Juniper JUNOS OS 10.4 - RELEASE NOTES, JUNOS OS 10.4 Release Note

Page 1

Junos®OS 10.4 Release Notes

Release 10.4R1 08 December 2010 Revision 1

These release notes accompany Release 10.4R1 of the Junos operating system (Junos OS). They describe device documentation and known problems with the software. Junos OS runs on all Juniper Networks M Series, MX Series, and T Series routing platforms, SRX Series Services Gateways, J Series Services Routers, and EX Series Ethernet Switches.

You can also find these release notes on the Juniper Networks Junos OS Documentation Web page, which is located at http://www.juniper.net/techpubs/software/junos.

Contents

Junos OS Release Notes for Juniper NetworksM Series Multiservice Edge Routers,

MX Series Ethernet Service Routers, and T Series Core Routers . . . . . . . . . . . . 6

New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series

Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Class of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Interfaces and Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Junos OS XML API and Scripting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Layer 2 Ethernet Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

MPLS Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Routing Policy and Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Services Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Subscriber Access Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

System Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M

Series, MX Series, and T Series Routers . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Class of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Forwarding and Sampling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Interfaces and Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Junos OS XML API and Scripting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

MPLS Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Platform and Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Services Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Page 2

JUNOS OS 10.4 Release Notes

Subscriber Access Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

User Interface and Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series

Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

Current Software Release . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

Previous Releases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Errata and Changes in Documentation for Junos OS Release 10.4 for M

Series, MX Series, and T Series Routers . . . . . . . . . . . . . . . . . . . . . . . . . . 66

Changes to the Junos OS Documentation Set . . . . . . . . . . . . . . . . . . . . . 66

Errata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

Upgrade and Downgrade Instructions for Junos OS Release 10.4 for M Series,

MX Series, and T Series Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

Basic Procedure for Upgrading to Release 10.4 . . . . . . . . . . . . . . . . . . . . . 71

Upgrading a Router with Redundant Routing Engines . . . . . . . . . . . . . . . 73

Upgrading Juniper Network Routers Running Draft-Rosen Multicast

VPN to Junos OS Release 10.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

Upgrading the Software for a Routing Matrix . . . . . . . . . . . . . . . . . . . . . . 75

Upgrading Using ISSU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

Upgrading from Junos OS Release 9.2 or Earlier on a Router Enabled

for Both PIM and NSR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

Upgrade Policy for Junos OS Extended End-Of-Life Releases . . . . . . . . . 77

Downgrade from Release 10.4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

Junos OS Release Notes for Juniper Networks SRX Series Services Gateways

and J Series Services Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

New Features in Junos OS Release 10.4 for SRX Series Services Gateways

and J Series Services Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

Software Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

Hardware Features—SRX210, SRX220, and SRX240 Services

Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

Hardware Features—SRX220 Services Gateway with Power Over

Ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

Hardware Features—SRX1400 Services Gateway . . . . . . . . . . . . . . . . . 104

Hardware Features—SRX3400 and SRX3600 Services Gateways . . . . 107

Advertising Bandwidth for Neighbors on a Broadcast Link Support . . . . . . . 108

Group VPN Interoperability with Cisco’s GET VPN . . . . . . . . . . . . . . . . . . . . 108

Changes in Default Behavior and Syntax in Junos OS Release 10.4 for SRX

Series Services Gateways and J Series Services Routers . . . . . . . . . . . . 109

Application Identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

Application Layer Gateways (ALGs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

AppSecure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

Command-Line Interface (CLI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112

Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

Dynamic VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

Flow and Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

Integrated Convergence Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

Interfaces and Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

Intrusion Detection and Prevention (IDP) . . . . . . . . . . . . . . . . . . . . . . . . 118

Page 3

J-Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

Management and Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

Multilink . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122

Power over Ethernet (PoE) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

Virtual LANs (VLANs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

Wireless LAN (WLAN) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

Unsupported CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

Accounting-Options Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

AX411 Access Point Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

Chassis Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

Class-of-Service Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125

Ethernet-Switching Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125

Firewall Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125

Interfaces CLI Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125

Protocols Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129

Routing Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

Services Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

SNMP Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

System Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

IPv6 and MVPN CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

Known Limitations in Junos OS Release 10.4 for SRX Series Services

Gateways and J Series Services Routers . . . . . . . . . . . . . . . . . . . . . . . . . 133

AppSecure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

Chassis Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

Command-Line Interface (CLI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134

Dynamic Host Configuration Protocol (DHCP) . . . . . . . . . . . . . . . . . . . . 135

Dynamic VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135

Flow and Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135

Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136

Interfaces and Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

Intrusion Detection and Prevention (IDP) . . . . . . . . . . . . . . . . . . . . . . . . 138

IPv6 support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

J-Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

NetScreen-Remote . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140

Network Address Translation (NAT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140

Point-to-Point Protocol over Ethernet (PPPoE) . . . . . . . . . . . . . . . . . . . 141

Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

Switching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

Unified Threat Management (UTM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142

VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142

Wireless LAN (WLAN) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142

Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J

Series Services Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

Outstanding Issues In Junos OS Release 10.4 for SRX Series Services

Gateways and J Series Services Routers . . . . . . . . . . . . . . . . . . . . . 143

Resolved Issues in Junos OS Release 10.4 for SRX Series Services

Gateways and J Series Services Routers . . . . . . . . . . . . . . . . . . . . . . 161

Page 4

JUNOS OS 10.4 Release Notes

Errata and Changes in Documentation for Junos OS Release 10.4 for SRX

Series Services Gateways and J Series Services Routers . . . . . . . . . . . . 166

Changes to the Junos OS Documentation Set . . . . . . . . . . . . . . . . . . . . 166

Errata for the Junos OS Documentation . . . . . . . . . . . . . . . . . . . . . . . . . 166

Errata for the Junos OS Hardware Documentation . . . . . . . . . . . . . . . . . 170

Hardware Requirements for Junos OS Release 10.4 for SRX Series Services

Gateways and J Series Services Routers . . . . . . . . . . . . . . . . . . . . . . . . . 174

Transceiver Compatibility for SRX Series and J Series Devices . . . . . . . . 174

Power and Heat Dissipation Requirements for J Series PIMs . . . . . . . . . 174

Supported Third-Party Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174

J Series CompactFlash and Memory Requirements . . . . . . . . . . . . . . . . 175

Maximizing ALG Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176

Integrated Convergence Services Not Supported . . . . . . . . . . . . . . . . . . . . . 176

Upgrade and Downgrade Instructions for Junos OS Release 10.4 for SRX

Series Services Gateways and J Series Services Routers . . . . . . . . . . . . . 177

Upgrade Policy for Junos OS Extended End-Of-Life Releases . . . . . . . . 177

Junos Software Release Notes for EX Series Switches . . . . . . . . . . . . . . . . . . . . . 178

New Features in Junos OS Release 10.4 for EX Series Switches . . . . . . . . . . 178

Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178

Bridging, VLANs, and Spanning Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

Class of Service (CoS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

Fibre Channel over Ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

Management and RMON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

Packet Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180

Virtual Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180

Changes in Default Behavior and Syntax in Junos OS Release 10.4 for EX

Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180

Bridging, VLANs, and Spanning Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . 180

Class of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180

Limitations in Junos OS Release 10.4 for EX Series Switches . . . . . . . . . . . . . 181

Access Control and Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181

Class of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181

Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181

Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182

High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182

Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182

Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183

Outstanding Issues in Junos OS Release 10.4 for EX Series Switches . . . . . . 184

Access Control and Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184

Bridging, VLANs, and Spanning Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . 184

Ethernet Switching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185

Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185

Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185

Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186

J-Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186

Spanning Tree Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188

Page 5

Resolved Issues in Junos OS Release 10.4 for EX Series Switches . . . . . . . . 189

Access Control and Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189

Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189

Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189

Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189

J-Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190

Layer 2 and Layer 3 Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190

Management and RMON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190

Errata in Documentation for Junos OS Release 10.4 for EX Series

Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191

J-Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191

Upgrade and Downgrade Instructions for Junos OS Release 10.4 for EX

Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191

Upgrading Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191

Upgrade Policy for Junos OS Extended End-Of-Life Releases . . . . . . . . 193

Upgrading or Downgrading from Junos OS Release 9.4R1 for EX Series

Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193

Upgrading from Junos OS Release 9.3R1 to Release 10.4 for EX Series

Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193

Junos OS Documentation and Release Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

Revision History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197

Page 6

JUNOS OS 10.4 Release Notes

Junos OS Release Notes for Juniper Networks M Series Multiservice Edge Routers, MX Series Ethernet Service Routers, and T Series Core Routers

•

New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 6

•

Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 37

•

Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 48

•

Errata and Changes in Documentation for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 66

•

Upgrade and Downgrade Instructions for Junos OS Release 10.4forM Series, MX Series, and T Series Routers on page 70

New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

The following features have been added to Junos OS Release 10.4. Following the description is the title of the manual or manuals to consult for further information.

Class of Service

•

Hierarchical policer functionality extended to Modular Interface Cards (MICs) (MX Series routers)—Provides hierarchical policer feature parity with Enhanced Intelligent

Queuing (IQE) PICs. This is useful in provideredge applications using aggregate policing for general traffic and when applying a separate policer for premium traffic on a logical or physical interface.

Hierarchical policing on MICs supports the following features:

•

Ingress traffic is first classified into premium and non-premium traffic before a policer is applied.

•

The hierarchical policer contains two policers: premium and aggregate.

Premium trafficis policed by both the premium policer and the aggregate policer. While the premium policer rate-limits premium traffic, the aggregate policer only decrements the credits but does not drop packets. Non-premium traffic is rate-limited by the aggregate policer only, resulting in the following behavior:

•

Premium trafficis assured to have the bandwidth configuredforthe premium policer.

•

Non-premium traffic is policed to the specified rate limit.

For a list of supported MICs, refer to:

http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/reference/ general/mic-mx-series-supported.html.

The logical-interface-policer and physical-interface-policerstatements provide additional hierarchical policer parameters beyond those of the IQE PICs.

You can apply the policer at the inet, inet6, or mpls family level, as follows:

[edit interfaces ge-0/1/0 unit 0 family (inet | inet6 | mpls)] input-hierarchical-policer Test-HP;

Page 7

New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

By making a hierarchical policer a logical-interface-policer, you can achieve aggregation within a logical interface. A hierarchical policer configured as a physical-interface-policer supports aggregation within a physical interface. Please note that you still apply the hierarchical policer at the interface and traffic of the families that do not have the hierarchical policer will be policer. This is different from IQE PICs, where you apply a hierarchical policer at the logical or physical interface.

For hierarchical policing of all traffic through a logical interface, a hierarchical policer can be made a logical-interface-policerand applied to all families in the logical interface. Similarly, you can achieve aggregation at the physical interface level.

[Network Interfaces, Class of Service, Policy]

•

DSCP classification for VPLS at the ingress PE (M320 with Enhanced Type III FPC and M120)—Enables you to configure DSCP classification for VPLS at an ingress PE

for encapsulation types vlan-vpls (IQ2 or IQ2E PICs) or ATM II IQ PIC. To configure, define the DSCP classifier at the [edit class-of-service classifiers dscp dscp-name] hierarchy level and apply the DSCP classifier at the [edit interfaces at-fpc-pic-port

unit-logical-unit-numberclassifiers]hierarchylevel.The ATM interfacemust be included

in the routing instance.

[Class of Service]

Interfaces and Chassis

•

Ethernet encapsulation for ATM scheduler (M7i, M10i, M120, and M320 [with Enhanced III FPC] routers)—Enables support for the configuration of an ATM scheduler

map on an Ethernet VPLS over a bridged ATM interface.

[Network Interfaces]

•

Synchronous Ethernet (SyncE) on MX80 routers and MX Series routers with MPCs—Supportsthe Ethernet synchronization messaging channel (ESMC), G.8264-like

clock selection mechanism, and external clocking on MX80 routers and MX Series routers with MPCs. Wireless backhaul and wireline transport services are the primary applications for these features.

The following features are supported:

•

On MX80 routers and MX Series routers, MPCs based on G.8261 and G.8262. This feature does not work on the fixed configuration version of the MX80 routers.

•

All Ethernet type ports are supported on MX80 routers and MX Series routers with MPCs

•

ESMC support as per G.8264

•

CLI command selection of clock sources

•

Monitoring clock sources (maximum of two clock sources can be monitored simultaneously)

•

Revertive and nonrevertive modes

Page 8

JUNOS OS 10.4 Release Notes

To configure SyncE, include the synchronization statement and its substatements at the [edit chassis] hierarchy level.

[Network Interfaces, Interfaces Command Reference]

•

Enhanced container interface allows ATM children for containers—M Series and T Series routers with ATM2 PICs automatically copy the parent container interface configuration to the children interfaces. Container interfaces do not go down during APS switchovers, thereby shielding upper layers. This feature allows the various ATM features to work over the container ATM for APS.

To specify ATMchildrenwithin a container interface, use the container-list cin statement and (primary | standby) option at the [edit interface at-fpc/pic/slot container] hierarchy level.

To configure a container interface, including its children, use the cin statement and its options at the [edit interface ci-n] hierarchy level.

Container ATM APS does not support inter-chassis APS. MLPPP over ATM CI is also not supported.

[Network Interfaces]

•

Signaling neighboring routers of fabric down on T1600 and T640 routers—The signaling of neighboring routers is supported when a T640 or T1600 router is unable to carry traffic due to all fabric planes being taken offline for one of the following reasons:

•

CLI or offline button pressed

•

Automatically taken offline by the SPMB due to high temperature.

•

PIO errors and voltage errors detected by the SPMB CPU to the SIBs.

The following scenarios are not supported by this feature:

•

All PFEs get destination errors on all planes to all destinations, even with the SIBs staying online.

•

Complete fabric loss caused by destination timeouts, with the SIBs still online.

When chassisd detects that all fabric planes are down, the router reboots all FPCs in the system. When the FPCs come back up, the interfaces will not be created again, since all fabric planes are down.

Once you diagnose and fix the cause of all fabric planes going down, you must then bring the SIBs back online. Bringing the SIBs back online brings up the interfaces.

Fabric down signaling to neighboring routers offers the following benefits:

•

FPCs reboot when the control plane connection to the Routing Engine times out.

•

Extends a simple approach to reboot FPCs when the dataplane blacks out.

When the router transitions from a state where SIBs are online or spare to a state where there are no SIBs are online, then all the FPCs in the system are rebooted. An ERRMSG

Page 9

New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

indicates if all fabric planes are down, and the FPCs will reboot if any fabric planes do not come up in 2 minutes.

An ERRMSG indicates the reason for FPC reboot on fabric connectivity loss.

The chassisd daemon traces when an FPC comes online, but a PIC attach is not done because no fabric plane is present.

A CLI warning that the FPCs will reboot is issued when the last fabric plane is taken offline.

You will need to bring the SIBs online after determining why the SIBs were not online. When the first SIB goes online, and link training with the FPCs completes, the interfaces will be created.

Fabric down signaling to neighboring routers functionality is available by default, and no user configuration is required to enable it.

No new CLI commands or alarms are introduced for this feature. Alarms are already implemented for when the SIBs are not online.

[Network Interfaces, System Basics]

•

New enterprise-specific MIB to support digital optical monitoring (MX960, MX480, MX240, and 10-Gigabit Ethernet LAN/WAN PIC with XFP on T640 and T1600 routers)—Junos OS Release 10.4 introduces JUNIPER-DOM-MIB, a new

enterprise-specific MIB to extend MIB support for digital optical monitoring.

JUNIPER-DOM-MIB supports the SNMP Get request for statistics and SNMP Trap

notifications for alarms.

JUNIPER-DOM-MIB is part of the JUNIPER-SMI MIB hierarchy level.

The following MIB objects are supported by JUNIPER-DOM-MIB for digital optical monitoring:

•

jnxDomCurrentTable

•

jnxDomAlarmSet

•

jnxDomAlarmCleared

[SNMP MIBs and Traps Reference]

•

Transition of IPv4 traffic to IPv6 addresses using Dual Stack Lite (DS-Lite)—Adds support for DS-Lite, a means for transitioning IPv4 traffic to IPv6 addresses. This transition will become necessary as the supply of unique IPv4 addresses nears exhaustion. New subscriber homes are allocated IPv6 addresses and IPv6-capable equipment; DS-Lite provides a method for the private IPv4 addresses behind the IPv6 equipment to reach the IPv4 network. An IPv4 host communicateswith a NATendpoint over an IPv6 network using softwires. DS-Lite creates the IPv6 softwires that terminate on the services PIC. Packets coming out of the softwire can then have other services such as NAT applied on them.

[Services Interface, System Basics and Services Command Reference]

Page 10

JUNOS OS 10.4 Release Notes

•

IPv6 statistics from IQ2 and IQ2E PICs on M320 routers with Enhanced III FPCs and T Series routers—Support statistical accounting for IPv6 traffic traversing the IQ2 and

IQ2E PICs on M320 routers with Enhanced III FPCs and T Series routers.

For IQ2 and IQ2E PIC interfaces,the IPv6 trafficthat is reported will be the total statistics (sum of local and transit IPv6 traffic) in the ingress and egress direction. The IPv6 traffic in the ingress direction will be accounted separately only if the IPv6 family is configured for the logical interface.

Statistics are maintained for routed IPv6 packets in the egress direction.

Byte and packet counters are maintained in the ingress and egress direction.

Differences in IPv6 statistics for IQ2 interfaces and all other interfaces are as follows:

•

IQ2 and IQ2E PIC interfaces report the total statistics for the IPv6 traffic. For other interfaces, the transit statistics are reported.

•

IQ2 and IQ2E PIC interfaces report all IPv6 traffic received on the logical interface. For all other interfaces, only the routed traffic is accounted.

•

IQ2 and IQ2E PIC interfaces report IPv6 statistics for the Layer 2 frame size. For all other interfaces, the Layer 3 packet size is accounted.

The IPv6 statistics can be viewed by logging in to the individual IQ2 PIC or IQ2E PIC, or by using the CLI.

Local statistics are not accounted separately.

To display total IPv6 statistics for IQ2 and IQ2E PICs, use the show interfaces extensive command.

NOTE: The reported IPv6 statistics do not account for the traffic manager

drops in egress direction or the Packet Forwarding Engine/traffic manager drops in the ingress direction. Transitstatistics are not accountedseparately because the IQ2 and IQ2E PICs cannot differentiate between transit and local statistics.

[Network Interfaces]

•

100-Gigabit Ethernet PIC interoperability with VLAN steering—Supports interoperability with similar PICs from other vendors using a VLAN steering forwarding option. Previously, the PICs required interconnection to the same model PIC. Interoperabilitywith interfacesfromother vendors was not supported.Junos OS Release

10.4 introduces a new VLAN steering algorithm to configure 100-Gigabit Ethernet PIC interoperation with similar interfaces from other vendors.

Two packet forwarding modes exist under the forwarding-mode statement.SA multicast mode, for proprietary connection of two Juniper Networks 100-Gigabit Ethernet PICs, uses the Ethernet header SA MAC address multicast bit to steer the packets to the appropriate PFE. VLAN steering mode allows the PIC to connect to non-Juniper Networks equipment. On ingress, the PIC compares the outer VLAN ID against a

Page 11

New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

user-defined VLAN ID and VLAN mask combination and steers the packet accordingly. Modifying the forwarding mode config reboots the PIC.

VLAN steering overview:

•

In VLAN steering mode, the SA multicast bit is not used for packet steering.

•

In SA multicast bit steering mode, VLAN ID and VLAN mask configuration is not used for packet steering.

•

Configuration of packet forwarding mode and VLAN steering mode uses CLI commands that result in a PIC reboot.

•

There are three tag types for ingress packets:

•

Untagged ingress packet–The packet is sent to PFE1.

•

Ingress packet with one VLAN–The packet forwards based on the VLAN ID.

•

Ingress packet with two VLANs–The packet forwards based on the outer VLAN ID.

•

VLAN rules describe how the router forwards packets. For VLAN steering, you must use one of the two rules available in the CLI:

•

Odd-even rule–Odd number VLAN IDs go to PFE1; even number VLAN IDs go to PFE0.

•

High-low rule–1 through 2047 VLAN IDs go to PFE0; 2048 through 4096 VLAN IDs go to PFE1.

•

When configured in VLAN steering mode, the PIC can be configured in two physical interface mode or in aggregated Ethernet (AE) mode:

•

Two physical interface mode–When the PIC is in two physical interface mode, it creates physical interfaces et-x/0/0:0 and et-x/0/0:1. Each physical interface can configure its own logical interface and VLAN. CLI enforces the followingrestrictions on commit:

•

The VLAN ID configuration must comply with the selected VLAN rule.

•

The previous restriction implies that the same VLAN ID cannot be configured on both physical interfaces.

•

AE mode–In AE mode, the two physical interfaces on the same PIC are aggregated into one AE physical interface. PIC egress traffic is based on the AE internal hash algorithm. PIC ingress traffic steering is based on the customized VLAN ID rule. CLI enforces the following restrictions on commit:

•

The PIC AE working in VLAN steering mode includes both links of this PIC, and only the links of this PIC.

•

The PIC AE working in SA multicast steering mode can include more than one PIC to achieve more than 100-gigabit capacity.

Page 12

JUNOS OS 10.4 Release Notes

To configure the PIC forwarding mode, include the forwarding-mode statement and its options at the [edit chassis fpc number pic number] hierarchy level.

[Network Interfaces]

•

New control queue disable feature (T Series routers with 10-Gigabit Ethernet PIC with oversubscription)—Providesa new CLI statement for disabling the control queue

feature for the 10-Gigabit Ethernet PIC with oversubscription. To disable the control queue, use the no-pre-classifier statement at the [chassis] hierarchy level.

When the no-pre-classifier statement is set, the control queue feature will be disabled for all ports on that 10-Gigabit Ethernet PIC with oversubscription. Deleting this configuration results in the control queue feature being re-enabled on all the ports of that PIC.

[edit chassis]

fpc 2 {

pic 0 {

no-pre-classifier;

}

NOTE:

1. This feature is applicable in both oversubscribed and line-rate modes.

2. The control queue feature is enabled by default in both oversubscribed

and line-rate modes, which can be overridden by the user configuration.

3. CLI show commands remain unchanged. When the control queue is

disabled, various show queue commands continue to show the control queue in the output. However, all control queue counters are reported as zeros.

4. Enabling or disabling the control queue feature results in the PIC being

bounced (offline/online).

Once the control queue feature is disabled, then the Layer 2 and Layer 3 controlpackets are subject to queue selection based on the BA classification. However, the following control protocol packets are not classified using BA classification, as they might not have a VLAN, MPLS, or IP header:

•

Untagged ARP packets

•

Untagged Layer 2 control packets such as LACP or Ethernet OAM

•

Untagged IS-IS packets

When the control queue feature is disabled, untagged ARP/IS-IS and other untagged Layer 2 control packets will go to the restricted queue corresponding to the forwarding class associated with queue 0.

[Network Interfaces]

Page 13

New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

Junos OS XML API and Scripting

New Junos OS XML API operational request tag elements—Table 1 on page 13 shows

the Junos OS Extensible Markup Language (XML) operational request tag elements that are new in Junos OS Release 10.4 along with the corresponding CLI command and response tag element for each one.

Table 1: Junos OS XML Tag Elements and CLI Command Equivalents New in Junos OS Release

10.4

Response Tag ElementCLI CommandRequest Tag Element

NONErequest dhcpv6 server reconfigure<requestdhcpv6-serverreconfigure-information>request_dhcpv6_ server_reconfigure_information

NONErequest system license update<request-license-update> request_license_update

request_package_nonstop_upgrade

get_amt_tunnel_information

get_rps_chassis_information

get_bios_version_information

congestionnotificationinformation> get_cos_congestion_notification_information

get_firewall_log_information

get_interface_information

NONErequest system software nonstop-upgrade<request-package-nonstop-upgrade>

<amt-instance-statistics>show amt statistics<get-amt-statistics> get_amt_statistics

<amt-summary>show amt summary<get-amt-summary> get_amt_summary

<amt-tunnel-information>show amt tunnel<get-amt-tunnel-information>

<rps-chassis-information>show chassis redundant-power-supply<get-rps-chassis-information>

NONEshow chassis routing-engine bios<get-bios-version-information>

<cos-congestion-notification-information>show class-of-service congestion-notification<get-cos-

<firewall-information>show firewall filter version<get-firewall-log-information>

<ingress-replication-information>show ingress-replication<get-interface-information>

identifier-origininformation> get_isis_context_ identifier_origin_information

<isis-context-identifier- information>show isis context-identifier<get-isis-context-

Page 14

JUNOS OS 10.4 Release Notes

Table 1: Junos OS XML Tag Elements and CLI Command Equivalents New in Junos OS Release

10.4 (continued)

Response Tag ElementCLI CommandRequest Tag Element

<isis-context-identifier-origin-information>show isis context-identifier identifier<get-isis-database-information> get_isis_database_information

<mpls-context-identifier-information>show mpls context-identifier<get-mpls-cspf-information> get_mpls_cspf_information

<domain-map-statistics>show network-access domain- map statistics<get-authentication-pending-table> get_authentication_pending_table

<ospf-context-id-information>show ospf context-identifier<get-ospf-database-information> get_ospf_database_information

<rps-led-information>show redundant-power-supply led<get-rps-power-supply-information> get_rps_power_supply_information

get_rps_status_information

get_rps_version_information

get_rip_general_statistics_information

get_idp_policy_template_information

<get-service-border-signalinggateway-charging-status> get_service_border_signaling_ gateway_charging_status

<get-service-bsg-denied-messages> get_service_bsg_denied_messages

accounting-statistics-information> get_services_l2tp_radius_acco unting_statistics_information

get_service_softwire_statistics _information

<rps-power-supply-information>showredundant-power-supply power-supply<get-rps-status-information>

<rps-status-information>show redundant-power-supply status<get-rps-version-information>

<rps-version-information>show redundant-power-supply version<get-rip-general-statistics-information>

<idp-policy-commit-status>show security idp policy-commit-status<get-idp-policy-template- information>

<bsg-charging-statistics>show services border-signaling-gateway

charging statistics

<bsg-charging-status>show services border-signaling-gateway

charging status

<service-l2tp-destination-information>show services l2tp destination<get-services-l2tp-radius-

<msp-session-table>show services sessions<get-service-softwire-statistics-information>

conversation_ information> get_service_sfw_conversation _information

<service-softwire-table- information>show services softwire<get_service_sfw_

Page 15

New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

Table 1: Junos OS XML Tag Elements and CLI Command Equivalents New in Junos OS Release

10.4 (continued)

Response Tag ElementCLI CommandRequest Tag Element

sfw_flow_analysis_ information> get_service_sfw_flow_analysi s_information

flow_table_information> get_service_sfw_flow_table_i nformation

information> get_service_sfw_sip_register_i nformation

get_synchronous_ethernet_esmc-statistics

get_synchronous_ethernet_esmc_transmit

<get_synchronous_ethernet_global_information> get_-synchronous_ethernet_global_information

processes_information> get_system_resource_cleanup_ processes_information

show services softwire flows<get_service_

show synchronous-ethernet esmc transmit<get_synchronous_ethernet_esmc_transmit>

global-information

<service-fwnat-flow-table-

information>

<service-softwire-statistics-information>show services softwire statistics<get_service_sfw_

<service-sfw-flow-analysis-information>show services stateful-firewallflow-analysis<get_service_sfw_sip_register-

<clock-synchronization- statistics>show synchronous-ethernet esmc statistics<get_synchronous_ethernet_esmc-statistics>

<clock-synchronization-

esmc-transmit>

NONEshow synchronous-ethernet

<relay-group-information>show system relay group<get_system_resource_cleanup_

get_rollback_information

get_dhcp_binding_information

<clear_synchronous_ ethernet_esmc_ statistics>clear_synchronous_ ethernet_e smc_ statistics

<relay-group-member>show system relay member<get_rollback_information>

<relay-summary>show system relay summary<get_dhcp_binding_information>

clear synchronousethernet esmc statistics

<clock-synchronization-

clear-output>

Layer 2 Ethernet Services

•

Feature support for Trio 3D MPCs and MICs (MX Series routers)—Enables you to configurethe following features through Junos OS Release 9.1: load balancing, Ethernet OAM IEEE 802.1ag Phase 4 MIP support, LLDP, BPDU guard and loop guard, IRB support for interworking of LDP-VPLS and BGP-VPLS, BGP multihoming for Inter-AS VPLS, VPLS Ethernet as a core-facing interface, and limitations on next-hop flooding.

