What's Changed

You cannot apply a classifier to a physical interface on MX Series routers. On MX Series routers, you must apply the classifier to a logical interface.

EVPN-VXLAN tracing configuration— The set services trace evpn-vxlan configuration invokes a built-in commit script to generate tracing configurations for troubleshooting EVPN-VXLAN in multiple modules and hierarchies.

[See trace (EVPN-VXLAN).]

This feature also now includes a few new options so you have more flexibility to customize the generated configuration:

• no-underlay-config at the [edit services evpn] hierarchy level—To provide your own underlay peering configuration.

• mtu overlay-mtu and mtu underlay-mtu options at the [edit services evpn global-parameters] hierarchy level—To change the default assigned MTU size for underlay or overlay packets.

[See Easy EVPN LAG Configuration.]

.

Limit on number of IP address associations per MAC address per bridge domain in EVPN MAC-IP database—By default, devices can associate a maximum of 200 IP addresses with a single MAC address per bridge domain. We provide a new CLI statement to customize this limit, mac-ip-limit statement at the [edit protocols evpn] hierarchy level. In most use cases, you don?t need to change the default limit. If you want to change the default limit, we recommend that you don?t set this limit to more than 300 IP addresses per MAC address per bridge domain. Otherwise, you might see very high CPU usage on the device, which can degrade system performance.

[See mac-ip-limit.]

The max-db-size is an optional configuration command on routers having >=32 GB DRAM, for example, on MX960 platform. To enable subscriber-management, use the command set chassis network-services enhanced-ip and set system services subscriber-management enable. The router reboots and comes-up with subscriber-management enabled without max-db-size (optional) configuration and requires only 1 reboot.

In older Junos Releases, Data Definition Language (DDL) lists were ordered by the sequence in which the user configured the list items, for example a series of static routes. With this change, the list order is determined by the system with items displayed in numerical sequence rather than by the order in which the items were configured. There is no functional impact to this change.

While running request system snapshot recovery command on all VMHost based Routing Engines, disable or stop reporting any warning message.

Introduction of extensive option for IPsec security associations (MX Series, SRX Series and vSRX 3.0) We've introduced the extensive option for the show security ipsec security-associations command. Use this option to display IPsec security associations with all the tunnel events. Use the existing detail option to display upto ten events in reverse chronological order.

[See show security ipsec security-associations.]

New commit check for MAC-VRF routing instances with the encapsulate-inner-vlan statement configured— We introduced a new commit check that prevents you from configuring an IRB interface and the encapsulate-inner-vlan statement together in a MAC-VRF routing instance. Please correct or remove these configurations prior to upgrading to Junos OS 23.2R2 or newer to avoid a configuration validation failure during the upgrade.

[See encapsulate-inner-vlan.]

MTU and TCP MSS not available on service interfaces (MX Series routers)—You cannot configure the media MTU or TCP MSS on service interfaces (ms, vms, or ams).

[See mtu (interfaces).]

Change in options and generated configuration for the EZ-LAG configuration IRB subnet-address statement—With the EZ-LAG subnet-address inet or subnet-address inet6 options at the [edit services evpn evpn-vxlan irb irb-instance] hierarchy, you can now specify multiple IRB subnet addresses in a single statement using the list syntax addr1 addr2 ... . Also, in the generated configuration for IRB interfaces, the commit script now includes default router-advertisement statements at the [edit protocols] hierarchy level for that IRB interface.

[See subnet-address (Easy EVPN LAG Configuration).]

Media Access Control Security (MACsec) session remains stable when changing exclude-protocol configuration—When you change the protocols excluded from MACsec using the exclude-protocol protocol-name option at the [edit security macsec connectivity-association connectivity-association-name], the MACsec session remains stable.

[See exclude-protocol

ChaCha20-Poly1305 algorithm deprecation for SSH cipher option—The ChaCha20-Poly1305 authenticated encryption algorithm is deprecated for SSH cipher option. Configure aes-128-gcm and aes-256-gcm as the encryption algorithm for SSH Cipher option.

[See ssh (System Services).] PR1783811

When all the members of the AE have the same speed (x) and no mixed speed configured. If you change the speed value of any member of the AE to a value other than x, the commit succeeded in earlier releases. From this release, the commit fails. When there are et interfaces with different speeds and you want them to be part of an AE interface. If you change the speed of all the members of the interfaces to be the same speed (x), configure the AE interface, and commit, the commit failed in earlier releases. From this release, such commits succeed.PR1745893

Ability to commit extension-service file configuration when application file is unavailable—When you set the optional option at the [edit system extension extension-service application file file-name] hierarchy level, the operating system can commit the configuration even if the file is not available at the /var/db/scripts/jet file path.

[See file (JET).]

NETCONF <copy-config> operations support a file:// URI for copy to file operations (ACX Series, EX Series, MX Series, QFX Series, SRX Series, vMX, and vSRX)—The NETCONF <copy-config> operation supports using a file:// URI when <url> is the target and specifies the absolute path of a local file.

[See <copy-config>.]

DDoS syslog messages enhancement (MX Series devices with MPC10, MPC11, LC4800, or LC9600? line cards)—We've enhanced the severity of the DDoS module syslog messages ddos_get_vbf_ifl_from_flow_id and ddos_get_vbf_ifl_name in a subscriber management environment. In earlier releases, these syslog messages displayed incorrect messages in a subscriber management environment when you enable SCFD (suspicious control flow detection).

[See Control Plane DDoS Protection Flow Detection Overview.]

Two-Way Active Measurement Protocol (TWAMP) server/reflector test traffic classified by the ingress filter was re-classified with the values configured on the host-outbound-traffic configuration statement (All Junos OS Evolved platforms; MX Series platforms with MPC10E, MPC11E, or JNP10K-LC9600 cards)—We no longer re-classify the egress TWAMP traffic. We now maintain the same queue for the packets in the egress direction that the packets had in the ingress direction.PR1739935

Previously, shaping of Layer 2 pseudowires did not work on logical tunnel interfaces. This has been fixed for all platforms except QX chip-based MICs and MPCs.

Viewing files with the file compare files command requires users to have maintenance permission—The file compare files command in Junos OS and Junos OS Evolved requires a user to have a login class with maintenance permission.

[See Login Classes Overview..]

Increase in revert-delay timer range— The revert-delay timer range is increased to 600 seconds from 20 seconds.

[See min-rate.]

Configure min-rate for IPMSI traffic explicitly— In a source-based MoFRR scenario, you can set a min-rate threshold for IPMSI traffic explicitly by configuring ipmsi-min-rate under set routing-instances protocols mvpn hot-root-standby min-rate. If not configured, the existing min-rate will be applicable to both IPMSI and SPMSI traffic.

[See min-rate.]