Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Junos OS Release Notes for EX Series Switches

 

These release notes accompany Junos OS Release 16.1R7 for the EX Series. They describe new and changed features, limitations, and known and resolved problems in the hardware and software.

You can also find these release notes on the Juniper Networks Junos OS Documentation webpage, located at https://www.juniper.net/documentation/product/en_US/junos-os.

New and Changed Features

This section describes the new features in Junos OS Release 16.1 for the EX Series switches.

Note

The following EX Series switches are supported in Junos OS Release 16.1R7: EX4300, EX4600, and EX9200.

Note

A new J-Web distribution model was introduced in Junos OS Release 14.1X53-D10, and that same model is supported in Release 16.1R1 and later. The model provides two packages:

  • Platform package—Installed as part of Junos OS; provides basic functionalities of J-Web.

  • Application package—Optionally installable package; provides complete functionalities of J-Web.

In Junos OS Release 16.1R1, J-Web is supported on the EX4300 and EX4600 switches in both standalone and Virtual Chassis setup.

For details about the J-Web distribution model, see Release Notes: J-Web Application Package Release 16.1A1 for EX4300 and EX4600 Switches  .

Release 16.1R7 New and Changed Features

There are no new features or enhancements to existing features for EX Series in Junos OS Release 16.1R7.

Release 16.1R6 New and Changed Features

There are no new features or enhancements to existing features for EX Series in Junos OS Release 16.1R6.

Release 16.1R5 New and Changed Features

There are no new features or enhancements to existing features for EX Series in Junos OS Release 16.1R5.

Release 16.1R4 New and Changed Features

There are no new features or enhancements to existing features for EX Series in Junos OS Release 16.1R4.

Release 16.1R3 New and Changed Features

Port Security

  • Lightweight DHCPv6 Relay Agent (LDRA) (EX4300 and EX9200)—Starting with Junos OS Release 16.1R3 for EX Series switches, you can configure a Lightweight DHCPv6 Relay Agent (LDRA) to include relay-agent information in messages sent from a DHCPv6 client to a server or to another relay agent on the same IPv6 link. When the LDRA receives a DHCPv6 Solicit message from a client, it encapsulates that message within a DHCPv6 Relay-Forward message, which it then forwards to the server or to another relay agent. Before it forwards the Relay-Forward message, the LDRA can also insert DHCPv6 options in the message. These options contain information that the server uses to assign IP addresses, prefixes, and other configuration parameters to the client.

    [See Enabling DHCPv6 options Using a Lightweight DHCPv6 Relay Agent (LDRA).]

Release 16.1R2 New and Changed Features

There are no new features or enhancements to existing features for EX Series in Junos OS Release 16.1R2.

Release 16.1R1 New and Changed Features

Hardware

  • New line cards for EX9200 switches—Starting with Junos OS Release 16.1R1, EX9200 switches support the following new line cards:

    EX9200-12QS line card: It is a line card with 12 Gigabit Ethernet rate-selectable ports, each of which can house transceivers. These ports can operate at 10-Gbps, 40-Gbps, and 100-Gbps speeds.

    [See EX9200-12QS Line Card.]

    EX9200-40XS line card: It is a line card with 40 10-Gigabit Ethernet ports with Media Access Control Security (MACsec) capability, each of which can house 10-gigabit small form-factor plus pluggable (SFP+) transceivers.

    [See EX9200-40XS Line Card.]

Authentication, Authorization, and Accounting

  • Additional attributes for RADIUS accounting (EX4300)—Starting with Junos OS Release 16.1R1, additional RADIUS accounting attributes are supported on EX4300 switches. RADIUS accounting attributes are included in Accounting Request messages sent from a network access server (NAS) to the RADIUS accounting server. These RADIUS accounting attributes contain user accounting information that is used for keeping network statistics and for general network monitoring. The following additional attributes are supported: Client-System-Name, Framed-MTU, Session-Timeout, Acct-Authentic, NAS-Port-ID, and Filter-ID. There is no configuration required for enabling these attributes.

    [See Understanding 802.1X and RADIUS Accounting on EX Series Switches.]

  • Liveness detection for captive portal (EX4300)—Starting with Junos OS Release 16.1R1, you can configure a keep-alive timer to extend a captive portal authentication session after the MAC table aging timer expires. The keep-alive timer starts when the MAC address of the authenticated host ages of out of the Ethernet switching table. If traffic is received within the keep-alive period, the timer stops and the authenticated session remains active. If there is no traffic within the keep-alive period, the authenticated session ends, and the host must reauthenticate.

    [See Understanding Authentication Session Timeout.]

Interfaces and Chassis

  • Configuration support to keep an aggregated Ethernet link in an MC-LAG up for a peer that has limited LACP capability (EX9200)—Starting with Junos OS Release 16.1R1, you can configure an aggregated Ethernet link or an interface in an MC-LAG topology to remain up even when the peer link or peer interface has limited Link Access Control Protocol (LACP) capability.

    To enable this feature, configure the force-up statement at the [edit interfaces interface-name ether-options 802.3ad lacp] hierarchy level.

    [See Forcing MC-LAG Links or Interfaces with Limited LACP Capability to Be Up.]

  • Configuration consistency check for multichassis link aggregation groups (EX9200)—Starting with Junos OS Release 16.1R1, use configuration consistency checks, which are enabled by default, to find configuration-parameter inconsistencies between multichassis link aggregation group (MC-LAG) peers. Severe inconsistencies prevent MC-LAG interfaces from coming up; the interfaces come up after you correct those inconsistencies. Moderate inconsistencies generate error messages, and you can optionally fix those inconsistencies. At each commit, the configuration on each MC-LAG peer is checked. Use show multichassis configuration-consistency list-of-parameters to view which parameters are checked and which parameters must be configured identically or uniquely across MC-LAG peers. Use show multichassis configuration-consistency redundancy-group-id redundancy-group-id (global | icl | mc-ae-id mc-ae-id) to see the consistency status for a given mc-ae ID.

    [See Understanding Multichassis Link Aggregation Group Configuration Consistency Check.]

  • Configuration synchronization for multichassis link aggregation groups (EX9200)—Starting with Junos OS Release 16.1R1, multichassis link aggregation group (MC-LAG) configuration synchronization enables you to easily propagate, synchronize, and commit configurations from one MC-LAG peer to another. Log in to either peer to manage both, and use configuration groups to simplify the configuration process. You can create one configuration group each for the local peer and the remote peer, and a global configuration common to both peers.

    Create conditional groups to specify when peer configurations are synchronized. Enable peers-synchronize at the [edit system commit] hierarchy to synchronize configurations and commits across peers by default. NETCONF over SSH provides a secure connection between peers; Secure Copy Protocol (SCP) copies configurations securely between them.

