Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Junos OS Release Notes for EX Series


These release notes accompany Junos OS Release 20.4R3 for the EX Series. They describe new and changed features, limitations, and known and resolved problems in the hardware and software.

You can also find these release notes on the Juniper Networks Junos OS Documentation webpage, located at

What's New

Learn about new features introduced in this release for EX Series Switches.


The following EX Series switches are supported in Release 20.4R3: EX2300, EX3400, EX4300, EX4600, EX4650, EX9200, EX9204, EX9208, EX9214, EX9251, and EX9253.

What’s New in Release 20.4R3

There are no new features or enhancements to existing features for EX Series switches in Junos OS Release 20.4R3.

What’s New in Release 20.4R2

There are no new features or enhancements to existing features for EX Series switches in Junos OS Release 20.4R2.

What’s New in Release 20.4R1

Authentication, Authrorization, and Accounting

  • RADIUS attributes for dynamic VLAN assignment on colorless ports (EX2300, EX2300-MP, EX3400, EX4300, and EX4300-MP)—We now support IETF-defined RADIUS attributes that provide VLAN assignments and also indicate whether frames on the VLAN are in tagged or untagged format. This enables the network access control server to dynamically assign VLANs on colorless ports. The VLAN assignments, which are based on device profiling, can be made on either access ports or trunk ports.

    [See Dynamic VLAN Assignment on Colorless Ports.]


  • MAC limit, MAC move limit, and persistent MAC learning with EVPN-VXLAN (EX4300-48MP)—We support the following Layer 2 port security features in an EVPN-VXLAN overlay network:

    • MAC limit—You can limit the number of MAC addresses learned by network (local) interfaces.


      We don’t support MAC limits on virtual tunnel endpoint (VTEP) interfaces.

    • MAC move limit—You can limit the number of times a MAC address is moved to a different interface within 1 second. To configure this feature, you apply a limit to a VLAN. In an EVPN-VXLAN network, a VLAN’s members can include network (local) and VTEP interfaces. We support the following MAC move use cases and actions:

      • MAC moves between network interfaces—By default, the configured action is applied on the interface to which the MAC address is last moved. If you configured action priority on the interfaces, the action is applied on the interface with the lesser priority.

      • MAC moves between network and VTEP interfaces and vice-versa—The action is applied on the network interface.


        We don’t support MAC moves between the following:

        • VTEP interfaces.

        • A VTEP interface and a network interface on which persistent MAC learning and static MAC addresses are configured.

    • Persistent MAC learning (sticky MAC)—You can enable network interfaces to retain dynamically learned MAC addresses when the switch is restarted or when an interface goes down and comes back up again.


      We don’t support persistent MAC learning on VTEP interfaces.

    [See Understanding MAC Limiting and MAC Move Limiting and Understanding and Using Persistent MAC Learning.]

  • MC-LAG emulation in an EVPN deployment (EX Series, MX Series, and vMX)—Starting in Junos OS Release 20.4R1, you can emulate the function of an MC-LAG in active-standby mode in an EVPN configuration without having to configure an ICCP or ICL interface. In a standard EVPN configuration, logical interfaces configured on an aggregated Ethernet interface can have different designated forwarder election roles. To emulate an MC-LAG configuration, the designated forwarder (DF) takes on the role of the aggregated Ethernet interface. The provider edge (PE) that is the non-DF will send LACP out-of-sync packets to the CE. This causes LACP to go down on the CE device, and the CE device does not use the links connected to the non-DF for sending traffic. If the connection between a CE and a DF PE fails, the PE is re-elected as a DF. If the connection between a CE and a non-DF PE fails, the current DF PE is not changed.

    To enable this functionality, configure the lacp-oos-on-ndf statement at the [edit interfaces interface name esi df-election-granularity per-esi] hierarchy.

  • Support for IGMP snooping and selective multicast forwarding (EX4300-MP)—Starting in Junos OS Release 20.4R1, the EX4300-MP switch supports IGMP snooping and selective multicast forwarding in an EVPN-VXLAN centrally-routed bridging overlay network with all-active multihoming. Selective multicast Ethernet (SMET) forwarding is part of IGMP snooping. IGMP snooping and SMET forwarding reduce the volume of multicast traffic in a broadcast domain by forwarding multicast traffic only to interfaces that have IGMP listeners. SMET forwarding sends multicast packets to the leaf devices in the core that have expressed an interest in that multicast group. SMET forwarding is supported only in intra-VLAN replication. This feature supports EVPN Type 7 (IGMP Join Synch Route) and EVPN Type 8 (IGMP Leave Synch Routes). To configure IGMP snooping, include the igmp-snooping proxy configuration statement at the [edit routing-instances routing-instance-name protocols] hierarchy level.

    [See Overview of Multicast Forwarding with IGMP Snooping in an EVPN-VXLAN Environment and Overview of Selective Multicast Forwarding.]

  • Support for assisted replication (EX4300MP)—Starting in Junos OS Release 20.4R1, the EX4300-MP switch supports assisted replication in an EVPN-VXLAN centrally-routed bridging overlay network with all-active multihoming. Assisted replication (AR) optimizes multicast traffic flow by offloading traffic replication to devices that can more efficiently handle replication and forwarding. You can configure the EX4300-MP only as an AR-leaf device. You can further optimize multicast traffic by configuring AR with IGMP snooping. To configure the EX4300-MP as an AR leaf, include the assisted-replication leaf statement at the [edit routing-instances routing-instance-name protocols evpn] or [edit protocols evpn] hierarchy level.

    [See Assisted Replication Multicast Optimization in EVPN Networks

  • Support for sFlow in an EVPN-VXLAN network (EX4300-MP)—Starting in Junos OS Release 20.4R1, sFlow monitoring is supported on EX4300-MP switches in an EVPN-VXLAN network. sFlow monitoring provides visibility into your EVPN VXLAN network by sampling VXLAN-encapsulated traffic at the ingress and egress interfaces. You can configure sFlow technology on a device to monitor traffic continuously at wire speed on all interfaces simultaneously. You must enable sFlow monitoring on each interface individually. Configure sFlow monitoring at the [edit protocols sflow] hierarchy level. Use the show sflow collector command to display the collector statistics and the clear sflow collector command to delete the collector statistics.

