What's Changed

Flow-label configuration status for EVPN ELAN services—The output for the show evpn instance extensive command now displays the flow-label and flow-label-static operational status for a device and not for the routing instances. A device with flow-label enabled supports flow-aware transport (FAT) flow labels and advertises its support to its neighbors. A device with flow-label-static enabled supports FAT flow labels but does not advertise its capabilities.

Updated output for show route table—The output for show route table bgp.evpn.0 now displays L2 service TLV type. Previously, the output displayed the L3 service TLV.

Commit error if interconnect and local route distinguishers have the same value—On EVPN data center interconnect (DCI) gateway devices, if you configure an interconnect RD at the edit routing-instances name protocols evpn interconnect hierarchy, the interconnect RD must be different from the local RD in the routing instance. If you try to configure the same value for the interconnect RD and the local RD in a routing instance, the device enforces this requirement by throwing a commit error. However, with DCI seamless stitching for EVPN Type 5 routes, you don't see the commit error prior to this release. Starting in this release, the device throws the commit error to enforce this condition for DCI stitching with Type 5 routes.

See [ route-distinguisher.]

New enhancement "udp source port" introduced in Junos OS Release 22.4R1 for overlay ping and traceroute— In Junos OS releases prior to 22.4R1, you could not configure the udp source port in a ping overlay or traceroute overlay operation. You may now configure this value in an EVPN-VXLAN environment using hash. The configuration option hash will override any other hash-* options that may be used to determine the source port value.

Mozilla certification authority (CA) certificates removed (ACX Series, PTX Series, and QFX Series)—To minimize security risks, Junos OS Evolved no longer includes Mozilla's set of root certificates from various CA operators by default. To use Docker container images from a registry that requires TLS authentication, you must first save the image as a tar archive on a remote device and then import the contents of the archive on the device running Junos OS Evolved.

See [ Running Third-Party Applications in Containers.]

When subscribing to the resource path /junos/system/linecard/environment, the prefix for the streamed path at the collector side was displaying as /junos/linecard/environment. This issue is resolved in Junos OS 23.1R1 and Junos OS Evolved 23.1R1 and the subscription path and the streamed path match to display /junos/system/linecard/environment.

The Ethernet link fault management process (lfmd) runs only when the link-fault-management protocol is configured.

Previously, if the system failed to install an interface or hierarchical policer, the PFE crashed due to an assert. Now, the system installs a firewall discard and logs a DFW_HALP_ERR_MSG_POLICER_ADD_FAILED error message. This error message provides the name of the affected policer and the corresponding error code. Relevant policers appear under the interface > unit > family > policer input/output (or) interface > unit > family > input-hierarchical-policer stanzas.PR1701676

XML tag in the get-system-yang-packages RPC reply changed (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series, vMX, and vSRX)—The get-system-yang-packages RPC reply replaces the xmlproxy-yang-modules tag with the proxy-xml-yang-modules tag in the XML output.

Multicast debug information added in EVPN options to request system information command (MX Series, QFX Series)—The output from CLI command request support information evpn-vxlan now includes additional information to help debug EVPN multicast issues.

[See request support information.]

Prior to this change the output of a show task replication | display xml validate returned an error of the form "ERROR: Duplicate data element <task-protocol-replication-name>. With this change the XML output is properly structured with no validation errors.

Before this change the output of a show task replication logical-system all | display xml validate command reported an error. After the change the output is correctly formatted with a "logical-system" root tag and no validation error occurs.

The connectivity fault management process (cfmd) runs only when the ethernet connectivity-fault-management protocol is configured.

Label for the hours unit of time displayed in output— When there are zero minutes in the output for the show system uptime command, the label for the hours unit of time is displayed.

[See show system uptime.]

In the past inet6flow.0 was not allowed to be a primary rib in a rib-group. Starting with Release 22.3 this is now allowed.

The active-user-count is defined as a numeric integer value in ODL request output — The output for the get-system-uptime-information ODL request contains information for the active-user-count. The active-user-count is now defined as a numeric integer value and avoids an invalid value type error.

[See show system uptime.]

