Junos OS Release Notes for EX Series

 

These release notes accompany Junos OS Release 20.2R3 for the EX Series. They describe new and changed features, limitations, and known and resolved problems in the hardware and software.

You can also find these release notes on the Juniper Networks Junos OS Documentation webpage, located at https://www.juniper.net/documentation/product/en_US/junos-os.

What's New

Learn about new features introduced in this release for EX Series switches.

Note

The following EX Series switches are supported in Release 20.2R3: EX2300, EX2300-C, EX3400, EX4300, EX4600, EX4650, EX9200, EX9204, EX9208, EX9214, EX9251, and EX9253.

What’s New in Release 20.2R3

There are no new features or enhancements to existing features for EX Series switches in Junos OS Release 20.2R3.

What’s New in Release 20.2R2

There are no new features or enhancements to existing features for EX Series switches in Junos OS Release 20.2R2.

What’s New in Release 20.2R1-S1

Software Installation and Upgrade

  • Zero touch provisioning (ZTP) with IPv6 support (EX3400, EX4300, QFX5100 and QFX5200 switches, MX-Series routers)—Starting in Junos OS Release 20.2R1-S1, ZTP supports the DHCPv6 client. During the bootstrap process, the device first uses the DHCPv4 client to request information about the image and configuration file from the DHCP server. The device checks the DHCPv4 bindings sequentially. If one of the DHCPv4 bindings fails, the device continues to check the remaining bindings until provisioning is successful. If there are no DHCPv4 bindings, however, the device checks for DHCPv6 bindings and follows the same process as for DHCPv4 until the device can be provisioned successfully. Both DHCPv4 and DHCPv6 clients are included as part of the default configuration on the device.

    The DHCP server uses DHCPv6 options 59 and 17 and applicable suboptions to exchange ZTP-related information between itself and the DHCP client.

    Note

    Only HTTP and HTTPS transport protocols are supported on EX3400, EX4300, QFX5100, and QFX5200 devices.

    [See Zero Touch Provisioning.]

What’s New in Release 20.2R1

Authentication, Authorization, and Accounting

  • Retain the authentication session based on DHCP or SLAAC snooping entries (EX2300, EX3400, and EX4300)—Starting in Junos OS Release 20.2R1, you can configure the authenticator to check for a DHCP, DHCPv6, or SLAAC snooping entry before terminating the authentication session when the MAC address ages out. If a snooping entry is present, the authentication session for the end device with that MAC address remains active. This ensures that the end device will be reachable even if the MAC address ages out.

    [See Authentication Session Timeouts.]

EVPN

  • 802.1X authentication with EVPN-VXLAN (EX4300-48MP and EX4300-48MP Virtual Chassis)—Starting in Junos OS Release 20.2R1, EX4300-48MP switches that act as access switches can use 802.1X authentication to protect an EVPN-VXLAN network from unauthorized end devices. EX4300-48MP switches support the following 802.1X authentication features on access and trunk ports:

    • Access ports: single, single-secure, and multiple supplicant modes

    • Trunk ports: single and single-secure supplicant modes

    • Guest VLAN

    • Server fail

    • Server reject

    • Dynamic VLAN

    • Dynamic firewall filters

    • RADIUS accounting

    • Port bounce with Change of Authorization (CoA) requests

    • MAC RADIUS client authentication

    • Central Web Authentication (CWA) with redirect URL

    • Captive portal client authentication

    • Flexible authentication with fallback scenarios

    [See 802.1X Authentication.]

  • Support for firewall filtering on EVPN-VXLAN traffic (EX4300-MP)—Starting with Junos OS Release 20.2R1, you can configure firewall filters and policers on the VXLAN traffic in an EVPN network (EVPN-VXLAN traffic). You set the rules that the device uses to accept or discard packets by defining the terms for a firewall filter. For filters that you would apply to a port or VLAN, configure firewall filters at the [edit firewall family ethernet-switching] hierarchy level. For filters that you would apply to an IRB interface, configure firewall filters at the [edit firewall family inet] hierarchy level. After a firewall filter is defined, you can then apply it at an interface.

    [See Firewall Filtering and Policing Support for EVPN-VXLAN.]

  • Noncolored SR-TE LSPs with EVPN-MPLS (ACX5448, EX9200, MX Series, and vMX)—Starting in Junos OS Release 20.2R1, ACX5448, EX9200, MX Series, and vMX routers support noncolored static segment routing-traffic engineered (SR-TE) label-switched paths (LSPs) with an EVPN-MPLS core network and the following Layer 2 services running at the edges of the network:

    • E-LAN

    • EVPN-ETREE

    • EVPN-VPWS with E-Line

    Without color, all LSPs resolve using a BGP next hop only.

    The Juniper Networks routers support noncolored SR-TE LSPs in an EVPN-MPLS core network with the following configurations:

    • EVPN running in a virtual switch routing instance

    • Multihoming in active/active and active/standby modes

    The Juniper Networks routers also support noncolored SR-TE LSPs when functioning as a Data Center Interconnect (DCI) device that handles EVPN Type 5 routes.

    [See Static Segment Routing Label Switched Path.]

  • MAC filtering, storm control, and port mirroring support in EVPN-VXLAN overlay networks (EX4300-48MP)—Starting with Junos OS Release 20.2R1, EX4300-48MP switches support the following features in an EVPN-VXLAN overlay network:

    • MAC filtering

    • Storm control

    • Port mirroring and analyzers

    [See MAC Filtering, Storm Control, and Port Mirroring Support in an EVPN-VXLAN Environment.]

  • Layer 2 and 3 families, encapsulation types, and VXLAN on the same physical interface (EX4600)—Starting in Junos OS Release 20.2R1, you can configure and successfully commit the following on a physical interface of an EX4600 switch in an EVPN-VXLAN environment:

    • Layer 2 bridging (family ethernet-switching) on any logical interface unit number (unit 0 and any nonzero unit number).

    • VXLAN on any logical interface unit number (unit 0 and any nonzero unit number).

    • Layer 2 bridging (family ethernet-switching and encapsulation vlan-bridge) on different logical interfaces (unit 0 and any nonzero unit number).

    • Layer 3 IPv4 routing (family inet) and VXLAN on different logical interfaces (unit 0 and any nonzero unit number).

    For these configurations to be successfully committed and work properly, you must specify the encapsulation flexible-ethernet-services configuration statement at the physical interface level—for example, set interfaces xe-0/0/5 encapsulation flexible-ethernet-services.

    [See Understanding Flexible Ethernet Services Support With EVPN-VXLAN.]

High Availability (HA) and Resiliency

  • Support for failover configuration synchronization for the ephemeral database (EX Series, MX Series, MX Series Virtual Chassis, PTX Series, and QFX Series)—Starting in Junos OS Release 20.2R1, when you configure the commit synchronize statement at the [edit system] hierarchy level in the static configuration database of an MX Series Virtual Chassis or dual Routing Engine device, the backup Routing Engine will synchronize both the static and ephemeral configuration databases when it synchronizes its configuration with the master Routing Engine. This happens, for example, when a backup Routing Engine is newly inserted, comes back online, or changes roles. On a dual Routing Engine system, the backup Routing Engine synchronizes both configuration databases with the master Routing Engine. In an MX Series Virtual Chassis, the master Routing Engine on the protocol backup synchronizes both configuration databases with the master Routing Engine on the protocol master.

    [See Understanding the Ephemeral Configuration Database.]

Juniper Extension Toolkit (JET)

  • Python 3 support for JET (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—Starting in Junos OS Release 20.2R1, Junos OS can use Python 3 to execute JET scripts. To enable unsigned JET Python applications that support Python 3 to run on devices running Junos OS, use the set system scripts language python3 command.

    [See language (Scripts), Develop Off-Device JET Applications, and Develop On-Device JET Applications.]

Junos OS XML, API, and Scripting

  • Support for Rest API (EX2300, EX2300-MP, EX3400, EX4300, EX4300-MP, EX4600, EX4650, and EX9200)—Starting in Release 20.2R1, Junos OS supports the REST API on EX2300, EX2300-MP, EX3400, EX4300, EX4300-MP, EX4600, EX4650, and EX9200 switches. The REST API enables you to securely connect to the Junos OS devices, execute remote procedure calls (RPC) commands, use REST API explorer GUI to conveniently experiment with any of the REST APIs, and use a variety of formatting and display options including JavaScript Object Notation (JSON).

    [See REST API Guide.]

Junos Telemetry Interface

  • Network instance (policy) statistics and OpenConfig configuration enhancements on JTI (ACX1100, ACX2100, ACX5448, ACX6360, EX4300, MX240, MX480, MX960, MX10003, PTX10008, PTX10016, QFX5110, and QFX10002)—Junos OS Release 20.2R1 provides enhancements to support the OpenConfig data models openconfig-local-routing.yang and openconfig-network-instance.yang.

    [See Mapping OpenConfig Routing Policy Commands to Junos Configuration and Mapping OpenConfig Network Instance Commands to Junos Operation.]

  • Support for OpenConfig configuration model version 4.0.1 for BGP with JTI (EX2300, EX3400, EX4300, EX4600, and EX9200)— Junos OS Release 20.2R1 provides support for the OpenConfig version 4.0.1 data models openconfig-bgp-neighbor.yang and openconfig-bgp-policy.yang using Junos telemetry interface (JTI) and remote procedure call (gRPC) services. Using JTI and gRPC services, you can stream telemetry statistics to an outside collector.

    The following major resource paths are supported with gRPC and JTI:

    • /network-instances/network-instance/protocols/protocol/bgp/global/

    • /network-instances/network-instance/protocols/protocol/bgp/global/afi-safis/afi-safi/

    • /network-instances/network-instance/protocols/protocol/bgp/neighbors/neighbor/

    • /network-instances/network-instance/protocols/protocol/bgp/peer-groups/peer-group/

    [See Guidelines for gRPC and gNMI Sensors (Junos Telemetry Interface) and OpenConfig Data Model Version.]

  • Support for OpenConfig configuration model version 1.0.0 for local routing with JTI (EX2300, EX3400, EX4300, EX4600, and EX9200)— Junos OS Release 20.2R1 provides support for the OpenConfig version 1.0.0 data model openconfig-local-routing.yang using Junos telemetry interface (JTI) and remote procedure call (gRPC) services. Using JTI and gRPC services, you can stream telemetry statistics to an outside collector.

    The following major resource paths are supported with gRPC and JTI:

    • /local-routes/static-routes/static/

    • /local-routes/local-aggregates/aggregate/

    [See Guidelines for gRPC and gNMI Sensors (Junos Telemetry Interface) and OpenConfig Data Model Version.]

  • Packet Forwarding Engine and Routing Engine sensor support with JTI (EX2300, EX2300-MP, and EX3400)—Starting in Junos OS Release 20.2R1, you can use Junos telemetry interface (JTI) with remote procedure call (gRPC) services to export Packet Forwarding Engine statistics and Routing Engine statistics from EX2300, EX2300-MP, and EX3400 switches to an outside collector. These statistics can also be exported through UDP (native) sensors.

    Supported Packet Forwarding Engine sensors are:

    • Sensor for CPU (ukernel) memory (resource path /junos/system/linecard/cpu/memory/)

    • Sensor for firewall filter statistics (resource path /junos/system/linecard/firewall/)

    • Sensor for physical interface traffic (resource path /junos/system/linecard/interface/)

    • Sensor for logical interface traffic (resource path /junos/system/linecard/interface/logical/usage/). Not supported on EX2300 or 2300-MP switches.

    • Sensor for software-polled queue-monitoring statistics (resource path /junos/system/linecard/qmon-sw/). Not supported on EX2300 or 2300-MP switches.

    Supported Routing Engine sensors are:

    • Sensor for LACP state export (resource path /lacp/)

    • Sensor for chassis environmentals export (resource path /junos/system/components/component/)

    • Sensor for chassis components export (resource path /components/)

    • Sensor for LLDP statistics export (resource path /lldp/interfaces/interface[name='name']/)

    • Sensor for BGP peer information export (resource path /network-instances/network-instance/protocols/protocol/bgp/). Not supported on EX2300 or 2300-MP switches.

    • Sensor for RPD task memory utilization export (resource path /junos/task-memory-information/)

    • Sensor for network discovery ARP table state (resource path /arp-information/)

    • Sensor for network discovery NDP table state (resource path /nd6-information/)

    [See Understanding OpenConfig and gRPC and gNMI on Junos Telemetry Interface, sensor (Junos Telemetry Interface), and Guidelines for gRPC and gNMI Sensors (Junos Telemetry Interface).]

Layer 2 Features

  • L2PT support (EX4650 and QFX5120-48Y switches, and QFX5100 and QFX5110 switches and Virtual Chassis)—Starting in Junos OS Release 20.2R1, you can configure Layer 2 protocol tunneling (L2PT) to tunnel any of the following Layer 2 protocols: CDP, E-LMI, GVRP, IEEE 802.1X, IEEE 802.3AH, LACP, LLDP, MMRP, MVRP, STP (including RSTP and MSTP), UDLD, VSTP, and VTP.

    [See Layer 2 Protocol Tunneling.]

Multicast

  • Static multicast route leaking for VRF and virtual router instances (EX4650 and QFX5120-48Y)—Starting with Junos OS Release 20.2R1, you can configure the switch to statically share (leak) IPv4 multicast routes for IGMPv3 (S,G) traffic among different virtual router or virtual routing and forwarding (VRF) instances. You can only leak static multicast routes per group, not per source and group. The destination prefix length must be 32.

    To configure multicast route leaking to the VRF or virtual router instance routing-instance-name, configure the next-table routing-instance-name.inet.0 statement at the [edit routing-instances routing-instance-name routing-options static route destination-prefix/32] hierarchy level.

    [See Understanding Multicast Route Leaking for VRF and Virtual Router Instances.]

  • Multicast-only fast reroute (MoFRR) (EX4650 and QFX5120-48Y)—Starting in Junos OS Release 20.2R1, you can configure MoFRR to minimize multicast packet loss in PIM domains when link failures occur. With MoFRR enabled, the switch maintains primary and backup traffic paths, forwarding traffic from the primary path and dropping traffic from the backup path. If the primary path fails, the switch can quickly start forwarding the backup path stream (which becomes the primary path). The switch creates a new backup path if it detects available alternative paths. MoFRR applies to all multicast (S,G) streams by default, or you can configure a policy for the (S,G) entries where you want MoFRR to apply.

    [See Understanding Multicast-Only Fast Reroute.]

Network Management and Monitoring

  • Python 3 support for YANG scripts (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—Starting in Junos OS Release 20.2R1, Junos OS uses Python 3 to execute YANG action and translation scripts that are written in Python. Junos OS does not support using Python 2.7 to execute YANG Python scripts as of this release.

    [See Understanding Python Automation Scripts for Devices Running Junos OS.]

  • NETCONF sessions over outbound HTTPS (EX Series, MX Series, PTX1000, PTX3000, PTX5000, PTX10001, PTX10002, PTX10008, PTX10016, QFX Series, SRX1500, SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, SRX5800, and vSRX)—Starting in Junos OS Release 20.2R1, the Junos OS with upgraded FreeBSD software image includes a Juniper Extension Toolkit (JET) application that supports establishing a NETCONF session using outbound HTTPS. The JET application establishes a persistent HTTPS connection with a gRPC server over a TLS-encrypted gRPC session and authenticates the NETCONF client using an X.509 digital certificate. A NETCONF session over outbound HTTPS enables you to remotely manage devices that might not be accessible through other protocols, for example, if the device is behind a firewall.

    [See NETCONF Sessions over Outbound HTTPS.]

Routing Policy and Firewall Filters

  • Support for MPLS firewall filter on loopback interface (EX4650, QFX5120-32C, and QFX5120-48Y)—Starting with Junos OS Release 20.2R1, you can apply an MPLS firewall filter to a loopback interface on a Label switching router (LSR). For example, you can configure an MPLS packet with ttl=1 along with MPLS qualifiers such as label, exp, and Layer 4 tcp/udp port numbers. Supported actions include accept, discard, and count.

    You configure this feature at the [edit firewall family mpls] hierarchy level. You can apply loopback filters on family mpls only in the ingress direction.

    [See Overview of MPLS Firewall Filters on Loopback Interface.]

Routing Protocols

  • Support for Layer 2 circuit, Layer 2 VPN, and VPLS services with BGP labeled unicast (MX Series, EX9204, EX9208, EX9214, EX9251, and EX9253 devices)—Starting with Junos OS Release 20.2R1, MX Series, EX9204, EX9208, EX9214, EX9251, and EX9253 devices support BGP PIC Edge protection for Layer 2 circuit, Layer 2 VPN, and VPLS (BGP VPLS, LDP VPLS and FEC 129 VPLS) services with BGP labeled unicast as the transport protocol. BGP PIC Edge using the BGP labeled unicast transport protocol helps to protect against traffic failures over border nodes (ABR and ASBR) in multi-domain networks. Multi-domain networks are typically used in metro-aggregation and mobile backhaul network designs.

    A prerequisite for BGP PIC Edge protection is to program the Packet Forwarding Engine (PFE) with expanded next-hop hierarchy.

    To enable BGP PIC Edge protection, use the following CLI configuration statements:

    • Expand next-hop hierarchy for BGP labeled unicast family:

    • BGP PIC for MPLS load balance nexthops:

    • Fast convergence for Layer 2 circuit and LDP VPLS:

    • Fast convergence for Layer 2 VPN, BGP VPLS, and FEC129:

    [See Load Balancing for a BGP Session.]

What's Changed

Learn about what changed in this release for EX Series Switches.

What’s Changed in Release 20.2R3

Junos OS XML API and Scripting

  • The jcs:invoke() function supports suppression of root login and logout events in system log files for SLAX commit scripts (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—The jcs:invoke() extension function supports the no-login-logout parameter in SLAX commit scripts. If you include the parameter, the function does not generate and log UI_LOGIN_EVENT and UI_LOGOUT_EVENT messages when the script logs in as root to execute the specified RPC. If you omit the parameter, the function behaves as in earlier releases in which the root UI_LOGIN_EVENT and UI_LOGOUT_EVENT messages are included in system log files.

    [See invoke() Function (SLAX and XSLT).]

  • The jcs:invoke() function supports suppression of root login and logout events in system log files for SLAX event scripts (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—The jcs:invoke() extension function supports the no-login-logout parameter in SLAX event scripts. If you include the parameter, the function does not generate and log UI_LOGIN_EVENT and UI_LOGOUT_EVENT messages when the script logs in as root to execute the specified RPC. If you omit the parameter, the function behaves as in earlier releases in which the root UI_LOGIN_EVENT and UI_LOGOUT_EVENT messages are included in system log files.

    [See invoke() Function (SLAX and XSLT).]

Network Management and Monitoring

  • Support for specifying the YANG modules to advertise in the NETCONF capabilities and supported schema list (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—You can configure devices to emit third-party, standard, and Junos OS native YANG modules in the capabilities exchange of a NETCONF session by configuring the appropriate statements at the [edit system services netconf hello-message yang-module-capabilities] hierarchy level. In addition, you can specify the YANG schemas that the NETCONF server should include in its list of supported schemas by configuring the appropriate statements at the [edit system services netconf netconf-monitoring netconf-state-schemas] hierarchy level.

    [See hello-message.]

    [See netconf-monitoring.]

  • Changes to <commit> RPC responses in RFC-compliant NETCONF sessions (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—When you configure the rfc-compliant statement at the [edit system services netconf] hierarchy level, the NETCONF server's response for <commit> operations includes the following changes:

    • If a successful <commit> operation returns a response with one or more warnings, the warnings are redirected to the system log file, in addition to being omitted from the response.

    • The NETCONF server response emits the <source-daemon> element as a child of the <error-info> element instead of the <rpc-error> element.

    • If you also configure the flatten-commit-results statement at the [edit system services netconf] hierarchy level, the NETCONF server suppresses any <commit-results> XML subtree in the response and emits only an <ok> or <rpc-error> element.

    [See Configuring RFC-Compliant NETCONF Sessions.]
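A client that reads <commit> replies has to cope with both layouts described above. The following is an added example, not Juniper code: the helper names are hypothetical, and the sample replies are constructed from the description rather than captured from a device, so real replies carry more elements.

```python
import xml.etree.ElementTree as ET

# Constructed sample replies; "dcd" and the messages are illustrative values.
NS = 'xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"'

# Earlier layout: <source-daemon> is a direct child of <rpc-error>.
LEGACY_ERROR = f"""<rpc-reply {NS}>
  <commit-results>
    <rpc-error>
      <error-severity>error</error-severity>
      <source-daemon>dcd</source-daemon>
      <error-message>constructed sample failure</error-message>
    </rpc-error>
  </commit-results>
</rpc-reply>"""

# Earlier layout: a successful commit that still carries a warning.
LEGACY_WARNING = f"""<rpc-reply {NS}>
  <commit-results>
    <rpc-error>
      <error-severity>warning</error-severity>
      <source-daemon>dcd</source-daemon>
      <error-message>constructed sample warning</error-message>
    </rpc-error>
  </commit-results>
</rpc-reply>"""

# rfc-compliant plus flatten-commit-results: no <commit-results> subtree,
# and <source-daemon> sits under <error-info>.
RFC_ERROR = f"""<rpc-reply {NS}>
  <rpc-error>
    <error-severity>error</error-severity>
    <error-message>constructed sample failure</error-message>
    <error-info>
      <source-daemon>dcd</source-daemon>
    </error-info>
  </rpc-error>
</rpc-reply>"""

RFC_OK = f"<rpc-reply {NS}><ok/></rpc-reply>"


def _local(tag):
    """Return the element name without its XML namespace."""
    return tag.rsplit("}", 1)[-1]


def _child(elem, name):
    """First direct child with the given local name, or None."""
    for c in elem:
        if _local(c.tag) == name:
            return c
    return None


def _text(elem, name):
    """Stripped text of a direct child, or None if absent or empty."""
    c = _child(elem, name)
    return c.text.strip() if c is not None and c.text else None


def parse_commit_reply(xml_text):
    """Summarise a <commit> reply in either layout."""
    root = ET.fromstring(xml_text)
    seen = {_local(e.tag) for e in root.iter()}
    errors, warnings = [], []
    for err in root.iter():
        if _local(err.tag) != "rpc-error":
            continue
        info = _child(err, "error-info")
        daemon, parent = None, None
        if info is not None and _text(info, "source-daemon"):
            daemon, parent = _text(info, "source-daemon"), "error-info"
        elif _text(err, "source-daemon"):
            daemon, parent = _text(err, "source-daemon"), "rpc-error"
        entry = {
            "severity": _text(err, "error-severity"),
            "message": _text(err, "error-message"),
            "source_daemon": daemon,
            "daemon_parent": parent,
        }
        # A missing or unknown severity is treated as an error (fail closed).
        (warnings if entry["severity"] == "warning" else errors).append(entry)
    return {
        # Success needs a positive signal and no errors; an empty reply fails.
        "committed": not errors and bool(seen & {"ok", "commit-results"}),
        "errors": errors,
        "warnings": warnings,
        "has_commit_results": "commit-results" in seen,
    }


if __name__ == "__main__":
    for name in ("LEGACY_ERROR", "LEGACY_WARNING", "RFC_ERROR", "RFC_OK"):
        print(name, parse_commit_reply(globals()[name]))
```

In an RFC-compliant session an empty warnings list does not mean the commit produced no warnings, because they are redirected to the system log file; audit tooling that depends on them has to collect that log as well.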

User Interface and Configuration

  • Verbose format option to export JSON configuration data (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—The Junos OS CLI exposes the verbose statement at the [edit system export-format json] hierarchy level. We changed the default format to export configuration data in JSON from verbose to ietf starting in Junos OS Release 16.1R1. You can explicitly specify the default export format for JSON configuration data by configuring the appropriate statement at the [edit system export-format json] hierarchy level. Although the verbose statement is exposed in the Junos OS CLI as of the current release, you can configure this statement starting in Junos OS Release 16.1R1.

    [See export-format.]

What’s Changed in Release 20.2R2

General Routing

  • IPv6 address in the prefix TIEs displayed correctly—The IPv6 address in the prefix TIEs is displayed correctly in the show rift tie output.

Routing Protocols

  • Advertising /32 secondary loopback addresses to traffic engineering database as prefixes (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—We've made changes to export multiple loopback addresses to the lsdist.0 and lsdist.1 routing tables as prefixes. This eliminates the issue of advertising secondary loopback addresses as router IDs instead of prefixes. In earlier releases, multiple secondary loopback addresses in the traffic engineering database were added to the lsdist.0 and lsdist.1 routing tables as part of node characteristics and advertised as router IDs.

What’s Changed in Release 20.2R1

General Routing

  • Support for full inheritance paths of configuration groups to be built into the database by default (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—Starting with Junos OS Release 20.2R1, the persist-groups-inheritance option at the [edit system commit] hierarchy level is enabled by default. To disable this option, use no-persist-groups-inheritance.

    [See commit (System).]

  • Command to view summary information for resource monitor (EX9200 line of switches and MX Series)—You can use the show system resource-monitor command to view statistics about the use of memory resources for all line cards or for a specific line card in the device. The command also displays information about the status of load throttling, which manages how much memory is used before the device acts to reduce consumption.

    [See show system resource-monitor and Resource Monitoring for Subscriber Management and Services.]

Juniper Extension Toolkit (JET)

  • PASS keyword required for Python 3 JET applications (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—If you are writing a JET application using Python 3, include the PASS keyword in the Exception block of the script. Otherwise, the application throws an exception when you attempt to run it.

    [See Develop Off-Device JET Applications and Develop On-Device JET Applications.]

  • Updates to IDL for RIB service API bandwidth field (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—The IDL for the RouteGateway RIB service API has been updated to document additional rules for the bandwidth field. You must set bandwidth only if a next hop has more than one gateway, and if you set it for one gateway on a next hop, you must set it for all gateways. If you set bandwidth when there is only a single usable gateway, it is ignored. If you set bandwidth for one or more gateways but not all gateways on a next hop, you see the error code BANDWIDTH_USAGE_INVALID.

    [See Juniper EngNet.]

Network Management and Monitoring

  • Junos OS only supports using Python 3 to execute YANG Python scripts (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—Starting in Junos OS Release 20.2R1, Junos OS uses Python 3 to execute YANG action and translation scripts that are written in Python. In earlier releases, Junos OS uses Python 2.7 to execute these scripts.

    [See Understanding Python Automation Scripts for Devices Running Junos OS.]

Known Limitations

Learn about known limitations in this release for EX Series. For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

EVPN

  • When only one link is present between the leaf devices, it goes down, resulting in traffic drop. PR1480847

  • InterVNI multicast is not supported in EVPN-VXLAN edge routing model on EX4650. PR1517082

General Routing

  • Junos OS might hang trying to acquire the SMP IPI lock while rebooting when it is running as a VM on Linux and QEMU hypervisor. As a workaround, you can power cycle the device. PR1385970

  • The interfaces on certain EX9251 line of switches might get stuck in a down state, if the remote interface sends invalid code to the local interface. Link might not come up even after the remote peer has begun sending a good signal. The "Failed to complete DFE tuning" syslog might appear. This syslog message has no functional impact. PR1473280

  • On all Junos OS platforms, in a QinQ environment, if xSTP is enabled on an interface that has a logical interface with vlan-id-list configured, xSTP runs only on those logical interfaces whose vlan-id range includes the configured native-vlan-id, and all other logical interfaces remain in the discarding state. This might lead to traffic drop. PR1532992

Infrastructure

  • Depending on the actual traffic pattern and the order in which the MACs are learned, the actual MAC DB scale may vary. This is due to the way the MACs are internally stored in the hardware. PR1485319

  • On EX-4300MP, 9000 IPv6 MC routes can be installed. If you try to add more IPv6 MC routes, error messages will be seen. PR1493671

  • EX4650 ASIC uses a static hashing and RTAG7 hash algorithm that might be alike on each chipset. Hence, we recommend that you fine-tune hash parameters based on the traffic profile used when deviation in load balance is observed. On TD3 chipset based platforms, the following configuration is required to fine-tune hashing deviation; 1. set forwarding-options enhanced-hash-key hash-parameters ecmp offset 29. 2. set forwarding-options enhanced-hash-key hash-parameters ecmp preprocess. PR1516883

Layer 2 Ethernet Services

  • Sometimes image upgrade through ZTP might fail because of the insufficient space on EX3400. For information on how to free up the space see KB31198. PR1515013

Open Issues

Learn about open issues in Junos OS Release 20.2R3 for EX Series switches. For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

General Routing

  • On the MX204 and MX10003 routers, the following garbage value on syslog messages from the craftd daemon is observed: craftd[xxxx]: fatal error, failed to open smb device: JÎÈ. PR1359929

  • When VLAN is added as an action for changing the VLAN in both ingress and egress filters, the filter is not installed. PR1362609

  • On EX2300, when watchdog is induced, the last reboot reason is shown as Swizzle Reboot. PR1369924

  • On an EX9208 switch, a few xe- interfaces go down with the error message if_msg_ifd_cmd_tlv_decode ifd xe-0/0/0 #190 down with ASIC Error. PR1377840

  • On EX4300-48MP, EX2300-24T, and EX4650 platforms, either unicast RPF in strict mode or ICMP redirect does not work properly. PR1417546

  • On the EX9214 device, if the MACsec-enabled link flaps after reboot, the error errorlib_set_error_log(): err_id(-1718026239) is observed. PR1448368

  • On Junos OS platforms with next generation Routing Engine installed, the vehostd process might crash without generating a core file and automatic restart might fail. PR1448413

  • In overall commit time, the evaluation of mustd constraints is taking two seconds more than usual. This is because the persist-group-inheritance feature has been made a default feature in the latest Junos OS releases. Eventually, this feature helps improve the subsequent commit times for scaled configurations significantly. The persist-group-inheritance feature is useful in customer scenarios where groups and nested groups are used extensively. In those scenarios, the group inheritance paths are not built every time, thus subsequent commits are faster. PR1457939

  • EX2300-48MP Virtual Chassis is rebooted silently and randomly without generating a core file. Syslogs and console logs are not generated before rebooting the switch, because the reboot reason is shown as a normal reboot. PR1463583

  • On EX4300 switches, when packets entering a port exceed a size of 144 bytes, they might get dropped in a few cases. PR1464365

  • On EX4650 platform, after using force reboot, the output of CLI command 'show version' might show the model as QFX5120-48y-8c and after committing the http services, J-Web of the device might be inaccessible due to model issue. PR1480252

  • On BCM Packet Forwarding Engine-based EX Series platforms, a frame larger than MTU+4 and smaller than MTU+8 bytes with an invalid FCS, code error, or IEEE length check error is treated as a jabber frame. PR1487709

  • On EX Series platforms using chipset with SFP+ implemented, interface on the platforms might be in active status when TX or RX connector is removed. As a result, traffic might drop. PR1495564

  • An SNMP POE MIB walk produces either no results or sometimes results from the master Virtual Chassis whenever the Virtual Chassis is renamed as one. PR1503985

  • On the EX4300-48MP device, the reboot time, FPC uptime, and interface uptime are degraded by 20 percent when compared with Junos OS Releases 19.1R3, 19.2R2, and 19.4R2. PR1514364

  • Traffic is not load-balanced by EX4300-48MP and EX4300-VC over ESI links with evpn_vxlan configured. PR1550305

  • On the EX4300 device, script fails while committing the IPsec authentication configuration due to the missing algorithm statement. PR1557216

  • When dot1x server-fail-voip vlan-name is configured, ensure that both server-fail-voip vlan-name and voip vlan are configured using vlan name and not by using vlan-id. PR1561323

  • On EX4600 platform, internal comment 'Placeholder for QFX platform config' might be seen on show config output. PR1567037

Infrastructure

  • On EX Series switches except EX4300/EX4600/EX9200, when an interface is configured for a single VLAN or multiple VLANs and all of these VLANs have igmp-snooping enabled, the interface drops Hot Standby Router Protocol for IPv6 (HSRPv2) packets. If some of the VLANs do not have igmp-snooping enabled, the interface works fine. PR1232403

  • On EX Series switches, if you configure a large number of firewall filters on some interfaces, the FPC might crash and generate core files. PR1434927

  • IFDE: Null uint32 set vector, ifd and IFFPC: 'IFD Ether uint32 set' (opcode 151) error message is observed continuously in AD with base configurations. PR1485038

  • Power loss during software install can leave artifacts that consume space. These need to be included in package cleanup procedure. PR1544222

Interfaces and Chassis

  • After GRES, the VSTP port cost on aggregated Ethernet interfaces might get changed, leading to a topology change. PR1174213

Layer 2 Features

  • GARPs were being sent whenever there was a MAC (fdb) operation (add or delete). This is now updated to send GARP when the interface is up and Layer 3 interface is attached to the VLAN. PR1192520

Layer 2 Ethernet Services

  • If forward-only is set within dhcp-reply in a Juniper Networks device as a DHCP relay agent, the DHCP DECLINE packets that are broadcasted from the DHCP client are dropped and not forwarded to the DHCP server. PR1429456

  • OSPF and OSPF3 adjacency uptime is more than expected after an NSSU upgrade, and the outage is higher than expected. PR1551925

Platform and Infrastructure

  • On the EX9208 device, 33 percent degradation with MAC learning rate is observed in Junos OS Release 19.3R1 compared to Junos OS Release 18.4R1. PR1450729

  • On EX4300 platforms configured with ERP, after multiple devices reboot/restart at the same time, ERP might not revert back to the IDLE state. This issue might be seen in situations where the ERP node-id is not configured manually and after the restart, the default node-id (switch base MAC address) might get reset to 00:00:00:00:00:00, effectively causing multiple devices to have the same node-id. PR1461434

  • The pfex_junos process generates a core file at 0x01847994 in pfeman_watchdog (arg=<optimized out>) at ../../../../src/pfe/common/applications/pfeman/pfeman_rt_pfex.c:1411. PR1535178

  • Upgrading satellite devices might lead to some SDs in SyncWait state. Cascade port flap not causing the issue. PR1556850

  • "Last flapped" timestamp for interface fxp0 gets reset every time "monitor traffic interface fxp0" is executed. PR1564323

  • On all EX9200 platforms with EVPN-VXLAN configured, a next-hop memory leak in the MX Series ASIC happens whenever there is a route churn for remote MAC-IP entries learned bound to the IRB interface in an EVPN-VXLAN routing instance. When the ASIC's next-hop memory partition is exhausted, the FPC might reboot. PR1571439

Routing Protocols

  • Verifying loader only uses ECDSA256+SHA256 for integrity checks but does not say so. PR1504211

Resolved Issues

Learn which issues were resolved in Junos OS main and maintenance releases for EX Series.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Resolved Issues: 20.2R3

General Routing

  • IRB MAC will not be programmed in hardware when MAC persistence timer expires. PR1484440

  • While verifying the last-change op-state value through XML, the rpc-reply message is inappropriate. PR1492449

  • The mge interface might still stay up while the far end of the link goes down. PR1502467

  • The output VLAN push might not work. PR1510629

  • DHCP traffic might not be forwarded correctly when sending DHCP unicast packets. PR1512175

  • EX4300-48MP device might go out of service during a software upgrade operation. PR1526493

  • On the EX2300 device, the following PoE message is observed: poe_get_dev_class: Failed to get PD class info. PR1536408

  • The LLDP neighborship with the VoIP phones cannot be established. PR1538482

  • On the EX3400 and EX2300 switches, the upgrade fails due to the lack of available storage. PR1539293

  • FPC might not be recognized after power cycle (hard reboot). PR1540107

  • DHCP discover packet might be dropped if DHCP inform packet is received first. PR1542400

  • Slaac-Snoopd child process generates a core file upon multiple switchovers on the Routing Engine. PR1543181

  • In every software upgrade, the host needs to get upgraded. PR1543890

  • On EX4300-48MP line of switches with Linux TVP architecture and Junos OS as VM, the Junos CLI outputs do not confirm if the Junos OS and the host kernel are compatible with each other. PR1543901

  • The chip on FPC linecard might crash when the system reboots. PR1545455

  • "show pfe route summary hw" shows random high free and 'Used' column for 'IPv6 LPM(< 64)' routes. PR1552623

  • The statement 'action-shutdown' of storm control does not work for ARP broadcast packets. PR1552815

  • Traffic might be dropped when a firewall filter rule uses 'then vlan' as the action. PR1556198

  • On the EX3400VC line of switches, the DAEMON-7-PVIDB throws syslog messages every 12 to 14 minutes after you upgrade to Junos OS Release 19.1R3-S3. PR1563192

  • Client authentication is failing after performing GRES. PR1563431

Infrastructure

  • On the EX4600 and EX4300 Virtual Chassis or Virtual Chassis fabric, a device with VSTP configurations becomes unreachable and nonresponsive after commit. PR1520351

  • EX 4300 VC/VCF : Observing HEAP malloc(0) detected. PR1546036

  • Traffic related to the IRB interface might be dropped when mac-persistence-timer expires. PR1557229

Platform and Infrastructure

  • DHCP binding is not happening after graceful switchover. PR1515234

  • lldp-receive-packet-count is not getting exchanged properly in l2pt operation for lldp after configuring protocols. PR1532721

  • LLDP neighborship might not come up on EX4300 non-aggregated Ethernet interfaces. PR1538401

  • The targeted-broadcast feature might not work after a reboot. PR1548858

  • The BGP session replication might fail to start after the session crashes on a backup Routing Engine. PR1552603

  • The targeted-broadcast feature may send out duplicate packets. PR1553070

Routing Protocols

  • The OSPFv3 adjacency should not be established when IPsec authentication is enabled. PR1525870

  • DCPFE crash might be observed while updating VRF for multicast routes during irb uninit. PR1546745

  • Sending multicast traffic to downstream receiver on MX Series-based Virtual Chassis platforms might fail. PR1555518

  • The untagged packets might not work on EX Series platforms. PR1568533

User Interface and Configuration

  • The license errors may get returned on backup RE when trying to commit the configuration. PR1543037

Virtual Chassis

  • EX4600/EX4300 mixed VC : Error message 'ex_bcm_pic_eth_uint8_set' is seen when changing configuration related to interface. PR1573173

Resolved Issues: 20.2R2

Authentication and Access Control

  • The DOT1XD_AUTH_SESSION_DELETED event is not triggered with a single supplicant mode. PR1512724

  • The dot1x client won't be moved to held state when the authenticated PVLAN is deleted. PR1516341

EVPN

  • Unable to create a new VTEP interface. PR1520078

General Routing

  • Virtual Chassis split after network topology is changed. PR1427075

  • EX2300 Series: High CPU load due to receipt of specific multicast packets on Layer 2 interface (CVE-2020-1668). PR1491905

  • Authentication session might be terminated if PEAP request is retransmitted by the authenticator. PR1494712

  • The fxpc might crash when renumbering the master member id value of the EX2300/EX3400 Virtual Chassis. PR1497523

  • Outbound SSH connection flaps or memory leaks occur during the push configuration to ephemeral database with high rate. PR1497575

  • Traffic might get dropped if the aggregated Ethernet member interface is deleted or added, or an SFP of the aggregated Ethernet member interface is unplugged or plugged. PR1497993

  • In some cases, if we have an OSPF session on the IRB over LAG interface with a 40-Gigabit Ethernet port as member, the session gets stuck in restart. PR1498903

  • On the EX4300, EX3400, and EX2300 Virtual Chassis with NSB and xSTP enabled, continuous traffic loss might be observed while performing GRES. PR1500783

  • The mge interface might still stay up while the far end of its link goes down. PR1502467

  • LLDP is not acquired when native-vlan-id and tagged VLAN-ID are the same on a port. PR1504354

  • The output VLAN push might not work. PR1510629

  • LLDP might not work when PVLAN is configured on EX Series and QFX Series Virtual Chassis. PR1511073

  • Traffic might not flow as per configured policer parameters. PR1512433

  • LACP goes down after performing Routing Engine switchover if MACsec is enabled on the LAG members on EX4300. PR1513319

  • The 100M SFP-FX is not supported on satellite device in Junos fusion setup. PR1514146

  • A "dot1x" memory leak is observed. PR1515972

  • The dcpfe (PFE) process might crash due to memory leak. PR1517030

  • MPPE-Send or Recv-key attribute is not extracted correctly by dot1xd. PR1522469

  • "Drops" and "Dropped packets" counters in the output for "show interface extensive" are double-counted. PR1525373

Infrastructure

  • The qmon-sw sensor is not supported in EX3400. PR1506710

  • The IP communication between directly connected interfaces on EX4600 might fail. PR1515689

  • OID ifOutDiscards reports zero and sometimes shows valid value. PR1522561

Layer 2 Features

  • On the QFX5000 line of switches, traffic imbalance might be observed if hash-params is not configured. PR1514793

  • The MAC address in the hardware table might become out of synchronization between the master and member in Virtual Chassis after the MAC flaps. PR1521324

Platform and Infrastructure

  • Packets get dropped when next hop is IRB over an lt interface. PR1494594

  • LLDP neighborship might not come up on EX4300 non-AE interfaces. PR1538401

  • Redirected IP traffic is duplicated. PR1518929

Routing Protocols

  • On EX4300-MP and EX4600, high CPU load occurs due to receipt of specific Layer 2 frames in an EVPN-VXLAN deployment (CVE-2020-1687), and high CPU load occurs due to receipt of specific Layer 2 frames when deployed in a Virtual Chassis configuration (CVE-2020-1689). PR1495890

  • The rpd might report 100 percent CPU usage with BGP route damping enabled. PR1514635

  • Packet loss might be observed while verifying traffic from access to core network for IPv4/IPv6 interfaces. PR1520059

  • OSPFv3 adjacency should not be established when IPsec authentication is enabled. PR1525870

User Interface and Configuration

  • Installing J-Web application package might fail on the EX2300/EX3400 platforms. PR1513612

  • The J-Web does not display the correct flow-control status on EX Series devices. PR1520246

Virtual Chassis

  • EX4650: "kldload: an error occurred while loading the module" during booting. PR1527170

Resolved Issues: 20.2R1

Authentication and Access Control

  • EX2300-48MP: Client did not receive captive-portal success page by downloading the ACL parameter as Authentication failed. PR1504818

EVPN

  • The ESI of IRB interfaces does not get updated after an autonomous-system number change if the interface is down. PR1482790

  • The VXLAN function might be broken due to a timing issue after the change in PR 1495098. PR1502357

Infrastructure

  • Kernel core files might be observed if you deactivate the daemon on EX2300/EX3400 platforms. PR1483644

Interfaces and Chassis

  • FRU has no connection arguments fru_send_msg Global FPC x is observed after MX Series Virtual Chassis local or global switchover. PR1428254

  • The MC-LAG configuration-consistency ICL configuration might fail after committing some changes. PR1459201

  • Executing commit might hang up due to a stuck dcd process. PR1470622

  • A stale IP address might be seen after a specific order of configuration changes under a logical-systems scenario. PR1477084

Junos Fusion for Enterprise

  • SDPD core files found: vfpc_all_eports_deletion_complete vfpc_dampen_fpc_timer_expiry. PR1454335

  • Loop detection might not work on extended ports in Junos fusion scenarios. PR1460209

Junos Fusion Satellite Software

  • Temperature sensor alarm is seen on EX4300 in a Junos fusion scenario. PR1466324

Layer 2 Ethernet Services

  • Member links state might be asynchronized on a connection between PE and CE devices in an EVPN active/active scenario. PR1463791

  • Issues with DHCPv6 relay processing Confirm and Reply packets. PR1496220

Layer 2 Features

  • The LLDP function might fail when a Juniper device connects to a non-Juniper one. PR1462171

  • EX4650/QFX5120: QinQ: The third VLAN tag is not pushed onto the stack and SWAP is being done instead. PR1469149

  • Traffic might be affected if composite next hop is enabled. PR1474142

MPLS

  • BGP session might keep flapping between two directly connected BGP peers because of the wrong TCP-MSS in use. PR1493431

Platform and Infrastructure

  • The IRB traffic might get dropped after mastership switchover. PR1453025

  • The switch might not be able to learn MAC addresses with dot1x and interface-mac-limit configured. PR1470424

  • EX4300: Input firewall filter attached to isolated or community VLANs not matching 802.1p bits on the VLAN header. PR1478240

  • MAC learning under bridge-domain stops after an MC-LAG interface flap. PR1488251

  • The NSSU upgrade might fail on EX4300 switches due to a storage issue in the /var/tmp directory. PR1494963

  • Traffic loss might be seen with framing errors or runts if MACsec is configured on EX4300. PR1502726

  • The MAC Pause frames will be incrementing in the Receive direction if half-duplex mode on 10-Mbps or 100-Mbps speed is configured. PR1452209

  • Link up delay and traffic drop might be seen on mixed SP L2/L3 and EP L2 type configurations. PR1456336

  • MAC addresses learned on RTG may not be aged out after the aging time. PR1461293

  • RTG link faces nearly 20 seconds down during backup node rebooting. PR1461554

  • The jdhcpd process might consume high CPU and no further subscribers can be brought up if there are more than 4000 DHCP relay clients in the MAC move scenario. PR1465277

  • FPCs might get disconnected from the EX3400 Virtual Chassis briefly after a reboot or an upgrade. PR1467707

  • Traffic loss might be seen with framing errors or runts if MACsec is configured on EX4600 or QFX5100 platforms. PR1469663

  • SSH session closes while checking for the show configuration | display set command for both local and nonlocal users. PR1470695

  • The shaping of CoS does not work after reboot. PR1472223

  • CoS 802.1p bits rewrite might not happen in Q-in-Q mode. PR1472350

  • DSCP marking might not work as expected if the fixed classifiers are applied to interfaces on QFX5000 or EX4600 platforms. PR1472771

  • ERP might not come up properly when MSTP and ERP are enabled on the same interface. PR1473610

  • The RIPv2 packets forwarded across a Layer 2 circuit connection might be dropped. PR1473685

  • On EX4300, the output of show security macsec statistics shows high values incorrectly. PR1476719

  • EX3400 me0 interface might remain down. PR1477165

  • The dhcpd process may crash in a Junos fusion environment. PR1478375

  • Trio based linecard might crash when there is bulk route update failure in a corner case. PR1478392

  • TFTP installation from loader prompt may not succeed on the EX Series devices. PR1480348

  • ARP request packets for an unknown host might get dropped in remote PE in EVPN-VXLAN scenario. PR1480776

  • On EX2300 switches, SNMP traps are not generated when the MAC addresses limit threshold is reached. PR1482709

  • Incorrect 'frame length' of 132 bytes might be shown in packet header. PR1487876

  • Virtual Chassis ports might go down in a mixed Virtual Chassis setup of QFX5100-24Q-2P/EX4300 and EX4600/EX4300. PR1489985

  • DHCP binding fails while you verify DHCPv4 snooping functionality with P-VLAN with a firewall to block or allow certain IPv4 packets. PR1490689

  • Traffic loss could be observed in a mixed-Virtual Chassis setup of QFX5100 and EX4300. PR1493258

  • Traffic loss could be seen in an MC-LAG scenario on QFX5120 and EX4650. PR1494507

  • Traffic might get dropped if AE member interface is deleted/added or a SFP of the AE member interface is unplugged/plugged. PR1497993

Routing Protocols

  • BGP IPv4/IPv6 convergence and RIB install and delete time is degraded in Junos OS Releases 19.1R1, 19.2R1, 19.3R1, and 19.4R1. PR1414121

  • MUX State in LACP interface does not go to collecting and distributing and remains attached after enabling the ae interface. PR1484523

  • FPC might go to "NotPrsnt" state after upgrading with non-TVP image in VC/VCF setup. PR1485612

  • The BGP route-target family might prevent RR from reflecting Layer 2 VPN and Layer 3 VPN routes. PR1492743

  • Firewall filter could not work in certain conditions in a Virtual Chassis setup. PR1497133

User Interface and Configuration

  • umount: unmount of /.mount/var/val/chroot/packages/mnt/jweb-ex32-d2cf6f6b failed: Device busy message is seen when Junos OS is upgraded with the validate option. PR1478291

Documentation Updates

There are no errata or changes in Junos OS Release 20.2R2 documentation for EX Series switches.

Migration, Upgrade, and Downgrade Instructions

This section contains the upgrade and downgrade support policy for Junos OS for EX Series switches. Upgrading or downgrading Junos OS can take several hours, depending on the size and configuration of the network. For information about software installation and upgrade, see the Installation and Upgrade Guide.

Upgrade and Downgrade Support Policy for Junos OS Releases

Support for upgrades and downgrades that span more than three Junos OS releases at a time is not provided, except for releases that are designated as Extended End-of-Life (EEOL) releases. EEOL releases provide direct upgrade and downgrade paths—you can upgrade directly from one EEOL release to the next EEOL release even though EEOL releases generally occur in increments beyond three releases.

You can upgrade or downgrade to the EEOL release that occurs directly before or after the currently installed EEOL release, or to two EEOL releases before or after. For example, Junos OS Releases 19.2, 19.3, and 19.4 are EEOL releases. You can upgrade from Junos OS Release 19.2 to Release 19.3 or from Junos OS Release 19.2 to Release 19.4.

You cannot upgrade directly from a non-EEOL release to a release that is more than three releases ahead or behind. To upgrade or downgrade from a non-EEOL release to a release more than three releases before or after, first upgrade to the next EEOL release and then upgrade or downgrade from that EEOL release to your target release.

For more information about EEOL releases and to review a list of EEOL releases, see https://support.juniper.net/support/eol/software/junos/.