    [See Overview of sFlow Technology.]

  • Layer 3 gateway in an EVPN-MPLS environment (EX9200 with EX9200-SF3 switch fabric module and EX9200-15C line card)—Starting in Junos OS Release 20.4R1, an EX9200 switch with an EX9200-SF3 switch fabric module and an EX9200-15C line card can act as a default Layer 3 gateway for an EVPN instance (EVI) that can span a set of devices. In this role, the EX9200 switch can perform inter-subnet forwarding. With inter-subnet forwarding, each subnet represents a distinct broadcast domain.

    The Layer 3 gateway supports the following features:

Interfaces and Chassis

  • 10GBASE-T SFP+ transceiver for EX4600-40F—Starting in Junos OS Release 20.4R1, EX4600-40F switches support the 10GBASE-T SFP+ transceiver (JNP-SFPP-10GE-T), capable of working at speeds of 10 Gbps, 1Gbps, and 100Mbps, and also auto-negotiation. You can use the existing show commands such as the show interfaces media command to view the details of the transceivers.

    [See speed(Ethernet).]

Junos OS XML, API, and Scripting

  • Support for Certificate Authority Chain Profile (EX2300, EX3400, EX4300, MX240, MX480, MX960, PTX-5000, VMX, vSRX and QFX5200)—Starting in Junos OS Release 20.4R1, you can configure intermediate Certificate Authority (CA) chain profile certificate and perform https REST API request using mutual and server authentications.

    To configure intermediate ca-chain certificate, configure ca-chain ca-chain statement at the [edit system services rest https] hierarchy level.

  • Start time option for interval-based internal events that trigger event policies (EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—Starting in Junos OS Release 20.4R1, when you create an interval-based internal event for triggering event policies, you can specify the start date and time for the initial event. To specify a start time, configure the start-time option along with the time-interval option at the [edit event-options generate-event] hierarchy level.

    [See Generating Internal Events to Trigger Event Policies.]

Network Management and Monitoring

  • Configuration retrieval using the configuration revision identifier (EX3400, EX4300, MX204, MX240, MX480, MX960, MX2020, PTX3000, PTX10008, QFX5100, QFX10002-60C, SRX5800, vMX, and vSRX)—Starting in Junos OS Release 20.4R1, you can use the configuration revision identifier feature to view the configuration for a specific revision. This configuration database revision can be viewed with the CLI command show system configuration revision.

    [See show system configuration revision.]

  • Junos XML protocol operations support loading and comparing configurations using the configuration revision identifier (EX3400, EX4300, MX204, MX240, MX480, MX960, MX2020, PTX3000, PTX10008, QFX5100, QFX10002-60C, SRX5800, vMX, and vSRX)—Starting in Junos OS Release 20.4R1, the Junos XML management protocol operations support loading and comparing configurations by referencing the configuration revision identifier of a committed configuration. You can execute the <load-configuration> operation with the configuration-revision attribute to load the configuration with the given revision identifier into the candidate configuration. Additionally, you can compare the candidate or active configuration to a previously committed configuration by referencing the configuration revision identifier for the comparison configuration. The <get-configuration> operation supports the compare="configuration-revision" and configuration-revision attributes to perform the comparison.

    [See <get-configuration> and <load-configuration>.]

Routing Protocols

  • BGP Prefix-Independent Convergence (PIC) Edge for MPLS VPNs (EX9200)—You can now install a Layer 3 VPN route in the forwarding table as an alternate path, enabling fast failover when a provider edge (PE) router fails or you lose connectivity to a PE router. This already installed path is used until global convergence through the IGP is resolved.

    To enable BGP PIC Edge in an MPLS VPN, include the protect-core statement at the [edit routing-instances routing-instance-name routing-options] hierarchy level. Both IS-IS LDP and OSPF LDP are supported. When BGP PIC Edge is enabled, the show route extensive command now displays the weight assigned to the indirect hop.

    [See Configuring BGP PIC Edge for MPLS Layer 3 VPNs.]

  • Support for multiple single-hop EBGP sessions on different links using the same IPv6 link-local address (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series, vMX, and vSRX)—Starting in Junos OS Release 20.4R1, you are no longer required to have unique peer addresses for Juniper devices for every EBGP session. You can now enable single-hop EBGP sessions on different links over multiple directly connected peers that use the same IPv6 link-local address.

    In earlier Junos OS Releases, BGP peers could be configured with link-local addresses, but multiple BGP peers could not be configured to use the same link-local address on different interfaces.

    [See Configure Multiple Single-Hop EBGP Sessions on Different Links Using the Same Link-Local Address (IPv6).]

Software Installation and Upgrade

  • Phone-home client (EX4600, EX4650, EX9200, QFX5110, QFX5200, QFX5210, QFX5120-32C, and QFX5120-48Y)—Starting with Junos OS Release 20.4R1, you can use either the legacy DHCP-options-based ZTP or the phone-home client (PHC) to provision software for the switch. When the switch boots up, if there are DHCP options that have been received from the DHCP server for ZTP, ZTP resumes. If DHCP options are not present, PHC is attempted. PHC enables the switch to securely obtain bootstrapping data, such as a configuration or software image, with no user intervention other than having to physically connect the switch to the network. When the switch first boots up, PHC connects to a redirect server, which redirects to a phone home server to obtain the configuration or software image.

    To initiate either DHCP-options-based ZTP or PHC, the switch must be in a factory-default state, or you can issue the request system zeroize command.

    [See Understanding the Phone-Home Client

  • ZTP with DHCPv6 client support (EX3400, EX4300, PTX1000, PTX5000, PTX10002-60C, PTX10008, QFX5100, QFX5200, QFX10002, and QFX10002-60C)—Starting in Junos OS Release 20.4R1, zero touch supports the DHCPv6 client. During the bootstrap process, the device first uses the DHCPv4 client to request for information regarding image and configuration file from the DHCP server. The device checks the DHCPv4 bindings sequentially. If one of the DHCPv4 bindings fails, the device continues to check for bindings until provisioning is successful. However, if there are no DHCPv4 bindings, the device checks for DHCPv6 bindings and follows the same process as for DHCPv4 until the device can be provisioned successfully. Both DHCPv4 and DHCPv6 clients are included as part of the default configuration on the device.