[Layer 2 Configuration]

Page 16

JUNOS OS 10.4 Release Notes

•

Ethernet CFM support on Trio 3D MPCs and MICs (MX Series routers)—Enables support for Ethernet connectivity fault management (CFM) defined by IEEE 802.1ag for family bridge interfaces.However, MEP configuration is not supported on aggregated Ethernet interfaces.

[Layer 2 Configuration]

MPLS Applications

•

MPLS support on services PICs—Adds MPLS label pop support for services PICs on Junos OS routers. Previously all MPLS traffic would be dropped at the services PIC. No changes are required to CLI configurations for this enhancement. In-service software upgrade (unified ISSU) is supported for tag next hops for MPLS on services PIC traffic, but no support is provided for tags over IPv6 packets or labels on multiple gateways.

[MPLS]

•

Adding descriptions for bypass LSP—You can now add a text describing a bypass LSP using the description option at the [edit protocols rsvp interface interface-name

link-protection bypass bypass-lsp-name] hierarchy level. Enclose any descriptive text

that includes spaces in quotation marks (" "). Any descriptive text you include is displayed in the output of the show rsvp session bypass command and has no effect on the operation of the bypass LSP.

[MPLS]

Multicast

•

Nonstop active routing PIM support for IPv6—Starting with Release 10.4, Junos OS extends the nonstop active routing support for Protocol Independent Multicast (PIM), which is already supported on IPv4, to include the IPv6 address families. The extension of nonstop active routing PIM support to IPv6 enables IPv6 routers to maintain self-generation IDs, multicastsession states, dynamic interface states, list of neighbors, and RPSets across Routing Engine switchovers.

The nonstop active routing support for PIM on IPv6 is similar to the nonstop active routing PIM support on IPv4 except for the following:

•

Nonstop active routing support for PIM on IPv6 supports an embedded rendezvous point (RP) on non-RP routers.

•

Nonstop active routing support for PIM on IPv6 does not support auto-RP,as auto-RP is not supported on IPv6.

For more information about nonstop active routing PIM support on IPv4 and IPv6, see the Junos OS High Availability Configuration Guide.

[High Availability, Multicast]

Routing Policy and Firewall Filters

•

New routing policy system log message—Junos OS Release 10.3 supports a new routing policy system log message. The RPD_PLCY_CFG_NH_NETMASK system log message provides information about ignored netmasks. If you have a policy statement with a term that contains a next-hop address with a netmask, the netmask is ignored.

Page 17

New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

The following sample shows the new systemlog message (depending on your network configuration, the type of message you see might be different):

Jun 18 11:22:43 pro5-d rpd[1403]: RPD_PLCY_CFG_NH_NETMASK: Netmask ignored for

next hop: 10.0.0.1/24.

[System Log Messages Reference]

•

Support for displaying the firewall filter version information—You can display the version number of the firewall filter installed in the Routing Engine. The initial version number is 1 and increments by one when you modify the firewall filter settings or an associated prefix action. To show the version number of the installed firewall filter, use the show firewall filter version operational mode command.

[Routing Protocols and Policies Command Reference]

Routing Protocols

•

Point-to-multipoint (P2MP) LSP load balancing across aggregated Ethernet links (M Series except M320)—Enables you to load-balance VPLS multicast and P2MP

multicast traffic over link aggregation. This feature also re-load-balances traffic after a change in the next-hop topology. Next-hop topology changes might include but are not limited to:

•

Layer 2 membership change in the link aggregation

•

Indirect next-hop change

•

Composite next-hop change

No new configuration is required to configure this feature. The load balancing over aggregated links is automatically enabled with this release. For a sample topology and configuration example, see Junos OS Policy Framework Configuration Guide.

[Policy]

•

Support for disabling traps for passive OSPFv2 interfaces—You can now disable interface state change traps for passive OSPF interfaces. Passive OSPF interfaces advertise address information as an internal OSPF route, but do not run the actual protocol. If you are only interested in receiving notifications for active OSPF interfaces, disabling traps for passive OSPF interfaces reduces the number of notificationsreceived and processed by the SNMP server. This allows you to more quickly and easily scan the logs for potential issues on active OSPF interfaces.

To disable and stop receiving notifications for statechanges in a passiveOSPF interface, include the no-interface-state-traps statement at the following hierarchy levels:

•

[edit logical-systems logical-system-name protocols ospf area area-id interface

interface-name]

•

[edit logical-systems logical-system-name routing-instances routing-instance-name

protocols ospf area area-id interface interface-name]

Page 18

JUNOS OS 10.4 Release Notes

•

[edit protocols ospf area area-id interface interface-name]

•

[edit routing-instances routing-instance-name protocols ospf area area-id interface

interface-name]

[Routing Protocols]

•

Behavior change for BGP-independent AS domains—Independent domains use the transitive path attribute 128 (attribute set) messages to tunnel the independent domain’s BGP attributes through the internal BGP (IBGP) core. In Junos OS Release

10.3 and later,if you have not configured an independent domain in any routing instance, BGP treats the received attribute 128 message as an unknown attribute. The AS path field in the show route command has been updatedto display an unrecognized attribute and associated hexadecimal value if you have not configured an independent domain. The following is a sample output of the AS path field (depending on your network configuration, the output might be different):

AS path: [12345] I Unrecognized Attributes: 40 bytes AS path: Attr flags e0 code 80: 00 09 eb 1a 40 01 01 00 40 02 08 02 03 fd e9 fd e9 01

2d 40 05 04 00 00 00 64 c0

[Routing Protocols]

•

Support for disabling the attribute set messages on independent AS domains for BGP loop detection—BGP loop detection for a specific route uses the localautonomous

system (AS) domain for the routing instance. By default, all routing instances belong to a single primary routing instance domain. Therefore, BGP loop detection uses the local ASs configured on all of the routing instances. Depending on your network configuration, this default behavior can cause routes to be looped and hidden.

To limit the local ASs in the primary routing instance, configure an independent AS domain for a routing instance. Independent domains use the transitive path attribute 128 (attribute set) messages to tunnel the independent domain’s BGP attributes through the internal BGP (IBGP) core. If you want to configure independent domains to maintain the independence of local ASs in the routing instance and perform BGP loop detection only for the specified local ASs in the routing instance, disable attribute set messages on the independent domain. To disable attribute set messages, include the independent-domain no-attrset statement at the following hierarchy levels:

•

[edit logical-systems logical-system-name routing-instances routing-instance-name

routing-options autonomous-system autonomous-system]

•

[edit routing-instances routing-instance-name routing-options autonomous-system

autonomous-system]

[Routing Protocols]

Services Applications

•

NAT-PT with DNS ALG support (M Series and T Series routers)—You can configure Domain Name Service (DNS) application-level gateways (ALGs) using NAT with protocol translation (NAT-PT) for IPv6 to IPv4. The implementation is described in RFC 2766 and RFC 2694.

Page 19

New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

When you configure NAT-PT with DNS ALGsupport, you must configure two NAT rules. The first NAT rule ensures that the DNS query and response packets are translated correctly. For this rule to work, you must configure a DNS ALG application and reference it in the rule. The second rule is required to ensure that NAT sessions are destined to the address mapped by the DNS ALG.

•

To configure the correct translation of the DNS query and response packets, include the dns-alg-pool dns-alg-pool or dns-alg-prefix dns-alg-prefix statement at the [edit

services nat rule rule-name term term-name then translated] hierarchy level.

•

To configure the DNS ALG application, include the application application-name statement at the [edit applications] hierarchy level, then reference it at the [edit

services nat rule rule-name term term-name from] hierarchy level.

•

To configure destination translation with the DNS ALG address map, use the

use-dns-map-for-destination-translation statement at the [edit services nat rule rule-name term term-name then translated] hierarchy level. This statement correlates

the DNS query or response processing done by the first rule with the actual data sessions processed by the second rule.

You can also control the translation of IPv6 and IPv4 DNS queries in the following ways.

•

For translation control of IPv6 DNS queries, use the

do-not-translate-AAAA-query-to-A-query statement at the [edit applications application application-name] hierarchy level.

•

For translation control of IPv4 queries, use the

do-not-translate-A-query-to-AAAA-query statement at the [edit applications application application-name] hierarchy level.

NOTE: The above two statements cannot be configured together. You can only configure one at a time, but not both.

To check that the flows are established properly, use the show services

stateful-firewall flows command or the show services stateful-firewall conversations

command.

[Services Interfaces]

•

Enhancements to active flow monitoring—Add support for extraction of bandwidth usage information for billing purposes in PIC-based sampling configurations. This capability is supported on M Series, MX Series, and T Series routers and applies only to IPv4 and IPv6 traffic. It is enabled only at the global instance hierarchy level and is not available for per Packet Forwarding Engine instances. To configure the sampling of traffic for billing purposes, include the template as-peer-billing-template-name statement at the [edit forwarding-options sampling family (inet | inet6) output

flow-server server-name version version-number] hierarchy level. To define the peer-AS

billing functionality, include the peer-as-billing-template statement at the [edit services

flow-monitoring version9 template template-name] hierarchy level. For a list of the

template fields, see the Junos OS Services Interfaces ConfigurationGuide. You can apply

Page 20

JUNOS OS 10.4 Release Notes

the existing destination class usage (DCU) policy option configuration for use with this feature.

In addition, the MPLS top label IP address is added as a new field in the existing MPLS-IPv4 flow template. Youcan use this field to gather MPLS forwarding equivalence class (FEC) -based traffic information for MPLS network capacity planning. These ALGs that use Junos Services Framework (JSF) (M Series) is a PIC-only feature applied on sampled traffic and collected by the services PIC or DPC. You can define it for either global or per Packet Forwarding Engine instances for MPLS traffic.

The show services accounting aggregation template operational command has been updated to include new output fields that reflect the additional functionality.

[Services Interfaces, System Basics and Services Command Reference]

•

Support for the RPM timestamp on the Services SDK (M Series, MX Series, and T Series)—Real-time performance monitoring (RPM), which has been supported on the

Adaptive Services (AS) interface, is now supported by the Services SDK. RPM is supported on all platforms and service PICs that support the Services SDK.

RPM timestamping is needed to account for any latency in packet communications. You can apply timestamps on the client, the server, or both the client and server. RPM timestamping is supported only with the icmp-ping, icmp-ping-timestamp, udp-ping, and udp-ping-timestamp probe types.

To specify the Services SDK interface, include the destination-interface statement at the [edit services rpm probe probe-owner test test-name] hierarchy level:

destination-interface ms-fpc/pic/port.logical-unit-number;

To specify the RPM client router and the RPM server router, include the rpm statement at the [edit interfaces interface-name unit logical-unit-number] hierarchy level:

rpm (client | server);

To enable RPM on the Services SDK on the AS interface, configure the object-cache-size,

policy-db-size, and package statements at the [edit chassis fpc slot-number pic pic-number adaptive-services service-package extension-provider] hierarchy level. For

the Services SDK, package-name in the package package-name statement is

jservices-rpm.

user@host# show chassis fpc 1 {

pic 2 {

adaptive-services {

service-package {

extension-provider {

control-cores 1;

data-cores 1; object-cache-size 512; policy-db-size 64; package jservices-rpm; syslog daemon any;

}

Page 21

New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

}

[Services Interfaces]

•

ALGs using Junos OS Services Framework (JSF) (M Series with MS PICs and MX Series with MS DPCs)—Application-level gateways (ALGs) intercept and analyze

specified traffic, allocate resources, and define dynamic policies to permit traffic to pass securely through a device. Beginning with Junos OS Release 10.4 on the specified routers, you can use JSF ALGs with the following services:

•

Stateful firewall

•

Network Address Translation (NAT)

To use JSF to run ALGs, you must configure the jservices-alg package at the [edit

chassis fpc slot pic slot adaptive-services service-package extension-provider package]

hierarchy level. In addition, you must configure the ALG application at the [edit

applicationsapplicationapplication-name] hierarchylevel,and referencethe application

in the stateful firewall rule or the NAT rule in those respective configurations.

[Services Interfaces]

•

Enhancements to port mirroring with next-hop groups (MX Series only)—Adds support for binding up to two port-mirroring instances to the same MX Series Packet FowardingEngine. This enables you to choose multiple mirror destinations by specifying different port-mirroring instances in the filters. Filters must include the

port-mirror-instanceinstance-name statementat the [edit firewall filter filter-name term term-name then] hierarchy level. You must also include the port-mirror-instance instance-name statement at the [edit chassis fpc number] hierarchy level to specify the

FPC to be used.

Inline port mirroring allows you to configure instances that are not bound to the FPC specified in the firewall filter then port-mirror-instance instance-name action. Instead, you can define the then next-hop-group action. Inline port-mirroring aims to decouple the port-mirror destination from the input parameters, such as rate. While the input parameters are programmed in the Switch Interface Board (SIB), the next-hop destination for the mirrored packet is available in the packet itself.

A port-mirroring instance can now inherit input parameters from another instance that specifies it. To configure this option, include the input-parameters-instance

instance-name statement at the [edit forwarding-options port-mirror instance instance-name] hierarchy level.

You can also now configure port mirroring to next-hop groups using a tunnel interface.

[Services Interfaces]

•

Multiple IDP detector support (M120, M320, and MX Series routers with Enhanced III FPCs)—The IDP detector provides information about services, contexts, and

anomalies that are supported by the associated protocol decoder.

The specified routers now support loading multiple IDP detectors simultaneously. When a policy is loaded, it is also associated with a detector. If the new policy being loaded has an associated detector that matches the detector already being used by

Page 22

JUNOS OS 10.4 Release Notes

the existing policy, the new detector is not loaded and both policies use a single associated detector. However, if the new detector does not match the current detector, the new detector is loaded along with the new policy. In this case, each loaded policy will then use its own associated detector for attack detection. Note that with the specified routers, a maximum of four detectors can be loaded at any given time.

Multiple IDP detector support for the specified routers functions in a similar way to the existing IDP detector support on J Series and SRX Series devices, except for the maximum number of decoder binary instances that are loaded into the process space.

To view the current policy and the corresponding detector version, use the show security

idp status detail command.

For more information, see the Junos OS Security Configuration Guide.

[Services Interfaces]

•

NAT using Junos OS Services Framework (JSF) (M Series and T Series with Multiservices PICs and MX Series with Multiservices DPCs)—The Junos OS Services

Framework (JSF) is a unified framework for Junos OS services integration. JSF Services integration will allow the option of running Junos OS services on services PICs or DPCs in any M Series, MX Series, or T Series routers. Beginning with Junos OS Release 10.4, you can use JSF to run NAT on the specified routers.

To use JSF to run NAT, you must configure the jservices-nat package at the [edit chassis

fpc slot pic slot adaptive-services service-packageextension-provider package] hierarchy

level. In addition, you must configure NAT rules and a service set with a Multiservice interface. Tocheck the configuration, use the show configurationservicesnat command. To show the run time (dynamic state) information on the interface, use the show

services sessions and show services nat pool commands.

[Services Interfaces]

•

Stateful firewall using Junos OS Services Framework (JSF) (M Series with MS PICs, MX Series with MS DPCs, and T Series routers)—The Junos OS Services Framework

(JSF) is a unified framework for Junos OS services integration. JSF Services integration will allow the option of running Junos OS services on services PICs or DPCs in any M Series, MX Series, or T Series routers. Beginning with Junos OS Release 10.4, you can use JSF to run stateful firewall on the specified routers.

To use JSF to run stateful firewall, you must configure the jservices-sfw package at the

[edit chassis fpc slot pic slot adaptive-services service-package extension-provider package] hierarchy level. In addition, you must configure stateful firewall rules and a

service set with a Multiservice interface. To check the configuration, use the show

configurationservices stateful-firewall command. To show the run time (dynamic state)

information on the interface, use the show services sessions command.

[Services Interfaces]

Page 23

New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

Subscriber Access Management

•

Redirecting HTTP redirect requests (MX Series routers)—Enables support for HTTP traffic requests from subscribers to be aggregated from access networks onto a BRAS router, where HTTP traffic can be intercepted and redirected to a captive portal. A captive portal provides authentication and authorization services for redirected subscribers before granting access to protected servers outside of a walled garden. A walled garden defines a group of servers where access is provided to subscribers without reauthorization through a captive portal. You can use a captive portal page as the initial page a subscriber sees after logging in to a subscriber session and as a page used to receive and manage HTTP requests to unauthorized Web resources. An HTTP redirectremoteserver that resides in a walled garden behind Junos OS routers processes HTTP requests redirected to it and responds with a redirect URL to a captive portal.

To configure HTTP redirect, include the captive-portal-content-delivery statement at the [edit services] hierarchy level.

[Subscriber Access]

•

Filter support for service packet counting—You can count service packets, applying them to a specific named counter (__junos-dyn-service-counter), for use by RADIUS.

To enable service packet accounting, specify the service-accounting action at the [edit

firewall family family-name filter filter-name term term-name then] hierarchy level.

[Policy Framework, Subscriber Access]

•

Support for domain maps that apply configuration options based on subscriber domain names (MX Series and M Series routers)—You use domain maps to apply

access options and session-specific parameters to subscribers whose domain name corresponds to the domain map name. You can also create a default domain map that the router uses for subscribers whose username does not include a domain name or has a non-matching domain name.

Domain maps apply subscriber-related characteristics such as profiles (access, dynamic, and tunnel), target and AAA logical system mapping, address pool usage, and PADN routing information.

You configure domain maps at the [edit access domain] hierarchy level.

[Subscriber Access]

•

L2TP LAC support for subscriber management (MX Series routers)—You can now configure an L2TP access concentrator (LAC) on MPC-equipped MX Series routers.

As part of the new L2TP LAC support, you can configure how the router selects a tunnel for a PPP subscriber from among a set of available tunnels. The default tunnel selection method is to fail over between tunnel preference levels. When a PPP user tries to log in to a domain, the router attempts to connect to a destination in that domain by means of the associated tunnel with the highest preference level. If the destination is unreachable, the router then moves to the next lower preference level and repeats the process. No configuration is required for this tunnel selection method.

You can include the fail-over-within-preference statement at the [edit services l2tp] hierarchy level to configure tunnel selection failover within a preference level. With this

Page 24

JUNOS OS 10.4 Release Notes

method, when the router tries to connect to a destination and is unsuccessful, it selects a new destination at the same preference level. If all destinations at a preference level are marked as unreachable, the router does not attempt to connect to a destination at that level. It drops to the next lower preference level to select a destination. If all destinations at all preference levels are marked as unreachable, the router chooses the destination that failed first and tries to make a connection. If the connection fails, the router rejects the PPP user session without attempting to contact the remote router.

By default, the router uses a round-robin selection process among tunnels at the same preference level. Include the weighted-load-balancing statement at the statement at the [edit servicesl2tp] hierarchy level to specify that the tunnel with the highest weight within a preference is selected until its maximum sessions limit is reached. Then the tunnel with the next highest weight is selected until its limit is reached, and so on. The tunnel with the highest configured maximum sessions value has the greatest weight.

Another feature of L2TP LACs on MX Series routers is the ability to control whether the LAC sends the Calling Number AVP 22 to the LNS. The AVP value is derived from the Calling-Station-Id and identifies the interface that is connected to the customer in the access network. By default, the LAC includes this AVP in ICRQ packets it sends to the LNS. In some networks you may wish to conceal your networkaccessinformation. To prevent the LAC from sending the Calling Number AVP to the LNS, include the

disable-calling-number-avp statement at the [edit services l2tp] hierarchy level.

[Subscriber Access]

•

Support for dynamic interface sets (M120, M320, and MX Series routers)—Enables you to configure sets of subscriber interfaces in dynamic profiles. Interface sets are used for providing hierarchical scheduling. Previously, interface sets were supported for interfaces configured in the static hierarchies only.

Supported subscriber interfaces include static and dynamic demux, static and dynamic PPPoE, and static and dynamic VLAN interfaces.

To configure an interface set in a dynamic profile, include the interface-set

interface-set-name statement at the [edit dynamic-profiles interfaces] hierarchy level.

To add a subscriber interface to the set, include the interface interface-name unit

logical-unit-number statement at the [edit dynamic-profiles interfaces interface-set interface-set-name]hierarchy level. Youapplytrafficshaping and scheduling parameters

to the interface-set by including the interface-set interface-set-name and

output-traffic-control-profile profile-name statements at the static [editclass-of-service interfaces] hierarchy level.

A new Juniper Networks VSA (attribute 26-130) is now supported for the interface set name, and includes a predefined variable, $junos-interface-set-name. The VSA is supported for RADIUS Access-Accept messages only; change of authorization (CoA) requests are not supported.

[Subscriber Access]

•

Support for service session accounting statistics (MX Series routers)—You can now capture accounting statistics for subscriber service sessions. Subscriber management supports service session accounting based on service activation and deactivation, as

Page 25

New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

well as interim accounting. Time-based accounting is supported for all service sessions. Time and volume-based accounting is supported for classic firewall filter and fast update firewall filter service sessions only.

To provide volume service accounting, the well-known accounting counter (junos-dyn-service-counter) must also be configured for the classic firewall filter and fast update firewall filter service. You define the counter at the [edit firewall family

family filter filter term term then] hierarchy level.

The following VSAs (vendor ID 4874) are used for service accounting:

Attribute Number

Service-Statistics26-69

Enable or disable statistics for the service.

ValueDescriptionAttribute Name

•

0 = disable

•

1 = enable time statistics

•

2 = enable time and volume statistics

Acct-Service-Session26-83

service.

Service-Interim-Acct-Interval26-140

Amount of time between interim accounting updates for this service.

string: service-nameName of the

•

range = 600–86400 seconds

•

0 = disabled

[Subscriber Access]

•

Subscriber secure policy traffic mirroring supported for L2TP sessions on the LAC (MX Series routers)—The L2TP access concentrator (LAC) implementation supports

RADIUS-initiated per-subscriber traffic mirroring. Both subscriber ingress traffic (from the subscriber into the tunnel) and subscriber egress traffic (from the tunnel to the subscriber) is mirrored at the (subscriber-facing) ingress interface on the LAC. The ingress traffic is mirrored after PPPoE decapsulation and before L2TP encapsulation. The egress traffic is mirrored after L2TP decapsulation. The mirrored packet includes the complete HDLC frame sent to the LNS.

[Subscriber Access]

•

Support for static and dynamic CoS on L2TP LACsubscriber interfaces(M120,M320, and MX Series routers)—Enables you to configure static and dynamic CoS for L2TP

accessconcentrator (LAC) tunnels that transport PPP subscribers at Layer 2 and Layer 3 of the network.

IP and L2TP headers are added to packets arriving at the LAC from a subscriber before being tunneled to the L2TP network server (LNS). Classifiers and rewrite-rules enable you to properly transfer the type-of-service (ToS) value or the 802.1p value from the inner IP header to the outer IP header of the L2TP packet.

For ingress tunnels, you configure fixed or behavior aggregate (BA) classifiers for the PPP interface or an underlying VLAN interface at Layer 2. You can configure Layer 3

Page 26

JUNOS OS 10.4 Release Notes

classifiers for a family of PPP interfaces. Layer 2 and Layer 3 classifiers can co-exist for a PPP subscriber.

For example, to classify incoming packets for a PPP subscriber, include the classifier

type classifier-name statement at the [edit class-of-service interfaces pp0 unit logical-unit-number] hierarchy level or at the [edit dynamic-profiles class-of-service interfaces pp0 unit logical-unit-number] hierarchy level.

On egress tunnels, you configure rewrite rules to set the ToS or 802.1p value of the outer header. For example, to configure a rewrite-rule definition for an interface with

802.1p encapsulation, include the [rewrite-rule ieee-802.1 (rewrite-name | default) statementat the edit class-of-service interfacesinterface-name unit logical-unit-number] hierarchy level or the [edit dynamic-profiles class-of-service interfaces pp0 unit

logical-unit-number] hierarchy level.

Rewriterulesare applied accordinglytothe forwarding class, packet loss priority (PLP), and code point. The proper transfer of the inner IP header to the outer IP header of the L2TP packet depends on the classifier and rewrite rule configurations.

The following table shows how the classifier and rewrite-rule values transfer from the inner IP header to the outer IP header. The inner IP header (ob001) is classified with assured-forwarding and low loss priority at the ingress interface. Based on the assured-forwarding class and low loss priority in the rewrite rule, the outer IP header is set to ob001 at the egress interface.