Two new alarms are added and can be seen with MPC11E when 400G-ZR optics are used. High Power Optics Too Warm: warning of the increase in chassis ambient temperature with no functional action taken on the optics Temperature too high for optics power on: New inserted optics when the chassis ambient temperature is elevated beyond the threshold will not be powered on and would need to be reinserted when the ambient temperature is within the acceptable range

The packet rate and byte rate fields for LSP sensors on AFT (with the legacy path) have been renamed as jnx-packet-rate and jnx-byte-rate and is in parity with the UKERN behavior. Previously, these rate fields were named as packetRate and byteRate.

You can specify the minimum and maximum value for the hold-time down and hold-time up interval between 0 through 3600000 milliseconds at the edit protocols network-isolation group group-name detection hierarchy level.PR1726039

Support for podman-based JDM deployment—Starting in Junos OS Release 23.2R1, the external server-based Junos node slicing supports deployment of Juniper Device Manager (JDM) using the Pod Manager tool (podman). This change is applicable to servers running Red Hat Enterprise Linux (RHEL) 9. In Junos releases prior to 23.2R1, Junos node slicing supported RHEL 7.3 that provided libvirt?s lxc driver (libvirt-lxc) to deploy JDMs.

Support for podman-based JDM deployment—Starting in Junos OS Release 23.2R1, the external server-based Junos node slicing supports deployment of Juniper Device Manager (JDM) using the Pod Manager tool (podman). This change is applicable to servers running Red Hat Enterprise Linux (RHEL) 9. In Junos releases prior to 23.2R1, Junos node slicing supported RHEL 7.3 that provided libvirt?s lxc driver (libvirt-lxc) to deploy JDMs.PR1737550

The xmlns:junos attribute includes the complete software version string (ACX Series, EX Series, MX Series, QFX Series, SRX Series, vMX, and vSRX)—The xmlns:junos namespace string in XML RPC replies includes the complete software version release number, which is identical to the version emitted by the show version command. In earlier releases, the xmlns:junos string includes only partial software version information.

Starting in Junos OS release 23.2R1 and Junos OS Evolved release 23.2R1-EVO, the output of show chassis power command displays the state of the power supply in PTX10003 and QFX10003 platforms.

See [ show chassis power

Ability to commit extension-service file configuration when application file is unavailable—When you set the optional option at the edit system extension extension-service application file file-name hierarchy level, the operating system can commit the configuration even if the file is not available at the /var/db/scripts/jet file path.

See [ file (JET).]

Ability to restart restart daemonized applications—Use the request extension-service restart-daemonize-app application-name command to restart a daemonized application running on a Junos device. Restarting the application can assist you with debugging and troubleshooting.

See [ request extension-service restart-daemonize-app.]

Change in display of affinity constraints to hexadecimal values (MX10004, ACX7100-32C, ACX7100-48L, ACX7509, ACX7024, PTX10001-36MR, PTX10004, PTX10008, and PTX10016)-Starting in Junos OS release 22.4R1 and Junos Evolved Release 22.4R1, in the output of the show ted spring-te-policy extensive operational command, the affinity constraints will be displayed in hexadecimal format instead of decimal.

See [ show ted spring-te-policy.]

Changes to the show system yang package (get-system-yang-packages RPC) XML output (ACX Series, EX Series, MX Series, QFX Series, SRX Series, vMX, and vSRX)—The show system yang package command and <get-system-yang-packages> RPC include the following changes to the XML output:

• The root element is yang-package-information instead of yang-pkgs-info.

• A yang-package element encloses each set of package files.

• The yang-pkg-id tag is renamed to package-id.

• If the package does not contain translation scripts, the Translation Script(s) (trans-scripts) value is none.

operator login class is restricted from viewing NETCONF trace files that are no-world-readable (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series, vMX, and vSRX)—When you configure NETCONF tracing options at the edit system services netconf traceoptions hierarchy level and you restrict file access to the file owner by setting or omitting the no-world-readable statement (the default), users assigned to the operator login class do not have permissions to view the trace file.

