
    Changes in Default Behavior and Syntax in JUNOS Release 10.2 for M Series, MX Series, and T Series Routers

    Class of Service

    • Output forwarding map not supported on multiservices link services intelligent queuing—If you configure an output forwarding class map associating a forwarding class with a queue number, these maps are not supported on multiservices link services intelligent queuing (lsq-) interfaces.

      [Class of Service]

    • Ingress shaping overhead (MX Series routers)—For MX Series routers, when ingress queueing is enabled on EQ DPCs, ingress shaping overhead can be made accurate by using the following values for the ingress-shaping-overhead statement:

      • For Layer 2, subtract 14 bytes
      • For Layer 3 untagged ports, add 2 bytes
      • For Layer 3 dual-tagged ports, add 10 bytes
      [Class of Service]
    • A DSCP action or traffic-class action configured on a DPC in an MX Series router no longer causes the commit to fail—For MX Series routers, if you configure a firewall filter with a DSCP action or traffic-class action on a DPC, the commit no longer fails. However, a warning displays and an entry is made in the syslog.

      [Class of Service]

    Forwarding and Sampling

    • Support for the match condition prefix-list for firewall filters for the protocol family VPLS (MX Series routers only)—The match condition that is supported for IPv4 and IPv6 protocol families is now also supported for the VPLS family. Support for VPLS prefix lists is limited to IPv4 addresses only; any IPv6 addresses included in the prefix list will be discarded. To enable the prefix-list firewall filters match condition for VPLS, include the prefix-list prefix-list-name match condition at the [edit firewall family vpls filter filter-name term term-name from ] hierarchy level.

      [Policy Framework]
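      Because IPv6 entries in a prefix list are discarded for the VPLS family, a prefix list shared with an inet6 filter matches less than it appears to when a VPLS filter references it. The following check is an added example, not Juniper code; it reads configuration text in display set form, and the filter, term, and prefix-list names in the sample are constructed.

```python
import ipaddress
import shlex

# Constructed sample configuration in "display set" form (all names are made up).
VPLS_SAMPLE = """
set policy-options prefix-list mgmt-hosts 192.0.2.0/24
set policy-options prefix-list mgmt-hosts 2001:db8:10::/48
set policy-options prefix-list v6-only 2001:db8:20::/48
set policy-options prefix-list v4-only 198.51.100.0/24
set firewall family vpls filter protect-vpls term allow-mgmt from prefix-list mgmt-hosts
set firewall family vpls filter protect-vpls term allow-v6 from prefix-list v6-only
set firewall family vpls filter protect-vpls term allow-v4 from prefix-list v4-only
set firewall family inet6 filter protect-v6 term allow-mgmt from prefix-list mgmt-hosts
"""


def vpls_prefix_list_report(config_text):
    """Report VPLS filter terms whose prefix list contains IPv6 entries.

    Returns one dict per affected term with the IPv6 prefixes that the VPLS
    family discards and the IPv4 prefixes that remain in effect.
    """
    prefix_lists = {}  # prefix-list name -> list of ip_network objects
    vpls_refs = []     # (filter name, term name, prefix-list name)

    for line in config_text.splitlines():
        tok = shlex.split(line)
        # set policy-options prefix-list <name> <prefix>
        if tok[:3] == ["set", "policy-options", "prefix-list"] and len(tok) == 5:
            try:
                net = ipaddress.ip_network(tok[4], strict=False)
            except ValueError:
                continue  # not a literal prefix; ignored by this check
            prefix_lists.setdefault(tok[3], []).append(net)
        # set firewall family vpls filter <f> term <t> from prefix-list <name>
        elif (tok[:5] == ["set", "firewall", "family", "vpls", "filter"]
              and len(tok) == 11
              and tok[6] == "term"
              and tok[8:10] == ["from", "prefix-list"]):
            vpls_refs.append((tok[5], tok[7], tok[10]))

    report = []
    for flt, term, name in vpls_refs:
        nets = prefix_lists.get(name, [])
        v6 = [str(n) for n in nets if n.version == 6]
        v4 = [str(n) for n in nets if n.version == 4]
        if v6:
            report.append({
                "filter": flt,
                "term": term,
                "prefix_list": name,
                "discarded_ipv6": v6,
                "remaining_ipv4": v4,
            })
    return report


if __name__ == "__main__":
    for item in vpls_prefix_list_report(VPLS_SAMPLE):
        note = "" if item["remaining_ipv4"] else " (no IPv4 entries remain)"
        print(f'{item["filter"]}/{item["term"]}: prefix-list {item["prefix_list"]} '
              f'loses {", ".join(item["discarded_ipv6"])}{note}')
```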

    General Routing

    • Framed-Route tag option supported—The MX Series routers now fully support the tag route-tag option in the RADIUS Framed-Route [22] attribute for access routes in dynamic profiles. To use the route tag, include the tag $junos-framed-route-tag statement at the [edit dynamic-profiles profile-name routing-options access route $junos-framed-route-prefix] hierarchy level.
    • Access route tag supported—For M120, M320, and MX Series routers, you can optionally assign a tag to a statically configured access route. To use the route tag, include the tag route-tag statement at the [edit routing-options access route ip-prefix/prefix-length] hierarchy level.

    Interfaces and Chassis

    • Deprecated empty-service statement—For PPPoE service name table configurations on M120, M320, and MX Series routers, the empty-service statement has been deprecated at the [edit protocols pppoe service-name-tables table-name] hierarchy level in JUNOS Release 10.2 and later. Instead, use the service empty statement at the [edit protocols pppoe service-name-tables table-name] hierarchy level to configure attributes for the empty service entry in a PPPoE service name table.

      [Network Interfaces]

    • Enhancement to the show system license command—For scalable license-based features such as Subscriber Access (scale-subscriber), L2TP (scale-l2tp), Mobile IP (scale-mobile-ip), and so on, the show system license operational mode command now displays the actual usage count in the Licenses used column based on the number of active sessions or connections as reported by the corresponding feature daemons.

      [System Basics and Services Command Reference]

    • show system switchover is deprecated on the master Routing Engine—Beginning with JUNOS Release 9.6, the show system switchover command has been deprecated on the master Routing Engine on all routers other than a TX Matrix (switch-card chassis) or a TX Matrix Plus (switch-fabric chassis) router. However, in a routing matrix, if you issue the show system switchover command on the master Routing Engine of the TX Matrix router (or switch-card chassis), the CLI displays graceful switchover information for the master Routing Engine of the T640 routers (or line-card chassis) in the routing matrix. Likewise, if you issue the show system switchover command on the master Routing Engine of a TX Matrix Plus router (or switch-fabric chassis), the CLI displays output for the master Routing Engine of T1600 routers (or line-card chassis) in the routing matrix.

      [System Basics and Services Command Reference]

    • Options added to the show arp command—The vpn and logical-system options have been added to the show arp command.

      [System Basics Command Reference]

    • Commit-time warning messages at the [edit interfaces] hierarchy level are now system logged—CLI commit-time warnings displayed for configuration at the [edit interfaces] hierarchy level have been removed and are now logged as system log messages.

      [CLI User Guide]

    • Enhancement to the show chassis fabric fpcs command—The show chassis fabric fpcs command issued on T Series routers now displays a list of Packet Forwarding Engines with destination errors in addition to link errors. This is applicable for SIBs in the Check state. In JUNOS Release 9.6 and later, the list of Packet Forwarding Engines with destination errors is displayed in the output. In JUNOS releases before 9.6, the output only indicates that there are destination errors. However, the list of Packet Forwarding Engines with destination errors is not displayed.

      The following is a sample of the enhanced output for this command:


      user@host> show chassis fabric fpcs
      Fabric management FPC state:
      
      FPC #3
        PFE #1
          SIB #2
                 Plane enabled
          SIB #3
                 Link error
                 Destination error on PFEs       0    1    2    3    4    5    6    7
                   8    9   10   11   12   13   14   15   16   17   18   19   20   21
          SIB #4
                 Destination error on PFEs       0    1    2    3    4    5    6    7
                   8    9   10   11   12   13   14   15   16   17   18   19   20   21 
      
      

      [System Basics Command Reference]

    • Support for demux and PPPoE static interfaces—The maximum number of static logical interfaces supported per physical interface for demux (on demux0) and PPPoE (on pp0) has been increased to 65,536 (logical unit numbers in the range 0 through 65,535). For all other interface types, the maximum number of static interfaces per physical interface remains at 16,386 (logical unit numbers in the range 0 through 16,385).

      [Network Interfaces]

    • Enhancement to the show chassis sibs command—The show chassis sibs command now displays destination errors for SIBs in the Check state. In JUNOS Release 9.6 and later, the Check state message shows the number of Packet Forwarding Engines in the plane having destination errors. For example, Check (10 destination errors) indicates 10 Packet Forwarding Engines having destination errors. If there are no destination errors, and if the SIB transitions to the Check state because of link errors only, the Check state message shows Check (0 destination errors).

      In JUNOS Release 9.5 and earlier, the Check state message shows Check (destination errors) if there are Packet Forwarding Engines with destination errors in this plane. However, it does not show the number of Packet Forwarding Engines having destination errors. If there are no destination errors and if the SIB transitions to the Check state because of link errors only, the Check state message shows Check (no destination errors).


      user@host> show chassis sibs
       Slot  State                            Uptime
        0    Check (destination errors)       2 hours, 23 minutes, 2 seconds
        1    Empty
        2    Check (destination errors)       2 hours, 23 minutes, 3 seconds
        3    Check (destination errors)       2 hours, 23 minutes, 3 seconds
        4    Check (destination errors)       2 hours, 23 minutes, 3 seconds
        
       use "show chassis fabric fpcs" and "show chassis fabric sibs" for more details

      The command also displays a message to use the show chassis fabric fpcs and show chassis fabric sibs commands for more information.

      If there are no SIBs in the Check state, there is no change in the output of this command.

      [System Basics Command Reference]

    • Changes to the output of the show chassis power command—The output of the show chassis power command has now been revised to show the maximum and actual power capacity details for an AC or DC PEM, based on number of feeds, the number of feeds expected and connected, and other system statistics. The following is a sample of the revised output for the show chassis power command:
      PEM 0:
        State:     Online
        DC input:  OK (1 feed expected, 1 feed connected)
        DC input:  48.0 V input (51500 mV)
        Capacity:  2800 W (maximum 2800 W)
        DC output: 306 W (zone 0, 6 A at 51 V, 10% of capacity)
       
      PEM 1:
        State:     Online
        DC input:  OK (1 feed expected, 1 feed connected)
        DC input:  48.0 V input (51000 mV)
        Capacity:  2800 W (maximum 2800 W)
        DC output: 459 W (zone 1, 9 A at 51 V, 16% of capacity)
       
      PEM 2:
        State:     Empty
        Input:     Absent
       
      PEM 3:
        State:     Empty
        Input:     Absent
       
      System:
        Zone 0:
            Capacity:          2800 W (maximum 2800 W)
            Allocated power:   540 W (2260 W remaining)
            Actual usage:      306 W
        Zone 1:
            Capacity:          2800 W (maximum 2800 W)
            Allocated power:   905 W (1895 W remaining)
            Actual usage:      459 W
        Total system capacity: 5600 W (maximum 5600 W)
        Total remaining power: 4155 W
      

      The following is a sample of the earlier output for the show chassis power command:

      DC PEM 0
      Limits: Voltage Current Rating  MaxDPC
              48      101     4100    600
      Input:  Zone    Feed    Switch  Code
              0       2       1       2-G
      Output: Voltage Current Power   Load(%) RemainingPower
              58      16      928     22      3172
      State:  Online
      
      DC PEM 1
      Limits: Voltage Current Rating  MaxDPC
              48      101     4100    600
      Input:  Zone    Feed    Switch  Code
              1       2       1       2-G
      Output: Voltage Current Power   Load(%) RemainingPower
              57      7       399     9       3701
      State:  Online
      
      DC PEM 2
      Limits: Voltage Current Rating  MaxDPC
              48      70      2800    352
      Input:  Zone    Feed    Switch  Code
              0       1       0       1-G
      State:  Present
      
      DC PEM 3
      Limits: Voltage Current Rating  MaxDPC
              48      70      2800    352
      Input:  Zone    Feed    Switch  Code
              1       1       0       1-G
      State:  Present

      [System Basics and Services Command Reference]

    • Deleting configuration statements using the delete command—Beginning with JUNOS Release 10.2, you cannot delete multiple statements or identifiers within a hierarchy using a single delete command. You must delete each statement or identifier individually using multiple delete commands. For example, consider the following configuration at the [edit system] hierarchy level:
      system {
          host-name host-211;
          domain-name domain-122;
          backup-router 192.168.71.254;
          arp;
          authentication-order [ radius password tacplus ];
      }

      To delete the domain-name, host-name, and backup-router from the configuration, you cannot issue a single delete command:


      user@host# delete system host-name host-211 domain-name domain-122 backup-router 192.168.71.254

      You can only delete each statement individually:


      user@host# delete system host-name host-211

      user@host# delete system domain-name domain-122

      user@host# delete system backup-router 192.168.71.254

      [CLI User Guide]

    • Enhancement to the show system virtual-memory command output—Starting with JUNOS Release 10.2, the show system virtual-memory command issued with the | display xml pipe option displays XML output for the command in the parent tags <vmstat-memstat-malloc>, <vmstat-memstat-zone>, <vmstat-sumstat>, <vmstat-intr>, and <vmstat-kernel-state>, with each child element as a separate XML tag. The following is a sample of the new XML output:

      user@host> show system virtual-memory | display xml
      <rpc-reply xmlns:junos="http://xml.juniper.net/junos/10.2R1/junos">
          <system-virtual-memory-information>
              <vmstat-memstat-malloc>
                  <memstat-name>CAM dev queue</memstat-name>
                  <inuse>1</inuse>
                  <memuse>1</memuse>
                  <high-use>-</high-use>
                  <memstat-req>1</memstat-req>
                  <memstat-size>64</memstat-size>
      
      ...
              </vmstat-memstat-malloc>
              <vmstat-memstat-zone>
                  <zone-name>UMA Kegs:</zone-name>
                  <zone-size>136</zone-size>
                  <count-limit>0</count-limit>
                  <used>71</used>
                  <free>1</free>
                  <zone-req>71</zone-req>
      ...
              </vmstat-memstat-zone>
              <vmstat-sumstat>
                  <cpu-context-switch>934906</cpu-context-switch>
                  <dev-intr>1707986</dev-intr>
                  <soft-intr>33819</soft-intr>
                  <traps>203604</traps>
                  <sys-calls>1200636</sys-calls>
                  <kernel-thrds>60</kernel-thrds>
                  <fork-calls>1313</fork-calls>
                  <vfork-calls>21</vfork-calls>
                  <rfork-calls>0</rfork-calls>
                  <swap-pageins>0</swap-pageins>
                  <swap-pagedin>0</swap-pagedin>
                  <swap-pageouts>0</swap-pageouts>
                  <swap-pagedout>0</swap-pagedout>
                  <vnode-pageins>23094</vnode-pageins>
                  <vnode-pagedin>23119</vnode-pagedin>
                  <vnode-pageouts>226</vnode-pageouts>
                  <vnode-pagedout>3143</vnode-pagedout>
                  <page-daemon-wakeup>0</page-daemon-wakeup>
                  <page-daemon-examined-pages>0</page-daemon-examined-pages>
                  <pages-reactivated>8821</pages-reactivated>
                  <copy-on-write-faults>48364</copy-on-write-faults>
                  <copy-on-write-optimized-faults>31</copy-on-write-optimized-faults>
                  <zero-fill-pages-zeroed>74665</zero-fill-pages-zeroed>
                  <zero-fill-pages-prezeroed>70061</zero-fill-pages-prezeroed>
                  <transit-blocking-page-faults>85</transit-blocking-page-faults>
                  <total-vm-faults>191824</total-vm-faults>
                  <pages-affected-by-kernel-thrd-creat>0</pages-affected-by-kernel-thrd-creat>
                  <pages-affected-by-fork>95343</pages-affected-by-fork>
                  <pages-affected-by-vfork>3526</pages-affected-by-vfork>
                  <pages-affected-by-rfork>0</pages-affected-by-rfork>
                  <pages-freed>221502</pages-freed>
                  <pages-freed-by-deamon>0</pages-freed-by-deamon>
                  <pages-freed-by-exiting-proc>75630</pages-freed-by-exiting-proc>
                  <pages-active>45826</pages-active>
                  <pages-inactive>13227</pages-inactive>
                  <pages-in-vm-cache>49278</pages-in-vm-cache>
                  <pages-wired-down>10640</pages-wired-down>
                  <pages-free>70706</pages-free>
                  <bytes-per-page>4096</bytes-per-page>
                  <swap-pages-used>0</swap-pages-used>
                  <peak-swap-pages-used>0</peak-swap-pages-used>
                  <total-name-lookups>214496</total-name-lookups>
                  <positive-cache-hits>92</positive-cache-hits>
                  <negative-cache-hits>5</negative-cache-hits>
                  <pass2>0</pass2>
                  <cache-deletions>0</cache-deletions>
                  <cache-falsehits>0</cache-falsehits>
                  <toolong>0</toolong>
              </vmstat-sumstat>
              <vmstat-intr>
                  <intr-name>irq0: clk          </intr-name>
                  <intr-cnt>1243455</intr-cnt>
                  <intr-rate>999</intr-rate>
                  <intr-name>irq4: sio0         </intr-name>
                  <intr-cnt>1140</intr-cnt>
                  <intr-rate>0</intr-rate>
                  <intr-name>irq8: rtc          </intr-name>
                  <intr-cnt>159164</intr-cnt>
                  <intr-rate>127</intr-rate>
                  <intr-name>irq9: cbb1 fxp0    </intr-name>
                  <intr-cnt>28490</intr-cnt>
                  <intr-rate>22</intr-rate>
                  <intr-name>irq10: fxp1        </intr-name>
                  <intr-cnt>20593</intr-cnt>
                  <intr-rate>16</intr-rate>
                  <intr-name>irq14: ata0        </intr-name>
                  <intr-cnt>5031</intr-cnt>
                  <intr-rate>4</intr-rate>
                  <intr-name>Total</intr-name>
                  <intr-cnt>1457873</intr-cnt>
                  <intr-rate>1171</intr-rate>
              </vmstat-intr>
              <vm-kernel-state>
                  <vm-kmem-map-free>248524800</vm-kmem-map-free>
              </vm-kernel-state>
          </system-virtual-memory-information>
          <cli>
              <banner></banner>
          </cli>
      </rpc-reply>
      

      In JUNOS Releases 10.1 and earlier, the | display XML option for this command does not have an XML API element and the entire output is displayed in a single <output> tag element.

      [System Basics and Services Command Reference]

    • PIC combination limitations on M7i, M10i, and M120 routers—In most cases, you can install PICs of different media types in a router. However, configuration rules might limit certain combinations of PICs. For M7i and M10i routers, some PICs of different PIC families cannot be installed in PIC slots 0 and 1, or in slots 2 and 3. For M120 routers, some PICs of different PIC families cannot be installed in the same FPC. If you have different PIC families in the router and are running JUNOS Release 10.2 or later, review the configuration rules to plan which PICs to install in your router. Consult the most recent technical bulletins about configuration rules for PIC combinations on the Juniper Networks Support site at https://www.juniper.net/support/. Newer JUNOS services for some PICs can require significant Internet Processor ASIC memory. Ethernet and SONET PICs typically do not use large amounts of memory. Gigabit Ethernet, ATM2, IQ serial PICs, IQE PICs, and MultiServices PICs use more. To conserve memory, you can group PICs in the same family together on the same FPC.

      As a workaround, you can:

      • Install one PIC in a different PIC slot.
      • Remove one of the PICs from the router.
    • Additional output line in the show system statistics ip command—The show system statistics ip command now includes a new output line, "number incoming raw packets dropped due to no socket space", to display statistics on packets dropped due to the kernel socket buffer being full.

      [System Basics and Services Command Reference]

    • Enhancement to the show chassis fabric sibs command—In the plane state: output field of the show chassis fabric sibs command output, the string "plane unusable by # pfes" has been changed to "plane has link errors on # pfes". This indicates that the plane is still usable but has link errors on the number of PFEs indicated. However, it does not indicate destination errors.

      [System Basics and Services Command Reference]

    Layer 2 Ethernet Services

    • Modification to the output of the show dhcp/dhcpv6 relay/server binding commands—The output of the show dhcp server binding summary command, the show dhcp relay binding summary command, and the show dhcpv6 server binding command has been modified to include the number of clients in the init state and the requesting state.

      [Subscriber Access]

    • Disable IRB packet from being mirrored as a Layer 2 packet—If you associate integrated routing and bridging (IRB) with the bridge domain (or VPLS routing instance), and also configure within the bridge domain (or VPLS routing instance) a forwarding table filter with the port-mirror or port-mirror-instance action, then the IRB packet is mirrored as a Layer 2 packet. You can disable this behavior by configuring the no-irb-layer-2-copy statement in the bridge-domain (or VPLS routing instance).

      [Layer 2 Configuration]

    • Configuring vlan-id all statement in a VPLS routing instance—If you configure the vlan-id all statement in a VPLS routing instance, we recommend using the input-vlan-map pop and output-vlan-map push statements on the logical interface to pop the service VLAN ID on input and push the service VLAN ID on output and in this way limit the impact of doubly-tagged frames on scaling.

      [Layer 2 Configuration]

    MPLS Applications

    • Optimal path for bypass LSPs—To ensure that bypass LSPs take the most optimal path to reach their destination, they are now rerouted automatically when you configure or change the configuration of any of the following:

      • Administrative group for a bypass LSP—admin-group statement at the [edit protocols rsvp interface interface-name link-protection] hierarchy level
      • Fate sharing group—group statement at the [edit routing-options fate-sharing] hierarchy level
      • IS-IS overload—overload statement at the [edit protocols isis] hierarchy level
      • LSP metric—metric statement at the [edit protocols mpls label-switched-path lsp-name] hierarchy level
      This functionality requires that you configure the optimize-timer statement for link protection at the [edit protocols rsvp interface interface-name link-protection] hierarchy level.

      [MPLS]

    • 64 character support for bypass LSP name—You can now configure the name of a bypass LSP using up to 64 characters. You configure a bypass LSP name using the bypass statement at the [edit protocols rsvp interface interface-name link-protection] hierarchy level.

      [MPLS]

    Routing Policy and Firewall Filters

    • Option to enable enhanced jtree memory allocation for Layer 3 VPNs (T640 and T1600 routers with Enhanced Scaling FPC3 and Enhanced Scaling FPC4)—For T Series routers only. With JUNOS Release 10.2, enhanced jtree memory allocation is turned OFF by default. To enable jtree memory allocation, use the route-memory-enhanced statement at the [edit chassis] hierarchy level, and reboot all the affected FPCs to activate the configuration. For JUNOS Release 9.3 to 10.1, the default routing tables (inet.0 and inet6.0) use both memory segments by default.

      [System Basics]

    • Three-color policers (M120 and MX Series routers)—On MX Series and M120 routers, you can apply three-color policers to aggregated interfaces.

      [Class of Service]

    Services Applications

    • New configuration to avoid IDP traffic loss (M120, M320, and MX Series routers)—When the MultiServices PIC or DPC configured for a service set is either administratively taken offline or undergoes a failure, all the traffic entering the configured interface with an IDP service set would be dropped without notification. To avoid this traffic loss, include the bypass-traffic-on-pic-failure statement at the [edit services service-set service-set-name service-set-options] hierarchy level and (for TCP traffic only) the ignore-errors tcp statement at the [edit interfaces interface-name services-options] hierarchy level. When you configure these statements, the affected packets are forwarded, in the event of a MultiServices PIC or DPC failure or offlining, as though interface-style services were not configured. This issue applies only to M120, M320, and MX Series routers.

      [Services Interfaces]

    • Border Gateway Function (BGF)—Emergency calls will be accepted even while the BGF is in the draining state due to a graceful shutdown if you enter the set accept-emergency-calls-while-graceful configuration statement at the [edit services pgcp gateway gateway-name h248-options] hierarchy level.

      [Session Border Control Solutions, Services Interfaces]

    • Enhancement to APPID, AACL, and L-PDF processing for APPID “best-effort” application identification—On MX Series routers equipped with Multiservices DPCs and M120 or M320 routers equipped with Multiservices 400 PICs, APPID application identification of TCP, UDP, and ICMP flows supports a “best-effort” application determination as follows:

      • When a best-effort application determination is made, AACL does not apply any AACL term actions configured for that flow. Instead, AACL or L-PDF tracks the flow and accepts all packets for that flow until a final determination is made, at which time the normal AACL or L-PDF actions are fully applied to the flow.
      • During the time that APPID has not yet made a final determination of the application associated with a given flow, the flow does not contribute to any per-subscriber or per-application statistics collection.
      • During the time that APPID has not yet made a final determination of the application associated with a given flow, the flow is included in the output of the following operational mode commands:

        • show services local-policy-decision-function flows (interface interface-name | subscriber subscriber-name)
        • show services application-aware-access-list flows (interface interface-name | subscriber subscriber-name)
        In the command output, the Action field displays "accept" and the Application or Application group field displays “unknown” for a flow for which APPID has not yet made a final determination.
      • If a flow ends before APPID has made either a final or a best-effort application identification, AACL or L-PDF uses the "unknown" application ID as a final determination and performs any necessary collection, aggregation, and reporting of statistics based on that Layer 7 application. In particular, if the count AACL term action is configured for the "application-group-any" application, then the statistics for that flow will be collected and aggregated against the count bucket type, and reported as such.
      • If a flow ends while the application identification is on a best-effort basis, AACL or L-PDF uses that best-effort determination as a final determination. AACL or L-PDF performs any necessary collection, aggregation, and reporting of statistics based on that Layer 7 application. In particular, if the count AACL term action is configured for that Layer 7 application, then the statistics for the flow will be collected and aggregated against the AACL or L-PDF statistics.
      [Services Interfaces]
    • The control source component of the dynamic flow capture architecture supports multiple content destinations for DTCP/0.7 implementations of DTCP ADD requests—The JUNOS Software substantially supports DTCP: Dynamic Tasking Control Protocol, specified in draft-cavuto-dtcp-03.txt at http://www.ietf.org/internet-drafts. In particular, the JUNOS Software supports the current version string for this release of the DTCP protocol: DTCP/0.7. The JUNOS Software dynamic flow capture architecture now enables control sources (clients that monitor electronic data or voice transfer over the network) to process version 0.7 implementations of DTCP ADD request messages that specify multiple content destinations.

      Note: For implementations of the DTCP protocol earlier than version 0.7, dynamic flow capture does not support DTCP ADD request messages that specify multiple content destinations. If a control source receives a DTCP-ADD request that specifies multiple content destinations but also contains a DTCP protocol version string earlier than DTCP/0.7, the control source rejects the request by sending a response message with the response code 432: Improper Filter Specification.

      Differences between the DTCP/0.7 protocol specification and the DTCP/0.5 and DTCP/0.6 protocol specifications are described in APPENDIX A: Prior Implementation of the current Internet draft.

      [Services Interfaces, Hierarchy and Standards]

    • Border Gateway Function (BGF) media-service entity removed from the CLI—The media-service entity has been deprecated from the CLI. The media-service configuration statement pointed to a NAT pool to be used by a pgcp rule or virtual interface. Now, you should specify the NAT pools directly in the configuration statements for the pgcp rule or virtual interface.

      [Session Border Control Solutions, Services Interfaces]

    • Integrated Multi-Service Gateway (IMSG)—The following statements have been replaced with new versions that provide filtering by server or service point:
      • The show services border-signaling-gateway calls statement is replaced by the show services border-signaling-gateway calls by-server and show services border-signaling-gateway calls by-service-point statements.
      • The show services border-signaling-gateway calls-failed statement is replaced by the show services border-signaling-gateway calls-failed by-server and show services border-signaling-gateway calls-failed by-service-point statements.
      • The show services border-signaling-gateway calls-duration statement is replaced by the show services border-signaling-gateway calls-duration by-server and show services border-signaling-gateway calls-duration by-service-point statements.

      [Session Border Control Solutions, Systems Basics and Services CR]

    • Integrated Multi-Service Gateway (IMSG)—You can now use the JUNOS Software CLI to restart a specific border signaling gateway (BSG) by using the restart services border-signaling-gateway gateway gateway-name command.

      [Session Border Control Solutions]

    • Border Gateway Function (BGF) BTLB requirements—The BGF pgcpd process running on a control service PIC now runs as a block translation look-aside buffer (BTLB) process. In order to correctly activate the process, you must include the following CLI configuration statements:
      • set chassis fpc fpc # pic pic # adaptive-services service-package extension-provider wired-process-mem-size 512
      • set chassis fpc fpc # pic pic # adaptive-services service-package extension-provider wired-max-processes 8

      [Session Border Control Solutions]

    • IPsec policy for dynamic endpoints—With JUNOS Release 10.2 you can now specify the IPsec policy for dynamic endpoints. To specify an IPsec policy for dynamic endpoints, define the policy and its proposals under the [edit services ipsec-vpn ipsec] hierarchy level. Specify the policy name by including the ipsec-policy policy-name statement at the [edit access profile profile-name client* ike] hierarchy level. If no policy is set, any policy proposed by the dynamic peer will be accepted.

      [Services Interfaces]
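      Since a profile with no ipsec-policy accepts whatever the dynamic peer proposes, it is worth checking which access profiles rely on that default. The following check is an added example, not Juniper code; it reads configuration text in display set form, and the profile names, policy names, and key values in the sample are constructed.

```python
import shlex

# Constructed sample configuration in "display set" form (all names are made up).
IKE_SAMPLE = """
set services ipsec-vpn ipsec proposal esp-aes protocol esp
set services ipsec-vpn ipsec policy branch-policy proposals esp-aes
set access profile branch-peers client * ike pre-shared-key ascii-text "placeholder"
set access profile branch-peers client * ike ipsec-policy branch-policy
set access profile partner-peers client * ike pre-shared-key ascii-text "placeholder"
set access profile partner-peers client * ike interface-id partner-ifid
set access profile typo-peers client * ike ipsec-policy missing-policy
set access profile radius-users authentication-order radius
"""


def audit_dynamic_endpoint_policies(config_text):
    """Return (profile, finding) pairs for dynamic-endpoint IKE profiles.

    A profile is flagged when it has a [client * ike] stanza but no
    ipsec-policy statement, or when the policy it names is not defined
    under [edit services ipsec-vpn ipsec] in the supplied text.
    """
    defined_policies = set()  # policies under services ipsec-vpn ipsec
    profiles = {}             # profile name -> ipsec-policy name, or None

    for line in config_text.splitlines():
        tok = shlex.split(line)
        if tok[:1] != ["set"]:
            continue
        # set services ipsec-vpn ipsec policy <name> ...
        if tok[1:5] == ["services", "ipsec-vpn", "ipsec", "policy"] and len(tok) > 5:
            defined_policies.add(tok[5])
        # set access profile <name> client * ike <statement> [<value>]
        elif (tok[1:3] == ["access", "profile"]
              and len(tok) > 6
              and tok[4:7] == ["client", "*", "ike"]):
            name = tok[3]
            profiles.setdefault(name, None)
            if len(tok) > 8 and tok[7] == "ipsec-policy":
                profiles[name] = tok[8]

    findings = []
    for name, policy in sorted(profiles.items()):
        if policy is None:
            findings.append(
                (name, "no ipsec-policy set: any policy proposed by the "
                       "dynamic peer is accepted"))
        elif policy not in defined_policies:
            findings.append(
                (name, f"ipsec-policy {policy} is not defined under "
                       "services ipsec-vpn ipsec in the supplied text"))
    return findings


if __name__ == "__main__":
    for profile, finding in audit_dynamic_endpoint_policies(IKE_SAMPLE):
        print(f"{profile}: {finding}")
```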

    • Integrated Multiservice Gateway (IMSG) maximum number of policies and policy-related entities per Border Signaling Gateway (BSG)—The following table shows the maximum number of policies and related entities:

      Table 1: Maximum Number of Policies and Related Entities

      Entity                                                                   Maximum
      Policies (total of new call usage and new transaction policies) per BSG  750
      New call usage policies per BSG                                          500
      New transaction policies per BSG                                         500
      Policies per service point                                               10
      Service points per BSG                                                   100
      Terms per policy                                                         20
      Terms per BSG                                                            10,000
      Total of AND and OR operators in a policy term                           4

      [Session Border Control Solutions]

    Subscriber Access Management

    • Address assignment for dynamic PPPoE subscriber interfaces (M120, M320, and MX Series routers)—If the subscriber address for a dynamic PPPoE interface is not specified by means of the Framed-IP-Address (8) or Framed-Pool (88) RADIUS IETF attributes during authentication, the router allocates an IP address from the first IPv4 local address-assignment pool defined in the routing instance. For this reason, make sure that the local address assigned for the inet (IPv4) address family is in the same subnet as the addresses obtained from the first IPv4 local address-assignment pool.

      The router allocates the IP address from the first IPv4 local address-assignment pool under either of the following conditions:

      • RADIUS returns no address attributes.
      • RADIUS authentication does not take place because only address allocation is requested.

      If the first IPv4 local address-assignment pool has no available addresses, or if no IPv4 local address-assignment pools are configured, the router does not allocate an IP address to the dynamic PPPoE subscriber interface and denies access to the associated subscriber. To avoid depletion of IP addresses, you can configure linked address-assignment pools on the first IPv4 address-assignment local pool to create one or more backup pools.

      [Subscriber Access]

    • Enabling and disabling DHCP snooping support—You can now explicitly enable or disable DHCP snooping support on the router. If you disable DHCP snooping support, the router drops snooped DHCP discover and request messages.

      To enable DHCP snooping support, include the allow-snooped-clients statement at the [edit forwarding-options dhcp-relay overrides] hierarchy level. To disable DHCP snooping support, include the no-allow-snooped-clients statement at the [edit forwarding-options dhcp-relay overrides] hierarchy level. Both statements are also supported at the named group level and per-interface level.

      In JUNOS Release 10.0 and earlier, DHCP snooping is enabled by default. In JUNOS Release 10.1 and later, DHCP snooping is disabled by default.

      [Subscriber Access]

    • Configuring default values for predefined variables—You can now configure default values for certain JUNOS predefined variables. If the external RADIUS server is not available or the vendor-specific attribute (VSA) does not contain a value for the predefined variable, the JUNOS Software uses the default values.

      To configure default values, include the predefined-variable-defaults predefined-variable variable-option default-value statement at the [edit dynamic-profiles profile-name] hierarchy level.

      [Subscriber Access]

    • Modifications to the RADIUS revert-interval statement—The default setting and range have changed for the revert-interval statement at the [edit access profile profile-name radius options] hierarchy level. You can now set a revert interval in the range from 0 (off) through 4,294,967,295 seconds. The default setting is now 60 seconds.

      [Subscriber Access]

    • Required pppoe-options subhierarchy for configuring static and dynamic PPPoE interfaces (M120, M320, MX Series routers)—When you configure a static or dynamic pp0 (PPPoE) logical interface, you must include the pppoe-options subhierarchy in the configuration. Failure to include the pppoe-options subhierarchy causes the commit operation to fail.

      This requirement is in effect for configuration of static PPPoE logical interfaces as of JUNOS Release 10.2 and later, and has always been in effect for configuration of dynamic PPPoE subscriber interfaces in a PPPoE dynamic profile. For example, the following configuration now causes the commit operation to fail for both static and dynamic PPPoE logical interfaces:

      pp0 {
          unit 0 {
          }
      }

      To configure a static PPPoE logical interface in JUNOS Release 10.2 and higher-numbered releases, you must include the pppoe-options subhierarchy at the [edit interfaces pp0 unit logical-unit-number] hierarchy level or at the [edit logical-systems logical-system-name interfaces pp0 unit logical-unit-number] hierarchy level. At a minimum, the pppoe-options subhierarchy must include the name of the PPPoE underlying interface and the server statement, which configures the router to act as a PPPoE server. For example:

      [edit interfaces]
      ...
      pp0 {
          unit 0 {
              pppoe-options {
                  underlying-interface ge-1/0/0.0;
                  server;
              }
              ...
          }
      }

      To configure a dynamic PPPoE subscriber interface in a PPPoE dynamic profile, you must include the pppoe-options subhierarchy at the [edit dynamic-profiles profile-name interfaces pp0 unit "$junos-interface-unit"] hierarchy level. At a minimum, the pppoe-options subhierarchy must include the name of the underlying Ethernet interface, represented by the $junos-underlying-interface predefined dynamic variable, and the server statement. For example:

      [edit]
      dynamic-profiles {
          pppoe-profile {
              interfaces {
                  pp0 {
                      unit "$junos-interface-unit" {
                          pppoe-options {
                              underlying-interface "$junos-underlying-interface";
                              server;
                          }
                          ...
                      }
                  }
              }
          }
      }

      [Network Interfaces, Subscriber Access]

    VPNs

    • New configuration statement for removing dynamically learned MAC addresses from the MAC address database—Media access control (MAC) flush processing removes MAC addresses from the MAC address database that have been learned dynamically. With the dynamically learned MAC addresses removed, MAC address convergence requires less time to complete.

      In this release, you enable MAC flush processing for the virtual private LAN service (VPLS) routing instance or for the mesh group under a VPLS routing instance by using the mac-flush statement instead of the mac-tlv-receive and mac-tlv-send statements.

      mac-flush [ explicit-mac-flush-message-options ];

      You can include the statement at the following hierarchy levels:

      • [edit logical-systems logical-system-name routing-instances routing-instance-name protocols vpls]
      • [edit logical-systems logical-system-name routing-instances routing-instance-name protocols vpls mesh-group mesh-group-name]
      • [edit routing-instances routing-instance-name protocols vpls]
      • [edit routing-instances routing-instance-name protocols vpls mesh-group mesh-group-name]

      Note: The mac-tlv-receive and mac-tlv-send statements were removed from Release 10.0 of the JUNOS Software and are no longer visible in the [edit logical-systems logical-system-name routing-instances routing-instance-name protocols vpls] and [edit routing-instances routing-instance-name protocols vpls] hierarchy levels. Although the mac-tlv-receive and mac-tlv-send statements are recognized in the current release, they will be removed in a future release. We recommend that you update your configurations and use the mac-flush statement.

      To also configure the router to send explicit MAC flush messages, you can include explicit-mac-flush-message-options with the statement.

      [VPNs]


    Published: 2010-09-28