What's Changed

Flow-label configuration status for EVPN ELAN services—The output for the show evpn instance extensive command now displays the flow-label and flow-label-static operational status for a device and not for the routing instances. A device with flow-label enabled supports flow-aware transport (FAT) flow labels and advertises its support to its neighbors. A device with flow-label-static enabled supports FAT flow labels but does not advertise its capabilities.

Updated output for show route table—The output for show route table bgp.evpn.0 now displays L2 service TLV type. Previously, the output displayed the L3 service TLV. PR1694780

Commit error if interconnect and local route distinguishers have the same value—On EVPN data center interconnect (DCI) gateway devices, if you configure an interconnect RD at the [edit routing-instances name protocols evpn interconnect] hierarchy, the interconnect RD must be different from the local RD in the routing instance. If you try to configure the same value for the interconnect RD and the local RD in a routing instance, the device enforces this requirement by throwing a commit error. However, with DCI seamless stitching for EVPN Type 5 routes, you don't see the commit error prior to this release. Starting in this release, the device throws the commit error to enforce this condition for DCI stitching with Type 5 routes.

[See route-distinguisher.]

Specify the UDP source port in a ping overlay or traceroute overlay operation —In Junos OS Evolved releases prior to 22.4R1, you could not configure the UDP source port in a ping overlay or traceroute overlay operation. You may now configure this value in an EVPN-VXLAN environment using hash. The configuration option hash will override any other hash-* options that may be used to determine the source port value.

Before this change the output of a show task replication logical-system all | display xml validate command reported an error. After the change the output is correctly formatted with a logical-system root tag and no validation error occurs.

Prior to this change the output of a show task replication | display xml validate returned an error of the form "ERROR: Duplicate data element <task-protocol-replication-name>. With this change the XML output is properly structured with no validation errors.

The Ethernet link fault management process (lfmd) runs only when the link-fault-management protocol is configured.

Previously, if the system failed to install an interface or hierarchical policer, the PFE crashed due to an assert. Now, the system installs a firewall discard and logs a DFW_HALP_ERR_MSG_POLICER_ADD_FAILED error message. This error message provides the name of the affected policer and the corresponding error code. Relevant policers appear under the interface > unit > family > policer input/output (or) interface > unit > family > input-hierarchical-policer stanzas.PR1701676

The connectivity fault management process (cfmd) runs only when the ethernet connectivity-fault-management protocol is configured.

In the past inet6flow.0 was not allowed to be a primary rib in a rib-group. Starting with Release 22.3 this is now allowed.

XML tag in the get-system-yang-packages RPC reply changed (ACX Series, EX Series, PTX Series, and QFX Series)—The get-system-yang-packages RPC reply replaces the xmlproxy-yang-modules tag with the proxy-xml-yang-modules tag in the XML output.

An optics configuration mismatch alarm might be triggered when there is a discrepancy between the configured speed of an interface and the supported speed of the optic. This alarm indicates that the optic installed in the specified FPC is incompatible with the speed configured on the interface.PR1703957

Global tunnel termination option disables tunnel termination for all traffic (PTX10000 Series Routers)—You can use the set interfaces logical-interface-name unit 'n' family inet/inet6 no-tunnel-termination command to block VXLAN tunnel termination for the port. Adding the no-tunnel-termination option disables tunnel termination for all traffic which the firewall filter would have otherwise allowed you to block termination based on IP addresses.

[See VXLAN Constraints on PTX10000 Series Routers.]

Change in display of affinity constraints to hexadecimal values (MX10004, ACX7100-32C, ACX7100-48L, ACX7509, ACX7024, PTX10001-36MR, PTX10004, PTX10008, and PTX10016)—Starting in Junos OS release 22.4R1 and Junos Evolved Release 22.4R1, in the output of the show ted spring-te-policy extensive operational command, the affinity constraints will be displayed in hexadecimal format instead of decimal.

operator login class is restricted from viewing NETCONF trace files that are no-world-readable (ACX Series, PTX Series, and QFX Series)—When you configure NETCONF tracing options at the [edit system services netconf traceoptions] hierarchy level and you restrict file access to the file owner by setting or omitting the no-world-readable statement (the default), users assigned to the operator login class do not have permissions to view the trace file.