  • A limited encryption Junos OS image, Junos Limited, created for customers in Armenia, Belarus, Kazakhstan, Kyrgyzstan, and Russia (EX9200)—Starting with Junos OS Release 16.1R1, customers in the Eurasian Customs Union (comprising Armenia, Belarus, Kazakhstan, Kyrgyzstan, and Russia) must use the limited encryption Junos OS image, Junos Limited, instead of the Junos Worldwide image, on EX9200 switches. The Junos Limited image does not have data-plane encryption and is intended only for countries in the Eurasian Customs Union, because these countries have import restrictions on software that has data-plane encryption. Unlike the Junos Worldwide image, the Junos Limited image supports control-plane encryption through the protocols SSH and SSL, thus enabling secure management of the system.

    Note

    Customers in Armenia, Belarus, Kazakhstan, Kyrgyzstan, and Russia must use the limited encryption Junos Limited image. Customers in all other countries must use the Junos image, introduced in Release 15.1R1 to replace the Junos Domestic image.

Management

  • YANG module that defines Junos OS operational commands (EX9200)—Starting with Junos OS Release 16.1R1, Juniper Networks provides the juniper-command YANG module, which represents the operational command hierarchy and collective group of modules that define the remote procedure calls (RPCs) for Junos OS operational mode commands. You can download Juniper Networks YANG modules from the website, or you can generate the modules by using the show system schema format yang module juniper-command operational command on the local device. The juniper-command module is bound to the namespace URI http://yang.juniper.net/yang/1.1/jrpc and uses the prefix jrpc.

    [See Understanding the Juniper Networks YANG Modules for Operational Commands.]

  • YANG module that defines CLI formatting for RPC output (EX9200)—Starting with Junos OS Release 16.1R1, Juniper Networks provides the junos-extension-odl YANG module. The module contains definitions for Junos OS Output Definition Language (ODL) statements, which determine the CLI formatting for RPC output when you execute the operational command corresponding to that RPC in the CLI or when you request the RPC output in text format. You can use statements in the junos-extension-odl module in custom RPCs to convert the XML output into a more logical and human-readable representation of the data. The junos-extension-odl module is bound to the namespace URI http://yang.juniper.net/yang/1.1/jodl and uses the prefix junos-odl.

    [See Understanding Junos OS YANG Extensions for Formatting RPC Output.]

Multicast

  • MLD snooping versions 1 and 2 (EX4300)—Starting with Junos OS Release 16.1R1, EX4300 switches support Multicast Listener Discovery (MLD) snooping version 1 (MLDv1) and version 2 (MLDv2). MLD snooping constrains the flooding of IPv6 multicast traffic on VLANs. When MLD snooping is enabled on a VLAN, an EX4300 switch examines MLD messages between hosts and multicast routers and learns which hosts are interested in receiving traffic for a multicast group. On the basis of what it learns, the switch forwards multicast traffic only to those interfaces in the VLAN that are connected to interested receivers instead of flooding the traffic to all interfaces.

  • IPv6 PIM support (EX4300)—Starting with Junos OS Release 16.1R1, EX4300 switches support Protocol Independent Multicast (PIM) for IPv6. The EX4300 switches support the following IPv6 PIM modes:

    • Sparse mode

    • Dense mode

    • Sparse-dense mode

    • Source-specific mode (SSM)

    PIM sparse mode supports the following rendezvous point (RP) functionality:

    • Static RP addresses

    • Bootstrap routers

    • Automatic RP announcement and discovery

    • Embedded RPs

    • Anycast RP

    [See PIM Overview.]

Network Management and Monitoring

  • Sampling VXLAN traffic (EX9200)—Starting with Junos OS Release 16.1R1, on EX9200 switches, you can use sFlow technology to sample 128 bytes of a VXLAN packet starting from the outer IP header. When configuring sFlow technology, you must specify an interface on which VXLAN packets enter or exit.

    • Ingress packets sampled before encapsulation—At this stage, sampled packets do not have an outer IP header. Outer Layer 2, Layer 3, and VXLAN network identifier (VNI) information are added to the packets as an sFlow extended header.

    • Ingress packets sampled before de-encapsulation—At this stage, sampled packets have an outer IP header. An sFlow extended header is added for an inner header offset.

    • Egress packets sampled after encapsulation—At this stage, sampled packets have an outer IP header. An sFlow extended header is added for an inner header offset.

    • Egress packets sampled after de-encapsulation—At this stage, sampled packets do not have an outer IP header. Outer Layer 2, Layer 3, and VNI information are added to the packets as an sFlow extended header.

  • Support for IPv6 for sFlow Monitoring (EX9200)—Starting with Junos OS Release 16.1R1, on EX9200 switches, sFlow technology supports configuration of IPv6 addresses in addition to the existing IPv4 address support.

Port Security

  • Media Access Control Security (MACsec) support (EX9200 switches)—Starting with Junos OS Release 16.1R1, MACsec is supported on all SFP and SFP+ interfaces on the EX9200-40XS line card when it is installed in an EX9200 switch. MACsec is an industry-standard security technology that provides secure communication for all traffic on point-to-point Ethernet links. MACsec is capable of identifying and preventing most security threats, and can be used in combination with other security protocols to provide end-to-end network security. MACsec can be enabled only on domestic versions of Junos OS software. MACsec is standardized in IEEE 802.1AE.

    [See Understanding Media Access Control Security (MACsec).]

  • IPv6 Router Advertisement (RA) Guard (EX4300)—Starting with Junos OS Release 16.1R1 for EX Series switches, IPv6 RA guard is supported on EX4300 switches. RA guard protects networks against rogue RA messages generated either maliciously or unintentionally by unauthorized or improperly configured routers connecting to the network segment. RA guard works by validating RA messages based on whether they meet certain criteria, which is configured on the switch as a policy. RA guard inspects the RA message and compares the information contained in the message attributes to the policy. Depending on the policy, RA guard either drops or forwards the RA messages that match the conditions.

    [See Understanding IPv6 Router Advertisement Guard.]

Routing Policy and Firewall Filters

  • Filter-based forwarding for IPv6 traffic (EX4300 switches and EX4300 Virtual Chassis)—Starting with Junos OS Release 16.1R1, standalone EX4300 switches and EX4300 Virtual Chassis support the use of firewall filters in conjunction with virtual routing instances, enabling you to specify different routes for IPv6 traffic to traverse through the network. To set up this feature, called filter-based forwarding, you specify a firewall filter and match criteria and then specify the virtual routing instance to send packets to.

