Junos OS Release Notes for NFX Series

 

These release notes accompany Junos OS Release 17.2R3 for the NFX Series. They describe new and changed features, limitations, and known and resolved problems in the hardware and software.

You can also find these release notes on the Juniper Networks Junos OS Documentation webpage, located at https://www.juniper.net/documentation/product/en_US/junos-os.

New and Changed Features

This section describes the new features and enhancements to existing features in the Junos OS main release and the maintenance releases for NFX Series.

Release 17.2R3 New and Changed Features

There are no new features or enhancements to existing features for NFX Series in Junos OS Release 17.2R3.

Release 17.2R2 New and Changed Features

There are no new features or enhancements to existing features for NFX Series in Junos OS Release 17.2R2.

Release 17.2R1 New and Changed Features

Hardware

  • NFX250 Platform—The NFX250 devices constitute Juniper Networks' secure, automated, software-driven customer premises equipment (CPE) devices that deliver virtualized network and security services on demand. Leveraging Network Functions Virtualization (NFV) and built on the Juniper Cloud CPE solution, NFX250 enables service providers to deploy and service chain multiple, secure, high-performance virtualized network functions (VNFs) in a single device.

    Table 2: NFX250 Models

    Product Number: NFX250-S1
    Specifications: 1.9 GHz 6-core Intel CPU; 16 GB of memory and 100 GB of solid-state drive (SSD) storage; eight 1-GbE network ports, two 1-GbE RJ-45 ports which can be used as either access ports or as uplinks, two SFP ports, two SFP+ ports, one Management port, and two Console ports
    Features: Basic Layer 2/Layer 3

    Product Number: NFX250-S2
    Specifications: 1.9 GHz 6-core Intel CPU; 32 GB of memory and 400 GB of SSD storage; eight 1-GbE network ports, two 1-GbE RJ-45 ports which can be used as either access ports or as uplinks, two SFP ports, two SFP+ ports, one Management port, and two Console ports
    Features: Basic Layer 2/Layer 3

    Product Number: NFX250-LS1
    Specifications: 1.6 GHz 4-core Intel CPU; 16 GB of memory and 100 GB of solid-state drive (SSD) storage; eight 1-GbE network ports, two 1-GbE RJ-45 ports which can be used as either access ports or as uplinks, two SFP ports, two SFP+ ports, one Management port, and two Console ports
    Features: Supports up to 100 MBPS throughput Secure Router functionality for the following features:

      • IPSec VPN

      • NAT

      • Stateful Firewall

      • Routing services – BGP, OSPF, DHCP, IPv4 and IPv6

  • Transceivers—NFX250 supports the following optics:

    • 10-gigabit SFP+ transceivers: EX-SFP-10GE-USR, EX-SFP-10GE-SR, EX-SFP-10GE-LR, EX-SFP-10GE-ER, EX-SFP-10GE-ZR

    • 1-gigabit SFP transceivers: EX-SFP-1GE-SX, EX-SFP-1GE-SX-ET, EX-SFP-1GE-LX, EX-SFP-1GE-LH, EX-SFP-1GE-T, EX-SFP-1GE-LX40K, EX-SFP-GE10KT13R14, EX-SFP-GE10KT14R13, EX-SFP-GE10KT13R15, EX-SFP-GE10KT15R13, EX-SFP-GE40KT13R15, EX-SFP-GE40KT15R13, EX-SFP-GE80KCW1470, EX-SFP-GE80KCW1490, EX-SFP-GE80KCW1510, EX-SFP-GE80KCW1530, EX-SFP-GE80KCW1550, EX-SFP-GE80KCW1570, EX-SFP-GE80KCW1590, EX-SFP-GE80KCW1610

  • Direct Attach Copper (DAC) Cables—NFX250 supports the following DAC cables:

    • EX-SFP-10GE-DAC-1M

    • EX-SFP-10GE-DAC-3M

    • EX-SFP-10GE-DAC-5M

Juniper Device Manager

The Juniper Device Manager (JDM) is a low-footprint Linux container that provides these functions:

Note

These features were previously supported in the 15.1X53-D40 and 15.1X53-D47 releases of Junos OS.