Outer IP HeaderCode PointLoss PriorityForwarding ClassInner IP Header

ob001001lowassured-forwardingob001

[Subscriber Access, Class of Service]

•

L2TP tunnel profiles and AAA support for tunnels in subscriber management (MX Series routers)—You can configure a set of attributes to define an L2TP tunnel for PPP

subscribers. More than one tunnel can be defined for a tunnel profile. Tunnel profiles are applied by a domain map before RADIUS authentication. When the RADIUS Tunnel-Group VSA [26-64] is specified in the RADIUS login, then the RADIUS tunnel profile (group) overrides a tunnel profile specified by the domain map. The tunnel is then configured according to RADIUS tunnel attributes and VSAs.

To configure a tunnel profile, include the tunnel-profile profile-name statement at the

[edit access] hierarchy level. To define a tunnel for a profile, include the tunnel tunnel-id

statement at the [edit access tunnel-profile profile-name] hierarchy level.

Define the attributes of the tunnel at the [edit access tunnel-profile profile-name tunnel

tunnel-id] hierarchy level. You must configure a preference for the tunnel and the IP

address of the LNS tunnel endpoint; all other attributes are optional. Include the

preferencenumber statement to configure the preference. Include the remote-gateway address server-ip-address statement to configure the LNS address.

You can optionally configure the remaining tunnel attributes. Include the

remote-gateway name server-name statement to configure the LNS hostname. Include

the source -gatewayaddressclient-ip-addressstatementand the source-gatewayname

client-name statements to configure the local (LAC) tunnel endpoint. Although you

Page 27

New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

can configure a medium type (medium type) and protocol type (tunnel tunnel-type) for the tunnel, only the default values of ipv4 and l2tp are supported in this release. Include the identification name statement to configure an assignment ID for the tunnel. Include the max-sessions number statement to configure the maximum number of sessions permitted for the tunnel. Include the secret password statement to configure a cleartext password for authentication by the remote tunnel endpoint (LNS). Finally, you can configure a logical system and routing instance for the tunnel by including the

logical-system logical-system-name and routing-instance routing-instance-name

statements.

The following table shows the RADIUS attributes that are now supported for defining a tunnel.

Attribute Number

Tunnel-Type64

DescriptionAttribute Name

•

The tunneling protocol to use (in the case of a tunnel initiator) or the tunneling protocol already in use (in the case of a tunnel terminator).

•

Only L2TP tunnels are currently supported.

•

Tunnel-Medium-Type65

Tunnel-Assignment -Id82

Tunnel-Preference83

Tunnel-Client-Auth-Id90

Tunnel-Server-Auth-Id91

Transport medium to use when creating a tunnel for protocols that can operate over multiple transports.

•

Only IPv4 is currently supported.

Address of the initiator end of the tunnel.Tunnel-Client-Endpoint66

Address of the server end of the tunnel.Tunnel-Server-Endpoint67

Password used to authenticate to a remote server.Tunnel-Password69

Indicates to the tunnel initiator the particular tunnel to which a session is assigned.

•

If more than one set of tunneling attributesisreturned by the RADIUS server to the tunnel initiator, this attributeis included in each set to indicatethe relative preference assigned to each tunnel.

•

Included in the Tunnel-Link-Start, the Tunnel-Link-Reject, and the Tunnel-Link-Stop packets (LAC only).

Name used by the tunnel initiator during the authentication phase of tunnel establishment.

Name used by the tunnel terminator during the authentication phase of tunnel establishment.

The following table shows the RADIUS VSAs that are now supported for defining a tunnel.

Attribute Number

ValueDescriptionAttribute Name

Tunnel-Virtual-Router26-8

Virtual router name for tunnel connection.

string: tunnel-virtual-router

Page 28

JUNOS OS 10.4 Release Notes

Attribute Number

ValueDescriptionAttribute Name

Tunnel password in clear text.Tunnel-Password26-9

string: tunnel-password

Tunnel-Max-Sessions26-33

allowed in a tunnel.

Tunnel-Group26-64

Name of the tunnel group (profile) assigned to a domain map.

integer: 4-octetMaximum number of sessions

string: tunnel-group-name

[Subscriber Access]

•

Dynamic reconfiguration of extended DHCPv6 local server clients (MX Series routers)—You can enable dynamic reconfiguration of DHCPv6 clients to enable the

extended DHCPv6 local server to initiate a client update without waiting for the client to initiate a request. In subscriber management scenarios, a client may need to be quickly updated with its network address and configuration in the event of server changes, such as a restructuring of the service provider’s addressing scheme or a change in the local server IP addressesthat were provided to the clients. Include the reconfigure statementto enable dynamic reconfiguration with default values for all DHCPv6 clients at the [edit system services dhcp-local-server dhcpv6] hierarchy level, and for DHCPv6 clients serviced by a specified group of interfaces at the [edit system services

dhcp-local-server dhcpv6 group group-name] hierarchy level.

Optional statements enable you to modify default reconfiguration values: The number of reconfiguration attempts, the interval between the first and second attempts, what happens to the client if all reconfiguration attempts fail, what happens to the client in the event of a RADIUS-initiateddisconnect,whether to bind clients that do not support reconfiguration, and whether to send an authentication token. Issue the request dhcpv6

server reconfigure command to initiate reconfiguration. Use the show dhcpv6 server binding and show dhcpv6 server statistics commands to monitor client-server

interactions.

[Subscriber Access]

•

Support for ascend data filters (RADIUS attribute 242) in subscriber firewall filters (MX Series routers)—You can now configure subscriber management to use ascend

data filters (ADFs) to create and apply firewall filters to subscriber traffic. The ADF creates a rule that specifies match conditions on the source and destination IP address, the protocol, and the source and destination port, and also specifies the action to perform (such as accept or discard). The ADF rule also specifies the filter direction, and can optionally provide traffic class and policer information. The router supports ADF rules for family types inet and inet6.

Subscriber management uses dynamic profilestoobtain the ADF rules from the RADIUS server. You can use the new Junos OS predefined variables ($junos-adf-rule-v4 for familyinet and $junos-adf-rule-v6 for inet6) to map ADF rules to Junos OS functionality, or you can statically create ADF rules.

Page 29

New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

To configure ADF support, use the following stanza at the [edit dynamic-profiles

profile-name interfaces interface-name unit logical-unit-number family family] hierarchy

level:

filter {

adf {

counter; input-precedence precedence; output-precedence precedence; rule rule-value;

}

[Subscriber Access, System Basics and Services Command Reference]

•

Per-interface DHCP tracing operations (MX Series routers)—In addition to the existing global DHCP tracing operation, you can now trace DHCP operations for a specific interface or a range of interfaces.

Configuring interface-based tracing is a two-step procedure. First configure the tracing options that you want to use, such as the file used for the trace operation and the trace flags. In the second step, enable the tracing operation on the specific interface or range of interfaces.

•

To configure the per-interface tracing options, use the interface-traceoptions statementat the [edit system services dhcp-local-server] hierarchy levelfor the DHCP local server or at the [edit forwarding-options dhcp-relay] hierarchy level for the DHCP relay agent.

•

To enable tracing on an interface or interface range, use the trace statement at the

[edit system services dhcp-local-server group group-name interface interface-name]

hierarchy level for the DHCP local server, or the [edit forwarding-options dhcp-relay

group group-name interface interface-name] hierarchy level for the DHCP relay agent.

You can also enable tracing for DHCPv6 at the [edit system services dhcp-local-server

dhcpv6 group group-name interface interface-name] hierarchy level.

[Subscriber Access]

•

Automaticbinding of stray DHCP requests (MX Series routers)—The default behavior has changed for handling DHCP requests that are received but which have no entry in the database (stray requests). Beginning with Junos OS Release 10.4,automatic binding of stray requests is enabled by default. In Junos OS Release 10.3 and earlier releases, automatic binding of stray requests is disabled by default.

By default, DHCP relay and DHCP relay proxy now attempt to bind the requesting client by creating a database entry and forwarding the request to the DHCP server. If the server responds with an ACK, the client is bound and the ACK is forwarded to the client. If the server responds with a NAK, the database entry is deleted and the NAK is forwarded to the client. This behavior occurs regardless of whether authentication is configured.

In Junos OS Release 10.3 and earlier releases, DHCP relay drops stray requests and forwards a NAK to the client when authentication is configured. Otherwise, DHCP relay attempts to bind the requesting client. In those releases, DHCP relay proxy always

Page 30

JUNOS OS 10.4 Release Notes

drops stray requests and forwards a NAK to the client, regardless of the authentication configuration.

You can override the new default configuration to cause DHCP relay and DHCP relay proxy to drop all stray requests instead of attempting to bind the clients. To disable automatic binding behavior globally, include the no-bind-on-request statement at the

[edit forwarding-options dhcp-relay overrides] hierarchy level. To disable automatic

binding behavior for a group, include the statement at the [edit forwarding-options

dhcp-relay overrides group group-name] hierarchy level. To disable automatic binding

behavior for a specific interface in a group, include the statement at the [edit

forwarding-options dhcp-relay overrides group group-name interface interface-name]

hierarchy level.

[Subscriber Access]

•

Support for VPLS Layer 2 wholesale configuration in a subscriber access network—Enables you to configure Layer 2 wholesaling within a subscriber access

network. Wholesale access is the process by which an access network provider (wholesaler) partitions the access network into separately manageable and accountable subscriber segments for resale to other network providers. An access network provider may elect to wholesale all or part of its network to one or more service providers (retailers).

NOTE: In this release, Layer 2 wholesaling supports the use of only the

default logical system using multiple routing instances.

The Juniper Networks Layer 2 wholesale solution is similar to the Layer 3 wholesale solution in many ways. However, when configuring the Juniper Networks Layer 2 wholesale solution, keep the following in mind:

•

No Layer 3 components (address assignment, Layer 3 interfaces, and so on) are involved.

•

S-VLANs must be unique to any Gigabit Ethernet or Aggregated Ethernet interfaces within the entire network (not just unique to one router).

•

Layer 2 wholesale supports only CoA disconnect and variable modification; CoA service activation is not supported.

NOTE: For general information about configuring dynamic wholesale for

your subscriber access network, see the Broadband Subscriber Management Solutions Guide.

Page 31

New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

To configure Layer 2 wholesale for a subscriber access network:

•

Configure a VLAN dynamic profile. See the Subscriber Access Configuration Guide for details.

•

Include the routing-instances statement along with the $junos-routing-instance dynamic variable at the [edit dynamic-profiles profile-name interface

$junos-interface-name] hierarchy level.

•

Include the interfaces statement along with the $junos-interface-name dynamic variable at the [edit dynamic-profiles profile-name interface “$junos-interface-name”

routing-instances “$junos-routing-instance”] hierarchy level.

•

Include the interfaces statement along with the $junos-interface-ifd-name dynamic variable at the [edit dynamic-profiles profile-name] hierarchy level.

•

Include the unit statement along with the $junos-interface-unit dynamic variable at the [edit dynamic-profiles profile-name interface “$junos-interface-ifd-name”] hierarchy level.

•

(Optional) Include the encapsulation statement at the [edit dynamic-profiles

profile-nameinterface “$junos-interface-ifd-name”unit$junos-interface-unit] hierarchy

level and specify the unit encapsulation as vlan-vpls or vlan-ccc.

NOTE: If you choose not to specify an encapsulation for the logical

interface, you must specify encapsulation for the physical interface.

•

Include the vlan-tags statement and define the outer VLAN tag using the

$junos-stacked-vlan-id dynamic variable and the inner VLAN tag using the $junos-vlan-id dynamic variable at the [edit dynamic-profiles profile-name interface “$junos-interface-ifd-name” unit $junos-interface-unit] hierarchy level.

•

Include the input-vlan-map statement at the [edit dynamic-profiles profile-name

interface “$junos-interface-ifd-name” unit $junos-interface-unit] hierarchy level and

define the map settings as follows:

NOTE: You configure the input-vlan-map statement only when there is

a need to either push an outer tag on a single-tagged subscriber packet or modify the outer tag in a subscriber dual-tagged packet.

•

Specify the action that you want the input VLAN map to take. See the Network Interfaces Configuration Guide for details on how to configure input-vlan-map

statement options.

•

Include the output-vlan-map statement at the [edit dynamic-profiles profile-name

interface “$junos-interface-ifd-name” unit $junos-interface-unit] hierarchy level and

specify the action that you want the output VLAN map to take. See the Network

Include the vlan-id statementalongwith the $junos-vlan-map-id dynamic variable.

Page 32

JUNOS OS 10.4 Release Notes

Interfaces Configuration Guide for details on how to configure output-vlan-map statement options.

NOTE: You configure the output-vlan-map statement only when there

is a need to either pop or modify the outer tag found in a dual-tagged packet meant for the subscriber.

•

Specify the unit family as vpls at the [edit dynamic-profiles profile-name interface

“$junos-interface-ifd-name” unit $junos-interface-unit family] hierarchy level.

•

Include the flexible-vlan-tagging statement for any interfaces you plan to use at the

[edit interfaces interface-name] hierarchy level.

•

Include the encapsulation statement for any interfaces you plan to use at the [edit

interfaces interface-name] hierarchy level and specify the encapsulation as follows: flexible-ethernet-services.

•

Use the vlan-vpls or flexible-ethernet-services options if you specified the vlan-vpls option for the encapsulation statement at the [edit dynamic-profiles profile-name

interface “$junos-interface-ifd-name” unit $junos-interface-unit] hierarchy level.

NOTE: Using the vlan-vpls encapsulation option in both the dynamic profile and when configuring the physical interface limits the VLAN ID value to a number greater than or equal to 512. Using the

flexible-ethernet-services encapsulation option does not result in a

limitation to the VLAN ID value.

•

Use the flexible-ethernet-services option if you plan to configure logical interfaces with different encapsulations at the [edit dynamic-profiles profile-name interface

“$junos-interface-ifd-name” unit $junos-interface-unit] hierarchy level.

NOTE: This encapsulation type does not have a VLAN ID limitation.

•

Use the extended-vlan-vpls option if you chose not to specify an option for the

encapsulation statement at the [edit dynamic-profiles profile-name interface “$junos-interface-ifd-name” unit $junos-interface-unit] hierarchy level.

NOTE: This encapsulation type can support multiple TPIDs and does not have a VLAN ID limitation.

•

Specify the vpls option for the instance-type statement for any retailer routing instances you plan to use at the [edit routing-instances instance-name] hierarchy level.

Page 33

New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

•

Include the qualified-bum-pruning-mode statement in any retailer routing instances you plan to use at the [edit routing-instances instance-name] hierarchy level.

•

Specify the permanent option for the connectivity-type statement at the [edit

routing-instances instance-nameprotocols vpls] hierarchy level to ensure that the

routing instance (pseudo-wire) remains operational.

•

Configure the VLAN Interfaces to use the dynamic profile. See the Subscriber Access Configuration Guide for details.

•

Define access to your RADIUS server and specify the access profile at the [edit

access] hierarchy level.

To view the logical system and routing instance for each subscriber, use the show

subscriber operational command.

[Subscriber Access]

System Logging

•

New and deprecated system log tags—The following system log messages are new in this release:

•

ASP_SFW_DELETE_FLOW

•

CHASSISD_FM_FABRIC_DOWN

•

CHASSISD_FPC_FABRIC_DOWN_REBOOT

•

CHASSISD_FRU_INTEROP_UNSUPPORTED

•

CHASSISD_RE_CONSOLE_FE_STORM

•

RPD_AMT_CFG_ADDR_FMLY_INVALID

•

RPD_AMT_CFG_ANYCAST_INVALID

•

RPD_AMT_CFG_ANYCAST_MCAST

•

RPD_AMT_CFG_LOC_ADDR_INVALID

•

RPD_AMT_CFG_LOC_ADDR_MCAST

•

RPD_AMT_CFG_PREFIX_LEN_SHORT

•

RPD_AMT_CFG_RELAY_INVALID

•

RPD_BGP_CFG_ADDR_INVALID

•

RPD_BGP_CFG_LOCAL_ASNUM_WARN

•

RPD_CFG_TRACE_FILE_MISSING

•

RPD_LDP_GR_CFG_IGNORED

•

RPD_MC_CFG_FWDCACHE_CONFLICT

Page 34

JUNOS OS 10.4 Release Notes

•

RPD_MC_CFG_PREFIX_LEN_SHORT

•

RPD_MSDP_CFG_SA_LIMITS_CONFLICT

•

RPD_MSDP_CFG_SRC_INVALID

•

RPD_MVPN_CFG_PREFIX_LEN_SHORT

•

RPD_PLCY_CFG_COMMUNITY_FAIL

•

RPD_PLCY_CFG_FWDCLASS_OVERRIDDEN

•

RPD_PLCY_CFG_IFALL_NOMATCH

•

RPD_PLCY_CFG_PARSE_GEN_FAIL

•

RPD_PLCY_CFG_PREFIX_LEN_SHORT

•

RPD_RSVP_COS_CFG_WARN

•

RPD_RT_INST_IMPORT_PLCY_WARNING

•

RPD_OSPF_IF_COST_CHANGE

•

RPD_OSPF_TOPO_IF_COST_CHANGE

•

RPD_VPLS_INTF_NOT_IN_SITE

[System Log]

•

Added interface information to BFD session up/down system log tags—Added peer address information for BFDD_TRAP_MHOP_STATE_DOWN and

BFDD_TRAP_MHOP_STATE_UP.

[System Log]

VPNs

•

Disable TTL propagation behavior for the routes in a VRF routing instance—Enables you to control TTL decrementing for individual VPNs. In prior releases, Junos OS enabled control of TTL behavior only at the router level for all LDP-signaled and all RSVP-signaled label-switched paths. With this feature, you can control the behavior on individual VPN routes. To configure, include the vrf-propagate-ttl or

no-vrf-propagate-ttl statement at the [edit routing-instances instance-name] hierarchy

level. The instance-specific behavior overrides the router behavior configured at the

[edit protocols mpls] hierarchy level with the no-propagate-ttl statement. The show route extensive and show route detail commands display the TTL action for each VRF

routing instance.

[VPNs]

•

Support for Layer 3 VPN composite next hops and a larger number of Layer 3 VPN labels on T Series routers—Layer 3 VPN composite next hops can now be enabled on

T Series routers with Enhanced Scaling FPCs by including the l3vpn-composite-nexthop statement at the [edit routing options] or [edit logical-systems logical-system-name

Page 35

New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

routing options] hierarchy levels.This statementenablesBGP to accept largernumbers

of Layer 3 VPN BGP updates with unique inner VPN labels. Including the

l3vpn-composite-nexthop statement in the configuration enhances scaling and

convergence performance of PE routers participating in a Layer 3 VPN in a multivendor environment.

The Junos OS provides the configuration statement memory-enhanced to reallocate the jtree memory for routes and Layer 3 VPNs. This statement has the followingoptions:

•

route—Include this statement when you want to support larger routing tables (with

more routes) over firewall filters. For example, you can enable this option when you want to support a large number of routes for Layer 3 VPNs implementedusing MPLS. However, we recommend enabling this option only if you do not have a very large firewall configuration.

To allocate more memory for routing tables, include the route statement at the [edit

chassis memory-enhanced] hierarchy level:

[edit chassis memory-enhanced] route;

•

vpn-label—Include this statement when you want to enhance memory to support a

larger number of Layer 3 VPN labels accepted by the l3vpn-composite-nexhop statement.

To allocate more memory for Layer 3 VPN labels, include the vpn-label statement at the [edit chassis memory-enhanced] hierarchy level:

[edit chassis memory-enhanced] vpn-label;

NOTE:

•

With Junos Release 10.4, the memory-enhanced route statement at the

[edit chassis] hierarchy level replaces the route-memory-enhanced

statement at the [edit chassis] hierarchy level.

[VPNs, System Basics]

•

Egress protection LSPs—If there is a link or node failure in the core network, a protection mechanism such as MPLS fast reroute can be triggered on the transport LSPs between the PE routersto repair the connection within tens of milliseconds. An egress protection LSP addresses the problem of when a link failure occurs at the edge of the network (for example, a link failure between a PE router and a CE device).

Page 36

JUNOS OS 10.4 Release Notes

To enable an egress protection LSP, you need to configure the following statements:

•

context-identifier—Specifies an IPv4 address used to define the pair of PE routers

participating in the egress protection LSP. The context identifier is used to assign an identifier to the protector PE router. The identifier is propagated to the other PE routers participating in the network, making it possible for the protected egress PE router to signal the egress protection LSP to the protector PE router. Configure the

context-identifierstatement at the [edit protocolsl2circuit neighbor neighbor-address interfaceinterface-name egress-protectionprotector-pe]and the [edit protocols mpls egress-protection] hierarchy levels.

•

egress-protection—Configures the protector information for the protected Layer 2

circuit and also configures the protector Layer 2 circuit itself at the [edit protocols

l2circuit] hierarchy level. Configures an LSP as an egress protection LSP at the [edit protocols mpls label-switched-path lsp-name] hierarchy level. It also configures the

context identifier at the [edit protocols mpls] hierarchy level.

•

protected-l2circuit—Specifies which Layer 2 circuit is to be protected by the egress

protect LSP. This statement includes the following sub-statements: ingress-pe,

egress-pe, and virtual-circuit-id. These sub-statements specify the address of the

PE router at the ingress of the Layer 2 circuit, the address of the PE router at the egress of the Layer 2 circuit, and the Layer 2 circuit’s identifier respectively. Configure the protected-l2circuit statement at the [edit protocols l2circuit neighbor address

interface interface-name] hierarchy level.

Documentation

•

protector-pe—Specify the IPv4 address of the protector PE router. The protector PE

router must have a connection to the same CE device as the protected PE router for the egress protect LSP to function. This statement includes the following sub-statements: context-identifier and lsp. The lsp statement specifies the LSP to be used as the actual egress protection LSP. Configure the protector-pe statement at the [edit protocols l2circuit neighbor neighbor-address interface interface-name

egress-protection] hierarchy level.

[VPNs]

•

Local switching support for the ignore-encapsulation-mismatch statement—The

ignore-encapsulation-mismatch statement has been extended to support local

switching. You can now configure this statement at the [edit protocols l2circuit

local-switchinginterface interface-name] hierarchy level. This statement allows a Layer

2 circuit to be established even though the encapsulation configured on the CE device interface does not match the encapsulation configured on the Layer 2 circuit interface. Local switching allows you to configure a Layer 2 circuit entirely on the local router, terminating the circuit on a local interface.

[VPNs]

Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX

•

Series, and T Series Routers on page 37

• Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 48

Page 37

Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

• Errata and Changes in Documentation for Junos OS Software Release 10.4 for M Series,

MX Series, and T Series Routers on page 66

Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

Class of Service

•

Changestothe output of the show interfaces queue command—Previously, the output of the show interfaces queue interface-name displayed the max-queues-per-interface information HW supported queues, as shown below:

Egress queues: 4 supported, 4 in use

The first value indicates either the default or the value specified through the

max-queues-per-interface statement. Now this is changed to HW supported queues.

The first value does not change with respect to the changes to max-queues-per-interface as before.

[Class of Service]

Forwarding and Sampling

•

APR packet policing on TCC Ethernet interfaces—In Junos OS Release 10.4, the APR packet policing is effective on the TCC Ethernet interfaces.

•

High CPU utilization of the DFWD process—You might notice a high CPU utilization by the DFWD process if the interface lo0 is configured as part of the interface group

•

Bridge domain naming (Layer 2 platforms)—You cannot include the slash mark (/) in a bridge domain name at the [edit bridge-domains bridge-domain-name] hierarchy level.

[Layer 2]

Interfaces and Chassis

•

SFC and LCC Routing Engine (RE) name changes—The SFC Routing Engine name is changed from RE-TXP-SFC to RE-DUO-2600, and the LCC Routing Engine name is changed from RE-TXP-LCC to RE-DUO-1800.

[Software Installation and Upgrade]

•

Enhancement to show oam ethernet link-fault-management detail command—The output of the showoamethernetlink-fault-management detail command now includes the following two new fields: OAM total symbol error event information and OAM total

frame error event information. These fields display the total number of errored symbols

and errored frames, respectively, and are updated at every interval regardless of whether the threshold for sending event TLVs has been crossed. Previously, the show oam

ethernet link-fault management detail command displayed only the number of errored

symbols reported in TLVeventstransmitted since the OAM layerwasresetand displays the number of errored frames detected since the OAM layer was reset.

Page 38

JUNOS OS 10.4 Release Notes

[Interfaces Command Reference]

•

Enhancement to show oam ethernet connectivity-fault-management commands—The output of the show oam ethernet connectivity-fault-management mep-statistics, show

oam ethernet connectivity-fault-management interfaces, and show oam ethernet connectivity-fault-management mep-databasecommands includes the following three

new fields: Out of sync 1DMs received,which displaysthe number of out-of-sync one-way delay measurement packetsreceived;Valid DMMs received, which displaysthe number of valid two-way delay measurement request packets received, and Invalid DMMs

received, which displays the number of invalid two-way delay measurement request

packets received.

[Interfaces Command Reference]

•

New command to clear ETH-DM delay-statistics (MX Series routers)—A new command, clear oam ethernet connectivity-fault-management delay-statistics,enables you to clear ITU-T Y.1731 Ethernet frame delay measurement (ETH-DM) delay-statistics and ETH-DM frame counts. Use the maintenance-association

maintenance-association-name and maintenance-domain maintenance-domain-name

options to clear delay-statistics and frame counts for specific maintenance associations and maintenance domains. You can also use the one-way and two-way options to clear only one-way delay statistics or two-way delay statistics, respectively.

[Interfaces Command Reference]

•

Circuit Emulation (CE) interfaces firmware compatibility for ATM IMA on M7i, M10i, M40e, M120, and M320 routers—Provides a Firmware mismatch syslog message and

a show interface command output message in the IMA Group state and IMA Link state if the PIC's firmware is not compatible in Junos OS Release 10.0 and later releases.

NOTE: CE PICs requirefirmwareversion rom-ce-9.3.pbin or rom-ce-10.0.pbin

for ATM IMA functionality on M7i, M10i, M40e, M120, and M320 routerswith Junos OS Release 10.0R1.

CE PICs manufactured with the 560-028081.pbin firmware will produce the following entry in /var/log/messages when Junos OS is upgraded to Release 10.0R1 or newer releases:

Firmware mismatch. Need to upgrade PIC PROM Binary CPU firmware for IMA.

