Changes in Behavior and Syntax

 

This section lists the changes in behavior of Junos OS features and changes in the syntax of Junos OS statements and commands from Junos OS Release 15.1R7 for the M Series, MX Series, and T Series.

Authentication, Authorization and Accounting

  • Statement introduced to enforce strict authorization—Starting in Junos OS Release 15.1R2, customers can use the set system tacplus-options strict-authorization statement to enforce strict authorization for users. When a user logs in, Junos OS issues two TACACS+ requests—first the authentication request and then the authorization request. By default, when the TACACS+ server rejects the authorization request, Junos OS ignores the rejection and allows full access to the user. When the set system tacplus-options strict-authorization statement is set, Junos OS denies access to the user if the authorization request fails.
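    A configuration audit for the fail-open default described above, as an added example that is not part of the original release notes or Juniper tooling. It assumes the configuration is exported in display set format, that TACACS+ servers appear as set system tacplus-server lines, and that inactive statements appear as deactivate lines; the sample configurations are constructed.

```python
import shlex

# Statement named in the release note that makes authorization fail closed.
STRICT = ("system", "tacplus-options", "strict-authorization")

# Constructed sample configurations in "display set" format (not from a real device).
FAIL_OPEN = (
    "set system authentication-order tacplus\n"
    "set system authentication-order password\n"
    'set system tacplus-server 192.0.2.10 secret "$9$constructed"\n'
)
HARDENED = FAIL_OPEN + "set system tacplus-options strict-authorization\n"
INACTIVE = HARDENED + "deactivate system tacplus-options strict-authorization\n"


def _statements(config_text):
    """Yield (verb, path) for every set/deactivate line in the export."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        if tokens[0] in ("set", "deactivate"):
            yield tokens[0], tuple(tokens[1:])


def audit_tacplus(config_text):
    """Classify how a rejected TACACS+ authorization request is handled.

    fail-open      : TACACS+ servers configured, strict-authorization not active
    fail-closed    : TACACS+ servers configured, strict-authorization active
    not-applicable : no TACACS+ server configured
    """
    servers = set()
    strict_set = False
    strict_inactive = False
    for verb, path in _statements(config_text):
        if verb == "set" and path[:2] == ("system", "tacplus-server") and len(path) > 2:
            servers.add(path[2])
        elif verb == "set" and path == STRICT:
            strict_set = True
        elif verb == "deactivate" and path and STRICT[:len(path)] == path:
            # Deactivating the statement or any parent level makes it inactive.
            strict_inactive = True
    enforced = strict_set and not strict_inactive
    if not servers:
        status = "not-applicable"
    elif enforced:
        status = "fail-closed"
    else:
        status = "fail-open"
    return {"status": status, "servers": sorted(servers), "strict_authorization": enforced}


if __name__ == "__main__":
    for name, cfg in (("FAIL_OPEN", FAIL_OPEN), ("HARDENED", HARDENED), ("INACTIVE", INACTIVE)):
        print(name, audit_tacplus(cfg))
```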

Class of Service (CoS)

  • Change to CoS shaping rate fallback behavior (MX Series)—Starting in Junos OS Release 15.1R1, when a CoS service profile is deactivated, the traffic shaping rate falls back in the following order: ANCP shaping rate, PPPoE IA tag rate, or shaping rate configured in the traffic control profile. In earlier releases, the traffic shaping rate falls back to the ANCP adjusted rate or the traffic control profile value.

    Now when an ANCP shaping rate adjustment is removed, the rate falls back to the PPPoE IA tag rate or the traffic control profile value. In earlier releases, the rate falls back to the traffic control profile value.

    [See CoS Adjustment Control Profiles Overview.]

  • CLI commit check not performed for guaranteed-rate burst size (MX Series)—Starting in Junos OS Release 15.1R1, the CLI no longer performs a commit check to determine whether the statically configured guaranteed-rate burst size exceeds the shaping-rate burst size. A system log is generated when the guaranteed-rate burst size is higher, whether it is configured statically, dynamically with predefined variables, or by means of a change of authorization request. In earlier releases, a CLI commit check prevents a static configuration from being used; no checks are performed for the other configuration methods.

General Routing

  • The commit synchronize statement is not allowed in batch mode—When you attempt to execute commit atomic in configure batch mode, a warning message is displayed: warning: graceful-switchover is enabled, commit synchronize should be used. This is because commit synchronize is not allowed to be given in configure batch mode. In this case, issue the set system commit synchronize command followed by commit.

  • Modified output of the clear services sessions | display xml command (MX Series)—In Junos OS Release 14.1X55-D30, the output of the clear services sessions | display xml command is modified to include the <sess-marked-for-deletion> tag instead of the <sess-removed> tag. In releases before Junos OS Release 14.1X55-D30, the output of this command includes the <sess-removed> tag. The replacement of the <sess-removed> tag with the <sess-marked-for-deletion> tag aims at establishing consistency with the output of the clear services sessions command that includes the field Sessions marked for deletion.

  • The as-path-ignore command is supported for routing instances starting with Junos OS Release 14.1R8, 14.2R7, and 15.1R4.

High Availability (HA) and Resiliency

  • VRRP adjusted priority can go to zero (M Series, MX Series, and T Series)—Starting in Junos OS Release 15.1R1, the adjusted priority of a configured VRRP group can go to zero (0). A zero (0) priority value is used to trigger one of the backup routers in a VRRP group to quickly transition to the master router without having to wait for the current master to timeout. Prior to Junos OS Release 15.1, an adjusted priority could not be zero. This change in behavior prevents the VRRP group from blackholing traffic.

    [See Configuring a Logical Interface to Be Tracked for a VRRP Group or Configuring a Route to Be Tracked for a VRRP Group.]

  • A check option is added for command request chassis routing-engine master—Starting in Junos OS Release 15.1R1, a check option available with the switch, release, and acquire options checks the GRES status of the standby Routing Engine before toggling mastership. The force option is also removed.

    [See request chassis routing-engine master.]

  • GRES readiness is part of show system switchover output (M Series, MX Series, and T Series)—Starting in Junos OS Release 15.1R1, switchover readiness status is reported as part of the output for the operational mode command show system switchover. This is true for the TX Matrix Plus platform as well.

    [See show system switchover.]

  • Improved command output for determining GRES readiness in an MX Series Virtual Chassis (MX Series routers with MPCs)—Starting in Junos OS Release 15.1R1, the request virtual-chassis routing-engine master switch check command displays the following output when the member routers in a Virtual Chassis are ready to perform a graceful Routing Engine switchover (GRES):

    user@host> request virtual-chassis routing-engine master switch check

    In earlier releases, the request virtual-chassis routing-engine master switch check command displays no output to confirm that the member routers are ready for GRES.

    The output of the request virtual-chassis routing-engine master switch check command has not changed when the member routers are not yet ready for GRES.

    [See Determining GRES Readiness in a Virtual Chassis Configuration.]

  • Note: The changes to global switchover behavior in an MX Series Virtual Chassis are not supported in Junos OS Release 15.1. Documentation for this feature is included in the Junos OS 15.1 documentation set.

    Changes to global switchover behavior in an MX Series Virtual Chassis (MX Series routers with MPCs)—Starting in Junos OS Release 15.1R1, performing a global switchover by issuing the request virtual-chassis routing-engine master switch command from the master Routing Engine in the Virtual Chassis master router (VC-M) has the same result as performing a local switchover from the VC-M.

    After a global switchover, the Virtual Chassis master router (VC-M) becomes the Virtual Chassis backup router (VC-B), and the VC-B becomes the VC-M. In addition, a global switchover now causes the local roles (master and standby, or m and s) of the Routing Engines in the former VC-M to change, but does not change the local roles of the Routing Engines in the former VC-B.

    In earlier releases, a global switchover in a Virtual Chassis caused the VC-M and VC-B to switch global roles, but did not change the master and standby local roles of the Routing Engines in either member of the Virtual Chassis.

    [See Switchover Behavior in an MX Series Virtual Chassis.]

  • New unified ISSU warning message for VCCV-BFD NSR not being supported—Starting in Junos OS Release 15.1R2, 15.1F2, and later releases, when you perform a unified in-service software upgrade (ISSU), the Junos OS CLI displays a warning message about NSR not being supported for Bidirectional Forwarding Detection (BFD) support for virtual circuit connectivity verification (VCCV). You must enter “yes” or “no” to confirm whether you want to proceed with the ISSU operation.

Interfaces and Chassis

  • Changes to show interfaces interface-name extensive output—Starting in Junos OS Release 15.1R7, the MAC Control Frames field of the show interfaces interface-name extensive command for a specified 10-Gigabit Ethernet interface displays a value of zero. In previous releases, the value for this field was calculated. Because of continuous traffic and as a result of the calculations, the value displayed for this field changed continuously.

IPv6

  • IPv6 addresses with padded zeros in MIC or MS-MPC system log messages (M Series, MX Series, and T Series)—Starting with Junos OS Release 15.1R2, all system log messages originating from MIC or MS-MPC line cards display padded zeros in IPv6 addresses to make them compatible with MS-DPC line cards. Earlier, the system log messages from MIC or MS-MPC line cards displayed IPv6 addresses with '::' instead of padded zeros.
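    A log-normalization helper for collectors that receive both address forms during an upgrade, as an added example that is not part of the original release notes. It assumes "padded zeros" means the full eight-group form with four hex digits per group; the log lines are constructed and do not reproduce a real Junos message format.

```python
import ipaddress
import re

# A candidate token is a run of hex digits and colons that is not glued to a
# word character, another colon, or a dot (the dot keeps IPv4 addresses and
# fractional timestamps out of scope).
_TOKEN = re.compile(r"(?<![\w:.])[0-9A-Fa-f:]{2,}(?![\w:.])")

# Constructed sample lines: the same event in the compressed and padded forms.
COMPRESSED_LINE = (
    "Jun  1 10:15:02 mx1 (FPC Slot 2, PIC Slot 0) session open "
    "src=2001:db8::1 dst=2001:db8:0:1::53"
)
PADDED_LINE = (
    "Jun  1 10:15:02 mx1 (FPC Slot 2, PIC Slot 0) session open "
    "src=2001:0db8:0000:0000:0000:0000:0000:0001 "
    "dst=2001:0db8:0000:0001:0000:0000:0000:0053"
)


def normalize_ipv6(line, padded=True):
    """Rewrite every IPv6 address in a log line to one canonical form.

    padded=True  -> eight zero-padded groups (the form described for 15.1R2)
    padded=False -> compressed form with '::'
    Tokens that are not valid IPv6 addresses (timestamps, MAC addresses,
    hex words) are returned unchanged.
    """
    def _rewrite(match):
        token = match.group(0)
        if token.count(":") < 2:
            return token
        try:
            addr = ipaddress.IPv6Address(token)
        except ValueError:
            return token
        return addr.exploded if padded else addr.compressed

    return _TOKEN.sub(_rewrite, line)


def same_event(line_a, line_b):
    """Compare two log lines after normalizing their IPv6 addresses."""
    return normalize_ipv6(line_a) == normalize_ipv6(line_b)


if __name__ == "__main__":
    print(normalize_ipv6(COMPRESSED_LINE))
    print(same_event(COMPRESSED_LINE, PADDED_LINE))
```

    Normalizing at ingestion keeps correlation rules and saved searches that key on an address string working across line cards and across the 15.1R2 boundary.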

Junos OS XML API and Scripting

  • Escaping of special XML characters required for request_login (M Series, MX Series, and T Series)—Beginning with Junos OS Release 15.1R2, you must escape any special characters in the username and password elements of a request_login XML RPC request. The following five symbols are considered special characters: greater than (>), less than (<), single quote ('), double quote ("), and ampersand (&). Both entity references and character references are acceptable escape sequence formats. For example, &amp; and &#38; are valid representations of an ampersand. Previously no escaping of these characters was required.

  • XML output change for show subscribers summary port command (MX Series)—Starting in Junos OS Release 15.1R5, the display format has changed for the show subscribers summary port command to make parsing the output easier. The output is now displayed as in the following example:

    user@host> show subscribers summary port | display xml

    In earlier releases, that output is displayed as in the following example:

    user@host> show subscribers summary port | display xml
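    For the request_login escaping requirement listed above, an added example (not part of the original release notes or Juniper code) that builds the request with the five special characters escaped and contrasts it with raw string interpolation. The element names request-login, username, and challenge-response are assumptions about the RPC layout, and the credentials are constructed.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# escape() handles &, < and > itself; the two quote characters are added so
# that all five characters named in the release note are covered.
_QUOTE_ENTITIES = {"'": "&apos;", '"': "&quot;"}

# Assumed element names for the login RPC; adjust to the schema in use.
_TEMPLATE = (
    "<rpc><request-login>"
    "<username>{user}</username>"
    "<challenge-response>{password}</challenge-response>"
    "</request-login></rpc>"
)

# Constructed credentials that exercise each failure mode.
SAMPLES = [
    ("ops&admin", "s3cret"),    # ampersand in the username
    ("admin", "p<w&\"x'>1"),    # all five special characters
    ("admin", "a<b/>c"),        # well-formed markup inside the password
]


def build_escaped(username, password):
    """Build the request with both values escaped as entity references."""
    return _TEMPLATE.format(
        user=escape(username, _QUOTE_ENTITIES),
        password=escape(password, _QUOTE_ENTITIES),
    )


def build_raw(username, password):
    """Raw interpolation, the habit that worked before 15.1R2 (for contrast)."""
    return _TEMPLATE.format(user=username, password=password)


def round_trips(rpc, username, password):
    """True if an XML parser recovers exactly the credentials that were sent."""
    try:
        login = ET.fromstring(rpc).find("request-login")
    except ET.ParseError:
        return False  # the document is not well-formed
    return (
        login.findtext("username") == username
        and login.findtext("challenge-response") == password
    )


def check_samples():
    """Return (escaped_ok, raw_ok) for every constructed credential pair."""
    return [
        (round_trips(build_escaped(u, p), u, p), round_trips(build_raw(u, p), u, p))
        for u, p in SAMPLES
    ]


if __name__ == "__main__":
    for (user, password), result in zip(SAMPLES, check_samples()):
        print(repr(user), repr(password), result)
```

    The third sample is the one to watch in automation code: the raw request is well-formed, so nothing errors on the client side, but the parser sees only part of the password as the element text.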

Layer 2 Features

  • Support for configuring MAC move parameters globally (MX Series)—Starting in Junos OS Release 15.1R4, you can configure parameters for media access control (MAC) address move reporting by including the global-mac-move statement and its substatements at the [edit protocols l2-learning] hierarchy level. When a MAC address appears on a different physical interface or within a different unit of the same physical interface and this behavior occurs frequently, it is considered a MAC move. You can configure the router to report a MAC address move based on the following parameters: the number of times a MAC address move occurs, a specified period of time over which the MAC address move occurs, and the specified number of times a MAC address move occurs in one second.

Layer 2 VPNs

  • Support for hot standby pseudowire for VPLS instances with LDP (MX Series)—Starting with Junos OS Release 15.1R2, you can configure a routing device running a VPLS routing instance configured with the Label Distribution Protocol (LDP) to indicate that a hot-standby pseudowire is desired upon arrival of a PW_FWD_STDBY status-tlv. Include the hot-standby-vc-on statement at the [edit routing-instances routing-instance-name protocols vpls mesh-group mesh-group-name neighbor address pseudowire-status-tlv] hierarchy level.

  • Logging failed KEK security association—Starting with Junos OS 15.1R6, the syslog message records a key encryption key (KEK) installation failure when the installation of the KEK security association in a group VPN fails. This is caused by a key server sending an invalid payload. We recommend using the group controller key server (GCKS) on the SRX Series platform as your key server.

Management

  • Support for status deprecated statement in YANG modules (M Series, MX Series, and T Series)—Starting with Junos OS Release 15.1R5, Juniper Networks YANG modules include the status deprecated statement to indicate configuration statements, commands, and options that are deprecated.

MPLS

  • Deselecting active path on bandwidth reservation failure (MX Series)—LSP deselects the current active path if the path is not able to reserve the required amount of bandwidth and there is another path that is successful and capable of becoming active. If the current active path is not deselected, then it continues to be active despite having insufficient bandwidth. If none of the paths are able to reserve the required amount of bandwidth, then the tear-lsp option brings down the LSP.

    [See deselect-on-bandwidth-failure.]

  • Point-to-multipoint LSP ping echo reply ignored on Juniper side in Cisco-Juniper interoperability (M Series, MX Series, and T Series)—Currently, in a Juniper-Cisco interoperation network scenario, a point-to-multipoint LSP ping echo reply message from a Cisco device in a different IGP area is dropped on the Juniper device when the source address of the reply message is an interface address other than the loopback address or router ID.

    Starting with Junos OS Release 14.2R6, 15.1R4, 16.1, and later releases, such point-to-multipoint LSP ping echo reply messages are accepted by the Juniper device and the messages get logged as uncorrelated responses.

  • Bandwidth underflow sample on LSPs (MX Series)—Starting in Junos OS Release 14.1R9 and 15.1R7, all zero value bandwidth samples are considered as underflow samples, except for the zero value samples that arrive after an LSP comes up for the first time, and the zero value samples that arrive first after a Routing Engine switchover.

Multicast

  • Disabling igmp-snooping on VPLS (MX Series)–In order to make configuration and debugging easier, starting in Junos OS Release 15.1R1, multiple Group VPNv2 groups can use the same gateway. The commit check for a unique tuple of <local_address, remote_address, routing_instance> across groups has been removed. The same tuple is now checked for uniqueness across all gateways. This allows multiple groups to share the same gateway for their Group VPNv2 traffic.

Network Management and Monitoring

  • Enhanced service type information in an SNMP MIB walk operation for jnxSpSvcSet—Starting with Junos OS Releases 13.3R7, 14.1R6, 14.2R4, and 15.1R2, Junos OS provides enhanced service type (SvcType) information in a MIB walk operation for the jnxSpSvcSet MIB table. Stateful firewall, NAT, and IDS service sets are now categorized under the SFW/NAT/IDS service type. IPsec services are categorized as IPSEC service type, while all other services are grouped as EXT-PKG.

    In Junos OS Release 13.3R6 and earlier, the show snmp mib walk command for the jnxSpSvcSet MIB table displays the service type as EXT-PKG for all services.

  • SNMP proxy feature (M Series, MX Series, and T Series)—Starting with Junos OS Release 15.1R2, you must configure the interface <interface-name> statement at the [edit snmp] hierarchy level for the proxy SNMP agent. Earlier, configuring an interface for the proxy SNMP agent was not mandatory.

  • Change in how used memory is calculated in Junos OS with upgraded FreeBSD (MX Series)—Starting in Junos OS Release 15.1R1, for platforms running Junos OS with upgraded FreeBSD, the way used memory is calculated has changed. Inactive memory is no longer included in the calculation for memory utilization. This change is reflected in the value given for memory utilization in the output for the show chassis routing-engine command. This change also affects the SNMP representation of this value at jnxOperatingBuffer.

    [For platforms that run Junos OS with upgraded FreeBSD, see Understanding Junos OS with Upgraded FreeBSD.]

  • Change in the output of snmp mib walk of the jnxVpnIfStatus MIB object (M Series, MX Series, and T Series)—Starting with Junos OS Release 15.1R4, the show snmp mib walk jnxVpnIfStatus command provides information of all interfaces, except the Juniper Networks specific dynamic interfaces.

  • New 64-bit counter of octets for interfaces (M Series, MX Series, and T Series)—Starting with Junos OS Release 15.1R3, Junos OS supports two new Juniper Networks enterprise-specific Interface MIB Extension objects—ifHCIn1SecOctets and ifHCOut1SecOctets—that act as 64-bit counters of octets passing through an interface.

  • Enhancement for SONET interval counter (M Series, MX Series, and T Series)—Starting with Junos OS Release 15.1R3, only the Current Day Interval Total output field in the show interfaces interval command for SONET interfaces is reset after 24 hours. In addition, the Previous Day Interval Total output field displays the last updated time in hh:mm.

    [See show interfaces interval.]

  • Hard-coded RFC 3635 MIB OIDs updated (MX Series)—Starting in Junos OS Release 15.1R7, the following RFC 3635 MIB OIDs have been updated as default values:

    • dot3StatsFCSErrors and dot3HCStatsFCSErrors, framing errors

    • dot3StatsInternalMacReceiveErrors and dot3HCStatsInternalMacReceiveErrors, MAC statistics: Total errors (Receive)

    • dot3StatsSymbolErrors and dot3HCStatsSymbolErrors, code violations

    • dot3ControlFunctionsSupported, flow control

    • dot3PauseAdminMode, flow control

    • dot3PauseOperMode, autonegotiation

    [See the SNMP Explorer.]

  • SNMP syslog messages changed (MX Series)—Starting in Junos OS Release 15.1R7, two misleading SNMP syslog messages have been rewritten to accurately describe the event:

    • OLD: AgentX master agent failed to respond to ping. Attempting to re-register

      NEW: AgentX master agent failed to respond to ping, triggering cleanup!

    • OLD: NET-SNMP version %s AgentX subagent connected

      NEW: NET-SNMP version %s AgentX subagent Open-Sent!

    [See the MIB Explorer.]

  • MIB buffer overruns counted only under ifOutDiscards (MX Series)—The change made through PR 1140400 introduced a CVBC in which qdrops (buffer overruns) were counted under ifOutErrors along with ifOutDiscards. This is contrary to RFC 2863, under which buffer overruns should be counted only under ifOutDiscards and not under ifOutErrors. In Junos OS Release 15.1R7, this is now fixed.

  • New context-oid option for trap-options configuration statement to distinguish the traps that come from a non-default routing instance and non-default logical system (MX Series)—Starting in Junos OS Release 15.1R1, a new option, context-oid, for the trap-options statement allows you to handle prefixes such as <routing-instance name>@<trap-group> or <logical-system name>/<routing-instance name>@<trap-group> as an additional varbind.

    [See trap-options.]

  • A decrease in the MPLS label-switched path (LSP) statistics pauses the SNMP MIB mplsLspInfoAggrOctets count for one MPLS statistics gathering interval. In such cases, the mplsLspInfoAggrOctets value is updated only after completing one more interval of the MPLS statistics gathering.

Platform and Infrastructure

  • Increase in length of TACACS messages—Starting in Junos OS Release 15.1R7, the length of TACACS messages allowed on routers running Junos OS has been increased from 8150 to 65,535 bytes.

Routing Policy and Firewall Filters

  • Command completion for the [show firewall prefix-action-stats filter filter-name prefix-action] hierarchy on all compatible platforms–In releases earlier than Junos OS Release 15.1R1, you could not utilize the command completion feature at the [show firewall prefix-action-stats filter filter-name prefix-action] hierarchy level. This meant that you had to know the name of the prefix-action in order to complete any command at that hierarchy level. This involved running a show configuration command, getting the prefix-action name, and using it in the command.

    Starting in Junos OS Release 15.1R1, command completion is available so that pressing the Tab key at the [show firewall prefix-action-stats filter filter-name prefix-action] hierarchy level lists all currently configured prefix-action names.

  • Support for logical queue-depth in the Packet Forwarding Engine for IP options packets for a given protocol (M Series, MX Series, and T Series)—Starting with Junos OS Release 15.1R4, you can configure logical queue-depth in the Packet Forwarding Engine for IP options packets for a given protocol. The queue-depth indicates the number of IP options packets that can be enqueued in the Packet Forwarding Engine logical queue; beyond this number, the queue starts dropping packets.

Routing Protocols

  • Optimization of link-state packets (LSPs) flooding in IS-IS (MX Series)—Starting in Junos OS Release 15.1R5, flooding of LSPs in IS-IS no longer occurs as a result of the commitment of configuration changes unrelated to IS-IS. Now, when the router is not in the restart state, every time a new LSP is generated after a CLI commit, the contents of the new LSP are compared to the contents of the existing LSP already installed in the link-state database (LSDB) between Intermediate Systems. When the contents of the two LSPs do not match, the system does not process the new LSP or install it in the LSDB, and consequently does not flood it through the IS-IS network. The new behavior does not affect the rebuilding of LSPs after they refresh in the LSDB. No configuration is required to invoke the new behavior.

    In earlier releases, IS-IS generates new LSPs even when the configuration changes are not related to IS-IS. Because the new LSPs are flooded across the network and synchronized in the LSDB, this flooding process is time-consuming and CPU intensive in a scaled network environment.

  • Enable forwarding IPv6 solicited router advertisements as unicast—Beginning with Junos OS Release 15.1R1, you can configure devices to send router advertisements as unicast in response to the router solicitation message sent by IPv6 routers. In earlier Junos OS releases, IPv6 router advertisements were sent as periodic multicast, which caused a battery drain in all the other devices. A new configuration statement solicit-router-advertisement-unicast is introduced at the [edit protocols router-advertisement interface interface-name] hierarchy level.

    [See solicit-router-advertisement-unicast.]

  • DSCP bit not copied into IPv6 ICMP reply packets (MX Series)—Beginning with Junos OS Release 15.1R1, the Differentiated Services code point (DSCP) field from the IPv6 header of the incoming ICMP request packet is copied into the ICMP reply packet. The value of the DSCP field represents the class of service, and transmission of packets is prioritized based on this value. In earlier Junos OS releases, the value of the DSCP field was set to 0, which is undesirable because the class of service information is lost. Junos OS now retains the value of the DSCP field in the incoming packet and copies it into the ICMP reply packet.

  • New option to remove peer loop check (M Series, MX Series, and T Series)—Starting in Junos OS Release 15.1R1, the new option no-peer-loop-check to remove the peer loop check for private AS numbers is available under the remove-private statement at the following hierarchy levels:

  • BGP hides a route received with a label block size greater than 256 (M Series, MX Series, and T Series)—Starting in Junos OS Release 15.1R1, when a BGP peer (running Junos OS) sends a route with a label block size greater than 256, the local speaker hides the route and does not re-advertise this route. The output of the show route detail/extensive hidden/all displays the hidden route and states the reason as label block size exceeds max supported value. In earlier Junos OS releases, when a peer sent a route with a label block size greater than 256, the routing protocol process (rpd) terminated abnormally.

  • RPD refreshes the route record database only if there is a new update (MX Series)—Beginning with Junos OS Release 15.1R1, when you commit a minor configuration change, the rpd sends only AS paths that are active routes to the FPCs. Not all known AS paths are sent to the FPC, thereby considerably reducing the memory and CPU usage, resulting in a faster route record database update. Route record now keeps track of configuration and reconfiguration times. At client startup, all the routes are sent to the client, but at reconfiguration, route record now checks the timestamp of the route.

    In earlier Junos OS releases, when a configuration change was committed, the Routing Engine CPU usage and the FPC CPU usage would go high for an extended period of time. This occurred even if there was a minor change to the configuration. The FPCs and the client were running out of memory due to the high number of AS paths sent by route record. This was especially evident in very large-scale configurations where the number of AS paths and the number of routes were large. This took a lot of CPU time and memory to process because at reconfiguration, route record sent all routes to the client again, even if there were no route changes.

  • Enhanced show isis overview command (M Series, MX Series, and T Series)—Beginning with Junos OS Release 15.1R1, the show isis overview command display output includes details, such as Hostname, Sysid, and Areaid. This additional information facilitates troubleshooting IS-IS adjacency issues.

    [See show isis overview.]

  • Configure and establish targeted sessions with third-party controllers using LDP targeted neighbor (M Series and MX Series)—Starting with Junos OS Release 15.1R1, you can configure LDP targeted neighbor to third-party controllers for applications such as route recorder that want to learn label-FEC bindings of an LSR. LDP targeted neighbor helps to establish a targeted session with controllers for a variety of applications.

  • Enhanced BGP log message when prefix limit is exceeded—Beginning with Junos OS Release 13.3, BGP generates an enhanced log message when the prefix limit exceeds the configured limit. The log message now includes the instance name in addition to the peer address and address family.

    [See prefix-limit.]

  • BGP route is hidden when AS path length is more than the configured maximum AS size —Beginning with Junos OS Release 13.2, BGP hides a route when the length of the AS path does not match the number of ASs in the route update. In earlier Junos OS releases when a route with AS path size over 2048 was advertised, it could cause session flaps between BGP peers because of the mismatch. Therefore, to avoid session flaps, such routes are now hidden by Junos OS. You can see this behavior when bgp-error-tolerance is configured.

    If you want BGP to advertise the hidden route to an OSPF neighbor, we recommend that you add the AS path statically in the default route configuration. For example:

  • BGP link state value modified to 29 (M Series, MX Series, and T Series)—Starting in Junos OS Release 14.2R3, the value of the BGP LINK-STATE (LS) path attribute is modified to 29, which is IANA's officially assigned value. In earlier Junos OS releases, the LINK-STATE path attribute had a private value of 99 that was used for interoperability testing with other vendors. The previous versions of BGP LS are not compatible with this new value of BGP LS. Therefore, BGP LS users cannot use unified ISSU with the BGP LS value of 29.

  • New IS-IS adjacency holddown CLI command (MX Series)—Beginning with Junos OS Release 15.1R1, a new operational command show isis adjacency holddown is introduced to display the adjacency holddown status. This command is useful to verify whether the adjacency holddown is enabled and facilitates troubleshooting when there are adjacency issues due to IS-IS adjacency holddown.

    [See show isis adjacency holddown.]

  • Eliminate fe80::/64 direct routes from RIB for IPv6 interfaces—Beginning with Junos OS Release 15.1R1, the fe80::/64 direct routes for IPv6 addresses are not installed in the routing table. Therefore, when you issue a show route command, the fe80::/64 routes for IPv6 addresses are not displayed in the output. In earlier releases, Junos OS added the fe80::/64 direct routes to the routing table when inet6 family was enabled on an interface. These fe80::/64 direct routes are neither routable nor used for routing decisions and hence their absence in the routing table does not impact any functionality.

  • Support for RFC 5492, Capabilities Advertisement with BGP-4—Beginning with Junos OS Release 15.1R4, BGP sessions can be established with legacy peers that do not support optional parameters, such as capabilities. In earlier Junos OS releases from 15.1R1 through 15.1R3 and 15.1F1 through 15.1F4, BGP sessions with legacy routers without BGP capabilities were not supported. Starting with Junos OS Release 15.1R4, support for BGP sessions with legacy routers without BGP capabilities is restored.

Security

  • Packet types added for DDoS protection L2TP policers (MX Series routers with MPCs, T4000 routers with FPC5)—Starting in Junos OS Release 15.1R6, the following eight packet types have been added to the DDoS protection L2TP protocol group to provide flexibility in controlling L2TP packets:

    cdn

    scccn

    hello

    sccrq

    iccn

    stopccn

    icrq

    unclassified

    Previously, no individual packet types were available for this protocol group and all L2TP packets were policed the same based on the aggregate policer value. The default values for the bandwidth and burst policers for all packet types are 20,000 pps. The default recover-time is 300 seconds for each of the L2TP packet types.

    [See protocols (DDoS).]

  • Changes to distributed denial of service (DDoS) protection protocol groups and packet types (MX Series, T4000 with FPC5)—Starting in Junos OS Release 15.1R1, the following syntax changes have been made:

    • The mlp protocol group has been modified as follows to provide DDoS protection with full control of the bandwidth:

      • The aging-exc, packets, and vxlan packet types have been removed from the mlp protocol group.

      • The add, delete, and lookup packet types have been added to the mlp protocol group. These packets correspond to the MAC learning command codes.

    • The keepalive protocol group has been renamed to tunnel-ka.

    • The firewall-host protocol group and the mcast-copy packet type in the unclassified protocol groups have been removed from the CLI. They are now classified by the internal host-bound classification engine on the line card.

  • Changes to distributed denial of service (DDoS) protection default values for MLP packets (MX Series, T4000 with FPC5)—Starting in Junos OS Release 15.1R1, the following default bandwidth (pps) and burst (packets) values apply for MLP packets by line card:

    Policer         MPC1, MPC2, MPC5, and MPC6      MPC3, MPC4, and FPC5
                    Bandwidth     Burst             Bandwidth     Burst
    aggregate       10,000        20,000            5000          10,000
    add             4096          8192              2048          4096
    delete          4096          8192              2048          4096
    lookup          1024          2048              512           1024
    unclassified    1024          1024              512           512

  • Changes to distributed denial of service (DDoS) protection flow detection defaults (MX Series, T4000 with FPC5)—Starting in Junos OS Release 15.1R1, flow detection defaults to disabled for the following protocol groups and packet type, because they do not have typical Ethernet, IP, or IPv6 headers. Global flow detection does not enable flow detection for these groups and the packet type.

    • Protocol groups: fab-probe, frame-relay, inline-ka, isis, jfm, mlp, pfe-alive, pos, services.

    • Packet type: unclassified in the ip-opt protocol group.

  • Changes to show ddos-protection protocols command output (MX Series, T4000 with FPC5)—Starting in Junos OS Release 15.1R1, when you disable DDoS protection policers on the Routing Engine or on an FPC for a specific packet type, an asterisk is displayed next to that field in the CLI output. For example, if you issue the following statements:

    the fields are marked as in the following sample output:

    user@host> show ddos-protection protocols mlp lookup

Services Applications

  • Support for configuring TWAMP servers on routing instances (MX Series)—Starting in Junos OS Release 15.1R1, you can specify the TWAMP servers on specific routing instances, instead of associating the TWAMP server at the system level. To apply the TWAMP server to a routing instance configured on a router, include the routing-instance-list instance-name port port-number statement at the [edit services rpm twamp server] hierarchy level. The port number of the specified routing instance is used for TWAMP probes that are received by a TWAMP server. The default routing instance is Internet routing table inet.0. If you do not specify a routing instance, the TWAMP probe applies to all routing instances. To apply the TWAMP probe to only the default routing instance, you must explicitly set the value of instance-name to the default. If an interface is not part of any routing instance, the default port is used for TWAMP probes. You can configure up to 100 routing instances for a TWAMP server.

  • Optional inclusion of Flags field in DTCP LIST messages (MX Series)—Starting in Junos OS Release 15.1R1, the Flags field is not a required parameter in the DTCP LIST message. The LIST request is not rejected if the LIST message does not contain the Flags field. If the DTCP LIST message contains the Flags field, the value of that field is processed. If the LIST message does not contain the Flags field, the CRITERIA field parameter is used for the Flags field.

  • Change in support for service options configuration on service PICs at the MS and AMS interface levels (MX Series)—Starting in Junos OS Release 15.1R1, when a multiservices PIC (ms- interface) is a member interface of an AMS bundle, you can configure the service options to be applied on the interface at only one level at a time, either the ms- interface level or the AMS bundle level, by including the services-options statement at the [edit interfaces interface-name] hierarchy level. You cannot define service options for a service PIC at both the AMS bundle level and at the ms- interface level simultaneously. When you define the service options at the MS level or the AMS bundle level, the service options are applied to all the service sets on the ms- interface or the AMS interface defined at ms-fpc/pic/port.logical-unit or amsN, respectively.

  • Changes in the format of session open and close system log messages (MX Series routers with MS-MICs and MS-MPCs)—Starting with Junos OS Release 15.1R1, with the Junos OS Extension-Provider packages installed and configured on the device for MS-MPCs and MS-MICs, the formats of the MSVCS_LOG_SESSION_OPEN and MSVCS_LOG_SESSION_CLOSE system log messages are modified to toggle the order of the destination IPv4 address and destination port address displayed in the log messages to be consistent and uniform with the formats of the session open and close logs of MS-DPCs.

  • Support for bouncing service sets for dynamic NAT (MX Series routers with MS-MPCs and MS-MICs)—Starting in Junos OS Release 15.1R1, for service sets associated with aggregated multiservices (AMS) interfaces, you can configure the enable-change-on-ams-redistribution statement at the [edit services service-set service-set-name service-set-options] hierarchy level to enable the service set to be bounced (reset) for dynamic NAT scenarios (dynamic NAT, NAT64, and NAT44) when a member interface of an AMS bundle rejoins or a member interface failure occurs. When a member interface fails, the application resources (NAT pool in the case of dynamic NAT scenarios) and traffic load need to be rebalanced. For application resources to be rebalanced, which is the NAT pool for dynamic NAT environments, the NAT pool is split and allocated by the service PIC daemon (spd).

  • Changed range for maximum lifetime for PCP mapping—Starting in Junos OS Release 15.1R1, the range for the maximum lifetime, in seconds, for PCP mapping that you can configure by using the mapping-lifetime-max mapping-lifetime-max statement at the [edit services pcp] hierarchy level is modified to be from 0 through 4294667, instead of the previous range from 0 through 2147483647.

  • Change in the test-interval range for RPM tests (MX Series)—Starting in Junos OS Release 15.1R2, the minimum period for which the RPM client waits between two tests (configured by using the test-interval interval statement at the [edit services rpm probe owner test test-name] hierarchy level) is modified to be 1 second instead of 0 seconds. Also, if you do not configure the test interval, the default value is 0 seconds. A test interval of 0 seconds causes the RPM test to stop after one iteration.

  • Change to show services nat pool command output—Starting in Junos OS Release 15.1R3, the show services nat pool command output includes this new field: AP-P port limit allocation errors. When AP-P is configured, this field indicates the number of out-of-port errors that are due to a configured limit for the number of allocated ports in the limit-ports-per-address statement at the [edit services nat pool nat-pool-name] hierarchy level.

  • Class pcp-logs and alg-logs are not configured for ms-interface (MX Series)—Starting with Junos OS Release 15.1R3, for multiservices (ms-) interfaces, you cannot configure system logging for PCP and ALGs by including the pcp-logs and alg-logs statements at the [edit services service-set service-set-name syslog host hostname class] hierarchy level. An error message is displayed if you attempt to commit a configuration that contains the pcp-logs and alg-logs options to define system logging for PCP and ALGs for ms- interfaces.

  • Support for deterministic NAPT (MX Series)—You can configure deterministic port block allocation for Network Address Port Translation (NAPT) on MX Series routers with MS-MPCs or MS-MICs. By configuring deterministic NAPT, you ensure that translation of the internal host IP (private IP to public IP and vice versa) is deterministic, thus eliminating the need for address translation logging for each connection. To use deterministic port block allocation, you must specify deterministic-napt44 as the translation type in your NAT rule.

  • Anycast address 0/0 must not be accepted in the from-clause of Detnat rule (MX Series)—Starting with Junos OS Release 15.1R4, for multiservices (ms-) interfaces, anycast configuration is not allowed as the source-address when translation type is deterministic NAT.

  • Deprecated security idp statements (MX Series)—Starting in Junos OS 15.1R6, the [edit security idp] configuration statements are deprecated.

  • Changes to the PGCP service (MX, M and T Series)—Starting in Junos OS Release 15.1R6, the Packet Gateway Control Protocol (PGCP) is removed from the list of processes during boot. The configuration statements, commands, and options for PGCP process are deprecated. In earlier releases, PGCP process configures the PGCP that is required for the border gateway function (BGF) feature.

Subscriber Management and Services (MX Series)

  • Support for specifying preauthentication port and password (MX Series)—Starting in Junos OS Release 15.1R1, you can configure a router that operates as the RADIUS client to contact a RADIUS server for authentication and preauthentication requests on two different UDP ports and using different secret passwords. Similar to configuring the port numbers for authentication and accounting requests, you can define a unique port number that the router uses to contact the RADIUS server for logical line identification (LLID) preauthentication requests. You can also define a unique password for preauthentication requests. If you do not configure a separate UDP port or secret for preauthentication purposes, the same UDP port and secret that you configure for authentication messages is used.

    To configure a unique UDP port number and the password to be used to contact the RADIUS server for pre-authentication requests, include the preauthentication-port port-number and preauthentication-secret password statements, respectively, at the [edit access radius-server server-address] or [edit access profile profile-name radius-server server-address] hierarchy level.

    [See Configuring a Port and Password for LLID Preauthentication Requests.]

  • Addition of pw-width option to the nas-port-extended-format statement (MX Series)—Starting in Junos OS Release 15.1R1, you can configure the number of bits for the pseudowire field in the extended-format NAS-Port attribute for Ethernet subscribers. Specify the value with the pw-width option in the nas-port-extended-format statement at the [edit access profile profile-name radius options] hierarchy level. The configured fields appear in the following order in the binary representation of the extended format:

    aggregated-ethernet slot adapter port pseudo-wire stacked-vlan vlan

    The width value also appears in the Cisco NAS-Port-Info AVP (100). In addition to Junos OS Release 15.1R1, the pw-width option is available in Junos OS Release 13.3R4; it is not available in Junos OS Release 14.1 or Junos OS Release 14.2.

    [See CoS Adjustment Control Profiles Overview.]

  • Enhanced support for Calling-Station-ID (RADIUS attribute 31) (MX Series)—Starting in Junos OS Release 15.1R1, you can specify optional information that is included in the Calling-Station-ID that is passed to the RADIUS server. You can now include the following additional information when configuring the calling-station-id-format statement at the [edit access profile profile-name radius options] hierarchy level:

    • interface-text-description—Interface description text string

    • stacked-vlan—Stacked VLAN ID

    • vlan—VLAN ID

    [See Configuring a Calling-Station-ID with Additional Attributes.]

  • Unique RADIUS NAS-Port attributes (MX Series)—Starting in Junos OS Release 15.1R1, you can configure unique values for the RADIUS NAS-Port attribute (attribute 5), to ensure that a single NAS-Port attribute is not used by multiple subscribers in the network. You can create NAS-Port values that are unique within the router only, or that are unique across all MX Series routers in the network. To create unique NAS-Port attributes for subscribers, the router uses an internally generated number and an optional unique chassis ID, which you specify. The generated number portion of the NAS-Port provides uniqueness within the router only. The addition of the optional chassis ID configuration ensures that the NAS-Port is unique across all MX Series routers in the network.

    [See Enabling Unique NAS-Port Attributes (RADIUS Attribute 5) for Subscribers.]

  • RADIUS VSA support for IANA Private Enterprise Number 311 primary and secondary DNS servers (MX Series)—Starting in Junos OS Release 15.1R1, the Junos OS AAA implementation supports RADIUS VSAs that identify the primary and secondary DNS servers for IANA private enterprise number 311 (Microsoft Corporation). The two VSAs are shown in the following list, and are described in RFC 2548, Microsoft Vendor-specific RADIUS Attributes:

    • MS-Primary-DNS-Server (VSA 26-28)—The 4-octet address of the primary Domain Name Server. This VSA can be included in Access-Accept and Accounting-Request packets.

    • MS-Secondary-DNS-Server (VSA 26-29)—The 4-octet address of the secondary Domain Name Server. This VSA can be included in Access-Accept and Accounting-Request packets.

    [See RADIUS Support for Microsoft Corporation VSAs for DNS Server Addresses.]

  • Filters for duplicate RADIUS accounting interim reports (MX Series)—Starting in Junos OS Release 15.1R1, subscriber management provides a duplication filter feature that enables you to specify which accounting servers receive RADIUS accounting interim reports when RADIUS accounting duplicate reporting is active. You configure the filters in the AAA access profile, and the router then applies the filters to subscribers associated with that profile.

    Subscriber management supports the following filtering for RADIUS accounting duplicate reporting:

    • Duplicated accounting interim messages

    • Original accounting interim messages

    • Excluded RADIUS attributes

    Subscriber management also provides additional attribute support for the exclude statement at the [edit access profile profile-name radius attributes] hierarchy level.

    [See Configuring Duplication Filters for RADIUS Accounting Duplicate Reporting.]

  • LAC configuration no longer required for L2TP tunnel switching with RADIUS attributes (MX Series)—Starting in Junos OS Release 15.1R1, when you use Juniper Networks VSA 26-91 to provide tunnel profile information for L2TP tunnel switching, you no longer have to configure a tunnel profile on the LAC. In earlier releases, tunnel switching failed when you did not also configure the LAC, even when the RADIUS attributes were present.

    [See Configuring L2TP Tunnel Switching and L2TP Tunnel Switching Overview.]

  • Changes to ANCP triggering of RADIUS immediate interim accounting updates (MX Series)—Starting in Junos OS Release 15.1R1, the AAA daemon immediately sends a RADIUS interim-accounting request to the RADIUS server when it receives notification of ANCP actual downstream or upstream data rate changes, even when the update-interval statement is not included in the subscriber session access profile. In earlier releases, the update-interval statement is required. This feature still requires that the ancp-speed-change-immediate-update statement is included in the access profile.

    [See Configuring Immediate Interim Accounting Updates to RADIUS in Response to ANCP Notifications.]

  • DHCP behavior when renegotiating while in bound state (MX Series)—Starting in Junos OS Release 15.1R1, DHCPv4 and DHCPv6 local server and relay agent all use the same default behavior when receiving a DHCPv4 Discover or DHCPv6 Solicit message with a matching client ID, while in a bound state. In the default behavior, DHCP maintains the existing client entry when receiving a new Discover or Solicit message that has a client ID that matches the existing client. In Junos OS releases prior to 15.1R1, DHCPv6 local server and DHCPv6 relay agent use the opposite default behavior, and tear down the existing client entry when receiving a Solicit message with a matching client ID, while in a bound state.

    You use the delete-binding-on-renegotiation statement to override the default behavior and configure DHCP local server and relay agent to delete the existing client entry when receiving a Discover or Solicit message while in a bound state.

    [See DHCP Behavior When Renegotiating While in Bound State.]

  • Optional CHAP-Challenge attribute configuration (MX Series)—Starting in Junos OS Release 15.1R1, you can configure the router to override the default behavior and insert the random challenge generated by the NAS into the Request Authenticator field of Access-Request packets. In the default behavior, the authd process sends the random challenge as the CHAP-Challenge attribute (RADIUS attribute 60) in Access-Request packets.

    The optional behavior requires that the value of the challenge must be 16 bytes. If the challenge is not 16 bytes long, authd ignores the optional configuration and sends the challenge as the CHAP-Challenge attribute.

    To configure the optional behavior, you use the chap-challenge-in-request-authenticator statement at the [edit access profile profile-name radius options] hierarchy level.

    [See Configuring RADIUS Server Options for Subscriber Access.]

  • NAS-Port-ID string values and order (MX Series)—Starting in Junos OS Release 15.1R1, you can specify additional optional information in the NAS-Port-ID (RADIUS attribute 87), which identifies the physical interface used to authenticate subscribers. In addition, you can override the default order in which the optional values appear in the NAS-Port-ID and specify a customized order for the optional values.

    You can now include the following additional information when configuring the nas-port-id-format statement at the [edit access profile profile-name radius options] hierarchy level:

    • interface-text-description—interface’s description string

    • postpend-vlan-tags—VLAN tags using :<outer>-<inner>

    Use the order option at the [edit access profile profile-name radius options nas-port-id-format] hierarchy level to specify the non-default order in which the optional information appears in the NAS-Port-ID string.

    [See Configuring a NAS-Port-ID with Additional Options.]

  • Changes to LAC connect speed derivation (MX Series)—Starting in Junos OS Release 15.1R1, the following changes are made to the methods that specify a source for the LAC to derive values for the Tx-Connect-Speed and Rx-Connect-Speed that it sends to the LNS in AVP 24 and AVP 38:

    • The static method is no longer supported for specifying a source, but it is still configurable for backward compatibility. If the static method is configured, the LAC falls back to the port speed of the subscriber access interface.

    • The default method has changed from static to actual.

    • The actual method now has the highest preference when multiple methods are configured; in earlier releases, the ancp method has the highest preference.

    • When the pppoe method is configured and a value is unavailable in the PPPoE IA tags for the Tx speed, Rx speed, or both, the LAC falls back to the port speed. In earlier releases, it falls back to the static method.

  • Change to show services l2tp tunnel command (MX Series)—Starting in Junos OS Release 15.1R1, the show services l2tp tunnel command displays tunnels that have no active sessions. In earlier releases, the command does not display tunnels without any active sessions.

  • Support for LAC sending AVP 46 (MX Series)—Starting in Junos OS Release 15.1R1, when the LAC terminates a PPP session, it generates a PPP disconnect cause and includes this information in the PPP Disconnect Cause Code (AVP 46) when it sends a Call-Disconnect-Notify (CDN) message to the LNS. The code value is 0, which indicates a global error with no information available.

  • New option to limit the maximum number of logical interfaces (MX Series routers with MS-DPCs)—Starting in Junos OS Release 15.1R1, you can include the limited-ifl-scaling option with the network-services enhanced-ip statement at the [edit chassis] hierarchy level to impose a limitation on the maximum number of logical interfaces on MX Series routers with MS-DPCs to be 64,000 for enhanced IP network services mode. Using the limited-ifl-scaling option prevents the problem of a collision of logical interface indices that can occur in a scenario in which you enable enhanced IP services mode and an MS-DPC is also present in the same chassis. A cold reboot of the router must be performed after you set the limited-ifl-scaling option with the network-services enhanced-ip statement. When you enter the limited-ifl-scaling option, none of the MPCs are moved to the offline state. All the optimization and scaling capabilities supported with enhanced IP mode apply to the limited-ifl-scaling option.

  • Local DNS configurations available when authentication order is set to none (MX Series)—Starting in Junos OS Release 15.1R2, subscribers get the DNS server addresses when both of the following are true:

    • The authentication order is set to none at the [edit access profile profile-name authentication-order] hierarchy level.

    • A DNS server address is configured locally in the access profile with the domain-name-server, domain-name-server-inet, or domain-name-server-inet6 statement at the [edit access profile profile-name] hierarchy level.

    In earlier releases, subscribers get an IP address in this situation, but not the DNS server addresses.

  • Change in support for L2TP statistics-related commands (MX Series)—Starting in Junos OS Release 15.1R2, statistics-related show services l2tp commands cannot be issued in parallel with clear services l2tp commands from separate terminals. In earlier releases, you can issue these show and clear commands in parallel. Now when any of these clear commands is running, you must press Ctrl+c to make the clear command run in the background before issuing any of these show commands. The relevant commands are listed in the following table:

    clear services l2tp destination    show services l2tp destination extensive
    clear services l2tp session        show services l2tp destination statistics
    clear services l2tp tunnel         show services l2tp session extensive
                                       show services l2tp session statistics
                                       show services l2tp summary statistics
                                       show services l2tp tunnel extensive
                                       show services l2tp tunnel statistics

    Note

    You cannot run multiple clear services l2tp commands from separate terminals. This behavior is unchanged.

  • Improved result code reporting in stopCCN and CDN messages (MX Series)—Starting in Junos OS Release 15.1R3, the LAC provides more accurate result codes and always includes error messages in the Result-Error Code AVP (1) included in the stopCCN and CDN messages that it sends to the LNS. Packet captures display the relevant information in the Result code, Error code, and Error Message fields of the AVP.

    In earlier releases, the result code does not provide sufficient information about the cause of the event and the error message is omitted for some result codes.

  • Including termination reason for user logout events (MX Series)—Starting in Junos OS Release 15.1R2, when you enable the user-access flag at the [edit system processes general-authentication-service traceoptions] hierarchy level, the system log messages generated for authd include a termination reason for user logout events. In earlier releases, the log does not report any termination reasons.

    Sample output before the behavior change:

    Sample output after the behavior change:

  • Change in displayed value of LCP State field for tunneled subscriber sessions (MX Series)—Starting in Junos OS Release 15.1R3, when a subscriber session has been tunneled from the LAC to the LNS, the LCP State field displayed by the show interfaces pp0.unit command has a value of Stopped, which correctly reflects the actual state of the LCP negotiation (because at this stage LCP is terminated at the LNS).

    In earlier releases, this field incorrectly shows a value of Opened, reflecting the state of LCP negotiation before tunneling started. In earlier releases, you must issue the show ppp interface.unit command to display the correct LCP state.

  • Change in Routing Engine-based CPCD (MX Series)—Starting in Junos OS Release 15.1R3, you must specify a URL with the redirect statement. You must also specify destination-address address with the rewrite statement. In earlier releases, you can successfully commit the configuration without these options.

  • Increased maximum limits for accounting and authentication retries and timeouts (MX Series)—Starting in Junos OS Release 15.1R3, you can configure a maximum of 100 retry attempts for RADIUS accounting (accounting-retry statement) or authentication (retry statement). In earlier releases, the maximum value is 30 retries. You can also configure a maximum timeout of 1000 seconds for RADIUS accounting (accounting-timeout statement) or authentication (timeout statement). In earlier releases the maximum timeout is 90 seconds.

    Note

    The maximum retry duration (the number of retries times the length of the timeout) cannot exceed 2700 seconds. An error message is displayed if you configure a longer duration.

  • Support for longer CHAP challenge local names (MX Series)—Starting in Junos OS Release 15.1R3, the supported length of the CHAP local name is increased to 32 characters. In earlier releases, only 8 characters are supported even though the CLI allows you to enter a longer name. You can configure the name with the local-name statement at the [edit dynamic-profiles profile-name interfaces pp0 unit "$junos-interface-unit" ppp-options] or [edit dynamic-profiles profile-name interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" ppp-options] hierarchy levels. The maximum length of the local name for PAP authentication remains unchanged at 8 characters.

  • Change to test aaa commands (MX Series)—Starting in Junos OS Release 15.1R4, the following changes have been made to the test aaa ppp user, test aaa dhcp user, and test aaa authd-lite user commands:

    • Attributes not supported by Junos OS no longer appear in the output.

    • The Virtual Router Name and Routing Instance fields have been combined into the new Virtual Router Name (LS:RI) field. The value of this field matches the Juniper Networks Virtual-Router VSA (26-1), if present; otherwise the field displays default:default.

    • The value for any attribute that is not received (except for 26-1), or set locally, is displayed as <not set>.

    • The Redirect VR Name field has been renamed to Redirect VR Name (LS:RI).

    • In the CLI output header section, the Attributes area has been renamed to User Attributes.

    • Supported attributes now always appear in the display, even when their values are not set.

    • The IGMP field has been renamed to IGMP Enable.

    • The IGMP Immediate Leave and the MLD Immediate Leave default values have changed from disabled to <not set>.

    • The Chargeable user identity value has changed from an integer to a string.

    • The Virtual Router Name field has been added to the display for the DHCP client.

  • Change to using the UID as part of a variable expression (MX Series)—Starting in Junos OS Release 15.1R4, you cannot use the UID (the unique identifier of variables defined in dynamic profiles) as part of a variable expression, because the hierarchy of evaluation is as follows:

    • The user variable expressions are first evaluated for the UIDs to be resolved.

    • If the expression contains UIDs, it might result in unpredictable results.

    Using a variable expression with a UID now results in a commit check failure.

  • Subscriber management 64-bit mode support (MX Series)—Starting in Junos OS Release 15.1R4, subscriber management is now supported when the routing protocol daemon (rpd) is running in 64-bit mode. In earlier releases, subscriber management support required rpd to run in 32-bit mode.

  • Subscriber secure policies and service change of authorization requests (MX Series)—Starting in Junos OS Release 15.1R4, a subscriber secure policy cannot be instantiated by a CoA that includes any other subscriber service activation or deactivation. Use a separate CoA to apply a subscriber secure policy.

  • Configuration support for L2TP hashing (MX Series)—Starting in Junos OS Release 15.1R4, you can enable or disable the inclusion of the L2TP tunnel ID and session ID in the L2TP packet header in the hash computation for L2TP data packets on an aggregated Ethernet interface to more accurately balance the traffic load over multiple active links. By default, tunnel and session IDs are not considered. To enable the IDs to be used, include the l2tp-tunnel-session-identifier statement at the [edit forwarding-options enhanced-hash-key family inet] hierarchy level. To disable the inclusion of the IDs, remove the statement from your configuration.

    In earlier releases, tunnel and session IDs are included by default for L2TP hashing over aggregated Ethernet links and cannot be disabled.

  • Extended range for RADIUS request rate (MX Series)—Starting in Junos OS Release 15.1R4, the range for the request-rate statement at the [edit access radius-options] hierarchy level has been extended to 100 through 4000 requests per second. In earlier releases, the range is 500 through 4000 requests per second. The default value is unchanged at 500 requests per second.

  • VLAN demux interfaces over pseudowire interfaces (MX Series)—Starting in Junos OS Release 15.1R3, VLAN demux interfaces are supported over pseudowire subscriber logical interfaces.

  • Error messages generated for L2TP access concentrator (LAC) logins can be prevented from appearing in the syslogs—Starting with Junos OS Release 15.1R4, setting the syslogs log level to WARNING or higher prevents error messages generated for Layer 2 Tunneling Protocol (L2TP) subscribers from appearing in the syslogs. The syslogs are L2TP packet statistics counters (Rx/Tx) that are displayed every minute. If no packets are received or L2TP is not configured, these messages do not appear in the syslogs.

    In earlier releases, the severity of the log level was ERROR, which now has changed to NOTICE. The error messages are filtered out if the log level is set to WARNING or higher (ERROR, CRITICAL, ALERT, or EMERGENCY). Setting the log level to NOTICE or lower (INFORMATIONAL or DEBUG) allows the error messages to appear in the syslogs.

  • Configuring a pseudowire subscriber interface for a logical tunnel (MX Series)—Starting in Junos OS Release 15.1R4, you can configure a pseudowire subscriber interface and anchor it to a logical tunnel interface without explicitly specifying the tunnel bandwidth. In earlier releases, if you do not explicitly specify the tunnel bandwidth, or the tunnel bandwidth is anything other than 1G or 10G, the pseudowire interface is not created.

  • L2TP statistics now included in the output of the show system subscriber-management statistics command—Starting in Junos OS Release 15.1R4, a new option displays the L2TP plugin statistics in the output of the show system subscriber-management statistics command.

    The possible completions for the show system subscriber-management statistics command are:

    • <[Enter]> executes this command

    • all—Displays all statistics

    • dhcp—Displays the DHCP statistics

    • dvlan—Displays the DVLAN statistics

    • l2tp—Displays the L2TP statistics

    • ppp—Displays the PPP statistics

    • pppoe—Displays the PPPoE statistics

    • /—Pipes through a command

  • Changes to the test aaa ppp user command (MX Series)—Starting in Junos OS Release 15.1R1, the following changes have been made to the test aaa ppp user command:

    • Subscriber management supports only the default logical system.

    • Two contexts now need to be considered:

      • AAA context:

        • The context (LS:RI) is used to authenticate the subscriber.

          The Virtual Router Name and the Routing Instance attributes have been combined into a single attribute in the (LS:RI) notation.

        • The test aaa ppp command specified on the command line has the following possible completions:

          • agent-remote-id—Tests the DSL Forum Agent Remote Id (VSA 26-2)

          • l2tp-terminate-code—Tests the L2TP terminate code associated subscriber termination

          • logical-system—Tests the logical system in which the user is authenticated

          • password—Tests the password associated with the username

          • profile—Tests the access profile name associated with the user

          • routing-instance—Tests the routing instance in which the user is authenticated

          • service-type—Tests the Service type (1-255)

          • terminate-code—Tests the PPP terminate code associated with subscriber termination

          • user—Tests the username

      • Subscriber context:

        • The context (LS:RI) in which the subscriber is placed. This is established by either Juniper Networks VSA Virtual-Router (26-1) or Juniper Networks VSA Redirect-VRouter-Name (26-25) using (LS:RI) notation, where the routing instance may be different than the AAA context routing instance.

      • Both contexts perform subscriber placement, but the redirect re-authenticates with the RADIUS server in the subscriber context (for example, for L3 wholesale) and may be used for duplicate accounting.

    • Changed items:

      • The Chargeable user identity value has changed from int to string.

      • All not set, NULL, and Null outputs have been changed to <not set>.

      • Almost all display attributes now show <not set> when no value exists and zero is not a valid value for those attributes.

      • Both of the IGMP_Immediate_Leave and MLD Immediate Leave default values have changed from disabled to <not set>.

      • The Redirect VR Name display format for PPP clients has been changed to (LS:RI) notation.

      • The Virtual Router Name display format for PPP clients has been changed to (LS:RI) notation.

    • Added items:

      • Virtual Router Name has been added to the display for the DHCP client.

    • Removed items:

      • The Routing Instance display has been removed from the output.

      • The Ignore_DF_Bit display has been removed from the output.

      • Both Ingress Statistics and Egress Statistics have been removed from the output.

    • Renamed items:

      • The IGMP display has been renamed to IGMP Enable.

      • Attributes has been renamed User Attributes.

  • RADIUS VSA support for IANA Private Enterprise Number 311 primary and secondary DNS servers (MX Series)—Starting in Junos OS Release 15.1R1, the Junos OS AAA implementation supports RADIUS VSAs that identify the primary and secondary DNS servers for IANA private enterprise number 311 (Microsoft Corporation). The two VSAs are shown in the following list, and are described in RFC 2548, Microsoft Vendor-specific RADIUS Attributes:

    • MS-Primary-DNS-Server (VSA 26-28)—The 4-octet address of the primary Domain Name Server. This VSA can be included in Access-Accept and Accounting-Request packets.

    • MS-Secondary-DNS-Server (VSA 26-29)—The 4-octet address of the secondary Domain Name Server. This VSA can be included in Access-Accept and Accounting-Request packets.

    [See RADIUS Support for Microsoft Corporation VSAs for DNS Server Addresses.]

  • Support deprecated for retaining DHCP subscriber binding during interface deletion (MX Series)—Starting in Junos OS Release 15.1R4, when enhanced subscriber management is enabled, the MX Series routers no longer support the retention of DHCP bindings during an interface deletion. The maintain-subscriber stanza at the [edit system services subscriber-management] hierarchy level is deprecated for MX Series routers.

  • Automatic limit set for transmit window size (MX Series)—Starting in Junos OS Release 15.1R5, when the LAC receives a receive window size of more than 128 in the Start-Control-Connection-Reply (SCCRP) message, it sets the transmit window size to 128 and logs an Error level syslog message.

    In earlier releases, the LAC accepts any value sent in the Receive Window Size attribute-value pair (AVP 10) from an L2TP peer. Some implementations send a receive window size as large as 65530. Accepting such a large value causes issues in the L2TP congestion/flow control and slow start. The router may run out of buffers because it can support only up to a maximum of 60,000 tunnels.
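The clamp described above, as an added Python illustration (not Juniper's code and not part of the original release note): it parses the AVPs of an SCCRP using the RFC 2661 AVP layout and bounds the peer-advertised Receive Window Size (AVP 10) at 128. The function names and the constructed sample messages are assumptions made for this example.

```python
import struct

MAX_TX_WINDOW = 128        # cap stated in the release note
DEFAULT_TX_WINDOW = 4      # RFC 2661: value assumed when AVP 10 is absent
AVP_MESSAGE_TYPE = 0       # RFC 2661 attribute types (vendor ID 0)
AVP_RECV_WINDOW_SIZE = 10
MSG_SCCRP = 2              # Start-Control-Connection-Reply


def build_avp(attr_type, value, mandatory=True):
    """Encode one IETF AVP: flags + 10-bit length, vendor ID 0, type, value."""
    flags_len = (0x8000 if mandatory else 0) | (6 + len(value))
    return struct.pack("!HHH", flags_len, 0, attr_type) + value


def parse_avps(payload):
    """Yield (vendor_id, attr_type, value); reject lengths that do not fit."""
    offset = 0
    while offset < len(payload):
        if len(payload) - offset < 6:
            raise ValueError("truncated AVP header")
        flags_len, vendor_id, attr_type = struct.unpack_from("!HHH", payload, offset)
        if flags_len & 0x4000:
            raise ValueError("hidden AVPs are out of scope for this example")
        length = flags_len & 0x03FF  # low 10 bits carry the AVP length
        if length < 6 or offset + length > len(payload):
            raise ValueError("AVP length outside message")
        yield vendor_id, attr_type, payload[offset + 6:offset + length]
        offset += length


def transmit_window_from_sccrp(avp_payload):
    """Return (transmit_window, warning); warning is None unless clamped."""
    msg_type = None
    peer_window = None
    for vendor_id, attr_type, value in parse_avps(avp_payload):
        if vendor_id != 0:
            continue  # vendor-specific AVPs are not relevant here
        if attr_type in (AVP_MESSAGE_TYPE, AVP_RECV_WINDOW_SIZE) and len(value) != 2:
            raise ValueError("AVP %d must carry a 2-octet value" % attr_type)
        if attr_type == AVP_MESSAGE_TYPE:
            msg_type = struct.unpack("!H", value)[0]
        elif attr_type == AVP_RECV_WINDOW_SIZE:
            peer_window = struct.unpack("!H", value)[0]
    if msg_type != MSG_SCCRP:
        raise ValueError("not an SCCRP message")
    if peer_window is None:
        return DEFAULT_TX_WINDOW, None
    if peer_window > MAX_TX_WINDOW:
        warning = "peer receive window %d exceeds %d; transmit window set to %d" % (
            peer_window, MAX_TX_WINDOW, MAX_TX_WINDOW)
        return MAX_TX_WINDOW, warning
    return peer_window, None


def _sccrp(window=None):
    """Constructed sample: AVP section of an SCCRP (control header omitted)."""
    body = build_avp(AVP_MESSAGE_TYPE, struct.pack("!H", MSG_SCCRP))
    if window is not None:
        body += build_avp(AVP_RECV_WINDOW_SIZE, struct.pack("!H", window))
    return body


SCCRP_LARGE = _sccrp(65530)   # the oversized value mentioned in the note
SCCRP_SMALL = _sccrp(16)
SCCRP_NO_WINDOW = _sccrp()

if __name__ == "__main__":
    for name, msg in (("large", SCCRP_LARGE), ("small", SCCRP_SMALL),
                      ("absent", SCCRP_NO_WINDOW)):
        print(name, transmit_window_from_sccrp(msg))
```
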

  • Change in PPP keepalive interval for inline services subscribers (MX Series)—Starting in Junos OS Release 15.1R5, you can configure the PPP keepalive interval for subscriber services in the range 1 second through 600 seconds. Subscriber PPP keepalives are handled by the Packet Forwarding Engine. If you configure a value greater than 600 seconds, the number is accepted by the CLI, but the Packet Forwarding Engine limits the interval to 600 seconds. The interval is configured in a PPP dynamic profile with the interval statement at the [edit dynamic-profiles profile-name interfaces pp0 unit $junos-interface-unit keepalives] hierarchy level.

    In earlier Junos OS releases, the range is from 1 second through 60 seconds. The Packet Forwarding Engine limits any higher configured value to an interval of 60 seconds.

    PPP keepalives for non-subscriber services are handled by the Routing Engine with an interval range from 1 second through 32,767 seconds.

  • DNS servers displayed by the show subscribers extensive command (MX Series)—Starting in Junos OS Release 15.1R6, the display of DHCP Domain Name System (DNS) by the show subscribers extensive command has changed. When DNS addresses are configured at multiple levels, the command displays only the preferred address according to this order of precedence: RADIUS > access profile > global access. The command does not display DNS addresses configured as DHCP local pool attributes.

    DNS addresses from RADIUS appear in the following fields: Primary DNS Address, Secondary DNS Address, IPv6 Primary DNS Address, and IPv6 Secondary DNS Address.

    DNS addresses from the access profile or the global access configuration appear in the following fields: Domain name server inet and Domain name server inet6.

    In earlier releases, the command displays only DHCP DNS addresses provided by RADIUS.

  • Default L2TP resynchronization method changed and statement deprecated (MX Series)—Starting in Junos OS Release 15.1R6, the default resynchronization method for L2TP peers in the event of a control connection failure is changed to silent failover. In earlier releases, the default method is failover-protocol-fall-back-to-silent-failover. The silent failover method is preferred because it does not keep tunnels open without traffic flow, waiting for the failed peer to recover and resynchronize. You can use the new failover-resync statement at the [edit services l2tp tunnel] hierarchy level to specify either failover protocol or silent failover as the resynchronization method.

    Because silent failover is now the default, the disable-failover-protocol statement is no longer needed and has been deprecated. If you upgrade to this release with a configuration that includes this statement, it is supported, but the CLI notifies you that it is deprecated.

  • IPv6 link-local addresses assigned to underlying static demux interfaces (MX Series)—Starting in Junos OS Release 15.1R6, when you are using Router Advertisement for IPv6 subscribers on dynamic demux interfaces that run over underlying static demux interfaces, configure the software to use the same link-local address for both interfaces. In this case, the link-local address for the underlying interface should be based on the MAC address of the underlying interface. The following statement causes the system to assign an address using the 64-bit Extended Unique Identifier (EUI-64) as described in RFC 2373:

  • Traffic shaping and tunnel switches (MX Series)—Starting in Junos OS Release 15.1R6, when a dynamic profile attaches a statically configured firewall filter to an L2TP tunnel switch (LTS) session, the filter polices traffic from the LTS (acting as a LAC) to the ultimate endpoint LNS, in addition to the previously supported traffic from the LAC to the LTS (acting as an LNS). In previous releases, the firewall filter applied to only the traffic from the LAC to the LTS.

  • Memory mapping statement removed for Enhanced Subscriber Management (MX Series)—Starting in Junos OS Release 15.1R7, use the following command when configuring database memory for Enhanced Subscriber Management:

    set system configuration-database max-db-size

    CLI support for the set configuration-database virtual-memory-mapping process-set subscriber-management command has been removed to avoid confusion. Using the command for subscriber management now results in the following error message:

    WARNING: system configuration-database virtual-memory-mapping not supported. error: configuration check-out failed.

    [See Interface Configuring Junos OS Enhanced Subscriber Management for an example of how to use the max-db-size command.]

  • Wildcard supported for show subscribers agent-circuit-identifier command (MX Series)—Starting in Junos OS Release 15.1R7, you can specify either the complete ACI string or a substring when you issue the show subscribers agent-circuit-identifier command. To specify a substring, you must enter characters that form the beginning of the string, followed by an asterisk (*) as a wildcard to substitute for the remainder of the string. The wildcard can be used only at the end of the specified substring; for example:

    In earlier releases, starting with Junos OS Release 14.1, the command requires you to specify the complete ACI string to display the correct results. In Junos OS Release 13.3, you can successfully specify a substring of the ACI without a wildcard.

  • Enhancements for subscriber secure policy mirroring (MX Series)—Starting in Junos OS 15.1R7, the following changes increase the security of trap notifications and restrict authorization for configuring the target mediation devices:

    • You must configure the target parameters for mediation devices so that the SNMPv3 traps are sent with privacy (encrypted). Targets without privacy configured cannot receive the trap notifications. In earlier releases, you can configure target parameters without privacy, allowing unencrypted notifications to be sent to the mediation devices.

    • You must explicitly configure a list of trap targets with the notify-targets statement at the [edit services radius-flow-tap snmp] hierarchy level. This means that authorization to configure the target mediation devices is limited to users with flow-tap-control permission; that is, only users allowed to configure subscriber secure policies. In earlier releases, any user with snmp-control permission can configure targets to receive the trap messages, and notifications are sent to all targets in a trap group.

    [See Subscriber Secure Policy Overview.]

System Logging

  • System log message for key encryption key (KEK) creation or activation—Starting with Junos OS Release 15.1, messages similar to the following system log message are generated by the gkmd process when a KEK is created or deleted:

  • New JSERVICES system log messages (MX Series)—Starting in Junos OS Release 15.1R3, you can configure MX Series routers with MS-MPCs to log the following messages:

    Table 2: JSERVICES System Logs

    | Name | System Log Message | Description | Severity |
    | --- | --- | --- | --- |
    | JSERVICES_ALG_FTP_ACTIVE_ACCEPT | softwire-string src-ip:src-port [xlated-src-ip:xlated-src-port]->[xlated-dst-ip: xlated-dst-port]dst-ip:dst-port (protocol-name) | An FTP data connection from client to server is established. The matching packet contains the indicated information about its protocol name, application, source (logical interface name, IP address, and port number), and destination (IP address and port number). If the flow requires NAT services, NAT information appears in the message. | LOG_NOTICE |
    | JSERVICES_ALG_FTP_PASSIVE_ACCEPT | softwire-string src-ip:src-port [xlated-src-ip:xlated-src-port]->[xlated-dst-ip: xlated-dst-port]dst-ip:dst-port (protocol-name) | An FTP data connection from server to client is established. The matching packet contains the indicated information about its protocol name, application, source (logical interface name, IP address, and port number), and destination (IP address and port number). If the flow requires Network Address Translation (NAT) services, NAT information appears in the message. | LOG_NOTICE |
    | JSERVICES_DROP_FLOW_DELETE | softwire-string src-ip:src-port [xlated-src-ip:xlated-src-port]->[xlated-dst-ip: xlated-dst-port]dst-ip:dst-port (protocol-name) | The session with the indicated characteristics is removed and it had drop flow. The NAT data is available in the message if the session requires NAT. | LOG_NOTICE |
    | JSERVICES_ICMP_ERROR_DROP | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The ICMP error packet was dropped because it did not belong to an existing flow. | LOG_NOTICE |
    | JSERVICES_ICMP_HEADER_LEN_ERROR | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The ICMP packet was discarded because the length field in the packet header was shorter than the minimum 8 bytes required for an ICMP packet. | LOG_NOTICE |
    | JSERVICES_ICMP_PACKET_ERROR_LENGTH | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The ICMP packet was discarded because the packet contained fewer than 48 bytes or more than 576 bytes of data. | LOG_NOTICE |
    | JSERVICES_IP_FRAG_ASSEMBLY_TIMEOUT | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The packet and all related IP fragments previously received were discarded because all fragments did not arrive within the reassembly timeout period of four seconds. | LOG_NOTICE |
    | JSERVICES_IP_FRAG_OVERLAP | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The packet was discarded because the contents of two fragments overlapped. | LOG_NOTICE |
    | JSERVICES_IP_PACKET_CHECKSUM_ERROR | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The packet was discarded because its checksum was incorrect. | LOG_NOTICE |
    | JSERVICES_IP_PACKET_DST_BAD | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The packet was discarded because its destination address was either a multicast address or was in the range reserved for experimental use (248.0.0.0 through 255.255.255.254). | LOG_NOTICE |
    | JSERVICES_IP_PACKET_FRAG_LEN_INV | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The packet was discarded because the length of a fragment was invalid. | LOG_NOTICE |
    | JSERVICES_IP_PACKET_INCORRECT_LEN | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The IP packet was discarded because the packet length was invalid. | LOG_NOTICE |
    | JSERVICES_IP_PACKET_LAND_ATTACK | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The packet was discarded because the source and destination addresses for the packet were the same (referred to as a land attack). | LOG_NOTICE |
    | JSERVICES_IP_PACKET_LAND_PORT_ATTACK | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The packet was discarded because the source and destination addresses for the packet were the same and its source and destination ports were also the same (referred to as a land port attack). | LOG_NOTICE |
    | JSERVICES_IP_PACKET_NOT_VERSION_4 | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The packet version was not IP version 4 (IPv4). | LOG_NOTICE |
    | JSERVICES_IP_PACKET_NOT_VERSION_6 | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The packet version was not IP version 6 (IPv6). | LOG_NOTICE |
    | JSERVICES_IP_PACKET_PROTOCOL_ERROR | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The packet was discarded because it used an invalid IP protocol. | LOG_NOTICE |
    | JSERVICES_IP_PACKET_SRC_BAD | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The packet was discarded because its source address was one of the following: (1) a multicast address (2) a broadcast address (3) in the range 248.0.0.0 through 255.255.255.254, which is reserved for experimental use. | LOG_NOTICE |
    | JSERVICES_IP_PACKET_TTL_ERROR | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The packet with the indicated characteristics was discarded because the packet had a time-to-live (TTL) value of zero. | LOG_NOTICE |
    | JSERVICES_IP_PACKET_TOO_LONG | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The packet was discarded because the packet contained more than 64 kilobytes (KB) of data (referred to as a ping-of-death attack). | LOG_NOTICE |
    | JSERVICES_IP_PACKET_TOO_SHORT | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The packet did not contain the minimum amount of data required. | LOG_NOTICE |
    | JSERVICES_NO_IP_PACKET | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The packet received was not an IPv4 or IPv6 packet. | LOG_NOTICE |
    | JSERVICES_SYN_DEFENSE | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The packet with the indicated characteristics was discarded because the Transmission Control Protocol (TCP) handshake that is used to establish a session did not complete within the set time limit. The time limit is set by the 'open-timeout' statement at the [edit interfaces <services-interface> services-options] hierarchy level. If the time limit is not set, the session uses the default timeout value. | LOG_NOTICE |
    | JSERVICES_SFW_NO_POLICY | source-ip:destination-ip No policy | The stateful firewall received packets with the indicated source and destination addresses. There was no matching policy for the traffic. | LOG_NOTICE |
    | JSERVICES_SFW_NO_RULE_DROP | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The stateful firewall discarded the packet with the indicated characteristics, because the packet did not match any stateful firewall rules. In this case, the default action is to discard the packet. The discarded packet contained the indicated information about its protocol (numerical identifier and name), source (logical interface name, IP address, and port number), and destination (IP address and port number). | LOG_NOTICE |
    | JSERVICES_TCP_FLAGS_ERROR | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The packet was discarded because the flags in the packet were set in one of the following combinations: (1) FIN and RST (2) SYN and one or more of FIN, RST, and URG. | LOG_NOTICE |
    | JSERVICES_TCP_HEADER_LEN_ERROR | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The packet was discarded because the length field in the packet header was shorter than the minimum 20 bytes required for a TCP packet. | LOG_NOTICE |
    | JSERVICES_TCP_NON_SYN_FIRST_PACKET | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The TCP packet was discarded because it was the first packet in the TCP session but the SYN flag was not set. | LOG_NOTICE |
    | JSERVICES_TCP_PORT_ZERO | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The packet was discarded because the source or destination port specified in the packet was zero. | LOG_NOTICE |
    | JSERVICES_TCP_SEQNUM_AND_FLAGS_ZERO | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The packet was discarded because the packet's sequence number was zero and no flags were set. | LOG_NOTICE |
    | JSERVICES_TCP_SEQNUM_ZERO_FLAGS_SET | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The packet was discarded because the packet's sequence number was zero and one or more of the FIN, PSH, and URG flags were set. | LOG_NOTICE |
    | JSERVICES_UDP_HEADER_LEN_ERROR | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The UDP packet was discarded because the length field in the packet header was shorter than the minimum 8 bytes required for a UDP packet. | LOG_NOTICE |
    | JSERVICES_UDP_PORT_ZERO | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The UDP packet was discarded because the source or destination port specified in the packet was zero. | LOG_NOTICE |
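A triage sketch for the messages in Table 2, added here as an example (it is not Juniper tooling and not part of the original release note): it parses the "proto ..." message layout shown in the table and lists source addresses that trigger several distinct anomaly checks. The syslog prefix, the event-description wording, and every sample line are constructed assumptions.

```python
import re
from collections import defaultdict

# Layout from Table 2:
#   proto protocol-id (protocol-name), source-interface-name:source-address:
#   source-port -> destination-address:destination-port, event-description
# Assumption: the message tag is followed by ": " and then this layout.
RECORD = re.compile(
    r"(?P<tag>JSERVICES_[A-Z0-9_]+): proto (?P<proto_id>\d+) \((?P<proto>[^)]+)\), "
    r"(?P<ifname>[^:\s]+):(?P<src>\S+):(?P<sport>\d+) -> "
    r"(?P<dst>\S+):(?P<dport>\d+), (?P<event>.*)$"
)


def parse_record(line):
    """Return the fields of one 'proto ...' record, or None for other layouts.

    The port is taken as the last colon-separated field, so IPv6 addresses
    (which contain colons themselves) are kept whole.
    """
    match = RECORD.search(line)
    if match is None:
        return None
    rec = match.groupdict()
    for key in ("proto_id", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def triage(lines, min_distinct_tags=2):
    """Count messages per source and tag; flag sources hitting several checks.

    Returns (per_source, flagged, other_layout). Lines using a different
    layout in Table 2 (the softwire-string messages and SFW_NO_POLICY) are
    counted in other_layout rather than guessed at.
    """
    per_source = defaultdict(lambda: defaultdict(int))
    other_layout = 0
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            other_layout += 1
            continue
        per_source[rec["src"]][rec["tag"]] += 1
    flagged = sorted(src for src, tags in per_source.items()
                     if len(tags) >= min_distinct_tags)
    return {src: dict(tags) for src, tags in per_source.items()}, flagged, other_layout


# Constructed sample lines (documentation address ranges, invented prefix).
SAMPLE_LOG = [
    "Jan 10 10:00:01 mx1 JSERVICES_TCP_FLAGS_ERROR: proto 6 (TCP), "
    "ms-1/0/0.1:198.51.100.7:40000 -> 203.0.113.5:22, SYN and FIN set",
    "Jan 10 10:00:02 mx1 JSERVICES_TCP_PORT_ZERO: proto 6 (TCP), "
    "ms-1/0/0.1:198.51.100.7:0 -> 203.0.113.5:80, port zero",
    "Jan 10 10:00:03 mx1 JSERVICES_IP_PACKET_LAND_ATTACK: proto 6 (TCP), "
    "ms-1/0/0.1:203.0.113.5:1024 -> 203.0.113.5:80, land attack",
    "Jan 10 10:00:04 mx1 JSERVICES_UDP_PORT_ZERO: proto 17 (UDP), "
    "ms-1/0/0.1:2001:db8::9:0 -> 2001:db8::1:53, port zero",
    "Jan 10 10:00:05 mx1 JSERVICES_SFW_NO_POLICY: 198.51.100.7:203.0.113.5 No policy",
]

if __name__ == "__main__":
    per_source, flagged, other_layout = triage(SAMPLE_LOG)
    print("flagged sources:", flagged)
    print("lines in another layout:", other_layout)
```
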

System Management

  • Change to process health monitor process (MX Series)--Starting in Junos OS Release 15.1R2, the process health monitor process (pmond) is enabled by default on the Routing Engines of MX Series routers, even if no service interfaces are configured. To disable the pmond process, include the disable statement at the [edit system processes process-monitor] hierarchy level.

User Interface and Configuration

  • Space character not a valid name or value in CLI—Starting in Junos OS Release 15.1, you cannot create a name or value in the CLI using only single or multiple space characters. Existing configurations that include names or values consisting of only the space character cannot upgrade to Junos OS Release 15.1. The space character can still be used as part of a name or value in the CLI, as long as other characters are present.

  • New flag to control errors when executing multiple RPCs through a REST interface (M Series, MX Series, and T Series)—Starting with Junos OS Release 15.1R1, you can stop on an error when executing multiple RPCs through a REST interface by specifying the stop-on-error flag in the HTTP POST method.

    [See Submitting a POST Request to the REST API.]

  • Changed available REST interface cipher suites when Junos OS is in FIPS mode (M Series, MX Series, and T Series)—Starting with Junos OS Release 15.1R1, when Junos OS is in FIPS mode, you can configure only cipher suites with a FIPS-compliant hash algorithm for the REST interface to the device. To configure a cipher suite, specify the cipher-list statement at the [edit system services rest https] hierarchy level.

    [See cipher-list (REST API).]

  • New command to view disk space usage in configuration database (M Series, MX Series, and T Series)—Starting in Junos OS Release 15.1R1, you can use the show system configuration database usage command to see how much of the disk space is allocated for storing previous versions of the committed configurations and how much space is used by the configuration data.

    [See show system configuration database usage.]

  • New warning message for configuration changes to extend-size (M Series, MX Series, and T Series)—Starting with Junos OS Release 15.1R2, any operation on the system configuration-database extend-size configuration statement, such as deactivate, delete, or set, generates the following warning message:

    Change in 'system configuration-database extend-size' will be effective at next reboot only.

Virtual Chassis

  • SNMP MIB walk on MX Series Virtual Chassis—Starting with Junos OS Release 15.1R3, SNMP MIB walk operations no longer return invalid PCMCIA card information for Routing Engines on MX Series Virtual Chassis.

VLAN Infrastructure

  • ACI and ARI from PADI messages included in Access-Request messages for VLAN authentication (MX Series)—Starting in Junos OS Release 15.1R5, when the PPPoE PADI message includes the agent circuit identifier (ACI), agent remote identifier (ARI), or both, these attributes are stored in the VLAN shared database entry. If the VLAN needs to be authenticated, then these attributes are included in the RADIUS Access-Request message as DSL Forum VSAs 26-1 and 26-2, respectively (vendor ID 3561). The presence of these attributes in the Access-Request enables the RADIUS server to act based on the attributes.

VPNs

  • Group VPNv2 member devices allow multiple Group VPNv2 groups to share the same gateway (MX Series)–In order to make configuration and debugging easier, starting in Junos OS Release 15.1, multiple Group VPNv2 groups can use the same gateway. The commit check for a unique tuple of <local_address, remote_address, routing_instance> across groups has been removed. The same tuple is now checked for uniqueness across all gateways. This allows multiple groups to share the same gateway for their Group VPNv2 traffic.