Changes to the NETCONF server's rpc-error element when the operation="delete" operation deletes a nonexistent configuration object (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series, vMX, and vSRX) —We've changed the rpc-error response that the NETCONF server returns when the edit-config or load-configuration operation uses operation="delete" to delete a configuration element that is absent in the target configuration. The error severity is error instead of warning, and the rpc-error element includes the error-tagdata-missing error-tag and error-type application error-type elements.

NETCONF server's <rpc-error> response changed when <load-configuration> uses operation="delete" to delete a nonexistent configuration object (ACX Series, EX Series, MX Series, QFX Series, SRX Series, vMX, and vSRX)—In an earlier release, we changed the NETCONF server's <rpc-error> response for when an <edit-config> or <load-configuration> operation uses operation="delete" to delete a configuration element that is absent in the target configuration. We've reverted the changes to the <load-configuration> response.

Support for the junos:cli-feature YANG extension (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series, vMX, and vSRX)—The cli-feature YANG extension identifies certain CLI properties associated with some command options and configuration statements. The Junos YANG modules that define the configuration or RPCs include the cli-feature extension statement, where appropriate, in schemas emitted with extensions. This extension is beneficial when a client consumes YANG data models, but for certain workflows, the client needs to generate CLI-based tools.

See [ Understanding the Junos DDL Extensions YANG Module.]

Changes to the RPC response for <validate> operations in RFC-compliant NETCONF sessions (ACX Series, EX Series, MX Series, QFX Series, SRX Series, vMX, and vSRX)—When you configure the rfc-compliant statement at the [edit system services netconf] hierarchy level, the NETCONF server emits only an <ok/> or <rpc-error> element in response to <validate> operations. In earlier releases, the RPC reply also includes the <commit-results> element.

The ping host | display xml validate command validates XML without error (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series, and vMX) — In Junos OS and Junos OS Evolved releases prior to 22.4R2, the ping host | display xml validate command results in CRITICAL ERROR: Root tag name mismatch. Expected 'ping-results', got 'run-command'. The command now validates the XML successfully without error.

See [ ping.]

Prior to this change, devices by default responded only to ARP requests originating from the same subnet. Configure the new CLI option, "respond-out-of-subnet" at the edit system arp hierarchy level to allow ARP reply to a request that originates from a different subnet.

Configure conserve-mcast-route-in-pfe option on OISM server leaf and border leaf devices in scaled EVPN-VXLAN fabrics to avoid multicast route exhaustion (QFX5130-32CD and QFX5700 switches)—You can configure QFX5130-32CD and QFX5700 switches as optimized intersubnet multicast (OISM) server leaf or border leaf devices in an EVPN-VXLAN fabric. In scaled fabrics with many VLANs, EVPN instances, and multicast streams, you might see multicast traffic loss on these devices due to the limited size of the multicast snooping route tables in the PFE. To avoid this problem on QFX5130-32CD and QFX5700 switches with OISM in scaled environments, we require that you configure the conserve-mcast-routes-in-pfe option at the edit multicast-snooping-options oism hierarchy on these platforms. This option is available only on QFX5130-32CD and QFX5700 switches. Use this option when you configure these devices as server leaf or border leaf devices with OISM. Do not configure this option when you configure these devices as standalone assisted replication (AR) replicators with OISM.

[See oism (Multicast Snooping Options.]

Prior to this change the output of the show isis statistics interface <interface_name> | display xml command used the XML tag "interface-name", which generated an error. With the change the XML output uses the tag "isis-interface-name".

New options for the request system snapshot command (ACX Series, EX Series, MX Series, QFX Series, and SRX Series)—The request system snapshot command includes new options for non-recovery snapshots. You can include the name option to specify a user-defined name for the snapshot, and you can include the configuration or no-configuration option to include or exclude configuration files in the snapshot. By default, the snapshot saves the configuration files, which include the contents of the /config and /var directories and certain SSH files.

[See request system snapshot (Junos OS with Upgraded FreeBSD).]

The xmlns:junos attribute includes the complete software version string (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series, vMX and vSRX)—The xmlns:junos namespace string in XML RPC replies includes the complete software version release number, which is identical to the version emitted by the show version command. In earlier releases, the xmlns:junos string includes only partial software version information.

[See Login Classes Overview