    The DHCP server uses DHCPv6 options 59 and 17 and applicable suboptions to exchange ZTP-related information between itself and the DHCP client.


    ZTP supports only HTTP and HTTPS transport protocols.

    [See Zero Touch Provisioning.]

  • Phone-home client (EX4300-48MP Virtual Chassis)—Starting in Junos OS Release 20.4R1, the phone-home client (PHC) can securely provision a Virtual Chassis consisting of all EX4300-48MP member switches without requiring user interaction. If the switches all have the factory-default configuration, you just need to:

    • Connect the switches using the Virtual Chassis ports.

    • Connect any network port or the management port to the network.

    • Power on the Virtual Chassis.

    The PHC automatically starts up and connects to the phone-home server (PHS), which responds with bootstrapping information. The PHC then upgrades each member with the new image and applies the configuration, and the Virtual Chassis is ready to go.

    [See Provision a Virtual Chassis Using the Phone-Home Client.]

Subscriber Management and Services

  • Control plane DDoS protection against DDoS attacks (EX9200 with MPC10E)—Starting in Junos OS Release 20.4R1, control plane distributed denial of service (DDoS) protection is enabled by default on EX9200 switches with MPC10E line cards. To prevent malicious traffic from interfering with device operations, this feature uses firewall filters and policers to discard or rate-limit control plane traffic. You can disable this feature at different levels or change the default policer parameters for many protocol groups and individual packet types in the supported protocol groups.

    [See Control Plane Distributed Denial-of-Service (DDoS) Protection Overview.]

What's Changed

Learn about what changed in this release for EX Series Switches.

What's Changed in Release 20.4R3

Layer 2 Ethernet Services

  • Link selection support for DHCP—We have introduced the link-selection statement at the edit forwarding-options dhcp-relay relay-option-82 hierarchy level, which allows DHCP relay to add suboption 5 to option 82. Suboption 5 allows DHCP proxy clients and relay agents to request an IP address for a specific subnet from a specific IP address range and scope. Prior to this release, the DHCP relay dropped packets during the renewal DHCP process and the DHCP server used the leaf's address as a destination to acknowledge the DHCP renewal message.

    [See relay-option-82.]

Network Management and Monitoring

  • Enhancement to the snmp mib walk command (PTX Series, QFX Series, EX Series, MX Series, SRX Series)—The ipv6IfOperStatus field displays the current operational state of the interface. The noIfIdentifier(3) state indicates that no valid interface identifier is assigned to the interface. This state usually indicates that the link-local interface address failed duplicate address detection. When you specify the Duplicate Address Detected error flag on the interface, the new value (noIfIdentifier(3)) is displayed. Previously, the snmp mib walk command did not display the new value (noIfIdIdentifier(3)).

  • Changes in contextEngineID for SNMPv3 INFORMS (PTX Series, QFX Series, ACX Series, EX Series, MX Series, and SRX Series— Now the contextEngineID of SNMPv3 INFORMS is set to the local engine-id of Junos devices. In earlier releases, the contextEngineID of SNMPv3 INFORMS was set to remote engine-id.

    [See SNMP MIBs and Traps Supported by Junos OS.]

  • The configuration accepts only defined identity values for nodes of type identityref in YANG data models (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series, vMX, and vSRX)—If you configure a statement that has type identityref in the corresponding YANG data model, the device accepts only defined identity values (as defined by an identity statement) as valid input. In earlier releases, the device also accepts values that are not defined identity values.

What's Changed in Release 20.4R2


  • IGMP snooping options has changed hierarchy level—Junos OS has moved the following options from the edit protocols igmp-snooping hierarchy to edit routing-instances evpn protocols igmp-snooping vlan <vlan-name/vlan-all> hierarchy:

    • query-interval

    • query-last-member-interval

    • query-response-interval

    • robust-count

    • evpn-ssm-reports-only

    • immediate-leave

  • Support for displaying SVLBNH information—You can now view shared VXLAN load balancing next hop (SVLBNH) information when you display the VXLAN tunnel endpoint information for a specified ESI and routing instance by using show ethernet-switching vxlan-tunnel-end-point esi <varname>esi-identifier esi-identifier instance <varname>instance svlbnh command.

General Routing

  • Configure internal IPsec authentication algorithm (EX Series)—You can configure the algorithm hmac-sha-256-128 at the edit security ipsec internal security-association manual direction bidirectional authentication algorithm hierarchy level for internal IP security (IPsec) authentication. In earlier releases, you could configure the algorithm hmac-sha-256-128 for MX Series devices only.

Junos XML API and Scripting

  • The jcs:invoke() function supports suppression of root login and logout events in system log files for SLAX commit scripts (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—The jcs:invoke() extension function supports the no-login-logout parameter in SLAX commit scripts. If you include the parameter, the function does not generate and log UI_LOGIN_EVENT and UI_LOGOUT_EVENT messages when the script logs in as root to execute the specified remote procedure call (RPC). If you omit the parameter, the function behaves as in earlier releases in which the root UI_LOGIN_EVENT and UI_LOGOUT_EVENT messages are included in system log files.

    [See invoke() Function (SLAX and XSLT).]

  • The jcs:invoke() function supports suppression of root login and logout events in system log files for SLAX event scripts (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—The jcs:invoke() extension function supports the no-login-logout parameter in SLAX event scripts. If you include the parameter, the function does not generate and log UI_LOGIN_EVENT and UI_LOGOUT_EVENT messages when the script logs in as root to execute the specified remote procedure call (RPC). If you omit the parameter, the function behaves as in earlier releases in which the root UI_LOGIN_EVENT and UI_LOGOUT_EVENT messages are included in system log files.

    [See invoke() Function (SLAX and XSLT).]