    You can use filter-based forwarding to route IPv6 traffic through a firewall or security device before the traffic continues on its path. You can also use filter-based forwarding to give IPv6 traffic preferential treatment or to improve load balancing of switch traffic.

  • Filtering and policing VXLAN traffic (EX9200)—Starting with Junos OS Release 16.1R1, on EX9200 switches, you can filter and police VXLAN traffic in the following ways:

    • Per-VXLAN network identifier (VNI) filtering and policing—You can create a firewall filter that matches the VNI of a VXLAN segment. To rate-limit traffic for the VXLAN segment, you can specify policer as the action in the firewall filter. To rate-limit traffic exiting the VXLAN segment, you must apply the filter to the input traffic for the VXLAN. To rate-limit traffic entering the VXLAN segment, you must apply the filter to the output traffic for the VXLAN.

    • Per-virtual tunneling endpoint (VTEP) filtering and policing—To perform per-VTEP filtering, you create a firewall filter with one or more match conditions. In addition, you can create a dynamic profile for each dynamically created VTEP interface to filter input or output traffic. You can also create a default profile for interfaces that are not included in a dynamic profile.

      For the packets that match the per-VTEP filter, you can rate-limit the traffic for a dynamically created VTEP interface by specifying policer as the action in the firewall filter.

    • Filtering and policing based on outer header—You can create a firewall filter that matches the outer IP and UDP header contents of a VXLAN packet. When configuring this firewall filter, you must specify family inet and apply the filter to an interface on which VXLAN packets enter or exit. For the packets that match the filter, you can rate-limit traffic for the interface by specifying policer as the action in the firewall filter.

Software-Defined Networking

  • Support for ping and traceroute (EX9200) in troubleshooting overlay networks—Starting with Junos OS Release 16.1R1, EX9200 switches support overlay ping and traceroute as troubleshooting tools for overlay networks such as Virtual Extensible LANs (VXLANs). For ping and traceroute mechanisms to work in overlay networks, the ping and traceroute packets, also referred to collectively as the Operations, Administration, and Maintenance (OAM) packets, must be encapsulated with the same tunnel headers (outer headers) as the data packets forwarded over the overlay segment. The OAM packets then follow the same path as the data packets for the overlay segment. If any connectivity issues arise in the overlay segment, an OAM packet corresponding to a flow experiences the same connectivity issues as a data packet for that flow. OAM packets can collect detailed information specific to an overlay segment, and as a result, connectivity issues in the overlay network can be better detected.

User Interface and Configuration

  • Support for JSON format for configuration data (EX4300, EX4600, EX9200)–Starting with Junos OS Release 16.1, you can configure devices running Junos OS using configuration data in JavaScript Object Notation (JSON) format in addition to the existing text, Junos XML, and Junos OS set command formats. You can load configuration data in JSON format in the Junos OS CLI by using the load (merge | override | update) json command or from within a NETCONF or Junos XML protocol session by using the <load-configuration format="json"> operation. You can load JSON configuration data either from an existing file or as a data stream. Configuration data that is provided as a data stream must be enclosed in a <configuration-json> element.

    [See load, Defining the Format of Configuration Data to Upload in a Junos XML Protocol Session, and Mapping Junos OS Configuration Statements to JSON.]

VPNs

  • Support for Layer 2 VPNs (EX9200)—Starting with Junos OS Release 16.1R1, EX9200 switches support Layer 2 VPNs, allowing you to securely connect geographically diverse sites across an MPLS network. Implementing a Layer 2 VPN on the switch is similar to using other Layer 2 technologies, such as Asynchronous Transfer Mode (ATM) or Frame Relay. However, with Layer 2 VPNs, traffic is forwarded by the customer’s customer edge (CE) switch to the service provider’s provider edge (PE) switch in Layer 2 format. It is carried by MPLS over the service provider’s network and then converted back to Layer 2 format at the receiving site. Layer 2 VPNs provide complete separation between the service provider network and the customer network. This means that provider edge (PE) devices and customer edge (CE) devices do not exchange routing information, giving the customer full control over routing.

    [See Layer 2 VPNs Feature Guide for EX9200 Switches.]

Changes in Behavior and Syntax

This section lists the changes in behavior of Junos OS features and changes in the syntax of Junos OS statements and commands from Junos OS Release 16.1R7 for the EX Series.

Authentication and Access Control

  • Starting from Junos OS Release 16.1R1, for configuring the root login through SSH to control user access, the system services ssh root-login deny-password is the default option. In previous releases, the system services ssh root-login allow was the default option. Now, you must explicitly configure the set system services ssh root-login allow option to allow users to log in to the device as root through SSH.

General Routing

  • Enhancement to request support information command—Starting with Junos OS Release 16.1R1, the request support information command is enhanced to capture the following additional details:

    • file list detail/var/rundb/—Displays the size of the configuration databases.

    • show system configuration database usage—Displays the actual usage of the configuration databases.

      Note

      This information will be displayed only if the show system configuration database usage command is supported in the release.

    • file list detail /config/—Contains the db_ext file and shows the size of it to indicate whether extend_size is enabled or disabled.

  • New option introduced under show | display xml | display—Starting with Junos OS 16.1R1, you can use the show | display xml | display | mark-changed statement to view the mark-changed status of the nodes. This is useful for debugging purpose.

  • Modified output of the clear services sessions | display xml command—In Junos OS Release 16.1, the output of the clear services sessions | display xml command is modified to include the <sess-marked-for-deletion> tag instead of the <sess-removed> tag. In releases before Junos OS Release 14.1X55-D30, the output of this command includes the <sess-removed> tag. The replacement of the <sess-removed> tag with the <sess-marked-for-deletion> tag establishes consistency with the output of the clear services sessions command that includes the field Sessions marked for deletion.

Management

  • Support for status deprecated statement in YANG modules (EX Series)—Starting with Junos OS Release 16.1R3, Juniper Networks YANG modules include the status deprecated statement to indicate configuration statements, commands, and options that are deprecated.

Security

  • Changes to DDoS protection protocol group and packet type support (EX9200)—Starting with Junos OS Release 16.1, the following changes have been made to the protocols statement at the [edit system ddos-protection] hierarchy level and to the output of the show ddos-protection protocols command:

    • Removed the firewall-host protocol group.

    • Removed the unclassified packet type from the mcast-snoop protocol group.

    • Added the unclassified packet type to the tcp-flags protocol group.

User Interface and Configuration

  • New default implementation for serialization for JSON configuration data (EX Series)—Starting with Junos OS Release 16.1, the default implementation for serialization for configuration data emitted in JavaScript Object Notation (JSON) has changed. The new default is as defined in Internet drafts draft-ietf-netmod-yang-json-09, JSON Encoding of Data Modeled with YANG, and draft-ietf-netmod-yang-metadata-06, Defining and Using Metadata with YANG.

