What's Changed

Learn about what changed in this release for ACX Series routers.

Authentication and Access Control

  • ChaCha20-Poly1305 algorithm deprecation for SSH cipher option—The ChaCha20-Poly1305 authenticated encryption algorithm is deprecated as an SSH cipher option. Configure aes-128-gcm and aes-256-gcm as the encryption algorithms for the SSH cipher option instead. [See ssh (System Services).]

EVPN

  • OISM SBD bit in EVPN Type 3 route multicast flags extended community—In EVPN Type 3 Inclusive Multicast Ethernet Tag (IMET) route advertisements for interfaces associated with the supplemental bridge domain (SBD) in an EVPN optimized intersubnet multicast (OISM) network, we now set the SBD bit in the multicast flags extended community. We set this bit for interoperability with other vendors, and to comply with the IETF draft standard for OISM, draft-ietf-bess-evpn-irb-mcast. You can see this setting in the output from the show route table bgp.evpn.0 ? extensive command.

    [See CLI Commands to Verify the OISM Configuration.]

  • Group-based Policy (GBP) tag displayed with show bridge mac-table command—On platforms that support VXLAN-GBP, the show bridge mac-table command now displays a GBP TAG output column that lists the GBP tag associated with the MAC address for a bridge domain or VLAN in a routing instance. Even if the device itself does not support or use GBP, the output includes this information for GBP tags carried in packets received from remote EVPN-VXLAN peers.

    [See Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN.]

  • Updates to syslog EVPN_DUPLICATE_MAC messages—EVPN_DUPLICATE_MAC messages in the System log (syslog) now contain additional information to help identify the location of a duplicate MAC address in an EVPN network. These messages will include the following in addition to the duplicate MAC address:

    • The peer device, if the duplicate MAC address is from a remote VXLAN tunnel endpoint (VTEP).

    • The VLAN or virtual network identifier (VNI) value.

    • The source interface name for the corresponding local interface or multihoming Ethernet segment identifier (ESI).

    For example: Feb 27 22:55:13 DEVICE_VTEP1_RE rpd39839: EVPN_DUPLICATE_MAC: MAC address move detected for 00:01:02:03:04:03 within instance=evpn-vxlan on VNI=100 from 10.255.1.4 to ge-0/0/1.0.

    [For more on supported syslog messages, see System Log Explorer.]

  • New commit check for MAC-VRF routing instances with the encapsulate-inner-vlan statement configured—We introduced a new commit check that prevents you from configuring an IRB interface and the encapsulate-inner-vlan statement together in a MAC-VRF routing instance. Correct or remove these configurations before upgrading to 23.2R2 or later to avoid a configuration validation failure during the upgrade.

    [See encapsulate-inner-vlan.]

  • Optimized mesh group routes (ACX Series)—The show route snooping command for the inet.1 or inet6.1 table and the show route snooping table inet.1 | inet6.1 command display only CE mesh group routes on platforms that support EVPN-MPLS or EVPN-VXLAN multicast. In earlier releases, other mesh groups, such as the VE mesh group, were also displayed.

  • Limit on number of IP address associations per MAC address per bridge domain in EVPN MAC-IP database—By default, devices can associate a maximum of 200 IP addresses with a single MAC address per bridge domain. We provide a new CLI statement, mac-ip-limit at the [edit protocols evpn] hierarchy level, to customize this limit. In most use cases, you don't need to change the default limit. If you do change it, we recommend that you don't set this limit to more than 300 IP addresses per MAC address per bridge domain. Otherwise, you might see very high CPU usage on the device, which can degrade system performance.

    [See mac-ip-limit.]
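The EVPN_DUPLICATE_MAC message format described above (MAC, instance, VNI or VLAN, and the from/to locations) lends itself to a small parser that a defender can run over syslog. The following is an added example, not Juniper code: it extracts the fields, classifies each endpoint as a remote VTEP, an ESI, or a local interface, and flags MACs that move repeatedly. The sample lines are constructed (the first is the one quoted in the note); the field names and the flapping threshold are this example's own assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Message body as documented in the release note. The domain is keyed as
# VNI=<n> (VXLAN) or, by assumption, VLAN=<n> for a non-VXLAN bridge domain.
DUP_MAC_RE = re.compile(
    r"EVPN_DUPLICATE_MAC: MAC address move detected for "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) within instance=(?P<instance>\S+) "
    r"on (?P<domain>VNI|VLAN)=(?P<domain_id>\d+) from (?P<src>\S+) to (?P<dst>\S+?)\.?$",
    re.IGNORECASE,
)

# Constructed sample input; the first line is the one quoted in the note.
SAMPLE_LINES = [
    "Feb 27 22:55:13 DEVICE_VTEP1_RE rpd39839: EVPN_DUPLICATE_MAC: MAC address move "
    "detected for 00:01:02:03:04:03 within instance=evpn-vxlan on VNI=100 from 10.255.1.4 to ge-0/0/1.0.",
    "Feb 27 22:55:14 DEVICE_VTEP1_RE rpd39839: EVPN_DUPLICATE_MAC: MAC address move "
    "detected for 00:01:02:03:04:03 within instance=evpn-vxlan on VNI=100 from ge-0/0/1.0 to 10.255.1.4.",
    "Feb 27 22:55:15 DEVICE_VTEP1_RE rpd39839: EVPN_DUPLICATE_MAC: MAC address move "
    "detected for 00:01:02:03:04:05 within instance=evpn-vxlan on VLAN=200 "
    "from 00:11:22:33:44:55:66:77:88:99 to ge-0/0/2.0.",
]

def classify_endpoint(token):
    """Map a from/to token to the location kind the note describes."""
    try:
        ip_address(token)            # a peer VTEP is reported by its IP address
        return "remote-vtep"
    except ValueError:
        pass
    # A multihoming ESI is ten colon-separated octets; anything else is an interface name.
    if re.fullmatch(r"(?:[0-9a-f]{2}:){9}[0-9a-f]{2}", token, re.IGNORECASE):
        return "esi"
    return "local-interface"

def parse_duplicate_mac(line):
    """Return the parsed fields of one syslog line, or None if it is not a duplicate-MAC event."""
    m = DUP_MAC_RE.search(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["src_kind"] = classify_endpoint(ev["src"])
    ev["dst_kind"] = classify_endpoint(ev["dst"])
    return ev

def flapping_macs(lines, threshold=2):
    """Return {(mac, domain, id): count} for MACs that moved at least `threshold` times."""
    counts = Counter()
    for line in lines:
        ev = parse_duplicate_mac(line)
        if ev:
            counts[(ev["mac"].lower(), ev["domain"].upper(), ev["domain_id"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for key, n in flapping_macs(SAMPLE_LINES).items():
        print(f"{key[0]} on {key[1]}={key[2]} moved {n} times")
```

A MAC that bounces between a remote VTEP and a local interface within seconds usually indicates a loop or a duplicated host rather than a genuine move, which is what the repeat count is meant to surface.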

Infrastructure

  • Option to disable path MTU discovery—Path MTU discovery is enabled by default. To disable it for IPv4 traffic, you can configure the no-path-mtu-discovery statement at the [edit system internet-options] hierarchy level. To reenable it, use the path-mtu-discovery statement.

    [See Path MTU Discovery.]

Interfaces and Chassis

  • ACX7509: In the CLI, if you use the request chassis feb slot slot-number offline command to take the primary FEB offline, a traffic loss warning message is displayed and the FEB offline request is rejected. If you still intend to take the primary FEB offline or restart it, add the force option to the command. The warning message displayed in the CLI is: "warning: RCB and FEB work in the paired slot mode. FEB %s offline/restart will result in traffic loss and does not cause a switchover. Please re-try after initiating a mastership switchover using 'request chassis routing-engine master switch' CLI. If offline/restart is still intended, use 'force' option in addition to this CLI."

Junos OS API and Scripting

  • <get-trace> RPC support removed (ACX Series and PTX Series)—The show trace application app-name operational command and equivalent <get-trace> RPC both emit raw trace data. Because the <get-trace> RPC does not emit XML data, we've removed support for the <get-trace> RPC for XML clients.

Network Management and Monitoring

  • Change in use of RSA signatures with SHA-1 hash algorithm—Starting in Junos OS Release 24.2R1, there is a behavioral change introduced by OpenSSH 8.8/8.8p1, which disables the use of RSA signatures with the SHA-1 hash algorithm by default. You can use RSA signatures with the SHA-256 or SHA-512 hash algorithm instead.

Platform and Infrastructure

  • Starting in Junos Evolved Release, support for Network Time Protocol (NTP) over TLS (RFC 8915 compliant) for the ACX Series and PTX Series includes:

    • Support to configure local-certificate for server and certificate verification option for client.

    • Verification of X.509 certificates to establish a TLS channel between client and server.

    • TLS NTS-KE protocol support.

    • Support for NTS secured client-server NTP communication at server and client.

    • Support for new NTS options in commands system ntp nts, system ntp server <server_name> nts remote-identity, and show ntp associations no-resolve commands.

System Management

  • Additional Upgrade fields for the show system applications detail command (ACX Series and PTX Series)—The show system applications detail command and corresponding RPC include additional Upgrade output fields. The fields provide information about notifications and actions related to various upgrade activities.

    [See show system applications (Junos OS Evolved).]

User Access and Authentication

  • Starting in Junos OS Release and Junos OS Evolved Release, when you run the run show lldp local-information interface <interface-name> | display xml command, the output is displayed under the lldp-local-info root tag and in the lldp-local-interface-info container tag. When you run the run show lldp local-information interface | display xml command, the lldp-tlv-filter and lldp-tlv-select information are displayed under the lldp-local-interface-info container tag in the output.

  • Viewing files with the file compare files command requires users to have maintenance permission—The file compare files command in Junos OS Evolved requires a user to have a login class with maintenance permission.

    [See Login Classes Overview.]

VPNs

  • Increase in revert-delay timer range— The revert-delay timer range is increased to 600 seconds from 20 seconds.

  • Configure min-rate for IPMSI traffic explicitly— In a source-based MoFRR scenario, you can set a min-rate threshold for IPMSI traffic explicitly by configuring ipmsi-min-rate under set routing-instances protocols mvpn hot-root-standby min-rate. If not configured, the existing min-rate will be applicable to both IPMSI and SPMSI traffic.

    [See min-rate.]