  • Virtual machine (VM) life cycle management

  • Device management and isolation of host OS from user installations

  • NIC, single-root I/O virtualization (SR-IOV), and virtual input/output (VirtIO) interface provisioning

  • Support for the Network Service Orchestrator module to connect to Network Service Activator

  • Inventory and resource management

  • Internal network and image management

  • Service chaining—provides building blocks such as virtual interfaces and bridges for users to implement service chaining policies

  • Virtual console access to VNFs including vSRX and vjunos

  • Support for outbound SSH connections

  • Authentication of users using TACACS+

  • Configure SNMP, and handle SNMP queries and traps

  • Enhanced CLI to support launching VNFs, service chaining VNFs, and configuring and monitoring various system parameters and statistics

  • IPSec—The IPSec implementation for NFX250 platforms has been enhanced to protect the management traffic between JDM, VNFs, and the remote SDN controller and other central servers. The IPSec implementation uses AutoKey IKE with preshared keys to authenticate the participants in an IKE session; each side must configure and securely exchange the preshared key in advance. IPSec for NFX250 devices supports only traffic-selector-based tunnels; multiple IPsec security associations are negotiated based on the multiple traffic selectors configured. Configuration of interfaces and static routes is supported.

Junos Control Plane

Junos Control Plane (JCP) is the Junos VM running on the hypervisor. By default, JCP runs as vjunos0 on NFX250. You can use JCP to configure the network ports of the NFX250 device. You can log in to JCP from JDM by using the SSH service and CLI, which is similar to the Junos OS CLI. The JCP supports the following features:

  • Link aggregation—Link aggregation enables you to use multiple network cables and ports in parallel to increase link speed and improve redundancy.

  • Support for Layer 3 logical interfaces—A Layer 3 logical interface is a logical division of a physical interface or an aggregated Ethernet interface that operates at the network level and that can receive and forward IEEE 802.1Q VLAN tags. You can use these interfaces to route traffic between multiple VLANs along a single trunk line that connects an NFX250 device to a Layer 2 switch. Only one physical connection is required between the NFX250 device and the switch.

  • VLAN support—VLANs enable you to divide one physical broadcast domain into multiple virtual domains.

  • Link Layer Discovery Protocol (LLDP) support—LLDP enables a switch to advertise its identity and capabilities on a LAN, and to receive information about other network devices.

  • Q-in-Q tunneling support—This feature enables service providers on Ethernet access networks to extend a Layer 2 Ethernet connection between two customer sites. Using Q-in-Q tunneling, providers can also segregate or bundle customer traffic into fewer VLANs or different VLANs by adding another layer of 802.1Q tags. Q-in-Q tunneling is useful when customers have overlapping VLAN IDs, because the customer’s 802.1Q (dot1Q) VLAN tags are prepended by the service VLAN (S-VLAN) tag.

  • Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), and VLAN Spanning Tree Protocol (VSTP) support—These protocols enable a switch to advertise its identity and capabilities on a LAN and receive information about other network devices.

  • OSPF support—The IPv4 OSPF protocol is an interior gateway protocol (IGP) for routing traffic within an autonomous system (AS). NFX devices support OSPFv1 and OSPFv2. You can configure OSPF at the [edit protocols ospf] hierarchy level.

  • Bidirectional Forwarding Detection (BFD) support for static routes and the OSPF and RIP protocols—BFD uses control packets and shorter detection time limits to rapidly detect failures in a network. Hello packets are sent at a specified, regular interval by routing devices. A neighbor failure is detected when a routing device stops receiving a reply after a specified interval.

  • Virtual Router Redundancy Protocol (VRRP) support—VRRP enables you to provide alternative gateways for end hosts that are configured with static default routes. You can implement VRRP to provide a highly available path to a gateway without needing to configure dynamic routing or router discovery protocols on end hosts.

  • Internet Group Management Protocol (IGMP) support—IGMP manages the membership of hosts and routers in multicast groups. IP hosts use IGMP to report their multicast group memberships to multicast routers that are their immediate neighbors. Multicast routers use IGMP to learn, for each of their attached physical networks, which groups have members.