What's Changed in Release 20.4R1


  • The show mpls lsp extensivel and show mpls lsp detail commands display next hop gateway LSPid—When you use the show mpls lsp extensivel and show mpls lsp detail commands, you'll see next hop gateway LSPid in the output as well.

Network Management and Monitoring

  • Warning changed for configuration statements that correspond to deviate not-supported nodes in YANG data models (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—If you configure a statement corresponding to a YANG data model node that defines the deviate not-supported statement, the Junos OS configuration annotates that statement with the comment Warning: statement ignored: unsupported platform. In earlier releases, the warning is Warning: 'statement' is deprecated.

Platform and Infrastructure

  • Support for unicast ARP request on table entry expiration—You can configure the device to send a unicast ARP request instead of the default broadcast request when an ARP table entry is about to expire. The retry requests are unicast at intervals of 5 seconds. Without this option, the retry requests are broadcast at intervals of 800 milliseconds. This behavior reduces ARP overall broadcast traffic. It also supports the use case where access nodes are configured not to forward broadcast ARP requests toward customer CPEs for security reasons and instead translate ARP broadcasts to unicast requests. To confirm whether this is configured, you can issue the following command: show configuration system arp | grep unicast-mode-on-expire.

    [See arp.]

User Interface and Configuration

  • Verbose format option for exporting JSON configuration data (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—The Junos OS CLI exposes the verbose statement at the edit system export-format json hierarchy level. The default format for exporting configuration data in JSON changed from verbose format to ietf format starting in Junos OS Release 16.1R1. You can explicitly specify the default export format for JSON configuration data by configuring the appropriate statement at the edit system export-format json hierarchy level. Although the verbose statement is exposed in the Junos OS CLI as of the current release, you can configure this statement starting in Junos OS Release 16.1R1.

    [See export-format.]

Known Limitations

Learn about known limitations in this release for EX Series. For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.


  • After a reboot during recovery process, the ESI LAGs come up before the BGP sessions and routes/ARP entries are not synced. PR1487112

Platform and Infrastructure

  • Junos OS can hang trying to acquire the SMP IPI lock while rebooting when it is running as a VM on Linux and QEMU hypervisor. Device can be recovered using power-cycle of the device. PR1385970

  • 10G channels show false up even when peer end is configured with different speed. The LED on the device also shows green. PR1530061

  • On all Junos OS platforms, in a Q-in-Q environment, xSTP is enabled on the interface having logical interface with vlan-id-list configured, then it will only run on those logical interfaces whose vlan-id range includes native-vlan-id configured and all others will be in discarding state. This might lead to traffic drop. PR1532992

  • For port-based GBP tag assignment, filter counters might not be displayed. This is a hardware limitation. PR1547268

Open Issues

Learn about open issues in Junos OS Release 20.4R3 for EX Series switches. For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Forwarding and Sampling

  • The configuration statement fast-lookup-filter with match condition is not supported in FLT hardware and might cause a traffic drop.PR1573350

General Routing

  • When VLAN is added as an action for changing the VLAN in both ingress and egress filters, the filter is not installed. PR1362609

  • On EX9208 switches, a few xe- interfaces go down with the error message if_msg_ifd_cmd_tlv_decode ifd xe-0/0/0 #190 down with ASIC Error. PR1377840

  • On EX9214 switches, if the MACsec-enabled link flaps after reboot, the error errorlib_set_error_log(): err_id(-1718026239) is observed. PR1448368

  • The following message might be seen in chassisd log after rebooting or changing the configuration. re_tvp_builtin_fwinfo_update: Unable to get firmware version. PR1471938

  • On BCM Packet Forwarding Engine-based EX Series platforms, frames between MTU+4 and MTU+8 bytes with invalid FCS, code error, or IEEE length check error are treated as Jabber frames. PR1487709

  • On EX Series platforms using chipset with SFP+ implemented, interface on the platforms might be in active status when TX or RX connector is removed. As a result, traffic might drop. PR1495564

  • When running the command show pfe filter hw filter-name filter-name, the command fails to retrieve the Packet Forwarding Engine programming details of the filter. PR1495712

  • When you rename a Virtual Chassis, the SNMP POE MIB walk produce either no results or sometimes show result from the primary Virtual Chassis. PR1503985

  • During flooding, MAC is learnt only on normal access port but not on the aggregated Ethernet interface trunk port. PR1506403

  • On the legacy EX Series platform, when adding or removing micro BFD LAG configuration, a kernel crash might happen. The kernel crash might cause unexpected Routing Engine reboot or switchover, and even result in traffic loss until the Routing Engine is restored. PR1524490

  • When the streamed telemetry data for a node is deleted during a network churn and the same node is being walked or rendered for the sensor, the rpd process might crash and generate a core file. This is a corner case where rendering and deletion of a particular node occur at the same instance. This issue might be seen only in case of a unstable network. PR1552816

  • When dot1x server-fail-voip vlan-name is configured, ensure that both server-fail-voip vlan-name and voip vlan are configured using VLAN name and not by using vlan-id. PR1561323

  • EX2300 shows high FPC CPU usage. However, the system processes and kernel CPU usage does not add up to the overall FPC usage. This is due to a cosmetic issue with calculation of FPC CPU usage that has been resolved in Junos OS Release 21.1R1 and later. PR1567438

  • Observing traffic drop during unified ISSU due to LAG interface flap. PR1569578

  • EX4600-40F EVPN_VXLAN get unexpected multicast traffic streams after enabling EVPN. PR1570689

  • There is a remote possibility that during many reboots, the Junos VM goes into a state where NMI is needed to continue the reboot. There is no workaround for this and a subsequent reboot does not seem to hit this issue. PR1601867


  • On EX Series switches, if you are configuring a large number of firewall filters on some interfaces, the FPC might crash and generate core files. PR1434927

  • IFDE: Null uint32 set vector, ifd and IFFPC: 'IFD Ether uint32 set' (opcode 151) error message is observed continuously in AD with base configurations. PR1485038