    [See Mapping Junos OS Configuration Statements to JSON.]

  • output-file-name option for show system schema command is deprecated (EX Series)—Starting with Junos OS Release 16.1, the output-file-name option for the show system schema operational command is deprecated. To direct the output to a file, use the output-directory option and specify the directory. By default, the filename for the output file uses the module name as the filename base and the format as the filename extension. If you also include the module-name option in the command, the specified module name is used for both the name of the generated module and for the filename base for the output file.

    [See show system schema.]

Known Behavior

This section lists known behavior, system maximums, and limitations in hardware and software in Junos OS Release 16.1R7 for the EX Series.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Authentication and Access Control

  • On EX Series and QFX Series switches, RADIUS authentication might fail when the switch receives an access-accept message containing another vendor’s vendor specific attribute (VSA). PR1095197

  • On EX4300 switches, when 802.1X single-supplicant authentication is initiated, multiple EAP Request Id Frame Sent packets might be sent. PR1163966

Interfaces and Chassis

  • If an Inter-Chassis Control Protocol (ICCP) interface on an EX9200 switch in an MC-LAG active-active topology is disabled and then reenabled, traffic might be dropped for more than 2 seconds. PR1173923

  • On EX9200 switches with MC-LAG configuration consistency check enabled and with conflicting authentication types for VRRP groups on the peer nodes of the MC-LAG, all mc-ae interfaces might go down even if the mc-ae interfaces are not members of the VLAN that has the conflict. PR1085664

Layer 2 Features

  • On EX Series switches that support Enhanced Layer 2 Software (ELS), when an interface is removed from a private VLAN (PVLAN) and then added back, the corresponding MAC entry might not be deleted from the Ethernet table. PR1036265

  • On EX9200 switches, for a MAC limit configured with a packet action of log, a packet drop might occur when interface-mac-limit is configured with mac-table-size on a specific VLAN or on a global VLAN hierarchy. PR1076546

Multicast

  • On EX4600 and QFX Series switches, IGMP snooping might not be enabled after you reboot the switch. Running a nonstop software upgrade (NSSU) on the switch might also cause the same issue. PR1082453

Platform and Infrastructure

  • On EX4300 switches, if multicast data packets that fail an RPF check are received on a nonshared tree, the packets might be trapped on the Routing Engine at a high rate, causing poor PIM convergence. PR911649

  • On EX4300 switches, in egress router-based firewall filters, IPv6 Layer 4 headers (icmp-type) might not work. PR912483

  • EX4300 switches do not support power negotiation based on LLDP-MED. Because of this, some access points that use LLDP-MED for negotiating PoE 802.3at do not work. PR1125374

  • Because of the factory default file that gets activated after zeroizing, an EX4300 can contain more interfaces to cater to a 10-member Virtual Chassis default configuration, even if the interfaces are not physically there or if there is only a standalone device. PR1238848

Port Security

  • On EX4300 switches, if either storm-control or storm-control-profiles with action-shutdown is configured, and if the storm-triggered traffic is control traffic such as LACP, then the physical interface will be put into an STP blocking state rather than turned down. Hence, valid control traffic might be trapped to the control plane and unrelated interfaces might be set down as an LACP timeout. PR1130099

  • On an EX9200-6QS line card, storm control might not work for multicast traffic. PR1191611

Security

  • On EX4300, EX4600, and QFX5100 switches, if a remote analyzer has an output IP address that is reachable through a route learned by BGP, the analyzer might be in a DOWN state. PR1007963

  • On EX9200 switches, analyzer configurations with analyzer input and output stanzas containing members of the same VLAN or the VLAN itself are not supported. With such configurations, packets can mirror in a loop, resulting in LUCHIP errors. As a workaround, use the mirror-once option if the input is for ingress mirroring. If it is for both ingress and egress mirroring, configure the output interface as an access interface. PR1068405

Software Installation and Upgrade

  • On EX4300 switches, traffic might be lost for Layer 3 protocols (such as RIP, OSPF, BGP, and VRRP) during a nonstop system upgrade (NSSU). PR1065405

  • During a unified ISSU upgrade of an EX9200 switch, BGPv6, OPSFv6, RIPng, and multicast traffic might be dropped for approximately 30 seconds. PR1195439

  • During a nonstop software upgrade (NSSU) on an EX4300, or an EX4600, or a QFX5100 Virtual Chassis, a traffic loop or loss might occur if the Junos OS software version that you are upgrading and the Junos OS software version that you are upgrading to use different internal message formats. PR1123764

  • On an EX4300 or a QFX5100 Virtual Chassis, when you perform an NSSU, there might be more than five seconds of traffic loss for multicast traffic. PR1125155

User Interface and Configuration

  • On EX9200 Virtual Chassis, commit errors might occur if commits are done frequently. PR1188816

Known Issues

This section lists the known issues in hardware and software in Junos OS Release 16.1R7 for the EX Series.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Authentication and Access Control

  • Changing the 802.1X (dot1x) supplicant mode from single-secure to multiple on interfaces of an EX9200-40XS line card might generate FPC core files. PR1198463

Firewall Filters

  • Sending line-rate traffic on 10G interfaces of an EX9200-40XS line card that has an ingress router firewall filter configured with actions log and syslog might generate FPC kernel core files. PR1191397

High Availability (HA) and Resiliency

  • When an ISSU from Junos OS Release 15.1R7.7 to Release 16.1R7.6 is performed on an EX9200 Routing Engine, integrated routing and bridging (IRB) IPv4 and IPv6 traffic is dropped. This traffic loss occurs toward the end of the ISSU operation when the new backup Routing Engine comes up and synchronizes with the new master Routing Engine. PR1365149

Interfaces and Chassis

  • On an EX9200-12QS line card, interfaces with the default speed of 10G are not brought down even when the remote end of a connection is misconfigured as 40G. PR1175918

  • In an EX9200 Virtual Chassis, if you create an aggregated Ethernet (AE) interface with a 40G port, the 40G port is shown as UP but is NOT able to pass LACP packets, and the corresponding AE interface is shown as DOWN. PR1349675

Multicast Protocols

  • The mcsnoopd process is generating a core file in this scenario. When mcsnoopd tries to terminate gracefully, it tries to clean up all the resources it has used. For this cleanup to happen, the task infrastructure waits for 10 minutes. In these 10 minutes, the KRT task cleanup is not happening properly and it generates a core file. PR1305239