  • IGMP Snooping support—IGMP snooping regulates multicast traffic in a switched network. With IGMP snooping enabled, a LAN switch monitors the IGMP transmissions between a host (a network device) and a multicast router, keeping track of the multicast groups and associated member interfaces. The switch uses that information to make intelligent multicast-forwarding decisions and forward traffic to the intended destination interfaces.

  • Protocol Independent Multicast (PIM) sparse mode support—PIM sparse mode enables efficient routing to multicast groups with receivers that are sparsely spread over multiple networks. To configure PIM sparse mode, include the pim statement at the [edit protocols] hierarchy level.

  • SNMP support—SNMP includes versions 1, 2, and 3 for monitoring system activity.

  • System logging (syslog) support—Syslog enables you to log system messages into a local directory on the switch or to a system log server.

  • Port mirroring support—Port mirroring copies packets entering or exiting a port or entering a VLAN and sends the copies to a local interface for local monitoring. You can use port mirroring to send traffic to applications that analyze traffic for purposes such as monitoring compliance, enforcing policies, detecting intrusions, monitoring and predicting traffic patterns, and correlating events.

  • Firewall filter support—You can provide rules that define whether to accept or discard packets. You can use firewall filters on interfaces, VLANs, routed VLAN interfaces (RVIs), link aggregation groups (LAGs), and loopback interfaces.

  • Policing support—You can use policing to apply limits to traffic flow and to set consequences for packets that exceed those limits.

  • Storm control support—You can enable the switch to monitor traffic levels and take a specified action when a specified traffic level—called the storm control level—is exceeded, preventing packets from proliferating and degrading service. You can configure a switch to drop broadcast and unknown unicast packets, shut down interfaces, or temporarily disable interfaces when a traffic storm occurs.

  • Class of service (CoS)—When a packet traverses a switch, the switch provides the appropriate level of service to the packet using either default class-of-service (CoS) settings or the CoS settings that you configure. On ingress ports, the switch classifies packets into appropriate forwarding classes and assigns a loss priority to the packets. On egress ports, the switch applies packet scheduling and any rewrite rules to re-mark packets.

  • Class-of-service (CoS) rewrite rules and classifier support—You can use rewrite rules to set the value of the CoS bits within a packet header, so you can alter the CoS settings of incoming packets. Packet classification maps incoming packets to a particular class-of-service (CoS) servicing level. You can use classifiers to map packets to a forwarding class and a loss priority and to assign packets to output queues based on the forwarding class.

  • Secure Boot—The Secure Boot implementation is based on the UEFI 2.4 standard. The BIOS has been hardened and serves as a core root of trust. The BIOS updates, the bootloader, and the kernel are cryptographically protected. No action is required to implement Secure Boot.

vSRX

vSRX offers the same capabilities as Juniper Networks SRX Series Services Gateways in a virtual form factor, providing perimeter security, IPsec connectivity, and filtering for malicious traffic without sacrificing reliability, visibility, and policy control. This virtual security and routing appliance ensures reliability for each application. By default, vSRX version 15.1X49-D75 is preloaded on the NFX250 Network Services platform in the 17.2R1 release. Earlier versions of vSRX are not compatible with the Junos version 17.2R1 release on NFX250.

Changes in Behavior and Syntax

There are no changes in default behavior and syntax in Junos OS Release 17.2R3 for the NFX Series.

Known Behavior

This section lists known behavior, system maximums, and limitations in hardware and software in Junos OS Release 17.2R3 for the NFX Series.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Juniper Device Manager

  • JDM shell configurations of interfaces override JDM CLI configurations. As a workaround, use the JDM CLI to configure interfaces. PR1155749

  • SR-IOV interfaces do not support more than 64 VLANs on NFX250. PR1156348

Known Issues

This section lists the known issues in hardware and software in Junos OS Release 17.2R3 for the NFX Series devices.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Infrastructure

  • You might not be able to upgrade from Junos OS releases 15.1X53-D40 and 15.1X53-D45 to Junos OS release 17.2R3. As a workaround, you can use the image file on a USB, configure the NFX device to boot from the USB, and install the upgrade. PR1252323

IPSec

  • There is no CLI command to clear interface flow-statistics on ipsec-nm. PR1216474

