Changes in Behavior and Syntax

 

This section lists the changes in behavior of Junos OS features and changes in the syntax of Junos OS statements and commands from Junos OS Release 14.1R9 for the M Series, MX Series, and T Series.

Authentication, Authorization and Accounting (AAA)

  • Statement introduced to enforce strict authorization—Starting in Junos OS Release 14.1R6, customers can use the set system tacplus-options strict-authorization statement to enforce strict authorization for users. When a user logs in, Junos OS issues two TACACS+ requests: first the authentication request, then the authorization request. By default, when the TACACS+ server rejects the authorization request, Junos OS disregards the rejection and provides full access to the user. When the set system tacplus-options strict-authorization statement is set, Junos OS denies access to the user if the authorization request fails.

Application Layer Gateways (ALGs)

  • Handling noncompliant IPv6 address in RTSP ALG (MX Series)—Starting in Junos OS Release 14.1, Real-Time Streaming Protocol (RTSP) application-level gateway (ALG) cannot convert a noncompliant IPv6 address in its payload to an IPv4 address. The packet is not dropped, but it is forwarded to the receiving end of RTSP, which decides further processing of the packet.

Class of Service (CoS)

  • Change to TWAMP connection/session—Beginning with Junos OS Release 14.1, a TWAMP connection/session comes up only if the session padding length is greater than or equal to 27 bytes on the TWAMP Client. The valid range of padding length supported by the TWAMP Server is 27 bytes through 1400 bytes.

    If IXIA is used as the TWAMP Client, packet length is supported from 41 bytes through 1024 bytes.

  • Change to interpolated WRED drop probability—In Junos OS Releases 13.2R4, 13.3R2, and 14.1 and later, the interpolated fill level of 0 percent has a drop probability of 0 percent for weighted random early detection (WRED). In earlier Junos OS releases, interpolated WRED can have a nonzero drop probability for a fill level of 0 percent, which can cause packets to be dropped even when the queue is not congested or the port is not oversubscribed.

General Routing

  • Support of as-path-ignore—Starting in Junos OS Release 14.1R8, the as-path-ignore command is supported for routing instances.

High Availability (HA) and Resiliency

  • Unified ISSU support for ATM MIC with SFP (MX Series)—Starting in Junos OS Release 14.1, the ATM MIC with SFP (MIC-3D-8OC3-2OC12-ATM) supports unified ISSU with the following guidelines:

    • The PPP keepalive interval must be 10 seconds or greater. PPP requires three keepalives to fail before it brings down the session. Thirty seconds (10 seconds x 3) provides a safe margin to maintain PPP sessions across the unified ISSU in case of any traffic loss during the operation. Configure the interval with the keepalives statement at the [edit interfaces at-interface-name] or [edit interfaces at-interface-name unit logical-unit-number] hierarchy level.

    • The OAM F5 loopback cell period must be 20 seconds or greater to maintain ATM connectivity across the unified ISSU. Configure the interval with the oam-period statement at the [edit interfaces at-interface-name unit logical-unit-number] hierarchy level.

  • Enhanced show virtual-chassis heartbeat command (MX Series routers with MPCs)—Starting in Junos OS Release 14.1R3, a new state, Detected, has been added to the show virtual-chassis heartbeat command display output. When you configure a heartbeat connection in an MX Series Virtual Chassis, the Detected state indicates that the master Routing Engine in the specified member router has successfully exchanged a heartbeat connection message with the other member router when an adjacency disruption or split occurs in the Virtual Chassis. The Detected state persists until the heartbeat connection is reset, or until the Virtual Chassis forms again and a master router (protocol master) and backup router (protocol backup) are elected.

    In previous releases, the show virtual-chassis heartbeat command displayed the Alive state for both split and merged Virtual Chassis conditions when a heartbeat message was successfully exchanged between the member routers. As a result, the only way to detect whether a heartbeat connection was in use during an adjacency split or disruption was to check for the Heartbt status in the show virtual-chassis status command. The new Detected state in the show virtual-chassis heartbeat command enables you to use a single command to determine whether or not the heartbeat message was successfully exchanged during an adjacency split.

  • Improved command output for determining GRES readiness in an MX Series Virtual Chassis (MX Series routers with MPCs)—Starting in Junos OS Release 14.1R4, the request virtual-chassis routing-engine master switch check command displays the following output when the member routers in a Virtual Chassis are ready to perform a graceful Routing Engine switchover (GRES):

    user@host> request virtual-chassis routing-engine master switch check

    In earlier releases, the request virtual-chassis routing-engine master switch check command displays no output to confirm that the member routers are ready for GRES.

    The output of the request virtual-chassis routing-engine master switch check command has not changed when the member routers are not yet ready for GRES.

Interfaces and Chassis

  • Display revision number of Routing Engines (M Series, MX Series, and T Series)—Beginning with Junos OS Release 14.1, you can use the show system commit revision command to display the revision number of the Routing Engines in a dual Routing Engines-based router.

    A commit error message is issued when overlapping subnets are configured within a logical interface.

  • Changes to DDoS protection policers for PIM and PIMv6 (MX Series routers with MPCs, T4000 with FPC5)—Starting in Junos OS Release 14.1, the default values for bandwidth and burst limits have been reduced for PIM and PIMv6 aggregate policers to prevent starvation of OSPF and other protocols in the presence of high-rate PIM activity.

    Policer Limit      New Value    Old Value
    Bandwidth (pps)    8000         20,000
    Burst (pps)        16,000       20,000

    To see the default and modified values for DDoS protection packet-type policers, issue one of the following commands:

    • show ddos-protection protocols parameters brief—Displays all packet-type policers.

    • show ddos-protection protocols protocol-group parameters brief—Displays only packet-type policers with the specified protocol group.

    An asterisk (*) indicates that a value has been modified from the default.

  • Changes to distributed denial of service statement and command syntax—Starting in Junos OS Release 14.1, the protocol group and packet type syntax has changed for the protocols statement at the [edit system ddos-protection] hierarchy level and for the various show ddos-protection protocols commands.

    The filter-v4 and filter-v6 packet types have been moved from the unclassified protocol group to the new filter-action protocol group.

    The resolve-v4 and resolve-v6 packet types have been removed from the unclassified protocol group. They are replaced by the new mcast-v4, mcast-v6, ucast-v4, and ucast-v6 packet types in the new resolve protocol group.

    Both protocol groups also include an aggregate option for all unclassified packets in the group and an other option for unclassified packets that are not IPv4 or IPv6.

    [See protocols (DDoS) and show ddos-protection protocols.]

  • Deleting PTP clock client (MX104)—Starting with Junos OS Release 14.1, on MX104 routers, when you toggle from a secure slave to an automatic slave or vice versa in the configuration of a Precision Timing Protocol (PTP) boundary clock, you must first delete the existing PTP clock client or slave clock settings and then commit the configuration. You can delete the existing PTP clock client or slave clock settings by using the delete clock-client ip-address local-ip-address local-ip-address statement at the [edit protocols ptp master interface interface-name unicast-mode] hierarchy level. You can then add a new clock client configuration by using the set clock-client ip-address local-ip-address local-ip-address statement at the [edit protocols ptp master interface interface-name unicast-mode] hierarchy level and committing the configuration. However, if you attempt to delete the existing PTP clock client and add the new clock client before committing the configuration, the PTP slave clock remains in the free-run state and does not operate in the auto-select state (to select the best clock source). This behavior is expected when PTP client or slave settings are modified.

  • Disabling distribution of connectivity fault management sessions on aggregated Ethernet interfaces (MX Series)—Starting with Junos OS Release 14.1, connectivity fault management (CFM) sessions operate in distributed mode and are processed on the Flexible PIC Concentrator (FPC) on aggregated Ethernet interfaces by default. Starting with Junos OS Release 14.1, to disable the distribution of CFM sessions on aggregated Ethernet interfaces and to operate in centralized mode, include the no-aggregate-delegate-processing statement at the [edit protocols oam ethernet connectivity-fault-management] hierarchy level.

    [See IEEE 802.1ag OAM Connectivity Fault Management Overview.]

  • Preventing the filtering of packets by ARP policers (MX Series routers with MPCs)—Beginning with Junos OS Release 14.1, you can configure the router to disable the processing of the specified ARP policers on received ARP packets. Disabling ARP policers can expose the system to denial-of-service (DoS) attacks, so we recommend that you exercise caution when disabling them. To prevent the processing of ARP policers on arriving ARP packets, include the disable-arp-policer statement at the [edit interfaces interface-name unit logical-unit-number family inet policer] or the [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number family inet policer] hierarchy level. You can configure this statement only for interfaces with inet address families and on MX Series routers with MPCs. When you disable ARP policers per interface, the packets continue to be policed by the distributed DoS (DDoS) ARP policer. The maximum rate is 10000 pps per FPC.

    [See Network Interfaces, Protocol Family and Interface Address Properties.]
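The following is an added example, not Juniper code: a small audit over `show configuration | display set` output that flags three of the changes described above (TACACS+ servers configured without strict-authorization, DDoS packet types still written under the unclassified group, and interfaces with disable-arp-policer). The sample configuration, addresses, interface names and check names are constructed for illustration.

```python
# Constructed sample: "show configuration | display set" output from a
# hypothetical router; addresses and interface names are illustrative.
SAMPLE_CONFIG = """\
set system tacplus-server 192.0.2.10 port 49
set system ddos-protection protocols unclassified filter-v4 bandwidth 500
set system ddos-protection protocols unclassified resolve-v6 bandwidth 500
set system ddos-protection protocols resolve ucast-v4 bandwidth 500
set interfaces ge-1/0/0 unit 0 family inet policer disable-arp-policer
set interfaces ge-1/0/1 unit 0 family inet address 198.51.100.1/24
"""

# Packet types that left the "unclassified" group in Release 14.1, mapped to
# the replacement syntax given in the release note.
MOVED_FROM_UNCLASSIFIED = {
    "filter-v4": "filter-action filter-v4",
    "filter-v6": "filter-action filter-v6",
    "resolve-v4": "resolve mcast-v4 or resolve ucast-v4",
    "resolve-v6": "resolve mcast-v6 or resolve ucast-v6",
}


def audit(config_text):
    """Return a list of findings (dicts) for a set-format configuration.

    Statements are split on whitespace, which is enough for the keywords
    checked here (quoted values containing spaces are not interpreted).
    """
    stmts = [line.split() for line in config_text.splitlines()
             if line.startswith("set ")]
    findings = []

    # 1. TACACS+ in use, but a rejected authorization request is ignored
    #    unless strict-authorization is set (the default behaviour).
    has_server = any(s[1:3] == ["system", "tacplus-server"] for s in stmts)
    strict = any(
        s[1:4] == ["system", "tacplus-options", "strict-authorization"]
        for s in stmts
    )
    if has_server and not strict:
        findings.append({
            "check": "TACPLUS_AUTHZ_NOT_ENFORCED",
            "where": "system tacplus-options",
            "detail": "authorization rejections are disregarded; "
                      "set system tacplus-options strict-authorization",
        })

    for s in stmts:
        # 2. Pre-14.1 DDoS protection syntax that no longer exists.
        if (s[1:5] == ["system", "ddos-protection", "protocols", "unclassified"]
                and len(s) > 5 and s[5] in MOVED_FROM_UNCLASSIFIED):
            findings.append({
                "check": "DDOS_MOVED_PACKET_TYPE",
                "where": "unclassified " + s[5],
                "detail": "use " + MOVED_FROM_UNCLASSIFIED[s[5]],
            })
        # 3. Per-interface ARP policers disabled; only the DDoS ARP policer
        #    still limits ARP on these units. Also matches logical systems.
        if s[-1] == "disable-arp-policer" and "interfaces" in s:
            i = s.index("interfaces")
            unit = s[i + 3] if s[i + 2:i + 3] == ["unit"] else "?"
            findings.append({
                "check": "ARP_POLICER_DISABLED",
                "where": f"{s[i + 1]}.{unit}",
                "detail": "ARP policed only by the DDoS ARP policer",
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f'{f["check"]:28} {f["where"]:24} {f["detail"]}')
```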

IPv6

  • IPv6 support for SNMP traps (M Series, MX Series, and T Series)—In Release 14.1R3 and later, Junos OS supports IPv6 source addresses of the SNMP traps.

Junos OS XML API and Scripting

  • XML output change for show subscribers summary port command (MX Series)—Starting in Junos OS Release 14.1R9, the display format has changed for the show subscribers summary port command to make parsing the output easier. The output is now displayed as in the following example:

    user@host> show subscribers summary port | display xml

    In earlier releases, that output is displayed as in the following example:

    user@host> show subscribers summary port | display xml

MPLS

  • Enhanced support for GRE interfaces for GMPLS (MX Series)—Starting in Junos OS Release 14.1, on GRE interfaces for Generalized MPLS control channels, you can enable the inner IP header’s ToS bits to be copied to the outer IP packet header. Include the copy-tos-to-outer-ip-header statement at the [edit interfaces gre unit logical-unit-number] hierarchy level. Previously, the copy-tos-to-outer-ip-header statement was supported for GRE tunnel interfaces only.

    [See copy-tos-to-outer-ip-header.]

  • Changes to MPLS protection options—In Junos OS releases earlier than Release 14.1, you can configure both fast reroute and node and link protection on the same LSP. Starting in Junos OS Release 14.1, you can still configure both fast reroute and node and link protection on the same LSP; however, when you attempt to commit a configuration where both features are enabled, a syslog warning message is displayed that states: The ability to configure both fast-reroute and link/node-link protection on the same LSP is deprecated and will be removed in a future release.

  • Enhanced transit LSP statistics collection—Starting in Junos OS Release 14.1R3, RSVP no longer periodically polls for transit LSP statistics. This change does not affect the show mpls lsp statistics command or automatic bandwidth operations for ingress LSPs. To enable the polling and display of transit LSP statistics, include the transit-statistics-polling statement at the [edit protocols mpls statistics] hierarchy level. You cannot enable transit LSP statistics collection if MPLS statistics collection is disabled with the no-transit-statistics statement at the [edit protocols mpls statistics] hierarchy level.

  • Bandwidth underflow sample on LSPs (MX Series)—Starting in Junos OS Release 14.1R9, all zero value bandwidth samples are considered as underflow samples, except for the zero value samples that arrive after an LSP comes up for the first time, and the zero value samples that arrive first after a Routing Engine switchover.

Network Management and Monitoring

  • New system log message indicating the difference in the Packet Forwarding Engine counter value (M Series, MX Series, and T Series)—Effective in Junos OS Release 14.1R3, if the counter value of a Packet Forwarding Engine is reported less than its previous value, then the residual counter value is added to the newly reported value only for that specific counter. In that case, the CLI shows the MIB2D_COUNTER_DECREASING system log message for that specific counter.

    [See MIB2D_COUNTER_DECREASING.]

  • SNMP proxy feature (M Series, MX Series, and T Series)—Starting with Junos OS Release 14.1R6, you must configure the interface <interface-name> statement at the [edit snmp] hierarchy level for the proxy SNMP agent. In previous releases, configuring the interface for the proxy SNMP agent was not mandatory.

  • Enhancement for SONET interval counter (M Series, MX Series, and T Series)—Starting with Junos OS Release 14.1R6, only the Current Day Interval Total output field in the show interfaces interval command for SONET interfaces is reset after 24 hours. In addition, the Previous Day Interval Total output field displays the last updated time in hh:mm.

    [See show interfaces interval.]

  • Improved usage of wildcard in SNMP notify-filter OID (M Series, MX Series, and T Series)—Starting in Junos OS Release 14.1R9, the filter subtree using an asterisk (*) is correctly read as a wildcard character and not as an ASCII value of 42. This issue previously occurred in the following routers:

    • M Series running Junos OS Release 11.4R13.5 and Release 13.3R7-S1

    • ACX2000 Series running Junos OS Release 12.3X54-D20.9

    • MX Series running Junos OS Release 14.1X50-D125

    A sample of the change appears in the output of the show snmp v3 command:

    Old Output

    New Output

    See the SNMP MIB Explorer.

Platform and Infrastructure

  • Increase in length of TACACS messages—Starting in Junos OS Release 14.1R9, the length of TACACS messages allowed on routers running Junos OS has been increased from 8150 to 65,535 bytes.

Routing Policy and Firewall Filters

  • New firewall filter match condition supported on MPCs—Starting in Release 13.3R2, Junos OS supports the gre-key firewall filter match condition on MPC line cards on MX Series 3D Universal Edge Routers. To configure the gre-key firewall filter match condition, include the gre-key statement at the [edit firewall family inet filter filter term term from] hierarchy level.

Routing Protocols

  • Modification to the default BGP extended community value (M Series, MX Series, and T Series)—Starting in Junos OS Release 14.1, the default BGP extended community value used for MVPN IPv4 VRF route import (RT-import) has been modified to the IANA-standardized value. Thus, the default behavior has changed such that the behavior of the mvpn-iana-rt-import statement has become the default. The mvpn-iana-rt-import statement is deprecated; we recommend that you remove it from configurations.

  • Removal of support for provider backbone bridging (MX Series)—Starting with Junos OS Release 14.1, the provider backbone bridging (PBB) capability is disabled and not supported on MX Series routers. The pbb-options statement and its substatements at the [edit routing-instances routing-instance-name] hierarchy level, and the pbb-service-options statement and its substatements at the [edit routing-instances routing-instance-name service-groups service-group-name] hierarchy level are no longer available for configuring customer and provider routing instances for PBB.

  • BGP route advertisement—Starting in Junos OS Release 14.1, if you include the advertise-peer-as statement in a BGP configuration, BGP advertises routes learned from one external BGP (EBGP) peer back to another EBGP peer in the same autonomous system (AS) but not back to the originating peer. In earlier Junos OS releases, if you include the advertise-peer-as statement in the configuration, BGP advertises routes learned from one EBGP peer back to another EBGP peer in the same AS and also to the originating peer.

  • BGP hides a route received with a label block size greater than 256 (M Series, MX Series, and T Series)—Starting with Junos OS Release 14.1R5, when a BGP peer (running Junos OS) sends a route with a label block size greater than 256, the local speaker hides the route and does not re-advertise this route. The output of the show route detail/extensive hidden/all commands displays the hidden route and states the reason as label block size exceeds max supported value. In earlier Junos OS releases, when a peer sent a route with a label block size greater than 256, the routing protocol process (rpd) terminated abnormally.

  • Configuring and establishing targeted sessions with third-party controllers using LDP targeted neighbor (M Series and MX Series)—Starting with Junos OS Release 14.1R5, you can configure LDP targeted neighbor to third-party controllers for applications such as route recorder that want to learn label-FEC bindings of an LSR. LDP targeted neighbor helps to establish a targeted session with controllers for a variety of applications.

  • BGP route is hidden when AS path length is more than the configured maximum AS size—Beginning with Junos OS Release 13.2, BGP hides a route when the length of the AS path does not match the number of ASs in the route update. In earlier Junos OS releases, when a route with AS path size over 2048 was advertised, it could cause session flaps between BGP peers because of the mismatch. Therefore, to avoid session flaps, such routes are now hidden by Junos OS. You can see this behavior when bgp-error-tolerance is configured.

    If you want BGP to advertise the hidden route to an OSPF neighbor, we recommend that you add the AS path statically in the default route configuration. For example:

Security

  • Packet types added for DDoS protection L2TP policers (MX Series with MPCs, T4000 with FPC5)—The following eight packet types have been added to the DDoS protection L2TP protocol group to provide flexibility in controlling L2TP packets:

    cdn

    scccn

    hello

    sccrq

    iccn

    stopccn

    icrq

    unclassified

    Previously, no individual packet types were available for this protocol group and all L2TP packets were policed the same based on the aggregate policer value. The default value for the bandwidth and burst policers for all packet types is 20,000 pps. The default recover-time is 300 seconds for each of the L2TP packet types.

Services Applications

  • Restrictions for maximum blocksize for NAT port block allocation—Beginning with Junos OS Release 14.1, the maximum blocksize for NAT port block allocation (PBA) is 32,000.

  • Support for display of NAT type for EIF flows (MX Series routers with MS-MICs and MS-MPCs)—In the output of the show services sessions extensive command, the Translation Type field displays the value as NAPT-44 for Endpoint Independent Filtering (EIF) flows. Also, the label, EIF, is displayed beside the translation type parameter to enable easy identification of EIF flows.

  • Increased maximum number of logical interfaces for services (MX Series routers with MS-MPCs and MS-MICs)—Until Junos OS Release 13.3, for every media logical interface on which services were configured (interface style services), a logical interface alias was internally created. This interface alias stores the topology chains for features that are performed on the logical interface after an input service was processed to avoid packet loops in the system. With interface aliases, the maximum number of logical interfaces supported with services was reduced to half the supported maximum number because each logical interface consumed two entries, namely, one for the interface itself and the other for the interface alias.

    Starting with Junos OS Release 14.1R4, input interface aliases are not created for MS-MPCs and MS-MICs. As a result, the maximum number of logical interfaces that are supported with services PICs is equal to the maximum number supported on the system. After input service processing by MS-MPCs and MS-MICs, the services PIC sends the packet to the Packet Forwarding Engine on the multiservices (ms-) logical interface where the corresponding service is configured. Post-services are not supported on MS-MPCs and MS-MICs in Junos OS Release 13.2 and later.

  • Interoperation of ingress sampling and PIC-based flow monitoring (MX Series)—If PIC-based flow monitoring is enabled on an ms- logical interface, a commit check error occurs when you attempt to configure ingress traffic sampling on that particular ms- logical interface. This error occurs because a combination of ingress sampling and PIC-based flow monitoring operations on an ms- logical interface causes undesired flow monitoring behavior and might result in repeated sampling of a single packet. You must not configure ingress traffic sampling on ms- logical interfaces on which PIC-based flow monitoring is enabled.

  • Changed range for maximum lifetime for PCP mapping—Starting in Junos OS Release 14.1R5, the range for the maximum lifetime, in seconds, for PCP mapping that you can configure by using the mapping-lifetime-max mapping-lifetime-max statement at the [edit services pcp] hierarchy level is 0 through 4294667. The previous range was 0 through 2147483647.

  • Change in support for service options configuration on service PICs at the MS and AMS interface levels (MX Series)—Starting in Junos OS Release 14.1R4, when a multiservices PIC (ms- interface) is a member interface of an AMS bundle, you can configure the service options to be applied on the interface at only one level at a time, either the ms- interface level or the AMS bundle level, by including the services-options statement at the [edit interfaces interface-name] hierarchy level. You cannot define service options for a service PIC at both the AMS bundle level and at the ms- interface level simultaneously. When you define the service options at the MS level or the AMS bundle level, the service options are applied to all the service sets on the ms- interface or AMS interface defined at ms-fpc/pic/port.logical-unit or amsN, respectively.

  • Generation of mspmand core file for flow control (MX Series with MS-MICs and MS-MPCs)—Starting with Junos OS Release 14.1R5, instead of an eJunos kernel core file, the multiservices PIC management daemon core file is generated when a prolonged flow control occurs and when you configure the setting to generate a core dump during prolonged flow control (by using the dump-on-flow-control option). The watchdog functionality continues to generate a kernel core file in such scenarios.

  • Optional inclusion of Flags in DTCP LIST Messages (MX Series)—Starting in Junos OS Release 14.1R4, the Flags field is not a required parameter in the DTCP LIST message. The LIST request is not rejected if the LIST message does not contain the Flags field. If the DTCP LIST message contains the Flags field, the value of that field is processed. If the LIST message does not contain the Flags field, the CRITERIA field parameter is used for the Flags field.

  • Support for RPM probes for IPv4 and IPv6 sources and targets (TX Matrix Plus)—Starting with Junos OS Release 14.1R5, you can configure the TXP-T1600, TXP-T1600-3D, TXP-T4000-3D, or TXP-Mixed-LCC-3D router as the real-time performance monitoring (RPM) client router (the router or switch that originates the RPM probes), which sends probe packets to the RPM probe server (the device that receives the RPM probes) that contains an IPv4 or IPv6 address. RPM enables you to configure active probes to track and monitor traffic. The support for configuring RPM probes and RPM clients on TX Matrix Plus routers is in addition to the support for RPM that existed on M Series, MX Series, T1600, and T4000 routers in previous releases.

  • Changes in the format of session open and close system log messages (MX Series router with MS-MICs and MS-MPCs)—Starting with Junos OS Release 14.1R5, with the Junos OS Extension-Provider packages installed and configured on the device for MS-MPCs and MS-MICs, the formats of the MSVCS_LOG_SESSION_OPEN and MSVCS_LOG_SESSION_CLOSE system log messages are modified to toggle the order of the destination IPv4 address and destination port address displayed in the log messages to be consistent and uniform with the formats of the session open and close logs of MS-DPCs.

    The following shows the modified format of the MSVCS_LOG_SESSION_OPEN and MSVCS_LOG_SESSION_CLOSE system log messages:

    month date hh:mm:ss syslog-server-ip-address yyyy-mm-dd hh:mm:ss {NAT-type}<MSVCS_LOG_SESSION_CLOSE or MSVCS_LOG_SESSION_OPEN>:App: application, source-interface-name fpc/pic/port\address in hexadecimal format source-address:source-port source-nat-information -> destination-address:destination-port destination-nat-information (protocol-name)

    The following shows an example of the session closure message generated for MS-MPCs and MS-MICs:

    Nov 26 13:00:07 10.137.159.1 2014-11-26 07:22:44: {Dynamic-NAT-64-SS-NHS-1}MSVCS_LOG_SESSION_CLOSE: application:none, ae4.454 2402:8100:1:160:1:2:d384:463c:36822 [49.14.64.37:12261] -> [141.101.120.14] 64:ff9b::8d65:780e:80 (TCP)

  • Change in the test-interval range for RPM tests (MX Series)—Starting in Junos OS Release 14.1R6, the minimum period for which the RPM client waits between two tests (configured by using the test-interval interval statement at the [edit services rpm probe owner test test-name] hierarchy level) is modified to be 1 second instead of 0 seconds. Also, if you do not configure the test interval, the default value is 0 seconds. A test interval of 0 seconds causes the RPM test to stop after one iteration.
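The following is an added example, not Juniper code: a parser for the MSVCS_LOG_SESSION_OPEN and MSVCS_LOG_SESSION_CLOSE format described above, run against the sample session closure line from this section. It accepts the bracketed NAT field on either side of the address:port token, because the format line and the sample line place it differently on the destination side; the function names and the NAT64 consistency check are assumptions of this example.

```python
import ipaddress
import re

# Sample line copied from the release note above (MS-MPC/MS-MIC session close).
SAMPLE = (
    "Nov 26 13:00:07 10.137.159.1 2014-11-26 07:22:44: "
    "{Dynamic-NAT-64-SS-NHS-1}MSVCS_LOG_SESSION_CLOSE: application:none, "
    "ae4.454 2402:8100:1:160:1:2:d384:463c:36822 [49.14.64.37:12261] -> "
    "[141.101.120.14] 64:ff9b::8d65:780e:80 (TCP)"
)

LINE_RE = re.compile(
    r"^(?P<syslog_ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<reporter>\S+) "
    r"(?P<event_ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}):? "
    r"\{(?P<nat_type>[^}]*)\}\s*"
    r"(?P<event>MSVCS_LOG_SESSION_(?:OPEN|CLOSE)):\s*"
    r"(?P<app>[^,]*),\s*"
    r"(?P<ifname>\S+) "
    r"(?P<src>.+?) -> (?P<dst>.+?) "
    r"\((?P<proto>[^)]+)\)\s*$"
)

NAT64_WKP = ipaddress.ip_network("64:ff9b::/96")  # RFC 6052 well-known prefix


def split_endpoint(token):
    """Split 'address:port' on the LAST colon so IPv6 literals stay intact."""
    host, sep, port = token.rpartition(":")
    if not sep:
        raise ValueError(f"no port in {token!r}")
    return ipaddress.ip_address(host), int(port)


def parse_nat(text):
    """Bracketed NAT info appears with and without a port in the sample line.

    Assumption: the bracketed value is IPv4, as in the sample. A bracketed
    IPv6 address followed by a port would be read as an address with no port.
    """
    try:
        return ipaddress.ip_address(text), None
    except ValueError:
        return split_endpoint(text)


def parse_side(side):
    """Parse one side of '->': a bare address:port plus optional [nat-info]."""
    out = {"addr": None, "port": None, "nat_addr": None, "nat_port": None}
    for token in side.split():
        if token.startswith("[") and token.endswith("]"):
            out["nat_addr"], out["nat_port"] = parse_nat(token[1:-1])
        else:
            out["addr"], out["port"] = split_endpoint(token)
    if out["addr"] is None:
        raise ValueError(f"no address:port token in {side!r}")
    return out


def parse_session_log(line):
    """Return a dict for one session log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    try:
        rec["src"] = parse_side(rec["src"])
        rec["dst"] = parse_side(rec["dst"])
    except ValueError:
        return None
    # "application:none" in the sample, "App: application" in the format line.
    rec["app"] = rec["app"].rpartition(":")[2].strip()
    return rec


def nat64_consistent(rec):
    """For a destination inside 64:ff9b::/96, check that the embedded IPv4
    address equals the bracketed translated address. None if not applicable."""
    dst = rec["dst"]
    if (dst["addr"].version != 6 or dst["addr"] not in NAT64_WKP
            or dst["nat_addr"] is None):
        return None
    embedded = ipaddress.IPv4Address(int(dst["addr"]) & 0xFFFFFFFF)
    return embedded == dst["nat_addr"]


if __name__ == "__main__":
    record = parse_session_log(SAMPLE)
    print(record["event"], record["src"], record["dst"], nat64_consistent(record))
```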

Subscriber Management and Services

Note

Although present in the code, the subscriber management features are not supported in Junos OS Release 14.1R8. Documentation for subscriber management features is included in the Junos OS Release 14.1 documentation set.

  • CLI prompt to confirm clearing of all current PPPoE subscriber sessions (M Series, MX Series, and T Series)—Starting in Junos OS Release 14.1, when you enter the clear pppoe sessions command and fail to include the name of an interface associated with the subscriber session that you want to gracefully terminate, the CLI prompts you to confirm that you want to clear all current PPPoE subscriber sessions. In earlier releases, the CLI does not prompt you and instead immediately terminates all the sessions.

  • Change to unicast reverse path forwarding (RPF) check and filter-based forwarding (FBF) compatibility (MX Series)—Starting in Junos OS Release 14.1, the unicast RPF check is compatible with FBF actions. uRPF check is processed for source address checking before any FBF actions are enabled for static and dynamic interfaces. This applies to both IPv4 and IPv6 families.

  • Support for processing Cisco VSAs in RADIUS messages for service provisioning—Starting with Junos OS Release 14.1, Cisco VSAs are supported for provisioning and management of services in RADIUS messages, in addition to the supported Juniper Networks VSAs for administration of subscriber sessions. In a deployment in which customer premises equipment (CPE) is connected over an access network to a broadband remote access gateway, the Steel-Belted Radius Carrier (SBRC) application might be used as the authentication and accounting server using RADIUS as the protocol, and the Cisco BroadHop application might be used as the Policy Control and Charging Rules Function (PCRF) server for provisioning services using RADIUS change of authorization (CoA) messages. Both the SBRC and the Cisco BroadHop servers are considered to be connected with the broadband gateway in such a topology.

    By default, service accounting is disabled. If you configure service accounting using both RADIUS attributes and the CLI interface, the RADIUS setting takes precedence over the CLI setting. To enable service accounting using the CLI, include the accounting statement at the [edit access profile profile-name service] hierarchy level. To enable interim service accounting updates and configure the amount of time that the router waits before sending a new service accounting update, include the update-interval minutes statement at the [edit access profile profile-name service accounting] hierarchy level.

    You can configure the router to collect time statistics, or both volume and time statistics, for the service accounting sessions being managed by AAA. To configure the collection of statistical details that are time-based only, include the statistics time statement at the [edit access profile profile-name service accounting] hierarchy level. To configure the collection of statistical details that are both volume-based and time-based, include the statistics volume-time statement at the [edit access profile profile-name service accounting] hierarchy level.

  • Specifying the UDP port for RADIUS dynamic-request servers—Beginning with Junos OS Release 14.1, you can define the UDP port number to configure the port on which the router that functions as the RADIUS dynamic-request server must receive requests from RADIUS servers. By default, the router listens on UDP port 3799 for dynamic requests from remote RADIUS servers. You can configure the UDP port number to be used for dynamic requests for a specific access profile or for all of the access profiles on the router. To define the UDP port number, include the dynamic-request-port port-number statement at the [edit access profile profile-name radius-server server-address] or [edit access radius-server server-address] hierarchy level.

  • Support for applying access profiles to DHCP local server and DHCP relay agent—Access profiles enable you to specify subscriber access authentication and accounting parameters. After access profiles are created, you can attach them at the [edit system services dhcp-local-server] hierarchy level on a DHCP local server for DHCP or DHCPv6 subscribers and at the [edit forwarding-options dhcp-relay] hierarchy level on a DHCP relay agent for DHCP or DHCPv6 subscribers, group of subscribers, or group of interfaces.

    If you configured a global access profile at the [edit access profile profile-name] hierarchy level for all DHCP or DHCPv6 clients on a router that functions as a DHCP local server or a DHCP relay agent, the access profile configured at the [edit system services dhcp-local-server] or [edit system services dhcp-local-server dhcpv6] hierarchy level on a DHCP local server for DHCP or DHCPv6 subscribers and at the [edit forwarding-options dhcp-relay] or [edit forwarding-options dhcp-relay dhcpv6] hierarchy level on a DHCP relay agent for DHCP or DHCPv6 subscribers takes precedence over the global access profile.

    Configuring an access profile for DHCP subscribers at the DHCP relay agent level or the DHCP local server level provides you with the flexibility and effectiveness of enabling DHCP authentication and accounting for specific subscribers instead of enabling them at a global level. If no access profile is configured at the DHCP relay agent level or the DHCP local server level, the global access profile becomes effective.

  • Support for specifying preauthentication port and password—Starting in Junos OS Release 14.1, you can configure a router that operates as the RADIUS client to contact a RADIUS server for authentication and preauthentication requests on two different UDP ports and using different secret passwords. Similar to configuring the port numbers for authentication and accounting requests, you can define a unique port number that the router uses to contact the RADIUS server for logical line identification (LLID) preauthentication requests. You can also define a unique password for preauthentication requests. If you do not configure a separate UDP port or secret for preauthentication purposes, the same UDP port and secret that you configure for authentication messages are used.

    To configure a unique UDP port number to be used to contact the RADIUS server for preauthentication requests, include the preauthentication-port port-number statement at the [edit access radius-server server-address] or [edit access profile profile-name radius-server server-address] hierarchy level.

    To configure the password to be used to contact the RADIUS preauthentication server, include the preauthentication-secret password statement at the [edit access radius-server server-address] or [edit access profile profile-name radius-server server-address] hierarchy level.

    The output of the show network-access aaa radius-servers command has been enhanced to display the preauthentication port number. The output of the show network-access aaa radius-servers detail command has been enhanced to display statistical information on the RADIUS messages exchanged during the preauthentication phase and the port number used for preauthentication.

  • On-demand IPv4 address re-allocation for dual-stack PPP subscribers—Beginning in Junos OS Release 14.1R4, the behavior of the on-demand IPv4 address re-allocation process when there are no IPv4 addresses available is changed. During IPv4 address negotiation, if the RADIUS server sends an Access-Reject response to the broadband network gateway (BNG) that includes the Unisphere-ipv4-release-control VSA, the BNG sends an IPCP terminate request to the CPE. The CPE is then allowed to renegotiate NCP and request another IP address without the need to renegotiate the link.

  • LAC configuration no longer required for L2TP tunnel switching with RADIUS attributes (MX Series)—Starting in Junos OS Release 14.1R5, when you use Juniper Networks VSA 26-91 to provide tunnel profile information for L2TP tunnel switching, you no longer have to configure a tunnel profile on the LAC. In earlier releases, tunnel switching failed when you did not also configure the LAC, even when the RADIUS attributes were present.
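
The port and secret fallbacks described in the RADIUS items above can be checked against a saved configuration. The following Python sketch is an added example, not Juniper code: it reads constructed set-format lines (the addresses, the profile name SUBS and the secrets are placeholders) and reports the effective ports per server, assuming the standard RADIUS authentication port 1812 when no port statement is present.

```python
import re

DEFAULT_DYNAMIC_REQUEST_PORT = 3799  # default stated in the release note
ASSUMED_AUTH_PORT = 1812             # assumption: standard RADIUS authentication port

# Constructed sample in set format; addresses and secrets are placeholders.
SAMPLE_CONFIG = '''
set access radius-server 192.0.2.10 port 1812
set access radius-server 192.0.2.10 secret "EXAMPLE-AUTH"
set access radius-server 192.0.2.10 dynamic-request-port 50000
set access profile SUBS radius-server 192.0.2.20 secret "EXAMPLE-AUTH"
set access profile SUBS radius-server 192.0.2.20 preauthentication-port 1850
set access profile SUBS radius-server 192.0.2.20 preauthentication-secret "EXAMPLE-PRE"
'''

LINE = re.compile(
    r'^set access (?:profile (?P<profile>\S+) )?radius-server (?P<server>\S+) '
    r'(?P<key>port|secret|dynamic-request-port|preauthentication-port|'
    r'preauthentication-secret) (?P<value>.+)$')

def effective_radius_settings(config_text):
    """Return {(scope, server): effective settings} for each radius-server.
    Each scope (global or one access profile) is evaluated on its own."""
    raw = {}
    for line in config_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            scope = m['profile'] or 'global'
            raw.setdefault((scope, m['server']), {})[m['key']] = m['value'].strip('"')
    report = {}
    for key, cfg in raw.items():
        auth_port = int(cfg.get('port', ASSUMED_AUTH_PORT))
        report[key] = {
            'auth_port': auth_port,
            # Fallback from the note: unset preauthentication values reuse
            # the port and secret configured for authentication.
            'preauth_port': int(cfg.get('preauthentication-port', auth_port)),
            'preauth_uses_auth_secret': 'preauthentication-secret' not in cfg,
            # UDP port the router listens on for dynamic requests.
            'dynamic_request_port': int(cfg.get('dynamic-request-port',
                                                DEFAULT_DYNAMIC_REQUEST_PORT)),
        }
    return report

if __name__ == '__main__':
    for (scope, server), eff in effective_radius_settings(SAMPLE_CONFIG).items():
        print(scope, server, eff)
```

The dynamic_request_port value is the listener to cover in firewall filters that protect the Routing Engine, and preauth_uses_auth_secret marks servers where one shared secret protects both request types.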

User Interface and Configuration

  • Configuring regular expressions (M Series, MX Series, and T Series)—In all supported Junos OS releases, you can no longer configure regular expressions if they require more than 64 MB of memory or more than 256 recursions for parsing.

    This change in the behavior of Junos OS is in line with the FreeBSD limit. The change was made in response to a known resource consumption vulnerability that allows an attacker to cause a denial of service (resource exhaustion) by using regular expressions containing adjacent repetition operators or adjacent bounded repetitions. Junos OS uses regular expressions in several places within the CLI. Exploitation of this vulnerability can cause the Routing Engine to crash, leading to a partial denial of service. Repeated exploitation can result in an extended partial outage of services provided by the routing protocol process (rpd).

  • Change in show route protocol evpn output—In all supported Junos OS releases prior to Release 14.1, the output of the command show route protocol evpn does not provide any information for correlating the routes installed in the forwarding plane with routes exchanged in the signaling plane.

    Starting with Junos OS Release 14.1, the command show route protocol evpn output provides additional correlation detail between forwarding plane and signaling plane routes.

    [See show route protocol.]

  • New warning message for the configuration changes to extend-size (M Series, MX Series, and T Series)—Starting with Junos OS Release 14.1R6, any operation on the system configuration-database extend-size configuration statement, such as deactivate, delete, or set, generates the following warning message:

    Change in 'system configuration-database extend-size' will be effective at next reboot only.
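
The adjacent repetition operators and adjacent bounded repetitions named in the regular-expression item above can be flagged in a pattern before it is configured. This is an added Python example, not part of Junos OS: it assumes POSIX extended syntax, the function name is hypothetical, and the sample patterns are constructed.

```python
import re

BOUND = re.compile(r'\{\d+(?:,\d*)?\}')  # {m}, {m,} or {m,n}

def adjacent_repetitions(pattern):
    """Return (offset, operator) for every repetition operator that directly
    follows another one. Assumes POSIX ERE, so '*?' is not a lazy modifier."""
    findings = []
    i, prev_was_rep = 0, False
    while i < len(pattern):
        ch = pattern[i]
        if ch == '\\':                    # escaped character is a literal atom
            i, prev_was_rep = i + 2, False
            continue
        if ch == '[':                     # skip the bracket expression as one atom
            j = i + 1
            if j < len(pattern) and pattern[j] == '^':
                j += 1
            if j < len(pattern) and pattern[j] == ']':
                j += 1                    # a leading ']' is a literal member
            end = pattern.find(']', j)
            i = len(pattern) if end == -1 else end + 1
            prev_was_rep = False
            continue
        bound = BOUND.match(pattern, i) if ch == '{' else None
        if ch in '*+?' or bound:
            op = bound.group(0) if bound else ch
            if prev_was_rep:              # operator applied to another operator
                findings.append((i, op))
            i, prev_was_rep = i + len(op), True
            continue
        i, prev_was_rep = i + 1, False    # ordinary atom, group or anchor
    return findings

# Constructed sample patterns: the first is clean, the other two are flagged.
SAMPLES = ['^ge-[0-9]+/[0-9]+/[0-9]+$', 'ab**', 'x{2,3}{2,3}']

if __name__ == '__main__':
    for p in SAMPLES:
        print(repr(p), adjacent_repetitions(p))
```

The check covers only the adjacency named in the note; it does not estimate the 64 MB memory or 256-recursion limits.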

VLAN Infrastructure

  • Applying VLAN check with vlan-id all configured (MX Series)—Frames with VLAN identifier tags configured might have their inner or outer VLAN identifiers checked at egress. However, the exact circumstances of the VLAN check vary with configuration parameters.

    In particular, for a routing instance or bridge domain with the vlan-id all statement configured, the VLAN check is enabled only under the following conditions:

    • If the routing instance or bridge domain has the vlan-id all statement configured and there is a discrete outer VLAN identifier configured (that is, the logical interface is single tagged), then the VLAN check is enabled for the outer VLAN identifier.

    • If the routing instance or bridge domain has the vlan-id all statement configured and the inner VLAN identifier is a range, then the VLAN check is enabled for the inner VLAN identifier range.

    • If the routing instance or bridge domain has the vlan-id all statement configured and the outer VLAN identifier is a range, then the VLAN check is enabled for the outer VLAN identifier range.

    • If the routing instance or bridge domain has the vlan-id all statement configured and there is a discrete inner VLAN identifier (that is, the logical interface is dual-tagged), then the VLAN check is enabled for the inner VLAN identifier value.

VPNs

  • Group VPN ike proposal commit check (M Series, MX Series, and T Series)—Starting in Junos OS Release 14.1, the proposals option for the policy statement under the following hierarchies is mandatory and is checked on a commit:

    Prior to Junos OS Release 14.1, the proposals option was not checked on a commit.

  • New output field added to the show route forwarding-table family vpls command—Starting in Junos OS Release 14.1, the show route forwarding-table family vpls command output contains an extra field to show “Enabled Protocols” for a routing table instance. The following sample output of the show route forwarding-table family vpls command shows the Enabled Protocols field when broadcast, unknown unicast, and multicast (BUM) hashing is enabled by configuring the bum-hashing statement at the [edit routing-instances green protocols vpls] hierarchy level:

    user@host> show route forwarding-table family vpls

    The following sample output of the show route forwarding-table family vpls command shows the Enabled Protocols field when broadcast, unknown unicast, and multicast (BUM) hashing is enabled by configuring the bum-hashing statement at the [edit routing-instances green protocols vpls] hierarchy level and MAC statistics is enabled by configuring the mac-statistics statement at the [edit routing-instances green protocols vpls] hierarchy level:

    user@host> show route forwarding-table family vpls

  • EVPN interface status commit check—Starting in Junos OS Release 14.1, there is a commit check enforced for disabled interfaces in EVPN-type routing instances and for bridge domains that have EVPN configured.

    Prior to Junos OS Release 14.1, a warning stating "interface not defined" was displayed when using the show routing-instance or show routing-instance instance-name configuration command at the [edit] hierarchy level, but later commits still succeeded.

  • XML validate output for show evpn mac-table command (MX Series)—Starting in Junos OS Release 14.1R7, the XML output has changed when entering the display xml validate option for the following show commands:

    • show bridge mac-table

    • show evpn mac-table

    • show vpls mac-table

    In earlier releases, these show commands generated an XML invalid error in the output. Additionally, two new XML tags have been added to the XML output: l2-mac-entry and l2-mac-entry-pvlan.

    Note

    You must update any existing scripts that are capturing XML tags.