFX5100 switches, if you configure DHCP relay with the DHCP server and the DHCP client in separate routing instances, unicast DHCP reply packets (for example, a DHCP ACK in response to a DHCP RENEW) might be dropped. PR1079980

  • On QFX5100 Series switches, if the class-of-service (CoS) configuration is changed on a physical interface while traffic is running, host inbound packets might be affected and not processed, and the PFE manager (fxpc) process might crash and generate a core file, which causes aggregated Ethernet (AE) interfaces to go down because of an LACP timeout. PR1082224

  • On EX4600 switches and QFX Series switches, you must use the -C and -S options with a DHCP request - if you do not, the client might not receive the DHCP ack packets. PR1082473

  • On QFX5100 Series switches running Junos OS Release 14.1X53-D25, installing a license for the VCF feature might fail with the error "license not valid for this product". PR1084235

Layer 2 Features

  • On QFX5100 Series switches, if the device is managed by Open vSwitch Database (OVSDB) at large scale (i.e., 2k VNI, 4k sub-interface, 40k MAC), the PFE manager (fxpc) process might crash and generate a core file. PR1078118

  • On EX4600 switches and QFX Series switches, the PFE manager process (FXPC) might crash, with a core file generated, under either of two circumstances - when an interface is flapping or when you issue the CLI command "clear ether-switch table". PR1080132

  • On QFX5100 Series switches configured with VXLAN, on the VXLAN Layer 2 side, egress ports are always selected based on layer2-headers of the inner packets instead of the default layer2-payload. If the inner MAC addresses of the VXLAN traffic are fixed, VXLAN decapsulated packets might not be load-balanced across AE interfaces. PR1084591

Multiprotocol Label Switching (MPLS)

  • On EX4600/QFX Series switches, when configuring the "labeled-unicast" in BGP, the incoming labeled packets might be dropped. PR1080528

Platform and Infrastructure

  • On EX4600 and QFX Series switches, MAC addresses on one VLAN might be installed in the hardware but missing from the Ethernet-switching table if the following steps were taken:

    1. Configured "vlan-id-list" for a VLAN range "A" with commit

    2. Deleted the VLAN range "A" and re-added the VLAN range "B" in the same commit

    3. If A + B >= 4096

    PR1074919

  • On EX4300, EX4600, and QFX5100 Series switches, when Multiple Spanning-Tree Protocol (MSTP) is used for a VLAN and the link aggregation group (LAG) interface belongs to the VLAN but the LAG interface is not part of MSTP, then that VLAN traffic does not pass on the LAG interface. PR1084616

  • On EX4300, EX4600, and QFX Series switches with a firewall filter configured, BGP sessions can go down under certain circumstances. When a BGP traffic term with accept action is configured in the firewall filter, and a log action is configured in the firewall filter with a discard/reject action in another term, BGP sessions might go down when this firewall filter is applied to the lo0 (loopback) interface. PR1089360

Routing Protocols

  • On EX4600/QFX Series switches, if you configure a multiple user-vlan-id term in a firewall filter and then apply it, only the first VLAN uses the term entry. PR1065060

  • On QFX5100 Series switches, if a link aggregation group (LAG) member is added to or removed from a LAG port that is bound to a filter-based forwarding (FBF) filter, packets that hit this filter might not be forwarded to the correct destination. PR1078195

User Interface and Configuration

  • On EX4300/EX4600/EX9200/QFX Series switches, when configuring an interface range, if the interface range includes large-scale physical interfaces, and is configured with the "family" option set to "ethernet-switching", committing the configuration might take a long time to complete. PR1072147

Resolved Issues: Release 14.1X53-D25

General Routing

  • On a QFX3500 switch configured for Layer 2 Protocol Tunneling, if the customer-facing ports are configured as LAG interfaces, LLDP packets are not tunneled across the switch. PR871079

  • On a QFX5100-48T-6Q switch, the show chassis hardware command displays QFX5100-48C-6Q, as shown below:

    --------------------------------
    root@host> show chassis hardware
    Hardware inventory:
    Item             Version  Part number  Serial number     Description
    Chassis                                TR0214999999      QFX5100-48C-6Q
    --------------------------------

    PR1006271

  • On QFabric node devices, interface flaps and resulting traffic drops can occur as a result of a Network Time Protocol (NTP) update. When this problem occurs, the string "SCHED_SLIP" appears in the log files. PR1008869

  • On EX4600 and QFX5100 switches, the Link Aggregation Control Protocol (LACP) in either slow mode or fast mode might go down and then come back up, causing a timeout and a service outage during an In-Service Software Upgrade (ISSU) or a Nonstop Software Upgrade (NSSU). In addition, after the master Routing Engine is rebooted, the switches might experience intermittent traffic loss on non-LAG interfaces, and redundant trunk group (RTG) convergence times might be long. PR1031338

  • To avoid a traffic loop, an ingress check is implemented on the VCP port for ingress traffic coming from an FPC that has been disconnected from the VC or VCF. PR1041995

  • On a QFX5100-48T switch that uses QSFP+ transceivers (QSFP-40G-SR4), if you upgrade the switch software to Junos OS Release 14.1X53-D15, the QSFP+ transceivers might not be detected after the upgrade. PR1051903

  • On EX4300, EX9200, QFX Series, and MX Series platforms, naming a VLAN "vlan-rewrite" causes an error when you commit the configuration. PR1054996

  • On a QFabric system, Terminal Access Controller Access Control System (TACACS+) authentication fails to work in Junos OS Release 14.1X53-D15. Other platforms and other releases are not affected. PR1055775

  • SNMP polling may not work in QFabric with Junos OS Release 14.1X53-D15.2 code. PR1058886

  • On a QFX5100-48T switch, interfaces numbered 0 to 23 are sometimes not turned down during device reboot. This issue might be seen when a peer device is using 1G link speed. PR1059876

  • On a QFabric system, if any QSFP+ optic on a 40-gigabit data plane (fte) uplink port is removed or inserted in a QFX3600 Node device, other fte ports and 40-Gigabit Ethernet (xle) ports might become detached. As a workaround, remove and re-insert the detached optics. PR1060463

  • When you use the SNMP GET request to poll jnxOperatingState for FPCs that are not present on a Virtual Chassis Fabric (VCF) or an EX Series Virtual Chassis, incorrect results are displayed. Non-existent FPCs might be reported to be UP and RUNNING. This issue does not affect SNMP walks. PR1061960

  • On QFX5100 switches, when a Gigabit Ethernet interface on a fiber Small Form-factor Pluggable (SFP) is configured with the speed of 1G, and full duplex and no auto-negotiation are enabled, the interface goes down. PR1063118

  • On EX4600/QFX Series switches in Virtual Chassis (VC) or Virtual Chassis Fabric (VCF) mode, when a redundant trunk group (RTG) link fails over, media access control (MAC) refresh packets are sent out of non-RTG interfaces that belong to the same virtual local area network (VLAN) as the RTG interface, which might cause traffic drops because of MAC flapping. PR1063202

  • When a Redundant Trunk Group's (RTG) primary link is down and the backup link is an active link, when the primary link comes back online to once again become the active link, other interfaces using that RTG can drop MAC addresses. This applies to EX4600 and QFX5100 switches, and QFX3500 and QFX3600 switches using Virtual Chassis (VC) or Virtual Chassis Fabric (VCF). PR1063226

  • On QFX5100-48T Series switches, the "show chassis hardware" command shows the wrong description for PIC 0: it displays 48x10BaseT-6x40G, but the description should be 48x10GBaseT-6x40G. PR1071557

  • On QFX5100 switches, if more than 1K virtual extensible LAN network identifiers (VNIs) are created by Open vSwitch Database (OVSDB), the VTEP gateway daemon (vgd) might generate a core file. PR1075189

EVPN

  • On a QFX5100 switch, traceroute does not work as expected when troubleshooting VXLAN packets if ECMP is enabled because the traceroute packets are not forwarded to the same interfaces as the data packets. PR1035730

Interfaces and Chassis

  • On EX4300 switches, EX4600 switches, and QFX switches with Spanning Tree Protocol (STP) enabled, if you have configured an interface as an edge port when spanning-tree interface mode is configured as point-to-point, enabling Bridge Protocol Data Unit (BPDU) protection on those edge ports might not work as expected. This is a typical configuration for multichassis link aggregation (MC-LAG) interfaces. PR1063847

Junos Fusion Provider Edge

  • On a Junos Fusion topology, if a QFX5100 switch is running Junos OS Release 14.1X53-D16 with Enhanced Automation, and you try to autoconvert the switch into a satellite device from the aggregation device, the conversion might fail. As a workaround, install the regular version of Junos OS Release 14.1X53-D16 on the switch prior to the conversion. PR1072806

Layer 2 Features

  • On QFX/EX4300/EX4600 Series switches, traffic flooding or forwarding might cease completely whenever the administrator changes the vlan-id for a PVLAN to a vlan-id-list with a range of VLAN IDs. PR1046792

  • An sfid-bcm memory leak is seen on the RSNG side when an sFlow setting exists, even if that Node does not have a route to the collector. PR1053813

  • On EX4600/QFX switches with a LAG interface enabled, in some rare scenarios, a certain AE member might not inherit the STP FORWARD state from its parent AE interface, so the member interface STP state stays in DISABLE. Consequently, data packets going through the affected member interface are dropped. Disabling and then enabling the faulty member link restores the AE member interface to the correct STP state. PR1059718

  • On EX4600 switches and QFX Series switches, if the extended-vlan-bridge statement is configured for an interface and igmp-snooping is enabled, the interface might drop multicast traffic. PR1071436

Multiprotocol Label Switching (MPLS)

  • MPLS auto-bandwidth does not reset MAX Avg Bandwidth when overflow or underflow threshold limit is configured. It may lead to wrong bandwidth reservations occasionally. PR954663

  • On QFX5100/EX4600 switches, DHCP relay packets that have an MPLS tag are dropped on the Routing Engine (RE), so the DHCP client cannot obtain a valid address from the DHCP server. The RE expects pure IP packets, not MPLS packets. With the fix, the MPLS tag is first stripped from the DHCP relay packet, and the pure IP DHCP relay packet is then sent to the RE for further processing. PR1060988

Platform and Infrastructure

  • On a Virtual Chassis Fabric (VCF), when the master Routing Engine (RE) is rebooting, traffic passing through the Virtual Chassis port (VCP) will be dropped. This applies to broadcast, unknown unicast, and multicast (BUM) traffic. PR1006753

  • In situations where QFX Series Switches are expected to generate ICMP redirects, they will also duplicate the incoming packet, causing duplicate responses by the end device. Configuring no-redirects will stop the generation of ICMP redirect packets, however it will not stop the duplication of the packet. To stop the duplication of the packets, ICMP redirects need to be turned off at the Packet Forwarding Engine (PFE) level. PR1022354

  • On QFX Series, EX4300, or EX4600 switches or Virtual Chassis, if you delete aggregated Ethernet (AE) interfaces to which many VLANs are associated, the CPU usage of the Packet Forwarding Engine manager (fxpc/pfex) process might become high. The duration of the high CPU utilization is proportional to the number of AE interfaces deleted. PR1035669

  • On a QFX5100 platform in a standalone/VC/VCF scenario, the Packet Forwarding Engine manager daemon (fxpc) might crash occasionally. This issue might be caused by multiple events (for example, the fxpc process does not handle signals properly, the VC/VCF configuration is changed, or after an NSSU). However, the issue is more likely to happen if any QFX-SFP-1GE-T transceivers are plugged in. PR1055331

  • On QFX/EX4600 Series switches, when double-tagged Dynamic Host Configuration Protocol (DHCP) packets go through a trunk interface whose configured virtual local area network (VLAN) members are bound to a Layer 3 (IRB) interface, the DHCP packets might be dropped. PR1059557

  • On QFX5100/EX4600 Series switches, installing routes beyond the maximum limit might cause the PFE manager (fxpc) process to crash and generate a core file. PR1062349

  • On EX4300/EX4600/QFX Series switches, traffic might be flooded out of an interface even though the destination MAC address is present in the MAC table. PR1066405

QFabric Systems

  • On a QFabric system, CLI command "show interface descriptions" may provide incomplete output or may not provide any output. PR1057104

  • The SSH sessions are flapping between Junos Space and QFABRIC when it is being managed by SPACE/ND. PR1062750

Routing Protocols

  • If a QFX Series switch with per-packet load balancing enabled has multiple Equal Cost Multiple Paths (ECMP) next hops and these also have multiple ECMP next hops, ECMP entries might be installed twice if they have overlapping members. The duplicate entries result in those links carrying twice the traffic of the other links in the ECMP group. PR936707

  • On QFX Series switches, if you configure a firewall filter that redirects traffic to a different interface (by using the interface action modifier), rebooting the switch might cause the Packet Forwarding Engine daemon (fxpc) to crash and generate core files. PR1037563

  • On QFX5100 Series switches with a large number of firewall terms configured, if an In-Service Software Upgrade (ISSU) is performed from versions 13.2X51-D25 and below to versions 13.2X51-D26 and above, firewall filters configured after this upgrade method will not be programmed. PR1051779

  • In a rare condition, the routing protocol daemon (rpd) might crash and create a core file if there is internal BGP (IBGP) route churn and BGP next hop fails to update. PR1060133

  • On QFX and EX4600 Series switches, moving the integrated routing and bridging (IRB) interface to another routing instance might cause traffic drops because Address Resolution Protocol (ARP) resolution fails. PR1063949

  • On EX4600/QFX Series switches, if you configure a multiple user-vlan-id term in a firewall filter and then apply it, only the first VLAN uses the term entry. PR1065060

VPNs

  • "ESI TLV not received for ifd" seen very often in the logs. There is no service impact. PR1060609

Resolved Issues: Release 14.1X53-D16

General Routing

  • On a QFX5100-48T-6Q switch, the "show chassis hardware" command displays QFX5100-48C-6Q, as shown below:

    --------------------------------
    root@QFX5100-48T> show chassis hardware
    Hardware inventory:
    Item             Version  Part number  Serial number     Description
    Chassis                                TR0214999999      QFX5100-48C-6Q
    --------------------------------

    PR1006271

  • On a QFX Series switch, when you reboot the switch with an enabled 40-Gigabit Ethernet interface, the interface might be disabled after the reboot. As a workaround, remove and then reinsert the attached cable. PR1014139

  • On EX4600 and QFX5100 switches, the Link Aggregation Control Protocol (LACP) in either slow mode or fast mode might go down and then come back up, causing a timeout and a service outage during an In-Service Software Upgrade (ISSU) or a Nonstop Software Upgrade (NSSU). In addition, after the master Routing Engine is rebooted, the switches might experience intermittent traffic loss on non-LAG interfaces, and redundant trunk group (RTG) convergence times might be long. PR1031338

  • To avoid a traffic loop, an ingress check is implemented on the VCP port for ingress traffic coming from an FPC that has been disconnected from the VC or VCF. PR1041995

  • On a QFX5100 switch, issuing the request system reboot command might not shut down the SFP-T interfaces. PR1050650

  • In a mixed-mode Virtual Chassis Fabric with storm control enabled, if autonegotiation is enabled on a 1-gigabit interface (the default setting), the storm-control value for allowed bandwidth might be set to 0, which would cause traffic to be dropped. As a workaround, manually configure the link speed instead of using autonegotiation. PR1051756

  • On a QFX5100-48T switch that uses QSFP+ transceivers (QSFP-40G-SR4), if you upgrade the switch software to Junos OS Release 14.1X53-D15, the QSFP+ transceivers might not be detected after the upgrade. PR1051903

  • Packets are not mirrored when mirror IP address is configured on remote device. PR1052028

  • On QFX Series or EX4600 switches with a primary link as an aggregated Ethernet (AE) interface and a secondary link on a redundant trunk group, if the primary link fails, the secondary link might not take over. PR1052977

  • On EX4300, EX9200, QFX Series, and MX Series platforms, naming a VLAN "vlan-rewrite" causes an error when you commit the configuration. PR1054996

  • On a QFabric system, Terminal Access Controller Access Control System (TACACS+) authentication fails to work in Junos OS Release 14.1X53-D15. Other platforms and other releases are not affected. PR1055775

  • SNMP polling may not work in QFabric with 14.1X53-D15.2 code. PR1058886

  • On a QFabric system, if any QSFP+ optic on a 40-gigabit data plane (fte) uplink port is removed or inserted in a QFX3600 Node device, other fte ports and 40-Gigabit Ethernet (xle) ports might become detached. As a workaround, remove and re-insert the detached optics. PR1060463

  • When you use the SNMP GET request to poll jnxOperatingState for FPCs that are not present on a Virtual Chassis Fabric (VCF) or an EX Series Virtual Chassis, incorrect results are displayed. Non-existent FPCs might be reported to be UP and RUNNING. This issue does not affect SNMP walks. PR1061960

  • On QFX5100 switches, when a Gigabit Ethernet interface on a fiber Small Form-factor Pluggable (SFP) is configured with the speed of 1G, and full duplex and no auto-negotiation are enabled, the interface goes down. PR1063118

  • When a Redundant Trunk Group's (RTG) primary link is down and the backup link is an active link, when the primary link comes back online to once again become the active link, other interfaces using that RTG can drop MAC addresses. This applies to EX4600 and QFX5100 switches, and QFX3500 and QFX3600 switches using Virtual Chassis (VC) or Virtual Chassis Fabric (VCF). PR1063226

Layer 2 Features

  • On QFX Series switches, when a routed VLAN interface is configured with family ISO, the ISO maximum transmission unit (MTU) of the interface is reduced from 1500 (default) to 1497 bytes. Any transit ISO traffic larger than 1497 bytes might be sent to the CPU and cause latency issues. PR955710

  • On QFX Series switches, adding or deleting a subinterface from an aggregated Ethernet (AE) interface might cause momentary packet loss when class of service (CoS) is applied on AE interfaces, even though the traffic is not on this particular AE interface. PR1045466

  • An sfid-bcm memory leak is seen on the RSNG side when an sFlow setting exists, even if that Node does not have a route to the collector. PR1053813

  • On EX4600/QFX switches with a LAG interface enabled, in some rare scenarios, a certain AE member might not inherit the STP FORWARD state from its parent AE interface, so the member interface STP state stays in DISABLE. Consequently, data packets going through the affected member interface are dropped. Disabling and then enabling the faulty member link restores the AE member interface to the correct STP state. PR1059718

Multiprotocol Label Switching (MPLS)

  • On QFX5100/EX4600 switches, DHCP relay packets that have an MPLS tag are dropped on the Routing Engine (RE), so the DHCP client cannot obtain a valid address from the DHCP server. The RE expects pure IP packets, not MPLS packets. With the fix, the MPLS tag is first stripped from the DHCP relay packet, and the pure IP DHCP relay packet is then sent to the RE for further processing. PR1060988

Platform and Infrastructure

  • The CPU utilization value is incorrect in the Cloud Analytics Engine probe response statistics. PR1024840

  • The commit synchronize command fails because the kernel socket gets stuck. PR1027898

  • On QFX Series, EX4300, or EX4600 switches or Virtual Chassis, if you delete aggregated Ethernet (AE) interfaces to which many VLANs are associated, the CPU usage of the Packet Forwarding Engine manager (fxpc/pfex) process might become high. The duration of the high CPU utilization is proportional to the number of AE interfaces deleted. PR1035669

  • On QFX/EX4600 Series switches, when the device receives a large number of Address Resolution Protocol (ARP) request packets at a high rate, ARP reply packet loss might be seen. PR1041195

  • On QFX5100 and EX4600 switches, disabling a member link of an AE interface might cause packets to be sent to a port that is down, which results in traffic loss. As a workaround, to restore service, bring the port that is down back up again. PR1050260

  • On a QFX5100 platform in a standalone/VC/VCF scenario, the Packet Forwarding Engine manager daemon (fxpc) might crash occasionally. This issue might be caused by multiple events (for example, the fxpc process does not handle signals properly, the VC/VCF configuration is changed, or after an NSSU). However, the issue is more likely to happen if any QFX-SFP-1GE-T transceivers are plugged in. PR1055331

  • On QFX/EX4600 Series switches, when double-tagged Dynamic Host Configuration Protocol (DHCP) packets go through a trunk interface whose configured virtual local area network (VLAN) members are bound to a Layer 3 (IRB) interface, the DHCP packets might be dropped. PR1059557

QFabric Systems

  • On EX4300/EX4600/QFX Series switches running Junos OS Release 14.1X53-D10 or later, multicast route aging might not work, which causes stale multicast route entries to remain. PR1053316

  • The SSH sessions are flapping between Junos Space and QFABRIC when it is being managed by SPACE/ND. PR1062750

Routing Protocols

  • On QFX Series switches, if you configure a firewall filter that redirects traffic to a different interface (by using the interface action modifier), rebooting the switch might cause the Packet Forwarding Engine daemon (fxpc) to crash and generate core files. PR1037563

  • In a rare condition, the routing protocol daemon (rpd) might crash and create a core file if there is internal BGP (IBGP) route churn and BGP next hop fails to update. PR1060133

  • On QFX and EX4600 Series switches, moving the integrated routing and bridging (IRB) interface to another routing instance might cause traffic drops because Address Resolution Protocol (ARP) resolution fails. PR1063949

Resolved Issues: Resolved Before Release 14.1X53-D16

Interfaces and Chassis

  • On QFX5100 switches, traffic might be dropped on a 40G channelized port. PR1015221

  • On a QFX5100 switch, after performing an in-service software upgrade (ISSU), Layer 3 traffic might be interrupted on a configured VLAN or IRB interface. PR1014130

Layer 3 Protocols

  • If you perform an in-service software upgrade on a QFX5100 switch with the Virtual Router Redundancy Protocol (VRRP) configured, and there are a large number of VRRP groups or many VRRP transitions, you might see duplicate VRRP my_station_tcam entries. PR1028607

OVSDB

  • If you enter a show configuration command after installing the OVSDB software package (jsdn-i386-release) on a QFX5100 Virtual Chassis or VCF, you see the warning ddl_sequence_number_match: sequence numbers don't match. PR1019087

Software Installation and Upgrade

  • ISSU does not work with VXLANs on QFX5100 switches. PR1024457

VXLAN

  • On a QFX5100 switch with a VXLAN configured, (S,G) interface entries downstream from a VXLAN interface might be missing from the multicast routing table but be present in the kernel and Packet Forwarding Engine. In this circumstance, traffic is forwarded as expected. PR1027119

  • If a 32-member VCF loads the MDconfig without any routes and traffic and receives the nh_comp_msg_parse message, the FXPC might create a core file. PR1029884

  • The interface-mac-limit statement is not supported with VXLANs. If you configure this statement with a VXLAN, MAC learning might not occur and traffic might not be forwarded. In this circumstance, delete the interface-mac-limit statement and the VXLAN configuration, then reconfigure the VXLAN. PR1032552

Documentation Updates

This section lists the errata or changes in Junos OS Release 14.1X53 documentation for QFX Series.

Bridging and Learning

  • Two new MIBs related to MAC notification are provided with Junos OS Release 14.1X53-D10:

    • jnxL2aldMacHistoryEntry

    • jnxL2aldMacNotificationMIBGlobalObjects

    These MIBs are not yet described in the documentation.

Network Management and Monitoring

  • The Network Management and Monitoring on the QFX Series user guide at Junos OS Release 14.1X53-D10 erroneously contained topics that applied to QFabric systems but not to QFX Series standalone switches. Those QFabric systems topics have been removed from the guide.

Virtual Chassis and Virtual Chassis Fabric (VCF)

  • The support plan for the maximum number of member devices in a Virtual Chassis Fabric (VCF) has been revised to support a maximum of 20 devices for all platforms that support VCF. The announcement for 32-device support has been removed from New Features in Junos OS Release 14.1X53-D15 in these release notes.

Migration, Upgrade, and Downgrade Instructions

This section contains the procedure to upgrade Junos OS, and the upgrade and downgrade policies for Junos OS. Upgrading or downgrading Junos OS can take several hours, depending on the size and configuration of the network.

Upgrading to a Controlled Version of Junos OS

Starting in Junos OS Release 14.1X53-D15, you can install a controlled version of Junos OS software on a QFX Series switch. The controlled version of Junos OS software is required to enable Media Access Control security (MACsec).

If you are upgrading your switch between a domestic version of Junos OS and a controlled version of Junos OS, keep the following issues in mind:

  • You cannot use NSSU to upgrade or downgrade from a controlled version of Junos OS to a domestic version of Junos OS.

  • In a Virtual Chassis, all member switches must be running the same release of Junos OS. A Virtual Chassis with member switches that are running domestic and export versions of the same Junos OS release does form.

  • In a Virtual Chassis, all member switches must be running the same release of Junos OS.

    To support MACsec, however, all member switches in the Virtual Chassis must be running the controlled version of Junos OS.

The upgrade or downgrade procedure from a domestic version of Junos OS to a controlled version of Junos OS is, otherwise, identical to any other Junos OS upgrade. See Installing Software Packages on QFX Series Devices for more information.

Upgrading Software on QFX5100 Standalone Switches

When upgrading or downgrading Junos OS, always use the jinstall package. Use other packages (such as the jbundle package) only when so instructed by a Juniper Networks support representative. For information about the contents of the jinstall package and details of the installation process, see the Junos OS Installation and Upgrade Guide and Junos OS Basics in the QFX Series documentation.

Note

In Junos OS Release 14.1X53-D35.3, autonegotiation is disabled by default.

Note

On QFX5100 and EX4600 switches, the Host OS is not upgraded automatically, so you must use the force-host option if you want the Junos OS and Host OS versions to be the same.

However, pay attention to these notes regarding Junos OS and Host OS versions:

  • The Junos OS and Host OS versions do not need to be the same.

  • During an ISSU, the Host OS cannot be upgraded.

  • Upgrading the Host OS is not required for every software upgrade, as noted above.

Note

On QFX5100 and EX4600 switches, you must use the force-host option if you are downgrading from Junos OS Release 14.1X53-D40 to any release earlier than 14.1X53-D40; otherwise, the switch will issue core dumps.

The download and installation process for Junos OS Release 14.1X53-D10 is the same as for previous Junos OS releases.

If you are not familiar with the download and installation process, follow these steps:

  1. In a browser, go to https://www.juniper.net/support/downloads/junos.html.

    The Junos Platforms Download Software page appears.

  2. In the QFX Series section of the Junos Platforms Download Software page, select the QFX Series platform for which you want to download the software.
  3. Select 14.1 in the Release pull-down list to the right of the Software tab on the Download Software page.
  4. In the Install Package section of the Software tab, select the QFX Series Install Package for the 14.1 release.

    An Alert box appears.

  5. In the Alert box, click the link to the PSN document for details about the software, and click the link to download it.

    A login screen appears.

  6. Log in to the Juniper Networks authentication system using the username (generally your e-mail address) and password supplied by Juniper Networks representatives.
  7. Download the software to a local host.
  8. Copy the software to the device or to your internal software distribution site.
  9. Install the new jinstall package on the device.

    Note

    We recommend that you upgrade all software packages out of band using the console, because in-band connections are lost during the upgrade process.

    Customers in the United States and Canada use the following command:

    user@host> request system software add source/jinstall-qfx-5-14.1X53-D25-domestic-signed.tgz reboot

    Replace source with one of the following values:

    • /pathname—For a software package that is installed from a local directory on the switch.

    • For software packages that are downloaded and installed from a remote location:

      • ftp://hostname/pathname

      • http://hostname/pathname

      • scp://hostname/pathname (available only for Canada and U.S. version)

    Adding the reboot option reboots the switch after the upgrade is installed. When the reboot is complete, the switch displays the login prompt. The loading process can take 5 to 10 minutes.

    Rebooting occurs only if the upgrade is successful.

Note

After you install a Junos OS Release 14.1 jinstall package, you can issue the request system software rollback command to return to the previously installed software.
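
The upgrade constraints stated in these notes (ISSU with VXLANs, the Host OS and the force-host option, the 14.1X53-D40 downgrade, the ISSU minimum release, and the allowed source values) can be checked before a change window. The following Python example is added here and is not Juniper code; plan_upgrade, its parameters, and the D35 package name are assumptions made for illustration, and the D40 downgrade note is applied to any 14.1X53 release at or above D40.

```python
import re

# Release strings as written in these notes: "14.1X53-D40", "14.1X53-D35.3".
_REL = re.compile(r"(\d+)\.(\d+)X(\d+)-D(\d+)(?:\.(\d+))?")

def parse_release(text):
    """Return (major, minor, X, D, spin) for the first release string in text."""
    m = _REL.search(text)
    if not m:
        raise ValueError(f"no Junos X-release string in {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def plan_upgrade(current, package, source, issu=False, vxlan=False, match_host_os=False):
    """Return (install_command_or_None, blockers) for the rules in these notes."""
    cur, tgt, d40 = parse_release(current), parse_release(package), parse_release("14.1X53-D40")
    blockers = []
    # Assumption: the D40 downgrade note is applied to any 14.1X53 release >= D40.
    crosses_d40 = cur[:3] == d40[:3] and cur >= d40 and tgt < d40
    force_host = match_host_os or crosses_d40
    if issu:
        if cur < parse_release("13.2X51-D15"):
            blockers.append("ISSU is supported in 13.2X51-D15 and later")
        if vxlan:
            blockers.append("ISSU does not work with VXLANs")
        if force_host:
            blockers.append("Host OS cannot be upgraded during an ISSU")
    if not source.startswith(("/", "ftp://", "http://", "scp://")):
        blockers.append("source must be /pathname, ftp://, http:// or scp://")
    elif source.startswith("scp://") and "-domestic-" not in package:
        blockers.append("scp:// is available only for the Canada and U.S. version")
    if issu or blockers:
        return None, blockers  # the ISSU start command is not built here
    opts = " force-host" if force_host else ""
    return f"request system software add {source.rstrip('/')}/{package}{opts} reboot", blockers

if __name__ == "__main__":
    # Constructed inputs: the D35 package name follows the pattern of the D25 name on the page.
    pkg = "jinstall-qfx-5-14.1X53-D35-domestic-signed.tgz"
    print(plan_upgrade("14.1X53-D40", pkg, "/var/tmp"))
    print(plan_upgrade("14.1X53-D40", pkg, "/var/tmp", issu=True, vxlan=True))
```

An empty blockers list with a returned command means none of the constraints above apply; for an ISSU, the function reports blockers only and leaves the start command to the ISSU procedure.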

Performing an In-Service Software Upgrade (ISSU)

You can use an in-service software upgrade to upgrade the software running on the switch with minimal traffic disruption during the upgrade.

Note

ISSU is supported in Junos OS Release 13.2X51-D15 and later.

Perform the following tasks:

Preparing the Switch for Software Installation

Before you begin software installation using ISSU:

  • Ensure that nonstop active routing (NSR), nonstop bridging (NSB), and graceful Routing Engine switchover (GRES) are enabled. NSB and GRES enable NSB-supported Layer 2 protocols to synchronize protocol information between the master and backup Routing Engines.

    To verify that nonstop active routing is enabled:

    Note

    If nonstop active routing is enabled, then graceful Routing Engine switchover is enabled.

    If nonstop active routing is not enabled (Stateful Replication is Disabled), see Configuring Nonstop Active Routing on Switches for information about how to enable it.

  • Enable nonstop bridging (NSB). See Configuring Nonstop Bridging on Switches (CLI Procedure) for information on how to enable it.

  • (Optional) Back up the system software—Junos OS, the active configuration, and log files—on the switch to an external storage device with the request system snapshot command.

Upgrading the Software Using ISSU

This procedure describes how to upgrade the software running on a standalone switch.

To upgrade the switch using ISSU:

  1. Download the software package by following the procedure in the Downloading Software Files with a Browser section in Installing Software Packages on QFX Series Devices.

  2. Copy the software package or packages to the switch. We recommend that you copy the file to the /var/tmp directory.

  3. Log in to the console connection. Using a console connection allows you to monitor the progress of the upgrade.

  4. Start the ISSU:

    • On the switch, enter:

      where package-name.tgz is, for example, jinstall-132_x51_vjunos.domestic.tgz.

    Note

    During the upgrade, you will not be able to access the Junos OS CLI.

    The switch displays status messages similar to the following messages as the upgrade executes:

    Note

    An ISSU might stop instead of aborting if the FPC is at the warm boot stage. Also, any links that go down and up will not be detected during a warm boot of the Packet Forwarding Engine (PFE).

    Note

    If the ISSU process stops, you can look at the log files to diagnose the problem. The log files are located at /var/log/vjunos-log.tgz.

  5. Log in after the reboot of the switch completes. To verify that the software has been upgraded, enter the following command:

Product Compatibility

Hardware Compatibility

To obtain information about the components that are supported on the devices, and special compatibility guidelines with the release, see the Hardware Guide for the product.

To determine the features supported on QFX Series switches in this release, use the Juniper Networks Feature Explorer, a Web-based application that helps you to explore and compare Junos OS feature information to find the right software release and hardware platform for your network. Find Feature Explorer at: https://pathfinder.juniper.net/feature-explorer/