What's Changed

OISM SBD bit in EVPN Type 3 route multicast flags extended community—In EVPN Type 3 Inclusive Multicast Ethernet Tag (IMET) route advertisements for interfaces associated with the supplemental bridge domain (SBD) in an EVPN optimized intersubnet multicast (OISM) network, we now set the SBD bit in the multicast flags extended community. We set this bit for interoperability with other vendors, and to comply with the IETF draft standard for OISM, draft-ietf-bess-evpn-irb-mcast. You can see this setting in the output from the show route table bgp.evpn.0 ? extensive command.

[See CLI Commands to Verify the OISM Configuration.]

Group-based Policy (GBP) tag displayed with show bridge mac-table command—On platforms that support VXLAN-GBP, the show bridge mac-table command now displays a GBP TAG output column that lists the GBP tag associated with the MAC address for a bridge domain or VLAN in a routing instance. Even if the device doesn?t support or isn?t using GBP itself, the output includes this information for GBP tags in packets received from remote EVPN-VXLAN peers.

[See Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN.]

EVPN system log messages for CCC interface up and down events—Devices will now log EVPN and EVPN-VPWS interface up and down event messages for interfaces configured with circuit cross-connect (CCC) encapsulation types. You can look for error messages with message types EVPN_INTF_CCC_DOWN and EVPN_INTF_CCC_UP in the device system log file /var/log/syslog.

Starting from Junos 21.4R1 platforms with the following Routing Engines which have Intel CPUs with microcode version 0x35 observe the error warning, "000: Firmware Bug: TSC_DEADLINE disabled due to Errata; please update microcode to version: 0x3a (or later)" on the console. RE-S-X6-64G RE-S-X6-128G REMX2K-X8-64G RE-PTX-X8-64G RE-MX2008-X8-64G RE-MX2008-X8-128GPR1783225

Change to the commit process—In prior Junos OS and Junos OS Evolved releases, if you use the commit prepare command and modify the configuration before activating the configuration using the commit activate command, the prepared commit cache becomes invalid due to the interim configuration change. As a result, you cannot perform a regular commit operation using the commit command. The CLI shows an error message: 'error: Commit activation is pending, either activate or clear commit prepare'. If you now try running the commit activate command, the CLI shows an error message: 'error: Prepared commit cache invalid, failed to activate'. You then must clear the prepared configuration using the clear system commit prepared command before performing a regular commit operation. From this Junos and Junos OS Evolved release, when you modify a device configuration after 'commit prepare' and then issue a 'commit', the OS detects that the prepared cache is invalid and automatically clears the prepared cache before proceeding with regular 'commit' operation.

[See Commit Preparation and Activation Overview]. PR1806197

When you run the run show lldp local-information interface interface-name | display xml command, the output is displayed under the lldp-local-info root tag and in the lldp-local-interface-info container tag. When you run the run show lldp local-information interface | display xml command, the lldp-tlv-filter and lldp-tlv-select information are displayed under the lldp-local-interface-info container tag in the output.

Change in use of RSA signatures with SHA-1 hash algorithm?Starting in Junos OS Release 24.2R1, there is a behavioural change by OpenSSH 8.8/8.8p1. OpenSSH 8.8/8.8p1 disables the use of RSA signatures with SHA-1 hash algorithm by default. You can use RSA signatures with SHA-256 or SHA-512 hash algorithm.

For MPC5E line card with flexible-queuing-mode enabled, queue resources are shared between scheduler block 0 and 1. Resource monitor CLI output displays an equal distribution of the total available and used queues between scheduler blocks. This correctly represents the queue availability to the routing engine.

Enhancement to fix output with Junos PyEz for duplicate keys in PKI (MX Series, SRX Series, EX Series)—In earlier releases, though the CLI output displayed all the duplicate keys for the corresponding hash algorithms in PKI using show security pki local-certificate detail | display json command, for the same requested data, Junos PyEz displayed the last key only. Starting this release, the CLI output and the PyEz displays all the duplicate keys with the enhanced tags.