  • Initial allocation of hugepages is not guaranteed when the srxpfe is killed or restarted. PR1233794

Juniper Device Manager

  • There might be no checks when you configure the IP address on different logical units of interfaces. The commit will go through, and will be displayed in the configuration. PR1150512

  • The following commands are not supported:

    • clear system reboot and clear system commit

    • restart gracefully, restart immediately, restart init, and restart soft

    • show ethernet-switching, show version brief, show version all members, and show system services service-deployment

    PR1154819

  • When you use the netconf command to display system information details such as model and OS, the system OS is displayed as QFX. PR1160055

  • Ubuntu package does not successfully install on the JDM container. As a workaround, install the package passwd by using the sudo apt-get install passwd command, which enables the useradd command again. PR1168680

  • When you configure a static route on JDM in enhanced-orchestration disabled mode, there might not be an explicit check to validate the IP address. PR1173039

  • System Host bridge uses a default MTU of 1500 and does not support Jumbo frames. Currently there is no CLI to configure the MTU on the host bridge. PR1192169

  • The Network Service Orchestrator module commits the configuration on JDM, Junos Control Plane, and IPSec-NM sequentially. If the commit fails on any one of these system VNFs, the Network Service Orchestrator module automatically rolls back to the older configuration on the VNF where the commit error is seen. However, all prior Network Service Orchestrator module configuration commits on the earlier VNFs continue to exist and are not reversed. PR1196253

  • There is no commit check if the PCI address is reused for different interfaces in a VNF. It is recommended to stop the VNF and then add or delete interfaces. PR1205497

  • Certain VNFs support hot plugging of virtio interfaces when the VNF is running. When a VLAN-mapped interface is hot plugged to VNFs such as CentOS, the interface is not reachable from the vjunos0 VM. As a workaround, delete the VNF configuration and re-commit the complete configuration along with the new interface. PR1213451

  • After enabling or disabling the ipsec-nm service on the NFX250 platform, a warning message might not be displayed asking for a consent to reboot the device. The enabling or disabling action will be effective only after the device is rebooted. Similarly, no warning is displayed when Enhanced orchestration is either enabled or disabled. PR1213489

  • Pre-allocation of hugepages might not consider the available memory and proper commit check is required. It is advisable to use the feature based on free system memory availability. By default, the system requires up to 6 to 7 gigabytes of memory for various operations. The system might not function properly if more memory than what is available is allocated. PR1213944

  • While spawning a VNF, there might not be a commit check for the valid image type supported. PR1221642

  • If a VNF requests more memory than the available system memory, the commit might go through without any errors, resulting in the VNF going into a shut off state. As a workaround, use the show system visibility memory command to check the available free memory before spawning a VNF. Alternatively, check the log files; the VNF shut off reason is captured in the /var/log/syslog file. PR1221647

  • The following commands are not supported:

    • show host

    • request system software delete

    • request system software rollback

    • request system storage cleanup

    PR1219972

  • DHCP service can be configured on custom system bridges for service chaining. There might be no commit check if the lower and higher values of the pool range are swapped. PR1223247

  • If the configured TACACS+ server has an IP address that can be accessed from JDM, the tacplus pam might not wait until the timeout if the TACACS+ server is unreachable. PR1224420

  • The Swap memory information displays incorrect values in the show system visibility jdm command output for NFX250 platforms with optimized SSD layouts. PR1227528

  • With enhanced-orchestration mode enabled and routing over management configured on vSRX for WAN redundancy for critical traffic, the system CPU utilization will reach 100% if the WAN link goes down and traffic routes through out-of-band management. vSRX may not respond to ping or management requests. Egress traffic through management might be throttled. PR1233478

  • Removing the IRB configuration along with the DHCP configuration on JDM and rolling back the configuration might result in the DHCP service not functioning for service chaining of VNFs. PR1234055

  • Hugepages that are pre-configured through CLI are not used if a custom init-descriptor is used. PR1245330

  • When a VLAN tag is configured through the JDM CLI on a VNF that is provisioned to a DPDK-enabled VM and the VM is spawned, the VLAN filtering or stripping configuration on the VNF stops taking effect. Removing and recommitting the JDM VLAN ID configuration on the VNF can resolve the issue unless the system or the VNF is rebooted. PR1251596