Platform and Infrastructure

  • On EX9200 switches, SNMP queries to retrieve jnxRpmResSumPercentLost return the RPM/TWAMP probe loss percentage as an integer value, whereas the precise value (including decimal points) can be retrieved through the CLI by using the show services rpm probe-results and show services rpm twamp client probe-results commands. PR1104897

  • On EX4300 switches, packets whose size is larger than 1452 bytes are dropped after generic routing encapsulation (GRE) because fragmentation of payload and GRE path MTU discovery are not supported on EX4300 switches. PR1293787

  • On EX Series and QFX Series switches, when a media access control (MAC) source address filter is configured with accept-source-mac, if a MAC move limit is also configured, then the filter does not work as expected. PR1341520

  • On EX4300 Virtual Chassis running under Junos Releases 16.1R5 and 16.1R6, Junos OS code is unable to send firewall syslog files to the syslog server due to syslog messages being sent to the Routing Engine through a syslog vector that is set to NULL. Because of this, the Packet Forwarding Engine is unable to send any log messages to the Routing Engine. PR1351548

Port Security

  • On an EX9200-40XS line card, if you toggle the MACsec encryption option multiple times, encryption and protected MACsec statistics might be updated incorrectly. As a workaround, restart the line card. PR1185659

  • On EX4300 10G links, preexisting MACsec sessions might not come up after the following events:

    • Process (pfex, dot1x) restart or system restart

    • Link flaps

    PR1294526

Resolved Issues

This section lists the issues fixed in the Junos OS main release and the maintenance releases.

For the most complete and latest information about known Junos OS defects, use the Juniper online Junos Problem Report Search application.

Resolved Issues: 16.1R7

Authentication and Access Control

  • On EX Series standalone switches or their Virtual Chassis with dot1x configured, there will be memory leaks for PNACAUTH in dot1xd. Once the memory block of PNACAUTH used by dot1xd grows to its limit size, the switch might not process the clients’ authentication further and results in dot1x clients reauthenticating constantly. The dot1xd process always runs irrespective of the configuration and as part of its initialization it tries to connect with authd; if authd is not running, then there is a memory leak in dot1xd. PR1313578

  • The dot1xd process might crash if ports in multiple-supplicant mode flap. PR1332957

Infrastructure

  • On EX4300 switches, the firewall filter match condition ip-options with a value other than any does not provide the expected results. PR1173347

  • Monitor interface traffic does not show incoming ICMP packets. PR1303947

  • The file system might be corrupted multiple times during an image upgrade or a commit operation. PR1317250

  • On EX4600, priority-based flow control (PFC) frames might not work. PR1322439

  • ifinfo core files can be created on EX4600 Virtual Chassis.PR1324326

Interfaces and Chassis

  • On EX Series platforms with an MC-LAG deployment, a vmcore file might be created after an interchassis link (ICL) is changed from an aggregated Ethernet (AE) interface to a physical interface, causing the device to reboot. PR1318929

  • For EX Series switches, in a rare condition (for example, reboot or reloadconfiguration), the MAC address of an AE interface and its member links might be inconsistent, causing unexpected behavior for some routing protocols. PR1272973

  • When the interface is configured as a member of interface-set, it might not work properly after an unrelated FPC (not the one where the interface resides) restarts. The affected FPC is the restarted one. PR1329896

  • The MAC address assigned to an AE member interface is not the same as that of its parent AE interface upon master node removal. PR1333734

Layer 2 Features

  • On EX9200, when an anchor FPC has no active child, BPDUs are not sent out on the active VSTP or MSTP.PR1333872

Platform and Infrastructure

  • On EX4300 switches with Multicast Listener Discovery (MLD) snooping enabled, neighbor solicitation messages might be dropped, which can result in IPv6 ping not working. PR1263535

  • The IRB interface does not turn down when the master chassis is rebooted or halted. PR1273176

  • Running load replace terminal and attempting to replace the interface stanza might terminate the current CLI session and leave the user session hanging. PR1293587

  • On EX4300 switches, some functions of IPv6 Router Advertisement (RA) guard do not work. PR1294260

  • Inconsistent IEEE P-bit marking in the 802.1Q header for OSPF packets. PR1306750

  • A multicast receiver connected to an EX4300 switch might not be able to get the multicast streaming. PR1308269

  • IGMP snooping might not learn the multicast router interface dynamically. PR1312128

  • The interface with a 1G SFP might go down if no-auto-negotiation is configured. PR1315668

  • An l2cpd core file might be seen if the interface is disabled under VSTP and enabled under RSTP. PR1317908

  • High latency might be observed between the master Routing Engine and other FPCs. PR1319795

  • A VLAN might not be processed, leading to improper STP convergence. PR1320719

  • Multicast traffic might not be forwarded to one of the receivers. PR1323499

  • A MAC learning issue and new VLANs creation failures might happen for some VLANs on EX4300 platforms. PR1325816

  • The l2cpd process might generate a core file. PR1325917

  • On EX4300 switches, when the TCAM table is exhausted, a filter is still programmed. PR1330148

  • EX9200—Major Errors—MQSS Error code: 0x2203cb. PR1334928

  • The statistics daemon pfed might generate a core file on an upgrade between certain releases. PR1346925

  • An EX4600 switch detects a LATENCY OVER-THRESHOLD event with an incorrect value. PR1348749

  • EX4300 switches do not generate storm control action logs after an RTG configuration is added. PR1335256

  • IGMP packets are forwarded out of the RTG backup interface. PR1335733

  • MSTP might not work normally after permitting a commit. PR1342900

  • The VLAN translation feature does not work for control plane traffic. PR1348094

  • Traffic might be dropped if LLC packets are sent with DSAP and SSAP as 0x88 and 0x8e. PR1348618

Port Security

  • On EX4600 switches, when LACP is configured together with MACsec, the links in the bundle might not all work. Rebooting the switch might solve the problematic links but might also create the same issue on other child interfaces. PR1093295

Routing Protocols

  • OSPF routes cannot be installed to the routing table until the lsa-refresh timer expires. PR1316348

  • IGMP snooping might be enabled unexpectedly. PR1327048

Resolved Issues: 16.1R6

Authentication and Access Control

  • On EX4300 switches, if traffic is flooded while a VLAN configuration commit is in progress, dot1x might crash. PR1293011

Infrastructure

  • EX4300 aggregated Ethernet interface down when interface member VLAN is PVLAN and LACP is enabled. PR1264268

Platform and Infrastructure

  • On EX4300 Virtual Chassis, commit synchronize throws an error message error: patch generation error - not syncing patch. PR1175810

  • During boot up, EX4300 switches might have no display or might display gibberish on the LCD. It is an LCD corruption issue. PR1233580

  • On EX4300 Virtual Chassis, a 10-gigabit VCP might not get a neighbor after a system reboot. PR1261363

