Dell J-EX8208, J-EX8216, J-SRX210, J-SRX240 Owner's Manual

Junos®10.3 OS Release Notes for Dell
PowerConnect J-SRX Series Services Gateways and J-EX Series Ethernet Switches
Release 10.3R2 22 November 2010
You can also find these release notes at http://www.support.dell.com/manuals.

Contents

Junos OS Release Notes for Dell PowerConnect J-SRX Series Services Gateways
  New Features in Junos OS Release 10.3 for J-SRX Series Services Gateways
    Software Features
  Advertising Bandwidth for Neighbors on a Broadcast Link Support
  Group VPN Interoperability with Cisco’s GET VPN
  Changes in Default Behavior and Syntax in Junos OS Release 10.3 for J-SRX Series Services Gateways
    Application Layer Gateways (ALGs)
    AppSecure
    Chassis Cluster
    Command-Line Interface (CLI)
    Configuration
    Flow and Processing
    Interfaces and Routing
    J-Web
    Multilink
    PoE
    Security
    WLAN
    VLAN
  Unsupported CLI Statements and Commands
    Accounting-Options Hierarchy
    AX411 Access Point Hierarchy
    Chassis Hierarchy
    Class-of-Service Hierarchy
    Ethernet-Switching Hierarchy
    Firewall Hierarchy
    Interfaces CLI Hierarchy
    Protocols Hierarchy
    Routing Hierarchy
    Services Hierarchy
    SNMP Hierarchy
    System Hierarchy
  Known Limitations in Junos OS Release 10.3 for J-SRX Series Services Gateways
    AppSecure
    Chassis Cluster
    Command-Line Interface (CLI)
    Dynamic VPN
    Flow and Processing
    Interfaces and Routing
    IPv6 Support
    J-Web Browser Support
    NetScreen-Remote
    Network Address Translation (NAT)
    Point-to-Point Protocol over Ethernet (PPPoE)
    Switching
    VLAN
    VPNs
    WLAN
  Issues in Junos OS Release 10.3 for J-SRX Series Services Gateways
    Outstanding Issues In Junos OS Release 10.3 for J-SRX Series Services Gateways
    Resolved Issues in Junos OS Release 10.3 for J-SRX Series Services Gateways
  Errata and Changes in Documentation for Junos OS Release 10.3 for J-SRX Series Services Gateways
    Changes to the Junos Documentation Set
    Errata for the Junos OS Software Documentation
    Errata for the Junos OS Hardware Documentation
  Hardware Requirements for Junos OS Release 10.3 for J-SRX Series Services Gateways
    Transceiver Compatibility for J-SRX Series Devices
  Stream Control Transmission Protocol Overview
    Configuration Overview
  Upgrade and Downgrade Instructions for Junos OS Release 10.3 for J-SRX Series Services Gateways
Junos OS Release Notes for Dell PowerConnect J-EX Series Ethernet Switches
  New Features in Junos OS Release 10.3 for J-EX Series Ethernet Switches
    Access Control and Port Security
    Layer 2 and Layer 3 Protocols
    Management and RMON
    Packet Filters
  Changes in Default Behavior and Syntax in Junos OS Release 10.3 for J-EX Series Ethernet Switches
    Interfaces
  Limitations in Junos OS Release 10.3 for J-EX Series Ethernet Switches
    Access Control and Port Security
    Bridging, VLANs, and Spanning Trees
    Class of Service
    Firewall Filters
    Hardware
    Infrastructure
    Interfaces
    J-Web Browser Support
    Layer 2 and Layer 3 Protocols
  Outstanding Issues in Junos OS Release 10.3 for J-EX Series Ethernet Switches
    Access Control and Port Security
    Bridging, VLANs, and Spanning Trees
    Infrastructure
    Interfaces
    J-Web Interface
  Resolved Issues in Junos OS Release 10.3 for J-EX Series Ethernet Switches
    Bridging, VLANs, and Spanning Trees
    Infrastructure
    Interfaces
    J-Web Interface
    Layer 2 and Layer 3 Protocols
  Errata in Documentation for Junos OS Release 10.3 for J-EX Series Ethernet Switches
    Infrastructure
Dell Documentation and Release Notes
Requesting Technical Support
Revision History

Junos OS Release Notes for Dell PowerConnect J-SRX Series Services Gateways

Powered by Junos OS, Dell PowerConnect J-SRX Series Services Gateways provide robust networking and security services. J-SRX Series Services Gateways range from lower-end devices designed to secure small distributed enterprise locations to high-end devices designed to secure enterprise infrastructure, data centers, and server farms. The J-SRX Series Services Gateways include the J-SRX100, J-SRX210, and J-SRX240 devices.
New Features in Junos OS Release 10.3 for J-SRX Series Services Gateways
Advertising Bandwidth for Neighbors on a Broadcast Link Support
Group VPN Interoperability with Cisco’s GET VPN
Changes in Default Behavior and Syntax in Junos OS Release 10.3 for J-SRX Series Services Gateways
Unsupported CLI Statements and Commands
Known Limitations in Junos OS Release 10.3 for J-SRX Series Services Gateways
Issues in Junos OS Release 10.3 for J-SRX Series Services Gateways
Errata and Changes in Documentation for Junos OS Release 10.3 for J-SRX Series Services Gateways
Hardware Requirements for Junos OS Release 10.3 for J-SRX Series Services Gateways
Stream Control Transmission Protocol Overview
Upgrade and Downgrade Instructions for Junos OS Release 10.3 for J-SRX Series Services Gateways

New Features in Junos OS Release 10.3 for J-SRX Series Services Gateways

The following features have been added to Junos OS Release 10.3. Following the description is the title of the manual or manuals to consult for further information.
Software Features

Software Features

Security
Policy usability—This feature is supported on all J-SRX Series devices.
In a Junos OS stateful firewall, security policies enforce rules for transit traffic, in terms of what traffic can pass through the firewall, and the actions that need to take place on the traffic as it passes through the firewall. Periodically, traffic does not pass for a number of reasons. For example, traffic does not match a correct policy configuration or the source of the traffic is incorrect. The source of the problem can sometimes be difficult to identify. The show security match-policies command allows you to troubleshoot traffic problems in the five tuples: source port, destination port, source IP address, destination IP address, and protocol. The command works offline to identify where the exact problem in the transit traffic exists. It uses the actual search engine to identify the problem and thus enables you to use the appropriate match policy for the traffic.
Advertising Bandwidth for Neighbors on a Broadcast Link Support
This feature is supported on all J-SRX Series devices.
You can now advertise bandwidth for neighbors on a broadcast link. The network link is a point-to-multipoint (P2MP) link in the OSPFv3 link state database. This feature uses existing OSPF neighbor discovery to provide automatic discovery without configuration. It allows each node to advertise a different metric to every other node in the network to accurately represent the cost of communication. To support this feature, a new interface-type under the OSPFv3 interface configuration has been added to configure the interface as p2mp-over-lan. OSPFv3 then uses LAN procedures for neighbor discovery and flooding, but represents the interface as P2MP in the link state database.
The interface type and router LSA are available under the following hierarchies:
[protocols ospf3 area area-id interface interface-name]
[routing-instances routing-instances-name protocols ospf3 area area-id interface interface-name]
[LN1000 Mobile Secure Router User Guide]

Group VPN Interoperability with Cisco’s GET VPN

Cisco’s implementation of GDOI is called Group Encryption Transport (GET) VPN. While group VPN in Junos OS and Cisco's GET VPN are both based on RFC 3547, The Group Domain of Interpretation, there are some implementation differences that you need to be aware of when deploying GDOI in a networking environment that includes both Dell security devices and Cisco routers. This topic discusses important items to note when using Cisco routers with GET VPN and Dell security devices with group VPN.
Group servers and group members on Dell security devices cannot interoperate with Cisco GET VPN members. Group members on Dell security devices can interoperate with Cisco GET VPN servers, with the following caveats:
The group VPN in Release 10.3 of Junos OS has been tested with Cisco GET VPN servers running Version 12.4(22)T and Version 12.4(24)T.
To avoid traffic disruption, do not enable rekey on a Cisco server when the VPN group includes a Dell security device. The Cisco GET VPN server implements a proprietary ACK for unicast rekey messages. If a group member does not respond to the unicast rekey messages, the group member is removed from the group and is not able to receive rekeys. An out-of-date key causes the remote peer to treat IPsec packets as bad SPIs. The Dell security device can recover from this situation by reregistering with the server to download the new key.
Antireplay must be disabled on the Cisco server when a VPN group of more than two members includes a Dell security device. The Cisco server supports time-based antireplay by default. A Dell security device will not be able to interoperate with a Cisco group member if time-based antireplay is used since the timestamp in the IPsec packet is proprietary. Dell security devices are not able to synchronize time with the Cisco GET VPN server and Cisco GET VPN members as the sync payload is also proprietary. Counter-based antireplay can be enabled if there are only two group members.
According to Cisco documentation, the Cisco GET VPN server triggers rekeys 90 seconds before a key expires and the Cisco GET VPN member triggers rekeys 60 seconds before a key expires. When interacting with a Cisco GET VPN server, a Dell security device member would match Cisco behavior.
A Cisco GET VPN member accepts all keys downloaded from the GET VPN server. Policies associated with the keys are dynamically installed. A policy does not have to be configured on a Cisco GET VPN member locally, but a deny policy can optionally be configured to prevent certain traffic from passing through the security policies set by the server. For example, the server can set a policy to have traffic between subnet A and subnet B be encrypted by key 1. The member can set a deny policy to allow OSPF traffic between subnet A and subnet B not to be encrypted by key 1. However, the member cannot set a permit policy to allow more traffic to be protected by the key. The centralized security policy configuration does not apply to the Dell security device.
On a Dell security device, the ipsec-group-vpn configuration statement in the permit tunnel rule in a scope policy references the group VPN. This allows multiple policies referencing a VPN to share an SA. This configuration is required to interoperate with Cisco GET VPN servers.
Logical key hierarchy (LKH), a method for adding and removing group members, is not supported with group VPN on Dell security devices.
GET VPN members can be configured for cooperative key servers (COOP KSs), an ordered list of servers with which the member can register or reregister. Multiple group servers cannot be configured on group VPN members.

Changes in Default Behavior and Syntax in Junos OS Release 10.3 for J-SRX Series Services Gateways

The following current system behavior, configuration statement usage, and operational mode command usage might not yet be documented in the Junos OS documentation:

Application Layer Gateways (ALGs)

The show security alg msrpc object-id-map CLI command has a chassis cluster node option to permit the output to be restricted to a particular node or to query the entire cluster. The show security alg msrpc object-id-map node CLI command options are <node-id | all | local | primary>.

AppSecure

When you create custom application or nested application signatures for Junos OS application identification, the order value must be unique among all predefined and custom application signatures. The order value determines the application matching priority of the application signature.
NOTE: The order value range for predefined signatures is 1 through 32,767.
We recommend that you use an order range higher than 32,767 for custom signatures.
The order value is set with the set services application-identification application application-name signature order command. You can also view all signature order values by entering the show services application-identification | display set | match order command. You will need to change the order number of the custom signature if it conflicts with another application signature.
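The uniqueness and range rules above can be checked offline against saved output of the display set command. The following Python script is an added example, not part of the original release notes or of Junos OS; it handles only the application form of the command shown above, and the sample lines, application names, and order values are constructed for illustration.

```python
import re
from collections import defaultdict

# Predefined signatures use order values 1 through 32,767 (per the NOTE above).
PREDEFINED_MAX_ORDER = 32767

# Constructed sample of saved output from:
#   show services application-identification | display set | match order
# Application names and order values are made up for this example.
SAMPLE_OUTPUT = """\
set services application-identification application my-http signature order 40000
set services application-identification application my-ftp signature order 40000
set services application-identification application legacy-app signature order 120
set services application-identification application my-voip signature order 40010
"""

# Matches the "application application-name signature order" form named in the text.
ORDER_LINE = re.compile(
    r"^set services application-identification application (?P<name>\S+) "
    r"signature order (?P<order>\d+)$"
)


def parse_orders(display_set_text):
    """Return [(application_name, order)] for every 'signature order' line."""
    entries = []
    for line in display_set_text.splitlines():
        match = ORDER_LINE.match(line.strip())
        if match:
            entries.append((match.group("name"), int(match.group("order"))))
    return entries


def audit_orders(display_set_text):
    """Report custom signatures that break the rules stated in the text.

    duplicates:          order value -> names of custom signatures sharing it
    in_predefined_range: custom signatures at or below 32,767, where they can
                         collide with a predefined signature
    """
    entries = parse_orders(display_set_text)
    by_order = defaultdict(list)
    for name, order in entries:
        by_order[order].append(name)
    duplicates = {o: sorted(n) for o, n in by_order.items() if len(n) > 1}
    in_predefined = sorted(n for n, o in entries if o <= PREDEFINED_MAX_ORDER)
    return {"duplicates": duplicates, "in_predefined_range": in_predefined}


def next_free_order(display_set_text):
    """Lowest order value above the predefined range not used by a custom signature."""
    used = {order for _, order in parse_orders(display_set_text)}
    candidate = PREDEFINED_MAX_ORDER + 1
    while candidate in used:
        candidate += 1
    return candidate


if __name__ == "__main__":
    report = audit_orders(SAMPLE_OUTPUT)
    for order, names in report["duplicates"].items():
        print(f"order {order} is shared by: {', '.join(names)}")
    for name in report["in_predefined_range"]:
        print(f"{name} uses an order inside the predefined range")
    print("next free order:", next_free_order(SAMPLE_OUTPUT))
```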
The output of the show services application-identification application-system-cache command has been changed. The new output includes the cache statuses and the timeout value for maintaining mapping details for each application as shown in the following sample:
user@host> show services application-identification application-system-cache
Application System Cache Configurations:
  application-cache: on
  nested-application-cache: on
  cache-entry-timeout: 3600 seconds
pic: 2/0
Vsys-ID  IP address  Port  Protocol  Application
0        5.0.0.1     80    TCP       HTTP
0        7.0.0.1     80    TCP       HTTP:FACEBOOK

Chassis Cluster

Removing Control VLAN 4094 in Chassis Cluster— For J-SRX Series branch devices (J-SRX100, J-SRX210, and J-SRX240), the existing virtual LAN (VLAN) tag used for control-link traffic will be replaced with the use of experimental Ether type 0x88b5. However, backward compatibility is also supported for devices that have already deployed chassis cluster with VLAN tagging in place.
To toggle between VLAN and Ether type modes, use the following command:
set chassis cluster control-link-vlan enable/disable
NOTE: You must perform a reboot to initialize this configuration change.
To show whether control port tagging is enabled or disabled, use the following command:
show chassis cluster information
To view the chassis cluster information, use the following command:
show chassis cluster information
The following is a sample output of the command:
user@host> show chassis cluster information
node0
-----------------------------------------------------
Control link statistics:
  Control link 0:
Fabric link statistics:
  Probes sent: 1248
  Sequence number of last probe received: 0
Chassis cluster LED information:
  Current LED color: Green
  Control port tagging: Disabled
Cold Synchronization:
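Because the mode change only takes effect after a reboot, a capture taken on the control link can confirm which encapsulation each node is actually sending. The following Python script is an added example, not part of the original release notes; it assumes the legacy mode appears as a standard IEEE 802.1Q tag with VLAN ID 4094 and the new mode as an untagged frame with Ether type 0x88b5, and the MAC addresses and frames are constructed for illustration.

```python
import struct
from collections import defaultdict

TPID_8021Q = 0x8100         # IEEE 802.1Q tag protocol identifier
CONTROL_VLAN_ID = 4094      # legacy control-link VLAN named in the text
CONTROL_ETHERTYPE = 0x88B5  # experimental Ether type named in the text

CONTROL_MODES = ("vlan-4094", "ethertype-0x88b5")


def classify_frame(frame: bytes) -> str:
    """Classify one raw Ethernet frame by control-link encapsulation."""
    if len(frame) < 14:               # dst MAC + src MAC + type field
        return "truncated"
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype == CONTROL_ETHERTYPE:
        return "ethertype-0x88b5"
    if ethertype == TPID_8021Q:
        if len(frame) < 18:           # tag control info + inner type missing
            return "truncated"
        (tci,) = struct.unpack_from("!H", frame, 14)
        if tci & 0x0FFF == CONTROL_VLAN_ID:   # low 12 bits carry the VLAN ID
            return "vlan-4094"
    return "other"


def modes_by_source(frames):
    """Map each source MAC to the set of control-link modes it was seen using."""
    modes = defaultdict(set)
    for frame in frames:
        mode = classify_frame(frame)
        if mode in CONTROL_MODES:
            modes[frame[6:12].hex(":")].add(mode)
    return dict(modes)


def cluster_is_mixed(frames) -> bool:
    """True when both encapsulations appear, e.g. only one node was rebooted."""
    seen = set()
    for modes in modes_by_source(frames).values():
        seen |= modes
    return len(seen) > 1


def build_frame(src: bytes, ethertype: int, vlan=None) -> bytes:
    """Build a constructed test frame (broadcast destination, zero payload)."""
    head = bytes.fromhex("ffffffffffff") + src
    if vlan is not None:
        head += struct.pack("!HH", TPID_8021Q, vlan)
    return head + struct.pack("!H", ethertype) + bytes(46)


# Constructed sample: node MACs and frame contents are made up for this example.
NODE0 = bytes.fromhex("020000000001")
NODE1 = bytes.fromhex("020000000002")
SAMPLE_FRAMES = [
    build_frame(NODE0, CONTROL_ETHERTYPE),   # node0 already in Ether type mode
    build_frame(NODE1, 0x0800, vlan=4094),   # node1 still tagging with VLAN 4094
    build_frame(NODE0, 0x0800),              # unrelated IPv4 frame
]

if __name__ == "__main__":
    for mac, modes in modes_by_source(SAMPLE_FRAMES).items():
        print(mac, sorted(modes))
    print("mixed modes on control link:", cluster_is_mixed(SAMPLE_FRAMES))
```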
In a chassis cluster configuration on a J-SRX100, J-SRX210, or J-SRX240 device, the default values of the heartbeat-threshold and heartbeat-interval options in the [edit chassis cluster] hierarchy are 8 beats and 2000 ms, respectively. These values cannot be changed on these devices.

Command-Line Interface (CLI)

On AX411 Access Points, the possible completions available for the CLI command set wlan access-point < ap_name > radio < radio_num > radio-options channel number ? have changed from previous implementations.
Now this CLI command displays the following possible completions:
Example 1:
user@host# set wlan access-point ap6 radio 1 radio-options channel number ?
Possible completions:
  36    Channel 36
  40    Channel 40
  44    Channel 44
  48    Channel 48
  52    Channel 52
  56    Channel 56
  60    Channel 60
  64    Channel 64
  100   Channel 100
  108   Channel 108
  112   Channel 112
  116   Channel 116
  120   Channel 120
  124   Channel 124
  128   Channel 128
  132   Channel 132
  136   Channel 136
  140   Channel 140
  149   Channel 149
  153   Channel 153
  157   Channel 157
  161   Channel 161
  165   Channel 165
  auto  Automatically selected
Example 2:
user@host# set wlan access-point ap6 radio 2 radio-options channel number ?
  1     Channel 1
  2     Channel 2
  3     Channel 3
  4     Channel 4
  5     Channel 5
  6     Channel 6
  7     Channel 7
  8     Channel 8
  9     Channel 9
  10    Channel 10
  11    Channel 11
  12    Channel 12
  13    Channel 13
  14    Channel 14
  auto  Automatically selected
On AX411 Access Points, the possible completions available for the CLI command set wlan access-point mav0 radio 1 radio-options mode ? have changed from previous implementations.
Now this CLI command displays the following possible completions:
Example 1:
user@host# set wlan access-point mav0 radio 1 radio-options mode ?
Possible completions:
  5GHz    Radio Frequency -5GHz-n
  a       Radio Frequency -a
  an      Radio Frequency -an
[edit]
Example 2:
user@host# set wlan access-point mav0 radio 2 radio-options mode ?
Possible completions:
  2.4GHz  Radio Frequency --2.4GHz-n
  bg      Radio Frequency -bg
  bgn     Radio Frequency -bgn
On J-SRX Series devices, the show system storage partitions command now displays the partitioning scheme details.
Example 1:
show system storage partitions (dual root partitioning)
user@host# show system storage partitions
Boot Media: internal (da0)
Active Partition: da0s2a
Backup Partition: da0s1a
Currently booted from: active (da0s2a)
Partitions Information:
  Partition  Size  Mountpoint
  s1a        293M  altroot
  s2a        293M  /
  s3e        24M   /config
  s3f        342M  /var
  s4a        30M   recovery
Example 2:
show system storage partitions (single root partitioning)
user@host# show system storage partitions
Boot Media: internal (da0)
Partitions Information:
  Partition  Size  Mountpoint
  s1a        898M  /
  s1e        24M   /config
  s1f        61M   /var
Example 3:
show system storage partitions (usb)
user@host# show system storage partitions
Boot Media: usb (da1)
Active Partition: da1s1a
Backup Partition: da1s2a
Currently booted from: active (da1s1a)
Partitions Information:
  Partition  Size  Mountpoint
  s1a        293M  /
  s2a        293M  altroot
  s3e        24M   /config
  s3f        342M  /var
  s4a        30M   recovery
On J-SRX100, J-SRX210, and J-SRX240 devices, support for Layer LAG is added in both standalone and cluster mode.
In cluster mode, the following CLI is now enabled to specify the number of aggregated interfaces.
set chassis aggregated-devices ethernet device-count xxx
Support to add multiple links from each chassis to a reth interface is also available. In the following example, two links from each chassis are added to reth3.
set interfaces ge-0/0/8 gigether-options redundant-parent reth3
set interfaces ge-0/0/9 gigether-options redundant-parent reth3
set interfaces ge-5/0/8 gigether-options redundant-parent reth3
set interfaces ge-5/0/9 gigether-options redundant-parent reth3
The following CLI is used for enabling LACP on reth interface:
set interfaces reth3 redundant-ether-options lacp active

Configuration

On J-SRX100, J-SRX210, and J-SRX240 devices, the current Junos OS default configuration is inconsistent with the one in Secure Services Gateways, thus causing problems when users migrate to J-SRX Series devices. As a workaround, users should ensure the following steps are taken:
The ge-0/0/0 interface should be configured as the Untrust port (with the DHCP client enabled).
The rest of the on-board ports should be bridged together, with a VLAN IFL and DHCP server enabled (where applicable).
Default policies should allow trust->untrust traffic.
Default NAT rules should apply interface-nat for all trust->untrust traffic.
DNS/WINS parameters should be passed from server to client and, if not available, users should preconfigure a DNS server (required for download of security packages).

Flow and Processing

On J-SRX Series devices, the factory default for the maximum number of backup configurations allowed is five. Therefore, you can have one active configuration and a maximum of five rollback configurations. Increasing this backup configuration number will result in increased memory usage on disk and increased commit time.
To modify the factory defaults, use the following commands:
root@host# set system max-configurations-on-flash number
root@host# set system max-configuration-rollbacks number
where max-configurations-on-flash indicates backup configurations to be stored in the configuration partition and max-configuration-rollbacks indicates the maximum number of backup configurations.
On J-SRX Series devices, when you configure identical IPs on a single interface, you no longer get a warning message; instead, a syslog message appears.

Interfaces and Routing

On J-SRX Series devices, to minimize the size of system logs, the default logging level in the factory configuration has been changed from any any to any critical.
On J-SRX100, J-SRX210, and J-SRX240 devices, the autoinstallation functionality on an interface enables a DHCP client on the interface and remains in the DHCP client mode. In previous releases, after a certain period, the interface changed from being a DHCP client to a DHCP server.
On the T1/E1 Mini-Physical Interface Module installed on J-SRX210 and J-SRX240 devices, the Loopback LED is turned ON based on the Loopback configuration as well as when the FDL loopback commands are executed from the remote end. The Loopback LED remains OFF when no FDL Loopback commands are executed from the remote end, even though remote-loopback-respond is configured on the HOST.
On J-SRX100, J-SRX210, and J-SRX240 devices, support for USB auto-installation is added. This feature simplifies the upgrading of Junos OS images in cases where there is no console access to a J-SRX Series device located at a remote site. It allows you to upgrade the Junos OS image with minimum configuration effort by simply inserting a USB flash drive into the USB port of the J-SRX Series device and performing a few simple steps. This feature can also be used for reformatting a boot device and recovering a J-SRX Series services gateway after a boot media corruption.

J-Web

URL separation for J-Web and dynamic VPN—This feature prevents the dynamic VPN users from accessing J-Web accidentally or intentionally. Unique URLs for J-Web and dynamic VPN add support to the webserver for parsing all the HTTP requests it receives. The webserver also provides access permission based on the interfaces enabled for J-Web and dynamic VPN.
CLI changes: A new configuration attribute management-url is introduced at the [edit system services web-management] hierarchy level to control J-Web access when both J-Web and dynamic VPN are enabled on the same interface. The following example describes the configuration of the new attribute:
web-management {
    traceoptions {
        level all;
        flag dynamic-vpn;
        flag all;
    }
    management-url my-jweb;
    http;
    https {
        system-generated-certificate;
    }
    limits {
        debug-level 9;
    }
    session {
        session-limit 7;
    }
}
Disabling J-Web: Dynamic VPN must have the configured HTTPS certificate and the webserver to communicate with the client. Therefore, the configuration at the [edit system services web-management] hierarchy level required to start the appweb webserver cannot be deleted or deactivated. To disable J-Web, the administrator must configure a loopback interface of lo0 for HTTP or HTTPS. This ensures that the webserver rejects all J-Web access requests.
web-management {
    traceoptions {
        level all;
        flag dynamic-vpn;
        flag all;
    }
    management-url my-jweb;
    http {
        interface lo0.0;
    }
    https {
        system-generated-certificate;
    }
    limits {
        debug-level 9;
    }
    session {
        session-limit 7;
    }
}
Changes in the Web access behavior: The following section illustrates the changes in the Web access behavior when J-Web and dynamic VPN do not share and do share the same interface:
Case 1: J-Web and dynamic VPN do not share the same interface.
Scenario: J-Web is enabled, and dynamic VPN is configured.
  http(s)://server host: Navigates to the J-Web login page on the J-Web enabled interface or to the dynamic VPN login page on the dynamic VPN enabled interface depending on the server host chosen
  http(s)://server host//configured attribute: Navigates to the J-Web login page if the J-Web attribute is configured; otherwise, navigates to the Page Not Found page
  http(s)://server host//dynamic-vpn: Navigates to the dynamic VPN login page
Scenario: J-Web is not enabled, and dynamic VPN is not configured.
  http(s)://server host: Navigates to the Page Not Found page
  http(s)://server host//configured attribute: Navigates to the Page Not Found page
  http(s)://server host//dynamic-vpn: Navigates to the Page Not Found page
Scenario: J-Web is enabled, and dynamic VPN is not configured.
  http(s)://server host: Navigates to the J-Web login page
  http(s)://server host//configured attribute: Navigates to the J-Web login page if the J-Web attribute is configured; otherwise, navigates to the Page Not Found page
  http(s)://server host//dynamic-vpn: Navigates to the Page Not Found page
Scenario: J-Web is not enabled, and dynamic VPN is configured.
  http(s)://server host: Navigates to the dynamic VPN login page
  http(s)://server host//configured attribute: Navigates to the Page Not Found page
  http(s)://server host//dynamic-vpn: Navigates to the dynamic VPN login page
Case 2: J-Web and dynamic VPN do share the same interface.
Scenario: J-Web is enabled, and dynamic VPN is configured.
  http(s)://server host: Navigates to the dynamic VPN login page
  http(s)://server host//configured attribute: Navigates to the J-Web login page if the attribute is configured; otherwise, navigates to the Page Not Found page
  http(s)://server host//dynamic-vpn: Navigates to the dynamic VPN login page
Scenario: J-Web is not enabled, and dynamic VPN is not configured.
  http(s)://server host: Navigates to the Page Not Found page
  http(s)://server host//configured attribute: Navigates to the Page Not Found page
  http(s)://server host//dynamic-vpn: Navigates to the Page Not Found page
Scenario: J-Web is enabled, and dynamic VPN is not configured.
  http(s)://server host: Navigates to the J-Web login page
  http(s)://server host//configured attribute: Navigates to the J-Web login page if the J-Web attribute is configured; otherwise, navigates to the Page Not Found page
  http(s)://server host//dynamic-vpn: Navigates to the Page Not Found page
Scenario: J-Web is not enabled, and dynamic VPN is configured.
  http(s)://server host: Navigates to the dynamic VPN login page
  http(s)://server host//configured attribute: Navigates to the Page Not Found page
  http(s)://server host//dynamic-vpn: Navigates to the dynamic VPN login page
On J-SRX100, J-SRX210, and J-SRX240 devices, the LED status (Alarm, HA, ExpressCard, Power Status, and Power) shown in the front panel for Chassis View does not replicate the exact status of the device.
On all J-SRX Series devices, the BIOS version is displayed on system identification on the J-Web dashboard.
NOTE: Delete your browser cookies to view this change.
J-Web login page is updated with the new Juniper Networks logo and trademark.
The options to configure the Custom Attacks, Custom Attack Groups, and Dynamic Attack Groups are disabled because they cannot be configured from J-Web.

Multilink

When data and LFI streams are present, we recommend the following configuration to get less latency for LFI traffic and to avoid out of order transmission of data traffic:
Configure the following schedulers
set class-of-service schedulers S0 buffer-size temporal 20K
set class-of-service schedulers S0 priority low
set class-of-service schedulers S2 priority high
set class-of-service schedulers S3 priority high
Configure the following scheduler map
set class-of-service scheduler-maps lsqlink_map forwarding-class best-effort scheduler S0
set class-of-service scheduler-maps lsqlink_map forwarding-class assured-forwarding scheduler S2
set class-of-service scheduler-maps lsqlink_map forwarding-class network-control scheduler S3
Attach scheduler map to all member links
set class-of-service interfaces t1-2/0/0 unit 0 scheduler-map lsqlink_map
Even after this configuration, if out-of-range sequence number drops are observed on the reassembly side, increase the drop-timeout of the bundle to 200 ms.

PoE

On J-SRX210 PoE devices, SDK packages might not work.

Security

Any change in the Unified Access Control’s (UAC) contact interval and timeout values in the J-SRX Series device will be effective only after the next reconnection of the J-SRX Series device with the Infranet Controller.
The maximum size of a redirect payload is 1450 bytes. The size of the redirect URL is restricted to 1407 bytes (excluding a few HTTP headers). If a user accesses a destination URL that is larger than 1407 bytes, the Infranet Controller authenticates the payload, the exact length of the redirect URL is calculated, and the destination URL is trimmed such that it can fit into the redirect URL. The destination URL can be fewer than 1407 bytes based on what else is present in the redirect URL, for example, policy ID. The destination URL in the default redirect URL is trimmed such that the redirect packet payload size is limited to 1450 bytes, and if the length of the payload is larger than 1450 bytes, the excess length is trimmed and the user is directed to the destination URL that has been resized to 1450 bytes.

WLAN

While configuring the AX411 Access Point on your J-SRX Series devices, you must enter the WLAN admin password using the set wlan admin-authentication password command. This command prompts for the password and the password entered is stored in encrypted form.
NOTE:
Without wlan config option enabled, the AX411 Access Points will be managed with the default password.
Changing the wlan admin-authentication password when the wlan subsystem option is disabled might result in mismanagement of Access Points. You might have to power cycle the Access Points manually to avoid this issue.
The J-SRX Series devices that are not using the AX411 Access Point can optionally delete the wlan config option.
Accessing the AX411 Access Point through SSH is disabled by default. You can enable the SSH access using the set wlan access-point <name> external system services enable-ssh command.

VLAN

Native-vlan-id can be configured only when either flexible-vlan-tagging mode or interface-mode trunk is configured. The commit error message, which previously indicated vlan-tagging mode instead of flexible-vlan-tagging mode, has been corrected.

Unsupported CLI Statements and Commands

This section lists unsupported CLI statements and commands.

Accounting-Options Hierarchy

On J-SRX100, J-SRX210, and J-SRX240 devices, the accounting, source-class, and destination-class statements in the [accounting-options] hierarchy level are not supported.

AX411 Access Point Hierarchy

On J-SRX100 devices, there are CLI commands for wireless LAN configurations related to the AX411 Access Point. However, at this time the J-SRX100 devices do not support the AX411 Access Point.

Chassis Hierarchy

On J-SRX100, J-SRX210, and J-SRX240 devices, the following chassis hierarchy CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set chassis craft-lockout
set chassis routing-engine on-disk-failure

Class-of-Service Hierarchy

On J-SRX100, J-SRX210, and J-SRX240 devices, the following class-of-service hierarchy CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set class-of-service classifiers ieee-802.1ad
set class-of-service interfaces interface-name unit 0 adaptive-shaper

Ethernet-Switching Hierarchy

On J-SRX100, J-SRX210, and J-SRX240 devices, the following Ethernet-switching hierarchy CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set ethernet-switching-options bpdu-block disable-timeout
set ethernet-switching-options bpdu-block interface
set ethernet-switching-options mac-notification
set ethernet-switching-options voip interface access-ports
set ethernet-switching-options voip interface ge-0/0/0.0 forwarding-class

Firewall Hierarchy

On J-SRX100, J-SRX210, and J-SRX240 devices, the following Firewall hierarchy CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set firewall family vpls filter
set firewall family mpls dialer-filter d1 term
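
An added example (not part of the release notes or of Junos): a short Python check that scans a configuration in set-command format for the chassis, class-of-service, Ethernet-switching and firewall statements listed above, which the CLI accepts without an error message but does not support. Treating instance names as wildcards and the sample configuration are assumptions of this example.

```python
# Statements copied from the chassis, class-of-service, Ethernet-switching and
# firewall lists above. "*" stands in for the instance names the notes use as
# examples (interface, unit, filter name); that wildcarding is an assumption.
UNSUPPORTED = [
    "set chassis craft-lockout",
    "set chassis routing-engine on-disk-failure",
    "set class-of-service classifiers ieee-802.1ad",
    "set class-of-service interfaces * unit * adaptive-shaper",
    "set ethernet-switching-options bpdu-block disable-timeout",
    "set ethernet-switching-options bpdu-block interface",
    "set ethernet-switching-options mac-notification",
    "set ethernet-switching-options voip interface access-ports",
    "set ethernet-switching-options voip interface * forwarding-class",
    "set firewall family vpls filter",
    "set firewall family mpls dialer-filter * term",
]
PATTERNS = [p.split() for p in UNSUPPORTED]

def matches(tokens, pattern):
    """True when the statement starts with the pattern, token by token."""
    return len(tokens) >= len(pattern) and all(
        p == "*" or p == t for p, t in zip(pattern, tokens))

def audit(config_text):
    """Return (line_number, statement, matched_pattern) for each hit."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        tokens = line.split()
        if not tokens or tokens[0] != "set":
            continue  # skip blank lines and anything that is not a set command
        for pattern in PATTERNS:
            if matches(tokens, pattern):
                findings.append((number, " ".join(tokens), " ".join(pattern)))
                break
    return findings

# Constructed sample in set-command format; not taken from a real device.
SAMPLE = """\
set system host-name branch-fw
set chassis craft-lockout
set class-of-service interfaces ge-0/0/1 unit 0 adaptive-shaper fr-shaper
set class-of-service interfaces t1-2/0/0 unit 0 scheduler-map lsqlink_map
set ethernet-switching-options voip interface ge-0/0/5.0 forwarding-class voice
set firewall family inet filter protect-re term ssh from port ssh
"""

if __name__ == "__main__":
    for number, statement, pattern in audit(SAMPLE):
        print(f"line {number}: accepted but not supported: {statement}")
```

Because these statements commit without an error, a hit means the intended control (for example craft-lockout or bpdu-block) is not in effect on these devices and needs another mitigation.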

Interfaces CLI Hierarchy

On all J-SRX100, J-SRX210, and J-SRX240 devices, the following interface hierarchy CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
Aggregated Interface CLI
ATM Interface CLI
Ethernet Interfaces
GRE Interface CLI
IP Interface CLI
LSQ Interface CLI
PT Interface CLI
T1 Interface CLI
VLAN Interface CLI
Aggregated Interface CLI
The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
request lacp link-switchover ae0
set interfaces ae0 aggregated-ether-options lacp link-protection
set interfaces ae0 aggregated-ether-options link-protection
ATM Interface CLI
The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set interfaces at-1/0/0 container-options
set interfaces at-1/0/0 atm-options ilmi
set interfaces at-1/0/0 atm-options linear-red-profiles
set interfaces at-1/0/0 atm-options no-payload-scrambler
set interfaces at-1/0/0 atm-options payload-scrambler
set interfaces at-1/0/0 atm-options plp-to-clp
set interfaces at-1/0/0 atm-options scheduler-maps
set interfaces at-1/0/0 unit 0 atm-l2circuit-mode
set interfaces at-1/0/0 unit 0 atm-scheduler-map
set interfaces at-1/0/0 unit 0 cell-bundle-size
set interfaces at-1/0/0 unit 0 compression-device
set interfaces at-1/0/0 unit 0 epd-threshold
set interfaces at-1/0/0 unit 0 inverse-arp
set interfaces at-1/0/0 unit 0 layer2-policer
set interfaces at-1/0/0 unit 0 multicast-vci
set interfaces at-1/0/0 unit 0 multipoint
set interfaces at-1/0/0 unit 0 plp-to-clp
set interfaces at-1/0/0 unit 0 point-to-point
set interfaces at-1/0/0 unit 0 radio-router
set interfaces at-1/0/0 unit 0 transmit-weight
set interfaces at-1/0/0 unit 0 trunk-bandwidth
Ethernet Interfaces
The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set interfaces ge-0/0/1 gigether-options ignore-l3-incompletes
set interfaces ge-0/0/1 gigether-options mpls
set interfaces ge-0/0/0 stacked-vlan-tagging
set interfaces ge-0/0/0 native-vlan-id
set interfaces ge-0/0/0 radio-router
set interfaces ge-0/0/0 unit 0 interface-shared-with
set interfaces ge-0/0/0 unit 0 input-vlan-map
set interfaces ge-0/0/0 unit 0 output-vlan-map
set interfaces ge-0/0/0 unit 0 layer2-policer
set interfaces ge-0/0/0 unit 0 accept-source-mac