If you configure IMA with this combination of Junos OS and CE PIC firmware, the following entry will be seen.

Firmware error. Need to upgrade PIC PROM Binary CPU firmware for IMA.

The show interfaces ce-fpc/pic/port command output will show the following:

Physical link is Down IMA Group state : NE: Firmware Error IMA Link state : Line: Firmware Error

The customer must contact JTAC for a PIC firmware upgrade to proceed with IMA.

[Interfaces Command Reference, System Log Messages Reference]

Page 39

Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

•

Support for configuring shaping overhead—Support for CLI based configuration of shaping overhead has been added to the PD-5-10XGE-SFPP Type 4 PIC.

•

Set bandwidth value on aggregated Ethernet interfaces—You can now set the bandwidth value by using the bandwidth value statement at the [edit interfaces

aggregate-interface unit number] hierarchy level.

Additionally, the show interfaces aggregate-inteface extensive and the show interfaces

aggregate.logical-interface commands now show the bandwidth of the aggregatewhen

it is configured. Also, the SNMP OID ifSpeed/ifHighSpeed of the aggregate logical interface shows the corresponding bandwidth, when it is configured. When it is not configured, the command shows it as the sum of the bandwidths of the member links of the aggregate, as before.

•

Network interfaces show command output (All platforms)—The output of the show

interfaces detail/extensive command now adds a table that shows complete (not

truncated) names of the forwarding classes associated with queues.

[Network Interfaces]

•

Negotiate IP address option removed—The negotiate IP address option is no longer allowed in the MLFR and MFR encapsulations.

•

Hardware restrictions in the output of the show interfaces extensive command—When

using the show interfaces extensive command with a 100-Gigabit Ethernet PIC, the “Filter statistics” section will not be displayed because the hardware does not include those counters.

•

Increase in unit numbering for demux0 and pp0 interfaces—The unit numbering for demux0 and pp0 interfaces has been increased to 1,073,741,823.

•

Show chassis environment cb command on MX80 routers—The show chassis environment cb command is now available for the MX80 routers.

Junos OS XML API and Scripting

•

The jcs:load-configuration templatenowacceptsthe$commit-optionsparameter—The

jcs:load-configuration template, included in the import file junos.xsl, now accepts the $commit-options parameter to customize the commit operation. The parameter must

be passed to the jcs:load-configuration template as a node-set.

The default value for $commit-options is null. Supported options are:

•

check—Check the correctness of the candidate configuration syntax, but do not

commit the changes.

•

force-synchronize—Force the commit on the other Routing Engine (ignore any

warnings).

•

log—Write the specified message to the commit log. This is identical to the CLI

configuration mode command commit comment.

•

synchronize—Synchronize the commit on both Routing Engines.

Page 40

JUNOS OS 10.4 Release Notes

To specify commit options, include the desired options within the <commit-options> tag. Use the := operator to create a node-set and assign it to a variable. Pass this variable as the argument for the $commit-options parameter when you call the

jcs:load-configuration template.

For example, to commit the configuration with the synchronize and log options, use the following syntax for the node-set:

var $options := {

<commit-options> {

<synchronize>; <log> "synchronizing commit";

}

[Configuration and Operations Automation Guide]

•

Junos XML management protocol support for the interface-ranges attribute of the

<get-configuration> operation—By default, the Junos XML protocol operation <get-configuration> parallels the default behavior of the CLI configuration mode show

command, which displays the [edit interfaces interface-range] hierarchy as a separate hierarchy in the configuration. To display the inherited tag elements of each interface range as children of the interface elements that are members of that range, a client application combines the interface-ranges="interface-ranges" attribute with the

inherit="inherit" attribute in the <get-configuration> tag of a remote procedure call

(RPC).

If the inherit and interface-ranges attributes are included in the <get-configuration> tag and the client application requests Junos XML-tagged output (the format="xml" attribute is included or the format attribute is omitted), the Junos XML protocol server includes the junos:interface-range="source-interface-range" attribute in the opening tags of configurationelements that are inherited from an interface range. The attribute does not appear if the client application requests formatted ASCII output by including the format="text" attribute in the <get-configuration> tag.

[XML Management Protocol]

MPLS Application

•

Disable RSVP local revertive mode—Configure the no-local-reversion statement at the [edit protocols rsvp] hierarchy level to disable RSVP local revertive mode (local revertive mode as specified in RFC 4090, Fast Reroute Extensions to RSVP-TE for LSP). RSVP local revertive mode is supported on all Juniper Networks routers running the Junos OS software by default. If you configure the no-local-reversion statement, the Juniper Networks router uses global revertive mode instead. You might need to disable RSVP local revertive mode on Juniper Networks routers if your network includes equipment that does not support this mode.

[MPLS]

•

Enhancement to the show mpls lsp extensive command—In Junos OS Release 10.3 and later, the show mpls lsp extensive command displays more detailed Constrained Shortest Path First (CSPF) messages. You can now see the reason(s) for the CSPF path computation and rejection. The following list shows some of the enhanced CSPF

Page 41

Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

messages (depending on your network configuration, the type of messages you see might be different):

•

17 Aug 3 13:17:33.601 CSPF: computation result ignored, new path less avail bw[3 times]

•

16 Aug 3 13:02:51.283 CSPF: computation result ignored, new path no benefit[2 times]

[Routing Protocols and Policies Command Reference]

•

Enhancement to CSPF traceoptions—In Junos OS Release 10.3 and later, the Constrained Shortest Path First (CSPF) trace messages have been updated to provide more detailed information about CSPF path computation and rejection. You configure the CSPF traceoptions by including the cspf flag at the [edit protocolsmplstraceoptions

flag] hierarchy level. The following list shows some of the enhanced CSPF trace

messages (depending on your network configuration, the type of messages you see might be different):

•

Aug 3 13:26:06.844628 New avail bw 0.91% 100.00% 100.00% 100.00% without rounding

•

Aug 3 13:26:06.844676 Old avail bw 0.91% 100.00% 100.00% 100.00% without rounding

•

Aug 3 13:26:06.844697 CSPF reoptimize: Avail bw gain on new path 0 (without rounding 0.00%)

•

Aug 3 13:26:06.844714 CSPF reoptimize: new path is safe but no benefit

•

Aug 3 13:26:06.844731 CSPF reoptimize: result rejected, new path no benefit

•

Aug 3 13:26:06.844765 mpls lsp blue-to-green primary CSPF: computation result ignored, new path no benefit

[MPLS]

Platform and Infrastructure

•

Enhancement to show interfaces command—The show interfaces command includes a new field, INET6 Address flags, that displays a flag for any IPv6 address that is in a state other than “permanent” or “ready-to-use.”

[Interfaces Command Reference]

Routing Protocols

•

New community-count routing policy match condition for BGP routes—You can now configure the number of BGP community entries required for an incoming route to match. This allows you to accept BGP routes based on a specific number of or range of BGP community entries. To configure the number of community entries, specify the

from statement and include the community-count value (equal | orhigher | orlower)

match condition statement at the following hierarchy levels:

•

[edit policy-options policy-statement policy-name term term-name]

Page 42

JUNOS OS 10.4 Release Notes

•

[edit logical-systems logical-system-name policy-options policy-statement policy-name term term-name]

If you configure multiple community-count match condition statements, the matching is effectively a logical AND operation. The following example accepts BGP routes with two, three, or four communities. If a route contains three communities, it is considered a match and is accepted. If a route contains one community, it is not considered a match and is rejected.

[edit] policy-options {

policy-statement import-bgp {

term community {

from {

community-count 2 orhigher;

community-count 4 orlower; } then {

accept; }

}

[Routing Policy]

•

Enhancement to the PIM system log messages—The RPD_PIM_NBRDOWN and the RPD_PIM_NBRUP system log messages have been updated to include the name of the routing instance. This enhancement is also applicable to Junos OS Release 10.0R4,

10.1R4, 10.2R2, and 10.3R1. The following sample shows the enhanced PIM system log messages (depending on your network configuration, the type of messages you see might be different):

Jun 15 21:54:43.831533 RPD_PIM_NBRDOWN: Instance PIM.master: PIM neighbor 11.1.1.2

(so-0/1/3.0) removed due to: the interface is purged

Jun 15 21:53:28.941198 RPD_PIM_NBRUP: Instance PIM.master: PIM new neighbor 11.1.1.2

interface so-0/1/3.0

[System Log Messages Reference]

Page 43

Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

Services Applications

•

New configuration to avoid IDP traffic loss (M120, M320, MX240, MX480, and MX960 routers)—When the Multiservices PIC or DPC configured for a service set is

either administratively taken offline or undergoes a failure, all the traffic entering the configured interface with an IDP service set would be dropped without notification. To avoid this traffic loss, include the bypass-traffic-on-pic-failure statement at the [edit

services service-set service-set-name service-set-options] hierarchy level and (for TCP

traffic only) the ignore-errors tcp statement at the [edit interfaces interface-name

services-options] hierarchy level. When you configure these statements, the affected

packets are forwarded, in the event of a Multiservices PIC or DPC failure or offlining, as though interface-style services were not configured. This issue applies only to M120, M320, and MX Series routers.

[Services Interfaces]

•

Enhancements to the show services pgcp statistics extensive command—Two new fields have been added to the output of the show services pgcp statistics extensive command: the number of Add commands received that have emergency status, and the number of inactivity notifications (it/ito) on the root termination.

The following is a sample of the section of the output showing Add commands with emergency status:

Received Commands Total Wildcard Success Error

Add 0 0 0 0 Add (emergency) 0 0 0 0

AuditValue 1 0 1 0 Modify 1 0 1 0 ServiceChange 0 0 0 0 Subtract 0 0 0 0

The following is a sample of the section of the output showing inactivity notifications on the root termination:

ROOT Notify Total Wildcard Success Error

ocp/mg_overloaded 0 0 0 0 it/ito 1404 0 1404 0

[Border Gateway Function (BGF), System Basics and Services Command Reference]

•

Support for softwire rules—The match direction output command is now supported for

softwire rules.

[Services Interfaces]

•

Command to manage the behavior for reserved ports allocationand port parity—Port allocation in a NAT pool can now be controlled with the preserve-parity and

preserve-range commands. Preserve-parity allocates even ports for packets with even

destination ports, and odd ports for packetswith odd destination ports. Preserve-range allocates ports within a range of 0 through 1023 assuming the original packet contains

Page 44

JUNOS OS 10.4 Release Notes

a destination port in the reserved range. This behavior is applicable to control sessions and not to data sessions.

[Services Interfaces]

•

Increase in address-only source dynamic pool addresses—The number of address ranges in a NAT pool has increased to 32. The total number of addresses in an address-only source dynamic NAT has increased to 16,777,216.

[Services Interfaces]

•

Border Gateway Function (BGF) apply implicit latching on TCP gates when the gate is created.—By default, latching of gates is done by explicit latch requests. You can

configure implicit latching of gates by entering the set implicit-tcp-latch and set

implicit-tcp-source-filter configuration statements at the [edit services pgcp gateway gateway-name h248-options] hierarchy level.

The new configuration statements result in the following actions:

•

implicit-tcp-latch—If explicit latching has been applied (using using ipnapt/latch)

on either gate of a gate pair, implicit latching is not applied. If explicit latching has not been applied on either gate:

•

Latching is applied to both gates of the gate pair.

•

When either of the gates latches, latching is automatically disabled on the other gate.

•

implicit-tcp-source-filter—Applies source address (but not source port) filtering on

incoming packets, using the current remote destination address under the following conditions:

•

Explicit source filtering has not been applied by use of gm/saf.

•

Explicit latching has not been applied by use of ipnapt/latch.

[Border Gateway Function (BGF), Services Interfaces]

Subscriber Access Management

•

Modification to the interface-description-format statement—The

interface-description-format statement has been modified for Junos OS Release 10.4.

As in previous releases, the router includes both the adapter and subinterface as part of the interface description by default. You can now optionally exclude either or both the adapter and subinterface from the description.

[Subscriber Access]

•

Support for DSL Forum VSAs (MX Series routers)—Digital Subscriber Line (DSL) attributesare RADIUS VSAsthat are defined by the DSL Forum. The attributes transport DSL information that is not supported by standard RADIUS attributesand which convey information about the associated DSL subscriber and data rate. The attributes are defined in RFC 4679, DSL Forum Vendor-Specific RADIUS Attributes. Junos OS uses the vendor ID 3561, which is assigned by the Internet Assigned Numbers Authority (IANA), for the DSL Forum VSAs.

Page 45

Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

Subscriber management supports DSL Forum VSAs in pass-through mode. In pass-through mode, the router does not process DSL values, but rather passes the values received from the subscriber to the RADIUS server, without performing any parsing or manipulation.

[Subscriber Access]

•

Required pppoe-options subhierarchy for configuring static and dynamic PPPoE interfaces(M120, M320, MX Series routers)—When you configure a static or dynamic

pp0 (PPPoE) logical interface,you must include the pppoe-options subhierarchy in the

configuration. Failure to include the pppoe-options subhierarchy causes the commit operation to fail.

This requirement is in effect for configuration of static PPPoE logical interfaces as of Junos OS Release 10.2 and later, and has always been in effect for configuration of dynamic PPPoE subscriber interfaces in a PPPoE dynamic profile. For example, the following configuration now causes the commit operation to fail for both static and dynamic PPPoE logical interfaces:

pp0 {

unit 0 {

}

To configure a static PPPoE logical interface in Junos OS Release 10.2 and higher-numbered releases, you must include the pppoe-options subhierarchy at the

[edit interfaces pp0 unit logical-unit-number] hierarchy level or at the [edit logical-systems logical-system-name interfaces pp0 unit logical-unit-number] hierarchy

level. At a minimum, the pppoe-options subhierarchy must include the name of the PPPoE underlying interface and the server statement, which configures the router to act as a PPPoE server. For example:

[edit interfaces] ... pp0 {

unit 0 {

pppoe-options {

underlying-interface ge-1/0/0.0; server;

} ...

}

To configure a dynamic PPPoE subscriber interface in a PPPoE dynamic profile, you must include the pppoe-options subhierarchy at the [edit dynamic-profiles profile-name

interfaces pp0 unit “$junos-interface-unit”] hierarchy level. At a minimum, the pppoe-options subhierarchy must include the name of the underlying Ethernet interface,

represented by the $junos-underlying-interface predefined dynamic variable, and the

server statement. For example:

[edit] dynamic-profiles {

pppoe-profile {

interfaces {

pp0 {

Page 46

JUNOS OS 10.4 Release Notes

unit "$junos-interface-unit" {

pppoe-options {

underlying-interface "$junos-underlying-interface";

server; } ...

}

[Network Interfaces, Subscriber Access]

•

Subscriber access statistics—RADIUS reports subscriber statistics as an aggregate of both IPv4 statistics and IPv6 statistics.

•

For an IPv4-only configuration, the standard RADIUS attributes report the IPv4 statistics and the IPv6 VSA results are all reported as 0.

•

For an IPv6-only configuration, the standard RADIUS attributes and the IPv6 VSA statistics are identical, both reporting the IPv6 statistics.

•

When both IPv4 and IPv6 are configured, the standard RADIUS attributes report the combined IPv4 and IPv6 statistics. The IPv6 VSAs report IPv6 statistics.

[Subscriber Access]

•

Change to operation of RADIUS attribute Framed-IPv6-Prefix [97] (M120, M320, MX Series routers)—The operation of the standard RADIUS attribute

Framed-IPv6-Prefix [97] has been modified in Junos OS Release 10.4 and later. In these releases, the Framed-IPv6-Prefix attribute communicates the router advertisement prefix from RADIUS to the network access server (NAS). In Junos OS Release 10.3 and earlier, the Framed-IPv6-Prefixattribute communicated the DHCPv6 delegated prefix from RADIUS to the NAS.

[Subscriber Access]

User Interface and Configuration

•

Change in the commit | display detail option—If the number of commit messages exceeds a pagewhen the commit command is used with the | display detail pipe option, the more pagination option on the screen is no longer available. Instead, the messages roll up on the screen by default, just like using the commit command with the | no more pipe option.

[CLI User Guide]

•

New configuration statement to configure retry attemptsfor checking the keepalive status of a Point-to-Point (PPP) protocol session—Junos OS introduces the

keepalive-retries number-of-retries statement at the [edit access profile profile-name client client-name ppp] hierarchy level. Include this statement in the configuration to

reduce the detection time for PPP client session timeouts or failures if you have configured the keepalive timeout interval (using the keepalive statement).

[System Basics]

Page 47

Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

•

New configuration statement to enable the processing of IPv4-mapped IPv6 addresses—JunosOSintroducesthe allow-v4mapped-packets configuration statement

at the [edit system] hierarchy level. By default, the Junos OS disables the processing of IPv4-mapped IPv6 packets to protect against malicious packets from entering the network. To enable the processing of such IPv4-mapped IPv6 packets, include the

allow-v4mapped-packets statement in the CLI configuration.

[System Basics]

•

New option introduced for the show | display inheritance operational mode command—Junos OS now provides the no-comments option for the show | display

inheritance command. This option enables you to view CLI configurationdetails without

inline comments marked with ##.

[CLI User Guide]

•

Enhancement to the show chassis sibs command—The show chassis sibs command now displays an appropriate reason when a SIB transitions to the Offline state. For instance, if ths SIB is taken offline using the request chassis sib command, the output of the show chassis sibs command displays---Offlinedbyclicommand---in the output.

[System Basics and Services Command Reference]

•

New option for the ping mpls l2vpn and ping mpls l2circuit commands—The ping mpls

l2vpn and ping mpls l2circuit commands provide a new option reply-mode that enables

you to specify the reply mode for the ping request. The reply-mode option provides the

application-level-control-channel, ip-udp, and no-reply options.

[System Basics and Services Command Reference]

•

Enhancementto the output of the showchassishardware detail command—Theshow

chassis hardware detail command now displays DIMM information for the following

Routing Engines:

Table 2: Routing Engines Displaying DIMM Information

RoutersRouting Engines

MX240, MX480, and MX960 routersRE-S-1800x2 and RE-S-1800x4

M120 and M320 routersRE-A-1800x2

[System Basics and Services Command Reference]

•

Enhancement to the show chassis fpc command—The show chassis fpc command now displays accurate temperature readings for the FPC.

[System Basics and Services Command Reference]

Page 48

JUNOS OS 10.4 Release Notes

VPNs

•

SCU support for VRF routing instances with vrf-table-label configured—You can now configure source class usage (SCU) to count packets on Layer 3 VPNs configured with the vrf-table-label statement. Include the source-class-usage statement at the

[edit routing-instances routing-instance-name vrf-table-label] hierarchy level. The source-class-usage statement at this hierarchy level is supported only for the virtual

routing and forward (VRF) instance type. Previously, you could not enable SCU when the vrf-table-label statement was configured. Destination class usage (DCU) is not supported when the vrf-table-label is configured.

[VPNs, Network Interfaces]

Documentation

New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

•

on page 6

• Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 48

• Errata and Changes in Documentation for Junos OS Software Release 10.4 for M Series,

MX Series, and T Series Routers on page 66

• Upgrade and Downgrade Instructions for Junos OSRelease 10.4for M Series, MX Series,

and T Series Routers on page 70

Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

The current software release is Release 10.4R1. For information about obtaining the software packages, see “Upgrade and Downgrade Instructions for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers” on page 70.

•

Current Software Release on page 48

•

Previous Releases on page 55

Current Software Release

Outstanding Issues in Junos OS Release10.4for M Series, MX Series, and T Series Routers

Class of Service

•

On T Series routers, when the class of service scheduling or queueing parameters on an interface with a high traffic utilization (close to the line rate or oversubscribed) is changed, the FPC which hosts the interface might restart. This issue is specific to non-ES type FPCs. [PR/565307]

•

When a firewall filter containing the packet loss priority (PLP) rewrite references a policer that also contains the PLP rewrite, a two time PLP rewrite occurs with the PLP bits of the packets matching the filter condition set on the PLP set action in the policer, and later the PLP set action is set on the firewall filter. [PR/566896]

Page 49

Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

Forwarding and Sampling

•

A high CPU utilization by the DFWD process might occur if the interfacelo0 is configured as part of the interface group 0. [PR/497242]

•

On a sampled traffic on a multi services PIC, the multicast convergence slows down with the message "RPD_KRT_Q_RETRIES: Indirect Next Hop Update: No buffer space available." [PR/554363]

•

Making any circuit cross-connect (CCC) filter changes might render the Packet Forwarding Engine busy which might cause a slow statistics response. [PR/554722]

•

When a loopback filter is configured, packets sent by the ASICtothe PacketForwarding Engine’s CPU for generation of TTL expiry notification are dropped. [PR/555028]

•

In Junos OS Release 10.2 and above, the Packet Forwarding Engine process tracing is enabled by default. This results in the MIB2D process not being able to communicate with the Packet Forwarding Engine process. [PR/566681]

•

When a firewall filter with multiple terms references the same three color policer and has the same count variable configured, any IP packets that match the second or later terms might get corrupted. Use different count variables in each term to prevent this issue. [PR/567546]

High Availability

•

The SSH keys are not in sync between the master and backup Routing Engine when SSH is enabled after a graceful Routing Engine switchover (GRES). [PR/455062]

•

When a container interface (used in AE interfaces) is freed in the memory, the child nexthop (member link) on the master Routing Engine is also freed. However, in some cases, the child nexthop on the backup Routing Engine is not freed resulting in a crash. [PR/562295]

Interfaces and Chassis

•

When the Rx power level is a negative value, the SFP diagnostics output displays an invalid receiver power level reading. [PR/235771]

•

When an ATM II interface is configured as a Layer 2 circuit with cell transport mode on a router running Junos OS Release 8.2 or lower,interoperabilityissues with other network equipment and another Juniper Networks routers running Junos OS Release 8.3 or higher might occur. [PR/255622]

•

Upon a link up event, old packets from the previous link down are still dequeued. This leads to huge latency reports. [PR/515842]

•

Discrepancies exist in MAC and filter statistics between Trio MPC and I+EZ DPCs. [PR/517926]

•

The queue counter of the aggregated Ethernet is counted up after the statistics are cleared and the FPC is restarted. [PR/528027]

•

The multipoint-destination configurationstatementis not supported on IQE PICs. While the configuration of this statement is accepted without problems initially, subsequent reconfiguration of the interface might cause the FPC and Packet Forwarding Engine to reboot. [PR/529423]

Page 50

JUNOS OS 10.4 Release Notes

•

When the show interfaces command is used, no service set attachment information is displayed. This information is visible under the interfaces hierarchy (configuration). [PR/541574]

•

On a DPCE 20x 1 Gigabit Ethernet and 2x 10 Gigabit Ethernet, the link status of the interface goes down when the TX router towards the peer is removed. [PR/542668]

•

When a member link is added to an existing aggregated interface, a multicast distribution tree (MDT) mismatch might occur among the FPCs. This issue occurs only when graceful Routing Engine switchover (GRES) is enabled. [PR/558745]

•

If the cable of a TX router is removed from the interface on an MIC-3D-20GE-SFP, the state of the interface remains in the "up up" state. [PR/561254]

•

Under certain circumstances, the ping request to a VRRP master address is not successful even when the accept-dataoption is configured on a VRRP group associated with an IRB interface. However, after the MAC aging timer expires, the ping request is successful. [PR/565147]

•

A Layer 2 instability and rapid VRRP mastership change might cause MPC-3D-16XGE-SFPP to restart. [PR/560716]

Layer 2 Ethernet Services

•

The release message is not sent to the DHCP server even though the

send-release-on-delete flag is set under the DHCP relay configuration. As a workaround,

to deactivate or deconfigure an interface, clear all the bindings on the interface before you deactivate or delete the interface. To deactivate or deconfigure the relay, clear all the bindings before you deactivate or delete the relay. [PR/498920]

•

The PIM neighborship does not appear over the IRB interface after the dense port concentrator (DPC) is restarted. [PR/559101]

Page 51

Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

Network Management

•

The value of IfHighSpeed for the current bandwidth of an interface is in units of 1,000,000 bits per seconds. According to RFC 2683, the ifHighSpeed must be rounded to the nearest whole value on both the physical interfaces and logical interfaces. [PR/507004]

MPLS Applications

•

When the no-decrement-ttl statement is included at the [edit protocols mpls] or the

[edit protocols mpls label-switched-path path-name] hierarchy level, the VPN Label TTL action field in the output of the show route extensive command displays vrf-propagate-ttl as the action. This is a display issue only and has no operational

impact on the forwarding behavior. This is relevant to Layer 3 VPN scenarios where BGP routes resolve over RSVP LSPs and the no-propagate-ttl statement is not configured at the [edit protocols mpls] hierarchy level. [PR/563505]

Platform and Infrastructure

•

The SFC management interface em0 is often displayed as fxp0 in several warning messages. [PR/454074]

•

On restarting with a large-scale configuration (16,000 logical interfaces per MPC), the MPC-3D-16XGE-SFPP card may take up to 15 minutes to come up. [PR/478548]

•

The dynamic auto-sensed VPLS interfaces fail after modifications are made to the routing instance. Before making configuration changes to any routing instance, clear any active logical interfaces that are part of the routing instance using the clear

auto-configuration interfaces operational command. Modifying a routing instance

configuration when the configuration is actively being used by subscribers can result in an unpredictable behavior. [PR/512902]

•

The GRE key tunnel performance falls by 10 percent when 4000 or more tunnels or more are configured on the MS-PIC. [PR/520855]

•

An NTP server might not reply to clients with a source address that is explicitly configured. [PR/540430]

•

The IPv6 BGP neighbors might not come back to the up state when an FPC associated with that session is manually taken offline, removed, and re-inserted. [PR/552376]

•

With the IRB and AE interfaces in a bridge-domain, the old nexthop data is not cleared from the Packet Forwarding Engines when they are updated. This causes the Packet Forwarding Engine to crash when that nexthop is later referenced. [PR/560813]

•

On an MX960 router, when an MPC is installed and OSPF and IS-IS is activated simultaneously, the "jtree memory free using incorrect value 8 correct 0" message is displayed for all DPCs. [PR/562719]

•

On standalone routers with graceful Routing Engine switchover (GRES) (set chassis

redundancy graceful-switchover) enabled, or on multi chassis routers (TX, TXP), when

the interfaces are moved from one aggregate bundle to another using a single commit operation, out of order logical interface messages might be sent to the Packet Forwarding Engine. When this occurs, the error messages similar to the following are displayed:

Page 52

JUNOS OS 10.4 Release Notes

ABTX-2 lcc2-master /kernel: if_pfe: Error 4 (Exists Already) on IF command 23 (IFL add) LABTX-2 lcc2-master /kernel: if_pfe: Error 9 (No IFL) on IF command 34 (IFL config encap) LABTX-2 lcc2-master /kernel: if_pfe: Error 9 (No IFL) on IF command 33 (IFL config flags) LABTX-2 lcc2-master /kernel: if_pfe: Error 9 (No IFL) on IF command 201 (Unknown) LABTX-2 lcc2-master /kernel: if_pfe: Error 5 (Invalid) on IF command 87 (Ae add IFL) LABTX-2 lcc2-master lcc2-fpc0 IF: ifl_add() duplicate subunit 0 (ifd 243) LABTX-2 lcc2-master lcc2-fpc0 NH(nh_ucast_l2rw_add): Invalid ifl index 125 LABTX-2 lcc1-master lcc1-fpc3 NH: Null ifl (87)

When these messages are displayed, the state of the Packet Forwarding Engine can be corrupted and might cause the FPCs to crash at a later time. Hence, it is recommended that upon encountering these error messages, reboot the router or reboot the FPCs under a maintenance window.