  • A double free vulnerability in the software forwarding interface daemon (sfid) process of Juniper Networks Junos OS allows an adjacently-connected attacker to cause a Denial of Service (DoS) by sending a crafted ARP packet to the device. Refer for more information. PR1497768

  • On EX Series platforms, a traffic drop might be observed after restarting the pfem process due to the stale route entry in Ternary Content Addressable Memory (TCAM). PR1517497

  • User while loading the kernel would see the message GEOM: mmcsd0s.enh: corrupt or invalid GPT detected. This message has no impact on functionality. PR1549754

  • When receives a unicast EAPOL (0x888e) with vlan588 tag at ae1 in this example, the packet is forwarded to ae0 without changing the vlanID to 3054. set vlans vlan588 vlan-id 588. set vlans vlan588 interface ae1.0. set vlans vlan588 interface ae0.0 mapping 3054 swap. PR1580129

Layer 2 Features

  • On EX4600 platforms, if a change related to TPID is made in the Device Control Daemon, traffic might be dropped in the Packet Forwarding Engine due to failure on Layer 2 learning or interfaces flapping. PR1477156

Platform and Infrastructure

  • When the dhcp relay mode is configured as no-snoop, the offer gets dropped due to incorrect ASIC programing. PR1530160

  • On EX9200 line of switches, FPC gets restarted and thereby disrupting traffic when there is an out-of-order filter state. This issue might be seen only in back-to-back GRES in more than 40 to 50 iterations. PR1579182

Routing Policy and Firewall Filters

  • On all Junos OS platforms with set policy-options rtf-prefix-list configured, if upgrade to a specific version, the device might fail to validate its configuration which eventually cause rpd to crash unexpectedly due to a software fault. PR1538172

User Interface and Configuration

  • The mgd crashes and generates a core file when the image is upgraded. The issue is seen on EX Series VC. As a workaround, provide a valid package during upgrade. PR1557628

Resolved Issues

Learn about the issues fixed in Junos OS Release 20.4R3 for EX Series switches.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Resolved Issues: 20.4R3

Class of Service (CoS)

  • The buffer allocation for VCP ports might not get released in Packet Forwarding Engine after physically moving the port location. PR1581187


  • Traffic loss might be seen under EVPN-VxLAN scenario when MAC-IP moves from one CE interface to another. PR1591264

  • In the EVPN/VXLAN scenario, the label field for Type-1 route is not required but it is assigned 1 instead of 0, which is in conflict with the RFC7432. PR1594981

  • Traffic loss might be seen if aggregated Ethernet bundle interface with ESI is disabled on primary Routing Engine followed by a Routing Engine switchover. PR1597300

General Routing

  • MPPE-Send or Recv-key attribute is not extracted correctly by dot1xd. PR1522469

  • On EX Series line of switches Virtual Chassis (VC), Power over Ethernet (POE) might not be detected and hence might fail to work on VC members. PR1539933

  • DHCP discover packet might be dropped if the DHCP inform packet is received first. PR1542400

  • Classifier is not programmed in the hardware and error logs might be seen in syslog. PR1548159

  • FPC with power related faults might get on-lined again once fabric healing has off-lined the FPC. PR1556558

  • The MAC addresses learned in a Virtual Chassis might fail due to aging out in the MAC scaling environment. PR1558128

  • The tunable optics SFP+-10G-T-DWDM-ZR is not working in EX4600 line of switches. PR1561181

  • LICENSE_INVALID_FEATURE_ID syslog message is not logged if a license key has features that are not applicable on the platform (unknown features), the license key is rejected. PR1562700

  • The DHCP client might not obtain IP address when dhcp-security is configured. PR1564941

  • The new primary Routing Engine post switchover might go into DB mode (or crash) on EX Series line of switches. PR1565213

  • The 40G DAC connection between EX9253 and the peers might not come up. PR1569230

  • Packet loss might be observed when sample based action is used in firewall filter. PR1571399

  • The fxpc process might crash and cause traffic loss in the IFBD scenario. PR1572305

  • Private VLAN configuration might fail in certain scenario. PR1574480

  • Protocol convergence between end nodes might fail when L2PT is enabled on transit switch. PR1576715

  • The device implemented with different service image version might become VC member as unexpected. PR1576774

  • On EX2300-C switches, MVR configuration cannot be configured. PR1577905

  • The fxpc process might crash on EX Series line of switches. PR1578421

  • The dcpfe crash is observed on Junos OS EX Series line of switches. PR1578859

  • Random or silent reboot might be seen on EX2300-24MP and EX2300-48MP platforms. PR1579576

  • On EX Series line of switches, some 40G ports might not be channelized successfully. . `PR1582105

  • The voice VLAN might not get assigned to the access interface. PR1582115

  • The l2ald crashes if a specific naming format is applied between a vlan-range and a single VLAN. PR1583092

  • DSCP rewriting might fail to work on EX2300 switches. PR1586341

  • The SNMP trap for MAC notifications might not be generated when an interface is added explicitly under switch-options. PR1587610

  • After performing NSSU, timeout waiting for response from fpc0 error message is seen while checking version details. PR1584457

  • Process dot1xd crash might be seen and re-authentication might be needed on EX9208 platform. PR1587837

  • The rpd crash might be observed on the router running a scaled setup. PR1588439

  • Packet loss might be observed on dynamically assigning VoIP vlan. PR1589678

  • Traffic loss might be observed for interface configured in subnet PR1590040

  • The LLDP packet might loss on the EX4300-MP platform if configuring LLDP on the management interface. PR1591387

  • The show pfe filter hw statement might generate the following error message: ERROR (dfw): Unknown group id: 21. PR1592096

  • On EX4300MP platforms, if an aggregated Ethernet interface is configured as the underlay interface for the type 5 route that is used to connect the DHCP relay and server, the DHCP relay might not work which might result in the DHCP client failing to obtain an IP address. PR1592133

  • xSTP might not get configured when enabled on an interface with SP style configuration on all platforms. PR1592264

  • Clients authentication failure might occur due to dot1x daemon memory leak. PR1594224