Support for the junos:cli-feature YANG extension (ACX Series, PTX Series, and QFX Series)—The cli-feature YANG extension identifies certain CLI properties associated with some command options and configuration statements. The Junos YANG modules that define the configuration or RPCs include the cli-feature extension statement, where appropriate, in schemas emitted with extensions. This extension is beneficial when a client consumes YANG data models, but for certain workflows, the client needs to generate CLI-based tools.

[See Understanding the Junos DDL Extensions YANG Module.]

XML tag in the get-system-yang-packages RPC reply changed (ACX Series, PTX Series, and QFX Series)—The get-system-yang-packages RPC reply replaces the xmlproxy-yang-modules tag with the proxy-xml-yang-modules tag in the XML output.

Changes to the NETCONF server's <rpc-error> element when the operation="delete" operation deletes a nonexistent configuration object (ACX Series, PTX Series, and QFX Series)—We've changed the <rpc-error> response that the NETCONF server returns when the <edit-config> or <load-configuration> operation uses operation="delete" to delete a configuration element that is absent in the target configuration. The error severity is error instead of warning, and the <rpc-error> element includes the <error-tag>data-missing</error-tag> and <error-type>application</error-type> elements.

Support for export of sFlow samples on the management Ethernet interface (PTX Series)—You can now export sFlow samples through the management Ethernet interface. Previously, you could only use WAN-facing interfaces to export the samples.

The ping host | display xml validate command validates XML without error (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series, and vMX) — In Junos OS and Junos OS Evolved releases prior to 22.4R2, the ping host | display xml validate command results in CRITICAL ERROR: Root tag name mismatch. Expected 'ping-results', got 'run-command'. The command now validates the XML successfully without error.

[See ping.]

Prior to this change, devices by default responded only to ARP requests originating from the same subnet. Configure the new CLI option, respond-out-of-subnet at the edit system arp hierarchy level to allow ARP reply to a request that originates from a different subnet. PR1710699

Prior to this change the output of the show isis statistics interface <interface_name> | display xml command used the XML tag "interface-name", which generated an error. With the change the XML output uses the tag "isis-interface-name".PR1712358

When subscribing to the resource path /junos/system/linecard/environment, the prefix for the streamed path at the collector side was displaying as /junos/linecard/environment. This issue is resolved in Junos OS 23.1R1 and Junos OS Evolved 23.1R1 and the subscription path and the streamed path match to display /junos/system/linecard/environment.

When disk usage for the run directory is above 85%, ZooKeeper logs and snapshots in the /run/zookeeper/conf/default/version-2 directory will be deleted if there are more than 3 files, leaving only the 3 most recent files.

Mozilla certification authority (CA) certificates removed (ACX Series, PTX Series, and QFX Series)—To minimize security risks, Junos OS Evolved no longer includes Mozilla's set of root certificates from various CA operators by default. To use docker container images from a registry that requires TLS authentication, you must first save the image as a tar archive on a remote device and then import the contents of the archive on the device running Junos OS Evolved.

[See Running Third-Party Applications in Containers.]

Deprecating options related to certificate enrollment (Junos)—Starting in Junos OS Release 23.2R1, we’re deprecating earlier CLI options related to Public Key Infrastructure (PKI) to enroll and reenroll local certificate through Simple Certificate Enrolment Protocol (SCEP). The table below shows the Junos CLI commands and configuration statements with the options being deprecated. You can find the same CLI options now available under scep option in these commands and statements.

[See auto-re-enrollment (Security), request security pki local-certificate enroll scep, and request security pki node-local local-certificate enroll.]

In Junos OS Evolved releases prior to 22.4R1, the show system directory-usage command assumes the current working directory is always /usr/sbin. If you want to run the command inside another directory, you must include the full directory path in the command. Starting in Junos OS Evolved Release 22.4R1, this command references the directory you currently have open. The command output displays the absolute path of the directory so you can easily see you are in the correct directory.

[See system directory-usage.]