As a workaround, split the operation into two commits, that is, remove the interface from one bundle and perform a commit, and then add it to another bundle and perform a commit. [PR/565658]

Routing Protocols

•

When aggregate interfaces are used for VPN applications, load balancing may not occur with a Layer 2 circuit configuration. [PR/471935]

•

Under certain circumstances, the BGP path selection does not follow the local preference. This might lead to incorrect BGP path selections. [PR/513233]

•

When the received next hop for a route has the same address of the EBGP peer to which the route is readvertised, the next hop is erroneously set to the peer's address instead of the next hop to self. [PR/533647]

•

When an interface is added to a routing instance with rpf-check enabled, the routing protocol process might crash if a route-distinguisher is also changed at the same time. [PR/539321]

•

In instances with scaledLACPconfigurations, the periodic packet management process (ppmd) might experience memory leaks. [PR/547484]

•

When a policy matching an extended community using a 4-byte AS and a wildcard is configured, the match condition might fail to match the relevant communities. As a workaround, configure exact matches. [PR/550539]

•

In Junos OS Release 10.0 and later, a direct route to a VRF with a rib-group is not advertised as an inet-vpn route to the IBGP neighbor due to the error "BGP label allocation failure: Need a nexthop address on LAN." [PR/552377]

•

On an NSR LDP, an LDP database entry mismatch exists between the master and the backup Routing Engines. The backup Routing Engine does not replicate the LDP socket with the error "jsr_sdrl_set_data: No space dlen." [PR/552945]

•

When a default route target is sent by a BGP peer, th eBGP does not track the VPN routes covered by this route target. When the default route target goes away, the BGP

Page 53

Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

does not withdraw the VPN routes that were previously covered by that default route target. [PR/556432]

•

On a 3D MPC, the load balance might be broken when a BGP multipath is configured. [PR/557099]

•

On M Series, MX Series, and T Series routers, the Virtual Router Redundancy Protocol (VRRP) process might become unresponsive when processing is delegated to the Packet Forwarding Engine. As a workaround, remove the delegate-processing option from the [protocols vrrp] hierarchy level. [PR/559033]

•

When the Link Layer DiscoveryProtocol (LLDP) advertisement interval value is changed from 30 seconds to 60 seconds, and the show lldp detail command is executed, the output shows 60 seconds. However, the Routing Engine forwards the LLDP packet every 30 seconds. When the interface is deactivated and activated again, the LLDP packets are forwarded every 60 seconds correctly. [PR/560857]

•

Under certain circumstances, the routing protocol process crashes while receiving the IGMP SNMP GetNext request. [PR/561842]

•

The multicast snooping process might crash and prevent a commit when the

apply-group statement is used at the bridge-domain <*> hierarchy level. [PR/562776]

•

The routing protocol process might crash in the following environments:

•

Auto-export is configured for route leaking between VRFs.

•

Communities are added in the import policy of the second VPN routing and forwarding (VRF) table.

[PR/563231]

•

On M10i and M7i routers, the distributed PPMD process is disabled by default. However, it should be enabled by default since it is supported by the Enhanced CFEB (CFEB-E). [PR/565957]

•

IS-IS might not use the MPLS label-switched paths (LSPs) if the names of the label-switched paths are similar in the first 32 characters. [PR/568093]

•

Under certain circumstances, processing of links with maximum metric set by IS-IS shortest path first (SPF) computation algorithm might lead to suboptimal routing decisions. [PR/569649]

Services Applications

•

The output of the show services ids destination-table command might not display any flow and related statistics in the IDS anomaly table for a certain period of time after the flows are activated. [PR/490584]

•

In scaled environments, the thread in the Multiservices PIC or DPC for cflow might run too long. This causes the PIC or DPC to crash. [PR/494457]

•

The data channel applications for protocols such as FTP, TFTP, RTSP, and SIP are not in the same application group as their control channel applications. For example, control channel application junos:ftp is in the group junos:file-server, but the corresponding data application junos:system:ftp-data is not in any group. [PR/507865]

Page 54

JUNOS OS 10.4 Release Notes

•

On M Series and MX Series routers, after a hot-standby RMS, all existing flows are dropped and it takes some time for new flows to appear with the state. This is due to the limitation of the RMS. All existing traffic is dropped, and RPC is most impacted as it has a long retry timer and takes a long time to recover. [PR/535597]

•

When unit 0 of the Multiservices PIC interface is not specified, the monitor interface

traffic command does not display the input packet’snumber properly for that particular

ms-I/F interface. [PR/544318]

•

On Multiservices 500 PICs with graceful Routing Engine switchover, wrong record values are seen for the IPv4 netflow export packets. This error occurs when the route records does not get installed. [PR/545422]

•

The MS400 PIC crashes due to a memory allocation failure when the PIC tries to respond to a Routing Engine CLI request. [PR/558237]

User Interface and Configuration

•

In the J-Web interface , the “Generate Report” option under Monitor Event and Alarms opens the report in the same web page. [PR/433883]

•

Selectingthe monitor port for any port in the Chassis Viewer page displays the common Port Monitoring page instead of the corresponding Monitoring page of the selected port. [PR/446890]

•

On MX Series routers, J-Web does not display the USB-related information under Monitor>SystemView>System Information>Storage. [PR/465147]

•

When a new-line character (\n) is used within the op script argument descriptions, the help output might display incorrectly, and could result in extra output being displayed when the op script executes. [PR/485253]

•

In the J-Webinterface, the options Access Concentrator, Idle Timeout, and Service Name for PPPoE logical interfaces are not supported on MX Series routers. [PR/493451]

•

The J-Web interfacedoes not display the drop-profile-map, excess-priority, excess-rate, and rate-limit (transmit rate) parameters which are supported for the schedulers configuration. Use these parameters using the CLI. [PR/495947]

•

Warning messages related to pending commits are not triggered when the following operations are performed:

•

Software->Upload

•

Software->Install Package

•

Maintain->Reboot

As a workaround, commit all pending commits beforeperforming the operations listed above. [PR/514853]

•

The annotate option does not appear when it is used with the edit private command for class of service. [PR/535574]

•

When a HTTPS connection is used for the J-Web interface in the Internet Explorer to savea report from the View Events page (Monitor->Events and Alarms->View events),

Page 55

Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

the following error message is displayed “Internet Explorer was not able to open the Internet site.”

This issue also appears in the following places on the J-Web interface:

•

maintain->config management->history

•

maintain->customer support->support information->Generate Reports

•

Troubleshoot port->Generate Reports

•

maintain->files

•

Monitor->Routing->Route Information->Generate Reports

[PR/542887]

•

The J-Web pages loads inconsistently when Add IPv4 or IPv6 filters are used in the Internet Explorer and Firefox Web browsers. [PR/543607]

•

After the "delete:" action is performed, the "replace" actions do not take effect in the "load replace terminal" operation. [PR/556971]

•

The javascript error, "Object Expected" occurs when J-Web pages are navigated before the page loads completely. [PR/567756]

VPNs

•

On a routerconfiguredfornonstop active routing (NSR) (the nonstop-routing statement is included at the [edit routing-options] hierarchy level), if a nonstop active routing switchoveroccursafterthe configuration for routing instances changes in certain ways, the BGP sessions between PE and CE routers might not be established after the switchover. [PR/399275]

•

The routing protocol process crashes when the rd value of an old instance is different from the rd value of a new instance in the VLAN ID. [PR/512499]

Previous Releases

Release 10.3R2

The following issues have been resolved since Junos OS Release 10.3R2. The identifier following the description is the tracking number in our bug database.

Class of Service

•

When a VLAN ID is changed, the following message appears in the messages log: "COSD_GENCFG_WRITE_FAILED: GENCFG write failed for Classifier to IFL 74. Reason: File exists.” This log message appears when the configuration is committed with VPLS configured on the Gigabit Ethernet interface,and a class-of-service classifier or rewrite rules that contain IEEE 802.1P on the interface are used. [PR/408552: This issue has been resolved.]

•

When a logical interface set has a shaping-rate less than the sum of transmit-rates of its queues and when the configurationis corrected so that the logical interface set gets the correct shaping-rate,ADPC might crash. [PR/523507: This issue has been resolved.]

Page 56

JUNOS OS 10.4 Release Notes

•

During a graceful Routing Engine switchover, the traffic control profile might not be applied on the interfaces. As a workaround, deactivate and reactivate class of service. [PR/533862: This issue has been resolved.]

•

When per-unit-scheduler is applied under the interfaces hierarchy level, and shaping rate is applied under the class-of-service interface hierarchy level in the same commit operation, port shaping rate does not work and the total logical interface transmitted byte rate exceeds the physical interface shaping rate. As a workaround, configure

shaping-ratewithin a traffic-control-profile and apply that to an interface, or deactivate

and activate shaping-rateusing the class-of-service interfaceinterface-nameshaping-rate command. [PR/539590: This issue has been resolved.]

•

Under certain conditions, the class of service configuration might not take effect on an IQ2 PIC. [PR/541814: This issue has been resolved.]

•

When the rate-limit option is configured on a physical interface on IQ2 PICs, the show

interface queue command might not display the RL-dropped counters. [PR/547218:

This issue has been resolved.]

•

The egress rate limit over a logical interface may drop large packets. [PR/547506: This issue has been resolved.]

•

In Junos OS Release 10.2 and later, the cosd process might crash while a configured commit is processed, as this process accesses a memory location that has already been freed. However, this issue is encountered rarely. [PR/548367: This issue has been resolved.]

Forwarding and Sampling

•

Port mirroring does not work under the bridge-domain forwarding-option filter. [PR/529272: This issue has been resolved.]

•

The policer counter might be missing in the SNMP walk. Reboot the router to solve this problem. [PR/535715: This issue has been resolved.]

•

When logical systems are configured, the show bridge-domains command might time out and return the following error message: “error: timeout communicating with l2-learning daemon.” [PR/536604: This issue has been resolved.]

•

A scheduler is associated with a forwarding class, and when a forwarding class is mapped to a differentqueue, the associated scheduler is not applied to the new queue. [PR/540568: This issue has been resolved.]

•

In Junos OS Release 10.2, the Routing Engine-based sampling might not work if the routing table inet.0 has a route for 128.0.0.1. The issue occurs when this route points to an external interface. [PR/540891: This issue has been resolved.]

•

A GRE interface might experience an incoming packetloss if a firewall filter is configured on the forwarding table. [PR/541901: This issue has been resolved.]

Page 57

Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

High Availability

•

On M120 routers, the message: "stream blocked detected message" displays when an FEB is switched from the backup to the primary. [PR/540644: This issue has been resolved.]

Interfaces and Chassis

•

The output of the monitor interface interface-namecommand is misaligned. [PR/70077: This issue has been resolved.]

•

An OAM trace displays an incorrect next-hop MAC value. [PR/494588: This issue has been resolved.]

•

When traffic flows into the MPC on which a bridge-domain configuration is being changed or the card is booting up, the forwarding software tries to access uninitialized memory for a short duration. This is a cosmetic issue and does not have any functional impact. [PR/506344: This issue has been resolved.]

•

On M7i routers with Junos OS Release 8.5 or later, the output of the show interfaces

fxp0 command shows the fxp0 interface to be in the link up state even when the

interface is disabled with no cables connected. [PR/508261: This issue has been resolved.]

•

When the VRRP6 master changes, there is no log output for VRRP IPv6. [PR/514821: This issue has been resolved.]

•

When the PIC is configured with encapsulation atm-ccc-cell-relay psuedowires, and the PIC throughput exceeds152 Mbps, data loss occursand the following error message is displayed: “[Warning] ce_wp_poll_hspi_stats:2006: PF/Winpath SPI interface error, rx_err_sm 243.” This error message is not seen when encapsulation atm-ccc-vc-mux is used.

As a workaround, use the atm-ccc-vc-mux encapsulation (AAL5 ATM PW), or use atm-ccc-cell-relay and configure a larger cell bundle size. When the cell bundle size is 5, the PIC passes 190 Mbps without error. [PR/515632: This issue has been resolved.]

•

When a SIB is taken offline via a CLI command, the output of the show chassis sibs command does not display the message “Offlined by cli command.” However, this message is correctly displayedfor the FPCs. [PR/519842: This issue has been resolved.]

•

The statistics get for LSQ interfaces fails in a scaled LSQ configuration when the show

interfaces queue lsq-w/x/y:z command is executed. [PR/523260: This issue has been

resolved.]

•

When MLPPP interfaces of an MS-PIC are taken offline, the following syslog message displays: “RT: itable unset idx 372 to proto MLPPP iftable failed (Invalid arguments) on FE -1.” [PR/528649: This issue has been resolved.]

•

In Junos OS Release 10.0 and later, a significantly large number of the following messages appear on the MX960 and SRX5800 routers:

MX960 /kernel: PCF8584(WR): transmit failure on byte 1 MX960 /kernel: PCF8584(WR): (i2c_s1=0x80, group=0xe, device=0x54) MX960 /kernel: PCF8584(WR): busy at start, attempting to clear MX960 /kernel: PCF8584(WR): (i2c_s1=0x00, group=0xe, device=0x54)

Page 58

JUNOS OS 10.4 Release Notes

MX960 /kernel: PCF8584(RD): ack failure on 2nd last byte

These messages are not an indication of a fan failure. They are cosmetic and can be ignored. [PR/531253: This issue has been resolved.]

•

On Trio MPCs, multiple changes to a single term in quick succession results in an incorrect filter state in the Packet Forwarding Engine. This causes the MPC to crash. [PR/532791: This issue has been resolved.]

•

An XE circuit on the MPC-3D-16XGE-SFPP might cause a high CPU utilization on the MPC. [PR/535057: This issue has been resolved.]

•

On MX960 routers, the link status stays in the "Link ok" state when the SCB is removed without taking it offline using the CLI or switch. [PR/536860: This issue has been resolved.]

•

The SCB displays an incorrect state when it is removed without taking it offline using the CLI or buttons. This is not a cosmetic error and might impact the traffic. [PR/536866: This issue has been resolved.]

•

The "frame-relay-ether-type" encapsulation is not programmed to the hardware properly. Because of this, the incoming packet parsing fails and the packets are discarded. [PR/539484: This issue has been resolved.]

•

On MX Series routers with 10.x Power Budget, after a “Power Budget: Chassis experiencing power shortage” alarm occurs, the alarm does not clear even after the power budget problem is cleared. [PR/540522: This issue has been resolved.]

•

The MX-MPC1-3D-Q accepts VLAN tagged packets even when the interface is not configured with VLAN tagging. [PR/540620: This issue has been resolved.]

•

The link-up time on a 16x 10-Gigabit Ethernet MPC is not less than the other platforms (ADPC and other MPCs) due to the emission dispersion compensation (EDC) functionality of the PHY device on the MPC. This causes a delay of 50 mS to 150 mS and cannot be changed. [PR/540694: This issue has been resolved.]

•

The sonet-options raise-rdi-on-rei and trigger options do not work well together. Turning the raise-rdi-on-rei option on and off again requires the trigger option to flap in order to assert or clear the RDI-L alarm. As a workaround, when both sonet-options

raise-rdi-on-reiand trigger options are configured,flapthe sonet-options trigger as well.

[PR/540745: This issue has been resolved.]

•

With Junos OS Release 10.2 and later, when a logical interface on an ATM-II IQ PIC is disabled, the FPC is taken offline and brought back online, and the PIC is reenabled, the logical interface stays down with atm_maker_check_indq error messages. [PR/541688: This issue has been resolved.]

•

When a Gigabit Ethernet or an XE interface on IQ2 PICs is disabled, and the link status is up, the traffic received from the interface might still be forwarded. [PR/543388: This issue has been resolved.]

•

When neither the per-unit scheduler nor the hierarchical-scheduler is configured on a physical interface and the physical interface has the overhead-accounting bytes configured, it does not take effect. [PR/544608: This issue has been resolved.]

Page 59

Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

•

When logical interfaces are created, the NPC crashes and the FPC goes down. [PR/545314: This issue has been resolved.]

•

Chassisd crashes when the show chassis clocks command is executed. [PR/545510: This issue has been resolved.]

•

When configuration changes are made that are unrelated to the interfaces, interface sets, or PICs, a commit failure occurs with the following error message: "error: iflset xxxx configured for nonexisting ifd ge-x/x/x." [PR/546184: This issue has been resolved.]

•

On a 10-Gigabit Ethernet PIC, a log is generated when the SFP is plugged in. However, no log is generated when the SFP is not plugged in. [PR/548251: This issue has been resolved.]

•

A CFM ping commandfailswhen the maintenance domain or maintenance association is longer than 32 characters. [PR/550014: This issue has been resolved.]

•

If a bridge-domain contains more than one AggregatedEthernet, and the IRB interfaces experiences the right sequence of MAC moves, the FPC might restart. [PR/550824: This issue has been resolved.]

•

On a 10-port oversubscribed 10-Gigabit Ethernet PIC for T Series routers (PD-5-10XGE-SFPP), the reactions configured under the [optics-options] stanza do not take effect for "low-light" conditions. [PR/550851: This issue has been resolved.]

•

If the number of VPLS connection exceeds 31, frequent FPC and NPC crashes might occur. [PR/552099]

•

The EOA family configurations over a container ATM interface might be deleted and added again upon every commit (including unrelated commits). [PR/553077: This issue has been resolved.]

•

When a remote PE's address is configured on a local loopback interface, the MVPN PIM neighborship to that PE in a different VRF might be affected. [PR/558584]

•

On MX960 routers with PWR-MX960-4100-AC PEMs (high capacity AC PEMs), the MPCs and DPCs do not power up when the system boots with only HC-AC PEM2,PEM3 being switched on, and PEM0,PEM1 being present but switched off. [PR/562125]

Layer 2 Ethernet Services

•

On MX Series routers, when both the top and bottom fan trays are enhanced and a mastership switch is performed, the alarm "craftd[1337]: Minor alarm set, Mix of FAN-TRAYS" displays. This only occurs after a switchover or an upgrade. This alarm is temporary, is cleared within a few seconds, and does not cause any routing or forwarding issues on the chassis. [PR/541617: This issue has been resolved.]

•

The AE interface does not show the system identifier for the attached interfaces in actor role. Because of this, the AE interface gets stuck in the detached state after it is rebooted from both ends. Additionally,the AE interface flaps when the backup Routing Engine is rebooted and a graceful Routing Engine switchover (GRES) is performed. [PR/547739: This issue has been resolved.]

Page 60

JUNOS OS 10.4 Release Notes

•

The DHCP relay bindings remain in a release state with a negative lease time. [PR/549520: This issue has been resolved.]

•

The L2CPD might have a memory leak when LLDP is enabled. [PR/549531: This issue has been resolved.]

MPLS Applications

•

With BFD enabled over IGP and an RSVP session built across it, when the RSVP peer does not support RSVP Hello (or is disabled), the BFD session down event triggers only the IGP neighbor to go down. The RSVP session remains up until a session timeout occurs. [PR/302921: This issue has been resolved.]

•

The rlist entry corresponding to the previouslyexisting rlist is not removed, which causes the routing protocol process to crash. [PR/513160: This issue has been resolved.]

•

When a protected link flaps, certain RSVP routes do not lose association with the p2mp_nh. [PR/530750: This issue has been resolved.]

•

Under NGEN-MVPN with vrf-table-label configured on the provider edge, the provider router connecting to that provider edge might keep an old P2MP MPLS label entry upon label-switched path optimization or reroute.Thereis no workaround. [PR/538144: This issue has been resolved.]

•

An LSP with auto-bw might stay down for approximately 30 minutes after a Routing Engine switchover or a Routing Engine restart when graceful restart fails. As a workaround, disable and reenable the MPLS or OSPF stanza. [PR/539524: This issue has been resolved.]

•

When RSVP path-mtu allow-fragmentation is configured,trafficredirection away from its intended destination might occur. [PR/544365: This issue has been resolved.]

•

On a P2MP LSP setup, the routing protocol process of the transit router might core when the topology changes with respect to the ingress sub-LSP router. There is no workaround. [PR/549778: This issue has been resolved.]

•

In Junos OS Release 10.2, when the clear mpls lsp autobandwidth command is executed at the ingress router, the updated Maximum AvgBW Utilization field displays a value that is much higher than the actual bandwidth. [PR/550289: This issue has been resolved.]

•

On MX80 routers, the MPLS LSP statistics do not record the transit traffic on a single-hop LSP with an implicit NULL label. [PR/551124: This issue has been resolved.]

•

When a large number of P2MP LSPs exist during periods of high network instability with many links flapping, and MBB re-routing of a P2MP LSP occurs, an MPLS route can become stale. This can cause a routing protocol process assertion failure on a transit router. [PR/555219: This issue has been resolved.]

Page 61

Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

Network Management

•

The SNMP process might restart when a core dump is generated. [PR/517230: This issue has been resolved.]

•

In Junos OS Release 10.2 and later, the size of the MIB2D process might increase as a result of memory leaks. This causes the MIB2D process to crash as it reaches its maximum permitted size. [PR/546872: This issue has been resolved.]

•

In Junos OS Release 9.2 and later, a memory leak occurs in the subagent in a scenario where the snmpd process is not running, or there are issues in communication with a subagent and traps are being generated by the subagent. [PR/547003: This issue has been resolved.]

•

When the firewall filter policer configuration is changed, the SNMP MIBs might not update correctly. As a result, the counters are inaccessible. [PR/555719: This issue has been resolved.]

Platform and Infrastructure

•

Redirect drops that are not real errors is taken into account for "Iwo HDRF" error statistics that is reported in the output of the show pfe statistics errors command on I-chip based routers. Since redirect drops are expected in a VPLS (and Ethernet in general) environment, this behavior could be misleading. [PR/430344: This issue has been resolved.]

•

After an 8216 Routing Engine upgrade to Junos OS Release 9.6 with "chassis" deactivated, the backup RoutingEngine starts to reboot with the panic message "panic: filter_idx_alloc: invalid filter index," and crashes when the chassis configuration is enabled and committed. After the Routing Engine finally comes online, the CLI response is slow and the Routing Engine reboots again after approximately three minutes. To stop these reboots, deactivate the chassis on the backup Routing Engine. [PR/489029: This issue has been resolved.]

•

On T Series routers, the FPC might continuously reboot upon installation. [PR/510414: This issue has been resolved.]

•

When the system default-router a.b.c.d command is used, the default route is not installed in the Packet Forwarding Engine. [PR/523663: This issue has been resolved.]

•

In an MPLS environment, the source NAT or PAT for traffic between two remote VPNs does not work when the vrf-table-label option is removed from the VRF where the inside-service interfaces are located. [PR/524294: This issue has been resolved.]

•

When VPLS is configured on the router, the following log messages will appear when the interface goes down:

RT-HAL,rt_entry_delete_msg_proc,XXX: route add posthandler failed RT-HAL,rt_msg_handler,XXX: route process failed

These messages can be ignored. [PR/524548: This issue has been resolved.]

•

After the MS-PIC’s homing PE interfaces used for MVPN are taken offline and brought back online, the following message may be logged: “flip-re0 fpc3 SLCHIP(0): %PFE-3: Channel 8189 (iif=701) on stream 32 already exists.” [PR/527813: This issue has been resolved.]

Page 62

JUNOS OS 10.4 Release Notes

•

The Packet Forwarding Engine incorrectly imposes a rate limit function for the host-bound virtual LAN tagged packets with IEEE 802.1p value of 1. There is no workaround. [PR/529862: This issue has been resolved.]

•

A router might send raw IPv6 host-generated packets over the Ethernet towards its BGP IPv6 peers. [PR/536336: This issue has been resolved.]

•

BGP authentication does not work with the 64-bit Junos OS BGP route reflector on a JCS platform. BGP sessions fail to establish, and the following error message is observed: "... /kernel: tck_auth_ok Packet from XXX.XXX.XXX.XXX:XXXXX wrong MD5 digest." [PR/538076: This issue has been resolved.]

•

On M10i routers, an upgrade to Junos OS Release 10.2 fails and aborts when the PIC combinations are verified. As a workaround, first verify the PIC combinations manually against PSN-2010-06-777, then use the force option to override the warnings and force the upgrade. [PR/540468: This issue has been resolved.]

•

In Junos OS Release 10.3, the following messages may be seen in the syslog: “/kernel: sysctl_nd6_mmaxtries: 3, max solicit testing setting of paramsysctl_nd6_mmaxtries: 3, max solicit testing setting of paramsysctl_nd6_mmaxtries: 3, max solicit testing setting of paramsysctl_nd6_mmaxtries: 3, max solicit testing setting of paramsysctl_nd6_mmaxtries: 3, max solicit testing setting of param /kernel: sysctl_nd6_prune: 1, retrans timer testing setting of paramsysctl_nd6_prune: 1, retrans timer testing setting of paramsysctl_nd6_prune: 1, retrans timer testing setting of paramsysctl_nd6_prune: 1, retrans timer testing setting of paramsysctl_nd6_prune: 1, retrans timer testing setting of param.” These messages are cosmetic. [PR/540808: This issue has been resolved.]