  • The show system visibility cpu command on JDM has the field values for IOWait and Intr always set to zero. PR1258361

  • Configuring more than the available number of SR-IOV interfaces in Enhanced mode might result in a state where the used MAC addresses for such interfaces are not released back to the system MAC pool on deletion of the VNF. PR1259975

Junos Control Plane

  • The Alarm LED will be amber for a major alarm instead of red. In the NFX250-S1E model, the Alarm LED does not blink for any alarms. PR1146307

  • Configuring DSCP and DSCPv6 classifiers together on a Layer 2 interface is not supported. PR1169529

  • When the option accept-source-mac mac-address is configured on an interface and then deleted, no additional MACs will be learned on the interface. Only the MACs that were configured earlier will be available. PR1168197

  • When LLDP is configured on vjunos0 on an NFX250 Network Services platform, the system name TLV(5) might not be advertised. PR1169479

  • There might be a traffic drop in IPv4 multicast traffic on JCP when flow-control is configured on interfaces and multicast traffic is more than 400pps. PR1191794

  • On an interface with family inet configured, you might not be able to configure a classifier or rewrite rules. PR1262840

  • If traffic on the out-of-band interface is heavy, the control plane connectivity might get blocked for some time while the packets are processed. If this interruption persists, the connection between the PFE and control plane is cleared, which results in a PFE restart or shutdown. You must ensure that there is no heavy traffic flow in the management VLAN. PR1270689

vSRX

  • On an NFX250-S1E platform running vSRX VNF, the performance of SR-IOV with UTM and IDP is lower than VirtIO with UTM and IDP. PR1214118

  • If per-unit-scheduler is not configured, the IFD shaping fails and no packet is queued. PR1264556

  • After configuring the IFD shaping, the ingress interface cannot receive packets. PR1264850

  • The current maximum number of concurrent SIP calls is below the specified maximum limit. PR1273356

Resolved Issues

This section lists the issues fixed in the Junos OS main release and the maintenance releases. The identifier following the description is the tracking number in the Juniper Networks Problem Report (PR) tracking system.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Resolved Issues: 17.2R3

There are no resolved issues for NFX Series in Junos OS Release 17.2R3.

Resolved Issues: 17.2R2

There are no resolved issues for NFX Series in Junos OS Release 17.2R2.

Resolved Issues: 17.2R1

Juniper Device Manager

  • User-defined login class is not supported on JDM. PR1155965

  • On the device, ping with the record-route option does not work for VirtIO interfaces. PR1162659

  • The default gateway assigned by phone-home client (PHC) for clients connected through the front panel ports is 10.10.10.254. PR1168284

  • The CLI to configure the time zone is not functional. PR1169675

  • SNMP trap is not supported on JDM. PR1173216

Junos Control Plane

Documentation Updates

There are no errata or changes in Junos OS Release 17.2R3 documentation for NFX Series.

Migration, Upgrade, and Downgrade Instructions

This section contains the procedure to upgrade Junos OS, and the upgrade and downgrade policies for Junos OS for the NFX Series. Upgrading or downgrading Junos OS might take several hours, depending on the size and configuration of the network.

Upgrade and Downgrade Support Policy for Junos OS Releases

Support for upgrades and downgrades that span more than three Junos OS releases at a time is not provided, except for releases that are designated as Extended End-of-Life (EEOL) releases. EEOL releases provide direct upgrade and downgrade paths—you can upgrade directly from one EEOL release to the next EEOL release even though EEOL releases generally occur in increments beyond three releases.

You can upgrade or downgrade to the EEOL release that occurs directly before or after the currently installed EEOL release, or to two EEOL releases before or after. However, you cannot upgrade directly from a non-EEOL release that is more than three releases ahead or behind.

To upgrade or downgrade from a non-EEOL release to a release more than three releases before or after, first upgrade to the next EEOL release and then upgrade or downgrade from that EEOL release to your target release.

For more information on EEOL releases and to review a list of EEOL releases, see https://www.juniper.net/support/eol/junos.html.

