
Changes in Behavior and Syntax

This section lists the changes in behavior of Junos OS features and changes in the syntax of Junos OS statements and commands from Junos OS Release 14.2R8 for the M Series, MX Series, and T Series.

Authentication, Authorization, and Accounting

  • Statement introduced to enforce strict authorization—Starting in Junos OS Release 14.2R4, you can use the set system tacplus-options strict-authorization statement to enforce strict authorization for users. When a user logs in, Junos OS issues two TACACS+ requests: first the authentication request, then the authorization request. By default, when the TACACS+ server rejects the authorization request, Junos OS disregards the rejection and provides full access to the user. When the set system tacplus-options strict-authorization statement is configured, Junos OS denies access to the user if the authorization request fails.
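
    The default described above is fail-open, so a configuration audit should flag devices that use TACACS+ without the statement. The following check is an added example, not Juniper code; it assumes the configuration is supplied in display set form, and the sample configurations, server address, and function name are constructed for illustration.

```python
# Added example: audit a Junos "display set" configuration for fail-open
# TACACS+ authorization. All sample configurations below are constructed.

STRICT_PATH = ("system", "tacplus-options", "strict-authorization")

# Constructed sample: TACACS+ is in use but strict-authorization is absent,
# so a rejected authorization request is disregarded (the default behavior).
FAIL_OPEN_CONFIG = """\
set system authentication-order tacplus
set system authentication-order password
set system tacplus-server 192.0.2.10 secret "$9$constructed-placeholder"
set system tacplus-options service-name junos-exec
"""

# Constructed sample: the same device with the 14.2R4 statement configured.
STRICT_CONFIG = FAIL_OPEN_CONFIG + (
    "set system tacplus-options strict-authorization\n"
)

# Constructed sample: the statement is present but inactive, so it has no effect.
DEACTIVATED_CONFIG = STRICT_CONFIG + (
    "deactivate system tacplus-options strict-authorization\n"
)


def audit_tacplus_authorization(config_text):
    """Classify how a set-format configuration handles TACACS+ authorization.

    Returns a dict with:
      status  - "not-applicable" (no TACACS+ server configured),
                "fail-open" (authorization rejections are disregarded), or
                "strict" (access is denied when authorization fails)
      servers - sorted list of configured TACACS+ server addresses
      tacplus_in_auth_order - whether authentication-order lists tacplus

    Limitation: statements inherited from configuration groups and
    deactivated tacplus-server entries are not resolved here.
    """
    servers = set()
    in_auth_order = False
    strict_set = False
    strict_inactive = False

    for line in config_text.splitlines():
        tokens = line.split()
        if len(tokens) < 2:
            continue
        verb, path = tokens[0], tuple(tokens[1:])

        if verb == "set":
            if path[:2] == ("system", "tacplus-server") and len(path) >= 3:
                servers.add(path[2])
            elif path == ("system", "authentication-order", "tacplus"):
                in_auth_order = True
            elif path == STRICT_PATH:
                strict_set = True
        elif verb == "deactivate":
            # Deactivating the statement, or any parent of it, disables it.
            if path == STRICT_PATH[:len(path)]:
                strict_inactive = True

    if not servers:
        status = "not-applicable"
    elif strict_set and not strict_inactive:
        status = "strict"
    else:
        status = "fail-open"

    return {
        "status": status,
        "servers": sorted(servers),
        "tacplus_in_auth_order": in_auth_order,
    }


if __name__ == "__main__":
    samples = (
        ("fail-open sample", FAIL_OPEN_CONFIG),
        ("strict sample", STRICT_CONFIG),
        ("deactivated sample", DEACTIVATED_CONFIG),
    )
    for name, text in samples:
        print(name, audit_tacplus_authorization(text))
```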

General Routing

  • The as-path-ignore command is supported for routing instances starting with Junos OS Release 14.1R8 and 14.2R7.
  • Modified output of the clear services sessions | display xml command (MX Series)—In Junos OS Release 14.1X55-D30, the output of the clear services sessions | display xml command is modified to include the <sess-marked-for-deletion> tag instead of the <sess-removed> tag. In releases before Junos OS Release 14.1X55-D30, the output of this command includes the <sess-removed> tag. The replacement of the <sess-removed> tag with the <sess-marked-for-deletion> tag aims at establishing consistency with the output of the clear services sessions command that includes the field Sessions marked for deletion.

High Availability (HA) and Resiliency

  • Enhanced show virtual-chassis heartbeat command (MX Series with MPCs)—Starting in Junos OS Release 14.2, a new state, Detected, has been added to the show virtual-chassis heartbeat command display output. When you configure a heartbeat connection in an MX Series Virtual Chassis, the Detected state indicates that the master Routing Engine in the specified member router has successfully exchanged a heartbeat connection message with the other member router when an adjacency disruption or split occurs in the Virtual Chassis. The Detected state persists until the heartbeat connection is reset, or until the Virtual Chassis forms again and a master router (protocol master) and backup router (protocol backup) are elected.

    In previous releases, the show virtual-chassis heartbeat command displayed the Alive state for both split and merged Virtual Chassis conditions when a heartbeat message was successfully exchanged between the member routers. As a result, the only way to detect whether a heartbeat connection was in use during an adjacency split or disruption was to check for the Heartbt status in the show virtual-chassis status command. The new Detected state in the show virtual-chassis heartbeat command enables you to use a single command to determine whether or not the heartbeat message was successfully exchanged during an adjacency split.

    [See show virtual-chassis heartbeat.]

  • Improved command output for determining GRES readiness in an MX Series Virtual Chassis (MX Series with MPCs)—Starting in Junos OS Release 14.2R3, the request virtual-chassis routing-engine master switch check command displays the following output when the member routers in a Virtual Chassis are ready to perform a graceful Routing Engine switchover (GRES):
    {master:member0-re0}
    user@host> request virtual-chassis routing-engine master switch check
    Switchover Ready

    In earlier releases, the request virtual-chassis routing-engine master switch check command displays no output to confirm that the member routers are ready for GRES.

    The output of the request virtual-chassis routing-engine master switch check command has not changed when the member routers are not yet ready for GRES.

Interfaces and Chassis

  • Distributed denial-of-service protection policer added for system log messages (MX Series)—Starting in Junos OS Release 14.2, a new protocol-group policer is available for system log messages. This aggregate policer controls UDP traffic on port 6333, where the system log server runs on a Routing Engine. In a network where the local Routing Engine is the system log server, you can use this policer to control the rate at which system log messages reach the Routing Engine. You can configure values appropriate for your network environment at the [edit system ddos-protection protocols syslog aggregate] hierarchy level. The syslog policer is enabled by default, with a default bandwidth of 2000 packets per second and a default burst of 10,000 packets.
  • Support for LLDP frames on management interfaces (MX Series)—Starting with Junos OS Release 14.2, LLDP protocol can be enabled on management interfaces (fxp0 and me0) by including the interface interface-name statement or the interface all statement at the [edit protocols lldp] and [edit routing-instances routing-instance-name protocols lldp] hierarchy levels. The outputs of various LLDP show commands have been enhanced to display the LLDP specific local and remote neighbor information on these management ports, if LLDP is enabled on these ports.
  • Support for auto-10m-100m speed option on Tri-rate MIC (MX Series)—In Junos OS Release 14.2R7, a new option, auto-10m-100m, is introduced for the speed statement to allow the fixed tri-speed port to autonegotiate with ports that support a maximum of 100 Mbps or 10 Mbps. When you configure the speed auto-10m-100m statement on the Tri-rate MIC, it advertises only 10 Mbps and 100 Mbps speeds. The MIC then autonegotiates either speed on the basis of peer port advertisement.

    This option is supported on MX Series routers with Tri-rate MICs (model number: MIC-3D-40GE-TX) only.

  • Support for fabric self-pings and Packet Forwarding Engine liveness in single-chassis systems (T Series)—Starting in Junos OS Release 14.2R6, T Series single-chassis systems support the fabric self-ping and Packet Forwarding Engine liveness mechanisms to detect fabric degradation and avoid a traffic black hole. If any error is detected by these two mechanisms, the fabric manager raises a fabric degraded alarm and initiates recovery by restarting the FPC. In a single-chassis system, FPC restart is enabled by default, unlike in a multichassis system where FPC restart is disabled by default.
  • Change in show interfaces queue remaining-traffic command output (MX Series)—Starting in Junos OS Release 14.2R8, the show interfaces queue remaining-traffic command displays egress remaining queue statistics on aggregated Ethernet interfaces on MX Series routers.

IPv6

  • IPv6 addresses with padded zeros in MIC or MS-MPC system log messages (M Series, MX Series, and T Series)—Starting with Junos OS Release 14.2R4, all system log messages originating from MIC or MS-MPC line cards display padded zeros in IPv6 addresses to make them compatible with MS-DPC line cards. Earlier, the system log messages from MIC or MS-MPC line cards displayed IPv6 addresses with '::' instead of padded zeros.

Junos OS XML API and Scripting

  • Escaping of special XML characters required for request_login (M Series, MX Series, and T Series)—Beginning with Junos OS Release 14.2R4, you must escape any special characters in the username and password elements of a request_login XML RPC request. The following five symbols are considered special characters: greater than (>), less than (<), single quote ('), double quote ("), and ampersand (&). Both entity references and character references are acceptable escape sequence formats. For example, &amp; and &#38; are valid representations of an ampersand. Previously no escaping of these characters was required.
  • XML output change for show subscribers summary port command (MX Series)—Starting in Junos OS Release 14.2R8, the display format has changed for the show subscribers summary port command to make parsing the output easier. The output is now displayed as in the following example:
    user@host> show subscribers summary port | display xml
    <rpc-reply xmlns:junos="http://xml.juniper.net/junos/16.1R2/junos">
        <subscribers-summary-information xmlns="http://xml.juniper.net/junos/16.1R2/junos-subscribers">
            <counters junos:style="port-summary">
                <port-name>ge-1/2/0</port-name>
                <port-count>1</port-count>
             </counters>
            <counters junos:style="port-summary">
                <port-name>ge-1/2/1</port-name>
                <port-count>1</port-count>
             </counters>
    </rpc-reply>

    In earlier releases, that output is displayed as in the following example:

    user@host> show subscribers summary port | display xml
    <rpc-reply xmlns:junos="http://xml.juniper.net/junos/16.1R2/junos">
        <subscribers-summary-information xmlns="http://xml.juniper.net/junos/16.1R2/junos-subscribers">
            <counters junos:style="port-summary">
                <port-name>ge-1/2/0</port-name>
                <port-count>1</port-count>
                <port-name>ge-1/2/1</port-name>
                <port-count>1</port-count>
            </counters>
    </rpc-reply>
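
    For the request_login escaping requirement described earlier in this section, the following added example (not Juniper code) builds the request with both accepted escape formats and shows what an XML parser recovers when a client sends raw values. The rpc/request-login/username/challenge-response element layout, the function names, and the sample credentials are assumptions made for illustration.

```python
# Added example: escaping credentials for a request-login RPC.
# Element names and sample credentials are assumptions, not from the page.
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# The five characters the release note lists. escape() already handles
# &, < and >; the two quote characters are added through this mapping.
QUOTE_ENTITIES = {'"': "&quot;", "'": "&apos;"}
SPECIAL = set("<>&'\"")

RPC_TEMPLATE = (
    "<rpc><request-login>"
    "<username>{user}</username>"
    "<challenge-response>{password}</challenge-response>"
    "</request-login></rpc>"
)

# Constructed sample credentials containing four of the five characters.
SAMPLE_USER = "ops'admin"
SAMPLE_PASSWORD = 'p&ss<w0rd>"1'


def escape_entity(value):
    """Escape with entity references, for example & becomes &amp;."""
    return escape(value, QUOTE_ENTITIES)


def escape_char_ref(value):
    """Escape with numeric character references, for example & becomes &#38;."""
    return "".join(f"&#{ord(ch)};" if ch in SPECIAL else ch for ch in value)


def build_request_login(username, password, escaper=escape_entity):
    """Build the RPC with both credential fields escaped."""
    return RPC_TEMPLATE.format(user=escaper(username),
                               password=escaper(password))


def build_unescaped(username, password):
    """What a client written before the 14.2R4 change would send: raw values."""
    return RPC_TEMPLATE.format(user=username, password=password)


def credentials_seen_by_parser(rpc_text):
    """Return (username, password) as an XML parser recovers them.

    Returns None when the request is not well-formed XML.
    """
    try:
        root = ET.fromstring(rpc_text)
    except ET.ParseError:
        return None
    login = root.find("request-login")
    if login is None:
        return None
    return login.findtext("username"), login.findtext("challenge-response")


if __name__ == "__main__":
    for escaper in (escape_entity, escape_char_ref):
        rpc = build_request_login(SAMPLE_USER, SAMPLE_PASSWORD, escaper)
        print(rpc)
        print("  parsed:", credentials_seen_by_parser(rpc))

    # Raw special characters make the request malformed.
    print(credentials_seen_by_parser(
        build_unescaped(SAMPLE_USER, SAMPLE_PASSWORD)))

    # A password that happens to contain the text "&amp;" stays well-formed
    # when sent raw, but the parser decodes it to a different password.
    print(credentials_seen_by_parser(build_unescaped("ops", "a&amp;b")))
```

    The last case is the one to test for in existing client scripts: the request is accepted as XML, but the credential compared on the device is not the one the user typed.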

Layer 2 Features

  • Support for configuring MAC move parameters globally (MX Series)—Starting in Junos OS Release 14.2R7, you can configure parameters for media access control (MAC) address move reporting by including the global-mac-move statement and its substatements at the [edit protocols l2-learning] hierarchy level. When a MAC address appears on a different physical interface or within a different unit of the same physical interface and this behavior occurs frequently, it is considered a MAC move. You can configure the router to report a MAC address move based on the following parameters: the number of times a MAC address move occurs, a specified period of time over which the MAC address move occurs, and a specified number of times a MAC address move occurs in one second.
  • Support for bridge domain MAC move action on MX104 routers—Starting with Junos OS Release 14.2, the enable-mac-move-action statement is supported on MX104 routers.

Layer 2 VPNs

  • Support for hot standby pseudowire for VPLS instances with LDP (MX Series)—Starting with Junos OS Release 14.2R6, you can configure a routing device running a VPLS routing instance configured with the Label Distribution Protocol (LDP) to indicate that a hot-standby pseudowire is desired upon arrival of a PW_FWD_STDBY status-tlv. Include the hot-standby-vc-on statement at the [edit routing-instances routing-instance-name protocols vpls mesh-group mesh-group-name neighbor address pseudowire-status-tlv] hierarchy level.

Management

  • Support for the status deprecated statement in YANG modules (M Series, MX Series, and T Series)—Starting in Junos OS Release 14.2R8, Juniper Networks YANG modules include the status deprecated statement to indicate configuration statements, commands, and options that are deprecated.

MPLS

  • Enhanced show ldp database and show ldp overview commands—Starting in Junos OS Release 14.2, the show ldp database command includes a new option and two new output fields that provide enhanced information about LDP label accounting. The command now includes a Labels received field in the Input label database section and a Labels advertised field in the Output label database section. A new option, summary, displays how many labels are received and sent for each LDP session. The show ldp overview command includes a new field, Label allocation, that displays how many LDP labels are allocated, how many are freed, how many have experienced failure, and the number allocated by all protocols. These enhancements enable you to debug label exhaustion events more easily.

    [See show ldp database.]

  • Enhanced support for GRE interfaces for GMPLS (MX Series)—Starting in Junos OS Release 12.3R7, on GRE interfaces for Generalized MPLS control channels, you can enable the inner IP header’s ToS bits to be copied to the outer IP packet header. Include the copy-tos-to-outer-ip-header statement at the [edit interfaces gre unit logical-unit-number] hierarchy level. Previously, the copy-tos-to-outer-ip-header statement was supported for GRE tunnel interfaces only.

    [See copy-tos-to-outer-ip-header.]

  • Changes to MPLS protection options—In Junos OS releases prior to Release 14.2, you can configure both fast reroute and node and link protection on the same LSP. In Junos OS Release 14.2 and later releases, you can still configure both fast reroute and node and link protection on the same LSP; however, when you attempt to commit a configuration where both features are enabled, a syslog warning message is displayed that states: The ability to configure both fast-reroute and link/node-link protection on the same LSP is deprecated and will be removed in a future release.
  • Enhanced transit LSP statistics collection—Starting in Junos OS Release 14.2, RSVP no longer periodically polls for transit LSP statistics. This change does not affect the show mpls lsp statistics command or automatic bandwidth operations for ingress LSPs. To enable the polling and display of transit LSP statistics, include the transit-statistics-polling statement at the [edit protocols mpls statistics] hierarchy level. You cannot enable transit LSP statistics collection if MPLS statistics collection is disabled with the no-transit-statistics statement at the [edit protocols mpls statistics] hierarchy level.

    This issue was being tracked by PR984000.

    [See statistics.]

  • Deselecting active path on bandwidth reservation failure (MX Series)—An LSP deselects the current active path if the path is not able to reserve the required amount of bandwidth and there is another path that is successful and capable of becoming active. If the current active path is not deselected, then it continues to be active despite having insufficient bandwidth. If none of the paths are able to reserve the required amount of bandwidth, then the tear-lsp option brings down the LSP.

    [See deselect-on-bandwidth-failure.]

  • RSVP LSP Attribute Order Complies with RFC6510 (M Series, MX Series, and T Series)—The Junos OS RSVP PATH/RESV messages follow the recommendations made in RFC6510 for the LSP attribute order.
  • Display of srlg names and srlg values—Starting with Junos OS Release 14.2R3, the output of the show route table lsdist.0 extensive command displays srlg names, if configured, along with srlg values.

Multicast

  • Change to show pim join summary command—Starting in Junos OS Release 14.2, the XML output of the show pim join summary command has changed. The new CLI output introduces an extra XML hierarchy to separate the tags with the same name.
    user@host> show pim join summary | display xml
            [snip]
            <join-family junos:style="summary">
                <pim-instance>PIM.master</pim-instance>
                <address-family>INET</address-family>
                <join-summary-all>
                    <join-summary>
                        <multicast-route-type>(s,g)</multicast-route-type>
                        <multicast-route-count>1000</multicast-route-count>
                    </join-summary>
                    <join-summary>
                        <multicast-route-type>(*,g)</multicast-route-type>
                        <multicast-route-count>2</multicast-route-count>
                    </join-summary>
                </join-summary-all>
            </join-family>
            [snip]

Network Address Translation (NAT)

  • Support for a new option to configure sequential allocation of ports for NAT (MX Series)—Until Junos OS Release 14.1, you could include the port automatic statement at the [edit services nat pool nat-pool-name] hierarchy level without having to use the auto option with the port automatic statement. Although the default method of assignment of ports was sequential (indicated by the auto option), the auto option was not required to be specified. Starting with Junos OS Release 14.2, the sequential option is introduced to enable you to configure sequential allocation of ports. The sequential and random-allocation options available with the port automatic statement at the [edit services nat pool nat-pool-name] hierarchy level are mutually exclusive. You can include the sequential option for sequential allocation and the random-allocation option for random delegation of ports. By default, sequential allocation of ports takes place if you include only the port automatic statement at the [edit services nat pool nat-pool-name] hierarchy level. The auto option is hidden and is deprecated in Junos OS Release 14.2 and later, and is only maintained for backward compatibility. It might be removed completely in a future software release.

    If you upgrade a router running a Junos OS release earlier than Release 14.2 to Release 14.2 and if the router contains the port automatic statement defined without the auto option included with the configuration, the router validates the auto option present in the configuration for sequential allocation of ports.

Network Management and Monitoring

  • SNMP proxy feature (M Series, MX Series, and T Series)—Starting with Junos OS Release 14.2R4, you must configure the interface <interface-name> statement at the [edit snmp] hierarchy level for the proxy SNMP agent. Earlier, configuring the interface for the proxy SNMP agent was not mandatory.
  • Enhancement for SONET interval counter (M Series, MX Series, and T Series)—Starting with Junos OS Release 14.2R6, only the Current Day Interval Total output field in the show interfaces interval command for SONET interfaces is reset after 24 hours. In addition, the Previous Day Interval Total output field displays the last updated time in hh:mm.

    [See show interfaces interval.]

  • Juniper Networks MIBs loading errors fixed (MX Series)—Starting with Junos OS Release 14.2R8, duplicated entries and errors while loading MIBs on a ManageEngine MIB browser are fixed for the following MIB files:
    • jnx-chas-defines.mib
    • jnx-gen-set.mib
    • jnx-ifotn.mib
    • jnx-optics.mib

    [See MIB Explorer.]

  • Updated unified container set in enterprise-specific Chassis MIB (MX Series)—Starting with Junos OS Release 14.2R2, the Juniper Networks enterprise-specific Chassis MIB (jnxBoxAnatomy) provides a unified container set that represents all supported MX Series chassis types when MX Series Virtual Chassis mode is active.
  • New system log message indicating the difference in the Packet Forwarding Engine counter value (M Series, MX Series, and T Series)—In Junos OS Release 14.2R2 and later, if the counter value of a Packet Forwarding Engine is reported as less than its previous value, then the residual counter value is added to the newly reported value only for that specific counter. In that case, the CLI shows the MIB2D_COUNTER_DECREASING system log message for that specific counter.

    [See MIB2D_COUNTER_DECREASING.]

Routing Policy and Firewall Filters

  • New option for show firewall command—Starting in Junos OS Release 14.2, the show firewall command supports a new option, filter regex regular-expression, that enables you to display information about a subset of firewall filters. For regular-expression, include a regular expression that matches the specific names of filters for which you want to display information. Previously, the command only allowed you to display information either about all filters or a specific filter. This enhancement enables devices configured with a very large number of filters to display information about a subset of filters more efficiently.

    [See show firewall.]

  • Support for shared firewall filters across multiple routing instances (MX Series routers with MPCs)—Starting in Junos OS Release 14.2, on MX Series routers with Modular Port Concentrators (MPCs) only, you can specify to share one or more firewall filters across multiple routing instances. Multiple firewall filters can be shared only when network services for the device are configured with enhanced IP mode. By default, firewall filters are not shared automatically across multiple routing instances. Include the instance-shared statement at the [edit firewall family protocol-family-name filter filter-name] hierarchy level. You can configure a combination of shared and nonshared filters on the same routing device. This feature can be used with the following protocol families: Bridge, IPv4, IPv6, Layer 2 CCC, MPLS, and VPLS.

    [See Guidelines for Configuring Firewall Filters.]

Routing Protocols

  • Support for loss-of-continuity check per remote MEP (MX Series)—Beginning with Junos OS Release 14.2, you can specify that Ethernet OAM continuity checks are performed for an individual remote maintenance end point (MEP) by including the detect-loc statement at the [edit protocols oam ethernet connectivity-fault-management maintenance-domain md-name maintenance-association ma-name mep mep-id remote-mep mep-id] hierarchy level. A loss-of-continuity (LOC) defect is declared if no continuity check message is received from the remote MEP within a period equal to 3.5 times the continuity check interval configured for the maintenance association. If this occurs, the show oam ethernet connectivity-fault-management interfaces detail command displays a value of yes for the Remote MEP not receiving CCM defect field. The error also generates a syslog CFMD_CCM_DEFECT_RMEP message.
  • Support for BFD for IS-IS IPv6 interfaces—Starting in Junos OS Release 14.1R2, bidirectional forwarding detection (BFD) is supported for IS-IS IPv6 interfaces. Include the bidirectional-forwarding-detection statement at the [edit protocols isis interface interface-name] hierarchy level. By default, multiple BFD sessions over a single adjacency for IPv4 and IPv6 interfaces that belong to the same IS-IS instance are not automatically created. To enable BFD on IPv4 and IPv6 interfaces configured on the same IS-IS instance, you must also include the new bfd-per-address-family statement at the [edit protocols isis interface interface-name] hierarchy level. When BFD is enabled for both IPv4 and IPv6 interfaces in a single IS-IS instance, a BFD session is created for each protocol family interface. If either the IPv4 or IPv6 session fails, the adjacency is torn down.

    [See Example: Configuring BFD for IS-IS.]

  • Introduction of the all keyword to prevent accidental execution of certain clear commands—The all keyword is introduced in Junos OS Release 14.2 (as an optional keyword). This makes users explicitly select the all keyword to clear all protocol or session information. Thus, it prevents accidental clearing or resetting of protocols or neighbor sessions, which might disrupt network operations.

    The all keyword is introduced for the following clear commands:

    • clear arp
    • clear bgp neighbor
    • clear bfd adaptation
    • clear bfd session
    • clear igmp membership
    • clear isis adjacency
    • clear isis database
    • clear ldp neighbor
    • clear ldp session
    • clear mld membership
    • clear mpls lsp
    • clear msdp cache
    • clear multicast forwarding-cache
    • clear (ospf | ospf3) database
    • clear (ospf | ospf3) neighbor
    • clear pim join
    • clear pim join-distribution
    • clear pim register
    • clear rsvp sessions
  • Support for RFC 6996, RFC 7300, and Internet draft-ietf-idr-as0-06—Beginning with Junos OS Release 14.2, RFC 6996, Autonomous System (AS) Reservation for Private Use, RFC 7300, Reservation of Last Autonomous System (AS) Numbers, and Internet draft-ietf-idr-as0-06 are supported.

    RFC 6996, Autonomous System (AS) Reservation for Private Use, defines the range of the reserved, private AS numbers. The set of reserved 16-bit AS numbers is in the range from 64,512 through 65,535 and the reserved 32-bit AS numbers range from 4200000000 through 4294967294. Even though the use of the last 16-bit AS numbers are reserved, private AS number 65535 is allowed in Junos OS configurations. However, we do not recommend using this restricted AS number.

    RFC 7300, Reservation of Last Autonomous System (AS) Numbers, and the Internet draft draft-ietf-idr-as0-06 restrict the use of 4-byte AS number 4294967295UL, and AS number 0 in a configuration. When you use these restricted AS numbers, the commit operation fails.

    [See 4-Byte Autonomous System Numbers Overview.]

  • Include IGP metric values in BGP-LS advertisement—Beginning with Junos OS Release 14.2R1, the show ted database extensive and show ted link detail operational commands are enhanced to include the IGP metric values.
  • BGP hides a route received with a label block size greater than 256—Beginning with Junos OS Release 14.2R2, when a BGP peer (running Junos OS) sends a route with a label block size greater than 256, the local speaker hides the route and does not re-advertise this route. The output of show route detail/extensive hidden/all displays the hidden route and states the reason as label block size exceeds max supported value. In earlier Junos releases, when a peer sent a route with a label block size greater than 256, the routing protocol process (rpd) terminated abnormally.
  • OSPFv3-TTL propagation policy for TE-Shortcuts and FA-LSPs in-line with other modules in the system (MX Series)—Starting in Junos OS Release 14.2, the OSPFv3-TTL propagation policy is dictated by the MPLS-TTL propagation policy which, by default, allows propagation of TTL.

    This change makes the behavior of OSPFv3 in line with the default behavior of the rest of the system, allowing you to disable TTL propagation for the above-mentioned LSPs and for traffic-engineering-shortcuts (TE-Shortcuts) and forwarding adjacency LSPs (FA-LSPs) using OSPFv3 as the IGP, by configuring the no-propagate-ttl statement at the [edit protocols mpls] hierarchy level.

  • Configure and establish targeted sessions with third-party controllers using LDP targeted neighbor (M Series and MX Series)—Starting with Junos OS Release 14.2R3, you can configure LDP targeted neighbor to third-party controllers for applications such as route recorder that want to learn label-FEC bindings of an LSR. LDP targeted neighbor helps to establish a targeted session with controllers for a variety of applications.

Security

  • Packet types added for DDoS protection L2TP policers (MX Series with MPCs, T4000 with FPC5)—The following eight packet types have been added to the DDoS protection L2TP protocol group to provide flexibility in controlling L2TP packets:

    • cdn
    • scccn
    • hello
    • sccrq
    • iccn
    • stopccn
    • icrq
    • unclassified

    Previously, no individual packet types were available for this protocol group and all L2TP packets were policed the same based on the aggregate policer value. The default value for the bandwidth and burst policers for all packet types is 20,000 pps. The default recover-time is 300 seconds for each of the L2TP packet types.

  • BGP route is hidden when AS path length is more than the configured maximum AS size—Beginning with Junos OS Release 14.1, BGP hides a route when the length of the AS path does not match the number of ASs in the route update. In earlier Junos releases when a route with AS path size over 2048 was advertised, it could cause session flaps between BGP peers because of the mismatch. Therefore, to avoid session flaps, such routes are now hidden by Junos. You can see this behavior when bgp-error-tolerance is configured.

    If you want BGP to advertise the hidden route to an OSPF neighbor, we recommend that you add the AS path statically in the default route configuration. For example:

    [edit routing-instances instance-name routing-options]
    user@host# set aggregate route 0.0.0.0/0 as-path path 1267
  • Changes to distributed denial of service (DDoS) protection protocol groups and packet types (MX Series, T4000 with FPC5)—Starting in Junos OS Release 14.2, the following syntax changes have been made:
    • The mlp protocol group has been modified as follows to provide DDoS protection with full control of the bandwidth:
      • The aging-exc, packets, and vxlan packet types have been removed from the mlp protocol group.
      • The add, delete, and lookup packet types have been added to the mlp protocol group. These packets correspond to the MAC learning command codes.
    • The keepalive protocol group has been renamed to tunnel-ka.
    • The firewall-host protocol group and the mcast-copy packet type in the unclassified protocol groups have been removed from the CLI. They are now classified by the internal host-bound classification engine on the line card.
  • Changes to distributed denial of service (DDoS) protection default values for MLP packets (MX Series, T4000 with FPC5)—Starting in Junos OS Release 14.2, the following default bandwidth (pps) and burst (packets) values apply for MLP packets by line card:

    Policer         MPC1, MPC2, MPC5, and MPC6      MPC3, MPC4, and FPC5
                    Bandwidth      Burst            Bandwidth      Burst
    aggregate       10,000         20,000           5000           10,000
    add             4096           8192             2048           4096
    delete          4096           8192             2048           4096
    lookup          1024           2048             512            1024
    unclassified    1024           1024             512            512

  • Changes to distributed denial of service (DDoS) protection flow detection defaults (MX Series, T4000 with FPC5)—Starting in Junos OS Release 14.2, flow detection defaults to disabled for the following protocol groups and packet type, because they do not have typical Ethernet, IP, or IPv6 headers. Global flow detection does not enable flow detection for these groups and the packet type.
    • Protocol groups: fab-probe, frame-relay, inline-ka, isis, jfm, mlp, pfe-alive, pos, services.
    • Packet type: unclassified in the ip-opt protocol group.
  • Changes to show ddos-protection protocols command output (MX Series, T4000 with FPC5)—Starting in Junos OS Release 14.2, when you disable DDoS protection policers on the Routing Engine or on an FPC for a specific packet type, an asterisk is displayed next to that field in the CLI output. For example, if you issue the following statements:
    user@host# set system ddos-protection protocols mlp lookup disable-routing-engine
    user@host# set system ddos-protection protocols mlp lookup fpc 1 disable-fpc

    the fields are marked as in the following sample output:

    user@host> show ddos-protection protocols mlp lookup
    Currently tracked flows: 0, Total detected flows: 0
       * = User configured value
    
       Protocol Group: MLP
    
         Packet type: lookup (MLP lookup request)
           Individual policer configuration:
             Bandwidth:        1024 pps
           ...
           Routing Engine information:
             Bandwidth: 1024 pps, Burst: 2048 packets, disabled*
             Policer is never violated
             Received:  0                   Arrival rate:     0 pps
             Dropped:   0                   Max arrival rate: 0 pps
               Dropped by aggregate policer: 0
           FPC slot 1 information:
             Bandwidth: 100% (1024 pps), Burst: 100% (2048 packets), disabled*
             Policer is never violated
             Received:  0                   Arrival rate:     0 pps
             Dropped:   0                   Max arrival rate: 0 pps
               Dropped by aggregate policer: 0
               Dropped by flow suppression:  0
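
An added example (not Juniper code): a parser that audits saved show ddos-protection protocols output for policers reported as disabled, run here on the sample output above. Reading the asterisk as "user configured" follows the legend in that output; the function and variable names are this example's own.

```python
import re

# Sample output copied from the release note above (blank lines omitted).
SAMPLE_OUTPUT = """\
user@host> show ddos-protection protocols mlp lookup
Currently tracked flows: 0, Total detected flows: 0
   * = User configured value
   Protocol Group: MLP
     Packet type: lookup (MLP lookup request)
       Individual policer configuration:
         Bandwidth:        1024 pps
       ...
       Routing Engine information:
         Bandwidth: 1024 pps, Burst: 2048 packets, disabled*
         Policer is never violated
         Received:  0                   Arrival rate:     0 pps
         Dropped:   0                   Max arrival rate: 0 pps
           Dropped by aggregate policer: 0
       FPC slot 1 information:
         Bandwidth: 100% (1024 pps), Burst: 100% (2048 packets), disabled*
         Policer is never violated
         Received:  0                   Arrival rate:     0 pps
         Dropped:   0                   Max arrival rate: 0 pps
           Dropped by aggregate policer: 0
           Dropped by flow suppression:  0
"""

GROUP_RE = re.compile(r"^\s*Protocol Group:\s*(\S+)")
PTYPE_RE = re.compile(r"^\s*Packet type:\s*(\S+)")
LOC_RE = re.compile(r"^\s*(Routing Engine|FPC slot \d+) information:")
STATE_RE = re.compile(r"^\s*Bandwidth:.*,\s*disabled(\*?)\s*$")

def find_disabled_policers(cli_output):
    """Return (group, packet_type, location, user_configured) per disabled policer."""
    group = ptype = location = None
    findings = []
    for line in cli_output.splitlines():
        if m := GROUP_RE.match(line):
            group, ptype, location = m.group(1), None, None
        elif m := PTYPE_RE.match(line):
            ptype, location = m.group(1), None
        elif m := LOC_RE.match(line):
            location = m.group(1)
        elif location and (m := STATE_RE.match(line)):
            # The trailing "*" marks a value set by configuration, per the legend.
            findings.append((group, ptype, location, m.group(1) == "*"))
    return findings

if __name__ == "__main__":
    for finding in find_disabled_policers(SAMPLE_OUTPUT):
        print(finding)
```

Comparing the findings against an approved list of disable-routing-engine and disable-fpc exceptions turns the asterisk into a configuration-drift check for control-plane protection.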

Services Applications

  • Changed range for maximum lifetime for PCP mapping—Starting in Junos OS Release 14.2R3, the range for the maximum lifetime, in seconds, for PCP mapping that you can configure by using the mapping-lifetime-max mapping-lifetime-max statement at the [edit services pcp] hierarchy level is 0–4294667, instead of the previous range of 0–2147483647.
  • Increase in the default rate of transmission of system logs to an external syslog server (MX Series)—Starting with Junos OS Release 14.2, the maximum number of system log messages per second sent to an external syslog server has been increased from 200,000 to 800,000.
  • Interoperation of ingress sampling and PIC-based flow monitoring (MX Series)—If PIC-based flow monitoring is enabled on an ms- logical interface, a commit check error occurs when you attempt to configure ingress traffic sampling on that particular ms- logical interface. This error occurs because a combination of ingress sampling and PIC-based flow monitoring operations on an ms- logical interface causes undesired flow monitoring behavior and might result in repeated sampling of a single packet. You must not configure ingress traffic sampling on ms- logical interfaces on which PIC-based flow monitoring is enabled.
  • Change in support for service options configuration on service PICs at the MS and AMS interface levels (MX Series)—Starting in Junos OS Release 14.2R3, when a multiservices PIC (ms- interface) is a member interface of an AMS bundle, you can configure the service options to be applied on the interface at only one level at a time, either the ms- interface level or the AMS bundle level, by including the services-options statement at the [edit interfaces interface-name] hierarchy level. You cannot define service options for a service PIC at both the AMS bundle level and the ms- interface level simultaneously. When you define the service options at the MS level or the AMS bundle level, the service options are applied to all the service sets on the ms- interface or AMS interface defined at ms-fpc/pic/port.logical-unit or amsN, respectively.
  • Generation of mspmand core file for flow control (MX Series routers with MS-MICs and MS-MPCs)—Starting with Junos OS Release 14.2R3, instead of an eJunos kernel core file, the multiservices PIC management daemon core file is generated when a prolonged flow control occurs and when you configure the setting to generate a core dump during prolonged flow control (by using the dump-on-flow-control option). The watchdog functionality continues to generate a kernel core file in such scenarios.
  • Support for RPM probes for IPv4 and IPv6 sources and targets (TX Matrix Plus)—Starting with Junos OS Release 14.2R3, you can configure the TXP-T1600, TXP-T1600-3D, TXP-T4000-3D, or TXP-Mixed-LCC-3D router as the real-time performance monitoring (RPM) client device (the router or switch that originates the RPM probes). The client device can send probe packets to the RPM probe server (the device that receives the RPM probes) that contains an IPv4 or IPv6 address. RPM enables you to configure active probes to track and monitor traffic. The support for configuring RPM probes and RPM clients on TX Matrix Plus routers is in addition to the support for RPM that existed on M Series, MX Series, T1600 and T4000 routers in previous releases.
  • Changes in the format of session open and close system log messages (MX Series routers with MS-MICs and MS-MPCs)—Starting with Junos OS Release 14.2R3, with the Junos OS Extension-Provider packages installed and configured on the device for MS-MPCs and MS-MICs, the formats of the MSVCS_LOG_SESSION_OPEN and MSVCS_LOG_SESSION_CLOSE system log messages are modified to toggle the order of the destination IPv4 address and destination port address displayed in the log messages to be consistent and uniform with the formats of the session open and close logs of MS-DPCs.

    The following is the modified format of the MSVCS_LOG_SESSION_OPEN and MSVCS_LOG_SESSION_CLOSE system log messages:

    month date hh:mm:ss syslog-server-ip-address yyyy-mm-dd hh:mm:ss {NAT-type}<MSVCS_LOG_SESSION_CLOSE or MSVCS_LOG_SESSION_OPEN>:App: application, source-interface-name fpc/pic/port\address in hexadecimal format source-address:source-port source-nat-information -> destination-address:destination-port destination-nat-information (protocol-name)

    The following is an example of the session closure message generated for MS-MPCs and MS-MICs:

    Nov 26 13:00:07 10.137.159.1 2014-11-26 07:22:44: {Dynamic-NAT-64-SS-NHS-1}MSVCS_LOG_SESSION_CLOSE: application:none, ae4.454 2402:8100:1:160:1:2:d384:463c:36822 [49.14.64.37:12261] -> [141.101.120.14] 64:ff9b::8d65:780e:80 (TCP)

  • Optional inclusion of Flags in DTCP LIST messages (MX Series)—Starting in Junos OS Release 14.2R3, the Flags field is not a required parameter in the DTCP LIST message. The LIST request is not rejected if the LIST message does not contain the Flags field. If the DTCP LIST message contains the Flags field, the value of that field is processed. If the LIST message does not contain the Flags field, the CRITERIA field parameter is used for the Flags field.
  • Support for bouncing service sets for dynamic NAT (MX Series with MS-MPCs and MS-MICs)—Starting in Junos OS Release 14.2R2, for service sets associated with aggregated multiservices (AMS) interfaces, you can configure the enable-change-on-ams-redistribution statement at the [edit services service-set service-set-name service-set-options] hierarchy level to enable the service set to be bounced (reset) for dynamic NAT scenarios (dynamic NAT, NAT64, and NAT44) when a member interface of an AMS bundle rejoins or a member interface failure occurs. When a member interface fails, the application resources (the NAT pool in the case of dynamic NAT scenarios) and traffic load need to be rebalanced. To rebalance the application resources, the service PIC daemon (spd) splits and allocates the NAT pool.
  • Change in the test-interval range for RPM tests (MX Series)—Starting in Junos OS Release 14.2R5, the minimum period for which the RPM client waits between two tests (configured by using the test-interval interval statement at the [edit services rpm probe owner test test-name] hierarchy level) is modified to be 1 second instead of 0 seconds. Also, if you do not configure the test interval, the default value is 0 seconds. A test interval of 0 seconds causes the RPM test to stop after one iteration.
  • Class pcp-logs and alg-logs are not configured for ms-interface (MX Series)—Starting with Junos OS Release 14.2R5, for multiservices (ms-) interfaces, you cannot configure system logging for PCP and ALGs by including the pcp-logs and alg-logs statements at the [edit services service-set service-set-name syslog host hostname class] hierarchy level. An error message is displayed if you attempt to commit a configuration that contains the pcp-logs and alg-logs options to define system logging for PCP and ALGs for ms- interfaces.
  • Support for deterministic NAPT (MX Series)—You can configure deterministic port block allocation for Network Address Port Translation (NAPT) on MX Series routers with MS-MPCs or MS-MICs. By configuring deterministic NAPT, you ensure that translation of the internal host IP address (private IP to public IP and vice versa) is deterministic, thus eliminating the need for address translation logging for each connection. To use deterministic port block allocation, you must specify deterministic-napt44 as the translation type in your NAT rule.

  • Deprecated security idp statements (MX Series)—Starting in Junos OS Release 14.2R8, the statements at the [edit security idp] hierarchy level are deprecated for the MX Series.
  • Change in enforcement of flow-key restriction for VPLS templates—Starting in Junos OS Release 14.2R4, a commit error occurs when you include both the flow-key and vpls-template statements under the [edit services flow-monitoring version-ipfix template template-name] hierarchy. The flow-key statement is not supported for VPLS templates. In Junos OS Releases 14.2R2 and 14.2R3, a commit error was not displayed when this restriction was violated.
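
An added example (not Juniper code): a parser for the modified MSVCS_LOG_SESSION_OPEN and MSVCS_LOG_SESSION_CLOSE format described earlier in this section, run on the sample line from the release note. The field names are this example's own, and accepting the bracketed NAT information on either side of the address:port token is an assumption made because the documented field order and the sample line differ on the destination side.

```python
import ipaddress
import re

# Sample line copied from the release note above.
SAMPLE = ("Nov 26 13:00:07 10.137.159.1 2014-11-26 07:22:44: "
          "{Dynamic-NAT-64-SS-NHS-1}MSVCS_LOG_SESSION_CLOSE: application:none, "
          "ae4.454 2402:8100:1:160:1:2:d384:463c:36822 [49.14.64.37:12261] -> "
          "[141.101.120.14] 64:ff9b::8d65:780e:80 (TCP)")

LINE_RE = re.compile(
    r"^(?P<received>\w{3}\s+\d{1,2} [\d:]{8}) (?P<reporter>\S+) "
    r"(?P<logged>\d{4}-\d\d-\d\d [\d:]{8}):?\s+"
    r"\{(?P<nat_type>[^}]*)\}(?P<event>MSVCS_LOG_SESSION_(?:OPEN|CLOSE)):\s*"
    r"(?P<app>[^,]*),\s*(?P<interface>\S+)\s+"
    r"(?P<src>.+?)\s+->\s+(?P<dst>.+?)\s+\((?P<protocol>[^)]+)\)\s*$"
)

def split_side(text):
    """Split one side of '->' into (address, port, nat_info)."""
    endpoint, nat = None, None
    for token in text.split():
        if token.startswith("[") and token.endswith("]"):
            nat = token[1:-1]      # NAT info may precede or follow the endpoint
        else:
            endpoint = token
    if endpoint is None:
        raise ValueError("no address:port token")
    # Always cut at the LAST colon: "64:ff9b::8d65:780e:80" is also a valid
    # bare IPv6 address, so guessing from the token's shape would lose the port.
    addr, _, port = endpoint.rpartition(":")
    return str(ipaddress.ip_address(addr)), int(port), nat

def parse_session_log(line):
    """Return a dict of fields, or None if the line is not a session log."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["src_addr"], rec["src_port"], rec["src_nat"] = split_side(rec.pop("src"))
        rec["dst_addr"], rec["dst_port"], rec["dst_nat"] = split_side(rec.pop("dst"))
    except ValueError:             # malformed address or non-numeric port
        return None
    return rec

if __name__ == "__main__":
    for key, value in parse_session_log(SAMPLE).items():
        print(f"{key:10} {value}")
```

Collectors that parsed the earlier MS-MPC and MS-MIC field order need their extraction rules updated after upgrading to 14.2R3, otherwise destination address and port fields are silently mis-assigned.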

Subscriber Management and Services

Note: Subscriber management is not supported in 14.2R6.

Although present in the code, the subscriber management features are not supported in Junos OS Release 14.2R6. Documentation for subscriber management features is included in the Junos OS Release 14.2 documentation set.

  • Locally configured DNS addresses displayed in the result of the test aaa (dhcp | ppp) command (MX Series)—Starting in Junos OS Release 14.2, if RADIUS does not return any DNS addresses, then the output of the test aaa (dhcp | ppp) command includes any locally configured DNS addresses.

    [See Testing a Subscriber AAA Configuration.]

  • Support for applying access profiles to DHCP local server and DHCP relay agent—Access profiles enable you to specify subscriber access authentication and accounting parameters. After access profiles are created, you can attach them at the [edit system services dhcp-local-server] hierarchy level on a DHCP local server for DHCP or DHCPv6 subscribers and at the [edit forwarding-options dhcp-relay] hierarchy level on a DHCP relay agent for DHCP or DHCPv6 subscribers, group of subscribers, or group of interfaces.

    If you configured a global access profile at the [edit access profile profile-name] hierarchy level for all DHCP or DHCPv6 clients on a router that functions as a DHCP local server or a DHCP relay agent, the access profile configured at the [edit system services dhcp-local-server] or [edit system services dhcp-local-server dhcpv6] hierarchy level on a DHCP local server for DHCP or DHCPv6 subscribers and at the [edit forwarding-options dhcp-relay] or [edit forwarding-options dhcp-relay dhcpv6] hierarchy level on a DHCP relay agent for DHCP or DHCPv6 subscribers takes precedence over the global access profile.

    Configuring an access profile for DHCP subscribers at the DHCP relay agent level or the DHCP local server level provides you with the flexibility of enabling DHCP authentication and accounting for specific subscribers instead of enabling them at a global level. If no access profile is configured at the DHCP relay agent level or the DHCP local server level, the global access profile becomes effective.

  • Support for processing Cisco VSAs in RADIUS messages for service provisioning—Starting with Junos OS Release 14.2, Cisco VSAs are supported for provisioning and management of services in RADIUS messages, in addition to the supported Juniper Networks VSAs for administration of subscriber sessions. In a deployment in which a customer premises equipment (CPE) is connected over an access network to a broadband remote access gateway, the Steel-Belted Radius Carrier (SBRC) application might be used as the authentication and accounting server using RADIUS as the protocol, and the Cisco BroadHop application might be used as the Policy Control and Charging Rules Function (PCRF) server for provisioning services using RADIUS change of authorization (CoA) messages. Both the SBRC and the Cisco BroadHop servers are considered to be connected with the broadband gateway in such a topology.

    By default, service accounting is disabled. If you configure service accounting using both RADIUS attributes and the CLI interface, the RADIUS setting takes precedence over the CLI setting. To enable service accounting using the CLI, include the accounting statement at the [edit access profile profile-name service] hierarchy level. To enable interim service accounting updates and configure the amount of time that the router waits before sending a new service accounting update, include the update-interval minutes statement at the [edit access profile profile-name service accounting] hierarchy level.

    You can configure the router to collect time statistics, or both volume and time statistics, for the service accounting sessions being managed by AAA. To configure the collection of time-based statistics only, include the statistics time statement at the [edit access profile profile-name service accounting] hierarchy level. To configure the collection of both volume-based and time-based statistics, include the statistics volume-time statement at the [edit access profile profile-name service accounting] hierarchy level.

  • Specifying the UDP port for RADIUS dynamic-request servers—Starting in Junos OS Release 14.2, you can define the UDP port number to configure the port on which the router that functions as the RADIUS dynamic-request server must receive requests from RADIUS servers. By default, the router listens on UDP port 3799 for dynamic requests from remote RADIUS servers. You can configure the UDP port number to be used for dynamic requests for a specific access profile or for all of the access profiles on the router. To define the UDP port number, include the dynamic-request-port port-number statement at the [edit access profile profile-name radius-server server-address] or [edit access radius-server server-address] hierarchy level.
  • LAC configuration no longer required for L2TP tunnel switching with RADIUS attributes (MX Series)—Starting in Junos OS Release 14.2R3, when you use Juniper Networks VSA 26-91 to provide tunnel profile information for L2TP tunnel switching, you no longer have to configure a tunnel profile on the LAC. In earlier releases, tunnel switching failed when you did not also configure the LAC, even when the RADIUS attributes were present.
  • Change to show services l2tp tunnel command (MX Series)—Starting in Junos OS Release 14.2R4, the show services l2tp tunnel command also includes in its display tunnels that have no active sessions. In earlier releases, the command does not display tunnels without any active sessions.

User Interface and Configuration

  • Changed destination file format for transfer-on-commit feature (M Series, MX Series, and T Series)—Starting with Junos OS Release 14.2, the format of the destination filename for the transfer-on-commit feature is changed from router-name_juniper.conf.n.gz_YYYYMMDD_HHMMSS to router-name_YYYYMMDD_HHMMSS_juniper.conf.n.gz.

    [See archive-sites and Using Junos OS to Configure a Router or Switch to Transfer Its Configuration to an Archive Site.]

  • New warning message for configuration changes to extend-size (M Series, MX Series, and T Series)—Starting with Junos OS Release 14.2R5, any operation on the system configuration-database extend-size configuration statement, such as deactivate, delete, or set, generates the following warning message:

    Change in 'system configuration-database extend-size' will be effective at next reboot only.

  • New command to view configuration database memory usage (M Series, MX Series, and T Series)—Starting in Junos OS Release 14.2R3, you can use the show system configuration database usage command to view the usage statistics of configuration database memory.

    [See show system configuration database usage.]

Virtual Chassis

  • SNMP MIB walk on MX Series Virtual Chassis—Starting with Junos OS Release 14.2R6, snmp mib walk operations no longer return invalid PCMCIA card information for Routing Engines on MX Series Virtual Chassis.

VLAN Infrastructure

  • Applying VLAN Check with vlan-id all Configured (MX Series routers)—Frames with VLAN identifier tags configured might have their inner or outer VLAN identifiers checked at egress. However, the exact circumstances of the VLAN check vary with configuration parameters.

    In particular, for a routing instance or bridge domain with the vlan-id all statement configured, the VLAN check is enabled only under the following conditions:

    • If the routing instance or bridge domain has the vlan-id all statement configured and there is a discrete outer VLAN identifier configured (that is, the logical interface is single tagged), then the VLAN check is enabled for the outer VLAN identifier.
    • If the routing instance or bridge domain has the vlan-id all statement configured and the inner VLAN identifier is a range, then the VLAN check is enabled for the inner VLAN identifier range.
    • If the routing instance or bridge domain has the vlan-id all statement configured and the outer VLAN identifier is a range, then the VLAN check is enabled for the outer VLAN identifier range.
    • If the routing instance or bridge domain has the vlan-id all statement configured and there is a discrete inner VLAN identifier (that is, the logical interface is dual-tagged), then the VLAN check is enabled for the inner VLAN identifier value.

VPNs

  • Support for ping on a virtual gateway address—Starting in Junos OS Release 14.2R8, Junos OS supports pinging an IPv4 or IPv6 address on the preferred virtual gateway interface. To set up support for ping, you must include both the virtual-gateway-accept-data and the preferred statements at the [edit interfaces irb unit] hierarchy level of the preferred virtual gateway. This enables the interface on the preferred virtual gateway to accept all packets for the virtual IP address, including ping packets.

Modified: 2017-12-12