What's Changed

Disabled CDN auto download (Junos OS Evolved)— The PKI process periodically, by default every 24 hours, polls the CDN server for the latest default trusted CA bundle and updates the list for any changes to the trusted CAs in the bundle. If there are any changes, PKI process loads them in the background. The auto download of CA certificates might generate core files. We've disabled the service of PKI query to CDN server periodically to download the latest trusted CA bundle.

On Junos OS Evolved, password authentication for SCP based configuration archival is supported.

Previously, the Junos OS Evolved system default scheduler was named "default" (no brackets), while the Junos OS system default scheduler is named "<default>" (with brackets). Now, the Junos OS Evolved system default scheduler is also named "<default>" (with brackets).

EVPN system log messages for CCC interface up and down events—Devices will now log EVPN and EVPN-VPWS interface up and down event messages for interfaces configured with circuit cross-connect (CCC) encapsulation types. You can look for error messages with message types EVPN_INTF_CCC_DOWN and EVPN_INTF_CCC_UP in the device system log file (/var/log/syslog).

The system now checks the port number value (z) in the 'set interfaces et-x/y/z:n' configuration for a valid port range on PTX10002-36QDD. Previously, configurations with invalid port numbers were committed successfully. With this update, the system displays a UI error message and prevents committing configurations with invalid port numbers, ensuring configuration accuracy and preventing potential issues.

Change to the commit process—In prior Junos OS Evolved releases, if you use the commit prepare command and modify the configuration before activating the configuration using the commit activate command, the prepared commit cache becomes invalid due to the interim configuration change. As a result, you cannot perform a regular commit operation using the commit command. The CLI shows an error message: 'error: Commit activation is pending, either activate or clear commit prepare'. If you now try running the commit activate command, the CLI shows an error message: 'error: Prepared commit cache invalid, failed to activate'. You then must clear the prepared configuration using the clear system commit prepared command before performing a regular commit operation. From this Junos and Junos OS Evolved release, when you modify a device configuration after 'commit prepare' and then issue a 'commit', the OS detects that the prepared cache is invalid and automatically clears the prepared cache before proceeding with regular 'commit' operation.

[See Commit Preparation and Activation Overview.]

Remote port-mirroring configuration error messages (PTX10002-36QDD)—When you configure remote port-mirroring and restart the Packet Forwarding Engine (PFE), syslog displays error messages indicating unbind failures.PR1800337

New CLIs introduced to collect Layer 2 bridging and Layer 2 protocols for smart debugging. PR1803119

Disable power redundancy alarms for JNP10K-PWR-DC2 PSM (PTX10008 and PTX10016)- The JNP10K-PWR-DC2 PSM supports power redundancy across two DIP switches. When all input feeds are not connected to power supplies, it triggers a chassis alarm such as PSM 5 Input B0 and B1 Failed. Starting in Junos OS Evolved Release 24.2R1, you can disable this chassis alarm by using the set chassis alarm psm psm number input input number ignore command.

[See JNP10K-PWR-DC2 Power Supply.]

DDoS protection protocols statistics update (PTX Series)—Starting in Junos OS Evolved Release 23.2R2, the show ddos-protection protocols statistics displays the Max arrival rate and Arrival rate output values as expected. Earlier to this release, the Max arrival rate and Arrival rate output values were displayed larger than expected.

[See show ddos-protection protocols parameters.]

Corrected show ddos-protection protocols CLI command (PTX10003, PTX10008, and PTX10016)—When you clear the DDoS state and then execute the show ddos-protection protocols CLI command, the output accurately displays that the policer was never violated. Earlier to this release, the show ddos-protection protocols CLI command output displayed that the policer was no longer violated, which indicates that violation occurred and wasn't cleared correctly.

[See show ddos-protection protocols.]

Field name update in the CLI output (Junos)—Starting in this release, the show system license command output field name changed from invalid to license not installed.PR1812126

Feature name updates in CLI output (Junos) —Starting in this release, the show system license command output displays the feature name.PR1815591

SSH key options for user account credentials. You can configure key-options <key-options> option at the set system login user <user> authentication ssh-rsa|ssh-ecdsa|ssh-ed25519 <ssh key> hierarchy level.