  • EX4300, pfex_junos usage goes high by loading a small amount of DHCP relay traffic. PR1276995

  • On EX4300 switches, when unknown unicast ICMP packets are received by an interface, packets are routed, so TTL is decremented. PR1302070

Spanning-Tree Protocols

  • On EX Series switches with a high Multiple Spanning Tree Protocol (MSTP) scale, MSTP bridge protocol data unit (BPDU) packets might not be sent out. This might result in MSTP not converging. PR1247566

Virtual Chassis

  • On EX4300 Virtual Chassis, the FRU PSU removal and insertion traps are not generated for master or backup FPCs. PR1302729

Resolved Issues: 16.1R5

Authentication and Access Control

  • On a dot1x-enabled interface, sometimes when you log in, log off, and then log in within a short interval (within subseconds), the logical interface plus the bridge domain or VLAN remain in a pending state, and you will not be able to access the network. PR1230073

  • On an EX4300 switch or a Virtual Chassis with 802.1X (dot1x) enabled, in a scenario with more than 254 clients (supplicants), plenty of clients might be going to the server-reject VLAN and have limited access to the server-reject VLAN although the clients have correct credentials. For a few authenticated clients, the authentication method might be displayed as "Server-Reject" although the client was authenticated in the correct VLAN—that is, the data VLAN. PR1251530

EVPN

  • If an EX9200 switch is configured as a PE router connected to a multihomed site in an EVPN/MPLS network, RPD core files might be created on the EX9200 when more than 255 logical interfaces from the same physical interface or ESI are added to the virtual switch instance configuration. Then some logical interfaces are removed from the ESI (that is, rollback of the configuration). PR1251473

High Availability (HA) and Resiliency

  • On EX9200 switches, if unified ISSU is used to upgrade Junos OS, it is possible that an unnecessary thread will run on an FPC after the upgrade procedure. This thread can potentially enter into a loop and trigger a stop of forwarding traffic on that particular FPC. PR1249375

Interfaces and Chassis

  • Restarting an EX9200-40XS card with MC-LAG ICL, ICCP, and MC-AE interfaces configured on different interfaces of the same EX9200-40XS card might cause the system to shut down. PR1183135

  • On QFX5100 and EX4600 switches, if traceroute is used between endpoints and the path travels through a GRE tunnel, then hops in the tunnel are displayed by an asterisk in the traceroute output. PR1236343

Network Management and Monitoring

  • After the reboot of the EX4600 Virtual Chassis, authentication of SNMPv3 users fails due to the change of the local engine ID. PR1256166

Platform and Infrastructure

  • On EX4300 switches, starting with Junos OS Release 15.1R3, a pfex_junos core file might be generated when you add or delete a native VLAN configuration with flexible-vlan-tagging. PR1089483

  • On EX9200 switches with an MPC5E installed, in a high-temperature situation, the temperature thresholds for triggering the high temperature alarm and controlling fan speed are based on the FPC level. Any sensor values in the FPC that exceed the temperature threshold of the FPC trigger the actions associated with temperature thresholds. PR1199447

  • On EX4300 switches, Layer 2 traffic is dropped in some cases. PR1157058

  • On EX Series or QFX Series switches, if the switch is power cycled, then some processes (such as jdhcp, lacp, and lldpd) might stop working after the switch reboots. PR1222504

  • On EX4300 switches with redundant trunk groups (RTGs) configured, Layer 3 protocol packets such as OSPF or RIP packets might not be sent. PR1226976

  • On an EX4300, EX4600, EX9200, or QFX5100 standalone switch or its Virtual Chassis or VCF, with a port configured in access mode and with dot1x enabled, if this port is converted to trunk mode, then this port might not be able to learn a MAC address or might drop packets silently. PR1239252

  • On EX4300 switches, when a policer with the action of loss of priority is applied to the lo0 interface, all ICMP packets might be dropped. PR1243666

  • On EX4300 switches, certain multicast traffic might impact the network, for example, cause OSPF to flap. Issues might occur when multicast packets use the same interface queue as certain network protocol packets (for example, OSPF, RIP, PIM, and VRRP). PR1244351

  • An SFP+ might not be recognized after an EX4300 reboots. PR1247172

  • On EX4300 switches, problems of connectivity might arise on 100 Mbps interfaces set to full/half duplex or on 10 Mbps interfaces set to full/half duplex. The interface will show up, but connectivity to end devices might not work. The interface does not transmit packets even though interface statistics show packets are transmitted. PR1249170

  • The egress PE device (EX4300) sends out LLDP frames toward the CE device with the destination MAC address of 01:00:0c:cd:cd:d0, which is a duplicated frame and is rewritten by the ingress (PE) device. PR1251391

  • On EX4300 switches, traffic is not forwarded through the GRE tunnel in some cases. PR1254638

  • On Enhanced Layer 2 Software (ELS) platforms, due to a memory leak issue, the l2ald process might crash when many dot1x clients are being reauthenticated, for example, 150 clients with transmit-period set to 5. It is around 40–60 bytes memory leak per reauthentication for one dot1x client. Here the leak is due to the interaction between dot1x and the l2ald process; with more frequent reauthentication and more clients, the crash will be observed more often. PR1269945

Port Security

  • On EX9208 switches, after a unified ISSU, storm control is taking effect only after deletion and re-creation. PR1151346

  • On EX4600 or QFX5100 standalone switches and Virtual Chassis, MACsec connections are deleted randomly after a switch reboot, optics removal, deactivation or activation of a MACsec configuration, or fxpc process restart. PR1234447

  • On EX4300 switches, there is no option to enable DHCP snooping without having to enable other port security features such as IP source guard or DAI. PR1245559

  • On EX4600 and QFX5100 switches, MACsec statistics are collected as part of the Ethernet periodic thread (for example, collected every 1 second), causing significant utilization of the CPU with MACsec sessions. The utilization is also proportional to the number of MACsec sessions, which can result in some problems such as high CPU and MACsec session drop. PR1247479

  • On an EX4300 switch that has IPv6 Router Advertisement (RA) guard enabled, after deleting IPv6 RA guard, you can still see the output of the command show access-security router-advertisement-guard statistics. PR1257697

  • After a MACsec session flaps, data traffic sent over the MACsec-enabled link might not be properly received and the receiving device might report the received frames as "framing errors" in the show interfaces command output. PR1269229

Routing Policy and Firewall Filters

  • On EX4300 switches, if a filter is configured with a policer action ( for example, with action then loss-priority low or discard) and is applied to the lo0 interface, BGP transit packets might hit the TTL 0 entry of the loopback filter and might be dropped. PR1258038