•

During SNMP queries in Junos OS Release 10.2 and later, the size of the MIB2D process might increase as a result of memory leaks in a statistics-associated library routine (libstats).This causes the MIB2D process to crash as it reachesits maximum permitted size. [PR/541251: This issue has been resolved.]

•

During router bootup, the error messages: "can't re-use a leaf (nd6_prune)!" and "can't re-use a leaf (nd6_mmaxtries)!" display. [PR/543422: This issue has been resolved.]

•

The backup Routing Engine might cause the kernel to crash when a configuration change occurs on the AE bundle during a next-hop index allocation. [PR/544092: This issue has been resolved.]

•

On TX Matrix routers with T640-FPC3 FPCs and a large number of routes, when an AE interface in an ECMP path is taken down, small packet drops might occur in the traffic on the other ECMP link. This issue does not occur when an indirect next hop is used. [PR/545166: This issue has been resolved.]

•

In Junos OS Release 10.0 and later, the FPCs in M320 and T Series routers might crash when the error “PFE: Detected error next-hop” (corrupted next-hop) is encountered. [PR/546606: This issue has been resolved.]

•

On M120 routers, multicast packet drops occur when both the Fast Ethernet and the SFP Gigabit Ethernet PICs are located on the same Packet Forwarding Engine. [PR/546835: This issue has been resolved.]

•

In Junos OS Release 9.3 and later, when routers using Enhanced FPCs (T640-FPCx-ES or T1600-FPC4-ES FPCs) have a configuration involving CBF LSPs and aggregate

Page 63

Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

interfaces, a jtree corruption might occur when a flap from a member link in the aggregate occurs on the remote end, or the FPC of the remote router is rebooted. To avoid this issue, use the indirect-next-hop option (routing-options forwarding-table

indirect-next-hop). The error message “PFE: Detected error nexthop:" indicates a jtree

corruption. [PR/548436: This issue has been resolved.]

•

In a multicast VPN scenario, if the default-vpn-source is configured under protocol PIM, then the FPC holding is configured, the MS-PIC might core when it is taken offline. [PR/550061: This issue has been resolved.]

•

A kernel core is generated when a logical interface that is a member of an AE bundle is activated and deactivated. [PR/553392: This issue has been resolved.]

Routing Protocols

•

The output of the show ospf statistics command does not display the hello packet statistics. [PR/427725: This issue has been resolved.]

•

The mirror receive task variable may not be cleared when the routing protocol process is heavily scaled. Hence, the NSR replication for RIP status stays in the "InProgress" state indefinitely. [PR/516003: This issue has been resolved.]

•

Under rare circumstances, multiple commits might crash both Routing Engines. The routing protocol process dumps core and restarts only on the master Routing Engine. This issue occurs when commits are executed within one minute. [PR/516479: This issue has been resolved.]

•

Upon an NSR mastership switch or ISSU upgrade, the multicast resolve route for IPv4 224/4 or inet6 ff00::/8 might be missing within the forwarding-table. To recover from this condition, deactivate and activate the protocol pim stanza, or restart the routing protocol process. [PR/522605: This issue has been resolved.]

•

For Junos OS Release 9.5 and above, the BGP parse community begins with “0” as the octal value. This behavior is different in earlier releases. [PR/530086: This issue has been resolved.]

•

The overload bit in the ISIS LSP MT-TLV may trigger the IS-IS to install a default route to the overload bit advertiser. And the output of the show isis database extensive command displays an unknown TLV. [PR/533680: This issue has been resolved.]

•

The routing protocol process might crash due to an invalid prefix-length value in one of the flow-spec routes. [PR/534757: This issue has been resolved.]

•

If there is enough join state associated with a neighbor and that neighbor goes down and comes back up quickly, then that join state may be stranded in an unresolved state until the clear pim join command is issued. [PR/539962: This issue has been resolved.]

•

On Type 2 Trio MPC, multiple changes to a single term in quick succession can cause an incorrect filter state in the Packet Forwarding Engine. This causes the MPC to crash. [PR/540674: This issue has been resolved.]

•

The routing protocol process might crash when a BGP connection attempt meets with an RST from the peer. This is due to an unlikely race condition. [PR/540895: This issue has been resolved.]

Page 64

JUNOS OS 10.4 Release Notes

•

Under certain timing conditions, an interior gateway protocol topology change can result in the BGP routes referencing an incorrect egress interface. This problem can occur when active and inactive BGP routes are learned from the same peer and the inactive BGP routes are deleted at the time of the topology change. [PR/543911: This issue has been resolved.]

•

In instances with scaledLACPconfigurations, the periodic packet management process (ppmd) might experience memory leaks. [PR/547484: This issue has been resolved.]

•

When two identical local interface addresses are shared between two VRFs via auto-export, the routing protocol process might cause a high CPU utilization. [PR/547897: This issue has been resolved.]

•

When the primary loopback address changes, the routing protocolprocessmight crash when a new data mdt is created. [PR/549483: This issue has been resolved.]

•

If a PIM <S, G> join arrives when there is no route to the source, PIM RPF checking is disabled, and a matching multicast route is present, the output interfaces associated with the PIM <S, G> join are not added to the multicast route. [PR/550703: This issue has been resolved.]

•

The IPv6 entries are removed from the output of the show pim interfaces command when the corresponding interface is in the down state. This is a cosmetic issue. [PR/550799: This issue has been resolved.]

•

On MX80 routers, even when static routes are configured, the management port does not forward traffic to the user ports. [PR/552952: This issue has been resolved.]

•

When an interface-basedIPv6 BGP session with a 2-byte AS format is used, the system might crash. [PR/553772: This issue has been resolved.]

•

An IS-IS adjacency flap at a precise interval can cause the routing protocol process to restart on a neighbor, as it is in the process of purging the LSAs of the previously down node from the local database. [PR/554233: This issue has been resolved.]

Services Applications

•

In Junos OS Release 10.0 and later, the routing instance name is restricted to 63 characters. [PR/533882: This issue has been resolved.]

•

The BGP_IPV4_NEXT_HOP field on the jflow v9 record matches the originatorID instead of the BGP next hop. [PR/534598: This issue has been resolved.]

•

When traffic is forwarded in an L2TP session and a teardown request is received, the ASPIC crashes with a memory access violation in mlppp_output. [PR/537225: This issue has been resolved.]

•

On M Series routers configured for L2TP tunneling with several thousands of PPP connections, when all the PPP sessions expire at the same time, the MS-PIC might hang and become unusable. To recover the service, restart the PIC. [PR/541793: This issue has been resolved.]

Page 65

Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

•

On SG3 PICs (Multiservices 500) with graceful Routing Engine switchover (GRES), wrong record values are seen for the IPv4 netflow export packets. This error occurs when the route records are not installed. [PR/545422: This issue has been resolved.]

•

The IPv6 and MPLS route counts are not reflected in the output of the show service

accounting status command. [PR/550793: This issue has been resolved.]

User Interface and Configuration

•

In a router configured with a large number of interfaces, when few interfaces are constantly added and deleted, a minor memory leak may be observed in the "pfed" process. [PR/522346: This issue has been resolved.]

•

While a configuration with a long as-path is displayed in XML format using the show

configuration | display xml | no-more command, the closing tag for the as-path <path>

is wrongly displayed as </path instead of </path>. [PR/525772: This issue has been resolved.]

•

The xnm service currentlydoes not support logging of remote-host addresses in system accounting. [PR/535534: This issue has been resolved.]

•

It is possible to login to J-Web from a web browser having a cipher strength of 40 and 56 bits. This could create a security issue. As a workaround, use a web browser that supports 128 bit of cipher strength. [PR/539477: This issue has been resolved.]

•

The system continues to use the TACACS server configuration even after it is removed. As a workaround, deactivateand reactivate the accounting configuration.[PR/544770: This issue has been resolved.]

•

When the load set command is used to refresh a script file, the script does not refresh, and exits from the CLI after displaying the rpc-related errors. [PR/555316: This issue has been resolved.]

VPNs

•

When two MVPN routing instances and at least one L2VPN routing instance are configured, the commit fails with the following message: “RPD_RT_DUPLICATE_RD: routing-instance xxx has duplicate route-distinguisher." As a workaround, configure the route-distinguisher-id for each instance manually. [PR/511514: This issue has been resolved.]

•

If a VPN routing and forwarding (VRF) instance contains a static route that is resolved via a route that is auto-exported from another routing instance, the static route may not be removed when the physical interface goes down. [PR/531540: This issue has been resolved.]

•

When a CE-facing interface in a VPLS instance is deactivated, the routing protocol process may get into a loop leading to a high CPU utilization. [PR/531987: This issue has been resolved.]

•

Under certain circumstances, the containerinterfaces might not send the proper martini modes to the routing protocol process. This results in incorrect control-word-related

Page 66

JUNOS OS 10.4 Release Notes

information sent to the Packet Forwarding Engine. [PR/541998: This issue has been resolved.]

•

In a Live/Standby MVPN extranet setup, with the primary provider on PE1, the backup provider on PE2, and a receiver on PE3 and receivers also on PE1 and PE2, traffic drops occur for 25 seconds afterevery35 seconds. [PR/542984: This issue has been resolved.]

Documentation

New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

•

on page 6

• Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX

Series, and T Series Routers on page 37

• Errata and Changes in Documentation for Junos OS Software Release 10.4 for M Series,

MX Series, and T Series Routers on page 66

• Upgrade and Downgrade Instructions for Junos OSRelease 10.4for M Series, MX Series,

and T Series Routers on page 70

Errata and Changes in Documentation for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

Changes to the Junos OS Documentation Set

The following are the changes made to the Junos OS documentation set:

•

The term “Multiplay” has been replaced with “Session Border Control” in the Junos OS Release Notes.

•

The Integrated Multi-Service Gateway (IMSG) pathway page now includes three complete configuration examples:

•

IMSG—Basic Configuration

•

IMSG—Dual BGFs

•

IMSG—Server Clusters

The configuration examples are applicable to Junos OS Release 10.2 and later.

•

The Junos OS Layer 2 Configuration Guide provides an overview of the Layer 2 functions supported on Juniper Networks routers, including configuring bridge domains, MAC addresses and VLAN learning and forwarding, and spanning-tree protocols. It also details the routing instance types used by Layer 2 applications. This material was formerly covered in the Junos OS MX Series Ethernet Services Routers Layer 2 Configuration Guide.

•

The title of the Junos OS Hierarchy and RFC Reference is now Junos OS Hierarchy and Standards Reference.

•

Documentation for the extended DHCP relay agent feature is no longer included in the

Policy Framework Configuration Guide. For DHCP relay agent documentation, see the Subscriber Access Configuration Guide or the documentation for subscriber access

management.

Page 67

Errata and Changes in Documentation for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

•

The new Junos OS Technical Documentation index page (http://www.juniper.net/techpubs/software/junos/index.html ) consolidates documentation for Junos OS features that are common to all platforms that run Junos OS. The new index page provides direct access to core Junos OS information and links to information for Junos OS features that run on particular platforms.

•

In Junos OS Release 10.3R1 and later, PDF files are not available for individual HTML pages in the Junos OS documentation set. PDF files are available for the complete Junos OS Release 10.3 configuration guides at

http://www.juniper.net/techpubs/software/junos/junos103/index.html. PDF files for the

complete hardware guides are accessible at the following URLs:

•

For M Series routers:

http://www.juniper.net/techpubs/en_US/release-independent/junos/informa tion-products/pathway-pages/m-series/

•

For MX Series routers:

http://www.juniper.net/techpubs/en_US/release-independent/junos/informa tion-products/pathway-pages/mx-series/

•

For T Series and TX Matrix routers:

http://www.juniper.net/techpubs/en_US/release-independent/junos/informa tion-products/pathway-pages/t-series/

In addition, individual HTML pages have a Print link in the upper left corner of the text area on the page.

Errata

This section lists outstanding issues with the documentation.

High Availability

•

TX Matrix Plus routers and T1600 routers that are configured as part of a routing matrix do not currently support nonstop active routing. [High Availability]

Interfaces and Chassis

•

For the T320, T640, and T1600 routers, external clock synchronization is not supported on sonic clock generators (SCG) with DB-9 external clock interfaces.

[System Basics, Hardware Guides]

•

The Configuring Layer 2 Circuit Transport Mode chapter in the Network Interfaces Configuration Guide states the following:

•

For Layer 2 circuit cell relay and Layer 2 trunk modes, include the atm-l2circuit-mode

cell statement at the [edit chassis fpc slot pic slot] hierarchy level and the encapsulation atm-ccc-cell-relay statement at the [edit interfaces interface-name]

hierarchy level.

This configurationis correct and interoperates with routers running all versions of Junos OS.

However, the chapter does not mention that you can also include the encapsulation

atm-ccc-cell-relay statement at the [edit interfaces interface-name unit

Page 68

JUNOS OS 10.4 Release Notes

logical-unit-number] hierarchy level. when you include the statement at the [edit interfaces interface-name unit logical-unit-number]] hierarchy level, keep the following

points in mind:

•

This configuration interoperates only between Juniper Networks routers running Junos OS Release 8.2 or earlier.

•

This configuration does not interoperate with other network equipment, including a Juniper Networks router running Junos OS Release 8.3 or later, unless it is also configured with the same use-null-cw statement.

•

For a Juniper Networks router running Junos OS Release 8.3 or later to interoperate with another Juniper Networks router running Junos OS Release 8.2 or earlier, on the router running Junos OS Release 8.3 or later, include the use-null-cw statement at the [edit interfaces interface-name atm-options] hierarchy level.

•

The use-null-cw statement inserts (for sending traffic) or strips (for receiving traffic) an extra null control word in the MPLS packet.

•

The use-null-cw statement is not supported on a router running Junos OS Release

8.2 or earlier.

[Network Interfaces]

•

With Junos OS Release 10.1 and later, you need not include the tunnel option or the

clear-dont-fragment-bit statement when configuring allow-fragmentation on a tunnel.

[Services Interfaces]

J-Web Interface

•

To access the J-Web interface, your management device requires the following software:

•

Supported browsers—Microsoft Internet Explorer version 7.0 or Mozilla Firefox version

3.0

•

Language support—English-version browsers

•

Supported OS—Microsoft Windows XP Service Pack 3

MX Series 3D Universal Edge Routers

•

The MX Series 3D Universal Edge Routers are sometimes referred to as MX Series Ethernet Services Routers. Both names refer to the same MX Series routers. This will be standardized to MX Series 3D Universal Edge Routers in the documentation in later releases.

•

For a complete list of available features on MX80 routers please contact your sales engineer or the Juniper Technical Assistance Center.

Page 69

Errata and Changes in Documentation for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

Subscriber Access Management

The Subscriber Access ConfigurationGuide contains the followingdynamic variable errors:

•

The Configuring a Dynamic Profile for Client Access topic erroneously uses the

$junos-underlying-interface variable when a IGMP interface is configured in the client

access dynamic profile. The following example provides the appropriate use of the

$junos-interface-name variable:

[edit dynamic-profiles access-profile] user@host# set protocols igmp interface $junos-interface-name

•

Table 25 in the Dynamic Variables Overview topic neglects to define the

$junos-igmp-version predefined dynamic variable. This variable is defined as follows:

$junos-igmp-version—IGMP version configured in a client access profile. The Junos OS

obtains this informationfrom the RADIUS server when a subscriber accesses the router. The version is applied to the accessing subscriber when the profile is instantiated. You specify this variable at the [dynamic-profiles profile-name protocols igmp] hierarchy level for the interface statement.

In addition, the Subscriber Access Configuration Guide erroneously specifies the use of a colon (:) when you configure the dynamic profile to define the IGMP version for client interfaces. The followingexampleprovides the appropriate syntax for setting the IGMP interface to obtain the IGMP version from RADIUS:

[edit dynamic-profiles access-profile protocols igmp interface $junos-interface-name] user@host# set version $junos-igmp-version

•

The Subscriber Access Configuration Guide and the System Basics Configuration Guide contain information about the override-nas-information statement. This statement does not appear in the CLI and is not supported.

[Subscriber Access, System Basics]

•

When you modify dynamic CoS parameters with a RADIUS change of authorization (CoA)message,the Junos OS acceptsinvalid configurations.For example,if you specify that a transmit rate that exceeds the allowed 100 percent, the system does not reject the configuration and returns unexpected shaping behavior.

[Subscriber Access]

•

We do not support multicast RIF mapping and ANCP when configured simultaneously on the same logical interface. For example, we do not support when a multicast VLAN and ANCP are configured on the same logical interface, and the subscriber VLANs are the same for both ANCP and multicast.

[Subscriber Access]

•

The Guidelines for Configuring Dynamic CoS for Subscriber Access topic in the Subscriber Access Configuration Guide erroneously states that dynamic CoS is supported for

dynamic VLANs on the Trio MPC/MIC family of products.In the current release, dynamic CoS is supported only on static VLANs on Trio MPC/MIC interfaces.

Page 70

JUNOS OS 10.4 Release Notes

[Subscriber Access]

•

The Subscriber Access ConfigurationGuide incorrectlydescribes the authentication-order statement as it is used for subscriber access management. When configuring the

authentication-order statement for subscriber access management, you must always

specify the radius method. Subscriber access management does not support the

password keyword (the default), and authentication fails when you do not specify an

authentication method.

[Subscriber Access]

User Interface and Configuration

•

The show system statistics bridge command displays system statistics on MX Series routers. [System Basics Command Reference]

VPNs

•

In Chapter 19, Configuring VPLS of the VPNs Configuration Guide, an incorrect statement that caused contradictory information about which platforms support LDP BGP interworking has been removed. The M7i router was also omitted from the list of supported platforms. The M7i router does support LDP BGP interworking.

[VPNs]

Documentation

New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

•

on page 6

• Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX

Series, and T Series Routers on page 37

• Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 48

• Upgrade and Downgrade Instructions for Junos OSRelease 10.4for M Series, MX Series,

and T Series Routers on page 70

• Upgrade and Downgrade Instructions for Junos OSRelease 10.4for M Series, MX Series,

and T Series Routers on page 70

Upgrade and Downgrade Instructions for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

This section discusses the following topics:

•

Basic Procedure for Upgrading to Release 10.4 on page 71

•

Upgrading a Router with Redundant Routing Engines on page 73

•

Upgrading Juniper Network Routers Running Draft-Rosen Multicast VPN to Junos OS Release 10.1 on page 73

•

Upgrading the Software for a Routing Matrix on page 75

•

Upgrading Using ISSU on page 76

•

Upgrading from Junos OS Release 9.2 or Earlier on a Router Enabled for Both PIM and NSR on page 76

Page 71

Upgrade and Downgrade Instructions for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

•

Upgrade Policy for Junos OS Extended End-Of-Life Releases on page 77

•

Downgrade from Release 10.4 on page 78

Basic Procedure for Upgrading to Release 10.4

In order to upgrade to Junos OS 10.0 or later, you must be running Junos OS 9.0S2, 9.1S1,

9.2R4, 9.3R3, 9.4R3, 9.5R1, or later minor versions, or you must specify the no-validate option on the request system software install command.

When upgrading or downgradingthe Junos OS,always use the jinstall package. Use other packages (such as the jbundle package) only when so instructed by a Juniper Networks support representative. For information about the contents of the jinstall package and details of the installation process, see the Junos OS Installation and Upgrade Guide.

NOTE: You cannot upgrade by more than three releases at a time. For

example, if your routing platform is running Junos OS Release 10.0 you can upgrade to Junos OS Release 10.3 but not to Junos OS Release 10.4 As a workaround, first upgrade to Junos OS Release 10.3 and then upgrade to Junos OS Release 10.4.

NOTE: With Junos OS Release 9.0 and later, the compact flash disk memory requirement for Junos OS is 1 GB. For M7i and M10i routers with only 256 MB memory, see the Customer Support Center JTAC Technical Bulletin PSN-2007-10-001 at

https://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2007-10-001&actionBtn=Search.

NOTE: Before upgrading, back up the file system and the currently active Junos configuration so that you can recover to a known, stable environment in case the upgrade is unsuccessful. Issue the following command:

user@host> request system snapshot

The installation process rebuilds the file system and completely reinstalls the Junos OS. Configuration information from the previous software installation is retained, but the contents of log files might be erased. Stored files on the routing platform,such as configurationtemplates and shell scripts (the only exceptions are the juniper.conf and ssh files) might be removed. To preserve the stored files, copy them to another system before upgrading or downgrading the routing platform. For more information, see the Junos OS System Basics Configuration Guide.

Page 72

JUNOS OS 10.4 Release Notes

The download and installation process for Junos OS Release 10.4 is the same as for previous Junos OS releases.

If you are not familiar with the download and installation process, follow these steps:

1. Using a Web browser, follow the links to the download URL on the Juniper Networks

Web page. Choose either Canada and U.S. Version or Worldwide Version:

•

https://www.juniper.net/support/csc/swdist-domestic/ (customers in the United

States and Canada)

•

https://www.juniper.net/support/csc/swdist-ww/ (all other customers)

2. Log in to the Juniper Networks authentication system using the username (generally

your e-mail address) and password supplied by Juniper Networks representatives.

3. Download the software to a local host.

4. Copy the software to the routing platform or to your internal software distribution

site.

5. Install the new jinstall package on the routing platform.

NOTE: We recommend that you upgrade all software packages out of

band using the console because in-band connections are lost during the upgrade process.

Customers in the United States and Canada use the following command:

user@host> request system software add validate reboot

source/jinstall-10.4R1.9-domestic-signed.tgz

All other customers use the following command:

user@host> request system software add validate reboot

source/jinstall-10.4R1.9-export-signed.tgz

Replace source with one of the following values:

•

/pathname—For a software package that is installed from a local directory on the

router.

•

For software packages that are downloaded and installed from a remote location:

•

ftp://hostname/pathname

•

http://hostname/pathname

•

scp://hostname/pathname (available only for Canada and U.S. version)

The validate option validates the software package against the current configuration as a prerequisite to adding the software package to ensure that the router reboots successfully. This is the default behavior when the software package being added is a different release.

Page 73

Upgrade and Downgrade Instructions for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

Adding the reboot command reboots the router after the upgrade is validated and installed. When the reboot is complete, the router displays the login prompt. The loading process can take 5 to 10 minutes.

Rebooting occurs only if the upgrade is successful.

NOTE: After you install a Junos OS Release 10.4 jinstall package, you cannot

issue the request system software rollback command to return to the previously installed software. Instead you must issue the request system software add

validate command and specify the jinstall package that corresponds to the

previously installed software.

NOTE: Before you upgrade a router that you are using for voice traffic, you should monitor call traffic on each virtual BGF. Confirm that no emergency calls are active. When you have determined that no emergency calls are active, you can wait for nonemergency call traffic to drain as a result of graceful shutdown, or you can force a shutdown. For detailed information on how to monitor call traffic before upgrading, see the Junos OS Multiplay Solutions Guide.

Upgrading a Router with Redundant Routing Engines

If the router has two Routing Engines, perform a Junos OS installation on each Routing Engine separately to avoid disrupting network operation as follows:

1. Disable graceful Routing Engine switchover (GRES) on the master Routing Engine

and save the configuration change to both Routing Engines.

2. Install the new Junos OS release on the backup Routing Engine while keeping the

currently running software version on the master Routing Engine.

3. After making sure that the new software version is running correctly on the backup

Routing Engine, switch over to the backup Routing Engine to activatethe new software.

4. Install the new software on the original master Routing Engine that is now active as

the backup Routing Engine.

For the detailed procedure, see the Junos OS Installation and Upgrade Guide.

Upgrading Juniper Network RoutersRunning Draft-Rosen Multicast VPN to Junos OS Release 10.1

In releases prior to Junos OS Release 10.1, the draft-rosen multicast VPN feature implements the unicast lo0.x address configured within that instance as the source address used to establish PIM neighbors and create the multicast tunnel. In this mode, the multicast VPN loopback address is used for reverse path forwarding (RPF) route resolution to create the reverse path tree (RPT), or multicast tunnel. The multicast VPN loopback address is also used as the source address in outgoing PIM control messages.

Page 74

JUNOS OS 10.4 Release Notes

In Junos OS Release 10.1 and later, you can use the router’s main instance loopback (lo0.0) address (rather than the multicast VPN loopback address) to establish the PIM state for the multicast VPN. We strongly recommend that you perform the following procedure when upgrading to Junos OS Release 10.1 if your draft-rosen multicast VPN network includes both Juniper Network routers and other vendors’ routers functioning as provider edge (PE) routers. Doing so preservesmulticastVPN connectivity throughout the upgrade process.

Because Junos OS Release 10.1 supports using the router’s main instance loopback(lo0.0) address, it is no longer necessary for the multicast VPN loopback address to match the main instance loopback adddress lo0.0 to maintain interoperability.

NOTE: You might want to maintain a multicast VPN instance lo0.x address

to use for protocol peering (such as IBGP sessions), or as a stable router identifier, or to support the PIM bootstrap server function within the VPN instance.

Complete the following steps when upgrading routers in your draft-rosen multicast VPN network to Junos OS Release 10.1 if you want to configure the routers’s main instance loopback address for draft-rosen multicast VPN:

1. Upgrade all M7i and M10i routers to Junos OS Release 10.1 before you configure the

loopback address for draft-rosen Multicast VPN.

NOTE: Do not configure the new feature until all the M7i and M10i routers

in the network have been upgraded to Junos OS Release 10.1.

2. After you have upgraded all routers, configure each router’s main instance loopback

address as the source address for multicast interfaces. Include the default-vpn-source

interface-name loopback-interface-name] statement at the [edit protocols pim]

hierarchy level.

3. After you have configured the router’s main loopback address on each PE router,

delete the multicast VPN loopback address (lo0.x) from all routers.

We also recommend that you remove the multicast VPN loopback address from all PE routers from other vendors. In Junos OS releases prior to 10.1, to ensure interoperability with other vendors’ routers in a draft-rosen multicast VPN network, you had to perform additional configuration. Remove that configuration from both the Juniper Networks routers and the other vendors’ routers. This configuration should be on Juniper Networks routers and on the other vendors’ routers where you configured the lo0.mvpn address in each VRF instance as the same addressasthe main loopback (lo0.0) address.

This configuration is not required when you upgrade to Junos OS Release 10.1 and use the main loopback address as the source address for multicast interfaces.

Page 75

Upgrade and Downgrade Instructions for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

NOTE: To maintain a loopback address for a specific instance, configure

a loopback address value that does not match the main instance address (lo0.0).