[See login.]

Process generates a live core when its related process generates a core (ACX Series, PTX Series, and QFX Series)—For related processes, when one process stops responding and generates a core file, by default, the system also generates a live core for the related process. By generating a live core for the related process, the system provides more complete diagnostic data at the time of the failure, which enables you to perform a more thorough root cause analysis and resolve issues faster. You can disable this feature for an individual process or for all processes by configuring the no-livecore-dump-on-crash statement at the edit system processes process-name or edit system processes all-processes hierarchy level, respectively. The process pairs that support this feature are:

• bfdd and bfddagent

• cfmd and cfmd-agent

• dot1xd and dot1xd-agent

• l2ald and l2ald-agent

• l2cpd and l2cpd-agent

• mcsnoopd and mcsnoopd-agent

• ppmd and ppmdagent

• routing and rpdagent

[See processes.]

Deprecation of jnxLEDTable —The jnxLEDTable table is no longer supported.

A new counter "Sessions hit due to high rate" is added to show services service-sets screen-session-limit-counters command for all subscriber traffic. This counter tracks the sessions that come up on the screen irrespective of the alarm-without-drop configuration. When "alarm-without-drop" option is disabled, all the counters display updated statistics. When "alarm-without-drop" is enabled, then: - The screen-drop counters on show services service-sets statistic screen-drop command do not increase. - The "sessions hit due to high rate" value is displayed.

[See alarm-without-drop (IDS Screen Next Gen Services), show services service-sets statistic screen-drops (Next Gen Services), and show services service-sets statistic screen-session-limit-counters (Next Gen Services).]PR1849594

The show agent sensors command output for gRPC sensors is truncated on the Junos OS Evolved platform to align with the output format of the Junos OS platform.

Configuring export profile parameters for dial-out telemetry traffic, such as 'dscp', 'forwarding-class', and 'payload-size', will now result in an error. Previously, these parameters were ignored because the telemetry traffic adhered to global configuration settings for host-bound traffic. This ensures clarity and prevents misconfiguration, aligning export profiles strictly with supported parameters.

Commit script input to identify software upgrades during boot time (ACX Series, PTX Series, and QFX Series)—The junos-context node-set includes the sw-upgrade-in-progress tag. Commit scripts can test the sw-upgrade-in-progress tag value to determine if the commit is taking place during boot time and a software upgrade is in progress. The tag value is yes if the commit takes place during the first reboot after a software upgrade, software downgrade, or rollback. The tag value is no if the device is booting normally.

[See Global Parameters and Variables in Junos OS Automation Scripts.]

Non-revertive switchover for sender based MoFRR— In earlier Junos releases, source-based MoFRR ensured that the traffic reverted to the primary path from the backup path, when the primary path or session was restored. This reversion could result in traffic loss. Starting in Junos OS 22.4R3-S1, source-based MoFRR will not revert to the primary path, i.e. traffic will continue to flow through the backup path as long as the traffic flow rate on the backup path does not go below the configured threshold set under protocols mvpn hot-root-standby min-rate.

[See min-rate.]

In a firewall filter configured with a port-mirror-instance or port-mirror action, if l2-mirror action is also configured, then port-mirroring instance family should be any. In the absence of the l2-mirror action, port-mirroring instance family should be the firewall filter family.

Python 2 interpreter option deprecated for Juniper Extension Toolkit (JET) applications (ACX7024, ACX7024X, ACX7100-32C, ACX7100-48L, ACX7332, ACX7348, ACX7509, PTX10001-36MR, PTX10002-36QDD, PTX10003, PTX10004, PTX10008, PTX10016, PTX10K-LC1202-36MR (line cards for PTX10016, PTX10008 and PTX10004), QFX5130-32CD, QFX5130-48C, QFX5130-48CM, QFX5130E-32CD, QFX5220-32CD, QFX5220-128C, QFX5230-64CD, QFX5240-64OD, QFX5240-QD, QFX5700, and QFX5700E)—Python 2.7 is already not supported on Junos OS Evolved devices as of an earlier release. The python statement at the edit system extensions extension-service application file <filename> hierarchy level was used to interpret JET applications written in Python 2. This statement is now deprecated. To run daemonized on-device JET applications written in Python 3, use the python3 statement.