Spanning-Tree Protocols

  • On EX9200 switches, the command set protocols rstp interface all edge configures all interfaces to go into BPDU block even if an interface is explicitly disabled under the [edit protocols rstp] hierarchy level. PR1266035

Virtual Chassis

  • When you add an EX4300 switch to the VCF, the following error message is seen: ch_qfx5100_map_alarm_id alarm ignored: object 0x7e reason. PR1234780

  • An FPC might crash and a PFEX core file might be generated on one member of an EX4300 Virtual Chassis. It is likely that this core file will be generated on the backup member. PR1261852

Resolved Issues: 16.1R4

Authentication and Access Control

  • On EX4300 switches, dot1x server fail might not work as expected. PR1147894

  • On EX4300 and EX9200 switches, in dot1x scenarios involving single-supplicant mode, mac-radius and server-fail deny or no server-fail action configured, the supplicant authentication sessions might not recover after the Quiet While timer expires after it enters the Held state. As a workaround, disable and enable the interface to bring the authentication session back to the Connecting state. PR1193944

  • On EX9200 Virtual Chassis, MAC address learning might fail on an authenticated interface assigned to a voice VLAN by dynamic VLAN assignment in single-secure mode. PR1212826

  • On EX9200 switches, a MAC address corresponding to an authenticated session (dot1x) might age out as soon as traffic is not received from this MAC address for more than a few seconds (approximately 10 seconds). This leads to deletion of the authenticated session and a corresponding traffic loss. As a workaround, you can prevent the session deletion by configuring the no-mac-table-binding statement in the dot1x configuration. PR1233261

Firewall Filters

  • On EX4300 switches, if you configure a firewall filter on a loopback (lo0) interface to accept BGP flow and another term with the discard action, and the receiving host-inbound traffic with a designated TCP port 179 to the Routing Engine, existing BGP sessions might go down. PR1090033

  • On EX4300 switches, if you configure a firewall filter policer with action forwarding-class on an egress filter, the software might allow the configuration to commit although that action is not supported. PR1104868

  • On EX9200 switches, if a firewall filter that has action tcp-reset is applied to an IRB interface, action tcp-reset does not work properly. PR1219953

  • On EX4300 switches, a firewall filter might not be programmed correctly when multiple action modifiers (such as forwarding-class, priority, loss-priority) are performed in the same firewall filter term. PR1203251

  • On an EX4300, if you install a firewall filter with filter-based forwarding rules to multiple bind points, it might exhaust the available TCAM, deleting the filter from all the bind points. As a workaround, apply the filter to the bind points with a series of commits, applying the filter to some of the bind points with each commit. PR1214151

  • On EX4300 switches, EBGP packets with ttl=1 and non-EBGP packets with ttl=1, whether destined for the device or even transit traffic, go to the same queue. In the event of a heavy inflow of non-EBGP ttl=1 packets, occasionally valid EBGP packets might be dropped, causing EBGP to flap. As a workaround, apply a firewall filter to lo0 to discard non-eBGP ttl=1 packets. PR1215863

  • On an EX4300 switch, a loopback policer might not work. PR1219946

Hardware

  • On an EX4600 switch, when you remove the 40GBASE-ER4 QSFP+ module, the show chassis hardware command still shows that the module is inserted. PR1208805

High Availability (HA) and Resiliency

  • On an EX4300 Virtual Chassis, when a switchover with GRES enabled is performed, this warning might appear: All Packet Forwarding Engines are not ready for RE switchover and may be reset. PR1158881

Infrastructure

  • On EX4600 and QFX5100 switches that are configured with native-vlan-id, the switch sends untagged traffic. But if you delete native-vlan-id, the switch keeps sending untagged traffic. PR1186436

  • On an EX Series or QFX Series Virtual Chassis, during an upgrade, failover, or switchover operation on the backup Routing Engine member, you might see vmcore and ksyncd core files generated and see the log message /kernel: Nexthop index allocation failed: regular index space exhausted. PR1212075

  • On EX4300 switches with DHCP relay configured, DHCP return packets—for example, DHCPREPLY and DHCPOFFER—that are received across a GRE tunnel might not be forwarded to clients, which can impact DHCP services. PR1226868

  • On EX4300 Virtual Chassis, DHCPv6 binding might not work with a lightweight DHCPv6 relay agent (LDRA) configuration. PR1227938

Interfaces and Chassis

  • On an EX4300 switch or an EX4300 Virtual Chassis that has a generic routing encapsulation (GRE) tunnel configured on an integrated routing and bridging interface (IRB), the associated GRE statistical counters might not be updated after the GRE interface is deactivated and then reactivated. PR1183521

  • Mismatches of ICL physical interface or logical interface mandatory parameters are not detected by the MC-LAG configuration consistency check feature on EX9200 switches. PR1191197

  • On EX9200 switches, the interface fxp0 might flap upon some specific commit; this might impact the normal work of out-of-band management. PR1213171

  • On an EX9200 switch with MC-LAG, when the enhanced-convergence statement is enabled, and when the kernel sends a next-hop message to the Packet Forwarding Engine, the full Layer 2 header is not sent and a packet might be generated with an invalid source MAC address for some VLANs. PR1223662

  • On EX4600 switches, when temperatures for FPCs are polled, the temperatures might not be polled for all SNMP members. PR1232911

Multicast Protocols

  • On EX4300 switches with IGMP snooping enabled with flexible-vlan-tagging configured on ingress and egress interfaces for passthrough multicast traffic, IGMPv2 membership report messages might not be forwarded from the receiver to the sender. PR1175954

  • On EX4300, EX4600, and QFX5100 switches in a Virtual Chassis configuration, IPv6 multicast packets might not be flooded in a VLAN if IGMP snooping is enabled and the ingress interface is on a different FPC than the egress interface. PR1205416

  • On EX4300 switches and EX4300 Virtual Chassis, Hot Standby Router Protocol (HSRP) packets might be dropped in a VLAN if IGMP snooping is configured. As a workaround, configure the switch to flood multicast 224.0.0.2. PR1211440

Platform and Infrastructure

  • On EX4300 switches and EX4300 Virtual Chassis, PIM register messages are not forwarded to a rendezvous point (RP) when the RP is not directly connected to the first-hop router of the multicast source. PR1134235

  • On an EX4300 Virtual Chassis with Q-in-Q enabled, when vlan-id-list is configured on a C-VLAN interface and, for example, if the VLAN range vlist element is in [1-3] or [5-50], C-VLAN traffic is not sent properly across the Q-in-Q network from the C-VLAN interface. PR1159854

