Junos OS Release Notes for the QFX Series

 

These release notes accompany Junos OS Release 20.4R2 for the QFX Series. They describe new and changed features, limitations, and known and resolved problems in the hardware and software.

You can also find these release notes on the Juniper Networks Junos OS Documentation webpage, located at https://www.juniper.net/documentation/product/en_US/junos-os.

What's New

Learn about new features introduced in the Junos OS main and maintenance releases for QFX Series Switches.

Note

The following QFX Series platforms are supported in Release 20.4R2: QFX5100, QFX5110-32Q, QFX5110-48S, QFX5120, QFX5200, QFX5210, QFX10002, QFX10002-60C, QFX10008, and QFX10016.

Junos on White Box runs on Accton Edgecore AS7816-64X switches in this release. The software is based on Junos OS running on QFX5210 switches, so release-note items that apply to QFX5210 switches also apply to Junos on White Box.

What’s New in Release 20.4R2

There are no new features or enhancements to existing features for QFX Series Switches in Junos OS Release 20.4R2.

What’s New in Release 20.4R1

Hardware

  • Support for QSA Adapter (QFX10002-60C)—Starting in Junos OS Release 20.4R1, you can use the QSA Adapter to support 1GbE and 10GbE connections on the QFX10002-60C switches.

    [See the Hardware Compatibility Tool (HCT) for details.]

  • Support for transceivers, AOCs, and DACs (QFX5120-48T)—Starting in Junos OS Release 20.4R1, transceivers, AOCs, and DACs are supported on the QFX5120-48T switches.

    [See the Hardware Compatibility Tool (HCT) for details.]

  • New QFX5120-48YM Switch (QFX Series)—In Junos OS Release 20.4R1, we introduce the QFX5120-48YM, an ideal switch for data center top-of-rack, leaf-and-spine deployments, enterprise multicloud deployments, and campus distribution or core deployments. The QFX5120-48YM is a 25GbE/100GbE switch that offers 48 SFP28 ports and 8 QSFP28 ports. The 48 SFP28 ports support 1-Gbps, 10-Gbps, and 25-Gbps speeds and the 8 QSFP28 ports support 40-Gbps and 100-Gbps speeds. QFX5120-48YM switches support both manual and auto-channelization, but manual CLI channelization always takes precedence. [See Port Settings.]

    To install the QFX5120-48YM switch hardware and perform initial software configuration, routine maintenance, and troubleshooting, see QFX5120 Switch Hardware Guide. See Feature Explorer for the complete list of features for any platform.

    Table 3 summarizes the QFX5120-48YM features in Junos OS Release 20.4R1.

    Table 3: Features Supported by the QFX5120-48YM

    Feature

    Description

    Access security

    Authentication and access control

    Class of service (CoS)

    • QFX5120-48YM switches support all class-of-service (CoS) features except the following: shared unicast and multi-destination classifiers, forwarding classes, and output queues; CoS flexible hierarchical scheduling (ETS); virtual output queue (VOQ) architecture; and CoS command to detect the source of RED-dropped packets. [See CoS Support on QFX Series Switches, EX4600 Line of Switches, and QFabric Systems.]

    DHCP

    EVPN-VXLAN

    Firewalls and policers

    • Firewall filters provide rules that define whether to permit, deny, or forward packets that are transiting an interface on the device from a source address to a destination address. The supported firewall filter and policer features include:

      • Policer mark down action and policing/rate limiting

      • Single-rate two-color marking (ingress), single-rate tricolor marking (color aware, color blind), and two-rate tricolor marking

      • Filter-based forwarding (FBF) and FBF with destination and source prefix list on IPv6 interfaces

      • Dynamic allocation of TCAM memory to firewall filters and error message displayed when TCAM is full

      • Enhanced filter classification of CPU-generated packets

      • Firewall filter actions: assign forwarding class, counters; logging, syslog, reject; mirroring to an interface; and permit, drop, police, and mark

      • Firewall filter flexible match conditions

      • Firewall filters on loopback interface and management interface

      • IPv6 fields for ingress port and VLAN firewall filters

      • Policer action for MPLS firewall filters

      • Port firewall filters (egress and ingress), routed firewall filters (egress and ingress) and VLAN firewall filters (egress and ingress)

      • TCP/UDP port ranges in classification

      • Loopback filter optimization

      • Firewall filtering and policing on EVPN-VXLAN traffic

      • Filter-based GRE de-encapsulation

      [See Firewall Filter Match Conditions and Actions (QFX5220).]

    • Firewall filter support on Layer 3 interfaces. [See Firewall Filter Match Conditions and Actions (QFX5220).]

    High availability

    • Nonstop bridging (NSB), and nonstop active routing (NSR) for IPv6 and OSPFv2.

    Interfaces and chassis

    • Support for the following resiliency features:

      • Operating system resiliency to recover the Junos OS software by using the recovery mode option on the Grub menu, which is visible after BIOS has booted up.

      • Partial resiliency for DIMM errors, machine-check exception (MCE), and PCI Express advanced error reporting (AER). If required, you can get help from the Juniper Networks Technical Assistance Center (JTAC) to manually debug these types of errors when they occur.

      [See Channelizing Interfaces on QFX5120-48YM Switches.]

    • Support for channelizing interfaces. The QFX5120-48YM contains a total of 56 ports, of which 8 are QSFP28 ports and 48 are SFP28 ports. To channelize speed, you use the channel-speed statement. For setting speed, you use the set chassis fpc 0 pic 0 port <25g|1g|10g|50g|100g|40g> command. The speeds supported are:

      • 1 Gbps, 10 Gbps, and 25 Gbps on SFP28

      • 40 Gbps, 100 Gbps, 4x25 Gbps, 4x10 Gbps, 2x50 Gbps on QSFP28

      • 2x50 Gbps, 4x25 Gbps, or 4x10 Gbps channelization is supported on ports 50 and 52.

      [See Port Settings.]

    Junos OS XML API and scripting

    • Python, SLAX, and XSLT scripting languages, commit scripts and macros, event policy and event scripts, op scripts, and SNMP scripts. [See Automation Scripting User Guide.]

    Layer 2 features

    • Layer 2 protocol tunneling (L2PT) support to tunnel any of the following Layer 2 protocols: CDP, E-LMI, GVRP, IEEE 802.1X, IEEE 802.3AH, LACP, LLDP, MMRP, MVRP, STP (including RSTP and MSTP), UDLD, VSTP, and VTP. [See Layer 2 Protocol Tunneling.]

    • Support for the following Layer 2 multicast features:

      • IGMP snooping with IGMPv1, IGMPv2, and IGMPv3

      • IGMP proxy

      • IGMP querier

      • Virtual router (VRF-lite) IGMP snooping [See IGMP Snooping Overview.]

    • Support for the following Layer 2 unicast features:

      • 802.1D

      • 802.1w (RSTP)

      • 802.1s (MST)

      • BPDU protection

      • Loop protection

      • Root protection

      • VSTP

      • 802.1Q VLAN trunking

      • 802.1p

      • IRB (Integrated routing and bridging Interface)

      • Layer 3 vlan-tagged sub-interfaces

      • 4096 VLANs

      • Multiple VLAN Registration Protocol (802.1ak)

      • MAC address filtering

      • MAC address aging configuration

      • Static MAC address assignment for interface

      • Per-VLAN MAC learning (limit)

      • MAC Learning Disable

      • Persistent MAC (Sticky MAC)

      • Link Aggregation (Static and Dynamic) with LACP (Fast and Slow LACP)

      • LLDP

      • MC-LAG with configuration sync

      • Uplink Failure Detection (UFD)

      • VxLAN L2 Gateway (Static, OVSDB, EVPN)

      • QinQ Tag manipulation

      • 802.1x (Access control)

      [See Layer 2 Networking.]

    Layer 3 features

    • Traceroute over Layer 3 VPN.

    • Virtual routing and forwarding (VRF) support in IRB interfaces in a Layer 3 VPN.

    • VRF-lite, BGP, IGMP, IS-IS, OSPF, PIM, and RIP.

    • Support for the following Layer 3 multicast features:

      • IGMP version 1 (IGMPv1), version 2 (IGMPv2), and version 3 (IGMPv3)

      • IGMP filtering

      • PIM sparse mode (PIM-SM)

      • PIM dense mode (PIM-DM)

      • PIM source-specific multicast (PIM-SSM)

        Multicast Source Discovery Protocol (MSDP) IGMP and PIM are also supported on virtual routers.

      [See Multicast Overview.]

    • Support for the following Layer 3 unicast features:

      • Virtual Router Redundancy Protocol (VRRP)

      • Static routing

      • OSPFv2

      • IPv4 BGP

      • IPv4 MBGP

      • BGP 4-byte ASN support

      • BGP Add Path (BGP-AP)

      • IS-IS

      • BFD (for RIP, OSPF, ISIS, BGP, PIM)

      • Filter based forwarding (FBF)

      • Unicast reverse path forwarding (unicast RPF)

      • IP directed broadcast traffic forwarding

      • IPv4 over GRE

      • IPv6 neighbor discovery protocol

      • Path MTU discovery

      • IPv6 CoS (BA, classification and rewrite, scheduling based on TC)

      • IPv6 ping

      • IPv6 static routing

      • IPv6 traceroute

      • IPv6 stateless auto-configuration

      • IPv6 OSPFv3

      • IPv6 IS-IS

      • IPv6 BGP

      • VRRPv3

      • 32-way equal-cost multipath (ECMP)

      • VXLAN Layer 3 Gateway

      • MPLS over UDP

      • DHCP snooping

      • IPv6 Ready Logo certification

    MPLS

    OVSDB-VXLAN

    Network management and monitoring

    • Support for the following services:

      • sFlow networking monitoring technology—Collects samples of network packets and sends them in a UDP datagram to a monitoring station called a collector. You can configure sFlow technology on a device to monitor traffic continuously at wire speed on all interfaces simultaneously. The inline-sampling configuration option is available.

      • Local, remote, and extended port mirroring—Copies packets entering or exiting a port or entering a VLAN and sends the copies to a local interface (local port mirroring), to a VLAN (remote port mirroring), or to the IP address of a device running an analyzer application on a remote network (extended port mirroring). When you use extended port mirroring, the mirrored packets are GRE-encapsulated.

      • Storm control—Causes a device to monitor traffic levels and take a specified action when a specified traffic level—called the storm control level—is exceeded, thus preventing packets from proliferating and degrading service. You can configure devices to drop broadcast and unknown unicast packets, shut down interfaces, or temporarily disable interfaces when the storm control level is exceeded.

      [See Overview of sFlow Technology, Understanding Port Mirroring, and Understanding Storm Control.]

    • Support for adding nonnative YANG modules to the Junos OS schema. [See Understanding the Management of Nonnative YANG Modules on Devices Running Junos OS.]

    • Puppet for Junos OS support. [See Puppet for Junos OS Administration Guide.]

    Port Security

    Software installation and upgrade

    • Secure boot—The implementation is based on the UEFI 2.4 standard. [See Software Installation and Upgrade Guide.]

    • You need a license to use the features on the QFX5120-48YM. To find out what features are supported on this device, see QFX Switch Support for the Juniper Flex Program. To add, delete, and manage licenses, see Managing Licenses.

    • Zero-touch provisioning (ZTP). [See Zero Touch Provisioning Overview.]

    • Virtualization enables the switch to support multiple instances of Junos OS and other operating systems on the same Routing Engine. One instance of Junos OS, which runs as a guest operating system, is launched by default. You need to log in to this instance for operations and management. The Routing Engines on the QFX5120-48YM switches support the Wind River Linux 9 (WRL9) kernel version. [See What Are VMHosts?.]

    To view the hardware compatibility matrix for optical interfaces and transceivers supported on the QFX5120-48YM, see the Hardware Compatibility Tool.

Class of Service (CoS)

  • Priority-based flow control (PFC) using Differentiated Services code points (DSCP) at Layer 3 for untagged traffic (QFX5210 switches)—Starting in Junos OS Release 20.4R1, to support lossless traffic across Layer 3 connections to Layer 2 subnetworks on QFX5210 switches, you can configure priority-based flow control (PFC) to operate using 6-bit DSCP values from Layer 3 headers of untagged VLAN traffic. You can do this rather than use IEEE 802.1p priority values in Layer 2 VLAN-tagged packet headers. You need DSCP-based PFC to support remote direct memory access (RDMA) over converged Ethernet version 2 (RoCEv2).

    To enable DSCP-based PFC:

    1. Map a forwarding class to a PFC priority using the pfc-priority statement.

    2. Define a congestion notification profile to enable PFC on traffic specified by a 6-bit DSCP value.

    3. Set up a classifier for the DSCP value and the PFC-mapped forwarding class.

    [See Understanding PFC Using DSCP at Layer 3 for Untagged Traffic.]

EVPN

  • Multicast with IGMPv3 in EVPN-VXLAN centrally-routed bridging overlay fabrics (QFX10000, QFX5110, and QFX5120)—Starting in Junos OS Release 20.4R1, you can configure IGMPv3 multicast in an EVPN-VXLAN centrally-routed bridging overlay fabric with multihoming for the following IPv4 multicast traffic use cases:

    • Intra-VLAN forwarding

    • Inter-VLAN routing using:

      • IRB interfaces configured with PIM

      • A PIM gateway router (for Layer 2 or Layer 3 connectivity)

      • An external multicast router

    IGMPv3 multicast works with these multicast optimizations:

    • IGMP snooping

    • Selective multicast (SMET) forwarding

    • Assisted replication (AR)

    These devices process IGMPv3 reports in one of two modes:

    • As any-source multicast (ASM) (*,G) reports by default

    • As source-specific multicast (SSM) (S,G) reports only (if you explicitly configure this mode)

    [See Overview of Multicast Forwarding with IGMP Snooping in an EVPN-VXLAN Environment, Overview of Selective Multicast Forwarding, Assisted Replication Multicast Optimization in EVPN Networks, and evpn-ssm-reports-only.]

  • MAC VRF with EVPN-VXLAN (MX Series and vMX routers; QFX5100, QFX5110, QFX5120, QFX5200, QFX10002, QFX10008, and QFX10016 switches)—Data center service providers must support multiple customers with their own routing and bridging policies in the same physical network. To accommodate this requirement, you can now configure multiple customer-specific EVPN instances (EVIs) of type mac-vrf, each of which can support a different EVPN service type. This configuration results in customer-specific virtual routing and forwarding (VRF) tables with MAC addresses on each Juniper Networks device that serves as a virtual tunnel endpoint (VTEP) in the EVPN-VXLAN network.

    Note

    We support MAC VRF routing instances for EVPN unicast routes only.

    To support this feature, we introduce a uniform routing instance configuration, which complies with RFC 7432, BGP MPLS-Based Ethernet VPN. The uniform configuration eliminates hardware restrictions that limit the number of EVIs and combinations of EVIs with their respective policies that can simultaneously exist. The common configuration includes the following new CLI elements:

    • The mac-vrf keyword at the [edit routing-instances name instance-type] hierarchy level.

    • The service-type configuration statement at the [edit routing-instances name] hierarchy level. We support VLAN-based, VLAN-aware, and VLAN-bundle service types.

    • (QFX10000 line of switches only) The forwarding-instance configuration statement at the [edit routing-instances name] hierarchy level. With this optional configuration statement, you can map multiple routing instances to a single forwarding instance. If you don’t include this configuration statement, the default forwarding instance is used.

    We continue to support the existing method of routing instance configuration along with the new uniform routing instance configuration.

    [See EVPN User Guide.]

  • Filter-based forwarding in EVPN-VXLAN networks (QFX10002-36Q, QFX10002-72Q, QFX10002-60C, QFX10008, and QFX10016)—Instead of using the routing functionality typically provided by routing protocols, you can now use firewall filter-based forwarding. With filter-based forwarding, you can use firewall filter match conditions and actions to better control how traffic is routed in your EVPN-VXLAN network.

    We support the following filter-based forwarding use cases:

    • Redirecting traffic received on IRB interfaces. To set up a firewall filter:

      • Create an input filter.

        Note

        When specifying an IP address for this filter, you can use either IPv4 or IPv6 addresses.

      • Specify the following match criteria:

        • The source and destination IP addresses in the inner header after a packet is de-encapsulated.

        • The source and destination ports in the inner header.

      • Specify an action that directs matching packets to one of the following:

        • A routing instance

        • A next hop

        • A next hop and a routing instance

      • Apply the filter to an IRB interface with or without a virtual gateway address or an anycast address.

    • Handling transit traffic that matches a VXLAN network identifier (VNI). To set up a firewall filter:

      • Create an input filter.

        Note

        When specifying an IP address for this filter, you must use an IPv4 address.

      • Specify the following match criteria:

        • VNI.

        • The source and destination IP addresses in the outer header.

      • For the action, specify count or any other firewall filter action that is supported by the QFX10000 line of switches.

      • Apply the filter to a Layer 3 interface.

    [See Understanding Filter-Based Forwarding.]

  • Loop detection for EVPN-VXLAN fabrics (QFX5120, QFX5200, QFX5210, and QFX5220)—You can configure loop detection on the server-facing Layer 2 interfaces of the leaf devices in an EVPN-VXLAN fabric. This feature can detect the following types of Ethernet loops:

    • A loop between two interfaces with different Ethernet segment identifiers (ESIs). This loop is typically caused by miswiring fabric components.

    • A loop between two interfaces with the same ESI. This loop is typically caused by miswiring a third-party switch to the fabric.

    After you’ve enabled loop detection, the interfaces periodically send multicast loop-detection protocol data units (PDUs). If a loop detection-enabled interface receives a PDU, a loop is detected, which triggers the configured action to break the loop. For example, if the configured action is interface-down, the interface is brought down. After the revert-interval timer expires, the configured action is reverted, and the interface is brought back up again.

    [See loop-detect.]

  • IPv6 multicast with MLDv1 and MLDv2 in EVPN-VXLAN centrally-routed bridging overlay fabrics (QFX10000, QFX5110, and QFX5120)—Starting in Junos OS Release 20.4R1, you can configure MLDv1 and MLDv2 multicast in an EVPN-VXLAN centrally-routed bridging overlay fabric with multihoming for the following IPv6 multicast traffic use cases:

    • Intra-VLAN forwarding

    • Inter-VLAN routing using:

      • IRB interfaces configured with PIM

      • A PIM gateway router (for Layer 2 or Layer 3 connectivity)

      • An external multicast router

    MLD multicast works with these multicast optimizations:

    • MLD snooping

    • Selective multicast (SMET) forwarding

    • Assisted replication (AR)

    These devices process MLD reports as follows:

    • MLDv1 reports as any-source multicast (ASM) (*,G) reports

    • MLDv2 reports in one of two modes:

      • As any-source multicast (ASM) (*,G) reports by default

      • As source-specific multicast (SSM) (S,G) reports only (if you explicitly configure this mode)

    [See Overview of Multicast Forwarding with IGMP Snooping or MLD Snooping in an EVPN-VXLAN Environment, Overview of Selective Multicast Forwarding, Assisted Replication Multicast Optimization in EVPN Networks, and evpn-ssm-reports-only.]

  • Seamless EVPN-VXLAN stitching with multicast support (QFX10002-36Q, QFX10002-72Q, QFX10008, and QFX10016)—Starting in Junos OS Release 20.4R1, we support the following multicast features with the seamless EVPN-VXLAN stitching data center interconnect (DCI) use case:

    • Protocol Independent Multicast (PIM)

    • Internet Group Management Protocol version 2 (IGMPv2) snooping

    • Assisted replication (AR) with the following use cases:

      • The super spine device, which interconnects the data centers, and the AR replicator are two separate devices.

      • The super spine device and the AR replicator are the same device.

    • Selective multicast Ethernet tag (SMET)

    [See interconnect.]

Flow-Based and Packet-Based Processing

  • Support for user-defined flex hashing for MPLS traffic flows (QFX5210; Accton Edgecore AS7816 running Junos OS on White Box)—Starting in Junos OS Release 20.4R1, you can configure user-defined flex hashing to load-balance MPLS traffic based on TCP or UDP source and destination port information. User-defined flex hashing, which supports protocol versions IPv4 and IPv6, enables you to set byte offsets in packet headers to influence hashing computation. You specify two offsets, each 2 bytes in length, from the first 128 bytes of a packet. You can configure the selected bytes to be directly used for hashing or to be used only when the data pattern in these bytes matches specific values (conditional match). To provide load balancing in spine layers, configure flex hashing and encapsulate the traffic in VXLAN, thus enabling entropy at UDP source ports. At de-encapsulation, configure the no-inner-payload statement to load-balance based on the outer UDP header.

    To configure user-defined flex hashing:

    To configure a conditional match (repeat the following command with values for offsets and match data 2-4):

    To enable load balancing on VXLAN transit traffic based on the outer UDP header:

    To troubleshoot, use the show forwarding-options enhanced-hash-key command.

    Limitations:

    • Use a maximum of two MPLS labels.

    • Use only even values for offset1 and offset2.

    • If you are using conditional matches, configure the conditions before you attach them to the flex-hashing entry.

    • An aggregated Ethernet (ae) or LAG interface is not supported as an input interface. You can configure input interfaces on LAGs by configuring the same user-defined flex-hashing data and the same conditional-match data on all member interfaces of a LAG interface.

      • Apply a similar set of commands to the various member interfaces. For example, if the members of a particular LAG are xe-0/0/2, xe-0/0/3, and xe-0/0/4, configure three slightly different flex-hashing rules on those individual member interfaces—the rules are identical except that they have different names for the incoming traffic:

        • set forwarding-options enhanced-hash-key flex-hashing FLEX_L2_V6_TCP_4 ethtype mpls interface xe-0/0/2

          set forwarding-options enhanced-hash-key flex-hashing FLEX_L2_V6_TCP_4 ethtype mpls num-labels 2

          set forwarding-options enhanced-hash-key flex-hashing FLEX_L2_V6_TCP_4 ethtype mpls conditional-match COND_L2_V6_TCP_4

          set forwarding-options enhanced-hash-key flex-hashing FLEX_L2_V6_TCP_4 ethtype mpls hash-offset offset1 base-offset1 start-of-L3-OuterHeader

          set forwarding-options enhanced-hash-key flex-hashing FLEX_L2_V6_TCP_4 ethtype mpls hash-offset offset1 offset2 offset2-mask ffff


          [...configuration commands truncated...]

        • set forwarding-options enhanced-hash-key flex-hashing FLEX_L2_V6_TCP_5 ethtype mpls interface xe-0/0/3

          [...configuration commands truncated...]

        • set forwarding-options enhanced-hash-key flex-hashing FLEX_L2_V6_TCP_6 ethtype mpls interface xe-0/0/4

          [...configuration commands truncated...]

      • Use unique flex-data profile names and unique conditional-data profile names for each member interface—for example, in the following conditional-data profile names, the port number is unique in each instance:

        • ...enhanced-hash-key conditional-match COND_L1_V6_UDP_SRC_PORT_1...

        • ...enhanced-hash-key conditional-match COND_L1_V6_UDP_SRC_PORT_2...

    [See flex-hashing.]

High Availability (HA) and Resiliency

  • Disk health monitoring (QFX5100 and QFX5120-48Y)—Starting in Junos OS Release 20.4R1, the QFX5100 and QFX5120-48Y switches support disk-health monitoring. This feature detects solid-state drive (SSD) failures and reboots the device gracefully to handle those failures. With this feature in place, you need not manually intervene to recover the system from an SSD failure condition. QFX5100 switches used in a Virtual Chassis also support this feature.

    [See show chassis routing-engine]

Interfaces and Chassis

IP Tunneling

  • IPIP encapsulation for flexible tunnel interfaces (FTIs) (QFX5100, QFX5110, QFX5120, QFX5200, and QFX5210)—We've extended flexible tunnel interfaces (FTIs) and existing forwarding constructs to support configuring static IPv4 IP-in-IP tunnels and RIB APIs. To configure an IP-in-IP tunnel on a FTI, use the ipip option at the [edit interfaces interface-name unit logical-unit-number tunnel encapsulation] hierarchy level.

    [See Configuring Flexible Tunnel Interfaces and ipip.]

Juniper Extension Toolkit

  • Support for static backup paths with IP-in-IP tunnel encapsulation and provisioning APIs (QFX5100, QFX5110, QFX5120, QFX5200, and QFX5210)—We’ve enhanced Juniper Extension Toolkit (JET) APIs to enable a controller to set up underlay network backup paths that use IP-in-IP tunnels with IPv4 encapsulation. JET APIs notify the controller of active paths, interfaces, and changes to the interface state. The loop-free backup paths help quickly restore failed core transport networks built with only IP protocols.

    [See JET APIs on Juniper EngNet.]

  • Support for policy match condition to match programmed routes (QFX5100, QFX5110, QFX5120, QFX5200, and QFX5210)—We’ve introduced a new option programmed that allows policy matches for routes injected by JET APIs. To allow policy matches for routes injected by JET APIs, use the programmed option at the [edit policy-options policy-statement policy-name term term-name from] hierarchy level. To view details about programmed routes, use the show route programmed (detail | extensive) command.

    [See policy-statement and show route.]

  • RIB service API option to control route distribution (QFX5100, QFX5110, QFX5120, QFX5200, and QFX5210)—We’ve added a no-advertise flag to the RIB service API per-route RouteAttributes object to limit re-advertisement of the provisioned route. You can set this flag to TRUE to prevent the route from being redistributed to routing protocols and advertised to peers.

    [See JET APIs on Juniper EngNet.]

Junos OS XML, API, and Scripting

  • Support for Certificate Authority Chain Profile (EX2300, EX3400, EX4300, MX240, MX480, MX960, PTX-5000, VMX, vSRX and QFX5200)—Starting in Junos OS Release 20.4R1, you can configure an intermediate certificate authority (CA) chain profile certificate and perform HTTPS REST API requests using mutual and server authentication.

    To configure an intermediate CA chain certificate, configure the ca-chain ca-chain statement at the [edit system services rest https] hierarchy level.

  • Start time option for interval-based internal events that trigger event policies (EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—Starting in Junos OS Release 20.4R1, when you create an interval-based internal event for triggering event policies, you can specify the start date and time for the initial event. To specify a start time, configure the start-time option along with the time-interval option at the [edit event-options generate-event] hierarchy level.

    [See Generating Internal Events to Trigger Event Policies.]

Junos Telemetry Interface

Network Management and Monitoring

  • Support for sFlow technology with VXLAN (QFX5110, QFX5120-32C, QFX5120-48Y, and QFX5120-48T-6C)—Starting in Junos OS Release 20.4R1, we support sFlow technology with VXLAN. sFlow is a monitoring technology for high-speed switched or routed networks. The sFlow agent performs packet sampling and gathers interface statistics, and then combines the information into UDP datagrams that are sent to sFlow collectors.

    Keep the following points in mind:

    • True egress sampling is not supported on the switches. Egress sampling is done at the end of the ingress pipeline, and so the egress samples do not contain modifications that are made to the packet in the egress pipeline. When the packet flow is from the access port to the network port, sFlow is configured on the egress network port, and thus packets are captured without VXLAN encapsulation at the collector.

    • Egress sampling for BUM traffic is not supported.

    • Extended router data with next-hop information is not supported on the switches.

    • Sampling on ingress interfaces does not capture CPU-bound traffic.

    • You cannot configure sFlow on a link aggregation group (LAG), but you can configure it individually on a LAG member interface.

    • You must not configure sFlow for more than one logical interface on a physical interface.

    [See Overview of sFlow Technology.]

  • Configuration retrieval using the configuration revision identifier (EX3400, EX4300, MX204, MX240, MX480, MX960, MX2020, PTX3000, PTX10008, QFX5100, QFX10002-60C, SRX5800, vMX, and vSRX)—Starting in Junos OS Release 20.4R1, you can use the configuration revision identifier feature to view the configuration for a specific revision. This configuration database revision can be viewed with the CLI command show system configuration revision.

    [See show system configuration revision.]

  • sFlow sampling support for IP-IP traffic (QFX5100 and QFX5200)—Starting in Junos OS Release 20.4R1, you can use sFlow technology to sample IP over IP (IP-IP) traffic at a physical port. This feature is supported for IP-IP tunnels with an IPv4 outer header that carry IPv4 or IPv6 traffic. You can use sFlow monitoring technology to randomly sample network packets from IP-IP tunnels to send the samples to a destination collector for monitoring. Devices that act as an IP-IP tunnel entry point, transit device, or tunnel endpoint support sFlow sampling.

    [See Overview of sFlow Technology.]

  • Junos XML protocol operations support loading and comparing configurations using the configuration revision identifier (EX3400, EX4300, MX204, MX240, MX480, MX960, MX2020, PTX3000, PTX10008, QFX5100, QFX10002-60C, SRX5800, vMX, and vSRX)—Starting in Junos OS Release 20.4R1, the Junos XML management protocol operations support loading and comparing configurations by referencing the configuration revision identifier of a committed configuration. You can execute the <load-configuration> operation with the configuration-revision attribute to load the configuration with the given revision identifier into the candidate configuration. Additionally, you can compare the candidate or active configuration to a previously committed configuration by referencing the configuration revision identifier for the comparison configuration. The <get-configuration> operation supports the compare="configuration-revision" and configuration-revision attributes to perform the comparison.

    [See <get-configuration> and <load-configuration>.]
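
The revision-based comparison described above lends itself to configuration-drift auditing. The following is an added example, not code from these release notes or from Juniper: it builds the `<get-configuration>` and `<load-configuration>` requests with the attributes named above and flags security-relevant hierarchies in a text-format compare reply. The revision identifier, the reply shape, the identifier check, and the list of sensitive hierarchies are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed revision identifier; real values come from the device.
EXAMPLE_REVISION = "re0-1605138555-378"

# Hierarchies treated as security-relevant (assumed list for this example).
SENSITIVE_PREFIXES = ("system login", "system services",
                      "system root-authentication", "firewall", "policy-options")

# Conservative token check (assumption): keeps untrusted input out of the RPC.
_REVISION_RE = re.compile(r"^[A-Za-z0-9._-]+$")

# Constructed sample reply; the element names are the assumed reply shape.
SAMPLE_REPLY = """<rpc-reply>
<configuration-information>
<configuration-output>
[edit system login]
+    user audit {
+        class read-only;
+    }
[edit interfaces xe-0/0/2]
-    description uplink-old;
+    description uplink-new;
[edit firewall family ethernet-switching filter f1 term t1 then]
+    flood;
</configuration-output>
</configuration-information>
</rpc-reply>"""


def _checked(revision_id):
    """Reject identifiers that are empty or contain unexpected characters."""
    if not _REVISION_RE.match(revision_id or ""):
        raise ValueError(f"unexpected revision identifier: {revision_id!r}")
    return revision_id


def build_compare_rpc(revision_id, database="candidate"):
    """<get-configuration> comparing `database` with a committed revision."""
    rpc = ET.Element("rpc")
    ET.SubElement(rpc, "get-configuration", {
        "database": database,
        "compare": "configuration-revision",
        "configuration-revision": _checked(revision_id),
        "format": "text",
    })
    return ET.tostring(rpc, encoding="unicode")


def build_load_rpc(revision_id):
    """<load-configuration> that loads a revision into the candidate."""
    rpc = ET.Element("rpc")
    ET.SubElement(rpc, "load-configuration",
                  {"configuration-revision": _checked(revision_id)})
    return ET.tostring(rpc, encoding="unicode")


def parse_compare_reply(reply_xml):
    """Return {hierarchy: [(sign, statement), ...]} from a compare reply."""
    text = ""
    for element in ET.fromstring(reply_xml).iter():
        # Match on the local name so a default namespace does not matter.
        if element.tag.rsplit("}", 1)[-1] == "configuration-output":
            text = element.text or ""
            break
    changes, hierarchy = {}, ""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[edit") and stripped.endswith("]"):
            hierarchy = stripped[len("[edit"):-1].strip()
        elif stripped[:1] in ("+", "-", "!"):
            changes.setdefault(hierarchy, []).append(
                (stripped[0], stripped[1:].strip()))
    return changes


def sensitive_hierarchies(changes, prefixes=SENSITIVE_PREFIXES):
    """List changed hierarchies that fall under a sensitive prefix."""
    flagged = []
    for hierarchy, edits in changes.items():
        for _sign, statement in edits:
            # Join hierarchy and statement so top-level [edit] diffs match too.
            path = f"{hierarchy} {statement}".strip()
            if any(path == p or path.startswith(p + " ") for p in prefixes):
                flagged.append(hierarchy or "[edit]")
                break
    return flagged


if __name__ == "__main__":
    print(build_compare_rpc(EXAMPLE_REVISION))
    print(build_load_rpc(EXAMPLE_REVISION))
    for hierarchy in sensitive_hierarchies(parse_compare_reply(SAMPLE_REPLY)):
        print("review:", hierarchy)
```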

Platform and Infrastructure

  • Flooding bridge protocol data units (BPDUs) using existing ingress port-based firewall filters (QFX5100, QFX5110, QFX5120-32C, QFX5200, and QFX5210)—Starting in Junos OS Release 20.4R1, you can configure a new firewall filter CLI action to flood BPDUs using the set firewall family ethernet-switching filter f1 term t1 then flood statement. The flexibility to flood BPDUs on a per port basis for the QFX5000 line of switches can be achieved by using the existing ingress port-based firewall filters.

    [See Configuring a Firewall Filter.]

Routing Policy and Firewall Filters

  • Support for route’s next-hop weight in policy match condition (MX Series, PTX Series, and QFX Series)—Starting in Junos OS Release 20.4R1, a route with multiple next-hop paths can use the weight associated with a path to identify primary and backup paths. The path with the lowest weight is used as the primary path, and any paths with higher weights are treated as backup paths. You can use the next-hop weight as a match condition in export policies to redistribute IGP and BGP routes based on whether the primary or backup paths are active.

    Configure this match condition using the [edit policy-options policy-statement policy-name term term-name from] statement.

    [See policy-statement and show policy.]

  • IPv6 support for firewall filtering and policing on EVPN-VXLAN traffic (QFX5100, QFX5110, QFX5120, QFX5200, and QFX5210)— Starting with Junos OS Release 20.4R1, you can use IPv6 for firewall filters and policers on VXLAN traffic in an EVPN topology. Configure firewall filters at the [edit firewall] hierarchy level. For each firewall filter that you apply to a VXLAN, you can specify family ethernet-switching to filter Layer 2 (Ethernet) packets or family inet or family inet6 to filter on IRB interfaces. You can apply firewall filters and policers on CE-facing interfaces in the ingress direction only. For IRB interfaces, you can apply filtering only at the ingress point of a non-encapsulated frame routed through the IRB interface.

    [See Understanding VXLANs and Overview of Firewall Filters.]

  • Support for matching IPv6 source addresses from an inet6 egress interface (QFX5110)—Starting in Junos OS Release 20.4R1, you can configure a firewall filter on an IPv6 egress interface to match specified IPv6 source or destination addresses, for example, to protect a third-party device connected to the switch.

    [See eracl-ip6-match and Example: Configuring an Egress Filter Based on IPv6 Source or Destination IP Addresses.]

Routing Protocols

  • Support for multiple single-hop EBGP sessions on different links using the same IPv6 link-local address (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series, vMX, and vSRX)—Starting in Junos OS Release 20.4R1, you are no longer required to have unique peer addresses for Juniper devices for every EBGP session. You can now enable single-hop EBGP sessions on different links over multiple directly connected peers that use the same IPv6 link-local address.

    In earlier Junos OS Releases, BGP peers could be configured with link-local addresses, but multiple BGP peers could not be configured to use the same link-local address on different interfaces.

    [See Configure Multiple Single-Hop EBGP Sessions on Different Links Using the Same Link-Local Address (IPv6).]

  • Support for IS-IS flood-reflector interfaces (PTX1000, QFX10002, QFX10008)—Starting in Junos OS Release 20.4R1, we support the IS-IS flood reflector feature, which allows creation of IS-IS flood reflection topologies. Flood reflection allows the creation of topologies where Level 1 areas provide transit forwarding for Level 2 destinations within a Level 2 topology that provides better scalability.

    We designate flexible tunnel interfaces (FTI) as flood-reflector interfaces. To enable the flood reflector on an FTI, include the flood-reflector statement at the [edit protocols isis interface interface name level level number] hierarchy level.

    You can configure the interface to be either the reflector or the client. To enable the reflector, you can use the flood-reflector reflector cluster-id statement at the [edit protocols isis level level number] hierarchy level.

    To enable the flood reflector client, include the flood-reflector client statement at the [edit protocols isis level level number] hierarchy level.

    Note

    You can configure the flood reflector feature on FTIs at Level 2 only.

    [See How to Configure Flood Reflector Interfaces in IS-IS Networks.]

  • Support for relaxing BGP router ID format from /32 to a nonzero ID per RFC 6286 (MX204, NFX Series, PTX5000, QFX Series, and vRR)—Starting in Junos OS Release 20.4R1, you can establish a BGP connection using a BGP identifier that is a 4-octet, unsigned, nonzero integer and that needs to be unique only within the autonomous system (AS), per RFC 6286. In earlier releases, the BGP ID of a BGP speaker was required to be a valid IPv4 host address assigned to the BGP speaker.

    To enable this feature, use the bgp-identifier identifier group bgp group name bgp-identifier identifier neighbor peer address bgp-identifier identifier configuration statement at the [edit protocols bgp] hierarchy level.

    [See router-id.]

  • Support for IPv4 VPN unicast and IPv6 VPN unicast address families in BGP (QFX10002-60C, QFX10002, QFX10008, and QFX10016)—Starting in Junos OS Release 20.4R1, on QFX Series switches, the following address families are supported to enable advertisement or reception, or both, of multiple paths to a destination to and from the same BGP peer, instead of advertising and receiving only one path to and from the same BGP peer, under the [edit protocols bgp group group-name] hierarchy. You can configure the add-path statement at the BGP global, group level, and peer level.

    • IPv4 VPN unicast (family inet-vpn)

    • IPv6 VPN unicast (family inet6-vpn)

    [See Understanding the Advertisement of Multiple Paths to a Single Destination in BGP.]

Software Defined Networking (SDN)

  • PCEP support for color (MX480, QFX5200)—Starting in Junos OS Release 20.4R1, the Path Computation Element Protocol (PCEP) supports color for colored segment routing LSPs. This includes Path Computation Element (PCE)-initiated, Path Computation Client (PCC)-controlled, and PCC-delegated segment routing LSPs. With this PCEP extension, you can configure candidate paths based on color and endpoints, where the active candidate path is the path with the highest segment routing preference, or based on source priority.

    [See Understanding Static Segment Routing LSP in MPLS Networks.]

  • Static VXLAN at VLAN or bridge domain level (MX5, MX10, MX40, MX80, MX150, MX240, MX480, MX960, MX2008, MX2010, MX2020, MX10003, MX10008, MX10016 routers and QFX5120-32C, QFX5120-48T, and QFX5120-48Y switches)—In Junos OS Release 20.3R1 and earlier, we supported the configuration of static VXLAN at the global level only. By including the remote-vtep-list configuration statement at the [edit switch-options] or [edit routing-instances name] hierarchy level, you can map all local VLANs or bridge domains to the remote virtual tunnel endpoints (VTEPs) in the list.

    Starting in Junos OS Release 20.4R1, you can also configure static VXLAN at the VLAN or bridge domain level using the static-remote-vtep-list configuration statement at the [edit vlans name vxlan], [edit bridge-domains name vxlan], or [edit routing-instances name bridge-domains name vxlan] hierarchy level.

    When specifying remote VTEPs at the VLAN level in the default switching instance, you must also specify the same VTEPs at the global level in the default switching instance. Or when specifying remote VTEPs at the bridge domain level in a routing instance, you must also specify the same VTEPs at the global level in the same routing instance. For example, if you specify a VTEP in the static-remote-vtep-list at the [edit routing-instances name bridge-domains name vxlan] hierarchy level, you must also specify the VTEP in the remote-vtep-list at the [edit routing-instances name] hierarchy level.

    To replicate and flood BUM traffic, you must specify the ingress-node-replication configuration statement at the [edit vlans name vxlan], [edit bridge-domains name vxlan], or [edit routing-instances name bridge-domains name vxlan] hierarchy level. This configuration restricts the BUM traffic flood domain to only those VTEPs mapped to a particular bridge domain or VLAN.

    [See Static VXLAN and static-remote-vtep-list.]
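The consistency rule above (every VTEP in a VLAN-level or bridge-domain-level static-remote-vtep-list must also appear in the remote-vtep-list of the same instance, and ingress-node-replication must be present for BUM flooding) can be checked before commit. The following is an added example, not Juniper code; the function names and the sample configuration are constructed, and it assumes the configuration is exported in set format with one VTEP address per statement.

```python
from collections import defaultdict

DEFAULT = "default"  # label used here for the default switching instance

# Constructed sample configuration (assumption: one VTEP address per line).
SAMPLE_CONFIG = """
set switch-options remote-vtep-list 10.0.0.2
set switch-options remote-vtep-list 10.0.0.3
set vlans v100 vxlan vni 10100
set vlans v100 vxlan static-remote-vtep-list 10.0.0.2
set vlans v100 vxlan ingress-node-replication
set vlans v200 vxlan static-remote-vtep-list 10.0.0.4
set vlans v200 vxlan ingress-node-replication
set routing-instances RI1 remote-vtep-list 10.0.1.2
set routing-instances RI1 bridge-domains bd10 vxlan static-remote-vtep-list 10.0.1.2
set routing-instances RI1 bridge-domains bd10 vxlan static-remote-vtep-list 10.0.1.9
"""


def parse(config):
    """Collect global VTEPs, per-domain VTEPs and ingress-node-replication flags."""
    global_vteps = defaultdict(set)  # instance -> remote-vtep-list entries
    domain_vteps = defaultdict(set)  # (instance, domain) -> static-remote-vtep-list
    replication = set()              # (instance, domain) with ingress-node-replication
    for raw in config.splitlines():
        tokens = raw.split()
        if len(tokens) < 3 or tokens[0] != "set":
            continue
        tokens = tokens[1:]
        instance = DEFAULT
        if tokens[0] == "routing-instances" and len(tokens) >= 3:
            # [edit routing-instances name] is the global level of that instance.
            instance, tokens = tokens[1], tokens[2:]
        elif tokens[0] == "switch-options":
            # [edit switch-options] is the global level of the default instance.
            tokens = tokens[1:]
        if len(tokens) == 2 and tokens[0] == "remote-vtep-list":
            global_vteps[instance].add(tokens[1])
        elif (len(tokens) >= 4 and tokens[0] in ("vlans", "bridge-domains")
              and tokens[2] == "vxlan"):
            key = (instance, tokens[1])
            if tokens[3] == "static-remote-vtep-list" and len(tokens) == 5:
                domain_vteps[key].add(tokens[4])
            elif tokens[3] == "ingress-node-replication":
                replication.add(key)
    return global_vteps, domain_vteps, replication


def audit(config):
    """Return (severity, instance, domain, message) tuples for rule violations."""
    global_vteps, domain_vteps, replication = parse(config)
    findings = []
    for (instance, domain), vteps in sorted(domain_vteps.items()):
        missing = vteps - global_vteps.get(instance, set())
        for vtep in sorted(missing):
            findings.append(("error", instance, domain,
                             f"VTEP {vtep} is not in the global remote-vtep-list"))
        if (instance, domain) not in replication:
            findings.append(("warning", instance, domain,
                             "no ingress-node-replication statement"))
    return findings


if __name__ == "__main__":
    for severity, instance, domain, message in audit(SAMPLE_CONFIG):
        print(f"{severity}: instance {instance}, domain {domain}: {message}")
```
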

Software Installation and Upgrade

  • Phone-home client (EX4600, EX4650, EX9200, QFX5110, QFX5200, QFX5210, QFX5120-32C, and QFX5120-48Y)—Starting with Junos OS Release 20.4R1, you can use either the legacy DHCP-options-based ZTP or the phone-home client (PHC) to provision software for the switch. When the switch boots up, if there are DHCP options that have been received from the DHCP server for ZTP, ZTP resumes. If DHCP options are not present, PHC is attempted. PHC enables the switch to securely obtain bootstrapping data, such as a configuration or software image, with no user intervention other than having to physically connect the switch to the network. When the switch first boots up, PHC connects to a redirect server, which redirects to a phone home server to obtain the configuration or software image.

    To initiate either DHCP-options-based ZTP or PHC, the switch must be in a factory-default state, or you can issue the request system zeroize command.

    [See Understanding the Phone-Home Client.]

  • ZTP with DHCPv6 client support (EX3400, EX4300, PTX1000, PTX5000, PTX10002-60C, PTX10008, QFX5100, QFX5200, QFX10002, and QFX10002-60C)—Starting in Junos OS Release 20.4R1, zero touch provisioning (ZTP) supports the DHCPv6 client. During the bootstrap process, the device first uses the DHCPv4 client to request information regarding the image and configuration file from the DHCP server. The device checks the DHCPv4 bindings sequentially. If one of the DHCPv4 bindings fails, the device continues to check for bindings until provisioning is successful. However, if there are no DHCPv4 bindings, the device checks for DHCPv6 bindings and follows the same process as for DHCPv4 until the device can be provisioned successfully. Both DHCPv4 and DHCPv6 clients are included as part of the default configuration on the device.

    The DHCP server uses DHCPv6 options 59 and 17 and applicable suboptions to exchange ZTP-related information between itself and the DHCP client.

    Note

    ZTP supports only HTTP and HTTPS transport protocols.

    [See Zero Touch Provisioning.]

System Management

  • PTP transparent clock (QFX5120-32C)—Starting in Junos OS Release 20.4R1, you can use a transparent clock to update Precision Time Protocol (PTP) packets with the residence time as the packets pass through QFX5120-32C switches. The PTP Transparent Clock (PTP TC) is defined in IEEE 1588-2008 (PTPv2). QFX5120-32C switches support end-to-end transparent clocks, which include only the residence time. To use a transparent clock, enable the e2e-transparent statement at the [edit protocols ptp] hierarchy level.

    [See Understanding Transparent Clocks in Precision Time Protocol.]

System Logging

  • Support for time averaged watermark (MX Series, PTX Series, and QFX Series)—Starting in Junos OS Release 20.4R1, you can capture steady state data of routing and forwarding (RIB/FIB) table routes using the time-averaged-watermark-interval configuration statement at the [edit routing-options] hierarchy level. The time averaged watermark is calculated whenever the time averaged interval is changed from the CLI. The time averaged watermark is logged in syslog if the logs are enabled in the system at LOG_NOTICE level. The default time averaged watermark interval is 1 day. You can see the time averaged watermark using the existing show route summary command.

    [See routing-options and show route summary.]

What's Changed

Learn about what changed in Junos OS main and maintenance releases for QFX Series Switches.

What’s Changed in Release 20.4R2

EVPN

  • Support for displaying SVLBNH information—You can now view shared VXLAN load balancing next hop (SVLBNH) information when you display the VXLAN tunnel endpoint information for a specified ESI and routing instance by using the show ethernet-switching vxlan-tunnel-end-point esi esi-identifier esi-identifier instance instance svlbnh command.

General Routing

  • Support only for manual channelization on QSFP-100G-SR4-T2 optics (QFX5120-48T and QFX5120-32C)—We recommend that you use the active optical cable (AOC) for auto-channelization. The QSFP-100G-SR4-T2 cables do not support auto-channelization. To use the QSFP-100G-SR4-T2 optics with an external breakout cable, you must configure the channelization manually by including the channel-speed statement at the [edit chassis fpc slot-number pic pic-number (port port-number | port-range port-range-low port-range-high)] hierarchy level.

    [See channel-speed.]

Junos XML API and Scripting

  • The jcs:invoke() function supports suppression of root login and logout events in system log files for SLAX commit scripts (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—The jcs:invoke() extension function supports the no-login-logout parameter in SLAX commit scripts. If you include the parameter, the function does not generate and log UI_LOGIN_EVENT and UI_LOGOUT_EVENT messages when the script logs in as root to execute the specified remote procedure call (RPC). If you omit the parameter, the function behaves as in earlier releases in which the root UI_LOGIN_EVENT and UI_LOGOUT_EVENT messages are included in system log files.

    [See invoke() Function (SLAX and XSLT).]

  • The jcs:invoke() function supports suppression of root login and logout events in system log files for SLAX event scripts (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—The jcs:invoke() extension function supports the no-login-logout parameter in SLAX event scripts. If you include the parameter, the function does not generate and log UI_LOGIN_EVENT and UI_LOGOUT_EVENT messages when the script logs in as root to execute the specified remote procedure call (RPC). If you omit the parameter, the function behaves as in earlier releases in which the root UI_LOGIN_EVENT and UI_LOGOUT_EVENT messages are included in system log files.

    [See invoke() Function (SLAX and XSLT).]
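Because a jcs:invoke() call made with no-login-logout leaves no root UI_LOGIN_EVENT or UI_LOGOUT_EVENT in the system log, reviewers benefit from an inventory of which commit and event scripts use the parameter. The following is an added example, not Juniper code; the function names and SLAX fragments are constructed, and it assumes the parameter is passed to jcs:invoke() as a quoted string argument.

```python
import re

# Constructed SLAX fragments (not taken from the release notes).
# Assumption: no-login-logout is passed as a quoted string argument.
SAMPLE_SCRIPTS = {
    "check-ifl.slax": '''\
match configuration {
    var $rpc = <get-interface-information>;
    var $out = jcs:invoke($rpc);
}
''',
    "quiet-audit.slax": '''\
match / {
    var $sw = jcs:invoke("get-software-information", "no-login-logout");
    var $cfg = jcs:invoke(
        "get-configuration",
        "no-login-logout"
    );
    /* jcs:invoke("x", "no-login-logout") in a comment is ignored */
}
''',
}

CALL = re.compile(r"jcs:invoke\s*\(")
STRING = re.compile(r'"([^"]*)"|\'([^\']*)\'')


def strip_comments(src):
    """Blank out /* ... */ comments, keeping newlines so line numbers hold."""
    return re.sub(r"/\*.*?\*/",
                  lambda m: re.sub(r"[^\n]", " ", m.group()),
                  src, flags=re.S)


def call_args(src, start):
    """Return the argument text of a call whose opening '(' ends at start."""
    depth, quote = 1, None
    for i in range(start, len(src)):
        ch = src[i]
        if quote:
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return src[start:i]
    return src[start:]  # unterminated call: examine the rest of the file


def find_invoke_calls(name, src):
    """List every jcs:invoke() call and whether it suppresses login events."""
    src = strip_comments(src)
    calls = []
    for match in CALL.finditer(src):
        args = call_args(src, match.end())
        literals = [a or b for a, b in STRING.findall(args)]
        calls.append({
            "script": name,
            "line": src.count("\n", 0, match.start()) + 1,
            "suppresses_login_events": "no-login-logout" in literals,
        })
    return calls


def audit(scripts):
    """Scan a mapping of script name to source text, sorted by name."""
    report = []
    for name, src in sorted(scripts.items()):
        report.extend(find_invoke_calls(name, src))
    return report


if __name__ == "__main__":
    for call in audit(SAMPLE_SCRIPTS):
        state = "suppressed" if call["suppresses_login_events"] else "logged"
        print(f'{call["script"]}:{call["line"]}: root login/logout events {state}')
```
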

What’s Changed in Release 20.4R1

Class of Service (CoS)

  • We've corrected the output of the "show class-of-service interface | display xml" command. Output of the following sort:

    <container> <leaf-1> data <leaf-2> data <leaf-3> data <leaf-1> data <leaf-2> data <leaf-3> data

    will now appear correctly as:

    <container> <leaf-1> data <leaf-2> data <leaf-3> data <container> <leaf-1> data <leaf-2> data <leaf-3> data

General Routing

  • Control plane DDoS protection packet type option for ARP traffic (PTX Series and QFX Series)—Starting in this release, we've renamed the arp-snoop packet type option in the [edit system ddos-protection protocols arp] protocol group to arp. This packet type option enables you to change the default control plane distributed denial-of-service (DDoS) protection policer parameters for ARP traffic.

    [See protocols (DDoS) (PTX Series and QFX Series).]

  • Support for unicast ARP request on table entry expiration—You can configure the device to send a unicast ARP request instead of the default broadcast request when an ARP table entry is about to expire. The retry requests are unicast at intervals of 5 seconds. Without this option, the retry requests are broadcast at intervals of 800 milliseconds. This behavior reduces overall ARP broadcast traffic. It also supports the use case where access nodes are configured not to forward broadcast ARP requests toward customer CPEs for security reasons and instead translate ARP broadcasts to unicast requests. To confirm whether this is configured, you can issue the following command: show configuration system arp | grep unicast-mode-on-expire.

    [See arp.]

  • Change in license bandwidth command on vMX virtual routers—Starting in Junos OS, to use the available license bandwidth, explicitly set the license bandwidth using the set chassis license bandwidth <ln-mbps> command.

    [See Configuring Licenses on vMX Virtual Routers.]

MPLS

  • The show mpls lsp extensive and show mpls lsp detail commands display next hop gateway LSPid—When you use the show mpls lsp extensive and show mpls lsp detail commands, you'll see next hop gateway LSPid in the output as well.

Network Management and Monitoring

  • Warning changed for configuration statements that correspond to deviate not-supported nodes in YANG data models (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—If you configure a statement corresponding to a YANG data model node that defines the deviate not-supported statement, the Junos OS configuration annotates that statement with the comment Warning: statement ignored: unsupported platform. In earlier releases, the warning is Warning: 'statement' is deprecated.

User Interface and Configuration

  • Verbose format option for exporting JSON configuration data (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—The Junos OS CLI exposes the verbose statement at the [edit system export-format json] hierarchy level. The default format for exporting configuration data in JSON changed from verbose format to ietf format starting in Junos OS Release 16.1R1. You can explicitly specify the default export format for JSON configuration data by configuring the appropriate statement at the [edit system export-format json] hierarchy level. Although the verbose statement is exposed in the Junos OS CLI as of the current release, you can configure this statement starting in Junos OS Release 16.1R1.

    [See export-format.]

Known Limitations

Learn about known limitations in Junos OS Release 20.4R2 for QFX Series Switches. For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

These EVPN-VXLAN features are not supported in some of the QFX Series platforms with Junos OS Release 20.4R2:

Feature                                            | Unsupported Platforms                      | Tracking PRs
---------------------------------------------------|--------------------------------------------|--------------------------
Layer 3 Gateway functionality                      | QFX10002, QFX10008, QFX10016, QFX10002-60C | 1561102, 1561115, 1522585
VPLAG (with Type-5) traffic                        | QFX5110, QFX5120                           | 1545178, 1560173
Native VLAN ID configuration                       | QFX5110, QFX5120                           | 1552671, 1559813, 1560038
VLAN 2 (untagged traffic routed over native vlan)  | QFX5100                                    | 1560161

EVPN

  • VTEP interface displays output packets underlying the physical interface. PR1549820

Layer 2 Features

  • On the QFX5000 devices with storm control, there is a significant difference between the configured rate and actual rate. PR1526906

  • On the QFX5000 devices with SP-style aggregated Ethernet, the child member link change leads to momentary CRC error and drops traffic when there is a scale of logical interfaces. PR1532342

Platform and Infrastructure

  • After configuring and deleting the Ethernet loopback configuration, the interface goes down and does not come up. PR1353734

  • Reroute counter log events are seen sometimes while changing the routes pointed by the unilist next hop. PR1380350

  • On the QFX10000 line of switches, the analyzer does not mirror after adding the child member to an aggregated Ethernet interface. PR1417694

  • When the spine underlay is tagged and untagged, the inner packet comes and goes over the type-2 tunnel resulting in IPv4 discarding traffic silently on PECHIP. PR1435864

  • After renaming VLAN on the trunk interface, the local host MAC learning halts for more than 30 seconds. PR1454274

  • Changing the scaled firewall profiles on the fly does not release the TCAM resources as expected. PR1512242

  • On the QFX5110-48S devices, in the output of the show sflow collector detail command, the Number of Datagrams and Number of Flow Samples values are displayed as zero. PR1525356

  • The following notification pops up during the reboot or powering off: [FAILED] Failed unmounting /var. PR1527581

  • The show chassis environment and show chassis fan commands have different string status for fan failure. PR1527628

  • The vmcore process might generate core file during aggressive sensor subscribe and unsubscribe. PR1528432

  • With 4x10G breakout cable on disabling auto-channelization, the dut interface goes to the Down state while 10G interfaces on the peer are in the Up state. PR1531850

  • On the QFX10002 devices, the nextHop field is missing in the reported sFlow sampled data when sFlow egress sampling is enabled in the aggregated Ethernet interface ecmp case at the IPIP tunnel transit scenario. PR1533307

  • The input runts error counter does not increment on sending the packets with size less than 64 bytes. PR1533322

  • ECMP over GRE does not work for the BGP routes. PR1537924

  • The QFX5100 devices send a maximum of around 700 samples per second to the sFlow collector. PR1539815

  • Power interruption during firmware upgrade is not recommended. PR1543192

  • The QFX10000 devices do not keep the inner vlan-id on the egress EP interface. PR1546840

  • On the QFX5120 and QFX5200 devices, the EVPN VXLAN loop detect and CFM must not be configured on the same VLAN. PR1553384

  • When you commit the request system reboot statement, routers get stuck in the rebooting state occasionally. PR1385970

Routing Protocols

  • Node protection for the RSVP LSP on FTI interfaces does not work. PR1456350

  • On the QFX5000 devices, the PIP decap in the forward filter does not work when the NO from matching conditions AND when subnet masks < 32 statement is used. PR1511893

  • On the QFX5210 devices, when two Flex Hash rules are configured, on deactivating first one, second one is not programmed in hardware. PR1521306

  • On the QFX5100-24Q devices, error messages are observed on deactivating and activating interfaces. PR1522701

  • On the QFX5000 devices, error messages on the Packet Forwarding Engine console are observed when 512 IP-IP tunnels are brought up. PR1525270

  • On the QFX5100 devices, if the qfx-5e codes (non-TVP architecture) are not run when an image with the Broadcom SDK upgrade (6.5.x) is installed, the CPU utilization might go up by around 5 percent. PR1534234

  • On QFX5120-48YM devices, when a scale of IPv4 and IPv6 routes is present in the LPM profile, a few of the IPv6 routes are not installed when the ports on which the routes are learned are flapped, due to an LPM table full error. PR1557655

Open Issues

Learn about open issues in Junos OS Release 20.4R2 for QFX Series Switches. For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

EVPN

  • On the QFX5120 devices, traffic received on the VTEP which is not configured in static-remote-vtep-list is not dropped. PR1543779

High Availability (HA) and Resiliency

  • On the QFX5200-32C devices, the reboot time is degraded from 205 seconds in Junos OS Release 20.2R1 to 260 seconds in Junos OS Release 20.3. PR1511607

Layer 2 Features

  • On the QFX5110 and QFX5120 devices, changing lo0 IP address might sometimes either result in the stale entry of IP in the mpls_entry table or missing IP entry, which results in traffic drop for VXLAN traffic. PR1472333

Layer 2 Ethernet Services

  • ZTP is not activated after the device is clear. PR1529246

Platform and Infrastructure

  • The sFlow sampling fails when the egress interface is configured with more than 8 in a line card. PR1202870

  • On the QFX10000 devices, the source MAC and TTL values do not get updated for the routed multicast packets in EVPN-VXLAN. PR1346894

  • The FPC might crash when a firewall filter is modified. PR1432116

  • On the QFX5200 devices, the ISSU might fail. PR1438690

  • On the QFX5000 devices, port qualifier is not supported. PR1440980

  • On the QFX5110 line of switches, the VXLAN VNI (mcast) scaling causes traffic issue. PR1462548

  • The SNMP index in the Packet Forwarding Engine reports as 0, causing the sFlow collector to report either IIF or OIF (not both) as 0 in the sFlow record data at the collector. PR1484322

  • Interface on platforms using Broadcom chipset might have abnormal status. PR1495564

  • On the QFX5100 devices, degradation is observed in the system reboot time and FPC online time. PR1513540

  • SNMP trap of power failure might not be sent out. PR1520144

  • Layer 3 classifier takes effect though the Layer 2 classifier is configured. PR1520570

  • On the QFX5100 Virtual Chassis and Virtual Chassis fan, after NSSU while performing GRES, backup can generate core file and go to the database prompt. PR1533874

  • On the QFX5100 Virtual Chassis, the firewall counter does not get updated as expected with PACL applied. PR1535825

  • On the QFX10002-72Q devices, the sFlow egress samples at PHP router do not include explicit-null (IPv4 and IPv6). PR1537946

  • On the QFX10002 devices, the sFlow log error message is observed when egress sampling is enabled on the dynamic IP-IP tunnel encapsulation scenario. PR1538863

  • On the QFX10008 with the Layer 2 and Layer 3 multicast configurations, the vmcore generates core file on the primary and backup Routing Engines. PR1539259

  • The following error message is observed while rebooting with Enterprise base configurations: Error BCMX: Failed to add lport 0x0 (unit , port ). -8: Entry exists. PR1541159

  • Compared to the ARP or token scale of the QFX10002-60C device, the ARP/token scale is lower than the ARP/token scale of the QFX10002 or QFX10008 device, causing the dcpfe process to generate a core file at high scale. PR1541686

  • On the QFX5000 Virtual Chassis fan, traffic loss might be seen after swapping the primary and backup Routing Engines. PR1544353

  • On the QFX5000 devices, the installed next-hop local-bias filter fails on the Packet Forwarding Engine with MAC-VRF. PR1544850

  • The QFX10000 device does not keep the inner vlan-id on the egress EP interface. PR1546840

  • On the QFX10000 devices, you need to move WRL7 SDK to RCPL31. PR1547565

  • On the QFX10000 devices, no local mac-ip entry for vlan-bundle service is observed. PR1548456

  • During power cycle, 100G port down issue is observed occasionally on the et-0/0/54 and et-0/0/55 with InnoLight 100G-AOC cables. PR1548525

  • Host shell is not reachable after image installation. PR1548710

  • On the QFX10000 devices, only untagged traffic flows through the ethernet-bridge interface. PR1550700

  • On the QFX10002-60C devices, ethernet-bridge is not supported. PR1551037

  • In Junos OS Release 20.2, some features show up as a licensed feature. While using the features, alarms and commit warnings are displayed. However, there is no functional impact. PR1558017

  • On the QFX5110 devices, untagged traffic routed over native-vlan might be dropped. PR1560038

  • On the QFX5110-32Q, L2_mac_scaling_inter_pod traffic drop is observed with evpn-vxlan-type-5 base configurations. PR1569879

  • Unexpected multicast traffic streams after enabling EVPN is observed. PR1570689

  • The dcpfe process crashes while checking the virtual tunnel-nh packet status. PR1580114

  • BUM traffic can be looped for a short time when the interface is newly added as the CE interface. PR1493650

  • Additional firewall policy must be added to allow the client DNS queries from QF directors. PR1509383

  • Upgrading the satellite devices might lead to some SDs to go in the SyncWait state. PR1556850

  • BUM traffic from AR-LEAF does not display the correct count in the output of the show interfaces vtep extensive command. PR1579614

  • The l2ald process generates the core file in l2ald_vxlan_ifl_create_event_handler while running the EVPN-VXLAN scripts in VQFX during the PCT submission. PR1582128

  • On the QFX10008 chassis, the dcpfe process generates core file. PR1572889

Routing Policy and Firewall Filters

  • When upgrading Junos OS to a specific version, the configuration validation might fail and the rpd process might crash. PR1538172

Routing Protocols

  • On the QFX5100 Virtual Chassis or Virtual Chassis fan, the following error is observed in the hardware with the mini-PDT base configurations: BRCM_NH-,brcm_nh_bdvlan_ucast_uninstall(), 128:l3 nh 6594 unintsall failed. PR1407175

  • The rpd process might crash after committing with the configured static group 224.0.0.0. PR1586631

Resolved Issues

Learn which issues were resolved in Junos OS main and maintenance releases for QFX Series Switches.

For the most complete and latest information about known Junos OS defects, use the Juniper online Junos Problem Report Search application.

Resolved Issues: 20.4R2

EVPN

  • The l2ald process might crash under a VLAN-based EVPN-VXLAN scenario. PR1550109

  • On the QFX10000 devices, the l2ald process generates the core file at l2ald_VXLAN_ifl_create_event_handler at /src/junos/usr.sbin/l2ald/platform/junos/l2ald_rtsock_VXLAN.c:477. PR1560068

  • Changing global-mac-ip-table-aging-time from a high value to a low value might not take effect. PR1562925

Forwarding and Sampling

  • The l2ald process might crash due to next-hop issue in the EVPN-MPLS. PR1548124

  • Configuration archive transfer-on-commit fails while running Junos OS Release 18.2R3-S6.5. PR1563641

General Routing

  • The DHCP relay-reply packets are dropped in the DHCPv6 relay scenario. PR1352613

Interfaces and Chassis

  • MAC address entry issue might be seen after MC-LAG interface failover or failback. PR1562535

Layer 2 Features

  • On the QFX5120 devices, packets with VLAN ID 0 are dropped. PR1566850

  • On the QFX5000, software-forwarded VXLAN de-encapsulated packets have illegal length. PR1574435

Layer 2 Ethernet Services

  • DHCP packet drop might be seen when the DHCP relay is configured on a leaf device. PR1554992

Platform and Infrastructure

  • On the QFX5000 line of switches, the number of egress ACL filter entries is only 512 in Junos OS Release 19.4R1. PR1472206

  • On the QFX10000 device, the chassisd process might generate core files on the backup Routing Engine after commit for 200 seconds due to the following error message: CHASSISD_MAIN_THREAD_STALLED. PR1481143

  • Channelized interfaces might fail to come up. PR1512203

  • Some inter-VLAN traffic flows do not converge after rebooting a spine (QFX10002) device in an EVPN-VXLAN non-collapsed scaled scenario. PR1522585

  • Traffic loss might be observed on interfaces in a VXLAN environment. PR1524955

  • On the QFX10002, the firewall logs are incorrectly populating from the Packet Forwarding Engine. PR1533814

  • The following Packet Forwarding Engine error message is observed in BRCM-VIRTUAL: brcm_virtual_tunnel_port_create() ,489: Failed NW VXLAN port token(45) hw-id(7026) status(Entry not found). PR1535555

  • The BFD sessions might not come up in a VXLAN scenario. PR1538600

  • The rpd memory leak might be observed on the backup Routing Engine due to link flaps. PR1539601

  • Unable to take RSI properly due to the authentication error. PR1539654

  • FPC might not be recognized after power cycle (hard reboot). PR1540107

  • OSPFv3 session might keep flapping and OSPFv3 hellos might be dropped in the host path. PR1547032

  • On the QFX10000 device, traffic might get dropped when the set routing-options forwarding-table no-ecmp-fast-reroute configuration is changed to 128 ECMP entries. PR1547457

  • On the QFX5100 Virtual Chassis, the backup Routing Engines clear the reporting alarm for a PEM failure intermittently for a missing power source. PR1548079

  • The 40GbE interface might be channelized after restarting the Virtual Chassis member. PR1548267

  • Neighbor Solicitation might be dropped from the peer device. PR1550632

  • The interface filter with source-port 0 matches everything instead of port 0. PR1551305

  • On the QFX5110 and QFX5120 devices, the DHCPv6 traffic received over a VTEP might not be forwarded. PR1551710

  • On the QFX5000 devices, the ARP resolution might fail. PR1552671

  • The dcpfe process might crash and the non-channelization interfaces might not come up. PR1552798

  • The action-shutdown command of storm control does not work for the ARP broadcast packets. PR1552815

  • Traffic might not pass due to the addition of the VLAN tag 2 while passing through the Virtual Chassis port. PR1555835

  • Traffic might be dropped when a firewall filter rule uses the then VLAN action. PR1556198

  • The dcpfe process might crash and restart, generating a core file, while running type-5 EVPN-VXLAN with 2000 VLANs. PR1556561

  • On the QFX5120-48YM device, the Multiple License Warning Messages are observed. PR1556816

  • Traffic storm might be caused by the analyzer due to the flapping of the link. PR1557274

  • On the QFX5000 devices, the firewall filter might fail. PR1558320

  • On the QFX5120 device, amber LEDs are displayed for the fan modules after upgrading to Junos OS Release 20.2R1. PR1558407

  • PRBS (Pseudo Random Binary Sequence) test on the QFX5200 devices fails for 100GbE interfaces with the default settings. PR1560086

  • When configuring the static MAC and static ARP on the EVPN core aggregate interface, the underlay next-hop programming might not be updated in the Packet Forwarding Engine. PR1561084

  • PTP BC with G.8275.2.enh profile_2 512 clients does not come up. PR1561348

  • PTP lock status gets stuck in the Acquiring state instead of the Phase Aligned state. PR1561372

  • Firewall filters might not work after ISSU. PR1561690

  • On the QFX10000 devices, the dcpfe process might crash during the configuration changes. PR1561746

  • Traffic loss might occur in a large-scaled EVPN scenario when the next-hop type changes between discard and unicast. PR1562425

  • On the QFX5000 devices, port mirroring might not work as expected. PR1562607

  • On the QFX5120 devices, storm control with IRB interface might not work correctly. PR1564020

  • On the QFX5100 Virtual Chassis, continuous message about agentd-pfe-proxy_telemetry_publisher is observed. PR1566528

  • On the QFX5100 devices, the following internal comment is displayed in the output of the show configuration command: Placeholder for QFX platform configuration. PR1567037

  • On the QFX10002 devices, discrepancy in inet.1 versus Packet Forwarding Engine reports multicast routes. PR1567353

  • PTP management message with SMTLV is sent only to the first port number to go active in the member multicast-mode l2-ifl. PR1571283

  • An issue is observed in telemetry when the set services analytics streaming-server <> <> configuration is present and the server is not reachable. PR1581192

  • The dcpfe process might crash and cause FPC to restart due to the traffic burst. PR1534340

  • On the QFX10000 devices, the dcpfe process might crash in the specific MAC move cases and traffic loss might be observed in the EVPN-VXLAN scenario. PR1542709

  • The switchover might be affected with the shared VXLAN tunnel. PR1581524

Routing Policy and Firewall Filters

  • The policy configuration might be mismatched between the rpd and mgd process when deactivate policy-options prefix-list is involved in the configuration sequence. PR1523891

Routing Protocols

  • Traffic might be silently discarded when a BGP route that is part of a multipath is deleted. PR1514966

  • The OSPF neighborship gets stuck in the Start state after configuring EVPN-VXLAN. PR1519244

  • A BGP LU session flap might be seen in a scenario where AIGP is used. PR1558102

  • On the QFX5110-32Q device, the following syslog error message is observed after loading the NC type-5 EVPN-VXLAN configuration: BCM-L2,pfe_bcm_l2_sp_bridge_port_tpid_set() Config TPID New/Old (8100:8100) Other-Tpid's ba49, 4aa0, 80f. PR1558189

  • On the QFX5120-48Y devices, the Layer 3 IPv4 traffic issue is observed after loading the non-collapsed type 5 EVPN-VXLAN configuration. PR1560173

  • On the QFX5110 devices, the ARP resolution might fail if native-vlan-id is configured on the VXLAN interface. PR1563569

  • The dcpfe process might crash when the size of the Local Bias Filter Bitmap string exceeds 256 characters. PR1568159

  • On the QFX5000 devices, the untagged packets might not work. PR1568533

  • The GRE egress traffic might not be forwarded between the different routing-instances. PR1573411

Resolved Issues: 20.4R1

EVPN

  • EVPN-VXLAN core isolation does not work when the system is rebooted or the routing is restarted. PR1461795

  • Unable to create a new VTEP interface. PR1520078

  • ARP table might not be updated after performing VMotion or a network loop. PR1521526

  • All the ARP reply packets toward some address are flooded across the entire fabric. PR1535515

  • EVPN-VXLAN registers mac-move counters under "system statistics bridge" even though there is no actual mac-move for multi-home (MH) clients. PR1538117

  • A Layer 2 core file is observed when the system is rebooted with shared-tunnels configured. PR1548502

  • The l2ald process crashes and generates a core file l2ald_iff_rtm_delete_subintf_ifbds during the datacenter interconnect (dci) fusion run. PR1550109

General Routing

  • Port LEDs do not work on the QFX5100-48T-6Q platforms. PR1317750

  • On the QFX5100 switches, the interface output counter is double counted for self-generated traffic. PR1462748

  • IRB MAC is not programmed in hardware when the MAC persistence timer expires. PR1484440

  • Virtual Chassis is not stable with 100-Gigabit Ethernet and 40-Gigabit Ethernet interfaces. PR1497563

  • BFD sessions flap after deactivating or activating the aggregated Ethernet interface or executing GRES. PR1500798

  • The error message "mpls_extra NULL" might be seen when you add, change, or delete MPLS route. PR1502385

  • The interface becomes physically down after changing to the FEC none mode. PR1502959

  • LLDP is not acquired when native-vlan-id and tagged VLAN-ID are the same on a port. PR1504354

  • "Media type" in show interface command is displayed as "Fiber" for SFP-10G-T. PR1504630

  • The archival function might fail in certain conditions. PR1507044

  • The fxpc might crash and restart with a fxpc core file created while installing image through ZTP. PR1508611

  • Traffic might be affected on QFX10002, QFX10008, and QFX10016 line of switches. PR1509220

  • The output VLAN push might not work. PR1510629

  • Multicast traffic loss is observed because of the few multicast routes missing in the spine node. PR1510794

  • The QFX10000-36Q line card used on QFX10008 and QFX10016 line of switches might fail to detect any QSFP. PR1511155

  • In a Virtual Chassis environment, the configured num-65-127-prefix value is shown incorrectly in the output of the show chassis forwarding-options command. PR1512712

  • In the VXLAN configuration, the firewall filters might not be loaded into the TCAM with the following message due to TCAM overflow after upgrading to Junos OS Release 18.1R3-S1, 18.2R1, and later. PR1514710

  • The routes update might fail upon the HMC memory issue and traffic impact might be seen. PR1515092

  • The 100-Gigabit Ethernet AOC non-breakout port might be auto-channelized to other speed. PR1515487

  • The MAC learning might not work properly after multiple MTU changes on the access port in the VXLAN scenario. PR1516653

  • The dcpfe (PFE) process might crash due to memory leak. PR1517030

  • The vgd process might generate a core file when the OVSDB server restarts. PR1518807

  • Traffic forwarding might be affected when adding, removing, or modifying the VLAN or VNI configurations such as VLAN-ID, VNI-ID, and Ingress-Replication command. PR1519019

  • QFX5100: cprod timeout triggers high CPU. PR1520956

  • The interfaces on the EX4600-EM-8F expansion module do not come up on the QFX5100-24Q with the non-QFX5E image. PR1521523

  • Output interface index in SFLOW packet is zero when transit traffic is observed on the IRB interface with VRRP enabled. PR1521732

  • On the QFX10002, QFX10008, and QFX10016 line of switches, the following error message is observed during specific steps while clearing and loading the scaled configuration again: PRDS_SLU_SAL:jprds_slu_sal_update_lrncnt(),1379: jprds_slu_sal_update_lrncnt call failed. PR1522852

  • The ECMP and LAG hash polarization might occur if the "hash-parameters" statement is not configured. PR1525387

  • Sampling with the rate limiter command enabled crosses the sample rate of 65535. PR1525589

  • Traffic loss might be observed when traffic is locally routed between the two VXLANs on the QFX5120 switch. PR1527939

  • The MPLS EXP classifier might not work on QFX10000 line of switches. PR1531095

  • Running SNMP MIB walk and executing 'show interfaces' command may cause the picd to crash. PR1533766

  • High rate of ARP or NS packets might be observed between a device that runs Junos OS and host when the device that runs Junos OS receives an ARP or NS packet on an interface in transition. PR1534796

  • The filter instance does not get removed from the Packet Forwarding Engine after deactivating VLAN and IRB. PR1537108

  • Interfaces are not created after channel-speed 10G is applied across ports 48 to 53 on QFX5100-48T. PR1538340

  • A Management Ethernet link down alarm is seen while verifying system alarms in a Virtual Chassis setup. PR1538674

  • Traffic loss might be seen in OVSDB VXLAN scenario. PR1540208

  • Inter VLAN traffic drop might be observed in EVPN-VXLAN scenario. PR1541406

  • On QFX10002-60C switch, the "show pfe filter" CLI command is unavailable. PR1545019

  • The neighbor solicitation might be dropped from the peer device. PR1550632

  • DHCP IPv6 is not working for QFX5110-48s-4c. PR1551710

  • On QFX10000 and PTX10000 line of devices with Junos OS Releases 20.1R1 and later, cannot collect RSI properly because of the authentication error. PR1556816

Infrastructure

  • The kernel might crash if a file or a directory is accessed for the first time and is not created locally. PR1518898

  • OID ifOutDiscards reports zero and sometimes shows a valid value. PR1522561

Interfaces and Chassis

  • The dcpfe might crash when the ICL is disabled and then enabled. PR1525234

  • The logical interface might flap after adding or deleting native VLAN configuration. PR1539991

Layer 2 Features

  • Flow control is enabled in Packet Forwarding Engine irrespective of the interface configuration and the fix causes small amount of packet loss when a parameter related to an interface such as "interface description" on any port is changed. PR1496766

  • The dcpfe or FPC might crash and generate a core file because of the memory leak after the VLAN add and VLAN delete operation. PR1505239

  • On the QFX5000 line of switches, traffic imbalance might be observed if hash-params is not configured. PR1514793

  • The MAC address in the hardware table might not synchronize between the master and the member in Virtual Chassis after the MAC flap. PR1521324

  • On QFX5110 switch, the EVPN-VXLAN check traffic when VXLAN encap header fails. PR1541316

Platform and Infrastructure

  • On QFX5110 and QFX5120 platforms, unicast RPF check in strict mode might not work properly. PR1417546

Routing Policy and Firewall Filters

  • The policy configuration might be mismatched between rpd and mgd when "deactivate policy-options prefix-list" is involved in configuration sequence. PR1523891

Routing Protocols

  • System upgrade or installation might fail on QFX5100-48T-6Q VC/VCF. PR1486632

  • The IPv6 traffic might drop when falling back from IP-in-IP tunnel to inet.0/inet6.0. PR1508631

  • Scale of filters with egress-to-ingress command is enabled. PR1514570

  • The rpd process might report 100 percent CPU usage with the BGP route damping enabled. PR1514635

  • The remaining BFD sessions of the aggregated Ethernet interface flap continuously if one of the BFD sessions is deleted. PR1516556

  • Stale tunnel entries are seen after negative triggers. PR1516818

  • The BFD sessions might flap continuously after disruptive switchover followed by GRES. PR1518106

  • On QFX5210-64C, enabling IPv6 flow-based Packet Forwarding Engine hashing gives commit error. PR1519018

  • Firewall "sample" configuration gives the warning as unsupported on QFX10002-36q and will not work. PR1521763

  • Errors are seen during a script run with negative triggers at scale [LOG: Err] BRCM_NH-,brcm_nh_iptunnel_unilist_install(),5752:IPoIP < src: 1.1.1.1, dst: 1.1.3.1> NH id 2537, Tunnel id: 512 failed to create decap obj Table full: vrf 1 vid 4082 intf 4058 of nh 131074(3)] when the tunnel color attribute is deleted for all the tunnels at scale. PR1526405

  • On QFX5000 line of switches, the IPIP firewall filter term with decapsulate action needs to be duplicated for each from protocol. PR1527755

  • On QFX5000 line of switches, the fxpc process might crash if the VXLAN interface flaps. PR1528490

Virtual Chassis

  • On the QFX5000 Virtual Chassis, the DDoS violations that occur on the backup are not reported to the Routing Engine. PR1490552

  • On QFX5120 and QFX5210 platforms, unexpected storm control events might occur. PR1519893

Documentation Updates

There are no errata or changes in Junos OS Release 20.4R2 documentation for the QFX Series Switches.

Migration, Upgrade, and Downgrade Instructions

This section contains the procedure to upgrade Junos OS, and the upgrade and downgrade policies for Junos OS. Upgrading or downgrading Junos OS can take several hours, depending on the size and configuration of the network.

Upgrading Software on QFX Series Switches

When upgrading or downgrading Junos OS, always use the jinstall package. Use other packages (such as the jbundle package) only when so instructed by a Juniper Networks support representative. For information about the contents of the jinstall package and details of the installation process, see the Installation and Upgrade Guide and Junos OS Basics in the QFX Series documentation.

If you are not familiar with the download and installation process, follow these steps:

  1. In a browser, go to https://www.juniper.net/support/downloads/junos.html.

    The Junos Platforms Download Software page appears.

  2. In the QFX Series section of the Junos Platforms Download Software page, select the QFX Series platform for which you want to download the software.
  3. Select 20.4 in the Release pull-down list to the right of the Software tab on the Download Software page.
  4. In the Install Package section of the Software tab, select the QFX Series Install Package for the 20.4 release.

    An Alert box appears.

  5. In the Alert box, click the link to the PSN document for details about the software, and click the link to download it.

    A login screen appears.

  6. Log in to the Juniper Networks authentication system using the username (generally your e-mail address) and password supplied by Juniper Networks representatives.
  7. Download the software to a local host.
  8. Copy the software to the device or to your internal software distribution site.
  9. Install the new jinstall package on the device.

    Note

    We recommend that you upgrade all software packages out of band using the console, because in-band connections are lost during the upgrade process.

    Customers in the United States and Canada use the following command:

    user@host> request system software add source/jinstall-host-qfx-5-x86-64-20.4-R1.n-secure-signed.tgz reboot

    Replace source with one of the following values:

    • /pathname—For a software package that is installed from a local directory on the switch.

    • For software packages that are downloaded and installed from a remote location:

      • ftp://hostname/pathname

      • http://hostname/pathname

      • scp://hostname/pathname (available only for Canada and U.S. version)

    Adding the reboot command reboots the switch after the upgrade is installed. When the reboot is complete, the switch displays the login prompt. The loading process can take 5 to 10 minutes.

    Rebooting occurs only if the upgrade is successful.

Note

After you install a Junos OS Release 20.4 jinstall package, you can issue the request system software rollback command to return to the previously installed software.

Installing the Software on QFX10002-60C Switches

This section explains how to upgrade the software, which includes both the host OS and the Junos OS. This upgrade requires that you use a VM host package—for example, a junos-vmhost-install-x.tgz.

During a software upgrade, the alternate partition of the SSD is upgraded, and it becomes the primary partition after a reboot. If there is a boot failure on the primary SSD, the switch can boot using the snapshot available on the alternate SSD.

Note

The QFX10002-60C switch supports only the 64-bit version of Junos OS.

Note

If you have important files in directories other than /config and /var, copy the files to a secure location before upgrading. The files under /config and /var (except /var/etc) are preserved after the upgrade.

To upgrade the software, you can use the following methods:

If the installation package resides locally on the switch, execute the request vmhost software add <pathname><source> command.

For example:

user@switch> request vmhost software add /var/tmp/junos-vmhost-install-qfx-x86-64-20.4R2.9.tgz

If the Install Package resides remotely from the switch, execute the request vmhost software add <pathname><source> command.

For example:

user@switch> request vmhost software add ftp://ftpserver/directory/junos-vmhost-install-qfx-x86-64-20.4R2.9.tgz

After the reboot has finished, verify that the new version of software has been properly installed by executing the show version command.

user@switch> show version

Installing the Software on QFX10002 Switches

Note

If you are upgrading from a version of software that does not have the FreeBSD 10 kernel (15.1X53-D30, for example), you will need to upgrade from Junos OS Release 15.1X53-D30 to Junos OS Release 15.1X53-D32. After you have installed Junos OS Release 15.1X53-D32, you can upgrade to Junos OS Release 15.1X53-D60 or Junos OS Release 18.3R1.

Note

On the switch, use the force-host option to force-install the latest version of the Host OS. However, by default, if the Host OS version is different from the one that is already installed on the switch, the latest version is installed without using the force-host option.

If the installation package resides locally on the switch, execute the request system software add <pathname><source> reboot command.

For example:

user@switch> request system software add /var/tmp/jinstall-host-qfx-10-f-x86-64-20.4R2.n-secure-signed.tgz reboot

If the Install Package resides remotely from the switch, execute the request system software add <pathname><source> reboot command.

For example:

user@switch> request system software add ftp://ftpserver/directory/jinstall-host-qfx-10-f-x86-64-20.4R2.n-secure-signed.tgz reboot

After the reboot has finished, verify that the new version of software has been properly installed by executing the show version command.

user@switch> show version

Upgrading Software from Junos OS Release 15.1X53-D3X to Junos OS Release 15.1X53-D60, 15.1X53-D61.7, 15.1X53-D62, and 15.1X53-D63 on QFX10008 and QFX10016 Switches

Note

Before you install the software, back up any critical files in /var/home. For more information regarding how to back up critical files, contact Customer Support at https://www.juniper.net/support.

The switch contains two Routing Engines, so you will need to install the software on each Routing Engine (re0 and re1).

If the installation package resides locally on the switch, execute the request system software add <pathname><source> command.

To install the software on re0:

user@switch> request system software add /var/tmp/jinstall-host-qfx-10-m-15.1X53-D60.n-secure-domestic-signed.tgz re0

If the Install Package resides remotely from the switch, execute the request system software add <pathname><source> re0 command.

For example:

user@switch> request system software add ftp://ftpserver/directory/jinstall-host-qfx-10-m-15.1X53-D60.n-secure-domestic-signed.tgz re0

To install the software on re1:

user@switch> request system software add /var/tmp/jinstall-host-qfx-10-m-15.1X53-D60.n-secure-domestic-signed.tgz re1

If the Install Package resides remotely from the switch, execute the request system software add <pathname><source> re1 command.

For example:

user@switch> request system software add ftp://ftpserver/directory/jinstall-host-qfx-10-m-15.1X53-D60.n-secure-domestic-signed.tgz re1

Reboot both Routing Engines.

For example:

user@switch> request system reboot both-routing-engines

After the reboot has finished, verify that the new version of software has been properly installed by executing the show version command.

user@switch> show version

Installing the Software on QFX10008 and QFX10016 Switches

Because the switch has two Routing Engines, perform a Junos OS installation on each Routing Engine separately to avoid disrupting network operation.

Note

Before you install the software, back up any critical files in /var/home. For more information regarding how to back up critical files, contact Customer Support at https://www.juniper.net/support.

Warning

If graceful Routing Engine switchover (GRES), nonstop bridging (NSB), or nonstop active routing (NSR) is enabled when you initiate a software installation, the software does not install properly. Make sure you issue the CLI delete chassis redundancy command when prompted. If GRES is enabled, it will be removed with the redundancy command. By default, NSR is disabled. If NSR is enabled, remove the nonstop-routing statement from the [edit routing-options] hierarchy level to disable it.

  1. Log in to the master Routing Engine’s console.

    For more information about logging in to the Routing Engine through the console port, see the specific hardware guide for your switch.

  2. From the command line, enter configuration mode:

    user@switch> configure

  3. Disable Routing Engine redundancy:

    user@switch# delete chassis redundancy

  4. Disable nonstop-bridging:

    user@switch# delete protocols layer2-control nonstop-bridging

  5. Save the configuration change on both Routing Engines:

    user@switch# commit synchronize

  6. Exit the CLI configuration mode:

    user@switch# exit

    After the switch has been prepared, you first install the new Junos OS release on the backup Routing Engine, while keeping the currently running software version on the master Routing Engine. This enables the master Routing Engine to continue operations, minimizing disruption to your network.

    After making sure that the new software version is running correctly on the backup Routing Engine, you are ready to switch routing control to the backup Routing Engine, and then upgrade or downgrade the software version on the other Routing Engine.

  7. Log in to the console port on the other Routing Engine (currently the backup).

    For more information about logging in to the Routing Engine through the console port, see the specific hardware guide for your switch.

  8. Install the new software package using the request system software add command:

    user@switch> request system software add validate /var/tmp/jinstall-host-qfx-10-f-x86-64-20.4R2.n-secure-signed.tgz

    For more information about the request system software add command, see the CLI Explorer.

  9. Reboot the switch to start the new software using the request system reboot command:

    user@switch> request system reboot

    Note

    You must reboot the switch to load the new installation of Junos OS on the switch.

    To abort the installation, do not reboot your switch. Instead, finish the installation and then issue the request system software delete <package-name> command. This is your last chance to stop the installation.

    All the software is loaded when you reboot the switch. Installation can take between 5 and 10 minutes. The switch then reboots from the boot device on which the software was just installed. When the reboot is complete, the switch displays the login prompt.

    While the software is being upgraded, the Routing Engine on which you are performing the installation is not sending traffic.

  10. Log in and issue the show version command to verify the version of the software installed.

    user@switch> show version

    Once the software is installed on the backup Routing Engine, you are ready to switch routing control to the backup Routing Engine, and then upgrade or downgrade the master Routing Engine software.

  11. Log in to the master Routing Engine console port.

    For more information about logging in to the Routing Engine through the console port, see the specific hardware guide for your switch.

  12. Transfer routing control to the backup Routing Engine:

    user@switch> request chassis routing-engine master switch

    For more information about the request chassis routing-engine master command, see the CLI Explorer.

  13. Verify that the backup Routing Engine (slot 1) is the master Routing Engine:

    user@switch> show chassis routing-engine

  14. Install the new software package using the request system software add command:

    user@switch> request system software add validate /var/tmp/jinstall-host-qfx-10-f-x86-64-20.4R2.n-secure-signed.tgz

    For more information about the request system software add command, see the CLI Explorer.

  15. Reboot the Routing Engine using the request system reboot command:

    user@switch> request system reboot

    Note

    You must reboot to load the new installation of Junos OS on the switch.

    To abort the installation, do not reboot your system. Instead, finish the installation and then issue the request system software delete jinstall <package-name> command. This is your last chance to stop the installation.

    The software is loaded when you reboot the system. Installation can take between 5 and 10 minutes. The switch then reboots from the boot device on which the software was just installed. When the reboot is complete, the switch displays the login prompt.

    While the software is being upgraded, the Routing Engine on which you are performing the installation does not send traffic.

  16. Log in and issue the show version command to verify the version of the software installed.

  17. Transfer routing control back to the master Routing Engine:

    user@switch> request chassis routing-engine master switch

    For more information about the request chassis routing-engine master command, see the CLI Explorer.

  18. Verify that the master Routing Engine (slot 0) is indeed the master Routing Engine:

    user@switch> show chassis routing-engine

Performing a Unified ISSU

You can use unified ISSU to upgrade the software running on the switch with minimal traffic disruption during the upgrade.

Note

Unified ISSU is supported in Junos OS Release 13.2X51-D15 and later.

Perform the following tasks:

Preparing the Switch for Software Installation

Before you begin software installation using unified ISSU:

  • Ensure that nonstop active routing (NSR), nonstop bridging (NSB), and graceful Routing Engine switchover (GRES) are enabled. NSB and GRES enable NSB-supported Layer 2 protocols to synchronize protocol information between the master and backup Routing Engines.

    To verify that nonstop active routing is enabled:

    Note

    If nonstop active routing is enabled, then graceful Routing Engine switchover is enabled.

    If nonstop active routing is not enabled (Stateful Replication is Disabled), see Configuring Nonstop Active Routing on Switches for information about how to enable it.

  • Enable nonstop bridging (NSB). See Configuring Nonstop Bridging on Switches (CLI Procedure) for information on how to enable it.

  • (Optional) Back up the system software—Junos OS, the active configuration, and log files—on the switch to an external storage device with the request system snapshot command.

Upgrading the Software Using Unified ISSU

This procedure describes how to upgrade the software running on a standalone switch.

To upgrade the switch using unified ISSU:

  1. Download the software package by following the procedure in the Downloading Software Files with a Browser section in Installing Software Packages on QFX Series Devices.

  2. Copy the software package or packages to the switch. We recommend that you copy the file to the /var/tmp directory.

  3. Log in to the console connection. Using a console connection allows you to monitor the progress of the upgrade.

  4. Start the ISSU:

    • On the switch, enter:

      where package-name.tgz is, for example, jinstall-host-qfx-10-f-x86-64-20.4R2.n-secure-signed.tgz.

    Note

    During the upgrade, you cannot access the Junos OS CLI.

    The switch displays status messages similar to the following messages as the upgrade executes:

    Note

    A unified ISSU might stop, instead of abort, if the FPC is at the warm boot stage. Also, any links that go down and up will not be detected during a warm boot of the Packet Forwarding Engine (PFE).

    Note

    If the unified ISSU process stops, you can look at the log files to diagnose the problem. The log files are located at /var/log/vjunos-log.tgz.

  5. Log in after the reboot of the switch completes. To verify that the software has been upgraded, enter the following command:

  6. Ensure that the resilient dual-root partitions feature operates correctly, by copying the new Junos OS image into the alternate root partitions of all of the switches:

    Resilient dual-root partitions allow the switch to boot transparently from the alternate root partition if the system fails to boot from the primary root partition.

Upgrade and Downgrade Support Policy for Junos OS Releases

Support for upgrades and downgrades that span more than three Junos OS releases at a time is not provided, except for releases that are designated as Extended End-of-Life (EEOL) releases. EEOL releases provide direct upgrade and downgrade paths—you can upgrade directly from one EEOL release to the next EEOL release even though EEOL releases generally occur in increments beyond three releases.

You can upgrade or downgrade to the EEOL release that occurs directly before or after the currently installed EEOL release, or to two EEOL releases before or after. For example, Junos OS Releases 19.3, 19.4, and 20.1 are EEOL releases. You can upgrade from Junos OS Release 19.3 to Release 19.4 or from Junos OS Release 19.3 to Release 20.1.

You cannot upgrade directly from a non-EEOL release to a release that is more than three releases ahead or behind. To upgrade or downgrade from a non-EEOL release to a release more than three releases before or after, first upgrade to the next EEOL release and then upgrade or downgrade from that EEOL release to your target release.

For more information about EEOL releases and to review a list of EEOL releases, see https://www.juniper.net/support/eol/junos.html.
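
The hop rules in this support policy can be checked mechanically before an upgrade window is scheduled. The following Python sketch is an added example, not Juniper code: the release train R1 to R16 and its EEOL designations are constructed, and it assumes that a hop of exactly three releases is supported and that EEOL-to-EEOL hops are counted along the list of EEOL releases only.

```python
from collections import deque

# Assumptions taken from the policy text above (interpretation is ours):
MAX_SPAN = 3        # hops spanning more than three releases are unsupported
MAX_EEOL_STEPS = 2  # EEOL -> next EEOL, or EEOL -> two EEOL releases away

# Constructed sample data: a hypothetical release train, oldest to newest,
# with every fourth release designated EEOL. Not a real Junos release list.
RELEASES = [f"R{n}" for n in range(1, 17)]
EEOL = {"R2", "R6", "R10", "R14"}


def direct_hop_supported(releases, eeol, src, dst):
    """Return True if a single upgrade or downgrade from src to dst is allowed."""
    if src == dst:
        return False
    i, j = releases.index(src), releases.index(dst)
    # Rule 1: any hop that spans at most MAX_SPAN releases is supported.
    if abs(i - j) <= MAX_SPAN:
        return True
    # Rule 2: longer hops are supported only between EEOL releases that are
    # at most MAX_EEOL_STEPS apart in the ordered list of EEOL releases.
    if src in eeol and dst in eeol:
        chain = [r for r in releases if r in eeol]
        return abs(chain.index(src) - chain.index(dst)) <= MAX_EEOL_STEPS
    return False


def plan_path(releases, eeol, src, dst):
    """Breadth-first search for the shortest chain of supported hops.

    Returns the list of releases to install in order, starting with src,
    or None if no chain exists. Works for upgrades and downgrades.
    """
    for name in (src, dst):
        if name not in releases:
            raise ValueError(f"unknown release: {name}")
    queue = deque([[src]])
    seen = {src}
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for candidate in releases:
            if candidate in seen:
                continue
            if direct_hop_supported(releases, eeol, path[-1], candidate):
                seen.add(candidate)
                queue.append(path + [candidate])
    return None


if __name__ == "__main__":
    for src, dst in [("R2", "R6"), ("R1", "R10"), ("R2", "R14"), ("R10", "R1")]:
        direct = direct_hop_supported(RELEASES, EEOL, src, dst)
        path = plan_path(RELEASES, EEOL, src, dst)
        print(f"{src} -> {dst}: direct={direct}, path={' -> '.join(path)}")
```

A non-EEOL starting point more than three releases from the target is routed through the nearest EEOL release, which matches the two-step procedure the policy describes.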