  • Storm control profile might not be applied on EX2300 platforms. PR1594353

  • IS-IS adjacency might fail to be formed if the MTU size of an IRB interface is configured with a value greater than 1496 bytes. PR1595823

  • On EX Series line of switches such as EX2300, EX3400, EX4300, EX4600, and EX4650 with chip as Packet Forwarding Engine, if IS-IS is enabled on an integrated routing and bridging (IRB) interface and the maximum transmission unit (MTU) size of the IRB interface is configured with a value greater than 1496 bytes, the IS-IS hello (IIH) PDUs with jumbo frame size (i.e., greater than 1496 bytes) might be dropped and not sent to the IS-IS neighbors. PR1595823

  • The MAC or IP withdraw route might be suppressed by rpd in the EVPN-VxLAN scenario. PR1597391

  • The backup Virtual Chassis member might not learn MAC address on a primary after removing a VLAN unit from the SP style aggregated Ethernet interface which is part of multiple VLAN units. PR1598346

  • On the EX4300-MP switch, the disable (interface) configuration mode command might not be available for the management port em1. The em1 interface CLI disable option is removed for all the products, but it has to be disabled only for EX4300-MP device. Devices with em1 interface enabled might be out of service. PR1600905

  • On EX Series switches, the fxpc process might crash and generate a core file. PR1607372

  • On EX4300 platform, the dcpfe process that handles packet forwarding might crash if the mge-* interfaces are configured with CoS and scheduler port-speed is non-zero while shaping rate becomes 0. PR1608306

  • The upgrade using phone-home feature to Junos OS Release 20.3 or later might fail on EX2300 and EX4650 switches. PR1601722

  • On EX4400 switches, dot1x authentication might not work on EVPN/VxLAN enabled endpoints. PR1603015

  • On EX Series, QFX10008, and QFX10016 line of switches, the system reboot takes approximately 9 minutes for FPCs to come online after system reboot command is issued. PR1605002

  • MAC move might be seen between the ICL and MC-LAG interface while removing and then adding VLANs on the ICL interface. PR1605234

  • DHCP packets might be received and then returned back to DHCP relay through the same interface on EX2300, EX3400, and EX4300 Virtual Chassis platforms. PR1610253

  • Change in commit error message while configuring the same vlan-id with different vlan-name through openconfig CLI. PR1612566

  • The configured MAC address does not reflect after the device reboots. PR1569203


  • Some MAC addresses might not be aged out on EX4300 platforms. PR1579293

  • The fxpc process might crash and generate a core file. PR1611480

Interfaces and Chassis

  • MC-LAG interfaces might go down if the same VRRP group-id is configured on multiple IRB units. PR1575779

  • The aggregated Ethernet interface might flap. PR1576533

  • ARP resolution failure might occur during VRRP failover. PR1578126

  • Incorrect advertisement threshold values are seen on VRRP groups when VRRP is configured on EX2300 switches. PR1584499

Layer 2 Ethernet Services

  • Aggregated Ethernet interface flap might be seen during NSSU. PR1551925

  • The DHCP client will be offline for 120 seconds after sending the DHCPINFORM message in the DHCP relay scenario. PR1575740

  • The DHCP client might be offline for about 120 seconds after sending the DHCPINFORM message. PR1587982

Layer 2 Features

  • MAC addresses learned from the MC-LAG client device might keep flapping between the ICL interface and MC-AE interface after one child link in the MC-AE interface is disabled. PR1582473

Junos Fusion Enterprise

  • Reverting the primary Routing Engine from RE1 to RE0 might lead to l2ald daemon crash and cause an outage. PR1601817


  • Incorrect EXP bit change might be seen in certain conditions under MPLS scenario. PR1555797

Platform and Infrastructure

  • On EX3400 Virtual Chassis, console access on backup Virtual Chassis member is not allowed. PR1530106

  • Upon receipt of specific sequences of genuine packets destined to the device, the kernel will crash and restart (vmcore). PR1557881

  • The LLDP neighbor advertisement on EX4300 switches might send an incorrect 802.3 power format with TLV length 7 instead of length 12. PR1563105

  • The last flapped timestamp for interface fxp0 resets every time when you perform monitor traffic interface fxp0. PR1564323

  • On all EX9200 platforms with EVPN-VXLAN configured, the next hop memory leak in MX Series ASIC happens whenever there is a route churn for remote MAC-IP entries learned bound to the IRB interface in EVPN-VXLAN routing instance. When the ASIC's next hop memory partition is exhausted, the FPC might reboot. PR1571439

  • DHCP packets with source IP as link-local address are dropped in EX4300 switches. PR1576022

  • The pfex might crash during PIC 4x 1G/10G SFP/SFP+ offline or online. PR1582457

  • Firewall filter is not programmed correctly and traffic might drop unexpectedly. PR1586433

  • The egress RACL firewall filter might not get programmed correctly on EX4300 platforms. PR1595797

  • Broadcast traffic might be discarded when a firewall filter is applied to the loopback interface. PR1597548

  • VLAN tagged traffic might be dropped with service provider style configuration. PR1598251

  • When you configure mac-move-limit statement, forwarding the VRRP packets is not possible. PR1601005

  • Adding aggregated Ethernet configuration without child member might cause MAC/ARP learning issues. PR1602399

  • ZTP does not work when downgrade Junos OS Release 21.1R2.2 image to Junos OS Release 21.1R2.1 image. PR1603227

Routing Protocols

  • BGP session carrying VPNv4 prefix with IPv6 next-hop might be dropped. PR1580578

  • The rpd might crash in scaled routing instances scenario. PR1590638

User Interface and Configuration

  • Removing the flash component from monitor interfaces and DHCP pages, removes the other flash pages. PR1553176

Virtual Chassis

  • EX4300 VCP might not come up after upgrade when QSFP+-40G-SR4/QSFP+-40G-LR4/QSFP+40GE-LX4 is used. PR1579430

Resolved Issues: 20.4R2

Forwarding and Sampling

  • Configuration archive transfer-on-commit fails on devices running Junos OS Release 18.2R3-S6.5. PR1563641