For more information about configuring the draft-rosen Multicast VPN feature, see the Junos OS Multicast Configuration Guide.

Upgrading the Software for a Routing Matrix

A routing matrix can use either a TX Matrix router as the switch-card chassis (SCC) or a TX Matrix Plus router as the switch-fabric chassis (SFC). By default, when you upgrade software for a TX Matrix router or a TX Matrix Plus router, the new image is loaded onto the TX Matrix or TX Matrix Plus router (specified in the Junos OS CLI by using the scc or

sfc option) and distributed to all T640 routers or T1600 routers in the routing matrix

(specified in the Junos OS CLI by using the lcc option). To avoid network disruption during the upgrade, ensure the following conditions before beginning the upgrade process:

•

A minimum of free disk spaceand DRAM on each Routing Engine. The software upgrade will fail on any Routing Engine without the required amount of free disk space and DRAM. To determine the amount of disk space currentlyavailable on all Routing Engines of the routing matrix, use the CLI show system storage command. To determine the amount of DRAM currently available on all the Routing Engines in the routing matrix, use the CLI show chassis routing-engine command.

•

The master Routing Engines of the TX Matrix or TX Matrix Plus router (SCC or SFC) and T640 routers or T1600 routers (LCC) are all re0 or are all re1.

•

The backup Routing Engines of the TX Matrix or TX Matrix Plus router (SCC or SFC) and T640 routers or T1600 routers (LCC) are all re1 or are all re0.

•

All master Routing Engines in all routers run the same version of software. This is necessary for the routing matrix to operate.

•

All master and backup Routing Engines run the same version of software before beginning the upgrade procedure. Different versions of the Junos OS can have incompatible message formats especially if you turn on GRES. Because the steps in the process include changing mastership, running the same version of software is recommended.

•

For a routing matrix with a TX Matrix router, the same Routing Engine model is used within a TX Matrix router (SCC) and within a T640 router (LCC) of a routing matrix. For example, a routing matrix with an SCC using two RE-A-2000s and an LCC using two RE-1600s is supported. However, an SCC or an LCC with two different Routing Engine models is not supported. We suggest that all Routing Engines be the same model throughout all routers in the routing matrix. To determine the Routing Engine type, use the CLI show chassis hardware | match routing command.

•

For a routing matrix with a TX Matrix Plus router, the SFC contains two model RE-DUO-C2600-16G Routing Engines, and each LCC contains two model RE-DUO-C1800-8G Routing Engines.

Page 76

JUNOS OS 10.4 Release Notes

NOTE: It is considered best practice to make sure that all master Routing

Engines are re0 and all backup Routing Engines are re1 (or vice versa). For the purposes of this document, the master Routing Engine is re0 and the backup Routing Engine is re1.

To upgrade the software for a routing matrix, perform the following steps:

1. Disable graceful Routing Engine switchover (GRES) on the master Routing Engine

(re0) and save the configuration change to both Routing Engines.

2. Install the new Junos OS release on the backup Routing Engine (re1) while keeping

the currently running software version on the master Routing Engine (re0).

3. Load the new Junos OS on the backup Routing Engine. Aftermaking sure that the new

software version is running correctly on the backup Routing Engine (re1), switch mastership back to the original master Routing Engine (re0) to activate the new software.

4. Install the new software on the new backup Routing Engine (re0).

For the detailed procedure, see the Routing Matrix with a TX Matrix Feature Guide or the

Routing Matrix with a TX Matrix Plus Feature Guide.

Upgrading Using ISSU

Unified in-service software upgrade (ISSU) enablesyou to upgrade between two different Junos OS releases with no disruption on the control plane and with minimal disruption of traffic. Unified in-service software upgrade is only supported by dual Routing Engine platforms. In addition, graceful Routing Engine switchover (GRES) and nonstop active routing (NSR) must be enabled. For additional information about using unified in-service software upgrade, see the Junos High Availability Configuration Guide.

Upgrading from Junos OS Release 9.2 or Earlier on a Router Enabled for Both PIM and NSR

Junos OS Release 9.3 introduced NSR support for PIM for IPv4 traffic. However, the following PIM features are not currently supported with NSR. The commit operation fails if the configuration includes both NSR and one or more of these features:

•

Anycast RP

•

Draft-Rosen multicast VPNs (MVPNs)

•

Local RP

•

Next-generation MVPNs with PIM provider tunnels

•

PIM join load balancing

Junos OS 9.3 Release introduced a new configuration statement that disables NSR for PIM only, so that you can activate incompatible PIM features and continue to use NSR for the other protocols on the router: the nonstop-routing disable statement at the [edit

protocolspim] hierarchy level. (Note that this statementdisablesNSR for all PIM features,

not only incompatible features.)

Page 77

Upgrade and Downgrade Instructions for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

If neither NSR nor PIM is enabledon the routerto be upgraded or if one of the unsupported PIM features is enabled but NSR is not enabled, no additional steps are necessary and you can use the standard upgrade procedure described in other sections of these instructions. If NSR is enabled and no NSR-incompatible PIM features are enabled, use the standard reboot or ISSU procedures described in the other sections of these instructions.

Because the nonstop-routing disable statement was not available in Junos OS Release

9.2 and earlier, if both NSR and an incompatible PIM feature are enabled on a router to be upgraded from Junos OS Release 9.2 or earlier to a later release, you must disable PIM before the upgrade and reenable it after the router is running the upgraded Junos OS and you have entered the nonstop-routing disable statement. If your router is running Junos OS Release 9.3 or later, you can upgrade to a later release without disabling NSR or PIM–simply use the standard reboot or ISSU procedures described in the other sections of these instructions.

To disable and reenable PIM:

1. On the router running Junos OS Release 9.2 or earlier, enter configuration mode and

disable PIM:

[edit]

user@host# deactivate protocols pim

user@host# commit

2. Upgrade to Junos OS Release 9.3 or later software using the instructions appropriate

for the router type. Youcan either use the standard procedure with reboot or use ISSU.

3. After the router reboots and is running the upgraded Junos OS, enter configuration

mode, disable PIM NSR with the nonstop-routing disable statement,and then reenable PIM:

[edit]

user@host# set protocols pim nonstop-routing disable

user@host# activate protocols pim

user@host# commit

Upgrade Policy for Junos OS Extended End-Of-Life Releases

An expanded upgrade and downgrade path is now available for the Junos OS Extended End-of-Life (EEOL) releases. You can upgrade directly from one EEOL release to one of two adjacent later EEOL releases.You can also downgrade directly from one EEOL release to one of two adjacent earlier EEOL releases.

For example, Junos OS Releases 9.3, 10.0,and 10.4 are all EEOL releases. Youcan upgrade from Junos OS Release 8.5 directly to either 9.3 or 10.0. To upgrade from Release 8.5 to

10.4,you first need to upgrade to Junos OS release 9.3 or 10.0, and then upgrade a second time to 10.4. Similarly, you can downgrade directly from Junos OS Release 10.4 to either

10.0 or 9.3. To downgrade from release 10.4 to 8.5, you first need to downgrade to 10.0 or 9.3, and then perform a second downgrade to Release 8.5.

Page 78

JUNOS OS 10.4 Release Notes

For upgrades and downgrades to or from a non-EEOL release, the current policy is that you can upgrade and downgrade by no more than three releases at a time. This policy remains unchanged.

For more information on EEOL releases and to review a list of EEOL releases, see

http://www.juniper.net/support/eol/junos.html.

Downgrade from Release 10.4

To downgrade from Release 10.4 to another supported release, follow the procedure for upgrading, but replace the 10.4 jinstall package with one that corresponds to the appropriate release.

NOTE: Youcannot downgrade more than three releases. For example, if your

routing platform is running Junos OS Release 9.3, you can downgrade the software to Release 9.0 directly, but not to Release 8.5 or earlier; as a workaround, you can first downgrade to Release 9.0 and then downgrade to Release 8.5.

Documentation

For more information, see the Junos OS Installation and Upgrade Guide.

New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

•

on page 6

• Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX

Series, and T Series Routers on page 37

• Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 48

• Errata and Changes in Documentation for Junos OS Software Release 10.4 for M Series,

MX Series, and T Series Routers on page 66

Page 79

Junos OS Release Notes for Juniper Networks SRX Series Services Gateways and J Series Services Routers

Powered by Junos OS, Juniper Networks SRX Series Services Gateways provide robust networking and security services. SRX Series Services Gateways range from lower-end devices designed to secure small distributed enterprise locations to high-end devices designed to secure enterprise infrastructure, data centers, and server farms. The SRX Series Services Gateways include the SRX100, SRX210, SRX220, SRX240, SRX650, SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.

Juniper Networks J Series Services Routers running Junos OS provide stable, reliable, and efficient IP routing, WAN and LAN connectivity, and management services for small to medium-sized enterprise networks. These routers also provide network security features, including a stateful firewall with access control policies and screens to protect against attacks and intrusions, and IPsec VPNs. The J Series Services Routers include the J2320, J2350, J4350, and J6350 devices.

•

New Features in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 79

•

Advertising Bandwidth for Neighbors on a Broadcast Link Support on page 108

•

Group VPN Interoperability with Cisco’s GET VPN on page 108

•

Changes in Default Behavior and Syntax in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 109

•

Unsupported CLI on page 124

•

Known Limitations in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 133

•

Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 143

•

Errataand Changes in Documentationfor Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 166

•

Hardware Requirements for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 174

•

Maximizing ALG Sessions on page 176

•

Integrated Convergence Services Not Supported on page 176

•

Upgrade and Downgrade Instructions for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 177

New Features in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers

The following features have been added to Junos OS Release 10.4. Following the description is the title of the manual or manuals to consult for further information.

•

Software Features on page 80

•

Hardware Features—SRX210, SRX220, and SRX240 Services Gateways on page 100

Page 80

JUNOS OS 10.4 Release Notes

•

Hardware Features—SRX220 Services Gateway with Power Over Ethernet on page 101

•

Hardware Features—SRX1400 Services Gateway on page 104

•

Hardware Features—SRX3400 and SRX3600 Services Gateways on page 107

Software Features

Application Layer Gateways (ALGs)

•

Rewrite rule for DSCP at VoIP ALGs—This feature is supported on all SRX Series and J Series devices.

Differentiated Services Code Point (DSCP) is a modification of the type-of-service byte for class of service (CoS). Six bits of this byte are reallocated for use as the DSCP field, where each DSCP specifies a particular per-hop behavior that is applied to a packet.

A rewrite rule modifies the appropriate CoS bits in an outgoing packet to meet the requirements of the targeted peer. Each rewrite rule reads the current CosS value that is configured at the voice over IP (VoIP) Application Layer Gateway (ALG) level. Every packet that hits the VoIP ALG is marked by this CoS value.

You can configure a rewrite rule for a DSCP Differentiated Services (DiffServ) marker at the VoIP ALG level to address VoIP signaling and its respective Real-Time Transport Protocol (RTP) streams. You can configure the rewrite rule such that all VoIP traffic hitting the ALG gets a rewrite marker while its respective RTP/Real-Time Control Protocol (RTP/RTCP) traffic gets a different rewrite marker.

[Junos OS CLI Reference, Junos OS Integrated Convergence Services Configuration and Administration Guide]

Chassis Cluster

Increasing the number of zones and virtual routers—This feature is supported on SRX5600 and SRX5800 devices.

The maximum number of zones, virtual routers, and IFLs (IFLs only for chassis cluster mode) that can be configured on an SRX5800 device has been increased to 2000.

In a chassis cluster environment, as the number of logical interfaces is scaled upward, the time before triggering a failover needs to be increased accordingly. At maximum capacity on an SRX5600 or SRX5800 device, we recommend that you increase the configured time for failover detection to at least 5 seconds. [Junos OS CLI Reference]

Configuration Wizards

This feature is supported on SRX100, SRX210, SRX240, and SRX650 devices.

The J-Web interface now has a set of wizards that simplify the basic configuration of the SRX Series devices. The Setup wizard automatically appears when you first start the device or when it is in factory default mode and you point to the Web management URL. Three other wizards in the J-Web interface enable you to configure basic firewall policies, basic IPsec VPN settings, and basic NAT settings.

Page 81

New Features in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers

Flow and Processing

•

NetFlowV9 support —Thisfeature is supportedon SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices.

NetFlow Services Export Version 9 (NetFlow V9) provides an extensible and flexible method for using templates to observe packets on a router. Each template indicates the format in which the device exports data.

In Junos OS Release 10.4, PIC-based Netflow V9 is supported, along with Netflow V5 and V8, which were disabled in Junos OS Release 9.4. Routing Engine-based Netflow has been supported since Junos OS Release 9.4.

[Junos OS CLI User Guide, Junos OS Interfaces Configuration Guide for Security Devices]

•

Packet capture—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.

Packet capture is a datapath-debugging feature that helps you effectively create a filter for specific traffic and apply an action profile to the traffic. The action profile specifies a variety of actions at different processing units. One of the supported actions is packet dump, which sends the packet to the Routing Engine and stores it in propriety form. You can view the packets by entering the show security datapath-debug capture command.

The performance of packet capture is improved and is comparable to the trace performance.

[Junos OS Security Configuration Guide]

•

Screen logs—Screen log enhancement is supported on all SRX Series and J Series devices.

The new log format captures all required information in the screen log. This allows you to view all log information for a device instead of having to search through device-specific logs.

The new log structureis as follows:<67>1 2009-08-18T19:47:23.191srx5800-00 RT_IDS

- RT_SCREEN_TCP [junos@2636.1.1.1.2.26 attack-name="SYN flood Src-IP based!" source-address="112.0.0.110" source-port="80" destination-address="111.0.0.113" destination-port="3033" source-zone-name="mobiles" interface-name="reth1.112" action="alarm-without-drop"]

[Junos OS Security Configuration Guide]

Page 82

JUNOS OS 10.4 Release Notes

Integrated Convergence Services

The Integrated Convergence Services features listed in this section are supported on SRX220 devices that have high memory, Power over Ethernet (PoE), and media gateway capability in addition to existing support on SRX210 and SRX240 devices with Voice capability.

•

Accounting feature—You can configure Integrated Convergence Services to collect and generate accounting information for successful and unsuccessful voice subscriber transactions. The voice daemon generates and collects accounting data about calls made and received between Session Initiation Protocol (SIP), Foreign Exchange Station (FXS), and Foreign Exchange Office (FXO) stations.

You can use the accounting feature for calls made when the SRX Series media gateway (SRX Series MGW) is in control or when the SRX Series survivable call server (SRX Series SCS) is in control.

[Junos OS Integrated Convergence Services Configuration and Administration Guide]

•

Call park—The call park feature allows users to park an active call and pick up their call or that of another user later. To use the call park feature, you configure a primary logical extension, which you can think of as a parking lot. You must also configure a range of logical extensions following the primary one that are used to park individual calls.

When you handle a call, you can transfer it to the parking lot without the caller hearing the transfer process. When you park the call, you are told the logical extension number of the parking slot before your connection to the call is dropped. You or another user can pick up the call and resume the conversation from any phone by calling the extension number of the parking slot.

This featureis supported when the SRX Series SCS is in control. Under normal conditions when it is reachable, the peer call server provides this service if it is supported.

[Junos OS Integrated Convergence Services Configuration and Administration Guide]

•

Defining a SIP registrar address separate from the peer call server—By default, the SIP registrar and the peer call server (SIP server) are handled by the same service and therefore have the same address. Under these circumstances, the SRX Series MGW sends SIP REGISTRAR and INVITE messages to the IP address configured for the peer call server.

[Junos OS Integrated Convergence Services Configuration and Administration Guide]

•

Direct inward dialing lists—You can associate a list of direct inward dialing (DID) numbers with a trunk to be used for assignment to stations. You do not need to assign these DIDs to stations directly. The software assigns a DID number to a single station exclusively. If an incoming call is made to an unassigned DID number, it is directed to and handled by auto-attendant.

[Junos OS Integrated Convergence Services Configuration and Administration Guide]

•

Disabling SIP registration to the peer call server—The SRX Series MGW sends registration messages to the peer call server. For some network environments in which all media gateways are known to the peer call server, the SRX Series MGW is not

Page 83

New Features in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers

required to register to it. To do so could cause complications. For example, the peer call server could drop the registration message “silently,” that is, without informing the SRX Series MGW. In this case, the SRX Series MGW might retransmit the message, incurring unnecessary processing and adding to the network load.

When you configure peer call server information, you can disable transmission of the registration message to the peer call server to avoid these problems.

NOTE: Disabling transmission of the SRX Series MGW registration to the

peer call server does not disable registration of an FXS station to the SRX Series MGW on the device running Integrated Convergence Services.

[Junos OS Integrated Convergence Services Configuration and Administration Guide]

•

Disabling SIP registration to the proxy server—By default, Integrated Convergence Services SIP trunks register to the SIP service provider’s peer proxy server. For some SIP networks, the peer proxy server is informed about all SIP trunks that communicate with it. In such network environments, the SIP trunk does not need to send a REGISTER message to the peer proxy server. To do so would increase network load unnecessarily. To accommodate these network environments, you can configure the SIP trunk not to register to the peer proxy server.

[Junos OS Integrated Convergence Services Configuration and Administration Guide]

•

DSCP marking for RTP packets generated by SRX Series Integrated Convergence Services—Configure DSCP marking to set the desired DSCPbits for Real-Time Transport

Protocol (RTP) packets generated by SRX Series Integrated Convergence Services.

Differentiated Services code point (DSCP) bits are the 6-bit bitmap in the IP header used by devices to decide the forwarding priority of packet routing. When the DSCP bits of RTP packets generated by Integrated Convergence Services are configured, the downstream device can then classify the RTP packets and direct them to a higher priority queue in order to achieve better voice quality when packet traffic is congested. Juniper Networks devices provide classification, priority queuing, and other kinds of class-of-service (CoS) configuration under the CoS configuration hierarchy.

Note that the Integrated Convergence Services DSCP marking feature marks only RTP packets of calls that it terminates, which include calls to peer call servers and to peer proxy servers that provide SIP trunks. If a call is not terminated by Integrated Convergence Services, then DSCP marking does not apply.

To configure the DSCP marking bitmap for calls terminated by Integrated Convergence Services and the address of the peer call server or peer proxy server to which these calls are routed, use the media-policy statement at the [editservicesconverged-services] hierarchy level.

set services convergence-service service-class < name > dscp < bitmap > set services convergence-service service-classmedia-policy<name > term < term-name > from peer-address [< addresses >] set services convergence-service service-class media-policy < name > term then service-class < name >

[Junos OS Integrated Convergence Services Configuration and Administration Guide]

Page 84

JUNOS OS 10.4 Release Notes

•

Hunt group—A hunt group enables a group of users to handle calls collectively. A hunt group specifies a logical extension that outside parties can call. Member stations belonging to the hunt group are specified in a preconfigured station group. When a call comes in on the logical extension, the call is directed to the phone whose station is specified first in the preconfigured station group, and that phone rings. The next incoming call is directed to the second station specified in the station group and its phone rings, and so on.

To connect the call, the system hunts through the configured stations in order one at a time. It rings a phone up to the time limit that you specify beforeit tries the next phone in the configured order

This featureis supported when the SRX Series SCS is in control. Under normal conditions when it is reachable, the peer call server provides this service if it is supported.

[Junos OS Integrated Convergence Services Configuration and Administration Guide]

•

Interoperability with Microsoft and Cisco call servers and IP phones—This feature addresses SRX Series media gateway (SRX Series MGW) interoperability with Microsoft and Cisco call servers and IP phones, in addition to the current support for Avaya call servers and IP phones. This feature helps to provide a comprehensive joint enterprise communications offering.

[Junos OS Integrated Convergence Services Configuration and Administration Guide]

•

Pickup group—Pickup groups enable users to handle incoming calls collectively, as a group. Members of the same pickup group can answer incoming calls directed at any phone extension number within the group. When a phone is called, the first available agent takes the call, whether it comes in on their phone or another phone within the group. To pick up a call, the user dials the digits *8. After the user takes the call, the phone whose number was called no longer rings. Users can belong to one or more pickup groups concurrently.

The pickup group feature rings only one phone at a time. If the first phone tried is busy, the next one is tried, and so on. A pickup group can include up to 20 members, whose phones can be either analog or SIP, but not a mix of both.

This feature is supported when the SRX Series survivable call server (SRX Series SCS) is in control. Under normal conditions when it is reachable, the peer call server provides this service if it is supported.

[Junos OS Integrated Convergence Services Configuration and Administration Guide]

•

Ring group—A ring group can include up to five members. A ring group allows incoming calls to be handled by any member of the group. You configure a ring group with a logical extension that outside parties can call. Calls coming into the logical extension are forwarded to all phones simultaneously. The first member to answer the call takes it, and the phones of other members of the group stop ringing. A ring group can include both SIP and analog stations.

This featureis supported when the SRX Series SCS is in control. Under normal conditions when it is reachable, the peer call server provides this service if it is supported.

[Junos OS Integrated Convergence Services Configuration and Administration Guide]

Page 85

New Features in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers

Interfaces and Routing

•

1-Port Gigabit Ethernet SFP Mini-PIM—This feature is supported on SRX210, SRX220, and SRX240 devices.

Small form-factorpluggables (SFPs) are hot-pluggablemodularinterface transceivers for Gigabit and FastEthernet connections. Gigabit Ethernet SFP Mini-PIMs can be used in copper and optical environments.

The 1-Port Gigabit Ethernet SFP Mini-PIM interfaces a single Gigabit Ethernet device or a network. It supports a variety of transceivers with data speeds of 10 Mbps/100 Mbps/1 Gbps with extended LAN or WAN connectivity.

The 1-Port SFP Gigabit Ethernet mini-PIM supports the following features:

•

10 Mbps/100 Mbps/1 Gbps link speed

•

Half-duplex/full-duplex support

•

Autonegotiation

•

Encapsulations

•

MTU size of 1514 bytes (default) and 9010 bytes (jumbo frames)

•

Loopback

•

Online insertion and removal of transceivers

[Junos OS Interfaces Configuration Guide for Security Devices]

IPsec

•

Virtual router support for route-based VPNs—This feature is supported on all SRX Series and J Series devices.

This feature includes routing-instance support for route-based VPNs. You can now configure different subunits of the st0 interface in different routing instances. The following functions are supported for nondefault routing instances:

NOTE: IKE is not supported in a custom VR (virtual router).The IKE gateway

external interface must reside in the default virtual router (inet.0).

•

Manual key management

•

Transit traffic

•

Self-traffic

•

VPN monitoring

•

Hub-and-spoke VPNs

•

Encapsulating Security Payload (ESP) protocol

•

Authentication Header (AH) protocol

Page 86

JUNOS OS 10.4 Release Notes

•

Aggressive mode or main mode

•

st0 anchored on the loopback (lo0) interface

•

Maximum number of virtual routers supported on an SRX Series device

•

Applications such as Application Layer Gateway (ALG), Intrusion Detection and Prevention (IDP), and Unified Threat Management (UTM)

•

Dead peer detection (DPD)

•

Chassis cluster active/backup

•

OSPF over st0

•

RIP over st0

[Junos OS Administration Guide for Security Devices, Junos OS CLI Reference, Junos OS Security Configuration Guide]

IPv6 Support

•

Active/active chassis cluster—This feature is supported on all SRX Series and J Series devices.

In Junos OS Release 10.4, SRX Series and J Series devices running IP version 6 (IPv6) can be deployed in active/active (failover) chassis cluster configurations in addition to the existing support of active/passive (failover) chassis cluster configurations. [Junos OS Security Configuration Guide]

•

Address books and address sets in active/active chassis cluster—This feature is supported on all SRX Series and J Series devices.

This feature is supported in active/active chassis cluster configurations in addition to the existing support of active/passive chassis cluster configurations.

SRX Series and J Series devices running IP version 6 (IPv6) deployed in active/active (failover) chassis cluster configurations, the address book entries can include any combination of IPv4 addresses, IPv6 addresses, and Domain Name System (DNS) names.

To configure IPv6 address entries, specify an IPv6 address when you use the address statement at the [edit security zones security-zone name address-book] hierarchy level.

The address set configuration considers names of the address book entries, and not the IP addresses, so there are no additional considerationsrelated to IPv6 traffic. [Junos OS Security Configuration Guide]

•

Advanced flow—This feature is supported on all SRX Series and J Series devices.

IPv6 advanced flow adds IPv6 support for firewall, NAT, NAT-PT, multicast (local link and transit), IPsec, IDP, Junos framework, TCP proxy, and session manager on SRX Series and J Series devices. MIBs are not used in the IPv6 flow.

IPv6 security is available to avoid impact on the existing IPv4 system. If IPv6 security is enabled, extended sessions and gates are allocated. The existing address fields and

Page 87

New Features in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers

gates are used to store the index of extended sessions or gates. If IPv6 security is disabled, the IPv6 security related resources are not allocated.

New logs are used for IPv6 flowtrafficto prevent impact on performancein the existing IPv4 system.

The behavior and implementation of the IPv6 advanced flow are the same as those of the IPv4 flow.

Some of the differences are as follows:

•

Header parse—IPv6 advanced flow stops parsing the headers and interprets the packet as the corresponding protocol packet if it encounters the following extension headers:

•

TCP/UDP

•

ESP/AH

•

ICMPv6

IPv6 advanced flow continues parsing headers if it encounters the followingextension headers:

•

Hop-by-Hop

•

Routing and Destination, Fragment

IPv6 advanced flow interprets the packets as an unknown protocol packet if it encounters the extension header No Next Header.

•

Sanity checks—IPv6 advanced flow supports the following sanity checks:

•

TCP Length

•

UDP Length

•

Hop-by-Hop

•

IP data length error

•

Layer 3 sanity checks (for example, IP version and IP length)

•

ICMPv6 packets—In IPv6 advanced flow, the ICMPv6 packets share the same behavior as normal IPv6 traffic with the following exceptions:

•

Embedded ICMPv6 Packet

•

Path MTU message

•

Host inbound and outbound traffic—IPv6 advanced flow supports all route and management protocols running on the Routing Engine, including OSPF v3, RIPng, Telnet, and SSH. Note that flow label is not used in the flow.

•

Tunnel traffic—IPv6 advanced flow supports the following tunnel types:

Page 88

JUNOS OS 10.4 Release Notes

•

IPv4 IPIP

•

IPv4 GRE

•

IPv4 IPsec

•

Dual-stack lite

[Junos OS Security Configuration Guide]

•

DNS ALG for routing, NAT, and NAT-PT—This feature is supported on all SRX Series and J Series devices.

