Junos OS Release Notes for the QFX Series
These release notes accompany Junos OS Release 20.4R3 for the QFX Series. They describe new and changed features, limitations, and known and resolved problems in the hardware and software.
You can also find these release notes on the Juniper Networks Junos OS Documentation webpage, located at https://www.juniper.net/documentation/product/en_US/junos-os.
What's New
Learn about new features introduced in the Junos OS main and maintenance releases for QFX Series Switches.
The following QFX Series platforms are supported in Release 20.4R3: QFX5100, QFX5110-32Q, QFX5110-48S, QFX5120, QFX5200, QFX5210, QFX10002, QFX10002-60C, QFX10008, and QFX10016.
Junos on White Box runs on Accton Edgecore AS7816-64X switches in this release. The software is based on Junos OS running on QFX5210 switches, so release-note items that apply to QFX5210 switches also apply to Junos on White Box.
What’s New in Release 20.4R3
MPLS
Support for optimizing auto-bandwidth adjustments for MPLS LSPs (QFX10008)—Starting in Junos OS Release 20.4R3, you can configure faster auto-bandwidth adjustment for MPLS LSPs under overflow or underflow conditions. This feature decreases the minimum allowed adjust-threshold-overflow-limit and adjust-interval to 150 seconds when adjust-threshold-overflow-limit and adjust-threshold-underflow-limit cross the configured threshold values. In releases earlier than Junos OS Release 20.4R3, the adjust-interval is 300 seconds under overflow or underflow conditions.
You can configure faster in-place LSP bandwidth update that avoids signaling of a new LSP instance as part of make-before-break. To configure faster in-place LSP bandwidth update, include the in-place-lsp-bandwidth-update configuration statement at the [edit protocols mpls label-switched-path lsp-name] hierarchy level.
You can also configure RSVP interfaces to support subscription percentage per priority. To configure subscription percentage per priority, include the subscription priority priority percent value configuration statement at the [edit protocols rsvp interface interface-name] hierarchy level.
[See Configuring Optimized Auto-bandwidth Adjustments for MPLS LSPs.]
When you enable the configuration statement route-age-bgp-view at the [edit protocols bgp] or the [edit protocols bgp family inet unicast] hierarchy level, the route-age of BGP routes reflects protocol update events. However, it does not reflect internal events that cause a route change, such as route-resolution or bgp-multipath.
What’s New in Release 20.4R2
There are no new features or enhancements to existing features for QFX Series Switches in Junos OS Release 20.4R2.
What’s New in Release 20.4R1
Hardware
Support for QSA Adapter (QFX10002-60C)—Starting in Junos OS Release 20.4R1, you can use the QSA Adapter to support 1GbE and 10GbE connections on the QFX10002-60C switches.
[See the Hardware Compatibility Tool (HCT) for details.]
Support for transceivers, AOCs, and DACs (QFX5120-48T)—Starting in Junos OS Release 20.4R1, transceivers, AOCs, and DACs are supported on the QFX5120-48T switches.
[See the Hardware Compatibility Tool (HCT) for details.]
New QFX5120-48YM Switch (QFX Series)—In Junos OS Release 20.4R1, we introduce the QFX5120-48YM, an ideal switch for data center top-of-rack, leaf-and-spine deployments, enterprise multicloud deployments, and campus distribution or core deployments. The QFX5120-48YM is a 25GbE/100GbE switch that offers 48 SFP28 ports and 8 QSFP28 ports. The 48 SFP28 ports support 1-Gbps, 10-Gbps, and 25-Gbps speeds and the 8 QSFP28 ports support 40-Gbps and 100-Gbps speeds. QFX5120-48YM switches support both manual and auto-channelization, but manual CLI channelization always takes precedence. [See Port Settings.]
To install the QFX5120-48YM switch hardware and perform initial software configuration, routine maintenance, and troubleshooting, see QFX5120 Switch Hardware Guide. See Feature Explorer for the complete list of features for any platform.
Table 3 summarizes the QFX5120-48YM features in Junos OS Release 20.4R1.
Table 3: Features Supported by the QFX5120-48YM
Feature
Description
Access security
DHCP and DHCPv6 snooping. [See DHCP Snooping.]
IP and IPv6 source guard. [See Understanding IP Source Guard for Port Security on Switches.]
Dynamic ARP inspection (DAI). [See Understanding and Using Dynamic ARP Inspection (DAI).]
IPv6 neighbor discovery inspection. [See IPv6 Neighbor Discovery Inspection.]
Authentication and access control
IEEE 802.1X authentication. [See User Access and Authentication User Guide.]
RADIUS and TACACS+ authentication and accounting. [See Authentication Order for RADIUS, TACACS+, and Local Password.]
Authentication bypass access (based on host MAC address) and fallback. [See Static MAC Bypass of 802.1X and MAC RADIUS.]
Captive portal authentication for Layer 2 and Layer 3 interfaces. [See Captive Portal Authentication.]
Class of service (CoS)
QFX5120-48YM switches support all class-of-service (CoS) features except the following: shared unicast and multi-destination classifiers, forwarding classes, and output queues; CoS flexible hierarchical scheduling (ETS); virtual output queue (VOQ) architecture; and CoS command to detect the source of RED-dropped packets. [See CoS Support on QFX Series Switches, EX4600 Line of Switches, and QFabric Systems.]
DHCP
DHCP server. [See DHCP Server.]
DHCP relay agent and DHCP smart relay. [See DHCP Relay Agent.]
DHCP server and client in separate routing instances. [See DHCP Message Exchange Between DHCP Clients and DHCP Server in Different VRFs.]
DHCP relay with option 82 for Layer 2 VLANs and Layer 3 interface. [See DHCP Relay Agent Information Option (Option 82).]
DHCP option 82 with textual interface description. [See DHCP Relay Agent Information Option (Option 82).]
DHCPv6 option 79. [See relay-agent-option-79.]
DHCP static addresses. [See Configuring Static DHCP IP Addresses.]
Extended DHCP (also referred to as virtual router (VR) aware DHCP). [See Legacy DHCP and Extended DHCP.]
EVPN-VXLAN
In a centrally routed bridging overlay, the QFX5120-48YM switch can act as a leaf device (Layer 2 VXLAN gateway). [See Example: Configuring an EVPN Control Plane and VXLAN Data Plane.]
In an edge-routed bridging overlay, the QFX5120-48YM switch can act as a leaf device (Layer 2 and 3 VXLAN gateways). [See Example: Configuring a QFX5110 Switch as Layer 2 and 3 VXLAN Gateways in an EVPN-VXLAN Edge-Routed Bridging Overlay.]
In a campus EVPN multihoming environment, you can deploy two QFX5120-48YM switches as distribution switches with ESI-LAG (Layer 2 and 3 VXLAN gateways) to eliminate STP.
In a campus fabric environment, you can deploy QFX5120-48YM switches as distribution or core switches in a centrally routed bridging overlay or an edge routed bridging overlay.
In the spine and leaf roles, the QFX5120-48YM switches support the following features:
Firewall filtering and policing of EVPN-VXLAN traffic. [See Overview of Firewall Filters (QFX Series).]
IGMPv2 snooping in a centrally routed bridging overlay. Supported use cases include intra-VLAN, inter-VLAN with IRB interfaces and PIM, and inter-VLAN with a PIM gateway and Layer 2 connectivity. [See Overview of Multicast Forwarding with IGMP Snooping or MLD Snooping in an EVPN-VXLAN Environment.]
Support for IPv6 data traffic. [See Routing IPv6 Data Traffic through an EVPN-VXLAN Network with an IPv4 Underlay.]
MAC filtering, storm control, and port mirroring. [See MAC Filtering, Storm Control, and Port Mirroring Support in an EVPN-VXLAN Environment.]
EVPN pure Type 5 routes. [See EVPN Type-5 Route with VXLAN Encapsulation for EVPN-VXLAN.]
EVPN proxy ARP and ARP suppression, and proxy Neighbor Discovery Protocol (NDP) and NDP suppression. [See EVPN Proxy ARP and ARP Suppression, and Proxy NDP and NDP Suppression.]
Support for OSPF, IS-IS, BGP, and static routing on IRB interfaces. [See Supported Protocols on an IRB Interface in EVPN-VXLAN.]
Virtual machine traffic optimization for ingress interfaces. [See Ingress Virtual Machine Traffic Optimization.]
Layer 2 and 3 families, encapsulation types, and VXLAN on the same physical interface. [See Understanding Flexible Ethernet Services Support With EVPN-VXLAN.]
Selective multicast forwarding. [See Overview of Selective Multicast Forwarding.]
MAC mobility and duplicate MAC address detection and suppression. [See Overview of MAC Mobility.]
Firewalls and policers
Firewall filters provide rules that define whether to permit, deny, or forward packets that are transiting an interface on the device from a source address to a destination address. The supported firewall filter and policer features include:
Policer mark down action and policing/rate limiting
Single-rate two-color marking (ingress), single-rate tricolor marking (color aware, color blind), and two-rate tricolor marking
Filter-based forwarding (FBF) and FBF with destination and source prefix list on IPv6 interfaces
Dynamic allocation of TCAM memory to firewall filters and error message displayed when TCAM is full
Enhanced filter classification of CPU-generated packets
Firewall filter actions: assign forwarding class, counters; logging, syslog, reject; mirroring to an interface; and permit, drop, police, and mark
Firewall filter flexible match conditions
Firewall filters on loopback interface and management interface
IPv6 fields for ingress port and VLAN firewall filters
Policer action for MPLS firewall filters
Port firewall filters (egress and ingress), routed firewall filters (egress and ingress) and VLAN firewall filters (egress and ingress)
TCP/UDP port ranges in classification
Loopback filter optimization
Firewall filtering and policing on EVPN-VXLAN traffic
Filter-based GRE de-encapsulation
[See Firewall Filter Match Conditions and Actions (QFX5220).]
Firewall filter support on Layer 3 interfaces. [See Firewall Filter Match Conditions and Actions (QFX5220).]
High availability
Nonstop bridging (NSB), and nonstop active routing (NSR) for IPv6 and OSPFv2.
Interfaces and chassis
Support for the following resiliency features:
Operating system resiliency to recover the Junos OS software by using the recovery mode option on the Grub menu, which is visible after BIOS has booted up.
Partial resiliency for DIMM errors, machine-check exception (MCE), and PCI Express advanced error reporting (AER). If required, you can ask the Juniper Networks Technical Assistance Center (JTAC) for assistance in manually debugging these types of errors when they occur.
Support for channelizing interfaces. The QFX5120-48YM contains a total of 56 ports, of which 8 are QSFP28 ports and 48 are SFP28 ports. To channelize speed, you use the channel-speed statement. For setting speed, you use the set chassis fpc 0 pic 0 port <25g|1g|10g|50g|100g|40g> command. The speeds supported are:
1 Gbps, 10 Gbps, and 25 Gbps on SFP28
40 Gbps, 100 Gbps, 4x25 Gbps, 4x10 Gbps, 2x50 Gbps on QSFP28
2x50 Gbps, 4x25 Gbps, or 4x10 Gbps channelization is supported on ports 50 and 52.
[See Port Settings.]
Junos OS XML API and scripting
Python, SLAX, and XSLT scripting languages, commit scripts and macros, event policy and event scripts, op scripts, and SNMP scripts. [See Automation Scripting User Guide.]
Layer 2 features
Layer 2 protocol tunneling (L2PT) support to tunnel any of the following Layer 2 protocols: CDP, E-LMI, GVRP, IEEE 802.1X, IEEE 802.3AH, LACP, LLDP, MMRP, MVRP, STP (including RSTP and MSTP), UDLD, VSTP, and VTP. [See Layer 2 Protocol Tunneling.]
Support for the following Layer 2 multicast features:
IGMP snooping with IGMPv1, IGMPv2, and IGMPv3
IGMP proxy
IGMP querier
Virtual router (VRF-lite) IGMP snooping [See IGMP Snooping Overview.]
Support for the following Layer 2 unicast features:
802.1D
802.1w (RSTP)
802.1s (MST)
BPDU protection
Loop protection
Root protection
VSTP
802.1Q VLAN trunking
802.1p
IRB (Integrated routing and bridging Interface)
Layer 3 vlan-tagged sub-interfaces
4096 VLANs
Multiple VLAN Registration Protocol (802.1ak)
MAC address filtering
MAC address aging configuration
Static MAC address assignment for interface
Per-VLAN MAC learning (limit)
MAC Learning Disable
Persistent MAC (Sticky MAC)
Link Aggregation (Static and Dynamic) with LACP (Fast and Slow LACP)
LLDP
MC-LAG with configuration sync
Uplink Failure Detection (UFD)
VxLAN L2 Gateway (Static, OVSDB, EVPN)
QinQ Tag manipulation
802.1x (Access control)
[See Layer 2 Networking.]
Layer 3 features
Traceroute over Layer 3 VPN.
Virtual routing and forwarding (VRF) support in IRB interfaces in a Layer 3 VPN.
VRF-lite, BGP, IGMP, IS-IS, OSPF, PIM, and RIP.
Support for the following Layer 3 multicast features:
IGMP version 1 (IGMPv1), version 2 (IGMPv2), and version 3 (IGMPv3)
IGMP filtering
PIM sparse mode (PIM-SM)
PIM dense mode (PIM-DM)
PIM source-specific multicast (PIM-SSM)
Multicast Source Discovery Protocol (MSDP)
IGMP and PIM are also supported on virtual routers.
[See Multicast Overview.]
Support for the following Layer 3 unicast features:
Virtual Router Redundancy Protocol (VRRP)
Static routing
OSPFv2
IPv4 BGP
IPv4 MBGP
BGP 4-byte ASN support
BGP Add Path (BGP-AP)
IS-IS
BFD (for RIP, OSPF, ISIS, BGP, PIM)
Filter based forwarding (FBF)
Unicast reverse path forwarding (unicast RPF)
IP directed broadcast traffic forwarding
IPv4 over GRE
IPv6 neighbor discovery protocol
Path MTU discovery
IPv6 CoS (BA, classification and rewrite, scheduling based on TC)
IPv6 ping
IPv6 static routing
IPv6 traceroute
IPv6 stateless auto-configuration
IPv6 OSPFv3
IPv6 IS-IS
IPv6 BGP
VRRPv3
32-way equal-cost multipath (ECMP)
VXLAN Layer 3 Gateway
MPLS over UDP
DHCP snooping
IPv6 Ready Logo certification
MPLS
MPLS support for label edge routers (LERs) and label switch routers (LSR). [See MPLS Overview for Switches.]
MPLS signaling protocols LDP and RSVP. [See LDP Overview and RSVP Overview.]
Fast reroute (FRR) support (a component of MPLS local protection for both one-to-one and many-to-one local protection).
Static LSPs. [See LSP Overview.]
MPLS node protection, link protection, and statistics for static LSPs.
MPLS OAM (LSP ping).
MPLS statistics. [See statistics (Protocols MPLS).]
MPLS automatic bandwidth allocation and dynamic count sizing.
MPLS with RSVP-based LSPs.
IRB interfaces over an MPLS core network. [See Example: Configuring IRB Interfaces on QFX5100 Switches over an MPLS Core Network.]
MPLS stitching for virtual machine connections. [See Using MPLS Stitching with BGP to Connect Virtual Machines.]
MPLS over Layer 3 subinterfaces. [See MPLS Limitations on QFX Series and EX4600 Switches.]
RSVP-traffic engineering (RSVP-TE), traffic engineering extensions (OSPF-TE, IS-IS-TE), Path Computation Element Protocol (PCEP), and PCE-initiated LSPs for the PCEP implementation. [See MPLS Applications User Guide.]
Equal-cost multipath (ECMP) operation on MPLS using firewall filters.
OVSDB-VXLAN
In an OVSDB-VXLAN environment, the QFX5120-48YM switch can act as a Layer 2 VXLAN gateway. [See Understanding the OVSDB Protocol Running on Juniper Networks Devices.]
In a manual (PIM-based) VXLAN environment, the QFX5120-48YM switch can act as:
A Layer 2 VXLAN gateway.
A transit Layer 3 switch for downstream VTEPs.
[See Examples: Manually Configuring VXLANs on QFX Series and EX4600 Switches.]
Network management and monitoring
Support for the following services:
sFlow networking monitoring technology—Collects samples of network packets and sends them in a UDP datagram to a monitoring station called a collector. You can configure sFlow technology on a device to monitor traffic continuously at wire speed on all interfaces simultaneously. The inline-sampling configuration option is available.
Local, remote, and extended port mirroring—Copies packets entering or exiting a port or entering a VLAN and sends the copies to a local interface (local port mirroring), to a VLAN (remote port mirroring), or to the IP address of a device running an analyzer application on a remote network (extended port mirroring). When you use extended port mirroring, the mirrored packets are GRE-encapsulated.
Storm control—Causes a device to monitor traffic levels and take a specified action when a specified traffic level—called the storm control level—is exceeded, thus preventing packets from proliferating and degrading service. You can configure devices to drop broadcast and unknown unicast packets, shut down interfaces, or temporarily disable interfaces when the storm control level is exceeded.
[See Overview of sFlow Technology, Understanding Port Mirroring, and Understanding Storm Control.]
Support for adding nonnative YANG modules to the Junos OS schema. [See Understanding the Management of Nonnative YANG Modules on Devices Running Junos OS.]
Puppet for Junos OS support. [See Puppet for Junos OS Administration Guide.]
Port Security
Support for Media Access Control security with 256-bit cipher suite. GCM-AES-256 has a maximum key length of 256 bits and is also available with extended packet numbering (GCM-AES-XPN-256). [See Understanding Media Access Control Security (MACsec).]
Software installation and upgrade
Secure boot—The implementation is based on the UEFI 2.4 standard. [See Software Installation and Upgrade Guide.]
You need a license to use the features on the QFX5120-48YM. To find out what features are supported on this device, see QFX Switch Support for the Juniper Flex Program. To add, delete, and manage licenses, see Managing Licenses.
Zero-touch provisioning (ZTP). [See Zero Touch Provisioning Overview.]
Virtualization enables the switch to support multiple instances of Junos OS and other operating systems on the same Routing Engine. One instance of Junos OS, which runs as a guest operating system, is launched by default. You need to log in to this instance for operations and management. The Routing Engines on the QFX5120-48YM switches support the Wind River Linux 9 (WRL9) kernel version. [See What Are VMHosts?.]
To view the hardware compatibility matrix for optical interfaces and transceivers supported on the QFX5120-48YM, see the Hardware Compatibility Tool.
Class of Service (CoS)
Priority-based flow control (PFC) using Differentiated Services code points (DSCP) at Layer 3 for untagged traffic (QFX5210 switches)—Starting in Junos OS Release 20.4R1, to support lossless traffic across Layer 3 connections to Layer 2 subnetworks on QFX5210 switches, you can configure priority-based flow control (PFC) to operate using 6-bit DSCP values from Layer 3 headers of untagged VLAN traffic. You can do this rather than use IEEE 802.1p priority values in Layer 2 VLAN-tagged packet headers. You need DSCP-based PFC to support remote direct memory access (RDMA) over converged Ethernet version 2 (RoCEv2).
To enable DSCP-based PFC:
Map a forwarding class to a PFC priority using the pfc-priority statement.
Define a congestion notification profile to enable PFC on traffic specified by a 6-bit DSCP value.
Set up a classifier for the DSCP value and the PFC-mapped forwarding class.
[See Understanding PFC Using DSCP at Layer 3 for Untagged Traffic.]
EVPN
Multicast with IGMPv3 in EVPN-VXLAN centrally-routed bridging overlay fabrics (QFX10000, QFX5110, and QFX5120)—Starting in Junos OS Release 20.4R1, you can configure IGMPv3 multicast in an EVPN-VXLAN centrally-routed bridging overlay fabric with multihoming for the following IPv4 multicast traffic use cases:
Intra-VLAN forwarding
Inter-VLAN routing using:
IRB interfaces configured with PIM
A PIM gateway router (for Layer 2 or Layer 3 connectivity)
An external multicast router
IGMPv3 multicast works with these multicast optimizations:
IGMP snooping
Selective multicast (SMET) forwarding
Assisted replication (AR)
These devices process IGMPv3 reports in one of two modes:
As any-source multicast (ASM) (*,G) reports by default
As source-specific multicast (SSM) (S,G) reports only (if you explicitly configure this mode)
[See Overview of Multicast Forwarding with IGMP Snooping in an EVPN-VXLAN Environment, Overview of Selective Multicast Forwarding, Assisted Replication Multicast Optimization in EVPN Networks, and evpn-ssm-reports-only.]
MAC-VRF with EVPN-VXLAN (MX Series and vMX routers; QFX5100, QFX5110, QFX5120, QFX5200, QFX5210, QFX10002-60C, QFX10008, and QFX10016 switches)—Data center service providers must support multiple customers with their own routing and bridging policies in the same physical network. To accommodate this requirement, you can now configure multiple customer-specific EVPN instances (EVIs) of type mac-vrf, each of which can support a different EVPN service type. This configuration results in customer-specific virtual routing and forwarding (VRF) tables with MAC addresses on each Juniper Networks device that serves as a virtual tunnel endpoint (VTEP) in the EVPN-VXLAN network.
Note: We support MAC-VRF routing instances for EVPN unicast routes only.
To support this feature, we introduce a uniform routing instance configuration, which complies with RFC 7432, BGP MPLS-Based Ethernet VPN. The uniform configuration eliminates hardware restrictions that limit the number of EVIs and combinations of EVIs with their respective policies that can simultaneously exist. The common configuration includes the following new CLI elements:
The mac-vrf keyword at the [edit routing-instances name instance-type] hierarchy level.
The service-type configuration statement at the [edit routing-instances name] hierarchy level. We support VLAN-based, VLAN-aware, and VLAN-bundle service types.
(QFX10000 line of switches only) The forwarding-instance configuration statement at the [edit routing-instances name] hierarchy level. With this optional configuration statement, you can map multiple routing instances to a single forwarding instance. If you don’t include this configuration statement, the default forwarding instance is used.
We continue to support the existing method of routing instance configuration along with the new uniform routing instance configuration.
[See EVPN User Guide.]
Filter-based forwarding in EVPN-VXLAN networks (QFX10002-36Q, QFX10002-72Q, QFX10002-60C, QFX10008, and QFX10016)—Instead of using the routing functionality typically provided by routing protocols, you can now use firewall filter-based forwarding. With filter-based forwarding, you can use firewall filter match conditions and actions to better control how traffic is routed in your EVPN-VXLAN network.
We support the following filter-based forwarding use cases:
Redirecting traffic received on IRB interfaces. To set up a firewall filter:
Create an input filter.
Note: When specifying an IP address for this filter, you can use either IPv4 or IPv6 addresses.
Specify the following match criteria:
The source and destination IP addresses in the inner header after a packet is de-encapsulated.
The source and destination ports in the inner header.
Specify an action that directs matching packets to one of the following:
A routing instance
A next hop
A next hop and a routing instance
Apply the filter to an IRB interface with or without a virtual gateway address or an anycast address.
Handling transit traffic that matches a VXLAN network identifier (VNI). To set up a firewall filter:
Create an input filter.
Note: When specifying an IP address for this filter, you must use an IPv4 address.
Specify the following match criteria:
VNI.
The source and destination IP addresses in the outer header.
For the action, specify count or any other firewall filter action that is supported by the QFX10000 line of switches.
Apply the filter to a Layer 3 interface.
Loop detection for EVPN-VXLAN fabrics (QFX5120, QFX5200, QFX5210, and QFX5220)—You can configure loop detection on the server-facing Layer 2 interfaces of the leaf devices in an EVPN-VXLAN fabric. This feature can detect the following types of Ethernet loops:
A loop between two interfaces with different Ethernet segment identifiers (ESIs). This loop is typically caused by miswiring fabric components.
A loop between two interfaces with the same ESI. This loop is typically caused by miswiring a third-party switch to the fabric.
After you’ve enabled loop detection, the interfaces periodically send multicast loop-detection protocol data units (PDUs). If a loop detection-enabled interface receives a PDU, a loop is detected, which triggers the configured action to break the loop. For example, if the configured action is interface-down, the interface is brought down. After the revert-interval timer expires, the configured action is reverted, and the interface is brought back up again.
[See loop-detect.]
IPv6 multicast with MLDv1 and MLDv2 in EVPN-VXLAN centrally-routed bridging overlay fabrics (QFX10000, QFX5110, and QFX5120)—Starting in Junos OS Release 20.4R1, you can configure MLDv1 and MLDv2 multicast in an EVPN-VXLAN centrally-routed bridging overlay fabric with multihoming for the following IPv6 multicast traffic use cases:
Intra-VLAN forwarding
Inter-VLAN routing using:
IRB interfaces configured with PIM
A PIM gateway router (for Layer 2 or Layer 3 connectivity)
An external multicast router
MLD multicast works with these multicast optimizations:
MLD snooping
Selective multicast (SMET) forwarding
Assisted replication (AR)
These devices process MLD reports as follows:
MLDv1 reports as any-source multicast (ASM) (*,G) reports
MLDv2 reports in one of two modes:
As any-source multicast (ASM) (*,G) reports by default
As source-specific multicast (SSM) (S,G) reports only (if you explicitly configure this mode)
[See Overview of Multicast Forwarding with IGMP Snooping or MLD Snooping in an EVPN-VXLAN Environment, Overview of Selective Multicast Forwarding, Assisted Replication Multicast Optimization in EVPN Networks, and evpn-ssm-reports-only.]
Seamless EVPN-VXLAN stitching with multicast support (QFX10002-36Q, QFX10002-72Q, QFX10008, and QFX10016)—Starting in Junos OS Release 20.4R1, we support the following multicast features with the seamless EVPN-VXLAN stitching data center interconnect (DCI) use case:
Protocol Independent Multicast (PIM)
Internet Group Management Protocol version 2 (IGMPv2) snooping
Assisted replication (AR) with the following use cases:
The super spine device, which interconnects the data centers, and the AR replicator are two separate devices.
The super spine device and the AR replicator are the same device.
Selective multicast Ethernet tag (SMET)
[See interconnect.]
Flow-Based and Packet-Based Processing
Support for user-defined flex hashing for MPLS traffic flows (QFX5210; Accton Edgecore AS7816 running Junos OS on White Box)—Starting in Junos OS Release 20.4R1, you can configure user-defined flex hashing to load-balance MPLS traffic based on TCP or UDP source and destination port information. User-defined flex hashing, which supports protocol versions IPv4 and IPv6, enables you to set byte offsets in packet headers to influence hashing computation. You specify two offsets, each 2 bytes in length, from the first 128 bytes of a packet. You can configure the selected bytes to be directly used for hashing or to be used only when the data pattern in these bytes matches specific values (conditional match). To provide load balancing in spine layers, configure flex hashing and encapsulate the traffic in VXLAN, thus enabling entropy at UDP source ports. At de-encapsulation, configure the no-inner-payload statement to load-balance based on the outer UDP header.
To configure user-defined flex hashing:
set forwarding-options enhanced-hash-key flex-hashing name ethtype mpls num-labels num_labels hash-offset offset1 base-offset1 offset1-value offset1_value offset1-mask offset1_mask offset2 base-offset2 offset2-value offset2_value offset2-mask offset2_mask
To configure a conditional match (repeat the following command with values for offsets and match data 2-4):
set forwarding-options enhanced-hash-key conditional-match name offset1 base-offset1 offset1-value offset1_value offset1-mask offset1_mask matchdata1 matchdata1 matchdata1-mask matchdata1-mask
To enable load balancing on VXLAN transit traffic based on the outer UDP header:
set forwarding-options enhanced-hash-key vxlan no-inner-payload
To troubleshoot, use the show forwarding-options enhanced-hash-key command.
Limitations:
Use a maximum of two MPLS labels.
Use only even values for offset1 and offset2.
If you are using conditional matches, configure the conditions before you attach them to the flex-hashing entry.
An aggregated Ethernet (ae) or LAG interface is not supported as an input interface. You can configure input interfaces on LAGs by configuring the same user-defined flex-hashing data and the same conditional-match data on all member interfaces of a LAG interface.
Apply a similar set of commands to the various member interfaces. For example, if the members of a particular LAG are xe-0/0/2, xe-0/0/3, and xe-0/0/4, configure three slightly different flex-hashing rules on those individual member interfaces—the rules are identical except that they have different names for the incoming traffic:
set forwarding-options enhanced-hash-key flex-hashing FLEX_L2_V6_TCP_4 ethtype mpls interface xe-0/0/2
set forwarding-options enhanced-hash-key flex-hashing FLEX_L2_V6_TCP_4 ethtype mpls num-labels 2
set forwarding-options enhanced-hash-key flex-hashing FLEX_L2_V6_TCP_4 ethtype mpls conditional-match COND_L2_V6_TCP_4
set forwarding-options enhanced-hash-key flex-hashing FLEX_L2_V6_TCP_4 ethtype mpls hash-offset offset1 base-offset1 start-of-L3-OuterHeader
set forwarding-options enhanced-hash-key flex-hashing FLEX_L2_V6_TCP_4 ethtype mpls hash-offset offset1 offset2 offset2-mask ffff
[...configuration commands truncated...]
set forwarding-options enhanced-hash-key flex-hashing FLEX_L2_V6_TCP_5 ethtype mpls interface xe-0/0/3
[...configuration commands truncated...]
set forwarding-options enhanced-hash-key flex-hashing FLEX_L2_V6_TCP_6 ethtype mpls interface xe-0/0/4
[...configuration commands truncated...]
Use unique flex-data profile names and unique conditional-data profile names for each member interface—for example, in the following conditional-data profile names, the port number is unique in each instance:
...enhanced-hash-key conditional-match COND_L1_V6_UDP_SRC_PORT_1...
...enhanced-hash-key conditional-match COND_L1_V6_UDP_SRC_PORT_2...
[See flex-hashing.]
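A pre-commit check for the limitations listed above, as an added example (not Juniper code): it scans `set forwarding-options enhanced-hash-key` lines and reports each violated limitation with its line number. The sample configuration and its offset values are constructed, offset values are assumed to be decimal, and "configure the conditions before you attach them" is interpreted here as line order.

```python
import re

PREFIX = "set forwarding-options enhanced-hash-key "
OFFSET_KEYS = {"offset1-value", "offset2-value"}

# Constructed sample: lines 1-4 are clean, lines 5-9 each break one limitation.
SAMPLE_CONFIG = """\
set forwarding-options enhanced-hash-key conditional-match COND_1 offset1 base-offset1 start-of-L3-OuterHeader offset1-value 8 offset1-mask ffff
set forwarding-options enhanced-hash-key flex-hashing FLEX_1 ethtype mpls interface xe-0/0/2
set forwarding-options enhanced-hash-key flex-hashing FLEX_1 ethtype mpls num-labels 2
set forwarding-options enhanced-hash-key flex-hashing FLEX_1 ethtype mpls conditional-match COND_1
set forwarding-options enhanced-hash-key flex-hashing FLEX_2 ethtype mpls interface ae0
set forwarding-options enhanced-hash-key flex-hashing FLEX_2 ethtype mpls num-labels 3
set forwarding-options enhanced-hash-key flex-hashing FLEX_2 ethtype mpls conditional-match COND_2
set forwarding-options enhanced-hash-key flex-hashing FLEX_2 ethtype mpls hash-offset offset1 base-offset1 start-of-L3-OuterHeader offset1-value 7
set forwarding-options enhanced-hash-key flex-hashing FLEX_1 ethtype mpls interface xe-0/0/3
"""


def lint_flex_hashing(config_text):
    """Return (line_number, rule, detail) findings for the listed limitations."""
    findings = []
    defined_conditions = set()  # conditional-match profiles defined so far
    profile_interface = {}      # flex-hashing profile -> first interface seen
    condition_owner = {}        # conditional-match profile -> first flex profile using it

    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line.startswith(PREFIX):
            continue
        tokens = line[len(PREFIX):].split()
        if len(tokens) < 2 or tokens[0] not in ("flex-hashing", "conditional-match"):
            continue
        kind, name, rest = tokens[0], tokens[1], tokens[2:]
        if kind == "conditional-match":
            defined_conditions.add(name)

        # Walk adjacent token pairs and pick out the keyword/value pairs we check.
        for key, value in zip(rest, rest[1:]):
            # Limitation: use only even values for offset1 and offset2.
            if key in OFFSET_KEYS and value.isdigit() and int(value) % 2:
                findings.append((lineno, "odd-offset", f"{name}: {key} {value}"))
            if kind != "flex-hashing":
                continue
            if key == "num-labels" and value.isdigit() and int(value) > 2:
                # Limitation: use a maximum of two MPLS labels.
                findings.append((lineno, "too-many-labels", f"{name}: {value}"))
            elif key == "interface":
                # Limitation: an ae/LAG interface is not supported as input.
                if re.fullmatch(r"ae\d+(\.\d+)?", value):
                    findings.append((lineno, "lag-input", f"{name}: {value}"))
                # Limitation: unique flex-data profile name per member interface.
                first = profile_interface.setdefault(name, value)
                if first != value:
                    findings.append((lineno, "shared-flex-profile",
                                     f"{name}: {first} and {value}"))
            elif key == "conditional-match":
                # Limitation: configure a condition before attaching it.
                if value not in defined_conditions:
                    findings.append((lineno, "condition-not-defined-yet",
                                     f"{name}: {value}"))
                # Limitation: unique conditional-data profile per member interface.
                owner = condition_owner.setdefault(value, name)
                if owner != name:
                    findings.append((lineno, "shared-condition-profile",
                                     f"{value}: {owner} and {name}"))
    return findings


if __name__ == "__main__":
    for lineno, rule, detail in lint_flex_hashing(SAMPLE_CONFIG):
        print(f"line {lineno}: {rule}: {detail}")
```
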
High Availability (HA) and Resiliency
Disk health monitoring (QFX5100 and QFX5120-48Y)—Starting in Junos OS Release 20.4R1, the QFX5100 and QFX5120-48Y switches support disk-health monitoring. This feature detects solid-state drive (SSD) failures and reboots the device gracefully to handle those failures. With this feature in place, you need not manually intervene to recover the system from an SSD failure condition. QFX5100 switches used in a Virtual Chassis also support this feature.
Interfaces and Chassis
Retrieve an ECMP or trunk interface hardware hash result for a given input for load balancing (QFX5120)—Starting in Junos OS Release 20.4R1, you can view the hash parameters that are used by the hashing algorithm and the final egress interface for the traffic you are interested in. Use the CLI command show forwarding-options load-balance ecmp|trunk to retrieve this information. The command output provides you information to troubleshoot issues for which you need to know the packet path.
[See Configuring the Fields in the Algorithm Used To Hash LAG Bundle and ECMP Traffic (CLI Procedure) and show forwarding-options load-balance ecmp|trunk.]
IP Tunneling
IPIP encapsulation for flexible tunnel interfaces (FTIs) (QFX5100, QFX5110, QFX5120, QFX5200, and QFX5210)—We've extended flexible tunnel interfaces (FTIs) and existing forwarding constructs to support configuring static IPv4 IP-in-IP tunnels and RIB APIs. To configure an IP-in-IP tunnel on a FTI, use the ipip option at the [edit interfaces interface-name unit logical-unit-number tunnel encapsulation] hierarchy level.
[See Configuring Flexible Tunnel Interfaces and ipip.]
Juniper Extension Toolkit
Support for static backup paths with IP-in-IP tunnel encapsulation and provisioning APIs (QFX5100, QFX5110, QFX5120, QFX5200, and QFX5210)—We’ve enhanced Juniper Extension Toolkit (JET) APIs to enable a controller to set up underlay network backup paths that use IP-in-IP tunnels with IPv4 encapsulation. JET APIs notify the controller of active paths, interfaces, and changes to the interface state. The loop-free backup paths help quickly restore failed core transport networks built with only IP protocols.
[See JET APIs on Juniper EngNet.]
Support for policy match condition to match programmed routes (QFX5100, QFX5110, QFX5120, QFX5200, and QFX5210)—We’ve introduced a new option programmed that allows policy matches for routes injected by JET APIs. To allow policy matches for routes injected by JET APIs, use the programmed option at the [edit policy-options policy-statement policy-name term term-name from] hierarchy level. To view details about programmed routes, use the show route programmed (detail | extensive) command.
[See policy-statement and show route.]
RIB service API option to control route distribution (QFX5100, QFX5110, QFX5120, QFX5200, and QFX5210)—We’ve added a no-advertise flag to the RIB service API per-route RouteAttributes object to limit re-advertisement of the provisioned route. You can set this flag to TRUE to prevent the route from being redistributed to routing protocols and advertised to peers.
[See JET APIs on Juniper EngNet.]
Junos OS XML, API, and Scripting
Support for Certificate Authority Chain Profile (EX2300, EX3400, EX4300, MX240, MX480, MX960, PTX-5000, VMX, vSRX and QFX5200)—Starting in Junos OS Release 20.4R1, you can configure an intermediate Certificate Authority (CA) chain profile certificate and perform HTTPS REST API requests using mutual and server authentication.
To configure an intermediate CA chain certificate, include the ca-chain ca-chain statement at the [edit system services rest https] hierarchy level.
Start time option for interval-based internal events that trigger event policies (EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—Starting in Junos OS Release 20.4R1, when you create an interval-based internal event for triggering event policies, you can specify the start date and time for the initial event. To specify a start time, configure the start-time option along with the time-interval option at the [edit event-options generate-event] hierarchy level.
Junos Telemetry Interface
BGP neighbor telemetry with sharding (MX Series, PTX Series, and QFX Series)—Starting in Junos OS Release 20.4R1, BGP neighbor telemetry with sharding (multi-threading) is supported.
[See Guidelines for gRPC and gNMI Sensors (Junos Telemetry Interface).]
Network Management and Monitoring
Support for sFlow technology with VXLAN (QFX5110, QFX5120-32C, QFX5120-48Y, and QFX5120-48T-6C)—Starting in Junos OS Release 20.4R1, we support sFlow technology with VXLAN. sFlow is a monitoring technology for high-speed switched or routed networks. The sFlow agent performs packet sampling and gathers interface statistics, and then combines the information into UDP datagrams that are sent to sFlow collectors.
Keep the following points in mind:
True egress sampling is not supported on the switches. Egress sampling is done at the end of the ingress pipeline, and so the egress samples do not contain modifications that are made to the packet in the egress pipeline. When the packet flow is from the access port to the network port, sFlow is configured on the egress network port, and thus packets are captured without VXLAN encapsulation at the collector.
Egress sampling for BUM traffic is not supported.
Extended router data with next-hop information is not supported on the switches.
Sampling on ingress interfaces does not capture CPU-bound traffic.
You cannot configure sFlow on a link aggregation group (LAG), but you can configure it individually on a LAG member interface.
You must not configure sFlow for more than one logical interface on a physical interface.
[See Overview of sFlow Technology.]
Configuration retrieval using the configuration revision identifier (EX3400, EX4300, MX204, MX240, MX480, MX960, MX2020, PTX3000, PTX10008, QFX5100, QFX10002-60C, SRX5800, vMX, and vSRX)—Starting in Junos OS Release 20.4R1, you can use the configuration revision identifier feature to view the configuration for a specific revision. This configuration database revision can be viewed with the CLI command show system configuration revision.
sFlow sampling support for IP-IP traffic (QFX5100 and QFX5200)—Starting in Junos OS Release 20.4R1, you can use sFlow technology to sample IP over IP (IP-IP) traffic at a physical port. This feature is supported for IP-IP tunnels with an IPv4 outer header that carry IPv4 or IPv6 traffic. You can use sFlow monitoring technology to randomly sample network packets from IP-IP tunnels to send the samples to a destination collector for monitoring. Devices that act as an IP-IP tunnel entry point, transit device, or tunnel endpoint support sFlow sampling.
[See Overview of sFlow Technology.]
Junos XML protocol operations support loading and comparing configurations using the configuration revision identifier (EX3400, EX4300, MX204, MX240, MX480, MX960, MX2020, PTX3000, PTX10008, QFX5100, QFX10002-60C, SRX5800, vMX, and vSRX)—Starting in Junos OS Release 20.4R1, the Junos XML management protocol operations support loading and comparing configurations by referencing the configuration revision identifier of a committed configuration. You can execute the <load-configuration> operation with the configuration-revision attribute to load the configuration with the given revision identifier into the candidate configuration. Additionally, you can compare the candidate or active configuration to a previously committed configuration by referencing the configuration revision identifier for the comparison configuration. The <get-configuration> operation supports the compare="configuration-revision" and configuration-revision attributes to perform the comparison.
[See <get-configuration> and <load-configuration>.]
Platform and Infrastructure
Flooding bridge protocol data units (BPDUs) using existing ingress port-based firewall filters (QFX5100, QFX5110, QFX5120-32C, QFX5200, and QFX5210)—Starting in Junos OS Release 20.4R1, you can configure a new firewall filter CLI action to flood BPDUs using the set firewall family ethernet-switching filter f1 term t1 then flood statement. The flexibility to flood BPDUs on a per port basis for the QFX5000 line of switches can be achieved by using the existing ingress port-based firewall filters.
Routing Policy and Firewall Filters
Support for route’s next-hop weight in policy match condition (MX Series, PTX Series, and QFX Series)—Starting in Junos OS Release 20.4R1, a route with multiple next-hop paths can use the weight associated with a path to identify primary and backup paths. The path with the lowest weight is used as the primary path, and any paths with higher weights are treated as backup paths. You can use the next-hop weight as a match condition in export policies to redistribute IGP and BGP routes based on whether the primary or backup paths are active.
Configure this match condition using the [edit policy-options policy-statement policy-name term term-name from] statement.
[See policy-statement and show policy.]
IPv6 support for firewall filtering and policing on EVPN-VXLAN traffic (QFX5100, QFX5110, QFX5120, QFX5200, and QFX5210)— Starting with Junos OS Release 20.4R1, you can use IPv6 for firewall filters and policers on VXLAN traffic in an EVPN topology. Configure firewall filters at the [edit firewall] hierarchy level. For each firewall filter that you apply to a VXLAN, you can specify family ethernet-switching to filter Layer 2 (Ethernet) packets or family inet or family inet6 to filter on IRB interfaces. You can apply firewall filters and policers on CE-facing interfaces in the ingress direction only. For IRB interfaces, you can apply filtering only at the ingress point of a non-encapsulated frame routed through the IRB interface.
[See Understanding VXLANs and Overview of Firewall Filters.]
Support for matching IPv6 source addresses from an inet6 egress interface (QFX5110)—Starting in Junos OS Release 20.4R1, you can configure a firewall filter on an IPv6 egress interface to match specified IPv6 source or destination addresses, for example, to protect a third-party device connected to the switch.
[See eracl-ip6-match and Example: Configuring an Egress Filter Based on IPv6 Source or Destination IP Addresses.]
Routing Protocols
Support for multiple single-hop EBGP sessions on different links using the same IPv6 link-local address (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series, vMX, and vSRX)—Starting in Junos OS Release 20.4R1, you are no longer required to have unique peer addresses for Juniper devices for every EBGP session. You can now enable single-hop EBGP sessions on different links over multiple directly connected peers that use the same IPv6 link-local address.
In earlier Junos OS Releases, BGP peers could be configured with link-local addresses, but multiple BGP peers could not be configured to use the same link-local address on different interfaces.
Support for IS-IS flood-reflector interfaces (PTX1000, QFX10002, QFX10008)—Starting in Junos OS Release 20.4R1, we support the IS-IS flood reflector feature, which allows creation of IS-IS flood reflection topologies. Flood reflection allows the creation of topologies where Level 1 areas provide transit forwarding for Level 2 destinations within a Level 2 topology that provides better scalability.
We designate flexible tunnel interfaces (FTI) as flood-reflector interfaces. To enable the flood reflector on an FTI, include the flood-reflector statement at the [edit protocols isis interface interface name level level number] hierarchy level.
You can configure the interface to be either the reflector or the client. To enable the reflector, you can use the flood-reflector reflector cluster-id statement at the [edit protocols isis level level number] hierarchy level.
To enable the flood reflector client, include the flood-reflector client statement at the [edit protocols isis level level number] hierarchy level.
Note: You can configure the flood reflector feature on FTIs at Level 2 only.
[See How to Configure Flood Reflector Interfaces in IS-IS Networks.]
Support for relaxing BGP router ID format from /32 to a nonzero ID per RFC 6286 (MX204, NFX Series, PTX5000, QFX Series, and vRR)—Starting in Junos OS Release 20.4R1, you can establish a BGP connection using a BGP identifier that is a 4-octet, unsigned, nonzero integer that needs to be unique only within the autonomous system (AS), per RFC 6286. In earlier releases, the BGP ID of a BGP speaker was required to be a valid IPv4 host address assigned to the BGP speaker.
To enable this feature, use the bgp-identifier identifier group bgp group name bgp-identifier identifier neighbor peer address bgp-identifier identifier configuration statement at the [edit protocols bgp] hierarchy level.
[See router-id.]
Support for IPv4 VPN unicast and IPv6 VPN unicast address families in BGP (QFX10002-60C, QFX10002, QFX10008, and QFX10016)—Starting in Junos OS Release 20.4R1, on QFX Series switches, the following address families are supported to enable advertisement or reception, or both, of multiple paths to a destination to and from the same BGP peer, instead of advertising and receiving only one path to and from the same BGP peer, under the [edit protocols bgp group group-name] hierarchy. You can configure the add-path statement at the BGP global, group level, and peer level.
IPv4 VPN unicast (family inet-vpn)
IPv6 VPN unicast (family inet6-vpn)
[See Understanding the Advertisement of Multiple Paths to a Single Destination in BGP.]
Software Defined Networking (SDN)
PCEP support for color (MX480, QFX5200)—Starting in Junos OS Release 20.4R1, the Path Computation Element Protocol (PCEP) supports color for colored segment routing LSPs. This includes Path Computation Element (PCE)-initiated, Path Computation Client (PCC)-controlled, and PCC-delegated segment routing LSPs. With this PCEP extension, you can configure candidate paths based on color and endpoints, where the active candidate path is the path with the highest segment routing preference, or based on source priority.
[See Understanding Static Segment Routing LSP in MPLS Networks.]
Static VXLAN at VLAN or bridge domain level (MX5, MX10, MX40, MX80, MX150, MX240, MX480, MX960, MX2008, MX2010, MX2020, MX10003, MX10008, MX10016 routers and QFX5120-32C, QFX5120-48T, and QFX5120-48Y switches)—In Junos OS Release 20.3R1 and earlier, we supported the configuration of static VXLAN at the global level only. By including the remote-vtep-list configuration statement at the [edit switch-options] or [edit routing-instances name] hierarchy level, you can map all local VLANs or bridge domains to the remote virtual tunnel endpoints (VTEPs) in the list.
Starting in Junos OS Release 20.4R1, you can also configure static VXLAN at the VLAN or bridge domain level using the static-remote-vtep-list configuration statement at the [edit vlans name vxlan], [edit bridge-domains name vxlan], or [edit routing-instances name bridge-domains name vxlan] hierarchy level.
When specifying remote VTEPs at the VLAN level in the default switching instance, you must also specify the same VTEPs at the global level in the default switching instance. Or when specifying remote VTEPs at the bridge domain level in a routing instance, you must also specify the same VTEPs at the global level in the same routing instance. For example, if you specify a VTEP in the static-remote-vtep-list at the [edit routing-instances name bridge-domains name vxlan] hierarchy level, you must also specify the VTEP in the remote-vtep-list at the [edit routing-instances name] hierarchy level.
To replicate and flood BUM traffic, you must specify the ingress-node-replication configuration statement at the [edit vlans name vxlan], [edit bridge-domains name vxlan], or [edit routing-instances name bridge-domains name vxlan] hierarchy level. This configuration restricts the BUM traffic flood domain to only those VTEPs mapped to a particular bridge domain or VLAN.
[See Static VXLAN and static-remote-vtep-list.]
Software Installation and Upgrade
Phone-home client (EX4600, EX4650, EX9200, QFX5110, QFX5200, QFX5210, QFX5120-32C, and QFX5120-48Y)—Starting with Junos OS Release 20.4R1, you can use either the legacy DHCP-options-based ZTP or the phone-home client (PHC) to provision software for the switch. When the switch boots up, if there are DHCP options that have been received from the DHCP server for ZTP, ZTP resumes. If DHCP options are not present, PHC is attempted. PHC enables the switch to securely obtain bootstrapping data, such as a configuration or software image, with no user intervention other than having to physically connect the switch to the network. When the switch first boots up, PHC connects to a redirect server, which redirects to a phone home server to obtain the configuration or software image.
To initiate either DHCP-options-based ZTP or PHC, the switch must be in a factory-default state, or you can issue the request system zeroize command.
ZTP with DHCPv6 client support (EX3400, EX4300, PTX1000, PTX5000, PTX10002-60C, PTX10008, QFX5100, QFX5200, QFX10002, and QFX10002-60C)—Starting in Junos OS Release 20.4R1, zero touch provisioning supports the DHCPv6 client. During the bootstrap process, the device first uses the DHCPv4 client to request information about the image and configuration file from the DHCP server. The device checks the DHCPv4 bindings sequentially. If one of the DHCPv4 bindings fails, the device continues to check for bindings until provisioning is successful. However, if there are no DHCPv4 bindings, the device checks for DHCPv6 bindings and follows the same process as for DHCPv4 until the device can be provisioned successfully. Both DHCPv4 and DHCPv6 clients are included as part of the default configuration on the device.
The DHCP server uses DHCPv6 options 59 and 17 and applicable suboptions to exchange ZTP-related information between itself and the DHCP client.
Note: ZTP supports only HTTP and HTTPS transport protocols.
[See Zero Touch Provisioning.]
System Management
PTP transparent clock (QFX5120-32C)—Starting in Junos OS Release 20.4R1, you can use a transparent clock to update Precision Time Protocol (PTP) packets with the residence time as the packets pass through QFX5120-32C switches. The PTP Transparent Clock (PTP TC) is defined in IEEE 1588-2008 (PTPv2). QFX5120-32C switches support end-to-end transparent clocks, which include only the residence time. To use a transparent clock, enable the e2e-transparent statement at the [edit protocols ptp] hierarchy level.
[See Understanding Transparent Clocks in Precision Time Protocol.]
System Logging
Support for time averaged watermark (MX Series, PTX Series, and QFX Series)—Starting in Junos OS Release 20.4R1, you can capture steady state data of routing and forwarding (RIB/FIB) table routes using the time-averaged-watermark-interval configuration statement at the [edit routing-options] hierarchy level. The time averaged watermark is calculated whenever the time averaged interval is changed from the CLI. The time averaged watermark is logged in syslog if logs are enabled in the system at the LOG_NOTICE level. The default time averaged watermark interval is 1 day. You can see the time averaged watermark using the existing show route summary command.
[See routing-options and show route summary.]
What's Changed
Learn about what changed in Junos OS main and maintenance releases for QFX Series Switches.
What’s Changed in Release 20.4R3
Class of Service (CoS)
On a Layer 2 interface, use unit * to apply a classifier or rewrite rule to all of the logical units on that interface.
EVPN
Community information no longer included in VRF routing table— The QFX series switches will no longer include the inherited advertised route target communities, EVPN extended communities, or vxlan encapsulation communities for EVPN Type 2 and EVPN Type 5 routes when an IP host is added in the VRF routing table.
Interfaces and Chassis
Blocking duplicate IP detection in the same routing instance (ACX Series, EX Series, MX Series, NFX Series, PTX Series, QFX Series, and SRX Series)—Junos will no longer accept duplicate IPs between different logical interfaces in the same routing instance. Refer to the table mentioned in the topic inet (interfaces). When you try to configure the same IP on two logical interfaces inside the same routing instance, the commit is blocked with the error shown below:
[edit]
user@host# set interfaces ge-0/0/1 unit 0 family inet address 2.2.2.2/24
[edit]
user@host# commit
commit complete
[edit]
user@host# set interfaces ge-0/0/2 unit 0 family inet address 2.2.2.2/24
[edit]
user@host# commit
[edit interfaces ge-0/0/2 unit 0 family inet]
  'address 2.2.2.2/24'
    identical local address found on rt_inst default, intfs ge-0/0/2.0 and ge-0/0/1.0, family inet.
error: configuration check-out failed
[See inet(interfaces).]
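Because this check can block a commit on a configuration that earlier releases accepted, it helps to audit an exported configuration before upgrading. The following Python script is an added example, not Juniper code: it scans a configuration in set format (as produced by show configuration | display set) and reports addresses that appear on more than one logical interface in the same routing instance. It assumes that only the host address is compared (the prefix length is ignored), that interfaces not listed under a routing instance belong to the default instance, and that configuration groups are already expanded; it does not model the exceptions in the inet (interfaces) table.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in "set" format. The ge-0/0/1 and ge-0/0/2 lines mirror
# the release-note example; everything else is made up for illustration.
SAMPLE_CONFIG = """\
set interfaces ge-0/0/1 unit 0 family inet address 2.2.2.2/24
set interfaces ge-0/0/2 unit 0 family inet address 2.2.2.2/24
set interfaces ge-0/0/3 unit 0 family inet address 10.0.0.1/30
set interfaces ge-0/0/4 unit 10 family inet address 10.0.0.1/30
set interfaces ge-0/0/5 unit 0 family inet6 address 2001:db8::1/64
set interfaces ge-0/0/6 unit 0 family inet6 address 2001:DB8:0::1/64
set interfaces ge-0/0/1 unit 0 family inet address 2.2.2.2/24 primary
set routing-instances CUST-A instance-type virtual-router
set routing-instances CUST-A interface ge-0/0/4.10
"""

ADDRESS_RE = re.compile(
    r"^set interfaces (\S+) unit (\d+) family (inet6?) address (\S+)")
INSTANCE_RE = re.compile(r"^set routing-instances (\S+) interface (\S+)$")


def find_duplicate_addresses(config_text):
    """Return (instance, family, address, [logical interfaces]) tuples for
    every address configured on two or more logical interfaces that share a
    routing instance. Assumption: the host address alone decides a clash."""
    lines = [line.strip() for line in config_text.splitlines()]

    # Pass 1: map each logical interface to its routing instance.
    instance_of = {}
    for line in lines:
        match = INSTANCE_RE.match(line)
        if match:
            instance_of[match.group(2)] = match.group(1)

    # Pass 2: collect the logical interfaces that own each address.
    owners = defaultdict(set)
    for line in lines:
        match = ADDRESS_RE.match(line)
        if not match:
            continue
        ifd, unit, family, addr = match.groups()
        try:
            # Normalise so that 2001:DB8:0::1 and 2001:db8::1 compare equal.
            ip = ipaddress.ip_interface(addr).ip
        except ValueError:
            continue  # not a literal address; skip the line
        ifl = f"{ifd}.{unit}"
        instance = instance_of.get(ifl, "default")
        owners[(instance, family, str(ip))].add(ifl)

    # A set per address means a repeated line for one interface (for example
    # the same address with an extra attribute) is not reported as a clash.
    return sorted(
        (instance, family, ip, sorted(ifls))
        for (instance, family, ip), ifls in owners.items()
        if len(ifls) > 1
    )


if __name__ == "__main__":
    for instance, family, ip, ifls in find_duplicate_addresses(SAMPLE_CONFIG):
        print(f"{instance} {family} {ip}: {', '.join(ifls)}")
```

In the sample, 10.0.0.1 is not reported because ge-0/0/3.0 and ge-0/0/4.10 sit in different routing instances.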
Layer 2 Ethernet Services
Link selection support for DHCP—We have introduced the link-selection statement at the [edit forwarding-options dhcp-relay relay-option-82] hierarchy level, which allows DHCP relay to add suboption 5 to option 82. Suboption 5 allows DHCP proxy clients and relay agents to request an IP address for a specific subnet from a specific IP address range and scope. Prior to this release, the DHCP relay dropped packets during the renewal DHCP process and the DHCP server used the leaf's address as a destination to acknowledge the DHCP renewal message.
[See relay-option-82.]
Network Management and Monitoring
Enhancement to the snmp mib walk command (EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—The ipv6IfOperStatus field displays the current operational state of the interface. The noIfIdentifier(3) state indicates that no valid Interface Identifier is assigned to the interface. This state usually indicates that the link-local interface address failed Duplicate Address Detection. When you specify the 'Duplicate Address Detected' error flag on the interface, the new value (noIfIdentifier(3)) is displayed. Previously, the snmp mib walk command did not display the new value (noIfIdentifier(3)).
Changes in contextEngineID for SNMPv3 INFORMS (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—Now the contextEngineID of SNMPv3 INFORMS is set to the local engine-id of Junos devices. In earlier releases, the contextEngineID of SNMPv3 INFORMS was set to remote engine-id.
The configuration accepts only defined identity values for nodes of type identityref in YANG data models (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series, vMX, and vSRX)—If you configure a statement that has type identityref in the corresponding YANG data model, the device accepts only defined identity values (as defined by an identity statement) as valid input. In earlier releases, the device also accepts values that are not defined identity values.
Change in OID ifHighSpeed—Now, the object identifier (OID) ifHighSpeed displays the negotiated speed once negotiation is completed. If the speed is not negotiated, ifHighSpeed displays the actual maximum speed of the interface. In earlier releases, ifHighSpeed always displayed the actual speed of the interface.
What’s Changed in Release 20.4R2
EVPN
Support for displaying SVLBNH information—You can now view shared VXLAN load balancing next hop (SVLBNH) information when you display the VXLAN tunnel endpoint information for a specified ESI and routing instance by using the show ethernet-switching vxlan-tunnel-end-point esi esi-identifier esi-identifier instance instance svlbnh command.
General Routing
Support only for manual channelization on QSFP-100G-SR4-T2 optics (QFX5120-48T and QFX5120-32C)—We recommend that you use the active optical cable (AOC) for auto-channelization. The QSFP-100G-SR4-T2 cables do not support auto-channelization. To use the QSFP-100G-SR4-T2 optics with an external breakout cable, you must configure the channelization manually by including the channel-speed statement at the [edit chassis fpc slot-number pic pic-number (port port-number | port-range port-range-low port-range-high)] hierarchy level.
[See channel-speed.]
Junos XML API and Scripting
Refreshing scripts from an HTTPS server requires a certificate (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series, vMX, and vSRX)—When you refresh a local commit, event, op, SNMP, or Juniper Extension Toolkit (JET) script from an HTTPS server, you must specify the certificate (Root CA or self-signed) that the device uses to validate the server's certificate, thus ensuring that the server is authentic. In earlier releases, when you refresh scripts from an HTTPS server, the device does not perform certificate validation.
When you refresh a script using the request system scripts refresh-from operational mode command, include the cert-file option and specify the certificate path. Before you refresh a script using the set refresh or set refresh-from configuration mode command, first configure the cert-file statement under the hierarchy level where you configure the script. The certificate must be in Privacy-Enhanced Mail (PEM) format.
[See request system scripts refresh-from and cert-file.]
The jcs:invoke() function supports suppression of root login and logout events in system log files for SLAX commit scripts (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—The jcs:invoke() extension function supports the no-login-logout parameter in SLAX commit scripts. If you include the parameter, the function does not generate and log UI_LOGIN_EVENT and UI_LOGOUT_EVENT messages when the script logs in as root to execute the specified remote procedure call (RPC). If you omit the parameter, the function behaves as in earlier releases in which the root UI_LOGIN_EVENT and UI_LOGOUT_EVENT messages are included in system log files.
The jcs:invoke() function supports suppression of root login and logout events in system log files for SLAX event scripts (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—The jcs:invoke() extension function supports the no-login-logout parameter in SLAX event scripts. If you include the parameter, the function does not generate and log UI_LOGIN_EVENT and UI_LOGOUT_EVENT messages when the script logs in as root to execute the specified remote procedure call (RPC). If you omit the parameter, the function behaves as in earlier releases in which the root UI_LOGIN_EVENT and UI_LOGOUT_EVENT messages are included in system log files.
Software Licensing
License key format (QFX5120-32C, QFX5120-48Y, and QFX5200)—When you are upgrading from Junos OS release 20.4R1 to Junos OS release 20.4R2 or later releases, you need new license keys to use the features on the listed devices. Contact Customer Care to exchange license keys for Junos OS releases 20.4R2 or later.
What’s Changed in Release 20.4R1
Class of Service (CoS)
We've corrected the output of the show class-of-service interface | display xml command. Output of the following sort:
<container> <leaf-1> data <leaf-2> data <leaf-3> data <leaf-1> data <leaf-2> data <leaf-3> data
will now appear correctly as:
<container> <leaf-1> data <leaf-2> data <leaf-3> data <container> <leaf-1> data <leaf-2> data <leaf-3> data
General Routing
Control plane DDoS protection packet type option for ARP traffic (PTX Series and QFX Series)—Starting in this release, we've renamed the arp-snoop packet type option in the [edit system ddos-protection protocols arp] protocol group to arp. This packet type option enables you to change the default control plane distributed denial-of-service (DDoS) protection policer parameters for ARP traffic.
[See protocols (DDoS) (PTX Series and QFX Series).]
Support for unicast ARP request on table entry expiration—You can configure the device to send a unicast ARP request instead of the default broadcast request when an ARP table entry is about to expire. The retry requests are unicast at intervals of 5 seconds. Without this option, the retry requests are broadcast at intervals of 800 milliseconds. This behavior reduces overall ARP broadcast traffic. It also supports the use case where access nodes are configured not to forward broadcast ARP requests toward customer CPEs for security reasons and instead translate ARP broadcasts to unicast requests. To confirm whether this option is configured, issue the following command: show configuration system arp | grep unicast-mode-on-expire.
[See arp.]
Change in license bandwidth command on vMX virtual routers—Starting in Junos OS, to use the available license bandwidth, explicitly set the license bandwidth using the set chassis license bandwidth <ln-mbps> command.
[See Configuring Licenses on vMX Virtual Routers.]
High Availability (HA) and Resiliency
The ntp boot-server command is deprecated — The boot-server option for the ntp command is no longer needed, and has been deprecated.
MPLS
The show mpls lsp extensive and show mpls lsp detail commands display next hop gateway LSPid—When you use the show mpls lsp extensive and show mpls lsp detail commands, you'll see next hop gateway LSPid in the output as well.
Network Management and Monitoring
Warning changed for configuration statements that correspond to deviate not-supported nodes in YANG data models (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—If you configure a statement corresponding to a YANG data model node that defines the deviate not-supported statement, the Junos OS configuration annotates that statement with the comment Warning: statement ignored: unsupported platform. In earlier releases, the warning is Warning: 'statement' is deprecated.
User Interface and Configuration
Verbose format option for exporting JSON configuration data (ACX Series, EX Series, MX Series, PTX Series, QFX Series, and SRX Series)—The Junos OS CLI exposes the verbose statement at the [edit system export-format json] hierarchy level. The default format for exporting configuration data in JSON changed from verbose format to ietf format starting in Junos OS Release 16.1R1. You can explicitly specify the default export format for JSON configuration data by configuring the appropriate statement at the [edit system export-format json] hierarchy level. Although the verbose statement is exposed in the Junos OS CLI as of the current release, you can configure this statement starting in Junos OS Release 16.1R1.
[See export-format.]
Known Limitations
Learn about known limitations in Junos OS Release 20.4R3 for QFX Series Switches. For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.
Class of Service (CoS)
Traffic might be dropped by the destination device. PR1568333
EVPN
VTEP interface displays output packets underlying the physical interface. PR1549820
The TYPE-5 decapsulation nexthop does not get installed if the peer does not advertise the TYPE-5 route. PR1599717
Layer 2 Features
On the QFX5000 line of switches with an SP-style aggregated Ethernet interface, child member link changes lead to momentary CRC errors and traffic drops when there is a scale of logical interfaces. PR1532342
Platform and Infrastructure
After you configure and delete the Ethernet loopback configuration, the interface goes down and does not come up. PR1353734
On the QFX10002-60C line of switches, the FPC might crash continuously and the dcpfe process might generate a core file. PR1612871
Reroute counter log events sometimes occur when you change the routes pointed to by the unilist next hop. PR1380350
Router might become non responsive when you reboot the router with the request system reboot statement. PR1385970
On the QFX10000 line of switches, the analyzer does not mirror after you add the child member to an aggregated Ethernet interface. PR1417694
When you tag the spine underlay and untag again, the inner packet comes and goes over the TYPE 2 tunnel, resulting in IPv4 discarding the traffic silently on PECHIP. PR1435864
After you rename VLAN on the trunk interface, the local host MAC learning halts for more than 30 seconds. PR1454274
Changing the scaled firewall profiles on the fly does not release the TCAM resources as expected. PR1512242
On the QFX5110-48S line of switches, the Number of Datagrams and Number of Flow Samples fields display zero in the output of the show sflow collector detail command. PR1525356
On the QFX5000 line of switches with storm control, significant difference between the configured rate and actual rate is observed. PR1526906
The following notification appears during the reboot or powering off the device: [FAILED] Failed unmounting /var. PR1527581
The show chassis environment and show chassis fan commands have different string status for fan failure. PR1527628
The vmcore process might generate a core file during the aggressive sensor subscribe and unsubscribe. PR1528432
When you disable auto-channelization with the 4x10G breakout cable, the DUT interface goes into the Down state while the 10G interfaces on the peer go into the Up state. PR1531850
On the QFX10002 line of switches in a dynamic IP-IP tunnel transit scenario, the sFlow export data does not include the nexthop field. PR1533307
The input runts error counter does not increment when the packets are sent with the size less than 64 bytes. PR1533322
On the QFX5100 line of switches that does not run the QFX-5E codes (non TVP architecture), when you install the image with Broadcom SDK upgrade (6.5.X), the CPU utilization might go up by around 5 percent. PR1534234
ECMP over GRE does not work for the BGP routes. PR1537924
The QFX5100 line of switches sends maximum samples of around 700 per second to the sFlow collector. PR1539815
Power interruption during firmware upgrade is not recommended. PR1543192
The QFX10000 line of switches does not keep the inner vlan-id on the egress EP interface. PR1546840
On the QFX5120 and QFX5200 line of switches, the EVPN VXLAN loop detect and CFM must not be configured on the same VLAN. PR1553384
Routing Protocols
Node protection for the RSVP LSP on FTI interfaces does not work. PR1456350
On the QFX5000 line of switches, the PIP decapsulation in the forward filter does not work when you commit the NO from matching conditions AND when subnet masks < 32 statement. PR1511893
On the QFX5210 line of switches, when you configure two Flex Hash rules and deactivate the first rule, the second rule does not get programmed in the hardware. PR1521306
On the QFX5100-24Q line of switches, error messages occur when you deactivate and activate interfaces. PR1522701
On the QFX5000 line of switches, error messages occur on the Packet Forwarding Engine console when you bring up 512 IP-IP tunnels. PR1525270
On the QFX5120-48YM line of switches, when a scale of IPv4 and IPv6 routes is present in the LPM profile, a few of the IPv6 routes do not get installed when the ports on which the routes are learned flap, due to the LPM table full error. PR1557655
Open Issues
Learn about open issues in Junos OS Release 20.4R3 for QFX Series Switches. For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.
Class of Service (CoS)
The buffer allocation for the VCP ports might not get released in the Packet Forwarding Engine after physically moving the port location. PR1581187
EVPN
On the QFX5120 line of switches, traffic received on a VTEP that is not configured in the static-remote-vtep-list does not get dropped. PR1543779
The MAC address of the end-host gets wrongly programmed in the forwarding table after the ESI failover. PR1584595
I-ESI modification workflow on DC-GW occurs. PR1600600
High Availability (HA) and Resiliency
On the QFX5200-32C line of switches, the reboot time gets degraded from 205 seconds in Junos OS Release 20.2R1 to 260 seconds in Junos OS Release 20.3. PR1511607
Infrastructure
The following error message occurs during FTP: ftpd[14105]: bl_init: connect failed for /var/run/blacklistd.sock(No such file or directory). PR1315605
Interfaces and Chassis
Newly added MC-LAGs do not come up after the Routing Engine switchovers. PR1583547
Junos Fusion Satellite Software
The output of the od temperature sensor 2 for opus SD106 does not appear. PR1582981
Layer 2 Features
On the QFX5110 and QFX5120 lines of switches, changing the lo0 IP address might sometimes result in either a stale IP entry in the mpls_entry table or a missing IP entry, which results in traffic drop for VXLAN traffic. PR1472333
The MAC addresses learnt from the MC-LAG client device might keep flapping between the ICL interface and mc-ae interface after you disable one child link in the mc-ae interface. PR1582473
Traffic drop might occur on the aggregated Ethernet interface. PR1585320
On the QFX5000 line of switches, the DF might not forward BUM traffic. PR1575976
On the QFX5100 line of switches, traffic might be dropped in the Packet Forwarding Engine after you commit changes related to TPID in the dcd process. PR1477156
Layer 2 Ethernet Services
ZTP does not get activated after all the values of the device become zero. PR1529246
Platform and Infrastructure
The sFlow sampling fails when you configure the egress interface with more than 8 in a line card. PR1202870
On the QFX10000 line of switches, the source MAC and TTL values do not get updated for the routed multicast packets in EVPN-VXLAN. PR1346894
The backup Routing Engine might crash after GRES occurs continuously for more than 10 times. PR1348806
On the QFX5110 line of switches, the VCP ports go down after the members split and merge in the Virtual Chassis. PR1606705
Upon receipt of specific sequences of genuine packets destined to the device, the kernel crashes and restarts. PR1557881
The VCF might become unstable. PR1559172
The subscriber management infrastructure daemon (smid) process might become nonresponsive at 100 percent. PR1559402
The dcpfe process might crash after you commit the EVPN-VXLAN profile configuration and ARP resolution might fail leading to traffic issues. PR1561588
On the QFX5110-32Q line of switches, LACP does not come up in the non-oversubscribed mode for a set of ports. PR1563171
On the QFX10002 line of switches, continuous Layer 3 traffic drop occurs with the MC-LAG configuration. PR1610173
On QFX5000 Virtual Chassis, MAC move or MAC flap might be triggered. PR1610295
The QFX5000 and QFX10000 lines of switches might become nonresponsive for some time after reboot. PR1584902
Due to the transient hardware condition, the single-bit error (SBE) events get corrected and have no operational impact. Those reported events have been disabled to prevent alarms and possibly unnecessary hardware replacements. PR1384435
On the QFX10002-60C line of switches, complete packet loss occurs while testing the vacl ingress terms scale configuration. PR1581767
On the QFX10000 line of switches, the dcpfe and fpc processes might crash. PR1597479
The IS-IS adjacency might fail to form if you configure the MTU size of an IRB interface with a value greater than 1496 bytes. PR1595823
The fpc process might crash when you modify a firewall filter. PR1432116
On the QFX5200 line of switches, the ISSU might fail. PR1438690
On the QFX5000 line of switches, the port qualifier is not supported. PR1440980
Storm-control does not rate-limit the ARP packets. PR1461958
On the QFX5110 line of switches, the VXLAN VNI (mcast) scaling causes traffic issue. PR1462548
On the QFX5000 line of switches, analyzer does not work. PR1576327
The OSPF session over IRB might not come up in the EVPN-VXLAN scenario. PR1577183
On the QFX10000 line of switches, the port might not go into the Down state immediately during some abnormal types of line card reboots. PR1577315
The unexpected next hop might occur after the route gets deleted. PR1477603
The SNMP index in the Packet Forwarding Engine reports as 0 that causes sFlow to report either IIF or OIF (not both) as 0 in the sFlow record data at the collector. PR1484322
Interface on platforms using the Broadcom chipset might have abnormal status. PR1495564
On the QFX10000 line of switches, the show pfe filter hw filter-name command does not retrieve the Packet Forwarding Engine program. PR1495712
On the QFX5100 line of switches, degradation occurs during the system reboot time and FPC online time. PR1513540
SNMP trap of power failure might not be sent out. PR1520144
The Layer 3 classifier takes effect though the configured Layer 2 classifier. PR1520570
The FIPS mode is not supported. PR1530951
FPC might crash in a scaled firewall configuration. PR1586817
On the QFX5100 line of switches that does not run the QFX-5E codes (non TVP architecture), when you install image with the Broadcom SDK upgrade (6.5.X), the CPU utilization might go up by around 5 percent. PR1534234
The MAC addresses might not be relearned successfully after the MAC address age timeouts. PR1567723
DCI traffic loss of 100 percent occurs in the transit spine devices. PR1572238
On the QFX10000 line of switches, the dcpfe or fpc process might crash if the ARP MAC occurs. PR1572876
On the QFX5100 Virtual Chassis, the firewall counter does not get updated as expected with PACL applied. PR1535825
On the QFX10002-72Q line of switches, the sFlow egress samples at PHP router do not include explicit-null (IPv4 and IPv6). PR1537946
The dcpfe process might crash when any interface flaps. PR1579736
On the QFX5000 line of switches, traffic loss might occur in the EVPN-VxLAN scenario. PR1580005
The IS-IS packet might be corrupted on the provider edge device over the Layer 2 circuit tunnel. PR1580047
The DHCP packets might be dropped if you apply the dyn-dhcpv4_v6_trap dynamic filter on the interface. PR1580352
On the QFX10002 line of switches, the sFlow log error message occurs when you enable the egress sampling on the dynamic IP-IP tunnel encapsulation scenario. PR1538863
On the QFX10008 line of switches with the Layer 2 and Layer 3 multicast configurations, the vmcore process generates the core file on the primary and backup Routing Engines. PR1539259
The following error message occurs when you reboot the device with the enterprise base configurations: Error BCMX: Failed to add lport 0x0 (unit , port ). -8: Entry exists. PR1541159
On the QFX5000 Virtual Chassis fan, traffic loss might occur after you swap the primary and backup Routing Engines. PR1544353
On the QFX5000 line of switches, the installed next hop local-bias filter fails on the Packet Forwarding Engine with MAC-VRF. PR1544850
The QFX10000 line of switches does not keep the inner vlan-id on the egress EP interface. PR1546840
Need to move WRL7 to RCPL31 for the QFX-10-M and QFX-10-F line of switches. PR1547565
On the QFX10000 line of switches, there is no local MAC-IP entry for vlan-bundle service. PR1548456
During power cycle, 100G port down issue occurs occasionally on et-0/0/54 and et-0/0/55 with INNOLIGHT 100G-AOC cables. PR1548525
Host shell gets unreachable after the image installation. PR1548710
On the QFX10000 line of switches, only untagged traffic flows through the ethernet-bridge interface. PR1550700
On the QFX10002-60C line of switches, ethernet-bridge is not supported. PR1551037
In Junos OS Release 20.2, some features appear as licensed features. When you use these features, alarms and commit warnings are displayed. However, there is no functional impact. PR1558017
The following log message generated under chassisd, along with other messages, appears in the logs: pic_create_ifname: 0/0/0 pic type F050 is not supported. PR1566440
Unexpected multicast traffic streams occur after you enable EVPN. PR1570689
BUM traffic from AR-LEAF does not display the correct count in the output of the show interfaces vtep extensive command. PR1579614
On the QFX5210-64C line of switches, PSU firmware upgrades through JUNOS. PR1589572
On the QFX10008 line of switches, it takes approximately 9 minutes for FPCs to come online after the system reboot command is issued. This is about 2 minutes more than in 20.4 releases. PR1605002
IRB ARP/ND entries are missing in GW nodes and traffic is black-holed after you modify the WAN-RD or WAN-RT of the EVPN VXLAN DCI routing instance. PR1611154
Traffic received on the Type-5 tunnel on the spine is not forwarded out to the leaf after you modify the lo0 interface IP on QFX1000. PR1615253
On QFX10008 and QFX10016 line of switches with EVPN-VXLAN configuration and dual GRES enabled, the dcpfe process generates core file after the below sequence of events. PR1615430
On the QFX5210-64C line of switches, after reboot, the carrier transition counter does not increment when the link flaps. PR1605037
In the EVPN VXLAN environment, the VNI for the EAD/ES route is set to 1. PR1594981
The mcsnoopd process generates core files at snp_token_db_gencfg_handler, krt_decode_gencfg, krt_ifstate_resync_read, krt_async_recv_ifstate_resync_phase. PR1596483
During an image upgrade, sometimes the system goes for NMI or auto vmcore generation. PR1601867
BUM traffic might be looped for a short time when you add the interface as the CE interface. PR1493650
Additional firewall policy must be added to allow the client DNS queries from the QF directors. PR1509383
The offer message from the server reaches the relay agent. However, the message does not get forwarded to the IRB on which clients are connected. PR1530160
On the QFX10000 line of switches, the firewall filter logs are incorrectly populated with protocol 8847 entries. PR1582780
The DHCP offer packets might be dropped on the Spine device in the VXLAN multi-homing setup. PR1585715
Traffic drop occurs while verifying the traffic status on the fec interface after reboot. PR1586036
Inter and intra VNI traffic might drop in Spine with the EVPN-VXLAN CRB configuration. PR1586537
Packet DMA memory leak might occur in the EVPN-VXLAN scenario after receiving some packets. PR1587609
The LLDP packets drop on the SP style interface. PR1589702
Multiple crashes with the toe_interrupt_errors error message might occur. PR1593025
Routing Policy and Firewall Filters
When you upgrade Junos OS to a specific version, the configuration validation might fail and the rpd process might crash. PR1538172
The rpd process might crash when you delete the routing table. PR1565629
Routing Protocols
On the QFX-5100 Virtual Chassis or Virtual Chassis Fan, the following error occurs in the hardware with the mini-PDT base configurations: BRCM_NH-,brcm_nh_bdvlan_ucast_uninstall(), 128:l3 nh 6594 unintsall failed. PR1407175
On the QFX5100 line of switches, the fxpc process might generate a core file when you clean up the configurations after ISSU. PR1578115
The multi-hop BFD session might flap if you execute the RSI (Request Support Information) collection command. PR1589765
IPv4 static route might still forward traffic unexpectedly even when the static route configuration has already been deleted. PR1599084
Filter with destination-port-range-optimize or source-port-range-optimize fails. PR1582452
Encapsulation and decapsulation of VXLAN traffic fails leading to traffic drop. PR1582713
With IGMP snooping implemented, unexpected jitter issue might occur leading to traffic loss. PR1583207
VPNs
On the QFX10000, the auto-RP functionality does not work in the NGMVPN scenario. PR1604014
Resolved Issues
Learn which issues were resolved in Junos OS main and maintenance releases for QFX Series Switches.
For the most complete and latest information about known Junos OS defects, use the Juniper online Junos Problem Report Search application.
Resolved Issues: 20.4R3
Class of Service (CoS)
The buffer allocation for the VCP ports might not get released in the Packet Forwarding Engine after you physically move the port location. PR1581187
On the QFX5000 line of switches, the DSCP classifier might not work properly. PR1585361
The TCP-ECN traffic might not be forwarded with high priority. PR1585854
You cannot configure a policer with a bandwidth-limit greater than 50G. PR1575049
EVPN
The l2ald process might crash and restart with a l2ald core file created when you enable the global level telemetry sensor. PR1570757
Configuring static-mac and no-mac-learning simultaneously on the VXLAN interface leaves the MAC or IP entry stale in the EVPN database. PR1576147
Policy with mac-filter-list might not work if you commit changes in the policy unrelated to that policy in the EVPN scenario. PR1567623
After the device reboots in an EVPN-VXLAN setup with graceful restart, the EVPN routes do not get advertised to the EVPN peers until the rpd process has been up for 180 seconds. PR1586246
Traffic loss might occur under the EVPN-VXLAN scenario when MAC-IP moves from one CE interface to another. PR1591264
The device announces router-mac, target, and EVPN-VXLAN community to the BGP IPv4 NLRI. PR1600653
Traffic sent by the QFX5000 switch leaf to remote leaf with link down. PR1605375
Interfaces and Chassis
Newly added MC-LAGs do not come up after the Routing Engine switchovers. PR1583547
Removing the configuration from interface stanza might cause the dcpfe process to crash. PR1594356
Traffic loss might occur when you deactivate and activate member links of the logical child or ICCP interface. PR1542840
Layer 2 Features
On the QFX5110-32Q line of switches, LACP does not come up in the non-oversubscribed mode for a set of ports. PR1563171
Traffic forwarding for VLAN 2 might not be correct when a VLAN member is removed from the ESI interface. PR1570446
On the QFX5000 line of switches, software-forwarded VXLAN decapsulated packets contain an illegal length. PR1574435
On the QFX5000 line of switches, DF might not forward BUM traffic. PR1575976
MAC addresses learnt from the MC-LAG client device might keep flapping between the ICL interface and MC-AE interface after you disable one child link in the MC-AE interface. PR1582473
Traffic might drop on the aggregated Ethernet interface. PR1585320
In the OVSDB VXLAN scenario, the inner VLAN tag 8 gets added unexpectedly into the encapsulated Ethernet header. PR1531319
Packets received on a port that is in the LACP Detached and Broadcom STP Blocked states might get forwarded. PR1553570
LACP gets into the Detached state when you delete VLAN on the aggregate Ethernet interface configured on the SP style. PR1555862
Layer 2 Ethernet Services
The DHCP client becomes offline for 120 seconds after sending the DHCPINFORM message in the DHCP relay scenario. PR1575740
The DHCP relay drops packets during the renewal DHCP process. PR1576417
Network Management and Monitoring
Slow memory leak might occur in the snmpd process. PR1575790
Platform and Infrastructure
Kernel crash might occur after NSSU when you perform GRES. PR1533874
The dcpfe process might crash with auto-channelization enabled. PR1484336
On the QFX10000 line of switches, an enhancement is needed to enable the watchdog petting log on line cards. PR1527535
On the QFX5110-32Q line of switches, ports 20 to 27 might flap when you insert the QSFP-40G transceiver into ports 29 to 31. PR1535216
On the QFX10000 line of switches, Denial of Service (DoS) occurs upon receipt of DVMRP packets on the multi-homing ESI in VXLAN. PR1539194
The Layer 3 static license is required even though it is included in the base license. PR1557631
On the QFX5120-48T line of switches, after you remove the 1G speed on an interface, the speed does not come back as 10G. PR1591038
The socket connection drops due to keepalive timer expiration with the port 33015. PR1598019
The egress interface of the GRE tunnel does not dynamically get updated when the destination to tunnel changes. PR1602391
Sampled memory might leak when the analyzer is in the Down state. PR1564790
Traffic loss might occur in the MC-LAG scenario. PR1565287
On the QFX5000 line of switches, the dcpfe process might crash after deleting the VXLAN configuration. PR1562692
The received encapsulated VXLAN packets might be dropped if you load the EVPN-VXLAN configuration. PR1562814
The VXLAN queue DDoS violation and RARP packets flood might occur if you receive the RARP packets more than the supported DDoS bandwidth. PR1560243
On the QFX10000-60S-6Q line of switches, line card takes more than 15 minutes to boot up after you trigger the panic or watchdog reboot. PR1559725
Timestamp discrepancy might occur in the IPFIX packet flows exported. PR1558131
The DF (Designated Forwarder) might not forward traffic. PR1567752
The 100G port with module QSFP 100G-SR4-T2 converts to two channelized interfaces without any channelized configuration. PR1567937
The BFD session flaps between leaf and core during the Spine reboot causing other protocols to flap. PR1568615
Multicast streams might stop flooding in the VXLAN setup. PR1606256
The LLDP packets received on the VXLAN enabled port might get flooded unexpectedly. PR1607249
Ping to lo0/IRB over Type-5 fails. PR1610093
The dcpfe process might crash and cause FPC to restart due to the traffic burst. PR1534340
The BFD neighborship fails with the EVPN-VXLAN configuration after the Layer 2 learning restarts. PR1538600
The traffic does not get load-balanced properly in an EVPN overlay-ecmp setup. PR1550020
The interface might not come up with 1G optics. PR1554098
The dcpfe process might crash and restart with a dcpfe core file created when you run the Type5 EVPN-VXLAN with 2000 VLANs. PR1556561
The MAC addresses learned in a Virtual Chassis might fail due to aging out in the MAC scaling environment. PR1558128
On the QFX5000 line of switches, incorrect ARP reply might be sent through the aggregated Ethernet interface. PR1554389
Traffic loss might occur on a VXLAN enabled VLAN. PR1554600
The Virtual Chassis Fabric might become unstable. PR1559172
The subscriber management infrastructure daemon (smid) process might become nonresponsive at 100 percent. PR1559402
On the QFX5110 line of switches, the untagged traffic routed over native-vlan might be dropped. PR1560038
VXLAN queue DDoS violation and RARP packets flood might occur if the RARP packets are received more than the supported DDoS bandwidth. PR1560243
The tunable optics SFP+-10G-T-DWDM-ZR does not work. PR1561181
The dcpfe process might crash after you commit the EVPN-VXLAN profile configuration, and ARP resolution might fail, causing traffic issues. PR1561588
On the QFX5000 line of switches, the dcpfe process might crash after you delete the VXLAN configuration. PR1562692
MAC addresses might not be relearned successfully after the MAC address age timeouts. PR1567723
Another port gets shut down after one port on the QFX10002-60C device shuts down. PR1568294
The dcpfe process might crash if the TYPE-5 tunnel fails to get installed for EVPN-VXLAN. PR1570136
Unexpected packet loss might occur if you delete the subunit of the physical interface. PR1571286
DCI traffic loss of 100 percent occurs in the transit spine devices. PR1572238
The EVPN VXLAN CE interface with RSTP configured might cause LACP or BFD issues. PR1572504
On the QFX10000 line of switches, the dcpfe or fpc process might crash if you move the ARP MAC. PR1572876
On the QFX10008 chassis, the dcpfe process generates a core file. PR1572889
On the QFX10008 and QFX10016 line of switches, traffic loss might be observed due to faulty FPC. PR1574779
BFD might flap occasionally during the spine reboot. PR1575296
On the QFX5000 line of switches, analyzer does not work. PR1576327
The OSPF session over IRB might not come up in the EVPN-VXLAN scenario. PR1577183
On the QFX10000 line of switches, the WAN port links might not come down immediately during some abnormal type of line card reboot. PR1577315
TACACS traffic might be dropped. PR1578579
The dcpfe process might crash when any interface flaps. PR1579736
The IS-IS packet might be corrupted on the provider edge device over the l2circuit tunnel. PR1580047
The dcpfe process crashes when you check the virtual tunnel-nexthop packet status. PR1580114
The DHCP packets might be dropped if you apply the dyn-dhcpv4_v6_trap dynamic filter on the interface. PR1580352
When you apply mapping analyzers to the channelized port, mirror might not work properly. PR1580473
On the QFX5120-32C line of switches, the following error appears: kern.ipc.maxpipekva exceeded; see tuning error. PR1581192
The switchover might get affected with the shared VXLAN tunnel. PR1581524
The traffic might not be load-balanced properly in an EVPN overlay-ecmp setup. PR1582017
On the QFX5100 line of switches, few 40G ports might not be channelized successfully. PR1582105
On the QFX10000 line of switches, the firewall filter logs are incorrectly populated with protocol 8847 entries. PR1582780
On the QFX5000 line of switches, the firewall filter does not get programmed after you delete a large filter and add a new one in a single commit. PR1583440
The ZTP process might cause the traffic to discard silently. PR1585057
The DHCP offer packets might be dropped on the spine device in the VXLAN multi-homing setup. PR1585715
Inter and intra VNI traffic drop might occur in the spine device with the EVPN-VXLAN CRB configuration. PR1586537
The na-grpc process might crash and existing telemetry connections get disconnected. PR1587956
When you remove the member interface from the aggregated Ethernet interface, the member interface does not get removed from mirroring in the analyzer. PR1589579
Traffic loop occurs when you add the logical child interface in the case of the multihomed SP style in the EVPN-VXLAN. PR1543966
The LLDP packets drop on the SP style interface. PR1589702
On the QFX5120 line of switches, the MPLS traffic might not be forwarded after the aggregate interface flaps. PR1589840
VXLAN DDoS violation might occur when you disable the port mirror analyzer output interface. PR1590150
The Routing Engine kernel might crash due to the logical child interface of the aggregated interface. PR1592456
The IPv4 fragmented packets might be broken if you configure the PTP transparent clock. PR1592463
On the QFX10002, QFX10008, and QFX10016 line of switches, the MPLS traffic might get discarded on passive monitoring interface. PR1592693
Multiple crashes with the toe_interrupt_errors error message occurs. PR1593025
The BFD session might flap during the Routing Engine switchover. PR1593244
The dcpfe process might crash in an EVPN-VXLAN scenario. PR1593950
Packet drop might occur in an ECMP next-hop flap scenario. PR1594030
The existing ECMP route traffic might be dropped if you configure a static ECMP route with the same number of next-hops as the existing ECMP route. PR1594573
On the QFX10002-72Q line of switches, SNMP walk jnxOperatingEntry displays only two PSUs even if you install four PSUs. PR1555852
The VGA might be down when you configure the IRB interface with multi VGA addresses. PR1555338
The lcmd process might consume memory until all of the free memory available to VMHOST gets exhausted. PR1555386
The re-installation of the Type-5 tunnels might fail in an EVPN-VXLAN scenario. PR1595197
Traffic might be dropped after you reboot the backup FPC in a Virtual Chassis scenario. PR1596773
The logical child interface does not come up in a specific condition. PR1552938
The Layer 2 multicast traffic received on the VCP (Virtual Chassis port) ports might be dropped if you enable the igmp-snooping and STP/VSTP. PR1553159
LACP timeout issue might occur while you poll for the QSFP diagnostics. PR1549121
The dcpfe process might crash due to the chip SDK fault. PR1552645
On the QFX10008 and QFX10016 line of switches, traffic loss might occur due to faulty FPC. PR1574779
Port mirroring might not work when the analyzer output gets in a trunk interface. PR1575129
On the QFX10000 line of switches, a high rate of 802.3x pause frames gets sent out of the interfaces. PR1575280
The BFD session might flap occasionally during the Spine reboot. PR1575296
The traffic does not get load-balanced properly in the EVPN overlay-ecmp setup. PR1550020
The interface might not be brought up when you configure QinQ. PR1597261
On the QFX5000 line of switches, the sFlow impacts on the ICMP traffic. PR1598239
The dcpfe process might crash if the TYPE-5 tunnel fails to be installed for EVPN-VXLAN. PR1570136
Traffic forwarding for VLAN 2 might not be correct when you remove a VLAN member from the ESI interface. PR1570446
The dcpfe process crashes in the VXLAN scenario. PR1571170
On the QFX5100, QFX5110, QFX5120, QFX5200, and QFX5210 line of switches, the DDoS violations might be reported for the IP multicast miss traffic incorrectly. PR1598678
File permissions get changed for the /var/db/scripts files after reboot. PR1599365
On the QFX10002-60C line of switches with IRB interface, the Layer 3 traffic might be silently discarded. PR1599692
Unable to disable the configuration mode command for the management port em1. PR1600905
On the QFX10000 line of switches, the dcpfe process might crash. PR1546572
On the QFX5000 line of switches, the static MAC on an interface might not work. PR1546655
On the QFX5120-48y-8c line of switches, the dcpfe process generates a core file when you issue the show pfe vxlan nh-usage command in an ERB EMC scenario with around 6000 ARP entries. PR1601949
The status of FPC becomes down and the dcpfe process might generate core file dump in some cases. PR1602583
Traffic loss might occur in the MC-LAG scenario. PR1602811
On the QFX5000 line of switches, traffic drop might occur in the Virtual Chassis scenario when you configure the firewall filter. PR1602914
Duplicate packets might appear when you bring up all the interfaces on the spine switch. PR1604393
MAC movement might occur between the ICL and MC-LAG interface if you add or remove the VLANs on the ICL interface. PR1605234
Upon the receipt of the specific sequences of genuine packets destined to the device, the kernel crashes and restarts. PR1557881
FPC might crash in a scaled-firewall configuration. PR1586817
Routing Policy and Firewall Filters
The rpd process might crash when you delete the routing table. PR1565629
Routing Protocols
The remaining BFD sessions of the aggregated Ethernet interface flaps continuously if one of the BFD sessions gets deleted. PR1516556
The fpc and dcpfe process might crash when you insert and remove the channelized interface of QSFP. PR1547231
Memory leak might occur in the MSDP scenario. PR1571906
A filter could not be installed if the filter has large scaled number of terms. PR1555337
The rpd memory might leak in the BGP scenario. PR1547273
The BFD sessions over the IRB interface become nonresponsive in the Init state with the incremental FRR errors. PR1541851
The BFD sessions on the Layer 3 sub-interface of the ESI aggregated Ethernet interface might keep flapping when the upstream underlay or overlay BGP flaps. PR1544982
There might be traffic loss when the GRE interface flaps. PR1566428
The GRE egress traffic might not be forwarded between different routing instances. PR1573411
On the QFX5000 line of switches, continuous traffic destined to a device configured with MC-LAG leads to nodes losing their control connection, which can impact traffic. PR1552877
The QFX5000 line of switches might drop the DHCP packets in the static VXLAN scenario. PR1576168
Multicast packets with TTL=1 get dropped on the VXLAN enabled interface when you enable igmp-snooping or MLD-snooping. PR1576775
On the QFX5000 line of switches, traffic loss might occur in the EVPN-VxLAN scenario. PR1580005
The BGP session carrying the VPNv4 prefix with IPv6 next-hop might be dropped. PR1580578
Traffic loss might occur when IPv6 traffic is forwarded by an IPv4 GRE tunnel. PR1582408
With IGMP snooping implemented, unexpected jitter issue might cause traffic loss. PR1583207
The rpd process might crash after you commit the configured static group 224.0.0.0. PR1586631
The multi-hop BFD session might flap if you commit the RSI (Request Support Information) collection command. PR1589765
The traffic might get silently discarded or forwarded through not-best-path in the BGP setup. PR1592550
On the QFX5000 line of switches, memory leak might occur. PR1566483
Resolved Issues: 20.4R2
EVPN
The l2ald process might crash under a VLAN-based EVPN-VXLAN scenario. PR1550109
On the QFX10000 devices, the l2ald process generates the core file at l2ald_VXLAN_ifl_create_event_handler at /src/junos/usr.sbin/l2ald/platform/junos/l2ald_rtsock_VXLAN.c:477. PR1560068
A change of global-mac-ip-table-aging-time from a high to a low value might not take effect. PR1562925
Forwarding and Sampling
The l2ald process might crash due to next-hop issue in the EVPN-MPLS. PR1548124
Configuration archive transfer-on-commit fails while running Junos OS Release 18.2R3-S6.5. PR1563641
General Routing
The DHCP relay-reply packets are dropped in the DHCPv6 relay scenario. PR1352613
Interfaces and Chassis
MAC address entry issue might be seen after MC-LAG interface failover or failback. PR1562535
Layer 2 Features
On the QFX5120 devices, packets with VLAN ID 0 are dropped. PR1566850
On the QFX5000, software-forwarded VXLAN de-encapsulated packets have illegal length. PR1574435
Layer 2 Ethernet Services
DHCP packet drop might be seen when the DHCP relay is configured on a leaf device. PR1554992
Platform and Infrastructure
On the QFX5000 line of switches, the number of egress ACL filter entries is only 512 in Junos OS Release 19.4R1. PR1472206
On the QFX10000 device, the chassisd process might generate core files on the backup Routing Engine after commit for 200 seconds due to the following error message: CHASSISD_MAIN_THREAD_STALLED. PR1481143
Channelized interfaces might fail to come up. PR1512203
Some inter-VLAN traffic flows do not converge after rebooting a spine (QFX10002) device in an EVPN-VXLAN non-collapsed scaled scenario. PR1522585
Traffic loss might be observed on interfaces in a VXLAN environment. PR1524955
On the QFX10002, the firewall logs are incorrectly populating from the Packet Forwarding Engine. PR1533814
The following Packet Forwarding Engine error message is observed in BRCM-VIRTUAL: brcm_virtual_tunnel_port_create() ,489: Failed NW VXLAN port token(45) hw-id(7026) status(Entry not found). PR1535555
The BFD sessions might not come up in a VXLAN scenario. PR1538600
The rpd memory leak might be observed on the backup Routing Engine due to link flaps. PR1539601
Unable to take RSI properly due to the authentication error. PR1539654
FPC might not be recognized after power cycle (hard reboot). PR1540107
OSPFv3 session might keep flapping and OSPFv3 hellos might be dropped in the host path. PR1547032
On the QFX10000 device, traffic might get dropped when the set routing-options forwarding-table no-ecmp-fast-reroute configuration is changed to 128 ECMP entries. PR1547457
On the QFX5100 Virtual Chassis, the backup Routing Engines clear the reporting alarm for a PEM failure intermittently for a missing power source. PR1548079
The 40GbE interface might be channelized after restarting the Virtual Chassis member. PR1548267
Neighbor Solicitation might be dropped from the peer device. PR1550632
The interface filter with source-port 0 matches everything instead of port 0. PR1551305
On the QFX5110 and QFX5120 devices, the DHCPv6 traffic received over a VTEP might not be forwarded. PR1551710
On the QFX5000 devices, the ARP resolution might fail. PR1552671
The dcpfe process might crash and the non-channelization interfaces might not come up. PR1552798
The action-shutdown command of storm control does not work for the ARP broadcast packets. PR1552815
Traffic might not pass due to the addition of the VLAN tag 2 while passing through the Virtual Chassis port. PR1555835
Traffic might be dropped when a firewall filter rule uses the then VLAN action. PR1556198
The dcpfe process might crash and restart, generating a core file, while running the type-5 EVPN-VXLAN with 2000 VLANs. PR1556561
On the QFX5120-48YM device, the Multiple License Warning Messages are observed. PR1556816
Traffic storm might be caused by the analyzer due to the flapping of the link. PR1557274
On the QFX5000 devices, the firewall filter might fail. PR1558320
On the QFX5120 device, amber LEDs are displayed for the fan modules after upgrading to Junos OS Release 20.2R1. PR1558407
PRBS (Pseudo Random Binary Sequence) test on the QFX5200 devices fails for 100GbE interfaces with the default settings. PR1560086
When configuring the static MAC and static ARP on the EVPN core aggregate interface, the underlay next-hop programming might not be updated in the Packet Forwarding Engine. PR1561084
PTP BC with G.8275.2.enh profile_2 512 clients does not come up. PR1561348
PTP lock status gets stuck in the Acquiring state instead of the Phase Aligned state. PR1561372
Firewall filters might not work after ISSU. PR1561690
On the QFX10000 devices, the dcpfe process might crash during the configuration changes. PR1561746
Traffic loss might occur in a large-scaled EVPN scenario when the next-hop type changes between discard and unicast. PR1562425
On the QFX5000 devices, port mirroring might not work as expected. PR1562607
On the QFX5120 devices, storm control with IRB interface might not work correctly. PR1564020
On the QFX5100 Virtual Chassis, continuous message about agentd-pfe-proxy_telemetry_publisher is observed. PR1566528
On the QFX5100 devices, the following internal comment is displayed in the output of the show configuration command: Placeholder for QFX platform configuration. PR1567037
On the QFX10002 devices, discrepancy in inet.1 versus Packet Forwarding Engine reports multicast routes. PR1567353
PTP management message with SMTLV is sent only to the first port number to go active in the member multicast-mode l2-ifl. PR1571283
Issue is observed in telemetry when the set services analytics streaming-server <> <> configuration is present and server is not reachable. PR1581192
The dcpfe process might crash and cause FPC to restart due to the traffic burst. PR1534340
On the QFX10000 devices, the dcpfe process might crash in the specific MAC move cases and traffic loss might be observed in the EVPN-VXLAN scenario. PR1542709
The switchover might be affected with the shared VXLAN tunnel. PR1581524
Routing Policy and Firewall Filters
The policy configuration might be mismatched between the rpd and mgd process when deactivate policy-options prefix-list is involved in the configuration sequence. PR1523891
Routing Protocols
Traffic might be silently discarded when a BGP route that is part of multipath gets deleted. PR1514966
The OSPF neighborship gets stuck in the Start state after configuring EVPN-VXLAN. PR1519244
BGP LU session flap might be seen with the AIGP used scenario. PR1558102
On the QFX5110-32Q device, the following syslog error message is observed after loading the NC type-5 EVPN-VXLAN configuration: BCM-L2,pfe_bcm_l2_sp_bridge_port_tpid_set() Config TPID New/Old (8100:8100) Other-Tpid's ba49, 4aa0, 80f. PR1558189
On the QFX5120-48Y devices, the Layer 3 IPv4 traffic issue is observed after loading the non-collapsed type 5 EVPN-VXLAN configuration. PR1560173
On the QFX5110 devices, the ARP resolution might fail if native-vlan-id is configured on the VXLAN interface. PR1563569
The dcpfe process might crash when the size of the Local Bias Filter Bitmap string exceeds 256 characters. PR1568159
On the QFX5000 devices, the untagged packets might not work. PR1568533
The GRE egress traffic might not be forwarded between the different routing-instances. PR1573411
Resolved Issues: 20.4R1
EVPN
EVPN-VXLAN core isolation does not work when the system is rebooted or the routing is restarted. PR1461795
Unable to create a new VTEP interface. PR1520078
ARP table might not be updated after performing VMotion or a network loop. PR1521526
All the ARP reply packets toward some address are flooded across the entire fabric. PR1535515
EVPN-VXLAN registers mac-move counters under "system statistics bridge" even though there is no actual mac-move for multi-home (MH) clients. PR1538117
Observed Layer 2 core file when system is rebooted when shared-tunnels are configured. PR1548502
The l2ald process crashes and generates a core file l2ald_iff_rtm_delete_subintf_ifbds during the datacenter interconnect (dci) fusion run. PR1550109
General Routing
Port LEDs do not work on the QFX5100-48T-6Q platforms. PR1317750
On the QFX5100 switches, the interface output counter is double counted for self-generated traffic. PR1462748
IRB MAC is not programmed in hardware when the MAC persistence timer expires. PR1484440
Virtual Chassis is not stable with 100-Gigabit Ethernet and 40-Gigabit Ethernet interfaces. PR1497563
BFD sessions flap after deactivating or activating the aggregated Ethernet interface or executing GRES. PR1500798
The error message "mpls_extra NULL" might be seen when you add, change, or delete MPLS route. PR1502385
The interface becomes physically down after changing to the FEC none mode. PR1502959
LLDP is not acquired when native-vlan-id and tagged VLAN-ID are the same on a port. PR1504354
"Media type" in show interface command is displayed as "Fiber" for SFP-10G-T. PR1504630
The archival function might fail in certain conditions. PR1507044
The fxpc might crash and restart with a fxpc core file created while installing image through ZTP. PR1508611
Traffic might be affected on QFX10002, QFX10008, and QFX10016 line of switches. PR1509220
The output VLAN push might not work. PR1510629
Multicast traffic loss is observed because of the few multicast routes missing in the spine node. PR1510794
The QFX10000-36Q line card used on QFX10008 and QFX10016 line of switches might fail to detect any QSFP. PR1511155
In a Virtual Chassis environment, the configured num-65-127-prefix value is displayed incorrectly in the output of the "show chassis forwarding-options" command. PR1512712
In the VXLAN configuration, the firewall filters might not be loaded into the TCAM with the following message due to TCAM overflow after upgrading to Junos OS Release 18.1R3-S1, 18.2R1, and later. PR1514710
The routes update might fail upon the HMC memory issue and traffic impact might be seen. PR1515092
The 100-Gigabit Ethernet AOC non-breakout port might be auto-channelized to other speed. PR1515487
The MAC learning might not work properly after multiple MTU changes on the access port in the VXLAN scenario. PR1516653
The dcpfe (PFE) process might crash due to memory leak. PR1517030
The vgd process might generate a core file when the OVSDB server restarts. PR1518807
Traffic forwarding might be affected when adding, removing, or modifying the VLAN or VNI configurations such as VLAN-ID, VNI-ID, and Ingress-Replication command. PR1519019
QFX5100: cprod timeout triggers high CPU. PR1520956
The interfaces on the EX4600-EM-8F expansion module do not come up on the QFX5100-24Q with the non-QFX5E image. PR1521523
Output interface index in SFLOW packet is zero when transit traffic is observed on the IRB interface with VRRP enabled. PR1521732
On the QFX10002, QFX10008, and QFX10016 line of switches, the following error message is observed during specific steps while clearing and loading the scaled configuration again: PRDS_SLU_SAL:jprds_slu_sal_update_lrncnt(),1379: jprds_slu_sal_update_lrncnt call failed. PR1522852
The ECMP and LAG hash polarization might occur if the "hash-parameters" statement is not configured. PR1525387
Sampling with the rate limiter command enabled, crosses the sample rate 65535. PR1525589
Traffic loss might be observed when traffic is locally routed between the two VXLANs on the QFX5120 switch. PR1527939
The MPLS EXP classifier might not work on QFX10000 line of switches. PR1531095
Running SNMP MIB walk and executing 'show interfaces' command may cause the picd to crash. PR1533766
High rate of ARP or NS packets might be observed between a device that runs Junos OS and host when the device that runs Junos OS receives an ARP or NS packet on an interface in transition. PR1534796
The filter instance does not get removed from Packet Forwarding Engine after deactivating VLAN and IRB. PR1537108
Interfaces are not created after channel-speed 10G is applied across ports 48 to 53 on QFX5100-48T. PR1538340
Management Ethernet link down alarm seen while verifying system alarms in Virtual Chassis setup. PR1538674
Traffic loss might be seen in OVSDB VXLAN scenario. PR1540208
Inter VLAN traffic drop might be observed in EVPN-VXLAN scenario. PR1541406
On QFX10002-60C switch, the "show pfe filter" CLI command is unavailable. PR1545019
The neighbor solicitation might be dropped from the peer device. PR1550632
DHCP IPv6 is not working for QFX5110-48s-4c. PR1551710
On QFX10000 and PTX10000 line of devices with Junos OS Releases 20.1R1 and later, cannot collect RSI properly because of the authentication error. PR1556816
Infrastructure
The kernel might crash if a file or a directory is accessed for the first time and is not created locally. PR1518898
OID ifOutDiscards reports zero and sometimes shows valid value. PR1522561
Interfaces and Chassis
The dcpfe might crash when the ICL is disabled and then enabled. PR1525234
The logical interface might flap after adding or deleting native VLAN configuration. PR1539991
Layer 2 Features
Flow control is enabled in Packet Forwarding Engine irrespective of the interface configuration and the fix causes small amount of packet loss when a parameter related to an interface such as "interface description" on any port is changed. PR1496766
The dcpfe or FPC might crash and generate a core file because of the memory leak after the VLAN add and VLAN delete operation. PR1505239
On the QFX5000 line of switches, traffic imbalance might be observed if hash-params is not configured. PR1514793
The MAC address in the hardware table might not synchronize between the master and the member in Virtual Chassis after the MAC flap. PR1521324
On QFX5110 switch, the EVPN-VXLAN check traffic when VXLAN encap header fails. PR1541316
Platform and Infrastructure
On QFX5110 and QFX5120 platforms, unicast RPF check in strict mode might not work properly. PR1417546
Routing Policy and Firewall Filters
The policy configuration might be mismatched between rpd and mgd when "deactivate policy-options prefix-list" is involved in configuration sequence. PR1523891
Routing Protocols
System upgrade or installation might fail on QFX5100-48T-6Q VC/VCF. PR1486632
The IPv6 traffic might drop when falling back from IP-in-IP tunnel to inet.0/inet6.0. PR1508631
Scale of filters with egress-to-ingress command is enabled. PR1514570
The rpd process might report 100 percent CPU usage with the BGP route damping enabled. PR1514635
The remaining BFD sessions of the aggregated Ethernet interface flap continuously if one of the BFD sessions is deleted. PR1516556
Stale tunnel entries are seen after negative triggers. PR1516818
The BFD sessions might flap continuously after disruptive switchover followed by GRES. PR1518106
On QFX5210-64C, enabling IPv6 flow-based Packet Forwarding Engine hashing gives commit error. PR1519018
Firewall "sample" configuration gives the warning as unsupported on QFX10002-36q and will not work. PR1521763
Errors are seen during script run with negative triggers at scale[LOG: Err] BRCM_NH-,brcm_nh_iptunnel_unilist_install(),5752:IPoIP < src: 1.1.1.1, dst: 1.1.3.1> NH id 2537, Tunnel id: 512 failed to create decap obj Table full: vrf 1 vid 4082 intf 4058 of nh 131074(3)] when the tunnel color attribute is deleted for all the tunnels at scale. PR1526405
On QFX5000 line of switches, the IPIP firewall filter term with decapsulate action needs to be duplicated for each from protocol. PR1527755
On QFX5000 line of switches, the fxpc process might crash if the VXLAN interface flaps. PR1528490
Virtual Chassis
On the QFX5000 Virtual Chassis, the DDoS violations that occur on the backup are not reported to the Routing Engine. PR1490552
On QFX5120 and QFX5210 platforms unexpected storm control events might occur. PR1519893
Documentation Updates
There are no errata or changes in Junos OS Release 20.4R3 documentation for the QFX Series Switches.
Migration, Upgrade, and Downgrade Instructions
This section contains the procedure to upgrade Junos OS, and the upgrade and downgrade policies for Junos OS. Upgrading or downgrading Junos OS can take several hours, depending on the size and configuration of the network.
Upgrading Software on QFX Series Switches
When upgrading or downgrading Junos OS, always use the jinstall package. Use other packages (such as the jbundle package) only when so instructed by a Juniper Networks support representative. For information about the contents of the jinstall package and details of the installation process, see the Installation and Upgrade Guide and Junos OS Basics in the QFX Series documentation.
If you are not familiar with the download and installation process, follow these steps:
- In a browser, go to https://www.juniper.net/support/downloads/junos.html.
The Junos Platforms Download Software page appears.
- In the QFX Series section of the Junos Platforms Download Software page, select the QFX Series platform for which you want to download the software.
- Select 20.4 in the Release pull-down list to the right of the Software tab on the Download Software page.
- In the Install Package section of the Software tab, select the QFX Series Install Package for the 20.4 release.
An Alert box appears.
- In the Alert box, click the link to the PSN document for details about the software, and click the link to download it.
A login screen appears.
- Log in to the Juniper Networks authentication system using the username (generally your e-mail address) and password supplied by Juniper Networks representatives.
- Download the software to a local host.
- Copy the software to the device or to your internal software distribution site.
- Install the new jinstall package on the device.
Note: We recommend that you upgrade all software packages out of band using the console, because in-band connections are lost during the upgrade process.
Customers in the United States and Canada use the following command:
user@host> request system software add source/jinstall-host-qfx-5-x86-64-20.4-R1.n-secure-signed.tgz reboot
Replace source with one of the following values:
- /pathname: For a software package that is installed from a local directory on the switch.
- For software packages that are downloaded and installed from a remote location:
  - ftp://hostname/pathname
  - http://hostname/pathname
  - scp://hostname/pathname (available only for Canada and U.S. version)
Adding the reboot command reboots the switch after the upgrade is installed. When the reboot is complete, the switch displays the login prompt. The loading process can take 5 to 10 minutes.
Rebooting occurs only if the upgrade is successful.
After you install a Junos OS Release 20.4 jinstall package, you can issue the request system software rollback command to return to the previously installed software.
Installing the Software on QFX10002-60C Switches
This section explains how to upgrade the software, which includes both the host OS and the Junos OS. This upgrade requires that you use a VM host package, for example, a junos-vmhost-install-x.tgz.
During a software upgrade, the alternate partition of the SSD is upgraded, and it becomes the primary partition after a reboot. If there is a boot failure on the primary SSD, the switch can boot using the snapshot available on the alternate SSD.
The QFX10002-60C switch supports only the 64-bit version of Junos OS.
If you have important files in directories other than /config and /var, copy the files to a secure location before upgrading. The files under /config and /var (except /var/etc) are preserved after the upgrade.
To upgrade the software, you can use the following methods:
If the installation package resides locally on the switch, execute the request vmhost software add <pathname><source> command.
For example:
user@switch> request vmhost software add /var/tmp/junos-vmhost-install-qfx-x86-64-20.4R3.9.tgz
If the Install Package resides remotely from the switch, execute the request vmhost software add <pathname><source> command.
For example:
user@switch> request vmhost software add ftp://ftpserver/directory/junos-vmhost-install-qfx-x86-64-20.4R3.9.tgz
After the reboot has finished, verify that the new version of software has been properly installed by executing the show version command.
user@switch> show version
Installing the Software on QFX10002 Switches
If you are upgrading from a version of software that does not have the FreeBSD 10 kernel (15.1X53-D30, for example), you will need to upgrade from Junos OS Release 15.1X53-D30 to Junos OS Release 15.1X53-D32. After you have installed Junos OS Release 15.1X53-D32, you can upgrade to Junos OS Release 15.1X53-D60 or Junos OS Release 18.3R1.
On the switch, use the force-host option to force-install the latest version of the Host OS. However, by default, if the Host OS version is different from the one that is already installed on the switch, the latest version is installed without using the force-host option.
If the installation package resides locally on the switch, execute the request system software add <pathname><source> reboot command.
For example:
user@switch> request system software add /var/tmp/jinstall-host-qfx-10-f-x86-64-20.4R3.n-secure-signed.tgz reboot
If the Install Package resides remotely from the switch, execute the request system software add <pathname><source> reboot command.
For example:
user@switch> request system software add ftp://ftpserver/directory/jinstall-host-qfx-10-f-x86-64-20.4R3.n-secure-signed.tgz reboot
After the reboot has finished, verify that the new version of software has been properly installed by executing the show version command.
user@switch> show version
Upgrading Software from Junos OS Release 15.1X53-D3X to Junos OS Release 15.1X53-D60, 15.1X53-D61.7, 15.1X53-D62, and 15.1X53-D63 on QFX10008 and QFX10016 Switches
Before you install the software, back up any critical files in /var/home. For more information regarding how to back up critical files, contact Customer Support at https://www.juniper.net/support.
The switch contains two Routing Engines, so you will need to install the software on each Routing Engine (re0 and re1).
If the installation package resides locally on the switch, execute the request system software add <pathname><source> command.
To install the software on re0:
user@switch> request system software add /var/tmp/jinstall-host-qfx-10-m-15.1X53-D60.n-secure-domestic-signed.tgz re0
If the Install Package resides remotely from the switch, execute the request system software add <pathname><source> re0 command.
For example:
user@switch> request system software add ftp://ftpserver/directory/jinstall-host-qfx-10-m-15.1X53-D60.n-secure-domestic-signed.tgz re0
To install the software on re1:
user@switch> request system software add /var/tmp/jinstall-host-qfx-10-m-15.1X53-D60.n-secure-domestic-signed.tgz re1
If the Install Package resides remotely from the switch, execute the request system software add <pathname><source> re1 command.
For example:
user@switch> request system software add ftp://ftpserver/directory/jinstall-host-qfx-10-m-15.1X53-D60.n-secure-domestic-signed.tgz re1
Reboot both Routing Engines.
For example:
user@switch> request system reboot both-routing-engines
After the reboot has finished, verify that the new version of software has been properly installed by executing the show version command.
user@switch> show version
Installing the Software on QFX10008 and QFX10016 Switches
Because the switch has two Routing Engines, perform a Junos OS installation on each Routing Engine separately to avoid disrupting network operation.
Before you install the software, back up any critical files in /var/home. For more information regarding how to back up critical files, contact Customer Support at https://www.juniper.net/support.
If graceful Routing Engine switchover (GRES), nonstop bridging (NSB), or nonstop active routing (NSR) is enabled when you initiate a software installation, the software does not install properly. Make sure you issue the CLI delete chassis redundancy command when prompted. If GRES is enabled, it will be removed with the redundancy command. By default, NSR is disabled. If NSR is enabled, remove the nonstop-routing statement from the [edit routing-options] hierarchy level to disable it.
Log in to the master Routing Engine’s console.
For more information about logging in to the Routing Engine through the console port, see the specific hardware guide for your switch.
From the command line, enter configuration mode:
user@switch> configure
Disable Routing Engine redundancy:
user@switch# delete chassis redundancy
Disable nonstop-bridging:
user@switch# delete protocols layer2-control nonstop-bridging
Save the configuration change on both Routing Engines:
user@switch# commit synchronize
Exit the CLI configuration mode:
user@switch# exit
After the switch has been prepared, you first install the new Junos OS release on the backup Routing Engine, while keeping the currently running software version on the master Routing Engine. This enables the master Routing Engine to continue operations, minimizing disruption to your network.
After making sure that the new software version is running correctly on the backup Routing Engine, you are ready to switch routing control to the backup Routing Engine, and then upgrade or downgrade the software version on the other Routing Engine.
Log in to the console port on the other Routing Engine (currently the backup).
For more information about logging in to the Routing Engine through the console port, see the specific hardware guide for your switch.
Install the new software package using the request system software add command:
user@switch> request system software add validate /var/tmp/jinstall-host-qfx-10-f-x86-64-20.4R3.n-secure-signed.tgz
For more information about the request system software add command, see the CLI Explorer.
Reboot the switch to start the new software using the request system reboot command:
user@switch> request system reboot
Note: You must reboot the switch to load the new installation of Junos OS on the switch.
To abort the installation, do not reboot your switch. Instead, finish the installation and then issue the request system software delete <package-name> command. This is your last chance to stop the installation.
All the software is loaded when you reboot the switch. Installation can take between 5 and 10 minutes. The switch then reboots from the boot device on which the software was just installed. When the reboot is complete, the switch displays the login prompt.
While the software is being upgraded, the Routing Engine on which you are performing the installation is not sending traffic.
Log in and issue the show version command to verify the version of the software installed.
user@switch> show version
Once the software is installed on the backup Routing Engine, you are ready to switch routing control to the backup Routing Engine, and then upgrade or downgrade the master Routing Engine software.
Log in to the master Routing Engine console port.
For more information about logging in to the Routing Engine through the console port, see the specific hardware guide for your switch.
Transfer routing control to the backup Routing Engine:
user@switch> request chassis routing-engine master switch
For more information about the request chassis routing-engine master command, see the CLI Explorer.
Verify that the backup Routing Engine (slot 1) is the master Routing Engine:
user@switch> show chassis routing-engine
Routing Engine status:
Slot 0:
Current state Backup
Election priority Master (default)
Routing Engine status:
Slot 1:
Current state Master
Election priority Backup (default)
Install the new software package using the request system software add command:
user@switch> request system software add validate /var/tmp/jinstall-host-qfx-10-f-x86-64-20.4R3.n-secure-signed.tgz
For more information about the request system software add command, see the CLI Explorer.
Reboot the Routing Engine using the request system reboot command:
user@switch> request system reboot
Note: You must reboot to load the new installation of Junos OS on the switch.
To abort the installation, do not reboot your system. Instead, finish the installation and then issue the request system software delete jinstall <package-name> command. This is your last chance to stop the installation.
The software is loaded when you reboot the system. Installation can take between 5 and 10 minutes. The switch then reboots from the boot device on which the software was just installed. When the reboot is complete, the switch displays the login prompt.
While the software is being upgraded, the Routing Engine on which you are performing the installation does not send traffic.
Log in and issue the show version command to verify the version of the software installed.
Transfer routing control back to the master Routing Engine:
user@switch> request chassis routing-engine master switch
For more information about the request chassis routing-engine master command, see the CLI Explorer.
Verify that the master Routing Engine (slot 0) is indeed the master Routing Engine:
user@switch> show chassis routing-engine
Routing Engine status:
Slot 0:
Current state Master
Election priority Master (default)
Routing Engine status:
Slot 1:
Current state Backup
Election priority Backup (default)
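The two mastership checks in this procedure can be scripted against captured CLI text. The following is an added example, not Juniper code: the function names and the sample strings are assumptions constructed from the output shown above, and how the text is collected from the switch is left out.

```python
import re

# Constructed sample, modelled on the output shown above after routing
# control has been transferred to slot 1.
SAMPLE_SLOT1_MASTER = """\
Routing Engine status:
  Slot 0:
    Current state                  Backup
    Election priority              Master (default)
Routing Engine status:
  Slot 1:
    Current state                  Master
    Election priority              Backup (default)
"""

# Constructed failure case: slot 0 has not settled into the Backup role.
# The state value "Present" is part of the constructed sample.
SAMPLE_SLOT0_NOT_READY = """\
Routing Engine status:
  Slot 0:
    Current state                  Present
Routing Engine status:
  Slot 1:
    Current state                  Master
    Election priority              Backup (default)
"""

SLOT_RE = re.compile(r"^\s*Slot\s+(\d+):\s*$")
FIELD_RE = re.compile(r"^\s*(Current state|Election priority)\s+(.+?)\s*$")


def parse_routing_engines(output):
    """Return {slot: {"state": ..., "priority": ...}} from the CLI text.

    Lines other than the slot header and the two fields above are ignored,
    so additional per-slot fields in real output do not break parsing.
    """
    engines = {}
    slot = None
    for line in output.splitlines():
        match = SLOT_RE.match(line)
        if match:
            slot = int(match.group(1))
            engines[slot] = {}
            continue
        match = FIELD_RE.match(line)
        if match and slot is not None:
            key = "state" if match.group(1) == "Current state" else "priority"
            engines[slot][key] = match.group(2)
    return engines


def check_mastership(output, expected_master):
    """Return a list of problems; an empty list means the step succeeded."""
    engines = parse_routing_engines(output)
    problems = []

    # Exactly one Routing Engine may be master, and it must be the one
    # the current step of the procedure expects.
    masters = sorted(s for s, e in engines.items() if e.get("state") == "Master")
    if masters != [expected_master]:
        problems.append(
            f"expected slot {expected_master} as the only master, "
            f"found masters: {masters or 'none'}"
        )

    # The other Routing Engine must be reported and must be in Backup state
    # before the next install or switchover is started.
    others = [s for s in engines if s != expected_master]
    if not others:
        problems.append("no second Routing Engine reported")
    for s in others:
        state = engines[s].get("state", "unknown")
        if state != "Backup":
            problems.append(f"slot {s} is in state {state!r}, not Backup")
    return problems


if __name__ == "__main__":
    for name, text in [("slot1-master", SAMPLE_SLOT1_MASTER),
                       ("slot0-not-ready", SAMPLE_SLOT0_NOT_READY)]:
        print(name, check_mastership(text, expected_master=1) or "OK")
```

Call check_mastership with expected_master=1 after the first switchover and expected_master=0 after control is transferred back; proceed only when the returned list is empty.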
Performing a Unified ISSU
You can use unified ISSU to upgrade the software running on the switch with minimal traffic disruption during the upgrade.
Unified ISSU is supported in Junos OS Release 13.2X51-D15 and later.
Perform the following tasks:
Preparing the Switch for Software Installation
Before you begin software installation using unified ISSU:
Ensure that nonstop active routing (NSR), nonstop bridging (NSB), and graceful Routing Engine switchover (GRES) are enabled. NSB and GRES enable NSB-supported Layer 2 protocols to synchronize protocol information between the master and backup Routing Engines.
To verify that nonstop active routing is enabled:
Note: If nonstop active routing is enabled, then graceful Routing Engine switchover is enabled.
user@switch> show task replication
Stateful Replication: Enabled
RE mode: Master
If nonstop active routing is not enabled (Stateful Replication is Disabled), see Configuring Nonstop Active Routing on Switches for information about how to enable it.
Enable nonstop bridging (NSB). See Configuring Nonstop Bridging on Switches (CLI Procedure) for information on how to enable it.
(Optional) Back up the system software—Junos OS, the active configuration, and log files—on the switch to an external storage device with the request system snapshot command.
Upgrading the Software Using Unified ISSU
This procedure describes how to upgrade the software running on a standalone switch.
To upgrade the switch using unified ISSU:
Download the software package by following the procedure in the Downloading Software Files with a Browser section in Installing Software Packages on QFX Series Devices.
Copy the software package or packages to the switch. We recommend that you copy the file to the /var/tmp directory.
Log in to the console connection. Using a console connection allows you to monitor the progress of the upgrade.
Start the ISSU:
On the switch, enter:
user@switch> request system software in-service-upgrade /var/tmp/package-name.tgz
where package-name.tgz is, for example, jinstall-host-qfx-10-f-x86-64-20.4R3.n-secure-signed.tgz.
Note: During the upgrade, you cannot access the Junos OS CLI.
The switch displays status messages similar to the following messages as the upgrade executes:
warning: Do NOT use /user during ISSU. Changes to /user during ISSU may get lost!
ISSU: Validating Image
ISSU: Preparing Backup RE
Prepare for ISSU
ISSU: Backup RE Prepare Done
Extracting jinstall-host-qfx-5-f-x86-64-18.3R1.n-secure-signed.tgz ...
Install jinstall-host-qfx-5-f-x86-64-19.2R1.n-secure-signed.tgz completed
Spawning the backup RE
Spawn backup RE, index 0 successful
GRES in progress
GRES done in 0 seconds
Waiting for backup RE switchover ready
GRES operational
Copying home directories
Copying home directories successful
Initiating Chassis In-Service-Upgrade
Chassis ISSU Started
ISSU: Preparing Daemons
ISSU: Daemons Ready for ISSU
ISSU: Starting Upgrade for FRUs
ISSU: FPC Warm Booting
ISSU: FPC Warm Booted
ISSU: Preparing for Switchover
ISSU: Ready for Switchover
Checking In-Service-Upgrade status
Item Status Reason
FPC 0 Online (ISSU)
Send ISSU done to chassisd on backup RE
Chassis ISSU Completed
ISSU: IDLE
Initiate em0 device handoff
Note: A unified ISSU might stop, instead of abort, if the FPC is at the warm boot stage. Also, any links that go down and up will not be detected during a warm boot of the Packet Forwarding Engine (PFE).
Note: If the unified ISSU process stops, you can look at the log files to diagnose the problem. The log files are located at /var/log/vjunos-log.tgz.
Log in after the reboot of the switch completes. To verify that the software has been upgraded, enter the following command:
user@switch> show version
Ensure that the resilient dual-root partitions feature operates correctly, by copying the new Junos OS image into the alternate root partitions of all of the switches:
user@switch> request system snapshot slice alternate
Resilient dual-root partitions allow the switch to boot transparently from the alternate root partition if the system fails to boot from the primary root partition.
Upgrade and Downgrade Support Policy for Junos OS Releases
We have two types of releases, EOL and EEOL:
- End of Life (EOL) releases have engineering support for twenty-four months after the first general availability date and customer support for an additional six months.
- Extended End of Life (EEOL) releases have engineering support for thirty-six months after the first general availability date and customer support for an additional six months.
For both EOL and EEOL releases, you can upgrade to the next three subsequent releases or downgrade to the previous three releases. For example, you can upgrade from 19.2 to the next three releases – 19.3, 19.4 and 20.1 or downgrade to the previous three releases – 19.1, 18.4 and 18.3.
For EEOL releases only, you have an additional option - you can upgrade directly from one EEOL release to the next two subsequent EEOL releases, even if the target release is beyond the next three releases. Likewise, you can downgrade directly from one EEOL release to the previous two EEOL releases, even if the target release is beyond the previous three releases. For example, 19.2 is an EEOL release. Hence, you can upgrade from 19.2 to the next two EEOL releases – 19.3 and 19.4 or downgrade to the previous two EEOL releases – 19.1 and 18.4.4.
Release Type | End of Engineering (EOE) | End of Support (EOS) | Upgrade and Downgrade to subsequent 3 releases | Upgrade and Downgrade to subsequent 2 EEOL releases |
End of Life (EOL) | 24 months | End of Engineering + 6 months | Yes | No |
Extended End of Life (EEOL) | 36 months | End of Engineering + 6 months | Yes | Yes |
For more information about EOL and EEOL releases, see https://www.juniper.net/support/eol/junos.html.
For information about software installation and upgrade, see the Installation and Upgrade Guide.
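The three-release rule above can be turned into a planning check for multi-hop upgrades. This is an added example, not Juniper tooling: it assumes four numbered releases per year (YY.1 through YY.4), which is what the 19.2 example in this section implies, it does not model the additional EEOL-to-EEOL option, and it does not check that an intermediate release exists for a given platform.

```python
import re

RELEASES_PER_YEAR = 4  # assumption: YY.1 .. YY.4, as in the 19.2 example
MAX_STEP = 3           # "next three" / "previous three" releases

# Accepts "20.4", "20.4R3", "20.4R3-S2", "20.4R3.9". Special release
# trains such as "15.1X53-D60" are rejected, because the three-release
# arithmetic below does not describe them.
_RELEASE_RE = re.compile(r"^(\d{2})\.([1-4])(?:R\d+(?:[.-]\S*)?)?$")


def release_index(release):
    """Map a release name to its position in the assumed release sequence."""
    match = _RELEASE_RE.match(release.strip())
    if not match:
        raise ValueError(f"unsupported release name: {release!r}")
    year, number = int(match.group(1)), int(match.group(2))
    return year * RELEASES_PER_YEAR + (number - 1)


def index_to_release(index):
    """Inverse of release_index(), returning the YY.N name."""
    return f"{index // RELEASES_PER_YEAR}.{index % RELEASES_PER_YEAR + 1}"


def is_direct(current, target):
    """True if target is within three releases of current, up or down."""
    distance = release_index(target) - release_index(current)
    return distance != 0 and abs(distance) <= MAX_STEP


def plan_hops(current, target):
    """Return the releases to install, in order, to reach target.

    Each hop moves at most three releases, so every step stays inside
    the policy window. An empty list means current and target are the
    same main release.
    """
    position = release_index(current)
    goal = release_index(target)
    hops = []
    while position != goal:
        step = max(-MAX_STEP, min(MAX_STEP, goal - position))
        position += step
        hops.append(index_to_release(position))
    return hops


if __name__ == "__main__":
    print(plan_hops("19.2", "20.4R3"))  # two hops are needed
    print(plan_hops("19.2", "18.3"))    # a single downgrade step
```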