General Routing

  • Traffic loss might be observed on interfaces in a VXLAN environment. PR1524955

  • EX4300-48MP: Sflow: dcpfe core file is observed while using "request chassis fpc slot <slot_num> restart" command. PR1536997

  • FPC might not be recognized after power cycle (hard reboot). PR1540107

  • DHCP discover packet might be dropped if DHCP inform packet is received first. PR1542400

  • The JNH memory leak might be observed on MX Series-based line cards. PR1542882

  • The Slaac-Snoopd child process generates core file upon multiple switchovers on the Routing Engine. PR1543181

  • On EX4300-48MP line of switches with Linux TVP architecture and Junos OS as VM, the Junos CLI outputs do not confirm if the Junos OS and the host kernel are compatible with each other. PR1543901

  • Traffic loop when adding logical interface in the case of multihomed SP style in EVPN/VXLAN. PR1543966

  • High EVENTD CPU utilization upon receiving LLMNR and MDNS traffic on EX2300. PR1544549

  • The device might be out of service after configuring the em1 or em2 interface. PR1544864

  • FPC(s) might not boot on EX9214 line of switches in a certain condition. PR1545838

  • The static MAC on an interface might not work on EX4600 line of switches. PR1546655

  • Two Routing Engine's might lose communication if they have different Junos OS versions. PR1550594

  • show pfe route summary hw shows random high free and 'Used' column for 'IPv6 LPM(< 64)' routes. PR1552623

  • The dcpfe process might crash and the non-channelization interfaces might not come up. PR1552798

  • The 'action-shutdown' statement of storm control does not work for ARP broadcast packets. PR1552815

  • Layer 2 multicast traffic received on the Virtual Chassis port (VCP) ports might be dropped if igmp-snooping and STP/VSTP are enabled. PR1553159

  • OIR of CBs might result in major errors and the Packet Forwarding Engine disable action halted traffic forwarding on the FPCs. PR1554145

  • The link on the Linux-based LC is not brought down immediately after the FPC process (ukern/indus.elf) crashes or the process is killed. PR1554430

  • The console might hang up with the configuration statement set system ports console log-out-on-disconnect configured. PR1555487

  • On the EX9200 device, SF3 Fabric OIR issue is observed with Junos OS Release. PR1555727

  • Traffic might be dropped when a firewall filter rule uses then VLAN as the action. PR1556198

  • On the EX4300 device, script fails while committing the IPsec authentication configuration because of the missing algorithm statement. PR1557216

  • RPD core file is seen after Routing Engine switchover. PR1558814

  • Some transmitting packets might get dropped because the disable-pfe action is not invoked when the fabric self-ping failure is detected. PR1558899

  • Tunable optics SFP+-10G-T-DWDM-ZR is not working in EX4600 line of switches. PR1561181

  • Observing error opening configuration database: could not open configuration database during USB upgrading. PR1561741

  • EX3400VC smartd pollutes syslog every 5 seconds after upgrade or system reboot. PR1562396

  • On EX3400VC line of switches, the DAEMON-7-PVIDB throws syslog messages for every 12 to 14 minutes after you upgrade to Junos OS Release 19.1R3-S3. PR1563192

  • Client authentication fails after performing GRES. PR1563431

  • The JWeb upgrade might fail on EX2300 and EX3400. PR1563906

  • On EX4650 line of switches, storm control with IRB interface might not work approximately. PR1564020

  • On the EX4600 device, the following internal comment is displayed: “Placeholder for QFX platform configuration” on performing show config output. PR1567037

  • The designated forwarder (DF) might not forward traffic. PR1567752

  • Port-mirroring might not work when the analyzer output is a trunk interface. PR1575129


  • On the EX4600 and EX4300 Virtual Chassis or Virtual Chassis fabric, the VSTP configurations device goes unreachable and becomes nonresponsive after commit. PR1520351

  • HEAP malloc(0) is observed on EX4300 VC/VCF. PR1546036

  • The DSCP rewrite is not happening correctly with wildcard interface. PR1552372

  • The vme/me0 management interface cannot process any incoming packets. PR1552952

  • Traffic related to IRB interface might be dropped when mac-persistence-timer expires. PR1557229

  • Traffic might not be forwarded on EX3400 and EX4300-MP platforms with Layer 2 classifier rules applied. PR1561263

Interfaces and Chassis

  • The ppmd might crash when VRRP is configured on all Junos OS platforms. PR1561281

  • MC-AE interfaces might go down if same VRRP group-id is configured on multiple IRB units. PR1575779

Layer 2 Ethernet Services

  • OSPF and OSPF3 adjacency uptime is more than expected after NSSU upgrade and outage is higher than the expected. PR1551925


  • Incorrect EXP bit change might be seen in certain conditions under MPLS scenario. PR1555797

Platform and Infrastructure

  • Packets transiting through multicast-based VXLAN VTEP interface might be dropped when post FPC restarts. PR1536364

  • The targeted-broadcast feature might not work after a reboot. PR1548858

  • The BGP session replication might fail to start after the session crashes on the backup Routing Engine. PR1552603

  • The targeted-broadcast feature might send out duplicate packets. PR1553070

  • ARP resolution might fail if ARP packets are received over multicast-based VXLAN access network from CE. PR1553917

  • The traffic might be dropped on Layer 3 LAG after rebooting or halting any member of EX4300 Virtual Chassis. PR1556124

  • PFEX might crash when soft error recovery feature is enabled on the Packet Forwarding Engine. PR1567515

  • Introduce two new major CMERRORs for XM chip-based line card to stabilize the running device. PR1574631

Routing Protocols

  • The rpd memory leak might be seen in the BGP scenario. PR1547273

  • The OSPF neighborship get stuck in the Start state after configuring the EVPN-VXLAN. PR1519244

  • Sending multicast traffic to downstream receiver on MX Series-based Virtual Chassis platforms might fail. PR1555518

  • The ppmd memory leak might cause traffic loss. PR1561850

  • The rpd process might crash if there are more routes changed during the commit-sync processing window. PR1565814