Domain Name System (DNS) is the part of the ALG that handles DNS traffic. The DNS ALG module has been working as expected for IPv4. In Junos OS Release 10.4, this feature implements IPv6 support on DNS ALG for routing, NAT, and NAT-PT.

When the DNS ALG receives a DNS query from the DNS client, a security check is done on the DNS packet. When the DNS ALG receives a DNS reply from the DNS server, a similar security check is done, and then the session for the DNS traffic closes.

When the DNS traffic works in NAT mode, the DNS ALG translates the public address in a DNS reply to a private address when the DNS client is on a private network, and similarly translates a private address to a public address when the DNS client is on a public network. When DNS traffic works in NAT-PT mode, the DNS ALG translates the IP address in a DNS reply packetbetween the IPv4 address and the IPv6 address when the DNS client is in an IPv6 network and the server is in an IPv4 network, and vice versa.

To support NAT-PT mode in a DNS ALG, the NAT module should support NAT-PT. [Junos OS Security Configuration Guide]

•

Dual-stack lite—This featureis supported on SRX650,SRX3400,SRX3600, SRX5600, and SRX5800 devices.

IPv6 dual-stack lite (DS-Lite) is a technology for maintaining connectivity between legacyIPv4 devices and networks despite a depleted IPv4 address pool and as a service provider networks transition to IPv6-only deployments.

DS-Lite allows IPv4 customers to continue accessing IPv4 internet content with minimum disruption to their home networks, while enabling IPv6 customers to access IPv6 content.

The DS-Lite deployment model consists of the following components:

•

Softwire Initiator (SI) in the DS-Lite home router (SI is not available in Junos release

10.4)

•

Softwire Concentrator (SC) in the DS-Lite carrier-grade Network Address Translation (NAT)

A softwire is a tunnel-over-IPv6 network. The SI finds the SC address, encapsulates an IPv4 packet, and transmits it across the softwire. The SC receives an IPv4 packet in the IPv6 softwire packet and decapsulates the IPv6 software packet to retrieve the inner IPv4 packet. Multiple SIs can have the same SC as the endpoint of the softwires.

Page 89

New Features in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers

The DS-Lite carrier-grade NAT performs IPv4-IPv4 address translations to multiple subscribers through a single global IPv4 address. Overlapping address spaces used by subscribers are disambiguated through the identification of tunnel endpoints.

A new command for displaying information on softwires, show security softwires, is available in Junos OS Release 10.4.

[Junos OS Security Configuration Guide Junos OS CLI Reference]

•

Firewall security policy in active/active chassis cluster—This feature is supported on all SRX Series and J Series devices.

This feature is now supported in active/active chassis cluster configurations in addition to the existing support of active/passive chassis cluster configurations.

The matching criteria for security policy rules is based on zones, address objects, and applications. To support security policy rules for IPv6 traffic, you have to configure zone and address objects with IPv6 values. You can also select IPv6 applications.

Note that in security policy rules, the meaning of the wildcard any has changed. When flow support is enabled for IPv6 traffic, the wildcard any matches any IPv4 or IPv6 address. In Junos OS Release 10.4, new wildcards are introduced to match any IPv4 or any IPv6 address: any-ipv4 and any-ipv6 in active/active chassis cluster. When flow support is not enabled for IPv6 traffic, any matches IPv4 addresses.

IPv6 support for IDP and UTM are not included in Junos OS Release 10.4.If your current security policy uses rules with any IP address wildcards and IDP and UTM features enabled,you will encounter configuration commit errors because IDP and UTM features do not support IPv6 addresses. To resolve these errors, modify the rule returning the error so that it uses the any-ipv4 wildcard, and create separate rules for IPv6 traffic that do not include IDP or UTM features. [Junos OS Security Configuration Guide]

•

Flow-based processing in active/active chassis cluster—This feature is supported on all SRX Series and J Series devices.

In Junos OS Release 10.4, we support IPv6 flow-based processing in active/active (failover) chassis cluster configurations in addition to the existing support of active/passive chassis cluster configurations.

IPv6 flow support enables processing of IPv6 traffic by the security features of SRX Series and J Series devices. IPv6 flow support is disabled by default, and IPv6 packets are dropped.

To enable flow-based processing for IPv6 traffic, modify the mode statement at the [edit security forwarding-options family inet6] hierarchy level.

The [show security flow session source-prefix] and [show security flow session

destination-prefix] commands you use to monitor session statistics now take IPv6

address arguments. In addition, the [show security flow session family (inet|inet6)] option is added to filter session statistics by protocol family.

[Junos OS CLI Reference, Junos OS Interfaces Configuration Guide for Security Devices, Junos OS Security Configuration Guide]

•

FTP ALG for routing—This feature is supported on all SRX Series and J Series devices.

Page 90

JUNOS OS 10.4 Release Notes

File Transfer Protocol (FTP) is the part of the ALG that handles FTP traffic. The PORT/PASV requests and corresponding 200/227 responses in FTP are used to announce the TCP port, which the host listens to for the FTP data connection.

EPRT/EPSV/229 commands are used for these requests and responses. FTP ALG supports EPRT/EPSV/229 already, but only for IPv4 addresses.

In Junos OS Release 10.4, EPRT/EPSV/229 commands are updated to support both IPv4 and IPv6 addresses.

[Junos OS CLI Reference, Junos OS Security Configuration Guide]

•

ICMP ALG for routing, NAT, and NAT-PT — This feature is supported on all SRX Series and J Series devices. ALGs support Internet Control Message Protocol version 6 (ICMPv6) an integral part of IPv6 that must be fully implemented by every IPv6 node. The ICMP ALG handles ICMP traffic by monitoring all ICMP messages and then performing the following actions:

•

Closes the session

•

Modifies the payload

In routing mode, the ICMP ALG closes a session if it receives one of the following message types:

•

Echo reply (type 129) message

•

Destination unreachable (type 1) error message

In Network Address Translation (NAT mode), the ICMP ALG performs the following actions:

•

Closes the session if it receives an echo reply (type 129) message or a destination unreachable (type 1) error message

•

Modifies the identifier or sequence number of the echo request

•

Retains the original identifier and sequence number for the echo reply

•

Translates the embedded IPv6 packet for the ICMPv6 error message

In a Network Address Translation-Protocol Translation (NAT-PT) environment, the ALG performs the following actions:

•

Closes the session if it receives an echo reply (type 129) message or a destination unreachable (type 1) error message

•

Translates an ICMPv4 ping message to an ICMPv6 ping message

•

Translates an ICMPv6 ping message to an ICMPv4 ping message

•

Translates an ICMPv4 error message to an ICMPv6 error message and translates its embedded IPv4 packet to an IPv6 packet

•

Translates an ICMPv6 error message to an ICMPv4 error message and translates its embedded IPv6 packet to an IPv4 packet

Page 91

New Features in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers

ICMP ALG drops ICMP traffic when translation from IPv4 and IPv6 is not possible. Note that ICMP ALG is always enabled and cannot be disabled by means of the command-line interface (CLI).

[Junos OS Security Configuration Guide]

•

Interfacesin active/active chassis cluster—Thisfeature is supported on all SRX Series and J Series devices.

A logical interface can be configured with an IPv4 address, IPv6 address, or both in active/active chassis cluster configurations in addition to the existing support of active/passive chassis cluster configurations.

To configure an IPv6 address for a logical interface, use the inet6 statement at the [edit interfaces interface-name unit logical-unit family] hierarchy level. [Junos OS Interfaces Configuration Guide for Security Devices]

•

Multicast flow—This feature is supported on all SRX Series and J Series devices.

The IPv6 multicast flow adds or enhances the following features:

•

IPv6 transit multicast, which includes the following packet functions:

•

Normal packet handling

•

Fragment handling

•

Packet reordering

•

Protocol-Independent Multicast version 6 (PIMv6) flow handling

•

Other multicast routing protocols such as Multicast Listener Discover (MLD)

The structure and processing of IPv6 multicast data session are the same as that of IPv4. Each data session has the following:

•

One template session

•

Several sessions

The reverse path forwarding (RPF) check behavior for IPv6 is the same as that of IPv4. Incoming multicast data is accepted only if RPF check succeeds. In IPv6 multicast flow, incoming Multicast Listener Discovery (MLD) protocol packets are accepted only if MLD or PIM is enabled in the security zone for the incoming interface. Sessions for multicast protocol packets have a default timeout value of 300 seconds. This value cannot be configured. The null register packet is sent to the rendezvous point.

In IPv6 multicast flow, a mulitcast router has the following three roles:

•

Designated router

•

Intermediate router

•

Rendezvous point

[Junos OS Class of Service Configuration Guide]

•

NAT—This feature is supported on all SRX Series and J Series devices.

Page 92

JUNOS OS 10.4 Release Notes

IPv6 Network Address Translation (IPv6 NAT) provides address translation between IPv6 hosts. NAT between IPv6 hosts is done in a similar manner and forsimilar purposes as IPv4 NAT. IPv6 NAT in Junos OS provides the following NAT types:

•

Source NAT

•

Destination NAT

•

Static NAT

[Junos OS Security Configuration Guide]

•

NAT-PT—This feature is supported on all SRX Series and J Series devices.

IPv6 Network Address Translation-Protocol Translation (NAT-PT) provides address and protocol translation between IPv4 and IPv6 addressed network devices. IPv6 NAT-PT supports both traditional NAT-PT and bidirectional NAT-PT. IPv6 NAT-PT supports Internet Control Message Protocol (ICMP), TCP, and UDP protocol packets. [Junos OS Security Configuration Guide]

•

Packet filtering—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.

The packet-filteringoptions for IPv6 addresses and IPv6 style source prefix, destination prefix, and interface is supported in addition to the existing functionality of IPv4 datapath-debug.

[Junos OS Security Configuration Guide, Junos OS CLI Reference]

•

Screens—This feature is now supported on all SRX Series and J Series devices.

IPv6 support is extended for the following screen features:

•

Syn-flood/syn-proxy/syn-cookie

•

Syn-ack-ack-proxy

•

Ip-spoofing

[Junos OS Security Configuration Guide]

•

Zone configuration in active/active chassis cluster—This feature is supported on all SRX Series and J Series devices.

In Junos OS Release 10.4, SRX Series and J Series devices running IP version 6 (IPv6) can be deployed in active/active chassis cluster configurations with security zone configuration in addition to the existing support of active/passive chassis cluster configurations.

The security zone configuration considers names of the interfaces, and not the IP addresses, hence there are no additional considerations related to the zone interface configuration.

You can also use the zone configurationto explictlypermit inbound trafficfrom network system services and system protocols. Note that you can now use the host inbound traffic configuration to permit traffic from the following IPv6-related services and protocols: DHCPv6, neighbor discovery (ND) protocol, OSPF3, and RIPng. [Junos OS Security Configuration Guide]

Page 93

New Features in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers

J-Web

•

IPv6 addressing support for J-Web—This feature is supported on SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices.

J-Web now supports IPv6 addressing configuring security features such as policies, zones, screens, address books, host inbound system services, protocols, and flow-forwarding options.

The following pages have been enhanced:

•

Zones/Screens Configuration page

•

Security Policy Configuration page

•

Security Policy Element Configuration page

•

Security Flow Element Configuration page

•

J-Web Chassis View—The changes and enhancements to the J-Web Chassis View apply to SRX1400 devices.

The following enhancements have been made to the J-Web Chassis View on the Dashboard:

•

Displaysthe front or rear panel view of the device and shows which slotsare occupied. When you insert or removea card, the Chassis View reflects the change immediately.

•

Port colors change to indicate the port link status. For example, the ge port lights steadily green when the port is up and red when the port is down.

•

Displays Help tips when your hover the mouse over a port.

Page 94

JUNOS OS 10.4 Release Notes

Point-to-Point Protocol over Ethernet (PPPoE)

•

R2CP radio-to-router protocol support—This feature is supported on all SRX Series and

J Series devices.

Junos OS Release 10.4 supports the Network Centric Waveform (NCW) radio-specific radio-to-router control protocol (R2CP), which is similar to the PPPoE radio-to-router protocol. Both of these protocols exchange dynamic metric changes in the network that the routers use to update the OSPF topologies.

In radio-router topologies, the router connects to the radio over a Gigabit Ethernet link and the radio transmits packets over the radio frequency (RF) link. The radio periodically sends metrics to the router, which uses RF link characteristics and other data to inform the router on the shaping and OSPF link capacity. The router uses this information to shape the data traffic and provide the OSPF link cost for its SPF calculations. The radio functions like a Layer 2 switch and can only identify remote radio-router pairs using Layer 2 MAC addresses. With R2CP the router receives metrics for each neighboring router, identified by the MAC address of the remote router. The R2CP daemon translates the MAC addresses to link the local IPv6 addresses and sends the metrics for each neighbor to OSPF. Processing these metrics is similar to the handling of PPPoE PADQ metrics. Unlike PPPoE, which is a point-to-point link, these R2CP neighbors are treated as nodes in a broadcast LAN.

You must configure each neighbor node with a per-unit scheduler for CoS.The scheduler context defines the attributes of Junos class-of-service(CoS). To define CoS for each radio, you can configure virtual channels to limit traffic. You need to configure virtual channels for as many remote radio-router pairs as there are in the network. You configure virtual channels on a logicalinterface. You can configure each virtual channel to have a set of eight queues with a scheduler and an optional shaper. When the radio initiates the session with a peer radio-router pair, a new session is created with the remote MAC address of the router and the VLAN over which the traffic flows. Junos OS chooses from the list of free virtual channels and assigns the remote MAC and the eight CoS queues and the scheduler to this remote MAC address. All traffic destined to this remote MACaddress is subjected to the CoS that is defined in the virtual channel.

A virtual channel group is a collection of virtual channels. Each radio can have only one virtual channel group assigned uniquely. If you have more than one radio connected to the router, you must have one virtual channel group for each local radio-to-router pair.

Although a virtual channel group is assigned to a logical interface, a virtual channel is not the same as a logical interface. The only features supported on a virtual channel are queuing, packet scheduling, and accounting. Rewrite rules and routing protocols apply to the entire logical interface.

[LN1000 Mobile Secure Router User Guide]

Page 95

New Features in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers

Security

•

Display multiple policy matches—This feature is supported on all SRX Series and J Series devices.

The addition of the result-count option in Junos OS Release 10.4 extends the functionality of the show security match-policies command and lets you display up to 16 policy matches for the given set of criteria. The first policy in the list is the policy applied to all matching traffic. All policies after the first one are shadow policies (shadowed by the first one) and are not encountered. [Junos OS Security Configuration Guide]

•

DHCPv6 server—This feature is supported on all SRX Series and J Series devices.

Dynamic Host Configuration Protocolversion6 (DHCPv6) local server is now supported on all SRX Series and J Series devices to provide addressing for IPv6 clients.

Some features include:

•

Configuration for a specific interface or a group of interfaces

•

Stateless Address Autoconfiguration (SLAAC)

•

Prefix delegation, including access-internal route installation

•

DHCPv6 server groups

To configure DHCPv6 local server on a device, you include the DHCPv6 statement at the [edit system services dhcp-local-server] hierarchy level. The DHCPv6 address pool is configured in the [edit access address-assignment pool] hierarchy level using the family inet6 statement.

NOTE: Existing DHCPv4 configurations in the [edit system services dchp]

hierarchy will not be impacted when upgrading to 10.4, or by adding a DCHPv6 configuration.

[Junos OS Administration Guide for Security Devices, Junos OS CLI Reference]

•

On-box reporting—This feature is supported on SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices.

On-box reporting offers a comprehensive reporting facility where your security management team can spot a security event when it occurs, immediately access and review pertinent details about the event, and quickly decide appropriate remedial action.

J-Web reports provide summary graphics of current security events, Web traffic, and resource utilization. When event activity occurs, you can quickly drill down to detailed information about the specific item.

In Junos OS Release 10.4, on-box reporting capabilities include:

•

Real-time threat event monitoring

•

Dynamic visuals for quick threat identification, tracking, and analysis

Page 96

JUNOS OS 10.4 Release Notes

•

Event-specific drill-down to determine traffic characteristics and policy rule matches

•

Composite reports of recent threats or traffic

[Junos OS Administration Guide for Security Devices]

•

Optional CP Session Capacity Expansion on Fully Configured Devices—This feature is supported on SRX3400, SRX3600, and SRX5800 devices.

The session capacity for the central point (CP) for fully configured SRX3400, SRX3600, and SRX5800 devices can be expanded as shown in the following list.

Maximum Concurrent CP Sessions on a Fully Loaded System

SRX Series Devices With Expanded CapacityDefault

3 million2.25 millionSRX3400

6 million2.25 millionSRX3600

14.0 million12.5 millionSRX5800

On an SRX3400 or SRX3600 device, you expand the maximum CP session capacity by installing the SRX3K-EXTREME-LTU license.

On an SRX5800 device, you expand the maximum CP session capacity by specifying the maximize-cp-sessions optimization option in the edit security forwarding-process

application-services command. Using this optimization technique precludes other

optimization methods, disables advanced GTP processing, and reduces routing capacity to 100K prefixes.

[Junos OS Security Configuration Guide]

SNMP

•

SNMP enterprise-specific MIBs—This feature is supported on all SRX Series and J Series devices.

Junos OS Release 10.4 adds support for enterprise-specific MIBs for the SRX1400 device.

[SRX1400, SRX3400, and SRX3600 Services Gateways MIB Reference]

SRX Series Image Upgrade Using a USB Device

•

This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices.

The SRX Series Image Upgrade using a USB device feature simplifies the upgrading of Junos OS images in cases where there is no console access to an SRX Series device located at a remote site. This feature allows you to upgrade the Junos OS image with minimum configuration effort by simply inserting a USB flash drive into the USB port of the SRX Series device and performing a few simple steps.

NOTE: USB upgrades are not supported on chassis clusters.

Page 97

New Features in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers

Before you begin the installation, ensure the following prerequisites are met:

•

Junos OS upgrade image and autoinstall.conf file are copied to the USB device.

•

Adequate space is available on the SRX Series device to install the software image.

To use a USB flash drive to install the Junos OS image on an SRX Series device:

1. Insert the USB flash drive into the USB port of the SRX Series device and wait for

the LEDs to blink amber, then steadily light amber, indicating that the SRX Series device detects the Junos OS image.

If the LEDs do not turn amber, press the Power button or power-cycle the device and wait for the LEDs to steadily light amber.

2. Press the Reset Config button on the SRX Series device and wait for the LEDs to

turn green, indicating that the Junos OS upgrade image has successfully installed.

If the USB device is plugged in, the Reset Config button always performs as an image upgrade button. Any other functionality of this button is overridden until you remove the USB flash drive.

3. Remove the USB flash drive. The SRX Series device restarts automatically and

loads the new Junos OS version.

NOTE: If an installationerror occurs, the LEDs light red, which might indicate

that the Junos OS image on the USB flash drive is corrupted. An installation error can also occur if the current configuration on the SRX Series device is not compatible with the new Junos OS version on the USB. You must haveconsoleaccesstothe SRX Series device to troubleshootan installation error.

[Junos OS Administration Guide for Security Devices]

VPNs

•

IKE and IPsec predefined proposals for dynamic VPN—This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices.

In earlier releases, the administrators had to configure individual Internet KeyExchange (IKE) and IP Security (IPsec) proposals for all IKE and IPsec policy configurations. This procedure was tedious and time consuming when the administrators had to configure many VPN policies because they had to configure custom proposals for all IKE and IPsec configurations.

Junos OS Release 10.4 supports proposal-set configuration in IKE and IPsec; the administrator can select basic, compatible,or standard proposal sets for dynamic VPN clients. Each proposal set consists of two or more predefined proposals. The server selects one predefined proposal from the set configured and pushes it to the client in the client configuration. The client uses this proposal in negotiations with the server to establish the connection.

Page 98

JUNOS OS 10.4 Release Notes

The default values for IKE and IPsec security association (SA) rekey timeout are as follows:

•

For IKE SA, the rekey timeout is 28800 seconds.

•

For IPsec SA, the rekey timeout is 3600 seconds.

The basic use cases of proposals are as follows:

•

IKE and IPsec both use proposal sets.

The server selects a predefined proposal from the proposal set and sends it to the client, along with the default rekey timeout value.

•

IKE uses a proposal set, and IPsec uses a custom proposal.

The server sends a predefined IKE proposal from the configured IKE proposal set to the client, along with the default rekey timeout value. For IPsec, the server sends the setting that is configured in the IPsec proposal.

•

IKE uses a custom proposal, and IPsec uses a proposal set.

The server sends a predefined IPsec proposal from the configured IPsec proposal set to the client, along with the default rekey timeout value. For IKE, the server sends the setting that is configured in the IKE proposal.

NOTE: If IPsec uses the standardproposal set and perfect forwardsecrecy

(PFS) is not configured, then the default PFS is set as group2. For other proposal sets, PFS will not be set because it is not configured.

[Junos OS CLI Reference, Junos OS Security Configuration Guide]

•

Local authentication and IP address assignment for dynamic VPN—This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices.

A client application sends an authentication request and a request for an IP address on behalf of an unauthenticated client at the same time. The communicationbetween the client and AUTHD is minimized because the IP address request is not sent as a separate message.

After successful local authentication, AUTHD performs the following tasks:

•

Assigns the address from the predefined (or statically assigned) address pools if the address matches the criteria specified by the client application.

•

Assigns attributes such as wins server and name-server address.

•

Updates the associated client entry in the session database.

Note: For client applications that rely on a RADIUS or other external server for authentication, AUTHD might not assign IP addresses.

Page 99

New Features in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers

This feature is used to perform the following:

•

Assign an IP address to the client after successful authentication.

•

Provide a mechanism in AUTHD for linking an address pool to a client profile and assigning an IP address to the client from the pool.

•

Provide a mechanism in AUTHD for assigning IP version 4 (IPv4) addresses to the users.

•

Provide different IP addresses for multiple logins by the same user.

•

Allow configuration changes in the address pool after address assignment.

Address pools are defined at the [edit access address-assignment] hierarchy.

[Junos OS CLI Reference, Junos OS Administration Guide for Security Devices]

•

Local IP address management for VPN XAuth support—This feature is supported on SRX100, SRX210, SRX240, SRX650, J4350, and J6350 devices.

When you configure extended authentication (XAuth), you must enter the username and password, after the Internet Key Exchange (IKE) phase 1 security association (SA) is established. AUTHD verifies the credentials received from you.

After successful authentication, AUTHD sends the following network parameters to IKE or XAuth:

•

IP address

•

Domain Name System (DNS)

•

Windows Internet Naming Service (WINS)

The IP address can be drawn from a locally configured IP address pool. AUTHD requires IKE or XAuth to release the IP address when it is no longer in use.

IKE provides a mechanism for establishing IP Security (IPsec) tunnels.

[Junos OS CLI User Guide, Junos OS Security Configuration Guide]

•

Support group Internet Key Exchange(IKE) IDs for dynamic VPN configuration —This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices.

The existing design of the dynamic virtual private network (VPN) uses unique Internet Key Exchange (IKE) ID for each user connection. For each user, VPN needs to be configured with an individual IKE gateway, an IPsec VPN, and a security policy using the IPsec VPN. This is cumbersome when there are a large number of users. The design is modified to allow a number of users to share a set of IKE or IPsec VPN (or policy configuration) using shared-ike-id or group-ike-id. This reduces the number of times the VPN needs to be configured.

The shared-ike-id and group-ike-id allow you to configure VPN once for multiple users.

All users connecting through a shared-ike-id configuration use the same IKE ID and presharedkey. The user credentialsare verified in the extended authentication (XAuth)

Page 100

JUNOS OS 10.4 Release Notes

phase of AUTHD. The credential of a user is configured either in Radius or in the access database of AUTHD.

When using group-ike-id or shared-ike-id for user connection management and licensing, the users on the client PC must use the same user credentials for both WebAuthandXAuth login (that is, the two client login windows) to prevent undesirable behavior and incorrect CLI output on the server.

NOTE: We recommend that you use group-ike-id whenever possible.

For group-ike-id, a part of the configuration for a user IKE ID is common to the group. The IKE ID is the concatenation of an individual part and the common part of IKE ID. For example, a user can use a group-ike-id configuration with a common part ".juniper.net" and the individual part “X”. The IKE ID can be "X.juniper.net". Httpd-gk generates the individual part of the IKE ID.

The group-ike-id does not require extended authentication (XAuth). However, for dynamic VPN, XAuth is needed to retrieve the network attributes such as IP address for the client. Therefore, if XAuth is not configured for group-ike-id and the administrator uses the IKE gateway in a dynamic VPN client, a warning message appears.

This feature introduces new commands for ike sa and dynamic-vpn and new options in the IKE Gateway Add/Edit page of J-Web.

[Junos OS CLI Reference, Junos OS Security Configuration Guide]

Hardware Features—SRX210, SRX220, and SRX240 Services Gateways

AX411 Access Point Support on SRX220 Services Gateways

SRX220 Services Gateways running Junos OS Release 10.4R1 or later releases support the AX411 Access Point in the same manner as do the SRX210, SRX240, and SRX650 Services Gateways. Support for the SRX220 Services Gateway is not documented in the

AX411 Access Point Hardware Guide or in the WLAN Configuration and Administration Guide, but wherever those guides indicate support for the SRX210 Services Gateway,

that support applies to the SRX220 Services Gateway as well.

1-Port Small Form-Factor Pluggable (SFP) Gigabit Ethernet Mini-Physical Interface Module (Mini-PIM)

The 1-Port Small Form-Factor Pluggable (SFP) Gigabit Ethernet Mini-Physical Interface Module (Mini-PIM) complements the on-board 10/100/1000 Mbps Ethernet interfaces with extended LAN or WAN connectivity. It offers support for a variety of transceivers.

This Mini-PIM can be used in copper and optical environments to provide maximum flexibilitywhen upgrading from an existing infrastructure to Metro Ethernet. This Mini-PIM is supported on the following devices:

•

SRX210 Services Gateway

•

SRX220 Services Gateway

•

SRX240 Services Gateway

Juniper JUNOS OS 10.4 - RELEASE NOTES, JUNOS OS 10.4 Release Note

Specifications and Main Features

Frequently Asked Questions

User Manual