  • On EX4300 switches, when xSTP is configured, if you unplug a loopback cable between ports of different FPCs and then plug it back in, the interface might go down and a BPDU error might be detected on this port, causing traffic to drop on another egress port. As a workaround, clear the Ethernet-switching table. PR1160114

  • When you install an SFP in an operating EX4300 switch, the SFP might be recognized as either unsupported or as an SFP+-10G. As a workaround, reboot the switch. PR1202730

  • When set vlans xxx interface all is configured on EX4300, EX4600, or QFX Series switches, the Junos device control process (dcd) might crash as this is an unsupported configuration on these platforms. PR1221803

  • On EX4300 switches, if a Layer 3 interface receives a frame with the CFI/DEI bit set to 1, this frame might be dropped and not be processed further. PR1237945

Virtual Chassis

  • On EX4300 Virtual Chassis, a message such as /kernel: %KERN-5: tcp_timer_keep: Dropping socket connection due to keepalive timer expiration might be seen repeatedly. There is no service impact from the condition that causes the message (a Packet Forwarding Engine timeout trying to connect to a daemon that is not active). As a workaround, you can use a system-logging (syslog) filter to mask the messages. PR1209847

Resolved Issues: 16.1R3

Firewall Filters

  • On an EX4300 egress VLAN-based firewall filter on a Q-in-Q interface, after a switch reboot, firewall counters might not increment as expected. PR1165450

  • On EX4600 switches, when traffic enters an MPLS interface and is destined to the loopback interface in the routing instance, the firewall filter might not work properly. PR1205626

Interfaces and Chassis

  • On EX4300 switches, after disabling MC-LAG member interfaces, more than 3 seconds of traffic loss might occur. PR1164228

  • On EX4300 Virtual Chassis, Layer 2 multicast might not work properly when both Layer 2 and Layer 3 entries are present for the same group on two different integrated routing and bridging (IRB) interfaces. PR1183531

  • PoE might not work on all EX4300 ports on a mixed-mode Virtual Chassis (mixed-mode EX4600 and EX4300 or mixed-mode QFX5100). PR1195946

Layer 2 Features

  • On EX9200, EX4300, and EX4600 switches on which any type of spanning-tree protocol (STP, RSTP, MSTP, or VSTP) is configured, the MAC address part of the bridge ID might be set to all zeros (for example, 4096.00:00:00:00:00:00) after you power cycle the device without issuing the request system halt command. As a workaround, issue the restart l2-learning command. PR1201293

  • On EX4300, EX4600, and EX9200 switches, if set protocols xstp interface all edge is configured in combination with set protocols xstp bpdu-block-on-edge, interfaces do not go down (transition into Disabled - Bpdu-Inconsistent) when they receive BPDUs; they transition to nonedge. If an interface is configured specifically with set protocols xstp interface interface-name edge, then when that interface receives a BPDU, it goes down or transitions into Disabled - Bpdu-Inconsistent correctly. As a workaround, configure set protocols layer2-control bpdu-block interface all. PR1210678

Network Analytics

  • On EX4300 switches, although the network analytics feature is configured, the analytics daemon might not run. As a result, the network analytics feature might be unable to collect traffic and queue statistics and generate reports. PR1184720

Platform and Infrastructure

  • On EX4300 switches, if you configure a policer on the loopback filter, host-bound traffic might drop even though the traffic does not exceed the specified limit. PR1196822

  • On EX9200 MC-LAG interfaces, broadcast, unknown unicast, and multicast (BUM) traffic might not flood on random 10-Gigabit interfaces on an EX9200-32XS line card. As a workaround, disable and then reenable the problem interfaces. PR1198653

  • On EX9200 switches, part of the configuration is not applied after a reboot when REST is configured as in the following example:

    PR1212425

  • On EX4300 switches, if you activate DHCP security features for IPv6, a JDHCPD core file might be generated. PR1212425

Port Security

  • On EX4300 switches, the routing table entry for an integrated routing and bridging (IRB) interface on which a connection with a DHCPv6 server is configured might be removed if the snooping device in the topology is configured with neighbor discovery inspection. PR1201628

Routing Protocols

  • On EX4600 switches, the FXPC process might occasionally crash and restart, generating a core file when an LPM route install fails. After the switch restarts, services are restored. PR1212685

Software Installation and Upgrade

  • When performing a unified ISSU (FRU upgrade) on EX9200-40T, EX9200-40F, EX9200-40F-M, EX9200-32XS, EX9200-2C-8XS, and EX9200-4QS line cards, an issue occurs with the buffer size in the line cards. As a result, the unified ISSU cannot be performed on EX9200 switches with these line cards. PR1175240

  • After a unified ISSU upgrade from Junos OS Release 15.1R3 to Junos OS Release 16.1 on EX4600 and QFX5100 switches, LLDP neighbor discovery might fail. PR1187729

Documentation Updates

There are no errata or changes in Junos OS Release 16.1R7 for the EX Series switches documentation.

Migration, Upgrade, and Downgrade Instructions

This section contains the upgrade and downgrade support policy for Junos OS for the EX Series. Upgrading or downgrading Junos OS can take several hours, depending on the size and configuration of the network. For information about software installation and upgrade, see the Installation and Upgrade Guide.

Upgrade and Downgrade Support Policy for Junos OS Releases

Support for upgrades and downgrades that span more than three Junos OS releases at a time is not provided, except for releases that are designated as Extended End-of-Life (EEOL) releases. EEOL releases provide direct upgrade and downgrade paths—you can upgrade directly from one EEOL release to the next EEOL release even though EEOL releases generally occur in increments beyond three releases.

You can upgrade or downgrade to the EEOL release that occurs directly before or after the currently installed EEOL release, or to two EEOL releases before or after. For example, Junos OS Releases 14.1, 14.2, 15.1 and 16.1 are EEOL releases. You can upgrade from Junos OS Release 14.1 to Release 15.1 or from Junos OS Release 15.1 to Release 16.2. However, you cannot upgrade directly from a non-EEOL release that is more than three releases ahead or behind.

To upgrade or downgrade from a non-EEOL release to a release more than three releases before or after, first upgrade to the next EEOL release and then upgrade or downgrade from that EEOL release to your target release.

For more information about EEOL releases and to review a list of EEOL releases, see https://www.juniper.net/support/eol/junos.html.

Product Compatibility

Hardware Compatibility

To obtain information about the components that are supported on the devices, and the special compatibility guidelines with the release, see the Hardware Guide for the product.

To determine the features supported on EX Series switches in this release, use the Juniper Networks Feature Explorer, a Web-based application that helps you to explore and compare Junos OS feature information to find the right software release and hardware platform for your network. Find Feature Explorer at https://pathfinder.juniper.net/feature-explorer/.