[See file (JET).]

DES deprecation for SNMPv3-The Data Encryption Standard (DES) privacy protocol for SNMPv3 is deprecated due to weak security and vulnerability to cryptographic attacks. For enhanced security, configure the triple Data Encryption Standard (3DES) or the Advanced Encryption Standard (CFB128-AES-128 Privacy Protocol) as the encryption algorithm for SNMPv3 users. [See privacy-3des and privacy-aes128.]

Maximum limit of PTP local masters (PTX10008)— You can configure up to 512 PTP masters at the edit protocols ptp master interface interface-name multicast-mode hierarchy level on PTX10008 series routers. Earlier the system was rejecting the commit while trying to configure more than 128 PTP masters.

Support added for source and destination port optimization for port ranges for ipv6 input firewall filters.

MLD snooping proxy and l2-querier source-address (ACX7024, ACX7100-32C, PTX10001-36MR, QFX5120-32C, and QFX5130-32CD)— The source-address configured for proxy and l2-querier under the mld-snooping hierarchy should be an IPv6 link-local address in the range of fe80::/64. The CLI help text has been updated to "Source IPv6 link local address to use for proxy/L2 querier". In earlier releases, the CLI help text read, "Source IP address to use for proxy/L2 querier."

[See source-address.]

Extension of traceoptions support for VLANs in IGMP/MLD snooping— The traceoptions option is supported under the edit routing-instance protocols igmp-snooping vlan and edit routing-instance protocols mld-snooping vlan hierarchy. traceoptions can be enabled for both specific and all vlans.

[See vlan (IGMP Snooping) .]PR1845242

Process generates a live core when its related process generates a core (ACX Series, PTX Series, and QFX Series)—For related processes, when one process stops responding and generates a core file, by default, the system also generates a live core for the related process. By generating a live core for the related process, the system provides more complete diagnostic data at the time of the failure, which enables you to perform a more thorough root cause analysis and resolve issues faster. You can disable this feature for an individual process or for all processes by configuring the no-livecore-dump-on-crash statement at the [edit system processes process-name] or [edit system processes all-processes] hierarchy level, respectively. The process pairs that support this feature are:

• bfdd and bfddagent

• cfmd and cfmd-agent

• dot1xd and dot1xd-agent

• l2ald and l2ald-agent

• l2cpd and l2cpd-agent

• mcsnoopd and mcsnoopd-agent

• ppmd and ppmdagent

• routing and rpdagent

[See processes.]

Compact format deprecated for JSON-formatted state data (ACX Series, PTX Series, and QFX Series)—We've removed the compact option at the [edit system export-format state-data json] hierarchy level because Junos devices no longer support emitting JSON-formatted state data in compact format.

Optimize database size option for improved memory allocation and reduced fragmentation (ACX Series, PTX Series, and QFX Series)—You can optimize memory allocation and reduce file space usage for the configuration database by configuring the optimize-db-size statement at the [edit system configuration-database] hierarchy level. This feature minimizes fragmentation, which ensures more efficient use of database resources. By reducing database file usage, you can configure a more scaled configuration for the same database size.

[See configuration-database.]

Configuration database maximum size increased (PTX10001-36MR, PTX10002-36QDD, PTX10003, PTX10004, PTX10008, and PTX10016)—We've enhanced the extend-size statement at the [edit system configuration-database] hierarchy level to increase the maximum database size. When you configure the extend-size statement, the maximum size of the configuration database is extended to 4 GB. In earlier releases, the maximum database size is 1.4 GB.

[See configuration-database.]