In a firewall filter configured with a port-mirror-instance or port-mirror action, if l2-mirror action is also configured, then port-mirroring instance family should be any. In the absence of the l2-mirror action, port-mirroring instance family should be the firewall filter family.PR1818423

Support added for interface-group match condition for MPLS firewall filter family. PR1818968

Licensing (MX Series)-The PWHT for layer 3 VPNs or BNG feature moved from premium tier to advanced tier.PR1843429

The CVBC does not require any documentation. As described in the assessment tab, there is a change to the warning message displayed on the CLI. We don't usually document warning messages displayed on the CLI.PR1856239

Changes to the XML output for ping RPCs (MX480)—We've updated the junos-rpc-ping YANG module and the corresponding Junos XML RPCs to ensure that the RPC XML output conforms to the YANG schema. As a result, we changed the XML output for the following ping RPCs:

• <ping>—The XML output emits <ping-error-message> and <ping-warning-message> tags instead of <xnm:error> and <xnm:warning> tags.

• <request-ping-ce-ip>—The XML output is enclosed in an <lsping-results> root element.

• <request-ping-ethernet>—

  • The <ethping-results> root tag includes a <cfm-loopback-reply-entry> or <cfm-loopback-reply-entry-rapid> tag for each received response. In earlier releases, a single tag enclosed all responses.

  • The XML output includes only application specific error tags and omits <xnm:error> tags.

  • The <cfm-loopback-reply-entry-rapid> tag is now reflected in the YANG schema.

• <request-ping-overlay>—The <ping-overlay-results> element includes a new child tag <hash-udp-src-port>.

Update to IGMP snooping membership command options— The instance option is now visible when issuing the show igmp snooping membership ? command. Earlier, the instance option was available but not visible when ? was issued to view all possible completions for the show igmp snooping membership command.

[See show igmp snooping membership.]

Extension of traceoptions support for VLANs in IGMP/MLD snooping— The traceoptions option is supported under the [edit routing-instance protocols igmp-snooping vlan] and [edit routing-instance protocols mld-snooping vlan] hierarchy. traceoptions can be enabled for both specific and all vlans.

[See vlan (IGMP Snooping)].PR1845242

You can configure VLAN termination cause codes to specify RADIUS attribute values for different termination scenarios on Junos OS MX Series platforms supporting the Layer-2 Bitstream Access (L2BSA) feature. You can diagnose and manage network issues effectively by understanding the specific reasons for VLAN termination. Ensure that the correct termination cause codes are sent by validating configuration and testing scenarios to correctly interpret network events. When a subscriber logs out, the system occasionally sends an incorrect termination cause value to RADIUS. The subscriber VLAN "Account-Terminate-Cause" in "Acct-Stop" message for different L2BSA subscriber logout error scenarios is modified to display correct reasons for termination.

[See "VLAN Termination Causes and Code Values" and "show network-access aaa terminate-code"].PR1854701

Viewing files with the file compare files command requires users to have maintenance permission—The file compare files command in Junos OS and Junos OS Evolved requires a user to have a login class with maintenance permission.

[See Login Classes Overview.

Changes to the show system information and show version command output (ACX Series, EX Series, MX Series, QFX Series, SRX Series, and vSRX)—The show system information command output lists the Hostname field first instead of last. The show version command output includes the Family field. The Family field identifies the device family under which the device is categorized, for example, junos, junos-es, junos-ex, or junos-qfx.

[See show system information and show version.]

Access privileges for request support information command (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series Firewalls, and vSRX Virtual Firewall)—The request support information command is designed to generate system information for troubleshooting and debugging purposes. Users with the specific access privileges maintenance, view, and view-configuration can execute request support information command.

Increase in revert-delay timer range—The revert-delay timer range is increased to 600 seconds from 20 seconds.

[See min-rate.]

Configure min-rate for IPMSI traffic explicitly—In a source-based MoFRR scenario, you can set a min-rate threshold for IPMSI traffic explicitly by configuring ipmsi-min-rate under set routing-instances protocols mvpn hot-root-standby min-rate. If not configured, the existing min-rate will be applicable to both IPMSI and SPMSI traffic.

[See min-rate.]