  • The untagged packets might not work on EX Series platforms. PR1568533

User Interface and Configuration

  • Remove flash component from monitor, interfaces, and DHCP pages, and remove other flash pages. PR1553176

  • J-Web application package cannot be auto updated for all the supported EX Series devices. PR1563588

Virtual Chassis

  • On EX4600 and EX4300 mixed Virtual Chassis, an error message 'ex_bcm_pic_eth_uint8_set' is seen when changing configuration related to interface. PR1573173

Resolved Issues:20.4R1

Authentication and Access Control

  • The dot1x client won't be moved to held state when the authenticated PVLAN is deleted. PR1516341


  • Unable to create a new VTEP interface. PR1520078


  • qmon-sw sensor is not supported in EX3400. PR1506710

  • The IP communication between directly connected interfaces on EX4600 would fail. PR1515689

  • The VC system might get hanged after committing the VSTP configurations. PR1520351

  • OID ifOutDiscards reports zero and sometimes shows valid value. PR1522561

  • Firewall policer with discard action might fail on EX4300. PR1532670

  • Errors might be seen when dumping vmcore on EX2300 and EX3400 switches. PR1537696

  • The LLDP neighborship with the VoIP phones can't be established. PR1538482

Layer 2 Features

  • The dcpfe/FPC might crash due to the memory leak during the vlan add/delete operation. PR1505239

  • On the QFX5000 line of switches, traffic imbalance might be observed if hash-params is not configured. PR1514793

  • The MAC address in the hardware table might become out of synchronization between the primary and member in Virtual Chassis after the MAC flaps. PR1521324

Network Management and Monitoring

  • EX4300: SNMP OID (hrProcessorLoad ) always returns 0 irrespective of the real CPU utilization. PR1508364

Platform and Infrastructure

  • IPv6 neighbor solicitation packets might be dropped in a transit device. PR1493212

  • DHCP Binding is not happening after Graceful switchover. PR1515234

  • LLDP adjacency might fail for non-AE interfaces on EX4300 platform. PR1538401

  • uRPF in the Strict mode does not work. PR1417546

  • Virtual Chassis split after network topology changed. PR1427075

  • IRB MAC will not be programmed in hardware when MAC persistence timer expires. PR1484440

  • Authentication session might be terminated if PEAP request is retransmitted by authenticator. PR1494712

  • In some cases, if we have an OSPF session on the IRB over LAG interface with 40-Gigabit Ethernet port as member, the session gets stuck in restart. PR1498903

  • On the EX4300, EX3400, and EX2300 Virtual Chassis with NSB and xSTP enabled, continuous traffic loss might be observed while performing GRES. PR1500783

  • The mge interface might still stay up while the far end of its link goes down. PR1502467

  • LLDP is not acquired when native-VLAN-ID and tagged VLAN-ID are the same on a port. PR1504354

  • The output VLAN push might not work. PR1510629

  • Traffic might not flow as per configured policer parameters. PR1512433

  • LACP goes down after performing Routing Engine switchover if MACsec is enabled on the LAG members on EX4300. PR1513319

  • Last commit line in configuration is updated after the configuration backup has been done. PR1513499

  • The 100M SFP-FX is not supported on satellite device in a Junos Fusion setup. PR1514146

  • ARP learning issue might be seen on EX4300-MP platform when configuring Layer 3 gateway interfaces. PR1514729

  • "dot1x" memory leak is seen. PR1515972

  • The dcpfe (PFE) process might crash due to memory leak. PR1517030

  • MPPE-Send/Recv-key attribute is not extracted correctly by dot1xd. PR1522469

  • "Drops" and "Dropped packets" counters in the output by "show interface extensive" are double counting. PR1525373

  • EX4300-48MP device might go out of service during a software upgrade operation. PR1526493

  • PoE messages "poe_get_dev_class: Failed to get PD class info" seen on EX2300. PR1536408

  • EX3400, EX2300 : Upgrade failure do to lack of available storage. PR1539293

  • Slaac-Snoopd child process core is observed upon multiple switchovers on Routing Engine. PR1543181

  • EX9200 SF3 Fabric OIR Issues with Junos 23.1R1.8. PR1555727

Routing Protocols

  • The rpd process might report 100 percent CPU usage with the BGP route damping enabled. PR1514635

  • Packet loss might be observed while verifying traffic from access to core network for IPv4 and IPv6 interfaces. PR1520059

  • OSPFv3 adjacency should not be established when IPsec authentication is enabled. PR1525870

User Interface and Configuration

  • J-Web does not display the correct Flow-control status on EX Series devices. PR1520246

Virtual Chassis

  • On the EX4650 device, the following error message is observed during booting: kldload: an error occurred while loading the module. PR1527170

Documentation Updates

There are no errata or changes in Junos OS Release 20.4R3 documentation for EX Series switches.

Migration, Upgrade, and Downgrade Instructions

This section contains the upgrade and downgrade support policy for Junos OS for EX Series switches. Upgrading or downgrading Junos OS can take several hours, depending on the size and configuration of the network. For information about software installation and upgrade, see the Installation and Upgrade Guide.

Upgrade and Downgrade Support Policy for Junos OS Releases

Support for upgrades and downgrades that span more than three Junos OS releases at a time is not provided, except for releases that are designated as Extended End-of-Life (EEOL) releases. EEOL releases provide direct upgrade and downgrade paths—you can upgrade directly from one EEOL release to the next EEOL release even though EEOL releases generally occur in increments beyond three releases.

You can upgrade or downgrade to the EEOL release that occurs directly before or after the currently installed EEOL release, or to two EEOL releases before or after. For example, Junos OS Releases 19.2, 19.3, and 19.4 are EEOL releases. You can upgrade from Junos OS Release 19.2 to Release 19.3 or from Junos OS Release 19.2 to Release 19.4.

You cannot upgrade directly from a non-EEOL release to a release that is more than three releases ahead or behind. To upgrade or downgrade from a non-EEOL release to a release more than three releases before or after, first upgrade to the next EEOL release and then upgrade or downgrade from that EEOL release to your target release.

For more information about EEOL releases and to review a list of EEOL releases, see