What's Changed

Learn about what changed in this release for PTX Series routers.

Authentication and Access Control

  • ChaCha20-Poly1305 algorithm deprecation for SSH cipher option—The ChaCha20-Poly1305 authenticated encryption algorithm is deprecated for the SSH cipher option. Configure aes-128-gcm and aes-256-gcm as the encryption algorithms for the SSH cipher option.

    [See ssh (System Services).]

EVPN

  • OISM SBD bit in EVPN Type 3 route multicast flags extended community—In EVPN Type 3 Inclusive Multicast Ethernet Tag (IMET) route advertisements for interfaces associated with the supplemental bridge domain (SBD) in an EVPN optimized intersubnet multicast (OISM) network, we now set the SBD bit in the multicast flags extended community. We set this bit for interoperability with other vendors, and to comply with the IETF draft standard for OISM, draft-ietf-bess-evpn-irb-mcast. You can see this setting in the output from the show route table bgp.evpn.0 ? extensive command.

    [See CLI Commands to Verify the OISM Configuration.]

  • Group-based Policy (GBP) tag displayed with show bridge mac-table command—On platforms that support VXLAN-GBP, the show bridge mac-table command now displays a GBP TAG output column that lists the GBP tag associated with the MAC address for a bridge domain or VLAN in a routing instance. Even if the device does not support or is not using GBP itself, the output includes this information for GBP tags in packets received from remote EVPN-VXLAN peers.

    [See Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN.]

  • Updates to syslog EVPN_DUPLICATE_MAC messages—EVPN_DUPLICATE_MAC messages in the System log (syslog) now contain additional information to help identify the location of a duplicate MAC address in an EVPN network. These messages will include the following in addition to the duplicate MAC address:

    • The peer device, if the duplicate MAC address is from a remote VXLAN tunnel endpoint (VTEP).

    • The VLAN or virtual network identifier (VNI) value.

    • The source interface name for the corresponding local interface or multihoming Ethernet segment identifier (ESI).

    For example: Feb 27 22:55:13 DEVICE_VTEP1_RE rpd39839: EVPN_DUPLICATE_MAC: MAC address move detected for 00:01:02:03:04:03 within instance=evpn-vxlan on VNI=100 from 10.255.1.4 to ge-0/0/1.0.

    [For more on supported syslog messages, see System Log Explorer.]
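The enhanced EVPN_DUPLICATE_MAC message format above, parsed and turned into a simple MAC-flapping check, as an added example in Python (not from the release notes or from Junos itself). It assumes the single-line layout of the example message; the sample lines after the first, and the classification of a 10-byte ESI endpoint, are constructed for illustration.

```python
import re
from collections import Counter
from typing import Dict, Optional, Tuple

# Constructed sample syslog excerpt. Line 1 is the example from the release
# note; lines 2-4 are constructed: a move back to the remote VTEP, a move
# from a multihoming ESI, and an unrelated message the parser must skip.
SAMPLE_LOG = """\
Feb 27 22:55:13 DEVICE_VTEP1_RE rpd39839: EVPN_DUPLICATE_MAC: MAC address move detected for 00:01:02:03:04:03 within instance=evpn-vxlan on VNI=100 from 10.255.1.4 to ge-0/0/1.0
Feb 27 22:55:20 DEVICE_VTEP1_RE rpd39839: EVPN_DUPLICATE_MAC: MAC address move detected for 00:01:02:03:04:03 within instance=evpn-vxlan on VNI=100 from ge-0/0/1.0 to 10.255.1.4
Feb 27 22:56:01 DEVICE_VTEP1_RE rpd39839: EVPN_DUPLICATE_MAC: MAC address move detected for 00:aa:bb:cc:dd:ee within instance=evpn-vxlan on VNI=200 from 00:11:22:33:44:55:66:77:88:99 to ge-0/0/2.0
Feb 27 22:57:00 DEVICE_VTEP1_RE rpd39839: EVPN_MAC_LIMIT: unrelated message that the parser must skip
"""

# Fields of the enhanced message: MAC, routing instance, VNI, and the from/to
# endpoints (remote VTEP address, local interface name, or multihoming ESI).
MSG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \S+: EVPN_DUPLICATE_MAC: "
    r"MAC address move detected for (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"within instance=(?P<instance>\S+) on VNI=(?P<vni>\d+) "
    r"from (?P<src>\S+) to (?P<dst>\S+)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
ESI_RE = re.compile(r"^(?:[0-9a-f]{2}:){9}[0-9a-f]{2}$")  # assumed 10-byte ESI text form

def classify_endpoint(value: str) -> str:
    """Label a from/to endpoint as remote-vtep, esi, or local-interface."""
    if IPV4_RE.match(value):
        return "remote-vtep"
    if ESI_RE.match(value):
        return "esi"
    return "local-interface"

def parse_line(line: str) -> Optional[dict]:
    """Return the fields of an EVPN_DUPLICATE_MAC line, or None for other lines."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["mac"] = rec["mac"].lower()
    rec["vni"] = int(rec["vni"])
    rec["src_kind"] = classify_endpoint(rec["src"])
    rec["dst_kind"] = classify_endpoint(rec["dst"])
    return rec

def find_flapping(log: str, threshold: int = 2) -> Dict[Tuple[str, int, str], int]:
    """Count moves per (instance, VNI, MAC) and keep those at or above threshold."""
    # Repeated moves of one MAC between the same endpoints are the usual sign
    # of a duplicate MAC (two hosts or a loop) rather than a one-off migration.
    counts: Counter = Counter()
    for line in log.splitlines():
        rec = parse_line(line)
        if rec:
            counts[(rec["instance"], rec["vni"], rec["mac"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}
```

Feed it the output of a syslog collector that receives messages from the VTEPs; the (instance, VNI, MAC) key makes the same MAC in two VNIs count as two separate cases.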

  • New commit check for MAC-VRF routing instances with the encapsulate-inner-vlan statement configured—We introduced a new commit check that prevents you from configuring an IRB interface and the encapsulate-inner-vlan statement together in a MAC-VRF routing instance. Please correct or remove these configurations prior to upgrading to 23.2R2 or newer to avoid a configuration validation failure during the upgrade.

    [See encapsulate-inner-vlan.]

  • Default behavior changes and new options for the easy EVPN LAG configuration (EZ-LAG) feature—The easy EVPN LAG configuration feature now uses some new default or derived values, as follows:

    • Peer PE device peer-id value can only be 1 or 2.

    • You are required to configure the loopback subnet addresses for each peer PE device using the new loopback peer1-subnet and loopback peer2-subnet options at the edit services evpn device-attribute hierarchy level. The commit script uses these values for each peer PE device's loopback subnet instead of deriving those values on each PE device. These replace the loopback-subnet option at the edit services evpn device-attribute hierarchy level, which has been deprecated.

    • If you configure the no-policy-and-routing-options-config option, you must configure a policy statement called EXPORT-LO0 that the default underlay configuration requires, or configure the new no-underlay-config option and include your own underlay configuration.

    • The commit script generates "notice" messages instead of "error" messages for configuration errors so you can better handle edit services evpn configuration issues.

    • The commit script includes the element names you configure (such as IRB instance names and server names) in description statements in the generated configuration.

    This feature also now includes a few new options so you have more flexibility to customize the generated configuration:

    • no-underlay-config at the edit services evpn hierarchy level—To provide your own underlay peering configuration.

    • mtu overlay-mtu and mtu underlay-mtu options at the edit services evpn global-parameters hierarchy level—To change the default assigned MTU size for underlay or overlay packets.

    [See Easy EVPN LAG Configuration.]

  • Limit on number of IP address associations per MAC address per bridge domain in EVPN MAC-IP database—By default, devices can associate a maximum of 200 IP addresses with a single MAC address per bridge domain. We provide a new CLI statement to customize this limit, the mac-ip-limit statement at the edit protocols evpn hierarchy level. In most use cases, you don't need to change the default limit. If you want to change the default limit, we recommend that you don't set this limit to more than 300 IP addresses per MAC address per bridge domain. Otherwise, you might see very high CPU usage on the device, which can degrade system performance.

    [See mac-ip-limit.]

Flow-based and Packet-based Processing

  • The subscription path for the flow sensor has changed from /junos/security/spu/flow/usage to /junos/security/spu/flow/statistics. This change keeps the path uniform in request and response data.

General Routing

  • Enhanced DDoS status operational command (PTX Series)—We've enhanced the aggregate DDoS status output field to display the aggregate count of all sub packet types.

    Before this release, the aggregate DDoS status output displayed only the packet-type-level information.

    [See show ddos-protection protocols.]

  • The show chassis fabric topology command displays interleaved source and destination tags in the In-Links and Out-Links output fields for PTX Series devices in Junos OS Evolved Release 21.4R1 and later.

  • On PTX10004, PTX10008, and PTX10016 routers, after executing the request node offline command, you must wait at least 180 seconds to execute the request chassis cb offline command.

  • Media Access Control Security (MACsec) session remains stable when changing exclude-protocol configuration—When you change the protocols excluded from MACsec using the exclude-protocol protocol-name option at the edit security macsec connectivity-association connectivity-association-name hierarchy level, the MACsec session remains stable.

    [See exclude-protocol.]

  • Enhanced DDoS statistics operational command (PTX Series)—We've enhanced the aggregate DDoS statistics output field to display the aggregate statistics for BFD and DHCP protocols. The enhanced DHCP statistics output displays the collective DHCPv4 and DHCPv6 statistics for DDoS.

    Before this release, the aggregate DDoS statistics output displayed 0 for aggregate BFD and aggregate DHCPv4v6.

  • Change in options and generated configuration for the EZ-LAG configuration IRB subnet-address statement—With the EZ-LAG subnet-address inet or subnet-address inet6 options at the edit services evpn evpn-vxlan irb irb-instance hierarchy, you can now specify multiple IRB subnet addresses in a single statement using the list syntax addr1 addr2 ... Also, in the generated configuration for IRB interfaces, the commit script now includes default router-advertisement statements at the edit protocols hierarchy level for that IRB interface.

    [See subnet-address (Easy EVPN LAG Configuration).]

  • The command request system zeroize has been updated to securely erase ATA disks on Routing Engines. This update makes it difficult to access data on the disks, using various levels of sanitization corresponding to degrees of difficulty, as defined in the NIST 800-88 standard. If the Routing Engine contains two disks, you can now sanitize the disks one at a time, using the disk1 or the disk2 option.

  • DDoS violation information shows incorrect default time and date (PTX Series)—When you clear the DDoS violation state using the clear ddos-protection protocols states command in Junos OS Evolved, the log message displays an incorrect default time and date. However, if you bypass the recovery time while clearing the DDoS violation state, the log message displays accurately.

    [See clear ddos-protection protocols.]

  • The system now checks the port number value (z) in the 'set interfaces et-x/y/z:n' configuration for a valid port range on PTX10002-36QDD. Previously, configurations with invalid port numbers were committed successfully. With this update, the system displays a UI error message and prevents committing configurations with invalid port numbers, ensuring configuration accuracy and preventing potential issues.

  • Three new VSAs have been added to the code repository for 802.1X authentication on the RADIUS server under Vendor ID 2636:

    • 53: Event-Type

    • 54: Sub-Event-Type

    • 55: Juniper-Generic-Message

    [See Radius Attributes and VSA list supported by 802.1X.]

  • Change to the commit process—In prior Junos OS Evolved releases, if you use the commit prepare command and modify the configuration before activating the configuration using the commit activate command, the prepared commit cache becomes invalid due to the interim configuration change. As a result, you cannot perform a regular commit operation using the commit command. The CLI shows an error message: 'error: Commit activation is pending, either activate or clear commit prepare'. If you now try running the commit activate command, the CLI shows an error message: 'error: Prepared commit cache invalid, failed to activate'. You then must clear the prepared configuration using the clear system commit prepared command before performing a regular commit operation. From this Junos and Junos OS Evolved release, when you modify a device configuration after 'commit prepare' and then issue a 'commit', the OS detects that the prepared cache is invalid and automatically clears the prepared cache before proceeding with regular 'commit' operation.

    [See Commit Preparation and Activation Overview.]

  • Disabled CDN auto download (Junos OS Evolved)—The PKI process periodically, by default every 24 hours, polls the CDN server for the latest default trusted CA bundle and updates the list for any changes to the trusted CAs in the bundle. If there are any changes, the PKI process loads them in the background. This auto download of CA certificates might generate core files. We've therefore disabled the periodic PKI query to the CDN server that downloads the latest trusted CA bundle.

  • Feature bandwidth information in CLI output (PTX Series)—Starting in this release, the show system license command output displays bandwidth only if an IFL and Advance or Premium features are configured. PR1783572

  • ChaCha20-Poly1305 algorithm deprecation for SSH cipher option—The ChaCha20-Poly1305 authenticated encryption algorithm is deprecated for the SSH cipher option. Configure aes-128-gcm and aes-256-gcm as the encryption algorithms for the SSH cipher option.

    [See ssh (System Services).] PR1783811

  • New CLIs introduced to collect Layer 2 bridging and Layer 2 protocol information for smart debugging. PR1791299

  • Remote port-mirroring configuration error messages (PTX10002-36QDD)—When you configure remote port-mirroring and restart the Packet Forwarding Engine (PFE), syslog displays error messages indicating unbind failures. PR1800337

  • Corrected show ddos-protection protocols CLI command (PTX10003, PTX10008, and PTX10016)—When you clear the DDoS state and then execute the show ddos-protection protocols CLI command, the output now accurately displays that the policer was never violated. Before this release, the show ddos-protection protocols CLI command output displayed that the policer was no longer violated, which implied that a violation had occurred and wasn't cleared correctly.

    [See show ddos-protection protocols.]

Infrastructure

  • Option to disable path MTU discovery—Path MTU discovery is enabled by default. To disable it for IPv4 traffic, you can configure the no-path-mtu-discovery statement at the [edit system internet-options] hierarchy level. To reenable it, use the path-mtu-discovery statement.

    [See Path MTU Discovery.]

Interfaces and Chassis

  • Disable power redundancy alarms for JNP10K-PWR-DC2 PSM (PTX10008 and PTX10016)—The JNP10K-PWR-DC2 PSM supports power redundancy across two DIP switches. When not all input feeds are connected to the power supplies, the device triggers a chassis alarm such as PSM 5 Input B0 and B1 Failed. Starting in Junos OS Evolved Release 24.2R1, you can disable this chassis alarm by using the set chassis alarm psm <psm-number> input <input-number> ignore command.

    [See JNP10K-PWR-DC2 Power Supply.]

  • Zeroize a specific disk—The Routing Engine of your device has multiple disks for redundancy. Use the command request system zeroize (disk1|disk2) to zeroize only one of the disks. Use disk1 to zeroize the primary disk (/dev/sda) and disk2 to zeroize the backup disk (/dev/sdb).

    [See request system zeroize (Junos OS Evolved).]

Junos Node Slicing

  • Change in the XML tags displayed for the show virtual-network-functions command in JDM (Junos node slicing)—To align the XML tags displayed for the show virtual-network-functions gnf-name | display xml with the new XML validation logic, we have replaced the underscores (_) in the output with hyphens (-) as shown below:

    Old output:

    New output:

    This change is applicable to any RPC that previously had underscores in the XML tag name.

Junos OS API and Scripting

  • <get-trace> RPC support removed (ACX Series and PTX Series)—The show trace application app-name operational command and equivalent <get-trace> RPC both emit raw trace data. Because the <get-trace> RPC does not emit XML data, we've removed support for the <get-trace> RPC for XML clients.

Multicast

  • Non-revertive switchover for sender-based MoFRR—In earlier Junos releases, source-based MoFRR ensured that traffic reverted from the backup path to the primary path when the primary path or session was restored. This reversion could result in traffic loss. Starting in Junos OS Evolved 22.4R3-S1, source-based MoFRR does not revert to the primary path; that is, traffic continues to flow through the backup path as long as the traffic flow rate on the backup path does not fall below the threshold configured under protocols mvpn hot-root-standby min-rate.

    [See min-rate.]

Network Management and Monitoring

  • With this release, the CLI does not allow you to delete the "management-instance" configuration from the edit system hierarchy level if you have configured syslog messages for remote hosts with the "mgmt_junos" instance as routing instance at the edit system syslog hierarchy level and at the edit system hierarchy level. If you try to delete the management-instance configuration at the edit system hierarchy level without deleting it from the edit system syslog hierarchy level, the CLI shows a commit error. PR1785475

  • Change in use of RSA signatures with SHA-1 hash algorithm—Starting in Junos OS Release 24.2R1, the behavior changes because of OpenSSH 8.8/8.8p1, which disables the use of RSA signatures with the SHA-1 hash algorithm by default. You can use RSA signatures with the SHA-256 or SHA-512 hash algorithm instead.

Platform and Infrastructure

  • Starting in Junos OS Evolved Release 24.2R1, support for Network Time Protocol (NTP) over TLS (RFC 8915 compliant) for the ACX Series and PTX Series includes:

    • Support to configure a local-certificate for the server and a certificate verification option for the client.

    • Verification of X.509 certificates to establish a TLS channel between client and server.

    • TLS NTS-KE protocol support.

    • Support for NTS-secured client-server NTP communication at server and client.

    • Support for new NTS options in the system ntp nts, system ntp server <server_name> nts remote-identity, and show ntp associations no-resolve commands.

System Management

  • Additional Upgrade fields for the show system applications detail command (ACX Series and PTX Series)—The show system applications detail command and corresponding RPC include additional Upgrade output fields. The fields provide information about notifications and actions related to various upgrade activities.

    [See show system applications (Junos OS Evolved).]

User Access and Authentication

  • Starting in Junos OS Release 24.2R1 and Junos OS Evolved Release 24.2R1, when you run show lldp local-information interface <interface-name> | display xml, the output is displayed under the lldp-local-info root tag and in the lldp-local-interface-info container tag. When you run show lldp local-information interface | display xml, the lldp-tlv-filter and lldp-tlv-select information is displayed under the lldp-local-interface-info container tag in the output.

  • Viewing files with the file compare files command requires users to have maintenance permission—The file compare files command in Junos OS Evolved requires a user to have a login class with maintenance permission.

    [See Login Classes Overview.]

User Interface and Configuration

  • Viewing files with the file compare files command requires users to have maintenance permission—The file compare files command in Junos OS and Junos OS Evolved requires a user to have a login class with maintenance permission.

    [See Login class overview.]

VPNs

  • Increase in revert-delay timer range—The revert-delay timer range is increased to 600 seconds from 20 seconds.

    [See min-rate.]

  • Configure min-rate for IPMSI traffic explicitly—In a source-based MoFRR scenario, you can set a min-rate threshold for IPMSI traffic explicitly by configuring ipmsi-min-rate under set routing-instances protocols mvpn hot-root-standby min-rate. If not configured, the existing min-rate applies to both IPMSI and SPMSI traffic.

    [See min-rate.]