What's Changed

Duplicate MAC detection timeout (QFX5000 Series switches)—The default setting for auto-recovery-time is 5 minutes on these platforms only.

SSH key options for user account credentials. You can configure key-options key-options option at the set system login user user authentication [ssh-rsa|ssh-ecdsa|ssh-ed25519] ssh key hierarchy level.

[See login.]

Changes to show system alarms command output (QFX5130 and QFX5220)—When the current version of the firmware is less than the minimum supported version, you can now see alarms for this mismatch in the output of the command. These alarms were not shown previously. For example, when you have a firmware version mismatch, you should now see output similar to the following:

Displays the event log of learned MAC addresses. By default mac-learning-logs are stored in UTC timestamps. To view the logs in system timezone, use the show ethernet-switching mac-learning-log use-system-timezone command. The show ethernet-switching mac-learning-log use-system-timezone command also prints the time zone abbreviations [IST, UTC, etc] in the timestamp. To view the logs in system timezone by default by using the show ethernet-switching mac-learning-log command, you need to configure the system-timezone statement at the [edit protocols l2-learning mac-learning-log] hierarchy level.

When you run the request vmhost zeroize command to zeroize a single Routing Engine on a dual Routing Engine device, the CLI incorrectly displays a message indicating that it will zeroize both Routing Engines.

Deprecated license trace (Junos OS Evolved)—We've deprecated the CLI option show system license liblicense-trace.

On the MPC7E-10G line card, when you configure the 10-Gigabit Ethernet ports to operate as 1-Gigabit Ethernet ports, use the speed statement at both the edit interfaces <interface name> gigether-options and edit interfaces interface <name hierarchy> levels.

Control Maximum 802.1X Client Connections per Interface—By default, dot1x interfaces configured in multiple supplicant mode have a client limit of 100 authenticated connections per interface. Any additional connection attempts beyond this limit will be automatically blocked.

New option for debug collector data storage path—We've included the option outdir to specify an output directory for storing debug collector data in a customised path. This allows you to organise and access diagnostic information more efficiently, adapting storage to your specific requirements.

[See request system debug-info.]</p>

High-power optics support with CLI configuration option (QFX5240 and QFX5241)—You can enable high-power optics across all ports by configuring the high-power-mode option for each port. This feature supports up to 32 high-power modules, allowing you to benefit from enhanced connection capabilities. Ensure you configure the necessary settings to initialize and utilize high-power optics effectively, optimizing your network's performance.

FEC statistics display (QFX5700)—The show interfaces interface-name extensive command displays the FEC statistics on the host side because of the PHY introduction. This CLI display change is applicable to all PHY platforms.

Default :0 sub interface for single subport (QFX5220-32CD)—When you configure number-of-sub-ports 1 using the set chassis fpc fpc number pic pic number port port number speed speed number-of-sub-ports 1 command, the :0 sub-interface is created automatically. This configuration delivers deterministic sub-interface naming, simplifying provisioning, automation templates, and monitoring across platforms, maintaining parity with other implementations.

Multicast queues share a common buffer pool (QFX5240-64OD, QFX5230-64CD, and QFX5250-64OE)—Multicast (mcast) queues no longer use dedicated buffers and will instead share a common buffer pool. This change addresses limited multicast resources and the growing number of ports, which can constrain buffer availability and, in some cases, prevent certain ports from receiving buffer allocations.

Deprecation of shell option—The shell option no longer requires a separate configuration and is now the default behavior. Deprecating the shell option enhances efficiency and simplifies management tasks.

Tacacs authorisation support for local authentication without password—Starting in Junos OS Evolved Release 25.4R1, you need not configure password under edit system authentication-order to enable password-options.

Commit validation for unique user IDs—We have added support to validate the user configuration to ensure that each user is assigned a unique UID. A commit fails if duplicate UIDs are detected, ensuring stronger validation and preventing identity conflicts. Previously, a commit was successful even when multiple users shared the same UID, triggering only a warning and logging a syslog message.

Stale ui-state.db data in persistent NETCONF sessions post-mgd restart— Existing NETCONF sessions might fetch stale data from ui-state.db after mgd -N restart. New sessions correctly map the refreshed database. Scripts must establish new sessions post-restart to access updated values. Functional configuration remains unaffected. [Script failures monitoring "local-host" NETCONF sessions]-Scripts might fail when including "local-host" NETCONF sessions in monitoring operations. Internal sessions are now excluded from tracking. Scripts must filter out "local-host" sessions. No impact to internal application functionality.

Generate genstate YANG modules on Junos devices—You can use show system schema operational command or equivalent RPC to generate the genstate YANG modules in the specified output directory on a device.

[See show system schema.]