Basic Procedure for Upgrading to Release 17.2

When upgrading or downgrading Junos OS, use the jinstall package. For information about the contents of the jinstall package and details of the installation process, see the Installation and Upgrade Guide. Use other packages, such as the jbundle package, only when so instructed by a Juniper Networks support representative.

Note

Back up the file system and the currently active Junos OS configuration before upgrading Junos OS. This allows you to recover to a known, stable environment if the upgrade is unsuccessful. Issue the following command:

Note

The installation process rebuilds the file system and completely reinstalls Junos OS. Configuration information from the previous software installation is retained, but the contents of log files might be erased. Stored files on the router, such as configuration templates and shell scripts (the only exceptions are the juniper.conf and ssh files), might be removed. To preserve the stored files, copy them to another system before upgrading or downgrading the routing platform. For more information, see the Junos OS Administration Library.

Note

We recommend that you upgrade all software packages out of band using the console because in-band connections are lost during the upgrade process.

To download and install Junos OS Release 17.2R2:

  1. Using a Web browser, navigate to the All Junos Platforms software download URL on the Juniper Networks webpage:

    https://www.juniper.net/support/downloads/

  2. Select the name of the Junos OS platform for the software that you want to download.
  3. Select the release number (the number of the software version that you want to download) from the Release drop-down list to the right of the Download Software page.
  4. Select the Software tab.
  5. In the Install Package section of the Software tab, select the software package for the release.
  6. Log in to the Juniper Networks authentication system using the username (generally your e-mail address) and password supplied by Juniper Networks representatives.
  7. Review and accept the End User License Agreement.
  8. Download the software to a local host.
  9. Copy the software to the routing platform or to your internal software distribution site.
  10. Install the new jinstall package on the router.

    Note

    After you install a Junos OS Release 17.2R2 jinstall package, you cannot return to the previously installed software by issuing the request system software rollback command. Instead, you must issue the request system software add validate command and specify the jinstall package that corresponds to the previously installed software.

    The validate option validates the software package against the current configuration as a prerequisite to adding the software package to ensure that the router reboots successfully. This is the default behavior when the software package being added is for a different release. Adding the reboot command reboots the router after the upgrade is validated and installed. When the reboot is complete, the router displays the login prompt. The loading process might take 5 to 10 minutes. Rebooting occurs only if the upgrade is successful.

    Customers in the United States and Canada, use the following command:

    user@host> request system software add validate reboot source/jinstall-17.2R2.13-domestic-signed.tgz

    All other customers, use the following command:

    user@host> request system software add validate reboot source/jinstall-17.2R2.13-export-signed.tgz

    Replace the source with one of the following values:

    • /pathname—For a software package that is installed from a local directory on the router.

    • For software packages that are downloaded and installed from a remote location:

      • ftp://hostname/pathname

      • http://hostname/pathname

      • scp://hostname/pathname (available only for Canada and U.S. version)

Note

You need to install the Junos OS software package and host software package on the routers with the RE-PTX-X8 Routing Engine. For upgrading the host OS on this router with VM Host support, use the junos-vmhost-install-x.tgz image and specify the name of the regular package in the request vmhost software add command. For more information, see the VM Host Installation topic in the Software Installation and Upgrade Guide.

Note

After you install a Junos OS Release 17.2 jinstall package, you cannot return to the previously installed software by issuing the request system software rollback command. Instead, you must issue the request system software add validate command and specify the jinstall package that corresponds to the previously installed software.

Note

Most of the existing request system commands are not supported on routers with RE-PTX-X8 Routing Engines. See the VM Host Software Administrative Commands in the Installation and Upgrade Guide.

Product Compatibility

Hardware Compatibility

To obtain information about the components that are supported on the devices, and special compatibility guidelines with the release, see the Hardware Guide and the Interface Module Reference for the product.

To determine the features supported on NFX Series devices in this release, use the Juniper Networks Feature Explorer, a Web-based application that helps you to explore and compare Junos OS feature information to find the right software release and hardware platform for your network. Find Feature Explorer at: https://pathfinder.juniper.net/feature-explorer/.

Hardware Compatibility Tool

For a hardware compatibility matrix for optical interfaces and transceivers supported across all platforms, see the Hardware Compatibility tool.