Junos OS Release Notes for EX Series Switches


These release notes accompany Junos OS Release 18.3R3 for the EX Series. They describe new and changed features, limitations, and known and resolved problems in the hardware and software.

You can also find these release notes on the Juniper Networks Junos OS Documentation webpage, located at

New and Changed Features

This section describes the new features and enhancements to existing features in the Junos OS main release and the maintenance releases for the EX Series.


The following EX Series switches are supported in Release 18.3R3: EX2300, EX3400, EX4300, EX4600-40F, EX4650, EX9200, EX9204, EX9208, EX9214, EX9251, and EX9253.

Release 18.3R3 New and Changed Features

  • There are no new features or enhancements to existing features for EX Series switches in Junos OS Release 18.3R3.

Release 18.3R2 New and Changed Features

  • There are no new features or enhancements to existing features for EX Series switches in Junos OS Release 18.3R2.

Release 18.3R1 New and Changed Features


  • EX4650-48Y switches—Starting with Junos OS Release 18.3R1, the EX4650-48Y switch is available as a fixed-configuration switch with the following built-in ports:

    • Forty-eight 25-Gigabit Ethernet ports that can operate at 1-Gbps, 10-Gbps, or 25-Gbps speed and support SFP, SFP+, or QSFP28 transceivers.

    • Eight 100-Gigabit Ethernet ports that can operate at 40-Gbps or 100-Gbps speed and support QSFP+ or QSFP28 transceivers. When these ports operate at 40-Gbps speed, you can configure four 10-Gbps interfaces and connect breakout cables, increasing the total number of supported 10-Gbps ports to 80. When these ports operate at 100-Gbps speed, you can configure four 25-Gbps interfaces and connect breakout cables, increasing the total number of supported 25-Gbps ports to 80.

    A total of four models are available: two featuring AC power supplies and front-to-back or back-to-front airflow and two featuring DC power supplies and front-to-back or back-to-front airflow.

    [See EX4650 Documentation.]

Authentication, Authorization, and Accounting (AAA) (RADIUS)

  • 802.1X authentication on trunk ports (EX Series)—Starting with Junos OS Release 18.3R1, 802.1X authentication can be enabled on trunk ports. Authentication on the trunk port is supported only in single supplicant and single-secure supplicant modes.

  • Multidomain authentication (EX Series)—Starting with Junos OS Release 18.3R1, multidomain authentication is supported on EX Series switches. Multidomain authentication is an extension of multiple supplicant mode for 802.1X authentication, and allows one VoIP client and multiple data clients to authenticate to different VLANs while on the same port.

    [See Understanding 802.1X and VoIP on EX Series Switches.]

  • Disable LLDP TLVs (EX2300 and EX3400 switches)—Starting in Junos OS Release 18.3R1, you can disable specific or all nonmandatory type, length, and value (TLV) messages from being advertised by the Link Layer Discovery Protocol (LLDP) or Link Layer Discovery Protocol—Media Endpoint Discovery (LLDP-MED).

    [See LLDP Overview.]

  • Support for password change policy enhancement (EX Series)—Starting in Junos OS Release 18.3R1, the Junos password change policy for local user accounts is enhanced to comply with certain additional password policies. As part of the policy improvement, you can configure the following:

    • minimum-character-changes—The number of characters by which the new password should be different from the existing password.

    • minimum-reuse—The number of older passwords that the new password must not match.

    [See password.]

Class of Service (CoS)

  • Support for CoS on EX4650 switches (EX4650)—Starting in Junos OS Release 18.3R1, the EX4650 switch supports CoS functionality. CoS is the assignment of traffic flows to different service levels. You can use CoS features to define service levels that provide different delay, jitter (delay variation), and packet loss characteristics to ensure quality of service (QoS) to particular applications served by specific traffic flows across the network.

    Compared to CoS functionality on EX4600 switches, EX4650 switches provide significantly more buffer memory (32 MB), but do not support hierarchical scheduling or ETS. The EX4650 also supports eight unicast and two multicast queues.

    [See CoS Support on QFX Series Switches, EX4600 Line of Switches, and QFabric Systems.]


  • EVPN P2MP bud node support (EX9200)—Starting in Junos OS Release 18.3R1, Junos OS supports configuring a point-to-multipoint (P2MP) label-switched path (LSP) as a provider tunnel on a bud node. The bud node functions both as an egress node and a transit node.

    To enable a bud node to support P2MP LSP, include the evpn p2mp-bud-support statement at the [edit routing-instances routing-instance-name protocols evpn] hierarchy level.

    [See Configuring Bud Node Support.]

General Routing

  • Layer 3 unicast features (EX4650)—Starting with Junos OS Release 18.3R1, the following Layer 3 unicast features are supported:

    • Static routing, ping, and traceroute (IPv4, IPv6)

    • OSPFv2 (IPv4) and OSPFv3 (IPv6)

    • RIPv2

    • BGP (IPv4, IPv6), BGP 4-byte ASN support, and BGP multipath

    • MBGP (IPv4)

    • IS-IS (IPv4, IPv6)

    • BFD (for RIP, OSPF, IS-IS, BGP, PIM)

    • Unicast reverse path forwarding (RPF)

    • Filter-based forwarding (FBF)

    • IP-directed broadcast traffic forwarding

    • IPv4 over GRE

    • Virtual router redundancy protocol (VRRP)

    • VRRPv3 (IPv6)

    • Neighbor Discovery Protocol (IPv6)

    • Path MTU discovery

    • IPv6 class of service—Behavior aggregate (BA) classifiers, multifield (MF) classifiers and rewrite rules, traffic-class scheduling

    • IPv6 stateless address autoconfiguration

    • Equal-cost multipath (ECMP)—32-way

    • VXLAN Layer 3 gateway

    • MPLS over UDP

    • Virtual router (VRF-lite) IS-IS, RIP, OSPF, BGP

Interfaces and Chassis

  • Multichassis link aggregation group (MC-LAG) (EX4650 switches)—Starting with Junos OS Release 18.3R1, MC-LAG enables a client device to form a logical LAG interface using two switches. MC-LAG provides redundancy and load balancing between the two switches, multihoming support, and a loop-free Layer 2 network without running Spanning Tree Protocol (STP).

    On one end of an MC-LAG is an MC-LAG client that has one or more physical links in a LAG. This client does not need to detect the MC-LAG. On the other side of the MC-LAG are two MC-LAG switches. Each of these switches has one or more physical links connected to a single client. The switches coordinate with each other to ensure that data traffic is forwarded properly.

    To configure an MC-LAG, include the following statements:

    • mc-ae statement at the [edit interfaces interface-name aggregated-ether-options] hierarchy level

    • iccp statement at the [edit protocols] hierarchy level

    • multi-chassis statement at the [edit] hierarchy level

    [See Multichassis Link Aggregation Features, Terms, and Best Practices.]

  • Resilient hashing support for link aggregation groups and equal-cost multipath routes (EX4650 switches)—Starting with Junos OS Release 18.3R1, resilient hashing is supported by link aggregation groups (LAGs) and equal-cost multipath (ECMP) sets on EX4650 switches. A LAG combines Ethernet interfaces (members) to form a logical point-to-point link that increases bandwidth, provides reliability, and allows load balancing. Resilient hashing enhances LAGs by minimizing destination remapping when a new member is added to or deleted from the LAG. Resilient hashing works in conjunction with the default static hashing algorithm. It distributes traffic across all members of a LAG by tracking the flow’s LAG member utilization. When a flow is affected by a LAG member change, the Packet Forwarding Engine (PFE) rebalances the flow by reprogramming the flow set table. Destination paths are remapped when a new member is added to or existing members are deleted from a LAG. Resilient hashing applies only to unicast traffic and supports a maximum of 1024 LAGs, with each group having a maximum of 256 members.

    An ECMP group for a route contains multiple next-hop equal cost addresses for the same destination in the routing table. (Routes of equal cost have the same preference and metric values.) Junos OS uses a hash algorithm to choose one of the next-hop addresses in the ECMP group to install in the forwarding table. Flows to the destination are rebalanced using resilient hashing. Resilient hashing enhances ECMPs by minimizing destination remapping when a new member is added to or deleted from the ECMP group.

    [See Understanding the Use of Resilient Hashing to Minimize Flow Remapping in Trunk/ECMP Groups.]

  • Channelizing Interfaces on EX4650-48Y Switches—On the EX4650-48Y switch, there are a total of 56 ports. Of these 56 ports, 8 ports (labeled 48 through 56) are uplink ports that support 100-Gigabit Ethernet interfaces (QSFP28 ports) and 40-Gigabit Ethernet interfaces (QSFP+ ports). The other 48 ports (labeled 0 through 47) are SFP+ ports that support 25-Gigabit Ethernet interfaces or 10-Gigabit Ethernet interfaces. The default speed for the SFP+ ports is 10 Gbps.

    Starting with Junos OS Release 18.3R1, you can channelize the 100-Gigabit Ethernet interfaces to four independent 25-Gigabit Ethernet interfaces. The default 100-Gigabit Ethernet interfaces can also be configured as 40-Gigabit Ethernet interfaces, and in this configuration can either operate as dedicated 40-Gigabit Ethernet interfaces, or can be channelized to four independent 10-Gigabit Ethernet interfaces using breakout cables on the EX4650-48Y switch.


    The uplink ports on the EX4650-48Y switches support auto-channelization.

    If you have disabled auto-channelization, then to channelize the ports, manually configure the port speed using the set chassis fpc slot-number port port-number channel-speed speed command, where the speed can be set to 10 Gbps or 25 Gbps. If a 100-Gigabit Ethernet transceiver is connected, you can only set the speed to 25 Gbps. For the SFP+ ports, you can set the speed to 25G or 1G. There is no commit check for this, however.


    You cannot configure channelized interfaces to operate as Virtual Chassis ports.

    [See Channelizing Interfaces on Switches.]
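The flow-remapping behavior described above for resilient hashing on LAG and ECMP groups, as an added example that is not Juniper code: a simplified model that compares plain modulo (static) hashing with a bucket table that is reprogrammed only where a member change requires it. The 256-bucket table size, the member names, and the flows are constructed assumptions, and the model does not reproduce the PFE's actual flow set table layout.

```python
import hashlib
from collections import Counter


def flow_hash(flow):
    """Stable 32-bit hash of a flow key (stand-in for the hardware hash)."""
    return int.from_bytes(hashlib.sha256(flow.encode()).digest()[:4], "big")


def static_pick(members, flow):
    """Static hashing: the member index depends on the current member count."""
    return members[flow_hash(flow) % len(members)]


class FlowSetTable:
    """Simplified flow set table: a fixed number of buckets, each owned by a member."""

    def __init__(self, members, buckets=256):  # bucket count is an assumption
        if not members:
            raise ValueError("a group needs at least one member")
        self.buckets = [members[i % len(members)] for i in range(buckets)]

    def pick(self, flow):
        # The bucket index never depends on how many members exist.
        return self.buckets[flow_hash(flow) % len(self.buckets)]

    def remove_member(self, gone):
        """Reassign only the buckets owned by the removed member."""
        survivors = sorted(set(self.buckets) - {gone})
        if not survivors:
            raise ValueError("cannot remove the last member")
        freed = [i for i, owner in enumerate(self.buckets) if owner == gone]
        for n, i in enumerate(freed):
            self.buckets[i] = survivors[n % len(survivors)]

    def add_member(self, new):
        """Hand the new member a fair share of buckets taken from existing owners."""
        counts = Counter(self.buckets)
        if new in counts:
            raise ValueError("member already present")
        share = len(self.buckets) // (len(counts) + 1)
        moved = 0
        for i, owner in enumerate(self.buckets):
            if moved == share:
                break
            if counts[owner] > share:
                counts[owner] -= 1
                self.buckets[i] = new
                moved += 1


def compare_member_removal(members, gone, flows):
    """Return (flows moved by static hashing, flows moved by the table,
    flows moved by the table that were NOT on the removed member)."""
    table = FlowSetTable(members)
    before_static = {f: static_pick(members, f) for f in flows}
    before_table = {f: table.pick(f) for f in flows}

    remaining = [m for m in members if m != gone]
    table.remove_member(gone)

    static_moved = sum(static_pick(remaining, f) != before_static[f] for f in flows)
    table_moved = [f for f in flows if table.pick(f) != before_table[f]]
    collateral = sum(before_table[f] != gone for f in table_moved)
    return static_moved, len(table_moved), collateral


# Constructed sample data: four LAG members and 2000 unicast flows.
MEMBERS = ["xe-0/0/0", "xe-0/0/1", "xe-0/0/2", "xe-0/0/3"]
FLOWS = [f"10.0.{i // 250}.{i % 250}:{1024 + i}->192.0.2.10:443" for i in range(2000)]

if __name__ == "__main__":
    static_moved, table_moved, collateral = compare_member_removal(
        MEMBERS, "xe-0/0/1", FLOWS
    )
    print(f"static hashing remapped {static_moved} of {len(FLOWS)} flows")
    print(f"flow set table remapped {table_moved} flows, {collateral} of them unaffected")
```

In this model, the only flows that move on a member removal are those that were on the removed member, while modulo hashing also moves flows whose members never changed.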

Junos Telemetry Interface

  • Routing Engine and Packet Forwarding Engine sensors for the Junos Telemetry Interface (EX4650 and QFX5120-48Y switches)—Starting with Junos OS Release 18.3R1, Routing Engine and Packet Forwarding Engine statistics are supported through the Junos Telemetry Interface on EX4650 and QFX5120-48Y switches with the same level of support found on QFX5100 switches using Junos OS Release 18.1R1.

    The following Routing Engine statistics are supported through JTI:

    • LACP state export

    • Chassis environmentals export

    • Network discovery chassis and components

    • LLDP export and LLDP model

    • BGP peer information (RPD)

    • RSVP interface export

    • RPD task memory utilization export

    • LSP event export

    • Network Discovery ARP table state

    • Network Discovery NDP table state

    The following Packet Forwarding Engine statistics are supported through JTI:

    • Congestion and latency monitoring

    • Logical interface

    • Filter

    • Physical interface

    • LSP

    • NPU/LC memory

    • Network Discovery NDP table state

    Only gRPC streaming is supported.

    To provision the sensor to export data through remote procedure call (gRPC), use the telemetrySubscribe RPC to specify telemetry parameters. Streaming telemetry data through gRPC also requires you to download the OpenConfig for Junos OS module.

    [See Guidelines for gRPC Sensors (Junos Telemetry Interface).]

  • Expanded physical interface queue and traffic statistics sensors for Junos Telemetry Interface (JTI) (ACX Series, EX Series, MX Series, PTX Series, and QFX Series)—Starting with Junos OS Release 18.3R1, additional resource paths are added to stream physical (IFD) statistics.

    Prior to Junos OS Release 18.3R1, both traffic and queue statistics for physical interfaces (IFD) are sent out together using the resource path /interfaces for gRPC streaming (which is internally used to create /junos/system/linecard/interface/) or /junos/system/linecard/interface/ for UDP (native) sensors.

    Now, traffic and queue statistics can be delivered separately. Doing so can reduce the reap time for non-queue data for platforms supporting Virtual Output Queues (VOQ).

    The following UDP resource paths can be configured:

    • /junos/system/linecard/interface/ is the existing resource path (no change). Traffic and queue statistics are sent together.

    • /junos/system/linecard/interface/traffic/ exports all fields except queue statistics.

    • /junos/system/linecard/interface/queue/ exports queue statistics.

    The gRPC resource path /interfaces now has the following behavior:

    • In releases prior to Junos OS 18.3R1, it delivers all IFD traffic and queue statistics. In Junos OS 18.3R1 and higher, it delivers statistics in two sensors:

      • /junos/system/linecard/interface/traffic/ exports all fields except queue statistics.

      • /junos/system/linecard/interface/queue/ exports queue statistics.

    To provision the sensor to export data through gRPC, use the telemetrySubscribe RPC to specify telemetry parameters. For streaming through UDP, all parameters are configured at the [edit services analytics] hierarchy level. Streaming telemetry data through gRPC also requires the OpenConfig for Junos OS module. Starting in Junos OS Release 18.3R1, OpenConfig and Network Agent packages are bundled into the Junos OS image by default. Both packages support the Junos Telemetry Interface (JTI).

    [See sensor (Junos Telemetry Interface), Configuring a Junos Telemetry Interface Sensor (CLI Procedure), and Guidelines for gRPC Sensors (Junos Telemetry Interface).]

    For exporting statistics using UDP native sensors, configure parameters at the [edit services analytics] hierarchy level.

Layer 2 Features

  • Layer 2 unicast features (EX4650 switches)—Starting with Junos OS Release 18.3R1, the following Layer 2 unicast features are supported:

    • 802.1Q VLAN trunking

    • P-VLAN

    • IRB

    • Layer 3 VLAN-tagged logical interfaces

    • 4096 VLANs

    • MAC address filtering

    • MAC address aging configuration

    • Static MAC address assignment for interfaces

    • Per-VLAN MAC learning (limit)

    • MAC learning disable

    • Persistent MAC (sticky MAC)

    • Q-in-Q tag manipulation

    • MAC address limit per port

    • MAC limiting

    • MAC limiting per port, per VLAN

    • MAC move limiting

    • P-VLAN on Q-in-Q

    • 802.1D

    • 802.1w (RSTP)

    • 802.1s (MST)

    • BPDU protection

    • Loop protection

    • Root protection

    • VSTP

    • RSTP and VSTP running concurrently

    • Link aggregation (static and dynamic) with LACP (fast and slow LACP)

    • LLDP

    • Multiple VLAN Registration Protocol (802.1ak)

    [See Ethernet Switching User Guide.]

  • Layer 2 unicast features (EX4650 switches)—Starting with Junos OS Release 18.3R1, you can use the Unified Forwarding Table (UFT) feature to allocate forwarding table resources to optimize the memory available for different address types based on the needs of your network. You can choose to allocate a higher percentage of memory for one type of address or another.

    [See Understanding the Unified Forwarding Table.]


  • MPLS support (EX4650)—Starting with Junos OS Release 18.3R1, the following MPLS features are supported:

    • LDP (tunneling over RSVP, targeted LDP, LDP over RSVP)

    • RSVP-TE

    • TE++ container LSPs

    • Automatic bandwidth allocation on LSPs

    • IPv6 tunneling over an MPLS IPv4 network (6PE and 6VPE)

    • Ethernet-over-MPLS (L2 circuit)

    • Layer 3 VPN

    • Carrier-of-carrier VPNs

    • ECMP routing

    • Segment routing


    • MPLS over IRB interfaces

    • VRF support in IRB Interfaces

    [See MPLS Feature Support on QFX Series and EX4600 Switches.]


  • IGMP snooping with private VLANs (EX4300 switches and EX4300 Virtual Chassis)—Starting in Junos OS Release 18.3R1, EX4300 switches and EX4300 Virtual Chassis support IGMP snooping with private VLANs (PVLANs). A PVLAN consists of secondary isolated and community VLANs configured within a primary VLAN. Without IGMP snooping support on the secondary VLANs, multicast streams received on a primary VLAN are flooded to the secondary VLANs. This feature extends IGMP snooping on a primary VLAN to its secondary VLANs, which further constrains multicast streams only to interested receivers on PVLANs. When IGMP snooping is enabled on a primary VLAN, it is implicitly enabled on all secondary VLANs, and the secondary VLANs learn the multicast group information on the primary VLAN.


    Ports in a secondary VLAN cannot be used as IGMP multicast router interfaces. Secondary VLANs can receive multicast data streams ingressing on promiscuous trunk ports or inter-switch links acting as multicast router interfaces.

    [See IGMP Snooping Overview.]

  • Multicast VLAN registration (MVR) (EX4300 switches and EX4300 Virtual Chassis)—Starting in Junos OS Release 18.3R1, EX4300 switches and EX4300 Virtual Chassis support multicast VLAN registration (MVR). MVR efficiently distributes IPTV multicast streams across an Ethernet ring-based Layer 2 network, reducing the bandwidth required for this traffic by using a multicast VLAN (MVLAN) over which multicast traffic is forwarded to interested listeners on other VLANs that are configured as MVR receiver VLANs. You can configure MVR at the [edit protocols igmp-snooping vlan vlan-name data-forwarding] source and receiver hierarchy levels, and use the show igmp snooping data-forwarding CLI command to view configured MVLAN and MVR receiver VLAN associations.

    [See Understanding Multicast VLAN Registration.]

  • Layer 3 multicast features (EX4650)—Starting with Junos OS Release 18.3R1, the following Layer 3 multicast features are supported:

    • IGMP version 1 (IGMPv1), version 2 (IGMPv2), and version 3 (IGMPv3)

    • IGMP filtering

    • PIM sparse mode (PIM-SM)

    • PIM dense mode (PIM-DM)

    • PIM source-specific multicast (PIM-SSM)

    • MSDP

    IGMP and PIM are also supported on virtual routers.

    [See Multicast Overview.]

  • Layer 2 multicast features (EX4650)—Starting with Junos OS Release 18.3R1, the following Layer 2 multicast features are supported:

    • IGMP snooping for IGMPv1, IGMPv2, and IGMPv3

    • IGMP proxy

    • IGMP querier

    IGMP snooping is also supported on virtual routers.

    [See Multicast Overview.]

Network Management and Monitoring

  • Customized MIBs for sending custom traps based on syslog events (EX Series)—Starting in Junos OS Release 18.3R1, there is a process whereby customers can define their own MIBs for trap notifications. The customized MIB maps a particular error message with a custom OID rather than a generic one. Juniper Networks provides two new MIB roots reserved for customer MIBs, one for the custom MIB modules and the other for the trap notifications. For this process, you must convert the MIB to YANG format, and a tool is available for that.

    [See Customized SNMP MIBs for Syslog Traps.]

  • MIB support for media attachment unit (MAU) information (EX2300, EX3400, and EX4300 switches)—As of Junos OS Release 18.3R1, remote agents can use SNMP to gather information about media attachment units (MAUs) connected to switches. These switches will populate the Entity (RFC 4133) and Entity State (RFC 4268) standard SNMP MIBs and a new MIB table, ifJnxMediaTable, which is part of the Juniper Networks enterprise-specific interface MIB extensions. The objects in the table represent MAU information such as media type, connector type, link mode, and link speed.

    [See SNMP MIB Explorer.]

  • Services support: sFlow, port mirroring, and storm control (EX4650 switches)—Starting in Junos OS Release 18.3R1, the following services are provided on EX4650 switches:

    • sFlow networking monitoring technology—Collects samples of network packets and sends them in a UDP datagram to a monitoring station called a collector. You can configure sFlow technology on a device to monitor traffic continuously at wire speed on all interfaces simultaneously.

    • Local and remote port mirroring and remote port mirroring to an IP address—Copies packets entering or exiting a port or entering a VLAN and sends the copies to a local interface (local port mirroring), to a VLAN (remote port mirroring), or to the IP address of a device running an analyzer application on a remote network (remote port mirroring to an IP address [GRE encapsulation]). (When you use remote port mirroring to an IP address, the mirrored packets are GRE-encapsulated.)

    • Storm control—Causes a device to monitor traffic levels and take a specified action when a specified traffic level—called the storm control level—is exceeded, thus preventing packets from proliferating and degrading service. You can configure devices to drop broadcast and unknown unicast packets, shut down interfaces, or temporarily disable interfaces when the storm control level is exceeded.

    [See Overview of sFlow Technology, Understanding Port Mirroring, and Understanding Storm Control.]

Operation, Administration, and Maintenance (OAM)

  • Connectivity Fault Management (CFM) Support (EX4600)—IEEE 802.1ag connectivity fault management (CFM) provides fault isolation and detection over large Layer 2 networks which can span several service provider networks. You can configure CFM to monitor, isolate, and verify faults in these interconnected provider bridge networks. Starting in Junos OS Release 18.3R1, Junos OS provides CFM support on EX4600.

    CFM support on EX4600 has the following limitations:

    • CFM support is provided via software using filters. This can impact scaling.

    • Inline Packet Forwarding Engine (PFE) mode is not supported. In Inline PFE mode, you can delegate periodic packet management (PPM) processing to the Packet Forwarding Engine (PFE), which results in faster packet handling and supports a CCM interval of 10 milliseconds.

    • Performance monitoring (ITU-T Y.1731 Ethernet Service OAM) is not supported.

    • CCM interval of less than 1 second is not supported.

    • CFM is not supported on Routed Interfaces and aggregated Ethernet (lag) interfaces.

    • MIP half function, to divide the MIP functionality into two unidirectional segments to improve network coverage, is not supported.

    • Up MEP is not supported.

    • Total number of CFM sessions supported is 30.

    [See Understanding Ethernet OAM Connectivity Fault Management for an EX Series Switch.]

Port Security

  • IPv6 router advertisement (RA) guard (EX4600)—Starting with Junos OS Release 18.3R1 for EX Series switches, IPv6 RA guard is supported on EX4600 switches. RA guard protects against rogue RA messages generated either maliciously or unintentionally by unauthorized or improperly configured routers connecting to the network segment. RA guard works by validating RA messages based on whether they meet certain criteria, which is configured on the switch as a policy. RA guard inspects the RA message and compares the information contained in the message attributes to the policy. Depending on the policy, RA guard either drops or forwards the RA messages that match the conditions.

    [See Understanding IPv6 Router Advertisement Guard.]

Restoration Procedures and Failure Handling

  • Device recovery mode introduced in Junos OS with upgraded FreeBSD (EX Series)—Starting in Junos OS Release 16.1, for devices running Junos OS with upgraded FreeBSD, provided you have saved a rescue configuration on the device, there is an automatic device recovery mode that goes into action should the system go into amnesiac mode. In the new process, the system automatically retries booting with the saved rescue configuration. In this circumstance, the system displays the banner "Device is in recovery mode" in the CLI (in both the operational and configuration modes). Previously, there was no automatic process to recover from amnesiac mode. A user with load and commit permission had to log in using the console and fix the issue in the configuration before the system would reboot.

    [See Saving a Rescue Configuration File.]


  • Support for firewall filters (EX4650)—Starting with Junos OS Release 18.3R1, you can configure firewall rules to filter incoming network traffic based on a series of user-defined rules. You can specify whether to accept, permit, deny, or forward a packet before it enters an interface. If a packet is accepted, you can also configure additional actions to perform on the packet, such as class-of-service (CoS) marking (grouping similar types of traffic together and treating each type of traffic as a class with its own level of service priority) and traffic policing (controlling the maximum rate of traffic sent or received). You configure firewall filters at the [edit firewall] hierarchy level.

    [See Firewall Filters Overview.]

  • Support for distributed denial-of-service protection (EX4650)—Starting with Junos OS Release 18.3R1, you can configure denial-of-service (DoS) protection so that the switch continues to function while under attack. A denial-of-service (DoS) attack is any attempt to deny valid users access to network or server resources by using up all the resources of the network element or server. DDoS protection identifies and suppresses malicious control packets while enabling legitimate control traffic to be processed. A single point of DDoS protection management enables you to customize profiles for your network control traffic. To protect against DDoS attacks, you can configure policers for host-bound exception traffic. The policers specify rate limits for all control traffic for a given protocol. You can also monitor policers, obtaining information such as the number of violations encountered and the number of packets received or dropped.

    [See Understanding Distributed Denial-of-Service Protection on QFX Series Switches.]

Software Installation and Upgrade

  • Phone-home client (EX4300 switches)—Starting with Junos OS Release 18.3R1, you can use either the legacy DHCP-options-based ZTP or the phone-home client (PHC) to provision software for the switch. If the switch boots up and there are DHCP options received from the DHCP server for ZTP, ZTP resumes. If DHCP options are not present, PHC is attempted. PHC enables the switch to securely obtain bootstrapping data, such as a configuration or software image, with no user intervention other than having to physically connect the switch to the network. When the switch first boots, PHC connects to a redirect server, which will redirect to a phone home server to get the configuration or software image.

    To initiate either DHCP-options-based ZTP or PHC, the switch must be in a factory-default state; alternatively, you can issue the request system zeroize command.

    [See Understanding the Phone-Home Client.]

System Management

  • Secure boot (EX4650 switches)—Starting with Junos OS Release 18.3R1, a significant system security enhancement is being introduced: secure boot. The secure boot implementation is based on the UEFI 2.4 standard. The BIOS has been hardened and serves as a core root of trust. The BIOS updates, the bootloader, and the kernel are cryptographically protected. No action is required to implement secure boot.

Changes in Behavior and Syntax

This section lists the changes in behavior of Junos OS features and changes in the syntax of Junos OS statements and commands from Junos OS Release 18.3R3 for the EX Series.

Interfaces and Chassis

  • No support for performance monitoring on ae interfaces (EX4300)—Y.1731 performance monitoring (PM) over aggregated Ethernet interfaces is not supported on EX4300 switches.

    [See sla-iterator-profile.]

Junos OS XML API and Scripting

  • MD5 and SHA-1 hashing algorithms are no longer supported for script checksums (EX Series)—Starting in Junos OS Release 18.3R1, Junos OS does not support configuring an MD5 or SHA-1 checksum hash to verify the integrity of local commit, event, op, SNMP, or Juniper Extension Toolkit (JET) scripts or support using an MD5 or SHA-1 checksum hash with the op url url key option to verify the integrity of remote op scripts.
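A pre-upgrade check for the change above, as an added example that is not part of the release notes or any Juniper tooling: it scans a set-format configuration for script checksum statements that still use MD5 or SHA-1 and, where the script contents are available, builds the SHA-256 replacement. The statement shape (`... file <name> checksum <algo> <digest>`), the `sha1` keyword spelling, and all sample lines and script names are assumptions or constructed values; the remote `op url ... key` option is not covered.

```python
import hashlib
import re

# Hash keywords no longer accepted for script checksums from 18.3R1 on.
# Assumption: SHA-1 is written "sha1" in the CLI; "sha-1" is matched as well
# in case a configuration uses that spelling.
WEAK_ALGOS = {"md5", "sha1", "sha-1"}

# Matches set-format lines of the assumed form
#   set <hierarchy> file <script-name> checksum <algo> <digest>
CHECKSUM_RE = re.compile(
    r"^set\s+(?P<path>.+?)\s+file\s+(?P<file>\S+)\s+checksum\s+"
    r"(?P<algo>\S+)\s+(?P<digest>\S+)$"
)


def sha256_statement(path, filename, script_bytes):
    """Build the replacement statement from the script's actual contents."""
    digest = hashlib.sha256(script_bytes).hexdigest()
    return f"set {path} file {filename} checksum sha-256 {digest}"


def audit_script_checksums(set_config, scripts=None):
    """Return one finding per checksum statement that uses MD5 or SHA-1.

    scripts maps a script file name to its bytes; when a script is missing
    from the map, the finding carries no replacement and the script has to
    be fetched and hashed before the statement can be rewritten.
    """
    scripts = scripts or {}
    findings = []
    for lineno, raw in enumerate(set_config.splitlines(), start=1):
        match = CHECKSUM_RE.match(raw.strip())
        if not match or match["algo"].lower() not in WEAK_ALGOS:
            continue
        body = scripts.get(match["file"])
        findings.append({
            "line": lineno,
            "path": match["path"],
            "file": match["file"],
            "algo": match["algo"].lower(),
            "replacement": (
                sha256_statement(match["path"], match["file"], body)
                if body is not None else None
            ),
        })
    return findings


# Constructed sample configuration (digests are placeholders, not real hashes
# of any script).
SAMPLE_CONFIG = "\n".join([
    "set system scripts commit file check-mtu.slax checksum md5 d41d8cd98f00b204e9800998ecf8427e",
    "set system scripts op file show-ports.py checksum sha-256 "
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "set event-options event-script file on-link-down.slax checksum sha1 "
    "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "set system scripts op file no-checksum.slax",
])

# Constructed script contents; only one of the flagged scripts is available.
SAMPLE_SCRIPTS = {"check-mtu.slax": b"version 1.1;\n/* constructed sample */\n"}

if __name__ == "__main__":
    for finding in audit_script_checksums(SAMPLE_CONFIG, SAMPLE_SCRIPTS):
        print(f"line {finding['line']}: {finding['file']} uses {finding['algo']}")
        print("  replace with:", finding["replacement"] or "(hash the script first)")
```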

Layer 2 Features

  • Configuration option for LLDP VLAN name type, length, and value (TLV) (EX3400, EX4300)—Starting in Junos OS Release 18.3R1, you can configure the vlan-name-tlv-option (name | vlan-id) statement at the [edit protocols lldp] hierarchy level to select whether to transmit the VLAN name or simply the VLAN ID for the Link Layer Discovery Protocol (LLDP) VLAN name TLV when exchanging LLDP messages. By default, EX Series switches running Enhanced Layer 2 Software (ELS) transmit the VLAN ID for the LLDP VLAN name TLV, and the show lldp detail command displays the default string vlan-vlan-id for an interface’s VLAN name in the Vlan-name output field. Switches that support the vlan-name-tlv-option statement behave the same as the default if you configure the vlan-id option with this statement. If you configure the name option, the switch transmits the VLAN name instead, and the show lldp detail command displays the VLAN name in the Vlan-name output field.

  • input-native-vlan-push (EX2300, EX3400, EX4600, EX4650, and the QFX5000 line of switches)—From Junos OS Release 18.3R3, the configuration statement input-native-vlan-push at the [edit interfaces interface-name] hierarchy level is introduced. You can use this statement in a Q-in-Q tunneling configuration to control whether the switch inserts a native VLAN identifier in untagged frames received on the C-VLAN interface, when the configuration statement input-vlan-map with a push operation is configured.

    [See input-native-vlan-push.]

Network Management and Monitoring

  • Junos OS does not support management of YANG packages in configuration mode (EX Series)—Starting in Junos OS Release 18.3R1, adding, deleting, or updating YANG packages using the run command in configuration mode is not supported.

  • The NETCONF server omits warnings in RPC replies when the rfc-compliant statement is configured and the operation returns <ok/> (EX Series)—Starting in Junos OS Release 18.3R2, when you configure the rfc-compliant statement at the [edit system services netconf] hierarchy level to enforce certain behaviors by the NETCONF server, if the server reply after a successful operation includes both an <ok/> element and one or more <rpc-error> elements with a severity level of warning, the warnings are omitted. In earlier releases, or when the rfc-compliant statement is not configured, the NETCONF server might issue an RPC reply that includes both an <rpc-error> element with a severity level of warning and an <ok/> element.
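Client-side handling of the two reply shapes described above, as an added example that is not Juniper code: it classifies an <rpc-reply> so that automation reaches the same success decision whether or not warnings accompany <ok/>. The sample replies and message texts are constructed, and an <rpc-error> without an <error-severity> child is treated as an error by assumption.

```python
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip an XML namespace, so replies parse with or without one."""
    return tag.rsplit("}", 1)[-1]


def classify_reply(xml_text):
    """Classify a NETCONF <rpc-reply> for an operation that returns <ok/>.

    Returns a dict with:
      ok       - True if an <ok/> element is present
      warnings - messages from <rpc-error> elements with severity "warning"
      errors   - messages from every other <rpc-error> element
      success  - True only if <ok/> is present and there are no errors
    """
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "rpc-reply":
        raise ValueError("not an rpc-reply document")

    ok = False
    warnings, errors = [], []
    for child in root:
        name = _local(child.tag)
        if name == "ok":
            ok = True
        elif name == "rpc-error":
            fields = {_local(e.tag): (e.text or "").strip() for e in child}
            # Assumption: a missing severity is handled as an error (fail closed).
            severity = fields.get("error-severity", "error")
            message = fields.get("error-message", "")
            (warnings if severity == "warning" else errors).append(message)

    return {"ok": ok, "success": ok and not errors,
            "warnings": warnings, "errors": errors}


# Constructed replies. The first is the shape possible in earlier releases or
# without rfc-compliant; the second is the rfc-compliant shape from 18.3R2 on.
REPLY_WARNING_AND_OK = """<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
  <rpc-error>
    <error-severity>warning</error-severity>
    <error-message>constructed warning text</error-message>
  </rpc-error>
  <ok/>
</rpc-reply>"""

REPLY_OK_ONLY = """<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
  <ok/>
</rpc-reply>"""

REPLY_ERROR = """<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="102">
  <rpc-error>
    <error-severity>error</error-severity>
    <error-message>constructed error text</error-message>
  </rpc-error>
</rpc-reply>"""

if __name__ == "__main__":
    for label, reply in [("warning + ok", REPLY_WARNING_AND_OK),
                         ("ok only", REPLY_OK_ONLY),
                         ("error", REPLY_ERROR)]:
        print(label, "->", classify_reply(reply))
```

Tooling that previously logged or alerted on commit warnings taken from the reply will see an empty warnings list once rfc-compliant is configured on 18.3R2 or later.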


  • Firewall warning message (EX2300 switches)—Starting in 18.3R1, a warning message is displayed whenever a firewall term includes log or syslog with the accept filter action.

  • Syslog or log action on firewall drops packets (EX4600 switches)—Starting in 18.3R2, if you configure a syslog or log action on an ingress firewall filter, control packets and ICMP packets sent to the Routing Engine might be dropped.

Subscriber Management and Services

  • DHCPv6 lease renewal for separate IA renew requests (EX Series)—Starting in Junos OS Release 18.3R1, the jdhcpd process handles the second renew request differently in the situation where the DHCPv6 client CPE device does both of the following:

    • Initiates negotiation for both the IA_NA and IA_PD address types in a single solicit message.

    • Sends separate lease renew requests for the IA_NA and the IA_PD and the renew requests are received back-to-back.

    The new behavior is as follows:

    1. When the reply is received for the first renew request, if a renew request is pending for the second address type, the client stays in the renewing state, the lease is extended for the first IA, and the client entry is updated.

    2. When the reply is received for the second renew request, the lease is extended for the second IA and the client entry is updated again.

    In earlier releases:

    1. The client transitions to the bound state instead of staying in the renewing state. The lease is extended for the first IA and the client entry is updated.

    2. When the reply is received for the second renew request, the lease is not renewed for the second address type and the reply is forwarded to the client. Consequently, when that lease ages out, the binding for that address type is cleared, the access route is removed, and subsequent traffic is dropped for that address or address prefix.

    [See Using DHCPv6 IA_NA with DHCPv6 Prefix Delegation Overview.]

Virtual Chassis

  • New configuration option to disable automatic Virtual Chassis port conversion (EX4300 and EX4600 Virtual Chassis)—Starting in Junos OS Release 18.3R1, you can use the no-auto-conversion statement at the [edit virtual-chassis] hierarchy level to disable automatic Virtual Chassis port (VCP) conversion in an EX4300 or EX4600 Virtual Chassis. Automatic VCP conversion is enabled by default on these switches. When automatic VCP conversion is enabled, if you connect a new member to a Virtual Chassis or add a new link between two existing members in a Virtual Chassis, the ports on both sides of the link are automatically converted into VCPs when all of the following conditions are true:

    • LLDP is enabled on the interfaces for the members on both sides of the link. The two sides exchange LLDP packets to accomplish the port conversion.

    • The Virtual Chassis must be preprovisioned with the switches on both sides of the link already configured in the members list of the Virtual Chassis using the set virtual-chassis member command.

    • The ports on both ends of the link are supported as VCPs and are not already configured as VCPs.

    Automatic VCP conversion is not needed when using default-configured VCPs on both sides of the link to interconnect two members. On both ends of the link, you can also manually configure network or uplink ports that are supported as VCPs, whether or not the automatic VCP conversion feature is enabled.

    Deleting the no-auto-conversion statement from the configuration returns the Virtual Chassis to the default behavior, which reenables automatic VCP conversion.

Known Behavior

This section lists known behavior, system maximums, and limitations in hardware and software in Junos OS Release 18.3R3 for the EX Series.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Class of Service (CoS)

  • On EX4650 switches, if the CoS configuration is modified while egress traffic is shaped at a very low rate (less than 50 Mbps), packets might get stuck in the MMU buffers permanently, which might cause ingress or egress traffic drops. When low-rate shapers (less than 50 Mbps) are applied on egress queues, we suggest that you deactivate shaping or ensure that traffic is stopped before making any CoS modification. PR1367432

Ethernet Switching

  • With software MAC learning enabled, for example, with features such as MAC limiting, MAC move limit, 802.1X authentication, and source MAC filters, MAC learning is slower than with hardware MAC learning. PR1355758


  • This issue is specific to downgrade (17.4T). A core file is seen only once during the downgrade because of a timing issue in the SDK toolkit upgrade, after which dcpfe recovers on its own and no further issues are seen. PR1337008

Layer 2 Features

  • On EX4650, the switch might learn its own MAC address on the network interface if it is attached to an IRB interface to a VLAN. This wrong MAC learning might result in wrong forwarding in an MC-LAG scenario. PR1365942

Interfaces and Chassis

  • Previously, the same IP address could be configured on different logical interfaces from different physical interfaces in the same routing instance (including master routing instance), but only one logical interface was assigned with the identical address after commit. There was no warning during the commit, only syslog messages indicating incorrect configuration. This issue is fixed and it is now not allowed to configure the same IP address (the length of the mask does not matter) on different logical interfaces. PR1221993

Platform and Infrastructure

  • On EX2300 and EX3400 switches, L2PT will not work with tag-protocol-id 0x9100. PR1333475

  • Smartd verification is not supported on EX4300-48-MP. Instead, "ssd-stats" can be used from Host-OS to get an overall current health status of SSD. PR1343091

  • On EX4300-48MP, when the primary root partition is corrupted and the switch is power cycled, the switch gets stuck at Linux after boot. The switch must be manually rebooted from the secondary SSD partition, and the corrupted primary partition must then be recovered. PR1344938

  • Broadcast route is not pingable when NTP is configured in broadcast mode. PR1347480

  • DIRECTORY CORRUPTED I=149350 OWNER=0 MODE=40755 messages are continuously printed on the console during device boot up after a power cycle of the device. The error logs come from inside the Junos VM. As soon as any disk write operation is initiated from inside the VM, it is written to the host disk as well. However, if a power cycle happens before the disk write completes, this issue is bound to occur. PR1361094

  • Logical interfaces statistics are not supported for L2 and aggregated Ethernet interfaces. They are supported only for Layer 3 interfaces (Layer 3 interface should not be member of aggregated Ethernet). Make sure you have only normal Layer 3 interfaces. PR1361185

  • Bidirectional optics channelization is not supported. PR1361891

  • In QFX5000 switches when more than one interface is attached to an output VLAN for remote port mirroring, the traffic will be received by only one of the interfaces. PR1363358

  • A few error messages related to function rt_mesh_group_add_check() will be seen during reboot and are harmless. PR1365049

  • Auto-channelization is not supported for 40GBASE-BXSR, QSFP+40GE-LX4, QSFP-100G-PSM4, and 100GBASE-BXSR. PR1366103

  • On EX4650 with 288,000 MAC addresses, Routing Engine command show ethernet-switching table summary output will show the learned scale entries after a delay of around 60 seconds. PR1367538

  • Subsecond BFD interval timer is not supported for EX4650 switches. PR1368671

  • Because the system is VM-based, the recovery is done from Linux recovery. PR1371014

  • Intermittently after Junos OS reboots, two of the channelized 25-Gigabit Ethernet ports using 4 x 25-Gigabit Ethernet breakout cable might not come up. PR1384898

  • Junos OS can hang trying to acquire the SMP IPI lock while rebooting when it is running as a VM on Linux and QEMU hypervisor. The device can be recovered by power cycling it. PR1385970

Routing Protocols

  • You can scale IS-IS v4, 254 neighbors and 200,000 routes together. Beyond 200,000 routes with 254 neighbors, adjacency flaps and traffic drop are noticed. However, with 40 neighbors, 351,000 routes got scaled. PR1368106

  • Because the flex counters are shared among IFPs and other tables, in a unidimensional testing, IPMC statistics counter created will not be equivalent to the number of IPMC entries created and statistics counter creation will fail with error No resources for operation after 60,000 entries. PR1371399

  • The mcsnoopd error messages are seen in logs while adding or deleting IGMP PIM configuration. These are debug messages and are not harmful. PR1371662

Virtual Chassis

  • A Virtual Chassis internal loop might happen at a node coming up from a reboot. During nonstop software upgrade (NSSU) on a QFX5100 Virtual Chassis, a minimal traffic disruption or traffic loop (greater than 2 seconds) might occur. PR1347902

Known Issues

This section lists the known issues in hardware and software in Junos OS Release 18.3R3 for the EX Series.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

General Routing

  • ARPs queue limit has been changed from 100 pps to 3000 pps. PR1165757

  • On an EX9200-12QS line card, interfaces with the default speed of 10-Gigabit Ethernet are not brought down even when the remote end of a connection is misconfigured as 40-Gigabit Ethernet. PR1175918

  • On an EX2300 switch, the output of the command show chassis routing-engine might display an incorrect value of "mac reset" for the "last reboot reason" field. PR1331264

  • There is no support of interface range for channelized interfaces on EX9253. You must configure interfaces individually. PR1350635

  • On EX3400 when me0 ports are connected between two EX3400 switches, the link does not come up. The link comes up when me0 is connected to a network port. PR1351757

  • When VLAN is added as an action for changing the VLAN in both ingress and egress filters, the filter will not be installed. PR1362609

  • On EX4650, after deleting SFLOW configuration, every five minutes the error message sflow_net_socket_init, 423sflow socket connect failed (socket closed) will be displayed on the VTY console. PR1363381

  • On EX4650 platforms, if lcmd is restarted, a chassisd core file is generated with a traffic drop for few seconds. PR1363652

  • When an ISSU from Junos OS Release 15.1R7.7 to Release 16.1R7.6 is performed on an EX9200 Routing Engine, integrated routing and bridging (IRB) IPv4 and IPv6 traffic is dropped. This traffic loss occurs toward the end of the ISSU operation when the new backup Routing Engine comes up and synchronizes with the new master Routing Engine. PR1365149

  • Traffic drops might be observed with a swap out of a Virtual Chassis of QFX5100 to the EX9253 for testing some heavy multicast traffic, even when IRB interface comes up. PR1369099

  • An EX4300 configured with a firewall filter on lo0 and DHCP security on VLAN simultaneously might drop legitimate DHCP renew requests from clients on the corresponding VLANs. This occurs due to implementation design and Broadcom chipset limitation. PR1376454

  • On EX9208, a few XE interfaces go down with the error if_msg_ifd_cmd_tlv_decode ifd xe-0/0/0 #190 down with ASIC Error. PR1377840

  • After the Media Access Control Security (MACsec) session is deleted, the corresponding interfaces lose their MACsec function if LACP is enabled on them and the command exclude lacp is configured under the [security macsec] hierarchy. PR1378710

  • After a unified ISSU from Junos OS Release 18.2R1, 18.1R1, to 18.3R1, the interfaces of EX9200 32x10G SFP are flapped with error IFRT: 'IFD add' (opcode 3) failed on EX9214 with MC-LAG configurations. PR1384670

  • On EX4650, the installation error rcu_sched self-detected stall is seen on CPU. PR1384791

  • Junos OS can hang trying to acquire the SMP IPI lock while rebooting when it is running as a VM on Linux and QEMU hypervisor. The device can be recovered by power cycling it. PR1385970

  • On EX4300-48MP switches, active SSD firmware upgrade is supported; a power cycle of the switch is not required after the SSD firmware upgrade. PR1389543

  • DCPFE did not come up in some instances of abrupt power-off/power-on of EX4650. A power cycle of the device or a host reboot recovers the device. PR1393554

  • If PTP transparent clock is configured on the QFX5200, and if IGMP-snooping is configured for the same VLAN as PTP traffic, the PTP over Ethernet traffic might be dropped. PR1395186

  • On EX9200 device with MC-LAG configuration and other features enabled, there is a loss of approximately 20 seconds during restart of routing daemon. This traffic loss varies with the configuration that is done. PR1409773

  • On QFX5110 and QFX5120 platforms, uRPF check in strict mode will not work properly. PR1417546

  • When a DAC cable is used between an EX46XX Series device and an EX Series device, the ports on the EX Series device might stay up while the EX46XX Series device is rebooting. PR1441035

  • Errors might be seen for a short period of time during initialization and might not have any functionality impact. PR1449043


  • The data carrier detect (DCD) modem control signal is not implemented in the UART driver for EX3400 and EX2300 platforms. Hence, the log-out-on-disconnect feature is not functional on these platforms. PR1351906

  • Junos OS can hang trying to acquire the SMP IPI lock while rebooting when it is running as a VM on Linux and QEMU hypervisor. PR1359339

  • When an SNMP poll is performed for the following OIDs, the backup Routing Engine returns the value 6 (6=down) for the fan and 1 (1=unknown) for the PSUs, even though the fan and PSUs are up. Fan: PSU: As a workaround, upgrade the chassis to Junos OS Release 15.1R8 or later. PR1360962

  • On EX Series platforms, if a large number of firewall filters is configured on some interfaces, the FPC might crash and generate a core file. PR1434927

  • On EX2300, EX2300-C, and EX2300-MP platforms, if Junos OS runs with FreeBSD kernel version 11 with a build date on or after 2019-02-12, the switch might stop forwarding traffic or responding to the console. A reboot is required to restore the service. PR1442376

Interfaces and Chassis

  • On GRES switchover, VSTP port cost on aggregated Ethernet interfaces might get changed, leading to topology change. PR1174213

  • VRRP-V6 state is flapping with init and idle states after configuring vlan-tagging. PR1445370

Junos Fusion Enterprise

  • It could take 6 to 30 seconds for the traffic to converge when the aggregation device running Junos Fusion Enterprise is powered OFF or powered ON. PR1257057

Layer 2 Ethernet Services

  • On EX9200 platforms configured for DHCP-Relay, the GIADDR field in the DHCP Offer/Reply/Ack packets is stripped/set to, which might cause some DHCP clients to not accept the offered IP address. PR1443516

Layer 2 Features

  • The message eswd[1200]: ESWD_MAC_SMAC_BRIDGE_MAC_IDENTICAL: Bridge Address Add: XX:XX:db:2b:26:81 SMAC is equal to bridge mac hence don't learn is seen in syslog every few minutes on ERPS owner. The logs occur during ERPS PDU in ERPS setup. This message can be ignored. PR1372422


  • IGMP query packets might be duplicated between L2 interfaces when IGMP snooping is enabled. PR1391753

Platform and Infrastructure

  • IGMPv3 neighborship information is now in sync with the kernel entries. PR1317141

  • There are multiple failures when events like node reboots, ICL flaps, and ICCP flaps occur. Even with enhanced convergence configured, there is no guarantee that subsecond convergence will be achieved. PR1371493

Routing Protocols

  • BGP IPv4 and IPv6 convergence and RIB install or delete time is degraded in Junos OS 19.1R1, 19.2R1, and 19.3R1 mainline releases. PR1414121

Subscriber Access Management

  • The authd process reuses an address too quickly, before jdhcpd has completely cleaned up the old subscriber, which floods the error log. For example, jdhcpd: %USER-3-DH_SVC_DUPLICATE_IPADDR_ERR: Failed to add as it is already used by 1815. PR1402653

Resolved Issues

This section lists the issues fixed in the Junos OS Release 18.3R3 for the EX Series switches.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Resolved Issues: 18.3R3

Authentication and Access Control

  • Without dot1x configuration, the syslog message dot1xd[2192]: task_connect: task PNACAUTH./var/run/authd_control addr /var/run/authd_control: Connection refused is generated repeatedly. PR1406965


  • The device might send the ARP probe packets to the proxy server in an EVPN environment. PR1427109

  • Configuring ESI on a single-homed 25-Gigabit Ethernet port might not work. PR1438227

Forwarding and Sampling

  • Enable interface with input/output vlan-maps to be added to a routing-instance configured with vlan-id/vlan-tags (instance type virtual-switch/vpls). PR1433542

  • Committing configuration might fail when the firewall policer action is configured with forwarding-class. PR1446556

General Routing

  • Certain EX Series and QFX Series devices are vulnerable to Etherleak memory disclosure in Ethernet padding data. PR1063645

  • Transit OSPF traffic over Q-in-Q tunneling might be dropped if a firewall filter is applied to the Lo0 interface. PR1355111

  • The l2ald process might crash and generate a core file on EX2300 Virtual Chassis when a trunk port is converted to a dot1x access port with tagged traffic flowing. PR1362587

  • Convergence delay between PE1 and P router link is more than expected delay value. PR1364244

  • IPv6 router advertisement (RA) messages can increase internal kernel memory usage. PR1369638

  • The DHCP discover packets are forwarded out of an interface incorrectly if DHCP snooping is configured on that interface. PR1403528

  • MAC address movement might not happen in Flexible Ethernet Services mode when family inet/inet6 and vlan-bridge are configured on the same physical interface. PR1408230

  • On EX2300-24P, the error message dc-pfe: BRCM_NH-,brcm_nh_resolve_get_nexthop(),346:Failed to find if family is seen. PR1410717

  • PEM alarm for backup FPC will remain on master FPC even though backup FPC is detached from Virtual Chassis. PR1412429

  • On EX4300-48MP chassis status LED shows yellow instead of amber. PR1413194

  • The upgrade of the PoE firmware might fail on EX3400. PR1413802

  • On EX3400, show chassis environment repeats OK and Failed at short intervals. PR1417839

  • The EX3400 Virtual Chassis status might be unstable during the Virtual Chassis startup or after the Virtual Chassis port flap. PR1418490

  • Traffic drop might be observed when transit static LSP is configured on EX4650/QFX5120 platforms. PR1420370

  • Virtual Chassis might become unstable and fxpc process generates a core file when there are a lot of configured filter entries. PR1422132

  • Ensure phone-home works in factory-default configuration. PR1423015

  • IPv6 multicast traffic received on one Virtual Chassis member might be dropped when egressing on another Virtual Chassis member if MLD snooping is enabled. PR1423310

  • On EX3400, the autonegotiation status shows incomplete on ge-0/2/0 using SFP-SX. PR1423469

  • Multicast traffic might be silently dropped on ingress port with igmp-snooping enabled. PR1423556

  • MACsec connection on EX4600 platforms might not come back up after interface disconnect/reconnect. PR1423597

  • On MX204 Optics "SFP-1GE-FE-E-T" I2C read errors are seen when an SFP-T is inserted into a disabled state port. PR1423858

  • MAC address pools are overlapping between different switches. PR1425123

  • The jdhcpd might consume 100 percent CPU and crash if dhcp-security is configured. PR1425206

  • Virtual Chassis split after network topology changed. PR1427075

  • The fxpc and Packet Forwarding Engine might crash on EX2300 and EX3400 platforms. PR1427391

  • Rebooting or halting Virtual Chassis member might cause 30 seconds of down time on RTG link. PR1427500

  • On EX2300-24P, the l2ald core file is generated after removal and re-addition of multiple supplicant mode with LAN on interface. PR1428469

  • Verification of ND inspection with a dynamically bound client moved to a different VLAN on the same port is failing. PR1428769

  • The delay in transmission of BPDUs after GRES might result in loss of traffic on EX2300/3400 Virtual Chassis. PR1428935

  • EX4300-48MP switch cannot learn MAC address through some access ports that are directly connected to a host when autonegotiation is used. PR1430109

  • Disabling DAC QSFP port might not work on EX9251 switches. PR1430921

  • Incorrect model information is received while polling via SNMP from Virtual Chassis. PR1431135

  • Packet drop might be seen if native VLAN is configured along with flexible VLAN tagging. PR1434646

  • The mc-ae interface might get stuck in waiting state in dual mc-ae scenario. PR1435874

  • Need i40e NVM upgrade support for EX9200 platform. PR1436223

  • Commit check error for VSTP on EX9200s xSTP:Trying to configure too many interfaces for given protocol. PR1438195

  • LED turns on even after you power-off the Virtual Chassis members. PR1438252

  • The DHCP snooping table might be cleared for VLAN ID 1 after adding a new VLAN ID to it. PR1438351

  • The dot1x might not work when captive-port is also configured on the interface on backup/non-master FPC. PR1439200

  • Clients in isolated VLAN might not get IP addresses after completing authentication when both dhcp-security and dot1x are configured. PR1442078

  • EX3400 FAN alarm (Fan X not spinning) appears and disappears repeatedly after removing the fan tray (Absent). PR1442134

  • DHCPv6 client might fail to get an IP address. PR1442867

  • Non-designated port is not moving to backup port role. PR1443489

  • The /var/host/motd does not exist message is flooded every 5 seconds in chassisd logs. PR1444903

  • Major alarm log messages occur for temperature conditions for EX4600 at 56 degrees celsius. PR1446363

  • The traffic might be dropped when a firewall filter rule uses then vlan as the action in a Virtual Chassis scenario. PR1446844

  • Phone home on device fails because sysctl cannot read device serial number. PR1447291

  • Added configuration on-disk-failure on EX3400. PR1447853

  • Unicast ARP requests are not replied to with no-arp-trap option. PR1448071

  • EX3400 -- IPv6 routes received via BGP do not show correct age time. PR1449305

  • Incoming L3-encapsulated packets are dropped on L3VPN MPLS PE-CE interface. PR1451032

  • dhcp-snooping static binding statement is not effective after deleting or issuing the configuration. PR1451688

  • Configuration change in VLAN all option might affect the per-VLAN configuration. PR1453505

  • Version compare in PHC might cause PHC to download the same image. PR1453535


  • Packet Forwarding Engine is flooded with messages: pkt rx on ifd NULL unit 0. PR1381151

  • The traffic to the NLB server might not be forwarded if the NLB cluster works in multicast mode. PR1411549

  • The operations on console might not work if the statement system ports console log-out-on-disconnect is configured. PR1433224

  • EX3400 might reset with vmcore by panic. PR1456668

Interfaces and Chassis

  • Missing mandatory ICCP configuration statement redundancy-group-id-list produces misleading error message. PR1402606

  • The logical interfaces in EVPN routing instances might flap after committing the configurations. PR1425339

  • EX9200 unexpected duplicate VLAN-ID commit error. PR1430966

  • VRRP-V6 state is flapping with init and idle states after configuring vlan-tagging. PR1445370

Junos Fusion Enterprise

  • The traffic might get silently dropped or discarded in Junos Fusion Enterprise scenario with dual-aggregated device (AD). PR1417139

  • Loop-detect feature is not working in Junos Fusion Enterprise. PR1426757

  • Reachability issue of the host connected to the SD might be affected in Junos Fusion Enterprise environment with EX9200 series devices as AD. PR1447873

Layer 2 Ethernet Services

  • The DHCP DECLINE packets are not forwarded to DHCP server when forward-only is set within dhcp-reply. PR1429456

  • The jdhcpd_era log files constantly consume 121M of space out of 170M, resulting into file system full and traffic impact. PR1431201

Network Management and Monitoring

  • Over Temperature trap is not sent out even though there is Temperature Hot alarm. PR1412161

Platform and Infrastructure

  • EX9251/EX9253/EX9208: DDoS violation for LLDP, MVRP, provider MVRP, and dot1x is incorrectly reported as LACP DDoS violation. PR1409626

  • Untagged traffic is single-tagged in Q-in-Q scenario on EX4300 platforms. PR1413700

  • EX4300-48MP-18.3R1.9 //Over Temperature SNMP trap generated incorrectly for LC (EX4300-48P) based on master Routing Engine (EX4300-48MP) temperature threshold value. PR1419300

  • On EX4300, the runt counter never incremented. PR1419724

  • The pfex process might crash and generate a core file when you reinsert the SFP. PR1421257

  • Traffic loss occurs when one of the logical interfaces on LAG is deactivated or deleted. PR1422920

  • Adding the second IRB to an aggregated Ethernet interface and rolling it back might cause the first IRB to stop working. PR1423106

  • Auditd crashed when accounting RADIUS server is not reachable. PR1424030

  • The native VLAN ID of packets might fail to be removed when being forwarded out. PR1424174

  • SNMP (ifHighSpeed) value does not appear properly for VCP interfaces. It shows as zero. PR1425167

  • Interface flapping scenario might lead to ECMP next-hop install failure on EX4300. PR1426760

  • IPv6 traffic might be dropped when static /64 IPv6 routes are configured. PR1427866

  • VIP might not forward the traffic if VRRP is configured on an aggregated Ethernet interface. PR1428124

  • EX4300 does not drop FCS frames with CRC error on XE interfaces. PR1429865

  • Unicast ARP requests are not replied with no-arp-trap option. PR1429964

  • EX4300 is without soft error recovery (parity check, correction, and memory scan) enabled. PR1430079

  • The jdhcpd_era log files constantly consume 121M of space out of 170M, resulting in a full file system and traffic impact. PR1431201

  • The ERPS failover does not work as expected on EX4300 device. PR1432397

  • The device might not be accessible after the upgrade. PR1435173

  • FPC/pfex crash might be observed due to DMA buffer leaking. PR1436642

  • The PoE might not work after upgrading the PoE firmware on EX4300 platforms. PR1446915

  • The firewall filters might not be created due to TCAM issues. PR1447012

Routing Protocols

  • Host-destined packets with filter log action might not reach the Routing Engine if log/syslog is enabled. PR1379718

  • ICMPv6 RA packets generated by the Routing Engine might be dropped on the backup member of the Virtual Chassis if igmp-snooping is configured. PR1413543

  • The EX Series and QFX Series switches might not install all IRB MAC addresses in the initialization. PR1416025

  • Sometimes, IGMP snooping might not work. The workaround is to restart the multicast-snooping process. PR1420921

  • The multicast traffic might be dropped when proxy mode is used for igmp-snooping. PR1425621

  • Error message RPD_DYN_CFG_GET_PROF_NAME_FAILED: Get profile name for session XXX failed: -7, might be seen in syslog after restarting routing daemon. PR1439514

  • The bandwidth value of the DDoS-protection might cause packet loss after the device reboots. PR1440847

  • IPv6 connectivity between MC-LAG peers might fail when multiple IRB interfaces are present. PR1443507

  • Junos OS BFD sessions with authentication flaps after a certain time. PR1448649

  • Loopback address exported into another VRF instance might not work on ACX Series, EX Series, and QFX Series platforms. PR1449410

  • MPLS LDP might still use the stale MAC address of the neighbor even after the LDP neighbor's MAC address changes. PR1451217

Subscriber Access Management

  • On EX4300, /var shows as full; the /var/log/dfcd_enc file grows in size. PR1425000

User Interface and Configuration

  • EX4600 and QFX5100 were unable to commit baseline configuration after returning to zero. PR1426341

Virtual Chassis

  • Current MAC address might change when deleting one of the multiple L3 interfaces. PR1449206


  • MVPN using PIM dense mode does not prune the OIF when PIM prune is received. PR1425876

Resolved Issues: 18.3R2

Authentication and Access Control

  • DHCPv6 client is not supported in this release for EX4300-48MP. PR1373691


  • A few minutes of traffic loss might be observed during recovery from link failure. PR1396597

General Routing

  • The Routing Engine Packet Forwarding Engine out-of-sync errors might be seen in syslog. PR1232178

  • The EX4300-32F MACsec session stays down on 1-Gigabit and 10-Gigabit Ethernet links after certain events, when events are performed with traffic running. PR1299484

  • On EX3400 and EX2300 platforms, a redirect message is sent from the switch even when no-redirect is set for the specified interface. PR1333153

  • The FXPC process might crash after adding or deleting a Q-in-Q VLAN to an interface on EX2300 and EX3400 platforms. PR1334850

  • The 40G interfaces might not forward traffic. PR1349675

  • FPM board status is missing in SNMP MIB walk result. PR1364246

  • OAM Ethernet connectivity-fault-management configured on aggregated Ethernet interfaces is not supported, but no commit error is generated. PR1367588

  • Unable to use Ansible to collect RSI from EX9200. PR1367913

  • MAC refresh packet might not be sent out from the new primary link after the RTG failover. PR1372999

  • The interface in SFP-T module on EX2300 and EX3400 might be down while its peer connected interface is up. PR1374522

  • EX4600VC might not send RIPv2 updates when igmp-snooping is enabled. PR1375332

  • The interface AE480 or above might be in STP discarding state on the EX9200 switches. PR1378272

  • ARP request packets might be sent out with 802.1Q VLAN tag. PR1379138

  • All interfaces belonging to certain FPCs might be lost after multiple GRES in Virtual Chassis. PR1379790

  • On EX3400 switches, the error messages are seen after applying firewall filter to loopback interface. PR1380544

  • The dot1x does not work with Microsoft NPS server. PR1381017

  • Constant memory leak might lead to FPC memory exhaustion. PR1381527

  • Commit error is observed for the first time while loading the mini-PDT base configurations. PR1383469

  • On the EX4650 switch, occasionally two of the channelized 25-Gigabit Ethernet ports that are using 4x25G breakout cable will not come up after Junos OS reboots. PR1384898

  • The ARP and ethernet-table entry is pointing to an aggregated Ethernet interface whose state is down. PR1385199

  • On EX4300-48MP, the session-option stanza under the [access profile] hierarchy for EX Series platforms is not applicable. PR1385229

  • On EX9200 platforms, the warning message prefer-status-control-active is used with status-control standby might be seen whenever you commit an operation. PR1386479

  • EX2300 with Q-in-Q flexible-vlan-tagging is unable to obtain a DHCP IP address for IRB after a reboot or power cycle. PR1387039

  • On EX3400 Virtual Chassis, the syslog errors "Error tvp_status_led_set" and "Error:tvp_optics_diag_eeprom_read" are seen. PR1389407

  • MAC learning might stop working on some LAG interfaces. PR1389411

  • "Input rate pps" is not increased on EX2300-MP uplink ports if the packet is a pure Layer 2 packet like non-etherII or non-EtherSnap. PR1389908

  • EX3400VC - When an interface in a Virtual Chassis member switch that is not master, is flapped, IGMP query packets are sent to all the ports of members except the master FPC. PR1393405

  • PTP over Ethernet traffic might be dropped when IGMP and PTP TC are configured together. PR1395186

  • On EX2300, MAC table is not populated after interface-mode change. PR1396422

  • High jsd or na-grpcd CPU usage might be seen even if JET or JTI is not used. PR1398398

  • After upgrading Junos OS Release 15.1X53 to Junos OS Release 18.2R1.9, the EX3400 cannot learn 30,000 MAC addresses. PR1399575

  • The FBF routing-instance instance-type "forwarding" is missed for EX Series (EX3400). PR1400163

  • MAC-limit with persistent MAC is not working after reboot. PR1400507

  • The authd might crash when you issue the show network-access requests pending command during authd restart. PR1401249

  • STP does not work when the aggregated interface number is ae1000 or above in QFX5110 and QFX5200 and ae480 or above in other QFX Series switches. PR1403338

  • The l2cpd might crash if the VSTP traceoptions and VSTP VLAN all commands are configured. PR1407469

  • EX3400 PSU status still shows "check" even though the PSU module has been removed. PR1408675

  • The chassisd output power budget is received continuously for 5 seconds without any alarm after upgrading to Junos OS Release 18.1R3. PR1414267

  • VXLAN encapsulation next hop (VENH) does not get installed during BGP flap or restart routing. PR1415450


  • IfSpeed and IfHighSpeed erroneously reported as zero on EX2300. PR1326902

Junos Fusion Enterprise

  • PoE over LLDP negotiation is not supported on Junos Fusion Enterprise setup. PR1366106

  • An error peer_daemon: bad daemon: scpd is seen on EX9251 switch running Junos OS Release 18.1R1 and 18.1R2. PR1369646

  • Juniper Fusion Enterprise: Cannot log in to SD cluster though it is recognized by AD properly. PR1395570

  • The l2ald might crash and generate a core file when the clear ethernet-switching table persistent-learning command is executed. PR1409403

  • Extended ports do not adjust MTU in Junos Fusion Enterprise on VOIP-enabled ports. PR1411179

Layer 2 Features

  • RTG MAC refresh packets are sent out from non-RTG ports if the RTG interface belonging to the Virtual Chassis master flaps. PR1389695

Layer 3 Features

  • The l2ald might crash when the clear ethernet-switching table persistent-learning command is issued. PR1381739

Platform and Infrastructure

  • Ping does not go through device after WTR timer expires in ERPS scenario. PR1132770

  • On EX4300 switches, in a rare situation the remote interface starts flapping unexpectedly. PR1361483

  • Login lockout might never expire because the timestamps of Lockout start and Lockout end are same. PR1373803

  • On EX4300-48MP, unsupported 1 Gigabit optics in the 10 Gigabit uplink module might cause interface traffic to be dropped. PR1374390

  • Traffic might be silently discarded with indirect next hop and load balancing. PR1376057

  • EX4300 upgrade fails during validation of slax script. PR1376750

  • ECMP route installation failure with log messages such as unilist install failure might be observed on EX4300 device. PR1376804

  • Packet drops on interface if the statement gigether-options loopback is configured. PR1380746

  • IRB interface does not turn down when the master Chassis is rebooted or halted. PR1381272

  • Traffic loss seen in Layer 2 VPN with GRE tunnel. PR1381740

  • On the EX4300 switch, if a loss priority value of high is set for multicast packets by a classifier at the ingress interface, the configuration is overridden by the storm-control filter. PR1382893

  • The EX4300 device chooses an incorrect bridge ID as the RSTP Bridge ID. PR1383356

  • On EX4300-48MP mixed Virtual Chassis, the Power over Ethernet interface maximum power configuration on a member EX4300 gives an error if the power is configured to be more than 30 W. PR1383717

  • Unicast DHCP requests get misforwarded to the backup RTG link on EX4300-VC. PR1388211

  • Layer 3 IP route is destroyed after the Layer 2 next hop is changed. PR1389688

  • Continuous log messages get printed in EX4300: 17.4 / MCSNOOPD ICCP Context./var/run/iccpd_control addr /var/run/iccpd_control: Connection refused. PR1391942

  • EX4300 OAM LFM might not work on an extended-vlan-bridge interface with native VLAN configured. PR1399864

  • Traffic drop is seen on EX4300 when 10G fiber port is using 1 Gigabit Ethernet SFP optics with autonegotiation enabled. PR1405168

Routing Protocols

  • The PPM mode for BFD session in EX4300 is centralized and not distributed by default. PR1361800

  • On EX4300-48MP, stale VLAN entries are seen after continuous script run involving split, merge, and reboot. PR1363739

  • On EX4650 switches, the output of the show pfe route summary hw command shows different scale values for the IPv4 and IPv6 LPM routes rather than the supported scale. PR1366579

  • EX4300 might drop incoming IS-IS hello packets when IGMP or MLD snooping is configured. PR1400838

  • Sometimes, IGMP snooping might not work. As a workaround, restart multicast snooping process. PR1420921

Subscriber Access Management

  • EX4300 line of switches: /var shows full; the /var/log/dfcd_enc file grows in size. PR1420921

Resolved Issues: 18.3R1


  • On EVPN-VXLAN scenarios, a traffic black-hole condition might occur on interfaces that are down, but LACP is up. PR1343515

  • Proxy ARP might not work as expected in an EVPN environment. PR1368911

High Availability (HA) and Resiliency

  • The Backup Routing Engine might go to db prompt after configuration remove and restore is performed. PR1269383


  • Unable to provide management when the em0 interface of FPC is connected to another FPC Layer 2 interface of the same Virtual Chassis. PR1299385

  • Upgrade might fail and the file system might be corrupted if there are blocks in the flash/filesystem. PR1317628

  • PFC feature might not work on EX4600. PR1322439

  • Archiving dmesg file -/var/run/dmesg.boot. PR1327021

  • Enabling mac-move-limit stops ping on flexible-vlan-tagging enabled interface. PR1357742

  • Core files are generated when an attempt is made to commit the configuration. PR1376362

Interfaces and Chassis

  • On EX4300 Virtual Chassis platforms, the MAC address assigned to an aggregated Ethernet member interface is not the same as that of its parent aggregated Ethernet interface upon master Routing Engine halt. PR1333734

  • PoE device does not receive PoE power. PR1345234

  • Packets might drop on the ICL of an MC-LAG peer when MC-LAG is up. PR1345316

Layer 2 Features

  • The dcpfe/fxpc process might crash when you try to allocate large memory on Packet Forwarding Engines with low memory. PR1362332

Network Management and Monitoring

  • On EX4600 platforms, unsupported CLI configurations or show commands from the CFM hierarchy or sub-hierarchy are allowed. PR1359052

  • CFM: Even after toggling multiple times between baseline and CFM configurations, all 30 CFM sessions are not up. PR1360907

Platform and Infrastructure

  • The mismatch of VLAN IDs between a logical interface and VLAN configuration might result in a traffic black-hole condition. PR1259310

  • On an EX2300 or EX3400 the bridge ID 02:00:00:00:00:10 is assigned irrespective of base MAC addresses. PR1315633

  • Incorrect value of optical power is displayed. PR1326642

  • CoS is wrongly applied on Packet Forwarding Engine, leading to egress traffic drop. PR1329141

  • When exhausting TCAM table, the filter might be incorrectly programmed. PR1330148

  • The FXPC process might crash after adding or deleting a QinQ VLAN to an interface on EX2300/EX3400 platforms. PR1334850

  • The configured VOIP VLAN scenario does not work when the P-VLAN is configured as VOIP VLAN. PR1335600

  • The device might not learn source MAC addresses, which might be stuck in the Hit Pending state. PR1341518

  • MAC source address filter with accept-source-mac command does not work if MAC move limit is configured. PR1341520

  • On EX4300-MP platforms, the backup Linux cannot be installed first when both SSD partitions are corrupted. PR1342168

  • A firewall filter might not be programmed in the Packet Forwarding Engine even though TCAM entries are available. PR1345296

  • All the DHCP-Reply or DHCP-Offer packets might be discarded by DHCP snooping if DHCP snooping is not enabled on that VLAN. PR1345426

  • On MPC5, the inline-ka PPP echo requests are not transmitted when the anchor-point is lt-x/2/x or lt-x/3/x in pseudowire deployment. PR1345727

  • After an EX9200 FPC comes online, the CPU usage on other FPCs might be 100% and lead to traffic loss for nearly 30 seconds. PR1346949

  • On EX4300 and EX4600 switches, the VLAN translation feature does not work for the control-plane traffic. PR1348094

  • On EX4300 platforms, traffic drop might happen if LLC packets are received with DSAP and SSAP as 0x88 and 0x8e, respectively. PR1348618

  • Running RSI through console port might cause system crash and reboot. PR1349332

  • On EX2300 or EX3400 platforms, L2PT LACP MAC rewrite on a PE device sends duplicate BPDUs to the CE devices. PR1350329

  • The transit traffic for ECMP might not work after the EX2300 switch reboots. PR1351418

  • On EX4300 platforms (Virtual Chassis and standalone) running Junos OS Release 16.1 and later, a firewall filter with action then syslog is unable to send syslog messages to the syslog server. PR1351548

  • A high usage chassis alarm in the /var partition persists on the EX4300 Virtual Chassis when a file is copied from fpc1 (master) to fpc0 (backup). PR1354007

  • The ports using the SFP-T transceiver might continue to be up after system halt. PR1354857

  • A commit error is observed if the switch is downgraded from Junos OS Release 18.2 or Release 18.3 to Release 17.3R3. PR1355542

  • EX4300-48MP: When DAI and IPSG are configured for many VLANs in one go, DAI statistics for one interface show a garbage (very large) value. PR1355963

  • The FPC stops responding because of a memory leak caused by the VTEP traffic. PR1356279

  • On EX2300, EX3400, EX4300-MP platforms in a Virtual Chassis setup, dynamic ARP inspection (DAI) might fail after Virtual Chassis switchover when VSTP is enabled along with no-mac-table-binding. PR1359753

  • On EX2300, EX3400, EX4300-MP and EX2300-MP platforms used as transit switches, the routed traffic sent out of IRB interfaces uses an old MAC address instead of the configured MAC address for the IRB interface. PR1359816

  • On EX2300-MP platforms, a wrong fan count of four is shown, instead of three, in jnxFruName, jnxFilledDescr, and jnxContainersCount. PR1361025

  • On EX4300-48MP, the 802.1X protocol subsystem takes a long time to respond to management requests and the following error message is displayed: the dot1x-protocol subsystem is not responding to management requests. PR1361398

  • A nonexistent fan tray 1 is reported by chassisd on EX2300. PR1361696

  • On EX4300-MP switches, MACsec AES-GCM-128-XPN and AES-GCM-256-XPN cipher suites are not supported for mge ports. PR1362035

  • Unexpected DCD_PARSE_ERROR_SCHEDULER messages are logged when MS-MPC/MS-MIC is brought offline/online. PR1362734

  • Some interfaces cannot be added under the MSTP configuration. PR1363625

  • On EX4300 or EX4600 platforms, the l2ald process might crash in an 802.1X scenario. PR1363964

  • On EX2300 switches, the show filter hardware summary command displays incomplete output. PR1364930

  • EX3400 l2cpd crashes when configuring MVRP with Private VLAN and RSTP interface all. PR1365937

  • The Packet Forwarding Engine might crash if it encounters frequent MAC moves. PR1367141

  • Issuing the request system zeroize command through noninteractive SSH might not erase the configuration on an EX4300. PR1368452

  • Unicast ARP packet loop might be observed in a DAI scenario. PR1370607

  • NTP broadcast packets are not forwarded out on L2 ports. PR1371035

  • On EX4300 platform with LLDP enabled, LLDP advertisement with incorrect auto-negotiation values might be sent. PR1372966

  • BOOTP packets may be dropped if BOOTP-support is not enabled at the global level. PR1373807

  • The port access list group does not reallocate TCAM slices properly. PR1375022

  • EX4300-48MP: Syslog error "Error in bcm_port_sample_rate_set(ifl_cmd) : Reason Invalid port". PR1376504

Documentation Updates

There are no errata or changes in Junos OS Release 18.3R3 documentation for the EX Series switches.

Migration, Upgrade, and Downgrade Instructions

This section contains the upgrade and downgrade support policy for Junos OS for the EX Series. Upgrading or downgrading Junos OS can take several hours, depending on the size and configuration of the network. For information about software installation and upgrade, see the Installation and Upgrade Guide.

Upgrade and Downgrade Support Policy for Junos OS Releases

Support for upgrades and downgrades that span more than three Junos OS releases at a time is not provided, except for releases that are designated as Extended End-of-Life (EEOL) releases. EEOL releases provide direct upgrade and downgrade paths—you can upgrade directly from one EEOL release to the next EEOL release even though EEOL releases generally occur in increments beyond three releases.

You can upgrade or downgrade to the EEOL release that occurs directly before or after the currently installed EEOL release, or to two EEOL releases before or after. For example, Junos OS Releases 17.1, 17.2 and 17.3 are EEOL releases. You can upgrade from Junos OS Release 17.1 to Release 17.2 or from Junos OS Release 17.1 to Release 17.3.

You cannot upgrade directly from a non-EEOL release to a release that is more than three releases ahead or behind. To upgrade or downgrade from a non-EEOL release to a release more than three releases before or after, first upgrade to the next EEOL release and then upgrade or downgrade from that EEOL release to your target release.

For more information about EEOL releases and to review a list of EEOL releases, see

Product Compatibility

Hardware Compatibility

To obtain information about the components that are supported on the devices, and the special compatibility guidelines with the release, see the Hardware Guide for the product.

To determine the features supported on EX Series switches in this release, use the Juniper Networks Feature Explorer, a Web-based application that helps you to explore and compare Junos OS feature information to find the right software release and hardware platform for your network. Find Feature Explorer at

Hardware Compatibility Tool

For a hardware compatibility matrix for optical interfaces and transceivers supported across all platforms, see the Hardware Compatibility tool.

Release History Table
Starting in Junos OS Release 18.3R1, OpenConfig and Network Agent packages are bundled into the Junos OS image by default. Both packages support the Junos Telemetry Interface (JTI).