Juniper JUNOS OS 10.4 - RELEASE NOTES REV 5, JUNOS OS 10.4 Release Note

Junos® OS 10.4 Release Notes
Release 10.4R1 04 February 2011 Revision 5
These release notes accompany Release 10.4R1 of the Junos operating system (Junos OS). They describe device documentation and known problems with the software. Junos OS runs on all Juniper Networks M Series, MX Series, and T Series routing platforms, SRX Series Services Gateways, J Series Services Routers, and EX Series Ethernet Switches.
You can also find these release notes on the Juniper Networks Junos OS Documentation Web page, which is located at http://www.juniper.net/techpubs/software/junos.
Contents
Junos OS Release Notes for Juniper Networks M Series Multiservice Edge Routers, MX Series Ethernet Service Routers, and T Series Core Routers
  New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
    Class of Service
    Interfaces and Chassis
    Junos OS XML API and Scripting
    Layer 2 Ethernet Services
    MPLS Applications
    Multicast
    MX Series
    Routing Policy and Firewall Filters
    Routing Protocols
    Services Applications
    Subscriber Access Management
    System Logging
    VPNs
  Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
    Class of Service
    Forwarding and Sampling
    Interfaces and Chassis
    Junos OS XML API and Scripting
    MPLS Application
    Platform and Infrastructure
    Routing Protocols
Copyright © 2011, Juniper Networks, Inc.
    Services Applications
    Subscriber Access Management
    User Interface and Configuration
    VPNs
  Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
    Current Software Release
    Previous Releases
  Errata and Changes in Documentation for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
    Changes to the Junos OS Documentation Set
    Errata
  Upgrade and Downgrade Instructions for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
    Basic Procedure for Upgrading to Release 10.4
    Upgrading a Router with Redundant Routing Engines
    Upgrading Juniper Network Routers Running Draft-Rosen Multicast VPN to Junos OS Release 10.1
    Upgrading the Software for a Routing Matrix
    Upgrading Using ISSU
    Upgrading from Junos OS Release 9.2 or Earlier on a Router Enabled for Both PIM and NSR
    Upgrade Policy for Junos OS Extended End-Of-Life Releases
    Downgrade from Release 10.4
Junos OS Release Notes for Juniper Networks SRX Series Services Gateways and J Series Services Routers
  New Features in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
    Software Features
    Hardware Features—SRX210, SRX220, and SRX240 Services Gateways
    Hardware Features—SRX220 Services Gateway with Power Over Ethernet
    Hardware Features—SRX1400 Services Gateway
    Hardware Features—SRX3400 and SRX3600 Services Gateways
  Advertising Bandwidth for Neighbors on a Broadcast Link Support
  Group VPN Interoperability with Cisco’s GET VPN
  Changes in Default Behavior and Syntax in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
    Application Identification
    Application Layer Gateways (ALGs)
    AppSecure
    Command-Line Interface (CLI)
    Configuration
    Dynamic VPN
    Flow and Processing
    Installation
    Integrated Convergence Services
    Interfaces and Routing
    Intrusion Detection and Prevention (IDP)
    J-Web
    Management and Administration
    Multilink
    Power over Ethernet (PoE)
    Security
    Virtual LANs (VLANs)
    Wireless LAN (WLAN)
  Unsupported CLI
    Accounting-Options Hierarchy
    AX411 Access Point Hierarchy
    Chassis Hierarchy
    Class-of-Service Hierarchy
    Ethernet-Switching Hierarchy
    Firewall Hierarchy
    Interfaces CLI Hierarchy
    Protocols Hierarchy
    Routing Hierarchy
    Services Hierarchy
    SNMP Hierarchy
    System Hierarchy
    IPv6 and MVPN CLI
  Known Limitations in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
    AppSecure
    Chassis Cluster
    Command-Line Interface (CLI)
    DOCSIS Mini-PIM
    Dynamic Host Configuration Protocol (DHCP)
    Dynamic VPN
    Flow and Processing
    Hardware
    Interfaces and Routing
    Intrusion Detection and Prevention (IDP)
    IPv6 support
    J-Web
    NetScreen-Remote
    Network Address Translation (NAT)
    Point-to-Point Protocol over Ethernet (PPPoE)
    Security
    SNMP
    Switching
    Unified Threat Management (UTM)
    VPNs
    Wireless LAN (WLAN)
  Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
    Outstanding Issues In Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
    Resolved Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
  Errata and Changes in Documentation for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
    Changes to the Junos OS Documentation Set
    Errata for the Junos OS Documentation
    Errata for the Junos OS Hardware Documentation
  Hardware Requirements for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
    Transceiver Compatibility for SRX Series and J Series Devices
    Power and Heat Dissipation Requirements for J Series PIMs
    Supported Third-Party Hardware
    J Series CompactFlash and Memory Requirements
  Maximizing ALG Sessions
  Integrated Convergence Services Not Supported
  Upgrade and Downgrade Instructions for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
    Upgrade Policy for Junos OS Extended End-Of-Life Releases
Junos OS Release Notes for EX Series Switches
  New Features in Junos OS Release 10.4 for EX Series Switches
    Hardware
    Bridging, VLANs, and Spanning Trees
    Class of Service (CoS)
    Fibre Channel over Ethernet
    High Availability
    Infrastructure
    Management and RMON
    Packet Filters
    Virtual Chassis
  Changes in Default Behavior and Syntax in Junos OS Release 10.4 for EX Series Switches
    Bridging, VLANs, and Spanning Trees
    Class of Service
  Limitations in Junos OS Release 10.4 for EX Series Switches
    Access Control and Port Security
    Bridging, VLANs, and Spanning Trees
    Class of Service
    Ethernet Switching
    Firewall Filters
    Hardware
    High Availability
    Infrastructure
    Interfaces
    J-Web Interface
    Spanning Tree Protocols
    Virtual Chassis
  Outstanding Issues in Junos OS Release 10.4 for EX Series Switches
    Access Control and Port Security
    Bridging, VLANs, and Spanning Trees
    Ethernet Switching
    Firewall Filters
    Hardware
    Infrastructure
    J-Web Interface
    Layer 2 and Layer 3 Protocols
    Management and RMON
    Virtual Chassis
  Resolved Issues in Junos OS Release 10.4 for EX Series Switches
    Access Control and Port Security
    Ethernet Switching
    Hardware
    Infrastructure
    Interfaces
    J-Web Interface
    Layer 2 and Layer 3 Protocols
    Management and RMON
    Virtual Chassis
  Errata in Documentation for Junos OS Release 10.4 for EX Series Switches
    J-Web Interface
    Virtual Chassis
  Upgrade and Downgrade Instructions for Junos OS Release 10.4 for EX Series Switches
    Upgrading Software
    Upgrade Policy for Junos OS Extended End-Of-Life Releases
    Upgrading or Downgrading from Junos OS Release 9.4R1 for EX Series Switches
    Upgrading from Junos OS Release 9.3R1 to Release 10.4 for EX Series Switches
Junos OS Documentation and Release Notes
Documentation Feedback
Requesting Technical Support
Revision History
Junos OS Release Notes for Juniper Networks M Series Multiservice Edge Routers, MX Series Ethernet Service Routers, and T Series Core Routers
New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
Errata and Changes in Documentation for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
Upgrade and Downgrade Instructions for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
The following features have been added to Junos OS Release 10.4. Following the description is the title of the manual or manuals to consult for further information.
Class of Service
Hierarchical policer functionality extended to Modular Interface Cards (MICs) (MX Series routers)—Provides hierarchical policer feature parity with Enhanced Intelligent Queuing (IQE) PICs. This is useful in provider edge applications using aggregate policing for general traffic and when applying a separate policer for premium traffic on a logical or physical interface.
Hierarchical policing on MICs supports the following features:
Ingress traffic is first classified into premium and non-premium traffic before a policer is applied.
The hierarchical policer contains two policers: premium and aggregate.
Premium traffic is policed by both the premium policer and the aggregate policer. While the premium policer rate-limits premium traffic, the aggregate policer only decrements the credits but does not drop packets. Non-premium traffic is rate-limited by the aggregate policer only, resulting in the following behavior:
Premium traffic is assured to have the bandwidth configured for the premium policer.
Non-premium traffic is policed to the specified rate limit.
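The two-policer behavior described above can be modeled with a pair of token buckets. This is an added illustration, not Juniper code or part of the release notes; the rates, burst sizes, constructed traffic pattern, and the choice to stop aggregate credits at zero are assumptions.

```python
"""Token-bucket model of a hierarchical (premium + aggregate) policer.

Added illustration only: rates, burst sizes, the traffic pattern and the
rule that aggregate credits stop at zero are assumptions, not Junos values.
"""

SCALE = 1000  # credits are kept in 1/1000 byte so millisecond refills stay exact


class TokenBucket:
    def __init__(self, rate_bytes_per_s, burst_bytes):
        self.rate = rate_bytes_per_s
        self.depth = burst_bytes * SCALE
        self.credits = self.depth  # bucket starts full
        self.last_ms = 0

    def refill(self, now_ms):
        # rate [bytes/s] * elapsed [ms] is exactly the credit earned in 1/1000 byte
        earned = self.rate * (now_ms - self.last_ms)
        self.credits = min(self.depth, self.credits + earned)
        self.last_ms = now_ms

    def conforms(self, size):
        return self.credits >= size * SCALE

    def debit(self, size):
        # Assumption: credits floor at zero; a debit alone never causes a drop.
        self.credits = max(0, self.credits - size * SCALE)


class HierarchicalPolicer:
    def __init__(self, premium, aggregate):
        self.premium = premium
        self.aggregate = aggregate

    def offer(self, now_ms, size, is_premium):
        """Return True if the packet is forwarded, False if it is dropped."""
        self.premium.refill(now_ms)
        self.aggregate.refill(now_ms)
        if is_premium:
            # Only the premium policer decides the fate of premium traffic.
            if not self.premium.conforms(size):
                return False
            self.premium.debit(size)
            # The aggregate policer is charged for it but does not drop it.
            self.aggregate.debit(size)
            return True
        # Non-premium traffic is rate-limited by the aggregate policer only.
        if not self.aggregate.conforms(size):
            return False
        self.aggregate.debit(size)
        return True


def constructed_traffic(other_per_tick, other_first=False, ticks=10, size=500):
    """Constructed sample: every 100 ms, one premium packet plus N other packets."""
    packets = []
    for tick in range(ticks):
        now_ms = tick * 100
        premium = [(now_ms, size, True)]
        other = [(now_ms, size, False)] * other_per_tick
        packets += (other + premium) if other_first else (premium + other)
    return packets


def simulate(packets, premium=(2000, 1000), aggregate=(5000, 1000)):
    """Run time-ordered (ms, bytes, is_premium) packets; return byte totals."""
    policer = HierarchicalPolicer(TokenBucket(*premium), TokenBucket(*aggregate))
    totals = {"premium_passed": 0, "premium_dropped": 0,
              "other_passed": 0, "other_dropped": 0}
    for now_ms, size, is_premium in packets:
        traffic_class = "premium" if is_premium else "other"
        verdict = "passed" if policer.offer(now_ms, size, is_premium) else "dropped"
        totals[f"{traffic_class}_{verdict}"] += size
    return totals


if __name__ == "__main__":
    print("balanced load:     ", simulate(constructed_traffic(1)))
    print("non-premium flood: ", simulate(constructed_traffic(5, other_first=True)))
```

In both runs the premium class forwards the same number of bytes, which is the assured-bandwidth property: a flood of non-premium traffic can exhaust the aggregate credits but cannot take bandwidth from the premium policer.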
For a list of supported MICs, refer to:
http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/reference/general/mic-mx-series-supported.html.
The logical-interface-policer and physical-interface-policer statements provide additional hierarchical policer parameters beyond those of the IQE PICs.
You can apply the policer at the inet, inet6, or mpls family level, as follows:
[edit interfaces ge-0/1/0 unit 0 family (inet | inet6 | mpls)]
input-hierarchical-policer Test-HP;
By making a hierarchical policer a logical-interface-policer, you can achieve aggregation within a logical interface. A hierarchical policer configured as a physical-interface-policer supports aggregation within a physical interface. Please note that you still apply the hierarchical policer at the interface and traffic of the families that do not have the hierarchical policer will be policer. This is different from IQE PICs, where you apply a hierarchical policer at the logical or physical interface.
For hierarchical policing of all traffic through a logical interface, a hierarchical policer can be made a logical-interface-policer and applied to all families in the logical interface. Similarly, you can achieve aggregation at the physical interface level.
[Network Interfaces, Class of Service, Policy]
DSCP classification for VPLS at the ingress PE (M320 with Enhanced Type III FPC and M120)—Enables you to configure DSCP classification for VPLS at an ingress PE for encapsulation types vlan-vpls (IQ2 or IQ2E PICs) or ATM II IQ PIC. To configure, define the DSCP classifier at the [edit class-of-service classifiers dscp dscp-name] hierarchy level and apply the DSCP classifier at the [edit interfaces at-fpc-pic-port unit-logical-unit-number classifiers] hierarchy level. The ATM interface must be included in the routing instance.
[Class of Service]
Interfaces and Chassis
Extend support for 64-bit Junos OS to include RE-1800 Series Routing Engines (M120, M320, MX960, MX480, and MX240 routers)—Supported Routing Engines include:
RE-1800x2-A—Supports 64-bit Junos OS on M120 and M320 routers.
RE-1800x2-S—Supports 64-bit Junos OS on MX240, MX480, and MX960 routers.
RE-1800x4-S—Supports 64-bit Junos OS on MX240, MX480, and MX960 routers.
[System Basics]
Ethernet encapsulation for ATM scheduler (M7i, M10i, M120, and M320 [with Enhanced III FPC] routers)—Enables support for the configuration of an ATM scheduler map on an Ethernet VPLS over a bridged ATM interface.
[Network Interfaces]
Synchronous Ethernet (SyncE) on MX80 routers and MX Series routers with MPCs—Supports the Ethernet synchronization messaging channel (ESMC), G.8264-like clock selection mechanism, and external clocking on MX80 routers and MX Series routers with MPCs. Wireless backhaul and wireline transport services are the primary applications for these features.
The following features are supported:
On MX80 routers and MX Series routers, MPCs based on G.8261 and G.8262. This feature does not work on the fixed configuration version of the MX80 routers.
All Ethernet type ports are supported on MX80 routers and MX Series routers with MPCs
ESMC support as per G.8264
CLI command selection of clock sources
Monitoring clock sources (maximum of two clock sources can be monitored simultaneously)
Revertive and nonrevertive modes
To configure SyncE, include the synchronization statement and its substatements at the [edit chassis] hierarchy level.
[Network Interfaces, Interfaces Command Reference]
Enhanced container interface allows ATM children for containers—M Series and T Series routers with ATM2 PICs automatically copy the parent container interface configuration to the children interfaces. Container interfaces do not go down during APS switchovers, thereby shielding upper layers. This feature allows the various ATM features to work over the container ATM for APS.
To specify ATM children within a container interface, use the container-list cin statement and (primary | standby) option at the [edit interface at-fpc/pic/slot container] hierarchy level.
To configure a container interface, including its children, use the cin statement and its options at the [edit interface ci-n] hierarchy level.
Container ATM APS does not support inter-chassis APS. MLPPP over ATM CI is also not supported.
[Network Interfaces]
Signaling neighboring routers of fabric down on T1600 and T640 routers—The signaling of neighboring routers is supported when a T640 or T1600 router is unable to carry traffic due to all fabric planes being taken offline for one of the following reasons:
CLI or offline button pressed
Automatically taken offline by the SPMB due to high temperature.
PIO errors and voltage errors detected by the SPMB CPU to the SIBs.
The following scenarios are not supported by this feature:
All PFEs get destination errors on all planes to all destinations, even with the SIBs staying online.
Complete fabric loss caused by destination timeouts, with the SIBs still online.
When chassisd detects that all fabric planes are down, the router reboots all FPCs in the system. When the FPCs come back up, the interfaces will not be created again, since all fabric planes are down.
Once you diagnose and fix the cause of all fabric planes going down, you must then bring the SIBs back online. Bringing the SIBs back online brings up the interfaces.
Fabric down signaling to neighboring routers offers the following benefits:
FPCs reboot when the control plane connection to the Routing Engine times out.
Extends a simple approach to reboot FPCs when the dataplane blacks out.
When the router transitions from a state where SIBs are online or spare to a state where no SIBs are online, all the FPCs in the system are rebooted. An ERRMSG indicates if all fabric planes are down, and the FPCs will reboot if any fabric planes do not come up in 2 minutes.
An ERRMSG indicates the reason for FPC reboot on fabric connectivity loss.
The chassisd daemon traces when an FPC comes online, but a PIC attach is not done because no fabric plane is present.
A CLI warning that the FPCs will reboot is issued when the last fabric plane is taken offline.
You will need to bring the SIBs online after determining why the SIBs were not online. When the first SIB goes online, and link training with the FPCs completes, the interfaces will be created.
Fabric down signaling to neighboring routers functionality is available by default, and no user configuration is required to enable it.
No new CLI commands or alarms are introduced for this feature. Alarms are already implemented for when the SIBs are not online.
[Network Interfaces, System Basics]
New enterprise-specific MIB to support digital optical monitoring (MX960, MX480, MX240, and 10-Gigabit Ethernet LAN/WAN PIC with XFP on T640 and T1600 routers)—Junos OS Release 10.4 introduces JUNIPER-DOM-MIB, a new enterprise-specific MIB to extend MIB support for digital optical monitoring.
JUNIPER-DOM-MIB supports the SNMP Get request for statistics and SNMP Trap notifications for alarms.
JUNIPER-DOM-MIB is part of the JUNIPER-SMI MIB hierarchy level.
The following MIB objects are supported by JUNIPER-DOM-MIB for digital optical monitoring:
jnxDomCurrentTable
jnxDomAlarmSet
jnxDomAlarmCleared
[SNMP MIBs and Traps Reference]
Transition of IPv4 traffic to IPv6 addresses using Dual Stack Lite (DS-Lite)—Adds support for DS-Lite, a means for transitioning IPv4 traffic to IPv6 addresses. This transition will become necessary as the supply of unique IPv4 addresses nears exhaustion. New subscriber homes are allocated IPv6 addresses and IPv6-capable equipment; DS-Lite provides a method for the private IPv4 addresses behind the IPv6 equipment to reach the IPv4 network. An IPv4 host communicates with a NAT endpoint over an IPv6 network using softwires. DS-Lite creates the IPv6 softwires that terminate on the services PIC. Packets coming out of the softwire can then have other services such as NAT applied on them.
[Services Interface, System Basics and Services Command Reference]
Support for SONET/SDH OC48/STM16 Enhanced IQ (IQE) PIC with SFP (M320, MX240, MX480, MX960, T640 and T1600 routers)—Supports a 4-port SONET/SDH OC48 Enhanced IQ (IQE) PIC (Type 3) with per data-link connection identifier (DLCI) queuing. Supported FPCs include T640-FPC3-ES, M320-FPC3-E3, and MX-FPC3. Class of service (CoS) enables enhanced egress queuing, buffering, and traffic shaping.
CoS supports eight queues per logical interface, a per-unit scheduler, and two shaping rates: a Committed Information Rate (CIR) and Peak Information Rate (PIR) per data-link connection identifier (DLCI). Other CoS features include, but are not restricted to, sharing of excess bandwidth among logical interfaces, five levels of priorities (including Strict High), ingress behavior aggregate (BA) classification, queue rate-limit policer, ingress rewrite, egress rewrite, and a forwarding class to queue remapping per DLCI.
The SONET/SDH OC48/STM16 PIC supports CoS features similar to those in IQ2E PICs, in terms of behavior and configuration statements. This PIC supports the following Layer 2 protocols: PPP, Frame Relay, and Cisco HDLC encapsulations.
For more information, see the PC-4OC48-STM16-IQE-SFP documentation for your router:
SONET/SDH OC48/STM16 Enhanced IQ (IQE) PIC with SFP (T1600 Router)
SONET/SDH OC48/STM16 Enhanced IQ (IQE) PIC with SFP (T640 Router)
SONET/SDH OC48/STM16 Enhanced IQ (IQE) PIC with SFP (MX Series Routers)
SONET/SDH OC48/STM16 Enhanced IQ (IQE) PIC with SFP (M320 Router)
[PIC Guide, Network Interfaces, Class of Service]
IPv6 statistics from IQ2 and IQ2E PICs on M320 routers with Enhanced III FPCs and T Series routers—Support statistical accounting for IPv6 traffic traversing the IQ2 and
IQ2E PICs on M320 routers with Enhanced III FPCs and T Series routers.
For IQ2 and IQ2E PIC interfaces, the IPv6 traffic that is reported will be the total statistics (sum of local and transit IPv6 traffic) in the ingress and egress direction. The IPv6 traffic in the ingress direction will be accounted separately only if the IPv6 family is configured for the logical interface.
Statistics are maintained for routed IPv6 packets in the egress direction.
Byte and packet counters are maintained in the ingress and egress direction.
Differences in IPv6 statistics for IQ2 interfaces and all other interfaces are as follows:
IQ2 and IQ2E PIC interfaces report the total statistics for the IPv6 traffic. For other interfaces, the transit statistics are reported.
IQ2 and IQ2E PIC interfaces report all IPv6 traffic received on the logical interface. For all other interfaces, only the routed traffic is accounted.
IQ2 and IQ2E PIC interfaces report IPv6 statistics for the Layer 2 frame size. For all other interfaces, the Layer 3 packet size is accounted.
The IPv6 statistics can be viewed by logging in to the individual IQ2 PIC or IQ2E PIC, or by using the CLI.
Local statistics are not accounted separately.
To display total IPv6 statistics for IQ2 and IQ2E PICs, use the show interfaces extensive command.
NOTE: The reported IPv6 statistics do not account for the traffic manager drops in egress direction or the Packet Forwarding Engine/traffic manager drops in the ingress direction. Transit statistics are not accounted separately because the IQ2 and IQ2E PICs cannot differentiate between transit and local statistics.
[Network Interfaces]
100-Gigabit Ethernet PIC interoperability with VLAN steering—Supports interoperability with similar PICs from other vendors using a VLAN steering forwarding option. Previously, the PICs required interconnection to the same model PIC. Interoperability with interfaces from other vendors was not supported. Junos OS Release 10.4 introduces a new VLAN steering algorithm to configure 100-Gigabit Ethernet PIC interoperation with similar interfaces from other vendors.
Two packet forwarding modes exist under the forwarding-mode statement. SA multicast mode, for proprietary connection of two Juniper Networks 100-Gigabit Ethernet PICs, uses the Ethernet header SA MAC address multicast bit to steer the packets to the appropriate PFE. VLAN steering mode allows the PIC to connect to non-Juniper Networks equipment. On ingress, the PIC compares the outer VLAN ID against a user-defined VLAN ID and VLAN mask combination and steers the packet accordingly. Modifying the forwarding mode config reboots the PIC.
VLAN steering overview:
In VLAN steering mode, the SA multicast bit is not used for packet steering.
In SA multicast bit steering mode, VLAN ID and VLAN mask configuration is not used for packet steering.
Configuration of packet forwarding mode and VLAN steering mode uses CLI commands that result in a PIC reboot.
There are three tag types for ingress packets:
Untagged ingress packet–The packet is sent to PFE1.
Ingress packet with one VLAN–The packet forwards based on the VLAN ID.
Ingress packet with two VLANs–The packet forwards based on the outer VLAN ID.
VLAN rules describe how the router forwards packets. For VLAN steering, you must use one of the two rules available in the CLI:
Odd-even rule–Odd number VLAN IDs go to PFE1; even number VLAN IDs go to PFE0.
High-low rule–1 through 2047 VLAN IDs go to PFE0; 2048 through 4096 VLAN IDs go to PFE1.
When configured in VLAN steering mode, the PIC can be configured in two physical interface mode or in aggregated Ethernet (AE) mode:
Two physical interface mode–When the PIC is in two physical interface mode, it creates physical interfaces et-x/0/0:0 and et-x/0/0:1. Each physical interface can configure its own logical interface and VLAN. CLI enforces the following restrictions on commit:
The VLAN ID configuration must comply with the selected VLAN rule.
The previous restriction implies that the same VLAN ID cannot be configured on both physical interfaces.
AE mode–In AE mode, the two physical interfaces on the same PIC are aggregated into one AE physical interface. PIC egress traffic is based on the AE internal hash algorithm. PIC ingress traffic steering is based on the customized VLAN ID rule. CLI enforces the following restrictions on commit:
The PIC AE working in VLAN steering mode includes both links of this PIC, and only the links of this PIC.
The PIC AE working in SA multicast steering mode can include more than one PIC to achieve more than 100-gigabit capacity.
To configure the PIC forwarding mode, include the forwarding-mode statement and its options at the [edit chassis fpc number pic number] hierarchy level.
[Network Interfaces]
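The ingress tag handling and the two VLAN rules described above for VLAN steering mode can be modeled as follows. This is an added example, not Juniper code: the function names, the TPID set, the treatment of VLAN ID 0 as low, and the mapping of physical interface et-x/0/0:N to PFE N in the commit check are assumptions of the example.

```python
import struct

# Assumption: these two TPIDs mark a VLAN tag on ingress (the page names none).
VLAN_TPIDS = {0x8100, 0x88A8}
UNTAGGED_PFE = 1  # from the page: an untagged ingress packet is sent to PFE1


def build_frame(*vlan_tags, ethertype=0x0800):
    """Build a constructed test frame; vlan_tags are (tpid, vlan_id), outer first."""
    frame = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    for tpid, vlan_id in vlan_tags:
        frame += struct.pack("!HH", tpid, vlan_id & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + bytes(46)


def outer_vlan_id(frame):
    """Return the outer VLAN ID of an Ethernet frame, or None if it is untagged."""
    if len(frame) < 14:
        raise ValueError("frame is shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype not in VLAN_TPIDS:
        return None
    if len(frame) < 16:
        raise ValueError("frame ends inside the outer VLAN tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF  # low 12 bits of the tag control field


def pfe_for_vlan(vlan_id, rule):
    """Apply one of the two VLAN rules from the page and return the PFE number."""
    if vlan_id < 0:
        raise ValueError("VLAN ID cannot be negative")
    if rule == "odd-even":
        return 1 if vlan_id % 2 else 0  # odd -> PFE1, even -> PFE0
    if rule == "high-low":
        # Page: 1 through 2047 -> PFE0, 2048 and above -> PFE1.
        # Assumption: VLAN ID 0, which the page does not cover, counts as low.
        return 0 if vlan_id <= 2047 else 1
    raise ValueError("rule must be 'odd-even' or 'high-low'")


def steer(frame, rule):
    """Pick the PFE for an ingress frame: untagged, one VLAN, or two VLANs."""
    vlan_id = outer_vlan_id(frame)
    return UNTAGGED_PFE if vlan_id is None else pfe_for_vlan(vlan_id, rule)


def commit_check(rule, vlans_by_port):
    """Model the commit restrictions of two physical interface mode.

    vlans_by_port maps N (for et-x/0/0:N) to the VLAN IDs configured on it.
    Assumption: port N is served by PFE N; the page does not state the mapping.
    Returns the (port, vlan_id) pairs that do not comply with the rule.
    """
    errors = []
    for port, vlans in sorted(vlans_by_port.items()):
        for vlan_id in vlans:
            if pfe_for_vlan(vlan_id, rule) != port:
                errors.append((port, vlan_id))
    return errors


if __name__ == "__main__":
    double_tagged = build_frame((0x88A8, 3001), (0x8100, 100))
    print("double-tagged, odd-even ->", steer(double_tagged, "odd-even"))
    print("same VLAN on both ports ->", commit_check("high-low", {0: [10], 1: [10]}))
```

Because each rule sends a given VLAN ID to exactly one PFE, configuring the same VLAN ID on both physical interfaces always leaves one of them out of compliance, which is the second restriction listed for two physical interface mode.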
New control queue disable feature (T Series routers with 10-Gigabit Ethernet PIC with oversubscription)—Provides a new CLI statement for disabling the control queue feature for the 10-Gigabit Ethernet PIC with oversubscription. To disable the control queue, use the no-pre-classifier statement at the [chassis] hierarchy level.
When the no-pre-classifier statement is set, the control queue feature will be disabled for all ports on that 10-Gigabit Ethernet PIC with oversubscription. Deleting this configuration results in the control queue feature being re-enabled on all the ports of that PIC.
[edit chassis]
fpc 2 {
    pic 0 {
        no-pre-classifier;
    }
}
NOTE:
1. This feature is applicable in both oversubscribed and line-rate modes.
2. The control queue feature is enabled by default in both oversubscribed
and line-rate modes, which can be overridden by the user configuration.
3. CLI show commands remain unchanged. When the control queue is
disabled, various show queue commands continue to show the control queue in the output. However, all control queue counters are reported as zeros.
4. Enabling or disabling the control queue feature results in the PIC being
bounced (offline/online).
Once the control queue feature is disabled, then the Layer 2 and Layer 3 control packets are subject to queue selection based on the BA classification. However, the following control protocol packets are not classified using BA classification, as they might not have a VLAN, MPLS, or IP header:
Untagged ARP packets
Untagged Layer 2 control packets such as LACP or Ethernet OAM
Untagged IS-IS packets
When the control queue feature is disabled, untagged ARP/IS-IS and other untagged Layer 2 control packets will go to the restricted queue corresponding to the forwarding class associated with queue 0.
[Network Interfaces]
Junos OS XML API and Scripting
New Junos OS XML API operational request tag elements—Table 1 on page 13 shows
the Junos OS Extensible Markup Language (XML) operational request tag elements that are new in Junos OS Release 10.4 along with the corresponding CLI command and response tag element for each one.
Table 1: Junos OS XML Tag Elements and CLI Command Equivalents New in Junos OS Release 10.4
Request Tag Element | CLI Command | Response Tag Element
<request-dhcpv6-server-reconfigure-information> request_dhcpv6_server_reconfigure_information | request dhcpv6 server reconfigure | NONE
<request-license-update> request_license_update | request system license update | NONE
<request-package-nonstop-upgrade> request_package_nonstop_upgrade | request system software nonstop-upgrade | NONE
<get-amt-statistics> get_amt_statistics | show amt statistics | <amt-instance-statistics>
<get-amt-summary> get_amt_summary | show amt summary | <amt-summary>
<get-amt-tunnel-information> get_amt_tunnel_information | show amt tunnel | <amt-tunnel-information>
<get-rps-chassis-information> get_rps_chassis_information | show chassis redundant-power-supply | <rps-chassis-information>
<get-bios-version-information> get_bios_version_information | show chassis routing-engine bios | NONE
<get-cos-congestion-notification-information> get_cos_congestion_notification_information | show class-of-service congestion-notification | <cos-congestion-notification-information>
<get-firewall-log-information> get_firewall_log_information | show firewall filter version | <firewall-information>
<get-interface-information> get_interface_information | show ingress-replication | <ingress-replication-information>
<get-isis-context-identifier-origin-information> get_isis_context_identifier_origin_information | show isis context-identifier | <isis-context-identifier-information>
<get-isis-database-information> get_isis_database_information | show isis context-identifier identifier | <isis-context-identifier-origin-information>
<get-mpls-cspf-information> get_mpls_cspf_information | show mpls context-identifier | <mpls-context-identifier-information>
<get-authentication-pending-table> get_authentication_pending_table | show network-access domain-map statistics | <domain-map-statistics>
<get-ospf-database-information> get_ospf_database_information | show ospf context-identifier | <ospf-context-id-information>
<get-rps-power-supply-information> get_rps_power_supply_information | show redundant-power-supply led | <rps-led-information>
<get-rps-status-information> get_rps_status_information | show redundant-power-supply power-supply | <rps-power-supply-information>
<get-rps-version-information> get_rps_version_information | show redundant-power-supply status | <rps-status-information>
<get-rip-general-statistics-information> get_rip_general_statistics_information | show redundant-power-supply version | <rps-version-information>
<get-idp-policy-template-information> get_idp_policy_template_information | show security idp policy-commit-status | <idp-policy-commit-status>
<get-service-border-signaling-gateway-charging-status> get_service_border_signaling_gateway_charging_status | show services border-signaling-gateway charging statistics | <bsg-charging-statistics>
<get-service-bsg-denied-messages> get_service_bsg_denied_messages | show services border-signaling-gateway charging status | <bsg-charging-status>
<get-services-l2tp-radius-accounting-statistics-information> get_services_l2tp_radius_accounting_statistics_information | show services l2tp destination | <service-l2tp-destination-information>
<get-service-softwire-statistics-information> get_service_softwire_statistics_information | show services sessions | <msp-session-table>
<get_service_sfw_conversation_information> get_service_sfw_conversation_information | show services softwire | <service-softwire-table-information>
<get_service_sfw_flow_analysis_information> get_service_sfw_flow_analysis_information | show services softwire flows | <service-fwnat-flow-table-information>
<get_service_sfw_flow_table_information> get_service_sfw_flow_table_information | show services softwire statistics | <service-softwire-statistics-information>
<get_service_sfw_sip_register-information> get_service_sfw_sip_register_information | show services stateful-firewall flow-analysis | <service-sfw-flow-analysis-information>
<get_synchronous_ethernet_esmc-statistics> get_synchronous_ethernet_esmc-statistics | show synchronous-ethernet esmc statistics | <clock-synchronization-statistics>
<get_synchronous_ethernet_esmc_transmit> get_synchronous_ethernet_esmc_transmit | show synchronous-ethernet esmc transmit | <clock-synchronization-esmc-transmit>
<get_synchronous_ethernet_global_information> get_synchronous_ethernet_global_information | show synchronous-ethernet global-information | NONE
<get_system_resource_cleanup_processes_information> get_system_resource_cleanup_processes_information | show system relay group | <relay-group-information>
<get_rollback_information> get_rollback_information | show system relay member | <relay-group-member>
<get_dhcp_binding_information> get_dhcp_binding_information | show system relay summary | <relay-summary>
<clear_synchronous_ethernet_esmc_statistics> clear_synchronous_ethernet_esmc_statistics | clear synchronous-ethernet esmc statistics | <clock-synchronization-clear-output>
Layer 2 Ethernet Services
Feature support for Trio 3D MPCs and MICs (MX Series routers)—Enables you to configure the following features through Junos OS Release 9.1: load balancing, Ethernet OAM IEEE 802.1ag Phase 4 MIP support, LLDP, BPDU guard and loop guard, IRB support for interworking of LDP-VPLS and BGP-VPLS, BGP multihoming for Inter-AS VPLS, VPLS Ethernet as a core-facing interface, and limitations on next-hop flooding.
[Layer 2 Configuration]
Ethernet CFM support on Trio 3D MPCs and MICs (MX Series routers)—Enables support for Ethernet connectivity fault management (CFM) defined by IEEE 802.1ag for family bridge interfaces. However, MEP configuration is not supported on aggregated Ethernet interfaces.
[Layer 2 Configuration]
MPLS Applications
MPLS support on services PICs—Adds MPLS label pop support for services PICs on Junos OS routers. Previously all MPLS traffic would be dropped at the services PIC. No changes are required to CLI configurations for this enhancement. In-service software upgrade (unified ISSU) is supported for tag next hops for MPLS on services PIC traffic, but no support is provided for tags over IPv6 packets or labels on multiple gateways.
[MPLS]
Adding descriptions for bypass LSP—You can now add text describing a bypass LSP using the description option at the [edit protocols rsvp interface interface-name link-protection bypass bypass-lsp-name] hierarchy level. Enclose any descriptive text that includes spaces in quotation marks (" "). Any descriptive text you include is displayed in the output of the show rsvp session bypass command and has no effect on the operation of the bypass LSP.
[MPLS]
Multicast
Nonstop active routing PIM support for IPv6—Starting with Release 10.4, Junos OS extends the nonstop active routing support for Protocol Independent Multicast (PIM), which is already supported on IPv4, to include the IPv6 address families. The extension of nonstop active routing PIM support to IPv6 enables IPv6 routers to maintain self-generation IDs, multicast session states, dynamic interface states, list of neighbors, and RPSets across Routing Engine switchovers.
The nonstop active routing support for PIM on IPv6 is similar to the nonstop active routing PIM support on IPv4 except for the following:
Nonstop active routing support for PIM on IPv6 supports an embedded rendezvous point (RP) on non-RP routers.
Nonstop active routing support for PIM on IPv6 does not support auto-RP, as auto-RP is not supported on IPv6.
For more information about nonstop active routing PIM support on IPv4 and IPv6, see the Junos OS High Availability Configuration Guide.
[High Availability, Multicast]
MX Series
Support for MX Series—While these features have been available on the MX Series routers in the past, we have now qualified the following features on the Trio chipset.
For MPLS, RSVP, and LDP:
BFD session failure action for LDP LSPs (including ECMP)
RSVP Graceful Restart interop with Cisco using Nodal Hello support
Failure action on BFD session down of RSVP LSPs in JUNOS
RSVP transit
L3VPN testing using RSVP
NSR: RSVP ingress
BFD via LDP
For Multicast:
OSPF
OSPF Database Protection
RFC 4136 OSPF Refresh and Flooding Reduction in Stable Topologies
PIM SSM in provider space (Draft-Rosen 7)
NG MVPN - PIM-SSM I-PMSI and deployment scenario testing
MVPN C-PIM in plain ASM mode
NGEN MVPN hub and spoke support with GRE S-PMSI transport
PIM Join suppression support
Translating PIM states to IGMP/MLD messages
Disable PIM for IPv6 via CLI
IPv6 multicast support over L3VPNs
PIM neighbor should be maintained wherever possible
Data MDT SAFI (draft-rosen-l3vpn-mvpn-profiles)
Inter-provider Option A support with Rosen 7
Rosen 7 interoperability with Cisco IOS
For VPNs:
VPLS: Configurable label block size (min 2)
Interoperate LDP-VPLS and BGP-VPLS with FEC 128
LDP-VPLS
Interprovider VPLS Option "E": EBGP redistribution of labeled routes
Miscellaneous:
Support to commit configuration from op/event scripts
Per PFE per packet load balancing
Next Hop Handling Enhancements (Phase 3)
Support local-as alias hidden command
MIB Enhancements for Manual Bypass Tunnel Management
ISIS LFA
Improve IGMPv3 performance using bulk updates
Improve IGMPv3 performance using bulk updates - with snooping
Allow ASM group override of SSM ranges
Routing Policy and Firewall Filters
New routing policy system log message—Junos OS Release 10.3 supports a new routing policy system log message. The RPD_PLCY_CFG_NH_NETMASK system log message provides information about ignored netmasks. If you have a policy statement with a term that contains a next-hop address with a netmask, the netmask is ignored. The following sample shows the new system log message (depending on your network configuration, the type of message you see might be different):
Jun 18 11:22:43 pro5-d rpd[1403]: RPD_PLCY_CFG_NH_NETMASK: Netmask ignored for
next hop: 10.0.0.1/24.
[System Log Messages Reference]
Support for displaying the firewall filter version information—You can display the version number of the firewall filter installed in the Routing Engine. The initial version number is 1 and increments by one when you modify the firewall filter settings or an associated prefix action. To show the version number of the installed firewall filter, use the show firewall filter version operational mode command.
[Routing Protocols and Policies Command Reference]
Routing Protocols
Point-to-multipoint (P2MP) LSP load balancing across aggregated Ethernet links (M Series except M320)—Enables you to load-balance VPLS multicast and P2MP
multicast traffic over link aggregation. This feature also re-load-balances traffic after a change in the next-hop topology. Next-hop topology changes might include but are not limited to:
Layer 2 membership change in the link aggregation
Indirect next-hop change
Composite next-hop change
No new configuration is required to configure this feature. The load balancing over aggregated links is automatically enabled with this release. For a sample topology and configuration example, see Junos OS Policy Framework Configuration Guide.
[Policy]
Support for disabling traps for passive OSPFv2 interfaces—You can now disable interface state change traps for passive OSPF interfaces. Passive OSPF interfaces advertise address information as an internal OSPF route, but do not run the actual protocol. If you are only interested in receiving notifications for active OSPF interfaces, disabling traps for passive OSPF interfaces reduces the number of notifications received and processed by the SNMP server. This allows you to more quickly and easily scan the logs for potential issues on active OSPF interfaces.
To disable and stop receiving notifications for state changes in a passive OSPF interface, include the no-interface-state-traps statement at the following hierarchy levels:
[edit logical-systems logical-system-name protocols ospf area area-id interface interface-name]
[edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf area area-id interface interface-name]
[edit protocols ospf area area-id interface interface-name]
[edit routing-instances routing-instance-name protocols ospf area area-id interface interface-name]
[Routing Protocols]
Behavior change for BGP-independent AS domains—Independent domains use the transitive path attribute 128 (attribute set) messages to tunnel the independent domain’s BGP attributes through the internal BGP (IBGP) core. In Junos OS Release
10.3 and later, if you have not configured an independent domain in any routing instance, BGP treats the received attribute 128 message as an unknown attribute. The AS path field in the show route command has been updated to display an unrecognized attribute and associated hexadecimal value if you have not configured an independent domain. The following is a sample output of the AS path field (depending on your network configuration, the output might be different):
AS path: [12345] I Unrecognized Attributes: 40 bytes AS path: Attr flags e0 code 80: 00 09 eb 1a 40 01 01 00 40 02 08 02 03 fd e9 fd e9 01
2d 40 05 04 00 00 00 64 c0
[Routing Protocols]
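The hexadecimal value in the sample output above can be decoded to see which BGP attributes the unrecognized attribute 128 is carrying. This is an added example, not Juniper code; it assumes the attribute set layout of RFC 6368 (a 4-byte origin AS followed by ordinary path attributes), and its function names are the example's own. The sample shows 27 of the 40 bytes, so the cut-off trailing byte is returned as undecoded.

```python
import re

# Attribute line from the sample output on this page; the wrapped hex dump is
# joined onto one line (the page shows 27 of the 40 bytes).
SAMPLE = ("Attr flags e0 code 80: 00 09 eb 1a 40 01 01 00 40 02 08 02 03 fd e9 "
          "fd e9 01 2d 40 05 04 00 00 00 64 c0")

FLAG_BITS = ((0x80, "optional"), (0x40, "transitive"),
             (0x20, "partial"), (0x10, "extended-length"))
ATTR_NAMES = {1: "ORIGIN", 2: "AS_PATH", 3: "NEXT_HOP",
              4: "MULTI_EXIT_DISC", 5: "LOCAL_PREF", 128: "ATTR_SET"}
ORIGINS = {0: "IGP", 1: "EGP", 2: "INCOMPLETE"}
SEGMENTS = {1: "AS_SET", 2: "AS_SEQUENCE",
            3: "AS_CONFED_SEQUENCE", 4: "AS_CONFED_SET"}
LINE_RE = re.compile(
    r"attr flags ([0-9a-f]{2}) code ([0-9a-f]{2}):((?: [0-9a-f]{2})+)")


def flag_names(flags):
    """Name the attribute flag bits that are set."""
    return [name for bit, name in FLAG_BITS if flags & bit]


def parse_line(line):
    """Split an 'Attr flags .. code ..:' line into flags, type code and bytes."""
    match = LINE_RE.search(line.lower())
    if not match:
        raise ValueError("no 'Attr flags .. code ..:' hex dump found")
    return (int(match.group(1), 16), int(match.group(2), 16),
            bytes.fromhex(match.group(3)))


def _segments(value, width):
    """Parse AS_PATH segments with AS numbers of the given byte width."""
    segments, i = [], 0
    while i < len(value):
        if i + 2 > len(value) or value[i] not in SEGMENTS:
            raise ValueError("bad or truncated segment header")
        end = i + 2 + value[i + 1] * width
        if end > len(value):
            raise ValueError("segment overruns the attribute")
        asns = [int.from_bytes(value[j:j + width], "big")
                for j in range(i + 2, end, width)]
        segments.append((SEGMENTS[value[i]], asns))
        i = end
    return segments


def decode_as_path(value):
    """Heuristic: keep the AS number width (4 or 2 bytes) that parses cleanly."""
    for width in (4, 2):
        try:
            return _segments(value, width)
        except ValueError:
            continue
    raise ValueError("AS_PATH parses with neither 4- nor 2-byte AS numbers")


def decode_attr_set(value):
    """Decode an attribute set value; stop cleanly where the dump is cut off."""
    if len(value) < 4:
        raise ValueError("value is shorter than the origin AS field")
    result = {"origin_as": int.from_bytes(value[:4], "big"), "attributes": []}
    i = 4
    while i < len(value):
        flags = value[i]
        header = 4 if flags & 0x10 else 3  # extended length uses 2 length bytes
        if i + header > len(value):
            break
        code = value[i + 1]
        length = int.from_bytes(value[i + 2:i + header], "big")
        body = value[i + header:i + header + length]
        if len(body) < length:
            break
        decoded = body.hex()
        if code == 1 and length == 1:
            decoded = ORIGINS.get(body[0], body[0])
        elif code == 2:
            try:
                decoded = decode_as_path(body)
            except ValueError:
                pass  # keep the hex form if the path does not parse
        elif code in (4, 5) and length == 4:
            decoded = int.from_bytes(body, "big")
        result["attributes"].append({"name": ATTR_NAMES.get(code, f"type-{code}"),
                                     "flags": flag_names(flags), "value": decoded})
        i += header + length
    result["undecoded"] = value[i:]  # bytes of an attribute the dump cut short
    return result


def decode_line(line):
    """Decode one unrecognized-attribute line from the AS path field."""
    flags, code, value = parse_line(line)
    out = {"flags": flag_names(flags), "code": code}
    if code == 128:
        out.update(decode_attr_set(value))
    else:
        out["raw"] = value.hex()
    return out


if __name__ == "__main__":
    import pprint
    pprint.pprint(decode_line(SAMPLE))
```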
Support for disabling the attribute set messages on independent AS domains for BGP loop detection—BGP loop detection for a specific route uses the local autonomous system (AS) domain for the routing instance. By default, all routing instances belong to a single primary routing instance domain. Therefore, BGP loop detection uses the local ASs configured on all of the routing instances. Depending on your network configuration, this default behavior can cause routes to be looped and hidden.
To limit the local ASs in the primary routing instance, configure an independent AS domain for a routing instance. Independent domains use the transitive path attribute 128 (attribute set) messages to tunnel the independent domain’s BGP attributes through the internal BGP (IBGP) core. If you want to configure independent domains to maintain the independence of local ASs in the routing instance and perform BGP loop detection only for the specified local ASs in the routing instance, disable attribute set messages on the independent domain. To disable attribute set messages, include the independent-domain no-attrset statement at the following hierarchy levels:
[edit logical-systems logical-system-name routing-instances routing-instance-name routing-options autonomous-system autonomous-system]
[edit routing-instances routing-instance-name routing-options autonomous-system autonomous-system]
[Routing Protocols]
Services Applications
NAT-PT with DNS ALG support (M Series and T Series routers)—You can configure Domain Name Service (DNS) application-level gateways (ALGs) using NAT with protocol translation (NAT-PT) for IPv6 to IPv4. The implementation is described in RFC 2766 and RFC 2694.
When you configure NAT-PT with DNS ALG support, you must configure two NAT rules. The first NAT rule ensures that the DNS query and response packets are translated correctly. For this rule to work, you must configure a DNS ALG application and reference it in the rule. The second rule is required to ensure that NAT sessions are destined to the address mapped by the DNS ALG.
To configure the correct translation of the DNS query and response packets, include the dns-alg-pool dns-alg-pool or dns-alg-prefix dns-alg-prefix statement at the [edit
services nat rule rule-name term term-name then translated] hierarchy level.
To configure the DNS ALG application, include the application application-name statement at the [edit applications] hierarchy level, then reference it at the [edit
services nat rule rule-name term term-name from] hierarchy level.
To configure destination translation with the DNS ALG address map, use the
use-dns-map-for-destination-translation statement at the [edit services nat rule rule-name term term-name then translated] hierarchy level. This statement correlates
the DNS query or response processing done by the first rule with the actual data sessions processed by the second rule.
You can also control the translation of IPv6 and IPv4 DNS queries in the following ways.
For translation control of IPv6 DNS queries, use the
do-not-translate-AAAA-query-to-A-query statement at the [edit applications application application-name] hierarchy level.
For translation control of IPv4 queries, use the
do-not-translate-A-query-to-AAAA-query statement at the [edit applications application application-name] hierarchy level.
NOTE: The above two statements cannot be configured together. You can only configure one at a time, but not both.
To check that the flows are established properly, use the show services
stateful-firewall flows command or the show services stateful-firewall conversations
command.
[Services Interfaces]
Enhancements to active flow monitoring—Add support for extraction of bandwidth usage information for billing purposes in PIC-based sampling configurations. This capability is supported on M Series, MX Series, and T Series routers and applies only to IPv4 and IPv6 traffic. It is enabled only at the global instance hierarchy level and is
not available for per Packet Forwarding Engine instances. To configure the sampling of traffic for billing purposes, include the template as-peer-billing-template-name statement at the [edit forwarding-options sampling family (inet | inet6) output
flow-server server-name version version-number] hierarchy level. To define the peer-AS
billing functionality, include the peer-as-billing-template statement at the [edit services
flow-monitoring version9 template template-name] hierarchy level. For a list of the
template fields, see the Junos OS Services Interfaces Configuration Guide. You can apply the existing destination class usage (DCU) policy option configuration for use with this feature.
In addition, the MPLS top label IP address is added as a new field in the existing MPLS-IPv4 flow template. You can use this field to gather MPLS forwarding equivalence class (FEC) -based traffic information for MPLS network capacity planning. These ALGs that use Junos Services Framework (JSF) (M Series) is a PIC-only feature applied on sampled traffic and collected by the services PIC or DPC. You can define it for either global or per Packet Forwarding Engine instances for MPLS traffic.
The show services accounting aggregation template operational command has been updated to include new output fields that reflect the additional functionality.
[Services Interfaces, System Basics and Services Command Reference]
Support for the RPM timestamp on the Services SDK (M Series, MX Series, and T Series)—Real-time performance monitoring (RPM), which has been supported on the
Adaptive Services (AS) interface, is now supported by the Services SDK. RPM is supported on all platforms and service PICs that support the Services SDK.
RPM timestamping is needed to account for any latency in packet communications. You can apply timestamps on the client, the server, or both the client and server. RPM timestamping is supported only with the icmp-ping, icmp-ping-timestamp, udp-ping, and udp-ping-timestamp probe types.
To specify the Services SDK interface, include the destination-interface statement at the [edit services rpm probe probe-owner test test-name] hierarchy level:
destination-interface ms-fpc/pic/port.logical-unit-number;
To specify the RPM client router and the RPM server router, include the rpm statement at the [edit interfaces interface-name unit logical-unit-number] hierarchy level:
rpm (client | server);
To enable RPM on the Services SDK on the AS interface, configure the object-cache-size,
policy-db-size, and package statements at the [edit chassis fpc slot-number pic pic-number adaptive-services service-package extension-provider] hierarchy level. For
the Services SDK, package-name in the package package-name statement is
jservices-rpm.
user@host# show chassis
fpc 1 {
    pic 2 {
        adaptive-services {
            service-package {
                extension-provider {
                    control-cores 1;
                    data-cores 1;
                    object-cache-size 512;
                    policy-db-size 64;
                    package jservices-rpm;
                    syslog daemon any;
                }
            }
        }
    }
}
[Services Interfaces]
ALGs using Junos OS Services Framework (JSF) (M Series with MS PICs and MX Series with MS DPCs)—Application-level gateways (ALGs) intercept and analyze
specified traffic, allocate resources, and define dynamic policies to permit traffic to pass securely through a device. Beginning with Junos OS Release 10.4 on the specified routers, you can use JSF ALGs with the following services:
Stateful firewall
Network Address Translation (NAT)
To use JSF to run ALGs, you must configure the jservices-alg package at the [edit chassis fpc slot pic slot adaptive-services service-package extension-provider package] hierarchy level. In addition, you must configure the ALG application at the [edit applications application application-name] hierarchy level, and reference the application in the stateful firewall rule or the NAT rule in those respective configurations.
[Services Interfaces]
Enhancements to port mirroring with next-hop groups (MX Series only)—Adds support for binding up to two port-mirroring instances to the same MX Series Packet Forwarding Engine. This enables you to choose multiple mirror destinations by specifying different port-mirroring instances in the filters. Filters must include the port-mirror-instance instance-name statement at the [edit firewall filter filter-name term term-name then] hierarchy level. You must also include the port-mirror-instance instance-name statement at the [edit chassis fpc number] hierarchy level to specify the FPC to be used.
Inline port mirroring allows you to configure instances that are not bound to the FPC specified in the firewall filter then port-mirror-instance instance-name action. Instead, you can define the then next-hop-group action. Inline port-mirroring aims to decouple the port-mirror destination from the input parameters, such as rate. While the input parameters are programmed in the Switch Interface Board (SIB), the next-hop destination for the mirrored packet is available in the packet itself.
A port-mirroring instance can now inherit input parameters from another instance that specifies it. To configure this option, include the input-parameters-instance
instance-name statement at the [edit forwarding-options port-mirror instance instance-name] hierarchy level.
You can also now configure port mirroring to next-hop groups using a tunnel interface.
[Services Interfaces]
Multiple IDP detector support (M120, M320, and MX Series routers with Enhanced III FPCs)—The IDP detector provides information about services, contexts, and
anomalies that are supported by the associated protocol decoder.
The specified routers now support loading multiple IDP detectors simultaneously. When a policy is loaded, it is also associated with a detector. If the new policy being loaded has an associated detector that matches the detector already being used by the existing policy, the new detector is not loaded and both policies use a single associated detector. However, if the new detector does not match the current detector, the new detector is loaded along with the new policy. In this case, each loaded policy will then use its own associated detector for attack detection. Note that with the specified routers, a maximum of four detectors can be loaded at any given time.
Multiple IDP detector support for the specified routers functions in a similar way to the existing IDP detector support on J Series and SRX Series devices, except for the maximum number of decoder binary instances that are loaded into the process space.
To view the current policy and the corresponding detector version, use the show security idp status detail command.
For more information, see the Junos OS Security Configuration Guide.
[Services Interfaces]
NAT using Junos OS Services Framework (JSF) (M Series and T Series with Multiservices PICs and MX Series with Multiservices DPCs)—The Junos OS Services
Framework (JSF) is a unified framework for Junos OS services integration. JSF Services integration will allow the option of running Junos OS services on services PICs or DPCs in any M Series, MX Series, or T Series routers. Beginning with Junos OS Release 10.4, you can use JSF to run NAT on the specified routers.
To use JSF to run NAT, you must configure the jservices-nat package at the [edit chassis fpc slot pic slot adaptive-services service-package extension-provider package] hierarchy level. In addition, you must configure NAT rules and a service set with a Multiservice interface. To check the configuration, use the show configuration services nat command. To show the run time (dynamic state) information on the interface, use the show services sessions and show services nat pool commands.
[Services Interfaces]
Stateful firewall using Junos OS Services Framework (JSF) (M Series with MS PICs, MX Series with MS DPCs, and T Series routers)—The Junos OS Services Framework
(JSF) is a unified framework for Junos OS services integration. JSF Services integration will allow the option of running Junos OS services on services PICs or DPCs in any M Series, MX Series, or T Series routers. Beginning with Junos OS Release 10.4, you can use JSF to run stateful firewall on the specified routers.
To use JSF to run stateful firewall, you must configure the jservices-sfw package at the [edit chassis fpc slot pic slot adaptive-services service-package extension-provider package] hierarchy level. In addition, you must configure stateful firewall rules and a service set with a Multiservice interface. To check the configuration, use the show configuration services stateful-firewall command. To show the run time (dynamic state) information on the interface, use the show services sessions command.
[Services Interfaces]
Subscriber Access Management
Redirecting HTTP redirect requests (MX Series routers)—Enables support for HTTP traffic requests from subscribers to be aggregated from access networks onto a BRAS router, where HTTP traffic can be intercepted and redirected to a captive portal. A captive portal provides authentication and authorization services for redirected subscribers before granting access to protected servers outside of a walled garden. A walled garden defines a group of servers where access is provided to subscribers without reauthorization through a captive portal. You can use a captive portal page as the initial page a subscriber sees after logging in to a subscriber session and as a page used to receive and manage HTTP requests to unauthorized Web resources. An HTTP redirect remote server that resides in a walled garden behind Junos OS routers processes HTTP requests redirected to it and responds with a redirect URL to a captive portal.
To configure HTTP redirect, include the captive-portal-content-delivery statement at the [edit services] hierarchy level.
[Subscriber Access]
Filter support for service packet counting—You can count service packets, applying them to a specific named counter (__junos-dyn-service-counter), for use by RADIUS.
To enable service packet accounting, specify the service-accounting action at the [edit
firewall family family-name filter filter-name term term-name then] hierarchy level.
[Policy Framework, Subscriber Access]
Support for domain maps that apply configuration options based on subscriber domain names (MX Series and M Series routers)—You use domain maps to apply
access options and session-specific parameters to subscribers whose domain name corresponds to the domain map name. You can also create a default domain map that the router uses for subscribers whose username does not include a domain name or has a non-matching domain name.
Domain maps apply subscriber-related characteristics such as profiles (access, dynamic, and tunnel), target and AAA logical system mapping, address pool usage, and PADN routing information.
You configure domain maps at the [edit access domain] hierarchy level.
[Subscriber Access]
L2TP LAC support for subscriber management (MX Series routers)—You can now configure an L2TP access concentrator (LAC) on MPC-equipped MX Series routers.
As part of the new L2TP LAC support, you can configure how the router selects a tunnel for a PPP subscriber from among a set of available tunnels. The default tunnel selection method is to fail over between tunnel preference levels. When a PPP user tries to log in to a domain, the router attempts to connect to a destination in that domain by means of the associated tunnel with the highest preference level. If the destination is unreachable, the router then moves to the next lower preference level and repeats the process. No configuration is required for this tunnel selection method.
You can include the fail-over-within-preference statement at the [edit services l2tp] hierarchy level to configure tunnel selection failover within a preference level. With this method, when the router tries to connect to a destination and is unsuccessful, it selects a new destination at the same preference level. If all destinations at a preference level are marked as unreachable, the router does not attempt to connect to a destination at that level. It drops to the next lower preference level to select a destination. If all destinations at all preference levels are marked as unreachable, the router chooses the destination that failed first and tries to make a connection. If the connection fails, the router rejects the PPP user session without attempting to contact the remote router.
By default, the router uses a round-robin selection process among tunnels at the same preference level. Include the weighted-load-balancing statement at the [edit services l2tp] hierarchy level to specify that the tunnel with the highest weight within a preference level is selected until its maximum sessions limit is reached. Then the tunnel with the next highest weight is selected until its limit is reached, and so on. The tunnel with the highest configured maximum sessions value has the greatest weight.
Another feature of L2TP LACs on MX Series routers is the ability to control whether the LAC sends the Calling Number AVP 22 to the LNS. The AVP value is derived from the Calling-Station-Id and identifies the interface that is connected to the customer in the access network. By default, the LAC includes this AVP in ICRQ packets it sends to the LNS. In some networks you may wish to conceal your network access information. To prevent the LAC from sending the Calling Number AVP to the LNS, include the disable-calling-number-avp statement at the [edit services l2tp] hierarchy level.
[Subscriber Access]
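The tunnel selection rules described above, modelled as a small Python simulation that shows which destinations a login tries under each method. This is an added example, not Junos or Juniper code: the Tunnel and Lac classes and the reachable flag are constructed for illustration, and the model assumes that a lower preference number means a more preferred level and that a tunnel at its maximum sessions limit is skipped.

```python
from dataclasses import dataclass
from itertools import groupby


@dataclass
class Tunnel:
    name: str
    preference: int         # assumption: lower number = more preferred level
    max_sessions: int
    reachable: bool = True  # constructed stand-in for "the LNS answers"
    sessions: int = 0


class Lac:
    """Toy model of LAC tunnel selection as the release note states it."""

    def __init__(self, tunnels, fail_over_within_preference=False,
                 weighted_load_balancing=False):
        self.tunnels = list(tunnels)
        self.within = fail_over_within_preference
        self.weighted = weighted_load_balancing
        self.rr_next = {}      # preference level -> round-robin position
        self.unreachable = []  # tunnel names, in the order they first failed

    def _levels(self):
        ordered = sorted(self.tunnels, key=lambda t: t.preference)
        return [list(g) for _, g in groupby(ordered, key=lambda t: t.preference)]

    def _order(self, level):
        """Order one preference level's tunnels for the next login."""
        free = [t for t in level if t.sessions < t.max_sessions]
        if self.within:
            # destinations already marked unreachable are not tried again
            free = [t for t in free if t.name not in self.unreachable]
        if not free:
            return []
        if self.weighted:
            # greatest weight = highest max-sessions; fill it before the next
            return sorted(free, key=lambda t: t.max_sessions, reverse=True)
        pref = level[0].preference
        start = self.rr_next.get(pref, 0) % len(free)
        self.rr_next[pref] = start + 1
        return free[start:] + free[:start]

    def _try(self, tunnel, attempts):
        attempts.append(tunnel.name)
        if tunnel.reachable:
            tunnel.sessions += 1
            if tunnel.name in self.unreachable:
                self.unreachable.remove(tunnel.name)
            return True
        if tunnel.name not in self.unreachable:
            self.unreachable.append(tunnel.name)
        return False

    def login(self):
        """Return (tunnel name or None, destinations tried) for one PPP login."""
        attempts = []
        for level in self._levels():
            candidates = self._order(level)
            if not self.within:
                candidates = candidates[:1]  # default: one try, then next level
            for tunnel in candidates:
                if self._try(tunnel, attempts):
                    return tunnel.name, attempts
        if self.within and not attempts and self.unreachable:
            # every destination is marked unreachable: one try at the first failure
            first = next(t for t in self.tunnels if t.name == self.unreachable[0])
            if self._try(first, attempts):
                return first.name, attempts
        return None, attempts  # PPP session rejected


if __name__ == "__main__":
    # Constructed topology: two level-1 destinations (one down), one level-2.
    def topo():
        return [Tunnel("lns-a", 1, 10, reachable=False),
                Tunnel("lns-b", 1, 10), Tunnel("lns-c", 2, 10)]

    print("default:", Lac(topo()).login())
    print("fail-over-within-preference:",
          Lac(topo(), fail_over_within_preference=True).login())
```

With the constructed topology, the default method skips the healthy second destination at the preferred level and lands on the lower level, while fail-over-within-preference stays at the preferred level.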
Support for dynamic interface sets (M120, M320, and MX Series routers)—Enables you to configure sets of subscriber interfaces in dynamic profiles. Interface sets are used for providing hierarchical scheduling. Previously, interface sets were supported for interfaces configured in the static hierarchies only.
Supported subscriber interfaces include static and dynamic demux, static and dynamic PPPoE, and static and dynamic VLAN interfaces.
To configure an interface set in a dynamic profile, include the interface-set interface-set-name statement at the [edit dynamic-profiles interfaces] hierarchy level. To add a subscriber interface to the set, include the interface interface-name unit logical-unit-number statement at the [edit dynamic-profiles interfaces interface-set interface-set-name] hierarchy level. You apply traffic shaping and scheduling parameters to the interface-set by including the interface-set interface-set-name and output-traffic-control-profile profile-name statements at the static [edit class-of-service interfaces] hierarchy level.
A new Juniper Networks VSA (attribute 26-130) is now supported for the interface set name, and includes a predefined variable, $junos-interface-set-name. The VSA is supported for RADIUS Access-Accept messages only; change of authorization (CoA) requests are not supported.
[Subscriber Access]
Support for service session accounting statistics (MX Series routers)—You can now capture accounting statistics for subscriber service sessions. Subscriber management supports service session accounting based on service activation and deactivation, as well as interim accounting. Time-based accounting is supported for all service sessions. Time and volume-based accounting is supported for classic firewall filter and fast update firewall filter service sessions only.
To provide volume service accounting, the well-known accounting counter (__junos-dyn-service-counter) must also be configured for the classic firewall filter and fast update firewall filter service. You define the counter at the [edit firewall family family filter filter term term then] hierarchy level.
The following VSAs (vendor ID 4874) are used for service accounting:
| Attribute Number | Attribute Name | Description | Value |
|---|---|---|---|
| 26-69 | Service-Statistics | Enable or disable statistics for the service. | 0 = disable; 1 = enable time statistics; 2 = enable time and volume statistics |
| 26-83 | Acct-Service-Session | Name of the service. | string: service-name |
| 26-140 | Service-Interim-Acct-Interval | Amount of time between interim accounting updates for this service. | range = 600–86400 seconds; 0 = disabled |
[Subscriber Access]
Subscriber secure policy traffic mirroring supported for L2TP sessions on the LAC (MX Series routers)—The L2TP access concentrator (LAC) implementation supports RADIUS-initiated per-subscriber traffic mirroring. Both subscriber ingress traffic (from the subscriber into the tunnel) and subscriber egress traffic (from the tunnel to the subscriber) are mirrored at the (subscriber-facing) ingress interface on the LAC. The ingress traffic is mirrored after PPPoE decapsulation and before L2TP encapsulation. The egress traffic is mirrored after L2TP decapsulation. The mirrored packet includes the complete HDLC frame sent to the LNS.
[Subscriber Access]
Support for static and dynamic CoS on L2TP LAC subscriber interfaces (M120, M320, and MX Series routers)—Enables you to configure static and dynamic CoS for L2TP access concentrator (LAC) tunnels that transport PPP subscribers at Layer 2 and Layer 3 of the network.
IP and L2TP headers are added to packets arriving at the LAC from a subscriber before being tunneled to the L2TP network server (LNS). Classifiers and rewrite-rules enable you to properly transfer the type-of-service (ToS) value or the 802.1p value from the inner IP header to the outer IP header of the L2TP packet.
For ingress tunnels, you configure fixed or behavior aggregate (BA) classifiers for the PPP interface or an underlying VLAN interface at Layer 2. You can configure Layer 3 classifiers for a family of PPP interfaces. Layer 2 and Layer 3 classifiers can co-exist for a PPP subscriber.
For example, to classify incoming packets for a PPP subscriber, include the classifier
type classifier-name statement at the [edit class-of-service interfaces pp0 unit logical-unit-number] hierarchy level or at the [edit dynamic-profiles class-of-service interfaces pp0 unit logical-unit-number] hierarchy level.
On egress tunnels, you configure rewrite rules to set the ToS or 802.1p value of the outer header. For example, to configure a rewrite-rule definition for an interface with 802.1p encapsulation, include the rewrite-rule ieee-802.1 (rewrite-name | default) statement at the [edit class-of-service interfaces interface-name unit logical-unit-number] hierarchy level or the [edit dynamic-profiles class-of-service interfaces pp0 unit logical-unit-number] hierarchy level.
Rewrite rules are applied accordingly to the forwarding class, packet loss priority (PLP), and code point. The proper transfer of the inner IP header to the outer IP header of the L2TP packet depends on the classifier and rewrite rule configurations.
The following table shows how the classifier and rewrite-rule values transfer from the inner IP header to the outer IP header. The inner IP header (ob001) is classified with assured-forwarding and low loss priority at the ingress interface. Based on the assured-forwarding class and low loss priority in the rewrite rule, the outer IP header is set to ob001 at the egress interface.
| Inner IP Header | Forwarding Class | Loss Priority | Code Point | Outer IP Header |
|---|---|---|---|---|
| ob001 | assured-forwarding | low | 001 | ob001 |
[Subscriber Access, Class of Service]
L2TP tunnel profiles and AAA support for tunnels in subscriber management (MX Series routers)—You can configure a set of attributes to define an L2TP tunnel for PPP
subscribers. More than one tunnel can be defined for a tunnel profile. Tunnel profiles are applied by a domain map before RADIUS authentication. When the RADIUS Tunnel-Group VSA [26-64] is specified in the RADIUS login, then the RADIUS tunnel profile (group) overrides a tunnel profile specified by the domain map. The tunnel is then configured according to RADIUS tunnel attributes and VSAs.
To configure a tunnel profile, include the tunnel-profile profile-name statement at the [edit access] hierarchy level. To define a tunnel for a profile, include the tunnel tunnel-id statement at the [edit access tunnel-profile profile-name] hierarchy level.
Define the attributes of the tunnel at the [edit access tunnel-profile profile-name tunnel tunnel-id] hierarchy level. You must configure a preference for the tunnel and the IP address of the LNS tunnel endpoint; all other attributes are optional. Include the preference number statement to configure the preference. Include the remote-gateway address server-ip-address statement to configure the LNS address.
You can optionally configure the remaining tunnel attributes. Include the remote-gateway name server-name statement to configure the LNS hostname. Include the source-gateway address client-ip-address statement and the source-gateway name client-name statement to configure the local (LAC) tunnel endpoint. Although you can configure a medium type (medium type) and protocol type (tunnel tunnel-type) for the tunnel, only the default values of ipv4 and l2tp are supported in this release. Include the identification name statement to configure an assignment ID for the tunnel. Include the max-sessions number statement to configure the maximum number of sessions permitted for the tunnel. Include the secret password statement to configure a cleartext password for authentication by the remote tunnel endpoint (LNS). Finally, you can configure a logical system and routing instance for the tunnel by including the logical-system logical-system-name and routing-instance routing-instance-name statements.
The following table shows the RADIUS attributes that are now supported for defining a tunnel.
| Attribute Number | Attribute Name | Description |
|---|---|---|
| 64 | Tunnel-Type | The tunneling protocol to use (in the case of a tunnel initiator) or the tunneling protocol already in use (in the case of a tunnel terminator). Only L2TP tunnels are currently supported. |
| 65 | Tunnel-Medium-Type | Transport medium to use when creating a tunnel for protocols that can operate over multiple transports. Only IPv4 is currently supported. |
| 66 | Tunnel-Client-Endpoint | Address of the initiator end of the tunnel. |
| 67 | Tunnel-Server-Endpoint | Address of the server end of the tunnel. |
| 69 | Tunnel-Password | Password used to authenticate to a remote server. |
| 82 | Tunnel-Assignment-Id | Indicates to the tunnel initiator the particular tunnel to which a session is assigned. |
| 83 | Tunnel-Preference | If more than one set of tunneling attributes is returned by the RADIUS server to the tunnel initiator, this attribute is included in each set to indicate the relative preference assigned to each tunnel. Included in the Tunnel-Link-Start, the Tunnel-Link-Reject, and the Tunnel-Link-Stop packets (LAC only). |
| 90 | Tunnel-Client-Auth-Id | Name used by the tunnel initiator during the authentication phase of tunnel establishment. |
| 91 | Tunnel-Server-Auth-Id | Name used by the tunnel terminator during the authentication phase of tunnel establishment. |
The following table shows the RADIUS VSAs that are now supported for defining a tunnel.
| Attribute Number | Attribute Name | Description | Value |
|---|---|---|---|
| 26-8 | Tunnel-Virtual-Router | Virtual router name for tunnel connection. | string: tunnel-virtual-router |
| 26-9 | Tunnel-Password | Tunnel password in clear text. | string: tunnel-password |
| 26-33 | Tunnel-Max-Sessions | Maximum number of sessions allowed in a tunnel. | integer: 4-octet |
| 26-64 | Tunnel-Group | Name of the tunnel group (profile) assigned to a domain map. | string: tunnel-group-name |
[Subscriber Access]
Dynamic reconfiguration of extended DHCPv6 local server clients (MX Series routers)—You can enable dynamic reconfiguration of DHCPv6 clients to enable the extended DHCPv6 local server to initiate a client update without waiting for the client to initiate a request. In subscriber management scenarios, a client may need to be quickly updated with its network address and configuration in the event of server changes, such as a restructuring of the service provider’s addressing scheme or a change in the local server IP addresses that were provided to the clients. Include the reconfigure statement to enable dynamic reconfiguration with default values for all DHCPv6 clients at the [edit system services dhcp-local-server dhcpv6] hierarchy level, and for DHCPv6 clients serviced by a specified group of interfaces at the [edit system services dhcp-local-server dhcpv6 group group-name] hierarchy level.
Optional statements enable you to modify default reconfiguration values: the number of reconfiguration attempts, the interval between the first and second attempts, what happens to the client if all reconfiguration attempts fail, what happens to the client in the event of a RADIUS-initiated disconnect, whether to bind clients that do not support reconfiguration, and whether to send an authentication token. Issue the request dhcpv6 server reconfigure command to initiate reconfiguration. Use the show dhcpv6 server binding and show dhcpv6 server statistics commands to monitor client-server interactions.
[Subscriber Access]
Support for ascend data filters (RADIUS attribute 242) in subscriber firewall filters (MX Series routers)—You can now configure subscriber management to use ascend
data filters (ADFs) to create and apply firewall filters to subscriber traffic. The ADF creates a rule that specifies match conditions on the source and destination IP address, the protocol, and the source and destination port, and also specifies the action to perform (such as accept or discard). The ADF rule also specifies the filter direction, and can optionally provide traffic class and policer information. The router supports ADF rules for family types inet and inet6.
Subscriber management uses dynamic profiles to obtain the ADF rules from the RADIUS server. You can use the new Junos OS predefined variables ($junos-adf-rule-v4 for family inet and $junos-adf-rule-v6 for inet6) to map ADF rules to Junos OS functionality, or you can statically create ADF rules.
To configure ADF support, use the following stanza at the [edit dynamic-profiles
profile-name interfaces interface-name unit logical-unit-number family family] hierarchy
level:
filter {
    adf {
        counter;
        input-precedence precedence;
        output-precedence precedence;
        rule rule-value;
    }
}
[Subscriber Access, System Basics and Services Command Reference]
Per-interface DHCP tracing operations (MX Series routers)—In addition to the existing global DHCP tracing operation, you can now trace DHCP operations for a specific interface or a range of interfaces.
Configuring interface-based tracing is a two-step procedure. First configure the tracing options that you want to use, such as the file used for the trace operation and the trace flags. In the second step, enable the tracing operation on the specific interface or range of interfaces.
To configure the per-interface tracing options, use the interface-traceoptions statement at the [edit system services dhcp-local-server] hierarchy level for the DHCP local server or at the [edit forwarding-options dhcp-relay] hierarchy level for the DHCP relay agent.
To enable tracing on an interface or interface range, use the trace statement at the
[edit system services dhcp-local-server group group-name interface interface-name]
hierarchy level for the DHCP local server, or the [edit forwarding-options dhcp-relay
group group-name interface interface-name] hierarchy level for the DHCP relay agent.
You can also enable tracing for DHCPv6 at the [edit system services dhcp-local-server
dhcpv6 group group-name interface interface-name] hierarchy level.
[Subscriber Access]
Automatic binding of stray DHCP requests (MX Series routers)—The default behavior has changed for handling DHCP requests that are received but which have no entry in the database (stray requests). Beginning with Junos OS Release 10.4, automatic binding of stray requests is enabled by default. In Junos OS Release 10.3 and earlier releases, automatic binding of stray requests is disabled by default.
By default, DHCP relay and DHCP relay proxy now attempt to bind the requesting client by creating a database entry and forwarding the request to the DHCP server. If the server responds with an ACK, the client is bound and the ACK is forwarded to the client. If the server responds with a NAK, the database entry is deleted and the NAK is forwarded to the client. This behavior occurs regardless of whether authentication is configured.
In Junos OS Release 10.3 and earlier releases, DHCP relay drops stray requests and forwards a NAK to the client when authentication is configured. Otherwise, DHCP relay attempts to bind the requesting client. In those releases, DHCP relay proxy always drops stray requests and forwards a NAK to the client, regardless of the authentication configuration.
You can override the new default configuration to cause DHCP relay and DHCP relay proxy to drop all stray requests instead of attempting to bind the clients. To disable automatic binding behavior globally, include the no-bind-on-request statement at the
[edit forwarding-options dhcp-relay overrides] hierarchy level. To disable automatic
binding behavior for a group, include the statement at the [edit forwarding-options
dhcp-relay overrides group group-name] hierarchy level. To disable automatic binding
behavior for a specific interface in a group, include the statement at the [edit
forwarding-options dhcp-relay overrides group group-name interface interface-name]
hierarchy level.
[Subscriber Access]
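The change in default stray-request handling described above, as a small Python model that lists which relay settings start binding stray clients after an upgrade. This is an added example, not Junos code: the RelayAgent class, its field names and the client identifiers are constructed, and "10.3" stands for Release 10.3 and earlier.

```python
from dataclasses import dataclass, field


@dataclass
class RelayAgent:
    release: str                      # "10.3" (10.3 and earlier) or "10.4"
    proxy: bool = False               # True models DHCP relay proxy
    authentication: bool = False      # authentication configured on the agent
    no_bind_on_request: bool = False  # the 10.4 override statement
    bindings: dict = field(default_factory=dict)  # client id -> state

    def binds_stray(self):
        """Does this agent try to bind a client it has no database entry for?"""
        if self.release == "10.4":
            return not self.no_bind_on_request  # regardless of authentication
        if self.proxy:
            return False                        # relay proxy always dropped
        return not self.authentication          # relay dropped only with auth

    def handle_stray_request(self, client, server_reply):
        """Return (forwarded_to_server, sent_to_client) for one stray request.

        server_reply is the constructed answer ("ACK" or "NAK") the DHCP
        server would give if the request reached it.
        """
        if client in self.bindings:
            raise ValueError("not a stray request: client already has an entry")
        if not self.binds_stray():
            # 10.3 and earlier answer with a NAK; for the 10.4 override the
            # release note only says the request is dropped.
            return False, ("NAK" if self.release == "10.3" else None)
        self.bindings[client] = "pending"       # entry created, request forwarded
        if server_reply == "ACK":
            self.bindings[client] = "bound"     # ACK forwarded to the client
        else:
            del self.bindings[client]           # NAK: entry deleted
        return True, server_reply


def upgrade_changes():
    """Agent settings whose stray-request handling flips from drop to bind
    when a router moves from 10.3 to the 10.4 default."""
    changed = []
    for proxy in (False, True):
        for auth in (False, True):
            old = RelayAgent("10.3", proxy, auth).binds_stray()
            new = RelayAgent("10.4", proxy, auth).binds_stray()
            if new and not old:
                changed.append(("relay-proxy" if proxy else "relay", auth))
    return changed


if __name__ == "__main__":
    for agent, auth in upgrade_changes():
        print(f"{agent}, authentication={auth}: dropped before, bound in 10.4")
```

The only combination left unchanged by the upgrade is DHCP relay without authentication, which already attempted to bind; with no-bind-on-request set, that combination drops stray requests as well, so the override is stricter than the 10.3 behavior for it.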
Support for VPLS Layer 2 wholesale configuration in a subscriber access network—Enables you to configure Layer 2 wholesaling within a subscriber access
network. Wholesale access is the process by which an access network provider (wholesaler) partitions the access network into separately manageable and accountable subscriber segments for resale to other network providers. An access network provider may elect to wholesale all or part of its network to one or more service providers (retailers).
NOTE: In this release, Layer 2 wholesaling supports the use of only the
default logical system using multiple routing instances.
The Juniper Networks Layer 2 wholesale solution is similar to the Layer 3 wholesale solution in many ways. However, when configuring the Juniper Networks Layer 2 wholesale solution, keep the following in mind:
No Layer 3 components (address assignment, Layer 3 interfaces, and so on) are involved.
S-VLANs must be unique to any Gigabit Ethernet or Aggregated Ethernet interfaces within the entire network (not just unique to one router).
Layer 2 wholesale supports only CoA disconnect and variable modification; CoA service activation is not supported.
NOTE: For general information about configuring dynamic wholesale for
your subscriber access network, see the Broadband Subscriber Management Solutions Guide.
To configure Layer 2 wholesale for a subscriber access network:
Configure a VLAN dynamic profile. See the Subscriber Access Configuration Guide for details.
Include the routing-instances statement along with the $junos-routing-instance dynamic variable at the [edit dynamic-profiles profile-name interface
$junos-interface-name] hierarchy level.
Include the interfaces statement along with the $junos-interface-name dynamic variable at the [edit dynamic-profiles profile-name interface “$junos-interface-name”
routing-instances “$junos-routing-instance”] hierarchy level.
Include the interfaces statement along with the $junos-interface-ifd-name dynamic variable at the [edit dynamic-profiles profile-name] hierarchy level.
Include the unit statement along with the $junos-interface-unit dynamic variable at the [edit dynamic-profiles profile-name interface “$junos-interface-ifd-name”] hierarchy level.
(Optional) Include the encapsulation statement at the [edit dynamic-profiles profile-name interface “$junos-interface-ifd-name” unit $junos-interface-unit] hierarchy level and specify the unit encapsulation as vlan-vpls or vlan-ccc.
NOTE: If you choose not to specify an encapsulation for the logical
interface, you must specify encapsulation for the physical interface.
Include the vlan-tags statement and define the outer VLAN tag using the
$junos-stacked-vlan-id dynamic variable and the inner VLAN tag using the $junos-vlan-id dynamic variable at the [edit dynamic-profiles profile-name interface “$junos-interface-ifd-name” unit $junos-interface-unit] hierarchy level.
Include the input-vlan-map statement at the [edit dynamic-profiles profile-name
interface “$junos-interface-ifd-name” unit $junos-interface-unit] hierarchy level and
define the map settings as follows:
NOTE: You configure the input-vlan-map statement only when there is
a need to either push an outer tag on a single-tagged subscriber packet or modify the outer tag in a subscriber dual-tagged packet.
Specify the action that you want the input VLAN map to take. See the Network Interfaces Configuration Guide for details on how to configure input-vlan-map statement options.
Include the vlan-id statement along with the $junos-vlan-map-id dynamic variable.
Include the output-vlan-map statement at the [edit dynamic-profiles profile-name interface “$junos-interface-ifd-name” unit $junos-interface-unit] hierarchy level and specify the action that you want the output VLAN map to take. See the Network Interfaces Configuration Guide for details on how to configure output-vlan-map statement options.
NOTE: You configure the output-vlan-map statement only when there
is a need to either pop or modify the outer tag found in a dual-tagged packet meant for the subscriber.
Specify the unit family as vpls at the [edit dynamic-profiles profile-name interface
“$junos-interface-ifd-name” unit $junos-interface-unit family] hierarchy level.
Include the flexible-vlan-tagging statement for any interfaces you plan to use at the
[edit interfaces interface-name] hierarchy level.
Include the encapsulation statement for any interfaces you plan to use at the [edit
interfaces interface-name] hierarchy level and specify the encapsulation as follows: flexible-ethernet-services.
Use the vlan-vpls or flexible-ethernet-services options if you specified the vlan-vpls option for the encapsulation statement at the [edit dynamic-profiles profile-name
interface “$junos-interface-ifd-name” unit $junos-interface-unit] hierarchy level.
NOTE: Using the vlan-vpls encapsulation option in both the dynamic profile and when configuring the physical interface limits the VLAN ID value to a number greater than or equal to 512. Using the
flexible-ethernet-services encapsulation option does not result in a
limitation to the VLAN ID value.
Use the flexible-ethernet-services option if you plan to configure logical interfaces with different encapsulations at the [edit dynamic-profiles profile-name interface
“$junos-interface-ifd-name” unit $junos-interface-unit] hierarchy level.
NOTE: This encapsulation type does not have a VLAN ID limitation.
Use the extended-vlan-vpls option if you chose not to specify an option for the
encapsulation statement at the [edit dynamic-profiles profile-name interface “$junos-interface-ifd-name” unit $junos-interface-unit] hierarchy level.
NOTE: This encapsulation type can support multiple TPIDs and does not have a VLAN ID limitation.
Specify the vpls option for the instance-type statement for any retailer routing instances you plan to use at the [edit routing-instances instance-name] hierarchy level.
Include the qualified-bum-pruning-mode statement in any retailer routing instances you plan to use at the [edit routing-instances instance-name] hierarchy level.
Specify the permanent option for the connectivity-type statement at the [edit routing-instances instance-name protocols vpls] hierarchy level to ensure that the routing instance (pseudo-wire) remains operational.
Configure the VLAN Interfaces to use the dynamic profile. See the Subscriber Access Configuration Guide for details.
Define access to your RADIUS server and specify the access profile at the [edit
access] hierarchy level.
To view the logical system and routing instance for each subscriber, use the show
subscriber operational command.
[Subscriber Access]
System Logging
New and deprecated system log tags—The following system log messages are new in this release:
ASP_SFW_DELETE_FLOW
CHASSISD_FM_FABRIC_DOWN
CHASSISD_FPC_FABRIC_DOWN_REBOOT
CHASSISD_FRU_INTEROP_UNSUPPORTED
CHASSISD_RE_CONSOLE_FE_STORM
RPD_AMT_CFG_ADDR_FMLY_INVALID
RPD_AMT_CFG_ANYCAST_INVALID
RPD_AMT_CFG_ANYCAST_MCAST
RPD_AMT_CFG_LOC_ADDR_INVALID
RPD_AMT_CFG_LOC_ADDR_MCAST
RPD_AMT_CFG_PREFIX_LEN_SHORT
RPD_AMT_CFG_RELAY_INVALID
RPD_BGP_CFG_ADDR_INVALID
RPD_BGP_CFG_LOCAL_ASNUM_WARN
RPD_CFG_TRACE_FILE_MISSING
RPD_LDP_GR_CFG_IGNORED
RPD_MC_CFG_FWDCACHE_CONFLICT
RPD_MC_CFG_PREFIX_LEN_SHORT
RPD_MSDP_CFG_SA_LIMITS_CONFLICT
RPD_MSDP_CFG_SRC_INVALID
RPD_MVPN_CFG_PREFIX_LEN_SHORT
RPD_PLCY_CFG_COMMUNITY_FAIL
RPD_PLCY_CFG_FWDCLASS_OVERRIDDEN
RPD_PLCY_CFG_IFALL_NOMATCH
RPD_PLCY_CFG_PARSE_GEN_FAIL
RPD_PLCY_CFG_PREFIX_LEN_SHORT
RPD_RSVP_COS_CFG_WARN
RPD_RT_INST_IMPORT_PLCY_WARNING
RPD_OSPF_IF_COST_CHANGE
RPD_OSPF_TOPO_IF_COST_CHANGE
RPD_VPLS_INTF_NOT_IN_SITE
[System Log]
Added interface information to BFD session up/down system log tags—Added peer address information for BFDD_TRAP_MHOP_STATE_DOWN and
BFDD_TRAP_MHOP_STATE_UP.
[System Log]
VPNs
Disable TTL propagation behavior for the routes in a VRF routing instance—Enables you to control TTL decrementing for individual VPNs. In prior releases, Junos OS enabled control of TTL behavior only at the router level for all LDP-signaled and all RSVP-signaled label-switched paths. With this feature, you can control the behavior on individual VPN routes. To configure, include the vrf-propagate-ttl or
no-vrf-propagate-ttl statement at the [edit routing-instances instance-name] hierarchy
level. The instance-specific behavior overrides the router behavior configured at the
[edit protocols mpls] hierarchy level with the no-propagate-ttl statement. The show route extensive and show route detail commands display the TTL action for each VRF
routing instance.
[VPNs]
Support for Layer 3 VPN composite next hops and a larger number of Layer 3 VPN labels on T Series routers—Layer 3 VPN composite next hops can now be enabled on
T Series routers with Enhanced Scaling FPCs by including the l3vpn-composite-nexthop statement at the [edit routing-options] or [edit logical-systems logical-system-name
routing-options] hierarchy levels. This statement enables BGP to accept larger numbers of Layer 3 VPN BGP updates with unique inner VPN labels. Including the l3vpn-composite-nexthop statement in the configuration enhances scaling and convergence performance of PE routers participating in a Layer 3 VPN in a multivendor environment.
The Junos OS provides the configuration statement memory-enhanced to reallocate the jtree memory for routes and Layer 3 VPNs. This statement has the following options:
route—Include this statement when you want to support larger routing tables (with more routes) over firewall filters. For example, you can enable this option when you want to support a large number of routes for Layer 3 VPNs implemented using MPLS. However, we recommend enabling this option only if you do not have a very large firewall configuration.
To allocate more memory for routing tables, include the route statement at the [edit chassis memory-enhanced] hierarchy level:
[edit chassis memory-enhanced]
route;
vpn-label—Include this statement when you want to enhance memory to support a larger number of Layer 3 VPN labels accepted by the l3vpn-composite-nexthop statement.
To allocate more memory for Layer 3 VPN labels, include the vpn-label statement at the [edit chassis memory-enhanced] hierarchy level:
[edit chassis memory-enhanced]
vpn-label;
NOTE: With Junos Release 10.4, the memory-enhanced route statement at the [edit chassis] hierarchy level replaces the route-memory-enhanced statement at the [edit chassis] hierarchy level.
[VPNs, System Basics]
Egress protection LSPs—If there is a link or node failure in the core network, a protection mechanism such as MPLS fast reroute can be triggered on the transport LSPs between the PE routers to repair the connection within tens of milliseconds. An egress protection LSP addresses the case in which a link failure occurs at the edge of the network (for example, a link failure between a PE router and a CE device).
To enable an egress protection LSP, you need to configure the following statements:
context-identifier—Specifies an IPv4 address used to define the pair of PE routers
participating in the egress protection LSP. The context identifier is used to assign an identifier to the protector PE router. The identifier is propagated to the other PE routers participating in the network, making it possible for the protected egress PE router to signal the egress protection LSP to the protector PE router. Configure the
context-identifier statement at the [edit protocols l2circuit neighbor neighbor-address interface interface-name egress-protection protector-pe] and the [edit protocols mpls egress-protection] hierarchy levels.
egress-protection—Configures the protector information for the protected Layer 2
circuit and also configures the protector Layer 2 circuit itself at the [edit protocols
l2circuit] hierarchy level. Configures an LSP as an egress protection LSP at the [edit protocols mpls label-switched-path lsp-name] hierarchy level. It also configures the
context identifier at the [edit protocols mpls] hierarchy level.
protected-l2circuit—Specifies which Layer 2 circuit is to be protected by the egress
protect LSP. This statement includes the following sub-statements: ingress-pe,
egress-pe, and virtual-circuit-id. These sub-statements specify the address of the
PE router at the ingress of the Layer 2 circuit, the address of the PE router at the egress of the Layer 2 circuit, and the Layer 2 circuit’s identifier respectively. Configure the protected-l2circuit statement at the [edit protocols l2circuit neighbor address
interface interface-name] hierarchy level.
protector-pe—Specify the IPv4 address of the protector PE router. The protector PE
router must have a connection to the same CE device as the protected PE router for the egress protect LSP to function. This statement includes the following sub-statements: context-identifier and lsp. The lsp statement specifies the LSP to be used as the actual egress protection LSP. Configure the protector-pe statement at the [edit protocols l2circuit neighbor neighbor-address interface interface-name
egress-protection] hierarchy level.
[VPNs]
Local switching support for the ignore-encapsulation-mismatch statement—The ignore-encapsulation-mismatch statement has been extended to support local switching. You can now configure this statement at the [edit protocols l2circuit local-switching interface interface-name] hierarchy level. This statement allows a Layer 2 circuit to be established even though the encapsulation configured on the CE device interface does not match the encapsulation configured on the Layer 2 circuit interface. Local switching allows you to configure a Layer 2 circuit entirely on the local router, terminating the circuit on a local interface.
[VPNs]
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
Class of Service
Changes to the output of the show interfaces queue command—Previously, the output of the show interfaces queue interface-name command displayed the max-queues-per-interface information HW supported queues, as shown below:
Egress queues: 4 supported, 4 in use
The first value indicates either the default or the value specified through the
max-queues-per-interface statement. Now this is changed to HW supported queues.
The first value does not change with respect to the changes to max-queues-per-interface as before.
[Class of Service]
Forwarding and Sampling
ARP packet policing on TCC Ethernet interfaces—In Junos OS Release 10.4, ARP packet policing is effective on the TCC Ethernet interfaces.
High CPU utilization of the DFWD process—You might notice high CPU utilization by the DFWD process if the interface lo0 is configured as part of the interface group 0.
Bridge domain naming (Layer 2 platforms)—You cannot include the slash mark (/) in a bridge domain name at the [edit bridge-domains bridge-domain-name] hierarchy level.
[Layer 2]
Interfaces and Chassis
SFC and LCC Routing Engine (RE) name changes—The SFC Routing Engine name is changed from RE-TXP-SFC to RE-DUO-2600, and the LCC Routing Engine name is changed from RE-TXP-LCC to RE-DUO-1800.
[Software Installation and Upgrade]
Enhancement to show oam ethernet link-fault-management detail command—The output of the show oam ethernet link-fault-management detail command now includes the following two new fields: OAM total symbol error event information and OAM total frame error event information. These fields display the total number of errored symbols and errored frames, respectively, and are updated at every interval regardless of whether the threshold for sending event TLVs has been crossed. Previously, the show oam ethernet link-fault-management detail command displayed only the number of errored symbols reported in TLV events transmitted since the OAM layer was reset and the number of errored frames detected since the OAM layer was reset.
[Interfaces Command Reference]
Enhancement to show oam ethernet connectivity-fault-management commands—The output of the show oam ethernet connectivity-fault-management mep-statistics, show oam ethernet connectivity-fault-management interfaces, and show oam ethernet connectivity-fault-management mep-database commands includes the following three new fields: Out of sync 1DMs received, which displays the number of out-of-sync one-way delay measurement packets received; Valid DMMs received, which displays the number of valid two-way delay measurement request packets received; and Invalid DMMs received, which displays the number of invalid two-way delay measurement request packets received.
[Interfaces Command Reference]
New command to clear ETH-DM delay-statistics (MX Series routers)—A new command, clear oam ethernet connectivity-fault-management delay-statistics, enables you to clear ITU-T Y.1731 Ethernet frame delay measurement (ETH-DM) delay-statistics and ETH-DM frame counts. Use the maintenance-association
maintenance-association-name and maintenance-domain maintenance-domain-name
options to clear delay-statistics and frame counts for specific maintenance associations and maintenance domains. You can also use the one-way and two-way options to clear only one-way delay statistics or two-way delay statistics, respectively.
[Interfaces Command Reference]
Circuit Emulation (CE) interfaces firmware compatibility for ATM IMA on M7i, M10i, M40e, M120, and M320 routers—Provides a Firmware mismatch syslog message and
a show interface command output message in the IMA Group state and IMA Link state if the PIC's firmware is not compatible in Junos OS Release 10.0 and later releases.
NOTE: CE PICs require firmware version rom-ce-9.3.pbin or rom-ce-10.0.pbin for ATM IMA functionality on M7i, M10i, M40e, M120, and M320 routers with Junos OS Release 10.0R1.
CE PICs manufactured with the 560-028081.pbin firmware will produce the following entry in /var/log/messages when Junos OS is upgraded to Release 10.0R1 or newer releases:
Firmware mismatch. Need to upgrade PIC PROM Binary CPU firmware for IMA.
If you configure IMA with this combination of Junos OS and CE PIC firmware, the following entry will be seen.
Firmware error. Need to upgrade PIC PROM Binary CPU firmware for IMA.
The show interfaces ce-fpc/pic/port command output will show the following:
Physical link is Down
IMA Group state : NE: Firmware Error
IMA Link state : Line: Firmware Error
The customer must contact JTAC for a PIC firmware upgrade to proceed with IMA.
[Interfaces Command Reference, System Log Messages Reference]
Support for configuring shaping overhead—Support for CLI based configuration of shaping overhead has been added to the PD-5-10XGE-SFPP Type 4 PIC.
Set bandwidth value on aggregated Ethernet interfaces—You can now set the bandwidth value by using the bandwidth value statement at the [edit interfaces
aggregate-interface unit number] hierarchy level.
Additionally, the show interfaces aggregate-interface extensive and the show interfaces aggregate.logical-interface commands now show the bandwidth of the aggregate when it is configured. Also, the SNMP OID ifSpeed/ifHighSpeed of the aggregate logical interface shows the corresponding bandwidth, when it is configured. When it is not configured, the command shows it as the sum of the bandwidths of the member links of the aggregate, as before.
Network interfaces show command output (All platforms)—The output of the show
interfaces detail/extensive command now adds a table that shows complete (not
truncated) names of the forwarding classes associated with queues.
[Network Interfaces]
Negotiate IP address option removed—The negotiate IP address option is no longer allowed in the MLFR and MFR encapsulations.
Hardware restrictions in the output of the show interfaces extensive command—When
using the show interfaces extensive command with a 100-Gigabit Ethernet PIC, the “Filter statistics” section will not be displayed because the hardware does not include those counters.
New command to clear Link Aggregation Control Protocol statistics—A new command, clear lacp statistics, enables you to clear Link Aggregation Control Protocol (LACP) statistics. Use the interfaces option to clear interface statistics. You can also clear interface statistics for a specific interface only by using the interfaces
interface-name option.
[Interfaces Command Reference]
Change to the show interfaces aenumber extensive command—The output of the show
interfaces aenumber command no longer displays Link Aggregation Control Protocol
(LACP) statistics. To display LACP statistics, use the show lacp statistics interfaces command.
[Interfaces Command Reference]
Increase in unit numbering for demux0 and pp0 interfaces—The unit numbering for demux0 and pp0 interfaces has been increased to 1,073,741,823.
Diffie-Hellman 2048-bit group is now supported—You can now configure the 2048-bit Diffie-Hellman group (group14) for key exchange in IPSec communications on MultiServices PICs.
To use the 2048-bit Diffie-Hellman group, include the dhgroup group14 statement at the [edit services ipsec-vpn ike proposal proposal-name] hierarchy level.
To configure the 2048-bit group for an IPSec policy, include the keys group14 option at the [edit services ipsec-vpn ipsec policy policy-name perfect-forward-secrecy] hierarchy level.
[Services Interfaces]
Show chassis environment cb command on MX80 routers—The show chassis environment cb command is now available for the MX80 routers.
Junos OS XML API and Scripting
The jcs:load-configuration template now accepts the $commit-options parameter—The jcs:load-configuration template, included in the import file junos.xsl, now accepts the $commit-options parameter to customize the commit operation. The parameter must be passed to the jcs:load-configuration template as a node-set.
The default value for $commit-options is null. Supported options are:
check—Check the correctness of the candidate configuration syntax, but do not commit the changes.
force-synchronize—Force the commit on the other Routing Engine (ignore any warnings).
log—Write the specified message to the commit log. This is identical to the CLI configuration mode command commit comment.
synchronize—Synchronize the commit on both Routing Engines.
To specify commit options, include the desired options within the <commit-options> tag. Use the := operator to create a node-set and assign it to a variable. Pass this variable as the argument for the $commit-options parameter when you call the
jcs:load-configuration template.
For example, to commit the configuration with the synchronize and log options, use the following syntax for the node-set:
var $options := {
    <commit-options> {
        <synchronize>;
        <log> "synchronizing commit";
    }
}
[Configuration and Operations Automation Guide]
Junos XML management protocol support for the interface-ranges attribute of the
<get-configuration> operation—By default, the Junos XML protocol operation <get-configuration> parallels the default behavior of the CLI configuration mode show
command, which displays the [edit interfaces interface-range] hierarchy as a separate hierarchy in the configuration. To display the inherited tag elements of each interface range as children of the interface elements that are members of that range, a client application combines the interface-ranges="interface-ranges" attribute with the
inherit="inherit" attribute in the <get-configuration> tag of a remote procedure call
(RPC).
If the inherit and interface-ranges attributes are included in the <get-configuration> tag and the client application requests Junos XML-tagged output (the format="xml" attribute is included or the format attribute is omitted), the Junos XML protocol server
includes the junos:interface-range="source-interface-range" attribute in the opening tags of configuration elements that are inherited from an interface range. The attribute does not appear if the client application requests formatted ASCII output by including the format="text" attribute in the <get-configuration> tag.
[XML Management Protocol]
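The following Python code is an added example, not code from these release notes or from Juniper: it builds the <get-configuration> request with both attributes and reports, per interface, which elements of an XML reply carry the junos:interface-range attribute. The sample reply, the release string in its namespace URI, and the interface and range names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Attribute names in the junos: namespace start with this; the release string
# that follows differs per device, so only the prefix is matched.
JUNOS_NS_PREFIX = "{http://xml.juniper.net/junos/"

# Constructed reply for illustration; names and values are made up.
SAMPLE_REPLY = """
<rpc-reply xmlns:junos="http://xml.juniper.net/junos/10.4R1/junos">
  <configuration>
    <interfaces>
      <interface>
        <name>ge-1/0/0</name>
        <mtu junos:interface-range="access-ports">1514</mtu>
        <unit>
          <name>0</name>
          <family junos:interface-range="access-ports">
            <bridge/>
          </family>
        </unit>
      </interface>
      <interface>
        <name>ge-1/0/5</name>
        <description>uplink</description>
      </interface>
    </interfaces>
  </configuration>
</rpc-reply>
"""


def build_request():
    """RPC asking for the interfaces hierarchy with range members expanded in place."""
    rpc = ET.Element("rpc")
    get = ET.SubElement(rpc, "get-configuration",
                        {"inherit": "inherit", "interface-ranges": "interface-ranges"})
    ET.SubElement(ET.SubElement(get, "configuration"), "interfaces")
    return ET.tostring(rpc, encoding="unicode")


def local(tag):
    """Strip any XML namespace so the code works with or without a default namespace."""
    return tag.rsplit("}", 1)[-1]


def source_range(elem):
    """Return the interface range an element was inherited from, or None."""
    for key, value in elem.attrib.items():
        if key.startswith(JUNOS_NS_PREFIX) and key.endswith("}interface-range"):
            return value
    return None


def segment(elem):
    """Path segment for an element; list entries are keyed by their <name> child."""
    key = next((c.text for c in elem if local(c.tag) == "name"), None)
    return f"{local(elem.tag)}[{key}]" if key else local(elem.tag)


def walk(elem, path, found):
    """Collect (path, range-name) for every descendant inherited from a range."""
    for child in elem:
        child_path = f"{path}/{segment(child)}" if path else segment(child)
        src = source_range(child)
        if src is not None:
            found.append((child_path, src))
        walk(child, child_path, found)


def inherited_by_range(reply_xml):
    """Map interface name -> list of (element path, interface-range name)."""
    root = ET.fromstring(reply_xml.strip())
    report = {}
    for container in root.iter():
        if local(container.tag) != "interfaces":
            continue
        for iface in container:
            if local(iface.tag) != "interface":
                continue
            name = next((c.text for c in iface if local(c.tag) == "name"), None)
            found = []
            walk(iface, "", found)
            if found:
                report[name] = found
    return report


if __name__ == "__main__":
    print(build_request())
    for name, items in inherited_by_range(SAMPLE_REPLY).items():
        for path, rng in items:
            print(f"{name}: {path} inherited from interface-range {rng}")
```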
MPLS Application
Disable RSVP local revertive mode—Configure the no-local-reversion statement at the [edit protocols rsvp] hierarchy level to disable RSVP local revertive mode (local revertive mode as specified in RFC 4090, Fast Reroute Extensions to RSVP-TE for LSP). RSVP local revertive mode is supported on all Juniper Networks routers running the Junos OS software by default. If you configure the no-local-reversion statement, the Juniper Networks router uses global revertive mode instead. You might need to disable RSVP local revertive mode on Juniper Networks routers if your network includes equipment that does not support this mode.
[MPLS]
Enhancement to the show mpls lsp extensive command—In Junos OS Release 10.3 and later, the show mpls lsp extensive command displays more detailed Constrained Shortest Path First (CSPF) messages. You can now see the reason(s) for the CSPF path computation and rejection. The following list shows some of the enhanced CSPF messages (depending on your network configuration, the type of messages you see might be different):
17 Aug 3 13:17:33.601 CSPF: computation result ignored, new path less avail bw[3 times]
16 Aug 3 13:02:51.283 CSPF: computation result ignored, new path no benefit[2 times]
[Routing Protocols and Policies Command Reference]
Enhancement to CSPF traceoptions—In Junos OS Release 10.3 and later, the Constrained Shortest Path First (CSPF) trace messages have been updated to provide more detailed information about CSPF path computation and rejection. You configure the CSPF traceoptions by including the cspf flag at the [edit protocols mpls traceoptions flag] hierarchy level. The following list shows some of the enhanced CSPF trace messages (depending on your network configuration, the type of messages you see might be different):
Aug 3 13:26:06.844628 New avail bw 0.91% 100.00% 100.00% 100.00% without rounding
Aug 3 13:26:06.844676 Old avail bw 0.91% 100.00% 100.00% 100.00% without rounding
Aug 3 13:26:06.844697 CSPF reoptimize: Avail bw gain on new path 0 (without rounding 0.00%)
Aug 3 13:26:06.844714 CSPF reoptimize: new path is safe but no benefit
Aug 3 13:26:06.844731 CSPF reoptimize: result rejected, new path no benefit
Aug 3 13:26:06.844765 mpls lsp blue-to-green primary CSPF: computation result ignored, new path no benefit
[MPLS]
Platform and Infrastructure
Enhancement to show interfaces command—The show interfaces command includes a new field, INET6 Address flags, that displays a flag for any IPv6 address that is in a state other than “permanent” or “ready-to-use.”
[Interfaces Command Reference]
Routing Protocols
New community-count routing policy match condition for BGP routes—You can now configure the number of BGP community entries required for an incoming route to match. This allows you to accept BGP routes based on a specific number of or range of BGP community entries. To configure the number of community entries, specify the
from statement and include the community-count value (equal | orhigher | orlower)
match condition statement at the following hierarchy levels:
[edit policy-options policy-statement policy-name term term-name]
[edit logical-systems logical-system-name policy-options policy-statement policy-name term term-name]
If you configure multiple community-count match condition statements, the matching is effectively a logical AND operation. The following example accepts BGP routes with two, three, or four communities. If a route contains three communities, it is considered a match and is accepted. If a route contains one community, it is not considered a match and is rejected.
[edit]
policy-options {
    policy-statement import-bgp {
        term community {
            from {
                community-count 2 orhigher;
                community-count 4 orlower;
            }
            then {
                accept;
            }
        }
    }
}
[Routing Policy]
Enhancement to the PIM system log messages—The RPD_PIM_NBRDOWN and the RPD_PIM_NBRUP system log messages have been updated to include the name of the routing instance. This enhancement is also applicable to Junos OS Release 10.0R4,
10.1R4, 10.2R2, and 10.3R1. The following sample shows the enhanced PIM system log
messages (depending on your network configuration, the type of messages you see might be different):
Jun 15 21:54:43.831533 RPD_PIM_NBRDOWN: Instance PIM.master: PIM neighbor 11.1.1.2 (so-0/1/3.0) removed due to: the interface is purged
Jun 15 21:53:28.941198 RPD_PIM_NBRUP: Instance PIM.master: PIM new neighbor 11.1.1.2 interface so-0/1/3.0
[System Log Messages Reference]
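The following Python code is an added example, not part of these release notes or of Junos OS: it parses the two enhanced message formats shown above and tracks, per routing instance, the last known state of each PIM neighbor and how often it was lost. The first two log lines are the samples from this page; the remaining lines, the PIM.vpn-a instance name, and the assumed year are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# First two lines are the samples printed in the release note (unwrapped);
# the rest, including the "PIM.vpn-a" instance, are constructed for illustration.
SAMPLE_LOG = """\
Jun 15 21:54:43.831533 RPD_PIM_NBRDOWN: Instance PIM.master: PIM neighbor 11.1.1.2 (so-0/1/3.0) removed due to: the interface is purged
Jun 15 21:53:28.941198 RPD_PIM_NBRUP: Instance PIM.master: PIM new neighbor 11.1.1.2 interface so-0/1/3.0
Jun 15 21:55:10.100000 RPD_PIM_NBRUP: Instance PIM.vpn-a: PIM new neighbor 10.0.0.2 interface ge-1/0/0.0
Jun 15 21:56:00.000001 RPD_PIM_NBRDOWN: Instance PIM.vpn-a: PIM neighbor 10.0.0.2 (ge-1/0/0.0) removed due to: the interface is purged
Jun 15 21:56:30.500000 RPD_PIM_NBRUP: Instance PIM.vpn-a: PIM new neighbor 10.0.0.2 interface ge-1/0/0.0
Jun 15 21:57:00.000000 unrelated line that must be ignored
"""

TIMESTAMP = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\.\d+)")
NBR_DOWN = re.compile(
    r"RPD_PIM_NBRDOWN: Instance (?P<instance>\S+): PIM neighbor (?P<neighbor>\S+) "
    r"\((?P<interface>[^)]+)\) removed due to: (?P<reason>.+)$")
NBR_UP = re.compile(
    r"RPD_PIM_NBRUP: Instance (?P<instance>\S+): PIM new neighbor (?P<neighbor>\S+) "
    r"interface (?P<interface>\S+)")


def parse_pim_events(text, year=2011):
    """Return PIM neighbor events sorted by time.

    The messages carry no year, so one is assumed; lines may arrive out of
    order (as the two samples on the page do), hence the sort.
    """
    events = []
    for line in text.splitlines():
        stamp = TIMESTAMP.match(line)
        match = NBR_DOWN.search(line) or NBR_UP.search(line)
        if not (stamp and match):
            continue
        event = match.groupdict()
        event["state"] = "down" if match.re is NBR_DOWN else "up"
        event["time"] = datetime.strptime(
            f"{year} {stamp.group(1)}", "%Y %b %d %H:%M:%S.%f")
        events.append(event)
    return sorted(events, key=lambda e: e["time"])


def neighbor_summary(events):
    """Per (instance, neighbor, interface): last state, loss count, last loss reason."""
    summary = defaultdict(lambda: {"state": None, "downs": 0, "last_reason": None})
    for e in events:
        entry = summary[(e["instance"], e["neighbor"], e["interface"])]
        entry["state"] = e["state"]
        if e["state"] == "down":
            entry["downs"] += 1
            entry["last_reason"] = e["reason"]
    return dict(summary)


if __name__ == "__main__":
    for key, info in neighbor_summary(parse_pim_events(SAMPLE_LOG)).items():
        print(key, info)
```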
Services Applications
New configuration to avoid IDP traffic loss (M120, M320, MX240, MX480, and MX960 routers)—When the Multiservices PIC or DPC configured for a service set is
either administratively taken offline or undergoes a failure, all the traffic entering the configured interface with an IDP service set would be dropped without notification. To avoid this traffic loss, include the bypass-traffic-on-pic-failure statement at the [edit
services service-set service-set-name service-set-options] hierarchy level and (for TCP
traffic only) the ignore-errors tcp statement at the [edit interfaces interface-name
services-options] hierarchy level. When you configure these statements, the affected
packets are forwarded, in the event of a Multiservices PIC or DPC failure or offlining, as though interface-style services were not configured. This issue applies only to M120, M320, and MX Series routers.
[Services Interfaces]
Enhancements to the show services pgcp statistics extensive command—Two new fields have been added to the output of the show services pgcp statistics extensive command: the number of Add commands received that have emergency status, and the number of inactivity notifications (it/ito) on the root termination.
The following is a sample of the section of the output showing Add commands with emergency status:
Received Commands    Total  Wildcard  Success  Error
Add                      0         0        0      0
Add (emergency)          0         0        0      0
AuditValue               1         0        1      0
Modify                   1         0        1      0
ServiceChange            0         0        0      0
Subtract                 0         0        0      0
The following is a sample of the section of the output showing inactivity notifications on the root termination:
ROOT Notify          Total  Wildcard  Success  Error
ocp/mg_overloaded        0         0        0      0
it/ito                1404         0     1404      0
[Border Gateway Function (BGF), System Basics and Services Command Reference]
Support for softwire rules—The match direction output command is now supported for
softwire rules.
[Services Interfaces]
Summary option for the show services nat mapping command—You can now display summary statistics for NAT mapping by entering show services nat mapping summary. The following example shows the new output.
Total number of address mappings: 500000
Total number of endpoint independent port mappings: 500000
Total number of endpoint independent filters: 0
[System Basics and Services Command Reference]
Command to manage the behavior for reserved ports allocation and port parity—Port allocation in a NAT pool can now be controlled with the preserve-parity and preserve-range commands. Preserve-parity allocates even ports for packets with even destination ports, and odd ports for packets with odd destination ports. Preserve-range allocates ports within a range of 0 through 1023 assuming the original packet contains a destination port in the reserved range. This behavior is applicable to control sessions and not to data sessions.
[Services Interfaces]
Increase in address-only source dynamic pool addresses—The number of address ranges in a NAT pool has increased to 32. The total number of addresses in an address-only source dynamic NAT has increased to 16,777,216.
[Services Interfaces]
Border Gateway Function (BGF) can apply implicit latching on TCP gates when the gate is created—By default, latching of gates is done by explicit latch requests. You can configure implicit latching of gates by entering the set implicit-tcp-latch and set implicit-tcp-source-filter configuration statements at the [edit services pgcp gateway gateway-name h248-options] hierarchy level.
The new configuration statements result in the following actions:
implicit-tcp-latch—If explicit latching has been applied (using ipnapt/latch) on either gate of a gate pair, implicit latching is not applied. If explicit latching has not been applied on either gate:
Latching is applied to both gates of the gate pair.
When either of the gates latches, latching is automatically disabled on the other gate.
implicit-tcp-source-filter—Applies source address (but not source port) filtering on incoming packets, using the current remote destination address under the following conditions:
Explicit source filtering has not been applied by use of gm/saf.
Explicit latching has not been applied by use of ipnapt/latch.
[Border Gateway Function (BGF), Services Interfaces]
Subscriber Access Management
Modification to the interface-description-format statement—The
interface-description-format statement has been modified for Junos OS Release 10.4.
As in previous releases, the router includes both the adapter and subinterface as part of the interface description by default. You can now optionally exclude either or both the adapter and subinterface from the description.
[Subscriber Access]
Modification to the show pppoe interfaces command (M120, M320, MX Series, J Series routers)—In Junos OS Release 9.5 and above, the extensive option for the show pppoe interfaces command is supported only for J Series routers, which can be configured as PPPoE clients. The show pppoe interfaces command no longer supports the extensive option for M120, M320, and MX Series routers in Junos OS Release 9.5 and above. When an M120, M320, or MX Series router is configured as an access concentrator server, the statistics for the PPPoE server interfaces do not increment. As a result, when you issue the show pppoe interfaces extensive command on an M120, M320, or MX Series router, the statistics are always displayed as zeros.
[Interfaces Command Reference]
Enhancement to the clear pppoe statistics command (M120, M320, MX Series, J Series routers)—The clear pppoe statistics command includes a new option,
underlying-interface-name, for M120, M320, and MX Series routers in Junos OS Release
9.5 and above. The option enables you to reset the statistics of the underlying PPPoE interface for static and dynamic PPPoE interfaces. In Junos OS Release 9.5 and above, the interface interface-name option for the clear pppoe statistics command is supported only for J Series routers. The clear pppoe statistics command no longer supports the
interface interface-name option for the M120, M320 and MX Series routers in Junos OS
Release 9.5 and above.
[Interfaces Command Reference]
Support for DSL Forum VSAs (MX Series routers)—Digital Subscriber Line (DSL) attributes are RADIUS VSAs that are defined by the DSL Forum. The attributes transport DSL information that is not supported by standard RADIUS attributes and convey information about the associated DSL subscriber and data rate. The attributes are defined in RFC 4679, DSL Forum Vendor-Specific RADIUS Attributes. Junos OS uses the vendor ID 3561, which is assigned by the Internet Assigned Numbers Authority (IANA), for the DSL Forum VSAs.
Subscriber management supports DSL Forum VSAs in pass-through mode. In pass-through mode, the router does not process DSL values, but rather passes the values received from the subscriber to the RADIUS server, without performing any parsing or manipulation.
[Subscriber Access]
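Because the router forwards these values unparsed in pass-through mode, length and type checks fall to whatever consumes them on the RADIUS side. The following Python code is an added example, not from these release notes or from Juniper: a bounds-checked parser for Vendor-Specific attributes carrying vendor ID 3561, with sub-attribute numbers taken from RFC 4679 and constructed sample circuit and remote IDs.

```python
import struct

VENDOR_SPECIFIC = 26          # RADIUS attribute type for VSAs (RFC 2865)
DSL_FORUM_VENDOR_ID = 3561    # vendor ID named in the release note

# Subset of the vendor types defined in RFC 4679, with how to decode each value.
SUBTYPES = {
    1: ("Agent-Circuit-Id", "text"),
    2: ("Agent-Remote-Id", "text"),
    129: ("Actual-Data-Rate-Upstream", "u32"),
    130: ("Actual-Data-Rate-Downstream", "u32"),
}


def iter_tlv(buf, what):
    """Yield (type, value) records; each length octet covers its own 2-byte header."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError(f"truncated {what} header at offset {pos}")
        typ, length = buf[pos], buf[pos + 1]
        if length < 2 or pos + length > len(buf):
            raise ValueError(f"bad {what} length {length} at offset {pos}")
        yield typ, buf[pos + 2:pos + length]
        pos += length


def dsl_forum_vsas(attributes):
    """Return [(name, value)] for DSL Forum sub-attributes in a RADIUS attribute list.

    Other attributes and other vendors are skipped; malformed lengths raise
    ValueError instead of being read past.
    """
    out = []
    for typ, value in iter_tlv(attributes, "attribute"):
        if typ != VENDOR_SPECIFIC:
            continue
        if len(value) < 4:
            raise ValueError("Vendor-Specific attribute shorter than its Vendor-Id")
        (vendor,) = struct.unpack("!I", value[:4])
        if vendor != DSL_FORUM_VENDOR_ID:
            continue
        for vtype, data in iter_tlv(value[4:], "DSL Forum sub-attribute"):
            name, kind = SUBTYPES.get(vtype, (f"Unknown-{vtype}", "raw"))
            if kind == "u32":
                if len(data) != 4:
                    raise ValueError(f"{name} must be 4 octets, got {len(data)}")
                decoded = struct.unpack("!I", data)[0]
            elif kind == "text":
                # Subscriber-supplied bytes: keep undecodable octets visible.
                decoded = data.decode("utf-8", errors="backslashreplace")
            else:
                decoded = data
            out.append((name, decoded))
    return out


def encode_dsl_vsa(subattrs):
    """Build one Vendor-Specific attribute from (vendor_type, bytes) pairs (sample data only)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in subattrs)
    value = struct.pack("!I", DSL_FORUM_VENDOR_ID) + body
    return bytes([VENDOR_SPECIFIC, len(value) + 2]) + value


# Constructed sample: a User-Name attribute followed by one DSL Forum VSA.
SAMPLE_ATTRIBUTES = (
    bytes([1, 7]) + b"alice"
    + encode_dsl_vsa([
        (1, b"dslam1 atm 1/1/1:0.35"),
        (2, b"subscriber-42"),
        (129, struct.pack("!I", 1024000)),
        (130, struct.pack("!I", 8192000)),
    ])
)

if __name__ == "__main__":
    for name, value in dsl_forum_vsas(SAMPLE_ATTRIBUTES):
        print(f"{name}: {value}")
```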
Required pppoe-options subhierarchy for configuring static and dynamic PPPoE interfaces (M120, M320, MX Series routers)—When you configure a static or dynamic
pp0 (PPPoE) logical interface, you must include the pppoe-options subhierarchy in the
configuration. Failure to include the pppoe-options subhierarchy causes the commit operation to fail.
This requirement is in effect for configuration of static PPPoE logical interfaces as of Junos OS Release 10.2 and later, and has always been in effect for configuration of dynamic PPPoE subscriber interfaces in a PPPoE dynamic profile. For example, the following configuration now causes the commit operation to fail for both static and dynamic PPPoE logical interfaces:
pp0 {
    unit 0 {
    }
}
To configure a static PPPoE logical interface in Junos OS Release 10.2 and higher-numbered releases, you must include the pppoe-options subhierarchy at the
[edit interfaces pp0 unit logical-unit-number] hierarchy level or at the [edit logical-systems logical-system-name interfaces pp0 unit logical-unit-number] hierarchy
level. At a minimum, the pppoe-options subhierarchy must include the name of the PPPoE underlying interface and the server statement, which configures the router to act as a PPPoE server. For example:
[edit interfaces]
...
pp0 {
    unit 0 {
        pppoe-options {
            underlying-interface ge-1/0/0.0;
            server;
        }
        ...
    }
}
To configure a dynamic PPPoE subscriber interface in a PPPoE dynamic profile, you must include the pppoe-options subhierarchy at the [edit dynamic-profiles profile-name interfaces pp0 unit "$junos-interface-unit"] hierarchy level. At a minimum, the pppoe-options subhierarchy must include the name of the underlying Ethernet interface, represented by the $junos-underlying-interface predefined dynamic variable, and the server statement. For example:
[edit]
dynamic-profiles {
    pppoe-profile {
        interfaces {
            pp0 {
                unit "$junos-interface-unit" {
                    pppoe-options {
                        underlying-interface "$junos-underlying-interface";
                        server;
                    }
                    ...
                }
            }
        }
    }
}
[Network Interfaces, Subscriber Access]
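The pppoe-options requirement described above can be checked before a commit is attempted. The following Python example is added here and is not Juniper tooling: it parses curly-brace configuration text and reports every pp0 unit that lacks pppoe-options, underlying-interface, or server, following the minimum stated above. It assumes plain statements and braces only (no annotations or "..." placeholders); the function names and the sample configuration are constructed for illustration.

```python
import re

# Quoted strings, structural characters, or bare words.
TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')


def parse_config(text):
    """Parse curly-brace configuration text into nested dicts.

    Container statements map to a dict; leaf statements map to None.
    """
    root = {}
    stack = [root]
    words = []
    for tok in TOKEN.findall(text):
        if tok == "{":
            child = {}
            stack[-1][" ".join(words)] = child
            stack.append(child)
            words = []
        elif tok == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
            words = []
        elif tok == ";":
            stack[-1][" ".join(words)] = None
            words = []
        else:
            words.append(tok)
    if len(stack) != 1:
        raise ValueError("missing '}'")
    return root


def check_pppoe_units(tree, path=()):
    """Return (location, problem) pairs for pp0 units missing required statements."""
    problems = []
    for key, child in tree.items():
        if not isinstance(child, dict):
            continue
        if key == "pp0" and path and path[-1] == "interfaces":
            for unit_key, unit in child.items():
                if not unit_key.startswith("unit "):
                    continue
                where = " ".join(path + (key, unit_key))
                opts = unit.get("pppoe-options") if isinstance(unit, dict) else None
                if not isinstance(opts, dict):
                    problems.append((where, "missing pppoe-options"))
                    continue
                if not any(k.startswith("underlying-interface ") for k in opts):
                    problems.append((where, "pppoe-options lacks underlying-interface"))
                if "server" not in opts:
                    problems.append((where, "pppoe-options lacks server"))
        else:
            # Recurse so that pp0 under logical-systems or dynamic-profiles is found.
            problems.extend(check_pppoe_units(child, path + (key,)))
    return problems


# Constructed sample: one valid static unit, one empty unit, and a
# dynamic profile whose pppoe-options omits the server statement.
SAMPLE = '''
interfaces {
    pp0 {
        unit 0 {
            pppoe-options {
                underlying-interface ge-1/0/0.0;
                server;
            }
        }
        unit 1 {
        }
    }
}
dynamic-profiles {
    pppoe-profile {
        interfaces {
            pp0 {
                unit "$junos-interface-unit" {
                    pppoe-options {
                        underlying-interface "$junos-underlying-interface";
                    }
                }
            }
        }
    }
}
'''

if __name__ == "__main__":
    for where, problem in check_pppoe_units(parse_config(SAMPLE)):
        print(f"{where}: {problem}")
```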
Subscriber access statistics—RADIUS reports subscriber statistics as an aggregate of both IPv4 statistics and IPv6 statistics.
For an IPv4-only configuration, the standard RADIUS attributes report the IPv4 statistics and the IPv6 VSA results are all reported as 0.
For an IPv6-only configuration, the standard RADIUS attributes and the IPv6 VSA statistics are identical, both reporting the IPv6 statistics.
When both IPv4 and IPv6 are configured, the standard RADIUS attributes report the combined IPv4 and IPv6 statistics. The IPv6 VSAs report IPv6 statistics.
[Subscriber Access]
Change to operation of RADIUS attribute Framed-IPv6-Prefix [97] (M120, M320, MX Series routers)—The operation of the standard RADIUS attribute Framed-IPv6-Prefix [97] has been modified in Junos OS Release 10.4 and later. In these releases, the Framed-IPv6-Prefix attribute communicates the router advertisement prefix from RADIUS to the network access server (NAS). In Junos OS Release 10.3 and earlier, the Framed-IPv6-Prefix attribute communicated the DHCPv6 delegated prefix from RADIUS to the NAS.
[Subscriber Access]
User Interface and Configuration
Change in the commit | display detail option—If the number of commit messages exceeds a page when the commit command is used with the | display detail pipe option, the more pagination option on the screen is no longer available. Instead, the messages roll up on the screen by default, as they do when the commit command is used with the | no more pipe option.
[CLI User Guide]
New configuration statement to configure retry attempts for checking the keepalive status of a Point-to-Point Protocol (PPP) session—Junos OS introduces the keepalive-retries number-of-retries statement at the [edit access profile profile-name client client-name ppp] hierarchy level. Include this statement in the configuration to reduce the detection time for PPP client session timeouts or failures if you have configured the keepalive timeout interval (using the keepalive statement).
[System Basics]
New configuration statement to enable the processing of IPv4-mapped IPv6 addresses—Junos OS introduces the allow-v4mapped-packets configuration statement at the [edit system] hierarchy level. By default, Junos OS disables the processing of IPv4-mapped IPv6 packets to prevent malicious packets from entering the network. To enable the processing of such IPv4-mapped IPv6 packets, include the allow-v4mapped-packets statement in the CLI configuration.
[System Basics]
New option introduced for the show | display inheritance operational mode command—Junos OS now provides the no-comments option for the show | display inheritance command. This option enables you to view CLI configuration details without inline comments marked with ##.
[CLI User Guide]
Enhancement to the show chassis sibs command—The show chassis sibs command now displays an appropriate reason when a SIB transitions to the Offline state. For instance, if the SIB is taken offline using the request chassis sib command, the output of the show chassis sibs command displays --- Offlined by cli command ---.
[System Basics and Services Command Reference]
New option for the ping mpls l2vpn and ping mpls l2circuit commands—The ping mpls l2vpn and ping mpls l2circuit commands provide a new option reply-mode that enables you to specify the reply mode for the ping request. The reply-mode option provides the application-level-control-channel, ip-udp, and no-reply options.
[System Basics and Services Command Reference]
Enhancement to the output of the show chassis hardware detail command—The show chassis hardware detail command now displays DIMM information for the following Routing Engines:
Table 2: Routing Engines Displaying DIMM Information
Routers                             Routing Engines
MX240, MX480, and MX960 routers     RE-S-1800x2 and RE-S-1800x4
M120 and M320 routers               RE-A-1800x2
[System Basics and Services Command Reference]
Enhancement to the show chassis fpc command—The show chassis fpc command now displays accurate temperature readings for the FPC.
[System Basics and Services Command Reference]
VPNs
SCU support for VRF routing instances with vrf-table-label configured—You can now configure source class usage (SCU) to count packets on Layer 3 VPNs configured with the vrf-table-label statement. Include the source-class-usage statement at the [edit routing-instances routing-instance-name vrf-table-label] hierarchy level. The source-class-usage statement at this hierarchy level is supported only for the virtual routing and forwarding (VRF) instance type. Previously, you could not enable SCU when the vrf-table-label statement was configured. Destination class usage (DCU) is not supported when the vrf-table-label statement is configured.
[VPNs, Network Interfaces]
Related Documentation
New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
Errata and Changes in Documentation for Junos OS Software Release 10.4 for M Series, MX Series, and T Series Routers
Upgrade and Downgrade Instructions for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
The current software release is Release 10.4R2. For information about obtaining the software packages, see “Upgrade and Downgrade Instructions for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers.”
Current Software Release
Previous Releases
Current Software Release
Outstanding Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
Class of Service
When a valid rate-limit is configured on an interface from a DPCE-R-Q-20GE-2XGE card, the router might incorrectly log a message that the configuration is not supported. The rate-limit functionality is, however, correctly implemented in the hardware. [PR/574764]
Forwarding and Sampling
A high CPU utilization by the DFWD process might occur if the interface lo0 is configured as part of the interface group 0. [PR/497242]
When a VPN routing and forwarding table (VRF) is configured in a logical system, and there is no loopback filter configured in the VRF while it is configured on the logical system and the default router, the packets destined for the VRF reach the filter configured in the logical system. However, they are expected to reach the filter configured in the default route table. [PR/575060]
On M Series, T Series, and J Series routers, when the installation of a filter that contains a logical-interface-policer or a physical-interface-policer fails (for example, due to insufficient jtree memory), the FPC might crash. [PR/579271]
High Availability
The SSH keys are not in sync between the master and backup Routing Engine when SSH is enabled after a graceful Routing Engine switchover (GRES). [PR/455062]
Interfaces and Chassis
When the Rx power level is a negative value, the SFP diagnostics output displays an invalid receiver power level reading. [PR/235771]
Upon a link up event, old packets from the previous link down are still dequeued. This leads to huge latency reports. [PR/515842]
Discrepancies exist in MAC and filter statistics between Trio MPC and I+EZ DPCs. [PR/517926]
The multipoint-destination configuration statement is not supported on IQE PICs. While the configuration of this statement is accepted without problems initially, subsequent reconfiguration of the interface might cause the FPC and Packet Forwarding Engine to reboot. [PR/529423]
During a process restart, the jpppd process does not rollback the active subscriber when the pp0 logical interface's L1_READY flag is cleared. [PR/540745]
When the show interfaces command is used, no service set attachment information is displayed. This information is visible under the interfaces hierarchy (configuration). [PR/541574]
On a DPCE 20x 1 Gigabit Ethernet and 2x 10 Gigabit Ethernet, the link status of the interface goes down when the TX router towards the peer is removed. [PR/542668]
When neither the per-unit scheduler nor the hierarchical-scheduler is configured on a physical interface, and the physical interface has the overhead-accounting bytes configured, it does not take effect. [PR/544608]
On MX Series routers, the following syslog error messages appear when a configuration change is made and committed:
UI_DBASE_LOGIN_EVENT: User 'regress' entering configuration mode
UI_COMMIT: User 'regress' requested 'commit synchronize' operation (comment: none)
Shared memory release
vccpd_platform_get_serial_num: read s/n JN10C843EAFA success, task_state 5123
vcdb_extract_db_from_file reading file /config/vchassis/vc.tlv.db
vcdb_extract_db_from_file Error opening file. errno = 2
vcdb_extract_db_from_file reading file /config/vchassis/vc.db
vcdb_extract_db_from_file: DB Files couldn't be read.
vccpd_platform_get_serial_num: read s/n JN10C843EAFA success, task_state 7171
Shared memory release
sysctl_nd6_mmaxtries: 3, max solicit testing setting of param
sysctl_nd6_mmaxtries: 3, max solicit testing setting of param
sysctl_nd6_mmaxtries: 3, max solicit testing setting of param
sysctl_nd6_mmaxtries: 3, max solicit testing setting of param
sysctl_nd6_mmaxtries: 3, max solicit testing setting of param
sysctl_nd6_prune: 1, retrans timer testing setting of param
sysctl_nd6_prune: 1, retrans timer testing setting of param
sysctl_nd6_prune: 1, retrans timer testing setting of param
sysctl_nd6_prune: 1, retrans timer testing setting of param
sysctl_nd6_prune: 1, retrans timer testing setting of param
[PR/548853]
After an MX80 router is upgraded to Junos OS Release 10.3, the "Front Panel Alarm Indicators" LEDs do not show any status in the output of the show chassis craft-interface command, even when a chassis alarm is set on the router. [PR/558046]
Under certain conditions, both the primary and the secondary sections of the interface might get disabled. To recover from this condition, deactivate and activate the interface configuration. [PR/559656]
On MPC-3D FPCs, the following IDMEM parity error messages appear:
MX960-LAB fpc3 LU 2 RD_NACK 2 AP[0x04] TOE Write 0x002913a0
MX960-LAB fpc3 LU 2 IDMEM Parity error in Bank 3, Count 10, IDMEM Bank 3 Offset 0x00014899 IDMEM[0x00052274]
These messages repeat as long as the software encounters the error. These error messages occur within uninitialized memory locations. [PR/569887]
Incorrect K2 bytes might be transmitted if the mode bits are not set correctly by the apsd process. [PR/569903]
Layer 2 Ethernet Services
The release message is not sent to the DHCP server even though the send-release-on-delete flag is set under the DHCP relay configuration. As a workaround, to deactivate or deconfigure an interface, clear all the bindings on the interface before you deactivate or delete the interface. To deactivate or deconfigure the relay, clear all the bindings before you deactivate or delete the relay. [PR/498920]
MPLS Applications
On M Series and T Series routers, the MPLS label-switched path (LSP) log messages are not logged for non-standby secondary MPLS LSPs. [PR/560069]
The routing protocol process crashes when an MVPN routing instance is activated and deactivated. [PR/571131]
Network Management
The value of IfHighSpeed for the current bandwidth of an interface is in units of 1,000,000 bits per second. According to RFC 2683, the ifHighSpeed must be rounded to the nearest whole value on both the physical interfaces and logical interfaces. [PR/507004]
Platform and Infrastructure
The SFC management interface em0 is often displayed as fxp0 in several warning messages. [PR/454074]
On restarting with a large-scale configuration (16,000 logical interfaces per MPC), the MPC-3D-16XGE-SFPP card may take up to 15 minutes to come up. [PR/478548]
The dynamic auto-sensed VPLS interfaces fail after modifications are made to the routing instance. Before making configuration changes to any routing instance, clear any active logical interfaces that are part of the routing instance using the clear auto-configuration interfaces operational command. Modifying a routing instance configuration when the configuration is actively being used by subscribers can result in unpredictable behavior. [PR/512902]
An NTP server might not reply to clients with a source address that is explicitly configured. [PR/540430]
The IPv6 BGP neighbors might not come back to the up state when an FPC associated with that session is manually taken offline, removed, and re-inserted. [PR/552376]
No ICMP host redirect messages are generated when there are multiple VLANs configured on an interface (multiple logical interfaces on a single physical interface). [PR/559317]
When the same local link address is configured on two interfaces, the message "/kernel: ip6_getpmtu: Invalid Stored MTU" is displayed continuously. [PR/560079]
Routing Protocols
When aggregate interfaces are used for VPN applications, load balancing may not occur with a Layer 2 circuit configuration. [PR/471935]
Under certain circumstances, the BGP path selection does not follow the local preference. This might lead to incorrect BGP path selections. [PR/513233]
When the received next hop for a route has the same address of the EBGP peer to which the route is readvertised, the next hop is erroneously set to the peer's address instead of the next hop to self. [PR/533647]
When an interface is added to a routing instance with rpf-check enabled, the routing protocol process might crash if a route-distinguisher is also changed at the same time. [PR/539321]
In Junos OS Release 10.0 and later, a direct route to a VRF with a rib-group is not advertised as an inet-vpn route to the IBGP neighbor due to the error "BGP label allocation failure: Need a nexthop address on LAN." [PR/552377]
In some cases, the MX Series routers might not send the Link Layer Discovery Protocol (LLDP) notification trap when the LLDP is disabled on the remote neighbor. [PR/560855]
Once a routing protocol process is restarted due to a crash or a mastership switch, the kernel and the routing protocol process flood branch nh reference counters might not be in sync anymore. The exposure is high in NGEN-MVPN with many local receivers and constant churn of join and prunes of multicast groups. The routing protocol process might assert and restart while deleting a flooded nexthop. As a workaround, restart the system, or deactivate all MVPN instances to get the kernel and the routing protocol process to be in sync upon a routing protocol process restart. [PR/561127]
The 3D Packet Forwarding Engines might experience a rare transient error that temporarily corrupts one of the lookup engines, resulting in packet loss. A set of messages similar to the following is displayed:
fpc0 LU 0 PPE_7 Errors ucode data error 0x00000184
fpc0 PPE Thread Timeout Trap: Count 3, PC 20, 0x0020: entry_index_nh 0x0020: entry_index_nh PPE PPE HW Fault Trap: Count 10831395, PC 2c, 0x002c: entry_policer_nh
Reboot the Packet Forwarding Engine to clear this error state. [PR/564998]
The configuration of DSCP ReWrite rules on a 10-port 10-Gigabit Ethernet LAN/WAN PIC with SFP+ might overwrite the DSCP value coming from the Routing Engine for a host generated traffic. [PR/575259]
When a core-facing DPC is restarted, the message "mcsn: cannot perform nh operation ADDANDGET nhop (null) type indirect index 0 errno 22" appears. A trigger also moves the interfaces from bridge domains to VPLS instances. To clear this issue, restart multicast snooping. [PR/576058]
Services Applications
The output of the show services ids destination-table command might not display any flow and related statistics in the IDS anomaly table for a certain period of time after the flows are activated. [PR/490584]
The data channel applications for protocols such as FTP, TFTP, RTSP, and SIP are not in the same application group as their control channel applications. For example, control channel application junos:ftp is in the group junos:file-server, but the corresponding data application junos:system:ftp-data is not in any group. [PR/507865]
On M Series and MX Series routers, after a hot-standby RMS, all existing flows are dropped and it takes some time for new flows to appear with the state. This is due to the limitation of the RMS. All existing traffic is dropped, and RPC is most impacted as it has a long retry timer and takes a long time to recover. [PR/535597]
When unit 0 of the Multiservices PIC interface is not specified, the monitor interface traffic command does not display the input packet’s number properly for that particular ms-I/F interface. [PR/544318]
When an snmpwalk is performed on the jnxSpSvcSetSvcType object or any of its subobjects, the “SPD_DB_SVC_SET_ADD_FAILURE” log message displays. [PR/546808]
FTP sessions that last long periods (several minutes or hours) are suddenly disconnected when traffic is still flowing on the data channel. [PR/579475]
User Interface and Configuration
In the J-Web interface, the “Generate Report” option under Monitor Event and Alarms opens the report in the same web page. [PR/433883]
Selecting the monitor port for any port in the Chassis Viewer page displays the common Port Monitoring page instead of the corresponding Monitoring page of the selected port. [PR/446890]
On MX Series routers, J-Web does not display the USB-related information under Monitor>SystemView>System Information>Storage. [PR/465147]
When a new-line character (\n) is used within the op script argument descriptions, the help output might display incorrectly, and could result in extra output being displayed when the op script executes. [PR/485253]
In the J-Web interface, the options Access Concentrator, Idle Timeout, and Service Name for PPPoE logical interfaces are not supported on MX Series routers. [PR/493451]
The J-Web interface does not display the drop-profile-map, excess-priority, excess-rate, and rate-limit (transmit rate) parameters, which are supported for the schedulers configuration. Configure these parameters using the CLI. [PR/495947]
Warning messages related to pending commits are not triggered when the following operations are performed:
Software->Upload
Software->Install Package
Maintain->Reboot
As a workaround, commit all pending commits before performing the operations listed above. [PR/514853]
The annotate option does not appear when it is used with the edit private command for class of service. [PR/535574]
When an HTTPS connection is used for the J-Web interface in Internet Explorer to save a report from the View Events page (Monitor->Events and Alarms->View events), the following error message is displayed: “Internet Explorer was not able to open the Internet site.”
This issue also appears in the following places on the J-Web interface:
maintain->config management->history
maintain->customer support->support information->Generate Reports
Troubleshoot port->Generate Reports
maintain->files
Monitor->Routing->Route Information->Generate Reports
[PR/542887]
The J-Web pages load inconsistently when Add IPv4 or IPv6 filters are used in the Internet Explorer and Firefox Web browsers. [PR/543607]
After the "delete:" action is performed, the "replace" actions do not take effect in the "load replace terminal" operation. [PR/556971]
The JavaScript error "Object Expected" occurs when J-Web pages are navigated before the page loads completely. [PR/567756]
A commit script that activates an apply-group might fail to pass the commit check logic. [PR/576384]
VPNs
On a router configured for nonstop active routing (NSR) (the nonstop-routing statement is included at the [edit routing-options] hierarchy level), if a nonstop active routing switchover occurs after the configuration for routing instances changes in certain ways, the BGP sessions between PE and CE routers might not be established after the switchover. [PR/399275]
The routing protocol process crashes when the rd value of an old instance is different from the rd value of a new instance in the VLAN ID. [PR/512499]
Resolved Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
Class of Service
On T Series routers, when the class of service scheduling or queueing parameters on an interface with a high traffic utilization (close to the line rate or oversubscribed) are changed, the FPC which hosts the interface might restart. This issue is specific to non-ES type FPCs. [PR/565307: This issue has been resolved.]
When a firewall filter containing the packet loss priority (PLP) rewrite references a policer that also contains the PLP rewrite, a two time PLP rewrite occurs with the PLP bits of the packets matching the filter condition set on the PLP set action in the policer, and later the PLP set action is set on the firewall filter. [PR/566896: This issue has been resolved.]
Forwarding and Sampling
When a Routing Engine sampling is configured, and each flow server corresponds to a different autonomous system type, the packet size of the exported cflowd v5/8/500 packets might increase. [PR/530008: This issue has been resolved.]
On a sampled traffic on a multi services PIC, the multicast convergence slows down with the message "RPD_KRT_Q_RETRIES: Indirect Next Hop Update: No buffer space available." [PR/554363: This issue has been resolved.]
Making any circuit cross-connect (CCC) filter changes might render the Packet Forwarding Engine busy which might cause a slow statistics response. [PR/554722: This issue has been resolved.]
When a loopback filter is configured, packets sent by the ASIC to the Packet Forwarding Engine’s CPU for generation of TTL expiry notification are dropped. [PR/555028: This issue has been resolved.]
The mib2d process might crash when a race condition exists between the mib2d process and the dfwd process. [PR/563419]
When a firewall filter with multiple terms references the same three color policer and has the same count variable configured, any IP packets that match the second or later terms might get corrupted. Use different count variables in each term to prevent this issue. [PR/567546: This issue has been resolved.]
The RADIUS Accounting Interim message might not be sent immediately after a Change of Authorization (CoA), even if the CoA is successfully processed and the coa-immediate-update option is present in the configuration. [PR/570058: This issue has been resolved.]
High Availability
When a container interface (used in AE interfaces) is freed in the memory, the child nexthop (member link) on the master Routing Engine is also freed. However, in some cases, the child nexthop on the backup Routing Engine is not freed resulting in a crash. [PR/562295: This issue has been resolved.]
Interfaces and Chassis
On TX Matrix Plus routers, the message "fru_is_present: out of range slot 1 for CIP" is continuously sent on all the LCCs. [PR/48311: This issue has been resolved.]
During initialization, some garbage data can flow into the unused SONET interface. This data is small in size and does not contain any SOP or EOP information. This data consumes some D4P buffer memory. The D4P buffer does not remove this data until more data comes into the buffer. Periodic health check reports the following status: “D4P-10/1: FROML tx48 stream 1 data path stuck”. To resolve this issue, purge the D4P buffer. [PR/424326: This issue has been resolved.]
The queue counter of the aggregated Ethernet is counted up after the statistics are cleared and the FPC is restarted. [PR/528027: This issue has been resolved.]
On an MX Series router with a mixed MPC and DPC environment, first and non first cell drops occur at the DPC. [PR/540283: This issue has been resolved.]
When a large OID registration traffic exists from the sub agent to the master agent, the registration packets encounter random errors during transmission. This affects the registration process. [PR/555345: This issue has been resolved.]
When a member link is added to an existing aggregated interface, a multicast distribution tree (MDT) mismatch might occur among the FPCs. This issue occurs only when graceful Routing Engine switchover (GRES) is enabled. [PR/558745: This issue has been resolved.]
A Layer 2 instability and rapid VRRP mastership change might cause MPC-3D-16XGE-SFPP to restart. [PR/560716: This issue has been resolved.]
When a MAC is moved, the resulting flush process might be interrupted when the list is processed. [PR/560730: This issue has been resolved.]
If the cable of a TX router is removed from the interface on an MIC-3D-20GE-SFP, the state of the interface remains in the "up up" state. [PR/561254: This issue has been resolved.]
When multiple physical interfaces exist in a 4xChDS3 PIC, errors might occur when each controller physical interface is deleted while the PIC is taken offline. [PR/561841: This issue has been resolved.]
When a change in the bridge domain membership occurs, and the bridge domain has an IRB interface and a vt-x/y/z interface, the Packet Forwarding Engine that does not have any local interfaces on that bridge domain might restart. [PR/566878: This issue has been resolved.]
When the chassisd process receives a temporary error code (such as Device Busy, Try Again, No Buffer Space, or No Memory), while trying to add both the PIC and physical interfaces present in the PIC to the kernel, the chassisd process may not retry adding the physical interface back to the kernel until it succeeds. The device or physical interface will not come back up. It is recommended to reboot the router or restart the FPC when this issue is encountered. [PR/570206: This issue has been resolved.]
On TX Matrix Plus routers, the set craft-lockout command might cause an FPM interrupt flooding. [PR/571270: This issue has been resolved.]
On any Junos OS device that supports Ethernet OAM, the cfmd process might crash when a malformed delay measurement message (DMM) is received. [PR/571673: This issue has been resolved.]
Layer 2 Ethernet Services
The PIM neighborship does not appear over the IRB interface after the dense port concentrator (DPC) is restarted. [PR/559101: This issue has been resolved.]
MPLS Applications
Under certain circumstances, the routing protocol process might crash when configuration changes are made to label-switched paths under the [edit protocol mpls] hierarchy level. [PR/550699: This issue has been resolved.]
When the no-decrement-ttl statement is included at the [edit protocols mpls] or the [edit protocols mpls label-switched-path path-name] hierarchy level, the VPN Label TTL action field in the output of the show route extensive command displays vrf-propagate-ttl as the action. This is a display issue only and has no operational impact on the forwarding behavior. This is relevant to Layer 3 VPN scenarios where BGP routes resolve over RSVP LSPs and the no-propagate-ttl statement is not configured at the [edit protocols mpls] hierarchy level. [PR/563505: This issue has been resolved.]
A point-to-multipoint LSP with bandwidth requirement might fail to retrace the original path after a graceful restart, and might not come up until the end of the recovery period. [PR/574308: This issue has been resolved.]
Network Management
SNMP might stop working after a router reboot, a DPC, FPC, or MPC restart, or a graceful Routing Engine switchover. [PR/525002: This issue has been resolved.]
Platform and Infrastructure
Under certain circumstances, the message “NH: Failed to find nh (xxxx) for deletion” appears for the child links of an aggregate interface. However, this message should appear only when the child next hop is not found. This message is only cosmetic. [PR/494528: This issue has been resolved.]
In a Layer 2 circuit setup with a link services intelligent queuing interface (LSQ) in the core, and the control-word option enabled, a ping between two CE interfaces fails. As a workaround, use the no-control-word option. [PR/551207]
A DPC or an MPC may reset when Aggregate Ethernet (AE) interfaces are provisioned with IRB. In some cases, a DPC may also reset when a member link of an AE interface flaps. [PR/559887: This issue has been resolved.]
With the IRB and AE interfaces in a bridge-domain, the old nexthop data is not cleared from the Packet Forwarding Engines when they are updated. This causes the Packet Forwarding Engine to crash when that nexthop is later referenced. [PR/560813: This issue has been resolved.]
On an MX960 router, when an MPC is installed and OSPF and IS-IS is activated simultaneously, the "jtree memory free using incorrect value 8 correct 0" message is displayed for all DPCs. [PR/562719: This issue has been resolved.]
On standalone routers with GRES enabled (using the set chassis redundancy graceful-switchover command), or on multichassis platforms (TX and TXP routers), FPCs can crash creating a core file when interfaces are moved from one aggregate bundle to another aggregate bundle in a single configuration commit operation. As a workaround, split the operation into two commits. Remove the interface from one bundle and perform a commit, and later add it to another bundle and perform another commit. [PR/563473: This issue has been resolved.]
The MPC might crash when multicast traffic is forwarded and interfaces are deactivated. [PR/565454: This issue has been resolved.]
In Junos OS Release 10.2 and above, the Packet Forwarding Engine process tracing is enabled by default. This results in the MIB2D process not being able to communicate with the Packet Forwarding Engine process. [PR/566681: This issue has been resolved.]
On MX Series routers running Junos OS Release 10.2 and later, when a new link from a newly inserted FPC (DPC-x or MPC-3D-x) is configured to an existing aggregate configuration, the newly added link information might not appear under the Link:, LACP info:, LACP Statistics:, and Marker Statistics: fields in the output of the show interface aex extensive command. Deactivate and then activate the aggregate interface to resolve this issue. [PR/571245: This issue has been resolved.]
Routing Protocols
In rare situations, the routing protocol process might restart due to a software validation failure. [PR/476143: This issue has been resolved.]
With a large number of peers in a single BGP group, continuous large route churn may trigger scheduler slips in the routing protocol process. [PR/544573: This issue has been resolved.]
In instances with scaled LACP configurations, the periodic packet management process (ppmd) might experience memory leaks. [PR/547484: This issue has been resolved.]
When a policy matching an extended community using a 4-byte AS and a wildcard is configured, the match condition might fail to match the relevant communities. As a workaround, configure exact matches. [PR/550539: This issue has been resolved.]
A rare race condition might cause the routing protocol process to crash when an (s,g)/(*,g) entry is removed. [PR/551949: This issue has been resolved.]
On an NSR LDP, an LDP database entry mismatch exists between the master and the backup Routing Engines. The backup Routing Engine does not replicate the LDP socket with the error "jsr_sdrl_set_data: No space dlen." [PR/552945: This issue has been resolved.]
When a default route target is sent by a BGP peer, the BGP does not track the VPN routes covered by this route target. When the default route target goes away, the BGP does not withdraw the VPN routes that were previously covered by that default route target. [PR/556432: This issue has been resolved.]
On a 3D MPC, the load balance might be broken when a BGP multipath is configured. [PR/557099: This issue has been resolved.]
On M Series, MX Series, and T Series routers, the Virtual Router Redundancy Protocol (VRRP) process might become unresponsive when processing is delegated to the Packet Forwarding Engine. As a workaround, remove the delegate-processing option from the [protocols vrrp] hierarchy level. [PR/559033: This issue has been resolved.]
When the advertise-default option is used with the route-target family, and a new VPN is added, the necessary route refresh is not sent. [PR/561211: This issue has been resolved.]
When the Link Layer Discovery Protocol (LLDP) advertisement interval value is changed from 30 seconds to 60 seconds, and the show lldp detail command is executed, the output shows 60 seconds. However, the Routing Engine forwards the LLDP packet every 30 seconds. When the interface is deactivated and activated again, the LLDP packets are forwarded every 60 seconds correctly. [PR/560857: This issue has been resolved.]
Under certain circumstances, the routing protocol process crashes while receiving the IGMP SNMP GetNext request. [PR/561842: This issue has been resolved.]
The multicast snooping process might crash and prevent a commit when the apply-group statement is used at the bridge-domain <*> hierarchy level. [PR/562776: This issue has been resolved.]
The routing protocol process might crash in the following environments:
Auto-export is configured for route leaking between VRFs.
Communities are added in the import policy of the second VPN routing and forwarding (VRF) table.
[PR/563231: This issue has been resolved.]
Packets might not be correctly evaluated by a filter in an MPC that contains non-contiguous prefixes. As a workaround, replace the non-contiguous prefixes with equivalent sets of contiguous prefixes. [PR/564286: This issue has been resolved.]
On M10i and M7i routers, the distributed PPMD process is disabled by default. However, it should be enabled by default since it is supported by the Enhanced CFEB (CFEB-E). [PR/565957: This issue has been resolved.]
IS-IS might not use the MPLS label-switched paths (LSPs) if the names of the label-switched paths are similar in the first 32 characters. [PR/568093: This issue has been resolved.]
If the always-compare-med option is configured when a route change occurs, the routing protocol process might occasionally crash due to a soft assertion. However, the soft assertion does not impact the user traffic. [PR/568725]
During a nonstop active routing (NSR) switchover with a large number of remote Layer 3 VPN prefixes, and a local eBGP session with short hold-timers, routing protocol process scheduler slips might occur, which causes the BGP session to flap. [PR/568756: This issue has been resolved.]
Under certain circumstances, processing of links with maximum metric set by IS-IS shortest path first (SPF) computation algorithm might lead to suboptimal routing decisions. [PR/569649: This issue has been resolved.]
Services Applications
In scaled environments, the thread in the Multiservices PIC or DPC for cflow might run too long. This causes the PIC or DPC to crash. [PR/494457: This issue has been resolved.]
On Multiservices 500 PICs with graceful Routing Engine switchover, wrong record values are seen for the IPv4 netflow export packets. This error occurs when the route records do not get installed. [PR/545422: This issue has been resolved.]
The MS400 PIC crashes due to a memory allocation failure when the PIC tries to respond to a Routing Engine CLI request. [PR/558237: This issue has been resolved.]
The MultiServices PIC might crash when traffic is received on a Layer 2 Tunneling Protocol (L2TP) session (MLPPP bundle), and a teardown request is also received at the same time. [PR/561039: This issue has been resolved.]
If Bidirectional Forwarding Detection protocol (BFD) protection for BGP sessions is configured on a BGP session in a nonmaster routing instance, the BFD might start for that session before the kernel ID of the routing instance is set. This might cause the BFD session to freeze. As a workaround, if the BFD session has the routing table value of 4294967295, use the clear bfd session command to start a new session that will address the issue as long as the routing instance's kernel table has been allocated. [PR/563161]
If a class-of-service rule is applied to a service set, the inactive timeout under the user-configured application does not take effect. As a workaround, match the application in the class-of-service rule. [PR/571304: This issue has been resolved.]
User Interface and Configuration
Under certain circumstances, a nested Junos OS configuration group with a wildcard match might not have the desired effect. [PR/556379: This issue has been resolved.]
When a "validate" RPC is executed using a NETCONF session, some essential information about the session is not populated in the configuration database. [PR/570778]
VPNs
In MVPN routing-instances with local-receivers, a flood nexthop is created for each S,G entry for multicast traffic received from the CE. Once the local-receivers are joined or pruned, a new flood nh is created. However, old flood nexthops are not deleted. This leads to a memory leak within the routing protocol process. Once this routing protocol process reaches a size of 2GB, it will trigger an assertion and restart. [PR/569621: This issue has been resolved.]
In a local-switched l2circuit scenario, the control and forwarding plane might not be properly updated by the routing protocol process when one of the logical interfaces forming an l2ckt is down. [PR/572780: This issue has been resolved.]
Previous Releases
Release 10.3R2
The following issues have been resolved since Junos OS Release 10.3R2. The identifier following the description is the tracking number in our bug database.
Class of Service
When a VLAN ID is changed, the following message appears in the messages log: "COSD_GENCFG_WRITE_FAILED: GENCFG write failed for Classifier to IFL 74. Reason: File exists." This log message appears when the configuration is committed with VPLS configured on the Gigabit Ethernet interface, and a class-of-service classifier or rewrite rules that contain IEEE 802.1P on the interface are used. [PR/408552: This issue has been resolved.]
When a logical interface set has a shaping-rate less than the sum of transmit-rates of its queues and when the configuration is corrected so that the logical interface set gets the correct shaping-rate, ADPC might crash. [PR/523507: This issue has been resolved.]
During a graceful Routing Engine switchover, the traffic control profile might not be applied on the interfaces. As a workaround, deactivate and reactivate class of service. [PR/533862: This issue has been resolved.]
When per-unit-scheduler is applied under the interfaces hierarchy level, and shaping rate is applied under the class-of-service interface hierarchy level in the same commit operation, port shaping rate does not work and the total logical interface transmitted byte rate exceeds the physical interface shaping rate. As a workaround, configure shaping-rate within a traffic-control-profile and apply that to an interface, or deactivate and activate shaping-rate using the class-of-service interface interface-name shaping-rate command. [PR/539590: This issue has been resolved.]
Under certain conditions, the class of service configuration might not take effect on an IQ2 PIC. [PR/541814: This issue has been resolved.]
When the rate-limit option is configured on a physical interface on IQ2 PICs, the show interface queue command might not display the RL-dropped counters. [PR/547218: This issue has been resolved.]
The egress rate limit over a logical interface may drop large packets. [PR/547506: This issue has been resolved.]
In Junos OS Release 10.2 and later, the cosd process might crash while a configured commit is processed, as this process accesses a memory location that has already been freed. However, this issue is encountered rarely. [PR/548367: This issue has been resolved.]
Forwarding and Sampling
Port mirroring does not work under the bridge-domain forwarding-option filter. [PR/529272: This issue has been resolved.]
The policer counter might be missing in the SNMP walk. Reboot the router to solve this problem. [PR/535715: This issue has been resolved.]
When logical systems are configured, the show bridge-domains command might time out and return the following error message: “error: timeout communicating with l2-learning daemon.” [PR/536604: This issue has been resolved.]
A scheduler is associated with a forwarding class, and when a forwarding class is mapped to a different queue, the associated scheduler is not applied to the new queue. [PR/540568: This issue has been resolved.]
In Junos OS Release 10.2, the Routing Engine-based sampling might not work if the routing table inet.0 has a route for 128.0.0.1. The issue occurs when this route points to an external interface. [PR/540891: This issue has been resolved.]
A GRE interface might experience an incoming packet loss if a firewall filter is configured on the forwarding table. [PR/541901: This issue has been resolved.]
High Availability
On M120 routers, the message: "stream blocked detected message" displays when an FEB is switched from the backup to the primary. [PR/540644: This issue has been resolved.]
Interfaces and Chassis
The output of the monitor interface interface-name command is misaligned. [PR/70077: This issue has been resolved.]
An OAM trace displays an incorrect next-hop MAC value. [PR/494588: This issue has been resolved.]
When traffic flows into the MPC on which a bridge-domain configuration is being changed or the card is booting up, the forwarding software tries to access uninitialized memory for a short duration. This is a cosmetic issue and does not have any functional impact. [PR/506344: This issue has been resolved.]
On M7i routers with Junos OS Release 8.5 or later, the output of the show interfaces fxp0 command shows the fxp0 interface to be in the link up state even when the interface is disabled with no cables connected. [PR/508261: This issue has been resolved.]
When the VRRP6 master changes, there is no log output for VRRP IPv6. [PR/514821: This issue has been resolved.]
When the PIC is configured with encapsulation atm-ccc-cell-relay pseudowires, and the PIC throughput exceeds 152 Mbps, data loss occurs and the following error message is displayed: “[Warning] ce_wp_poll_hspi_stats:2006: PF/Winpath SPI interface error, rx_err_sm 243.” This error message is not seen when encapsulation atm-ccc-vc-mux is used. As a workaround, use the atm-ccc-vc-mux encapsulation (AAL5 ATM PW), or use atm-ccc-cell-relay and configure a larger cell bundle size. When the cell bundle size is 5, the PIC passes 190 Mbps without error. [PR/515632: This issue has been resolved.]
When a SIB is taken offline via a CLI command, the output of the show chassis sibs command does not display the message “Offlined by cli command.” However, this message is correctly displayed for the FPCs. [PR/519842: This issue has been resolved.]
The statistics get for LSQ interfaces fails in a scaled LSQ configuration when the show interfaces queue lsq-w/x/y:z command is executed. [PR/523260: This issue has been resolved.]
When MLPPP interfaces of an MS-PIC are taken offline, the following syslog message displays: “RT: itable unset idx 372 to proto MLPPP iftable failed (Invalid arguments) on FE -1.” [PR/528649: This issue has been resolved.]
In Junos OS Release 10.0 and later, a significantly large number of the following messages appear on the MX960 and SRX5800 routers:
MX960 /kernel: PCF8584(WR): transmit failure on byte 1
MX960 /kernel: PCF8584(WR): (i2c_s1=0x80, group=0xe, device=0x54)
MX960 /kernel: PCF8584(WR): busy at start, attempting to clear
MX960 /kernel: PCF8584(WR): (i2c_s1=0x00, group=0xe, device=0x54)
MX960 /kernel: PCF8584(RD): ack failure on 2nd last byte
These messages are not an indication of a fan failure. They are cosmetic and can be ignored. [PR/531253: This issue has been resolved.]
On Trio MPCs, multiple changes to a single term in quick succession results in an incorrect filter state in the Packet Forwarding Engine. This causes the MPC to crash. [PR/532791: This issue has been resolved.]
An XE circuit on the MPC-3D-16XGE-SFPP might cause a high CPU utilization on the MPC. [PR/535057: This issue has been resolved.]
On MX960 routers, the link status stays in the "Link ok" state when the SCB is removed without taking it offline using the CLI or switch. [PR/536860: This issue has been resolved.]
The SCB displays an incorrect state when it is removed without taking it offline using the CLI or buttons. This is not a cosmetic error and might impact the traffic. [PR/536866: This issue has been resolved.]
The "frame-relay-ether-type" encapsulation is not programmed to the hardware properly. Because of this, the incoming packet parsing fails and the packets are discarded. [PR/539484: This issue has been resolved.]
On MX Series routers with 10.x Power Budget, after a “Power Budget: Chassis experiencing power shortage” alarm occurs, the alarm does not clear even after the power budget problem is cleared. [PR/540522: This issue has been resolved.]
The MX-MPC1-3D-Q accepts VLAN tagged packets even when the interface is not configured with VLAN tagging. [PR/540620: This issue has been resolved.]
The link-up time on a 16x 10-Gigabit Ethernet MPC is not less than the other platforms (ADPC and other MPCs) due to the emission dispersion compensation (EDC) functionality of the PHY device on the MPC. This causes a delay of 50 mS to 150 mS and cannot be changed. [PR/540694: This issue has been resolved.]
The sonet-options raise-rdi-on-rei and trigger options do not work well together. Turning the raise-rdi-on-rei option on and off again requires the trigger option to flap in order to assert or clear the RDI-L alarm. As a workaround, when both sonet-options raise-rdi-on-rei and trigger options are configured, flap the sonet-options trigger as well. [PR/540745: This issue has been resolved.]
With Junos OS Release 10.2 and later, when a logical interface on an ATM-II IQ PIC is disabled, the FPC is taken offline and brought back online, and the PIC is reenabled, the logical interface stays down with atm_maker_check_indq error messages. [PR/541688: This issue has been resolved.]
When a Gigabit Ethernet or an XE interface on IQ2 PICs is disabled, and the link status is up, the traffic received from the interface might still be forwarded. [PR/543388: This issue has been resolved.]
When neither the per-unit scheduler nor the hierarchical-scheduler is configured on a physical interface and the physical interface has the overhead-accounting bytes configured, it does not take effect. [PR/544608: This issue has been resolved.]
When logical interfaces are created, the NPC crashes and the FPC goes down. [PR/545314: This issue has been resolved.]
Chassisd crashes when the show chassis clocks command is executed. [PR/545510: This issue has been resolved.]
When configuration changes are made that are unrelated to the interfaces, interface sets, or PICs, a commit failure occurs with the following error message: "error: iflset xxxx configured for nonexisting ifd ge-x/x/x." [PR/546184: This issue has been resolved.]
On a 10-Gigabit Ethernet PIC, a log is generated when the SFP is plugged in. However, no log is generated when the SFP is not plugged in. [PR/548251: This issue has been resolved.]
A CFM ping command fails when the maintenance domain or maintenance association is longer than 32 characters. [PR/550014: This issue has been resolved.]
If a bridge-domain contains more than one Aggregated Ethernet, and the IRB interfaces experience the right sequence of MAC moves, the FPC might restart. [PR/550824: This issue has been resolved.]
On a 10-port oversubscribed 10-Gigabit Ethernet PIC for T Series routers (PD-5-10XGE-SFPP), the reactions configured under the [optics-options] stanza do not take effect for "low-light" conditions. [PR/550851: This issue has been resolved.]
If the number of VPLS connections exceeds 31, frequent FPC and NPC crashes might occur. [PR/552099]
The EOA family configurations over a container ATM interface might be deleted and added again upon every commit (including unrelated commits). [PR/553077: This issue has been resolved.]
When a remote PE's address is configured on a local loopback interface, the MVPN PIM neighborship to that PE in a different VRF might be affected. [PR/558584]
On MX960 routers with PWR-MX960-4100-AC PEMs (high capacity AC PEMs), the MPCs and DPCs do not power up when the system boots with only HC-AC PEM2, PEM3 being switched on, and PEM0, PEM1 being present but switched off. [PR/562125]
Layer 2 Ethernet Services
On MX Series routers, when both the top and bottom fan trays are enhanced and a mastership switch is performed, the alarm "craftd[1337]: Minor alarm set, Mix of FAN-TRAYS" displays. This only occurs after a switchover or an upgrade. This alarm is temporary, is cleared within a few seconds, and does not cause any routing or forwarding issues on the chassis. [PR/541617: This issue has been resolved.]
The AE interface does not show the system identifier for the attached interfaces in actor role. Because of this, the AE interface gets stuck in the detached state after it is rebooted from both ends. Additionally, the AE interface flaps when the backup Routing Engine is rebooted and a graceful Routing Engine switchover (GRES) is performed. [PR/547739: This issue has been resolved.]
The DHCP relay bindings remain in a release state with a negative lease time. [PR/549520: This issue has been resolved.]
The L2CPD might have a memory leak when LLDP is enabled. [PR/549531: This issue has been resolved.]
MPLS Applications
With BFD enabled over IGP and an RSVP session built across it, when the RSVP peer does not support RSVP Hello (or is disabled), the BFD session down event triggers only the IGP neighbor to go down. The RSVP session remains up until a session timeout occurs. [PR/302921: This issue has been resolved.]
The rlist entry corresponding to the previously existing rlist is not removed, which causes the routing protocol process to crash. [PR/513160: This issue has been resolved.]
When a protected link flaps, certain RSVP routes do not lose association with the p2mp_nh. [PR/530750: This issue has been resolved.]
Under NGEN-MVPN with vrf-table-label configured on the provider edge, the provider router connecting to that provider edge might keep an old P2MP MPLS label entry upon label-switched path optimization or reroute. There is no workaround. [PR/538144: This issue has been resolved.]
An LSP with auto-bw might stay down for approximately 30 minutes after a Routing Engine switchover or a Routing Engine restart when graceful restart fails. As a workaround, disable and reenable the MPLS or OSPF stanza. [PR/539524: This issue has been resolved.]
When RSVP path-mtu allow-fragmentation is configured, traffic redirection away from its intended destination might occur. [PR/544365: This issue has been resolved.]
On a P2MP LSP setup, the routing protocol process of the transit router might core when the topology changes with respect to the ingress sub-LSP router. There is no workaround. [PR/549778: This issue has been resolved.]
In Junos OS Release 10.2, when the clear mpls lsp autobandwidth command is executed at the ingress router, the updated Maximum AvgBW Utilization field displays a value that is much higher than the actual bandwidth. [PR/550289: This issue has been resolved.]
On MX80 routers, the MPLS LSP statistics do not record the transit traffic on a single-hop LSP with an implicit NULL label. [PR/551124: This issue has been resolved.]
When a large number of P2MP LSPs exist during periods of high network instability with many links flapping, and MBB re-routing of a P2MP LSP occurs, an MPLS route can become stale. This can cause a routing protocol process assertion failure on a transit router. [PR/555219: This issue has been resolved.]
Network Management
The SNMP process might restart when a core dump is generated. [PR/517230: This issue has been resolved.]
In Junos OS Release 10.2 and later, the size of the MIB2D process might increase as a result of memory leaks. This causes the MIB2D process to crash as it reaches its maximum permitted size. [PR/546872: This issue has been resolved.]
In Junos OS Release 9.2 and later, a memory leak occurs in the subagent in a scenario where the snmpd process is not running, or there are issues in communication with a subagent and traps are being generated by the subagent. [PR/547003: This issue has been resolved.]
When the firewall filter policer configuration is changed, the SNMP MIBs might not update correctly. As a result, the counters are inaccessible. [PR/555719: This issue has been resolved.]
Platform and Infrastructure
Redirect drops that are not real errors are taken into account for the "Iwo HDRF" error statistics that are reported in the output of the show pfe statistics errors command on I-chip based routers. Since redirect drops are expected in a VPLS (and Ethernet in general) environment, this behavior could be misleading. [PR/430344: This issue has been resolved.]
After an 8216 Routing Engine upgrade to Junos OS Release 9.6 with "chassis" deactivated, the backup Routing Engine starts to reboot with the panic message "panic: filter_idx_alloc: invalid filter index," and crashes when the chassis configuration is enabled and committed. After the Routing Engine finally comes online, the CLI response is slow and the Routing Engine reboots again after approximately three minutes. To stop these reboots, deactivate the chassis on the backup Routing Engine. [PR/489029: This issue has been resolved.]
On T Series routers, the FPC might continuously reboot upon installation. [PR/510414: This issue has been resolved.]
When the system default-router a.b.c.d command is used, the default route is not installed in the Packet Forwarding Engine. [PR/523663: This issue has been resolved.]
In an MPLS environment, the source NAT or PAT for traffic between two remote VPNs does not work when the vrf-table-label option is removed from the VRF where the inside-service interfaces are located. [PR/524294: This issue has been resolved.]
When VPLS is configured on the router, the following log messages will appear when the interface goes down:
RT-HAL,rt_entry_delete_msg_proc,XXX: route add posthandler failed
RT-HAL,rt_msg_handler,XXX: route process failed
These messages can be ignored. [PR/524548: This issue has been resolved.]
After the MS-PIC’s homing PE interfaces used for MVPN are taken offline and brought back online, the following message may be logged: “flip-re0 fpc3 SLCHIP(0): %PFE-3: Channel 8189 (iif=701) on stream 32 already exists.” [PR/527813: This issue has been resolved.]
The Packet Forwarding Engine incorrectly imposes a rate limit function for the host-bound virtual LAN tagged packets with IEEE 802.1p value of 1. There is no workaround. [PR/529862: This issue has been resolved.]
A router might send raw IPv6 host-generated packets over the Ethernet towards its BGP IPv6 peers. [PR/536336: This issue has been resolved.]
BGP authentication does not work with the 64-bit Junos OS BGP route reflector on a JCS platform. BGP sessions fail to establish, and the following error message is observed: "... /kernel: tck_auth_ok Packet from XXX.XXX.XXX.XXX:XXXXX wrong MD5 digest." [PR/538076: This issue has been resolved.]
On M10i routers, an upgrade to Junos OS Release 10.2 fails and aborts when the PIC combinations are verified. As a workaround, first verify the PIC combinations manually against PSN-2010-06-777, then use the force option to override the warnings and force the upgrade. [PR/540468: This issue has been resolved.]
In Junos OS Release 10.3, the following messages may be seen in the syslog: “/kernel: sysctl_nd6_mmaxtries: 3, max solicit testing setting of paramsysctl_nd6_mmaxtries: 3, max solicit testing setting of paramsysctl_nd6_mmaxtries: 3, max solicit testing setting of paramsysctl_nd6_mmaxtries: 3, max solicit testing setting of paramsysctl_nd6_mmaxtries: 3, max solicit testing setting of param /kernel: sysctl_nd6_prune: 1, retrans timer testing setting of paramsysctl_nd6_prune: 1, retrans timer testing setting of paramsysctl_nd6_prune: 1, retrans timer testing setting of paramsysctl_nd6_prune: 1, retrans timer testing setting of paramsysctl_nd6_prune: 1, retrans timer testing setting of param.” These messages are cosmetic. [PR/540808: This issue has been resolved.]
During SNMP queries in Junos OS Release 10.2 and later, the size of the MIB2D process might increase as a result of memory leaks in a statistics-associated library routine (libstats). This causes the MIB2D process to crash as it reaches its maximum permitted size. [PR/541251: This issue has been resolved.]
During router bootup, the error messages: "can't re-use a leaf (nd6_prune)!" and "can't re-use a leaf (nd6_mmaxtries)!" display. [PR/543422: This issue has been resolved.]
The backup Routing Engine might cause the kernel to crash when a configuration change occurs on the AE bundle during a next-hop index allocation. [PR/544092: This issue has been resolved.]
On TX Matrix routers with T640-FPC3 FPCs and a large number of routes, when an AE interface in an ECMP path is taken down, small packet drops might occur in the traffic on the other ECMP link. This issue does not occur when an indirect next hop is used. [PR/545166: This issue has been resolved.]
In Junos OS Release 10.0 and later, the FPCs in M320 and T Series routers might crash when the error “PFE: Detected error next-hop” (corrupted next-hop) is encountered. [PR/546606: This issue has been resolved.]
On M120 routers, multicast packet drops occur when both the Fast Ethernet and the SFP Gigabit Ethernet PICs are located on the same Packet Forwarding Engine. [PR/546835: This issue has been resolved.]
In Junos OS Release 9.3 and later, when routers using Enhanced FPCs (T640-FPCx-ES or T1600-FPC4-ES FPCs) have a configuration involving CBF LSPs and aggregate interfaces, a jtree corruption might occur when a flap from a member link in the aggregate occurs on the remote end, or the FPC of the remote router is rebooted. To avoid this issue, use the indirect-next-hop option (routing-options forwarding-table indirect-next-hop). The error message "PFE: Detected error nexthop:" indicates a jtree corruption. [PR/548436: This issue has been resolved.]
In a multicast VPN scenario, if the default-vpn-source is configured under protocol PIM, then the FPC holding is configured, the MS-PIC might core when it is taken offline. [PR/550061: This issue has been resolved.]
A kernel core is generated when a logical interface that is a member of an AE bundle is activated and deactivated. [PR/553392: This issue has been resolved.]
Routing Protocols
The output of the show ospf statistics command does not display the hello packet statistics. [PR/427725: This issue has been resolved.]
The mirror receive task variable may not be cleared when the routing protocol process is heavily scaled. Hence, the NSR replication for RIP status stays in the "InProgress" state indefinitely. [PR/516003: This issue has been resolved.]
Under rare circumstances, multiple commits might crash both Routing Engines. The routing protocol process dumps core and restarts only on the master Routing Engine. This issue occurs when commits are executed within one minute. [PR/516479: This issue has been resolved.]
Upon an NSR mastership switch or ISSU upgrade, the multicast resolve route for IPv4 224/4 or inet6 ff00::/8 might be missing within the forwarding-table. To recover from this condition, deactivate and activate the protocol pim stanza, or restart the routing protocol process. [PR/522605: This issue has been resolved.]
For Junos OS Release 9.5 and above, the BGP parse community begins with “0” as the octal value. This behavior is different in earlier releases. [PR/530086: This issue has been resolved.]
The overload bit in the ISIS LSP MT-TLV may trigger the IS-IS to install a default route to the overload bit advertiser, and the output of the show isis database extensive command displays an unknown TLV. [PR/533680: This issue has been resolved.]
The routing protocol process might crash due to an invalid prefix-length value in one of the flow-spec routes. [PR/534757: This issue has been resolved.]
If there is enough join state associated with a neighbor and that neighbor goes down and comes back up quickly, then that join state may be stranded in an unresolved state until the clear pim join command is issued. [PR/539962: This issue has been resolved.]
On Type 2 Trio MPC, multiple changes to a single term in quick succession can cause an incorrect filter state in the Packet Forwarding Engine. This causes the MPC to crash. [PR/540674: This issue has been resolved.]
The routing protocol process might crash when a BGP connection attempt meets with an RST from the peer. This is due to an unlikely race condition. [PR/540895: This issue has been resolved.]
Under certain timing conditions, an interior gateway protocol topology change can result in the BGP routes referencing an incorrect egress interface. This problem can occur when active and inactive BGP routes are learned from the same peer and the inactive BGP routes are deleted at the time of the topology change. [PR/543911: This issue has been resolved.]
In instances with scaled LACP configurations, the periodic packet management process (ppmd) might experience memory leaks. [PR/547484: This issue has been resolved.]
When two identical local interface addresses are shared between two VRFs via auto-export, the routing protocol process might cause a high CPU utilization. [PR/547897: This issue has been resolved.]
When the primary loopback address changes, the routing protocol process might crash when a new data mdt is created. [PR/549483: This issue has been resolved.]
If a PIM <S, G> join arrives when there is no route to the source, PIM RPF checking is disabled, and a matching multicast route is present, the output interfaces associated with the PIM <S, G> join are not added to the multicast route. [PR/550703: This issue has been resolved.]
The IPv6 entries are removed from the output of the show pim interfaces command when the corresponding interface is in the down state. This is a cosmetic issue. [PR/550799: This issue has been resolved.]
On MX80 routers, even when static routes are configured, the management port does not forward traffic to the user ports. [PR/552952: This issue has been resolved.]
When an interface-based IPv6 BGP session with a 2-byte AS format is used, the system might crash. [PR/553772: This issue has been resolved.]
An IS-IS adjacency flap at a precise interval can cause the routing protocol process to restart on a neighbor, as it is in the process of purging the LSAs of the previously down node from the local database. [PR/554233: This issue has been resolved.]
Services Applications
In Junos OS Release 10.0 and later, the routing instance name is restricted to 63 characters. [PR/533882: This issue has been resolved.]
The BGP_IPV4_NEXT_HOP field on the jflow v9 record matches the originatorID instead of the BGP next hop. [PR/534598: This issue has been resolved.]
When traffic is forwarded in an L2TP session and a teardown request is received, the ASPIC crashes with a memory access violation in mlppp_output. [PR/537225: This issue has been resolved.]
On M Series routers configured for L2TP tunneling with several thousands of PPP connections, when all the PPP sessions expire at the same time, the MS-PIC might hang and become unusable. To recover the service, restart the PIC. [PR/541793: This issue has been resolved.]
On SG3 PICs (Multiservices 500) with graceful Routing Engine switchover (GRES), wrong record values are seen for the IPv4 netflow export packets. This error occurs when the route records are not installed. [PR/545422: This issue has been resolved.]
The IPv6 and MPLS route counts are not reflected in the output of the show service accounting status command. [PR/550793: This issue has been resolved.]
User Interface and Configuration
In a router configured with a large number of interfaces, when few interfaces are constantly added and deleted, a minor memory leak may be observed in the "pfed" process. [PR/522346: This issue has been resolved.]
While a configuration with a long as-path is displayed in XML format using the show configuration | display xml | no-more command, the closing tag for the as-path <path> is wrongly displayed as </path instead of </path>. [PR/525772: This issue has been resolved.]
The xnm service currently does not support logging of remote-host addresses in system accounting. [PR/535534: This issue has been resolved.]
It is possible to log in to J-Web from a web browser having a cipher strength of 40 and 56 bits. This could create a security issue. As a workaround, use a web browser that supports 128-bit cipher strength. [PR/539477: This issue has been resolved.]
The system continues to use the TACACS server configuration even after it is removed. As a workaround, deactivate and reactivate the accounting configuration. [PR/544770: This issue has been resolved.]
When the load set command is used to refresh a script file, the script does not refresh, and exits from the CLI after displaying the rpc-related errors. [PR/555316: This issue has been resolved.]
VPNs
When two MVPN routing instances and at least one L2VPN routing instance are configured, the commit fails with the following message: “RPD_RT_DUPLICATE_RD: routing-instance xxx has duplicate route-distinguisher." As a workaround, configure the route-distinguisher-id for each instance manually. [PR/511514: This issue has been resolved.]
If a VPN routing and forwarding (VRF) instance contains a static route that is resolved via a route that is auto-exported from another routing instance, the static route may not be removed when the physical interface goes down. [PR/531540: This issue has been resolved.]
When a CE-facing interface in a VPLS instance is deactivated, the routing protocol process may get into a loop leading to a high CPU utilization. [PR/531987: This issue has been resolved.]
Under certain circumstances, the container interfaces might not send the proper martini modes to the routing protocol process. This results in incorrect control-word-related information sent to the Packet Forwarding Engine. [PR/541998: This issue has been resolved.]
In a Live/Standby MVPN extranet setup, with the primary provider on PE1, the backup provider on PE2, and a receiver on PE3 and receivers also on PE1 and PE2, traffic drops occur for 25 seconds after every 35 seconds. [PR/542984: This issue has been resolved.]
Related Documentation
New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
Errata and Changes in Documentation for Junos OS Software Release 10.4 for M Series, MX Series, and T Series Routers
Upgrade and Downgrade Instructions for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
Errata and Changes in Documentation for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
Changes to the Junos OS Documentation Set
The following are the changes made to the Junos OS documentation set:
The new index pages launched for Junos OS technical documentation present documentation links in categories and include brief descriptions of the content of each link. Related links to platform documentation pages are included in the right-hand navigation. The new pages contain all of the content on previous versions of the pages; only the formatting has changed.
Here are the URLs:
Software documentation for Junos M, MX, and T Series: http://www.juniper.net/techpubs/en_US/junos10.4/information-products/pathway-pages/product/m-t-mx/10.4/index.html
Hardware documentation for M Series Multiservice Edge Routers: http://www.juniper.net/techpubs/en_US/release-independent/junos/information-products/pathway-pages/m-series/
Hardware documentation for MX Series 3D Universal Edge Routers: http://www.juniper.net/techpubs/en_US/release-independent/junos/information-products/pathway-pages/mx-series/
Hardware documentation for T Series Core Routers: http://www.juniper.net/techpubs/en_US/release-independent/junos/information-products/pathway-pages/t-series/
Hardware documentation for the JCS 1200 platform: http://www.juniper.net/techpubs/en_US/release-independent/junos/information-products/pathway-pages/jcs/
The term “Multiplay” has been replaced with “Session Border Control” in the Junos OS Release Notes.
The Integrated Multi-Service Gateway (IMSG) pathway page now includes three complete configuration examples:
IMSG—Basic Configuration
IMSG—Dual BGFs
IMSG—Server Clusters
The configuration examples are applicable to Junos OS Release 10.2 and later.
The Junos OS Layer 2 Configuration Guide provides an overview of the Layer 2 functions supported on Juniper Networks routers, including configuring bridge domains, MAC addresses and VLAN learning and forwarding, and spanning-tree protocols. It also details the routing instance types used by Layer 2 applications. This material was formerly covered in the Junos OS MX Series Ethernet Services Routers Layer 2 Configuration Guide.
Documentation for the extended DHCP relay agent feature is no longer included in the Policy Framework Configuration Guide. For DHCP relay agent documentation, see the Subscriber Access Configuration Guide or the documentation for subscriber access management.
In Junos OS Release 10.3R1 and later, PDF files are not available for individual HTML pages in the Junos OS documentation set. PDF files are available for the complete Junos OS Release 10.3 configuration guides at http://www.juniper.net/techpubs/software/junos/junos103/index.html. PDF files for the complete hardware guides are accessible at the following URLs:
For M Series routers: http://www.juniper.net/techpubs/en_US/release-independent/junos/information-products/pathway-pages/m-series/
For MX Series routers: http://www.juniper.net/techpubs/en_US/release-independent/junos/information-products/pathway-pages/mx-series/
For T Series and TX Matrix routers: http://www.juniper.net/techpubs/en_US/release-independent/junos/information-products/pathway-pages/t-series/
In addition, individual HTML pages have a Print link in the upper left corner of the text area on the page.
Errata
This section lists outstanding issues with the documentation.
High Availability
TX Matrix Plus routers and T1600 routers that are configured as part of a routing matrix do not currently support nonstop active routing. [High Availability]
Interfaces and Chassis
For the T320, T640, and T1600 routers, external clock synchronization is not supported on sonic clock generators (SCG) with DB-9 external clock interfaces.
[System Basics, Hardware Guides]
The Configuring Layer 2 Circuit Transport Mode chapter in the Network Interfaces Configuration Guide states the following:
For Layer 2 circuit cell relay and Layer 2 trunk modes, include the atm-l2circuit-mode cell statement at the [edit chassis fpc slot pic slot] hierarchy level and the encapsulation atm-ccc-cell-relay statement at the [edit interfaces interface-name] hierarchy level.
This configuration is correct and interoperates with routers running all versions of Junos OS.
However, the chapter does not mention that you can also include the encapsulation atm-ccc-cell-relay statement at the [edit interfaces interface-name unit logical-unit-number] hierarchy level. When you include the statement at the [edit interfaces interface-name unit logical-unit-number] hierarchy level, keep the following points in mind:
This configuration interoperates only between Juniper Networks routers running Junos OS Release 8.2 or earlier.
This configuration does not interoperate with other network equipment, including a Juniper Networks router running Junos OS Release 8.3 or later, unless it is also configured with the same use-null-cw statement.
For a Juniper Networks router running Junos OS Release 8.3 or later to interoperate with another Juniper Networks router running Junos OS Release 8.2 or earlier, on the router running Junos OS Release 8.3 or later, include the use-null-cw statement at the [edit interfaces interface-name atm-options] hierarchy level.
The use-null-cw statement inserts (for sending traffic) or strips (for receiving traffic) an extra null control word in the MPLS packet.
The use-null-cw statement is not supported on a router running Junos OS Release 8.2 or earlier.
[Network Interfaces]
With Junos OS Release 10.1 and later, you need not include the tunnel option or the clear-dont-fragment-bit statement when configuring allow-fragmentation on a tunnel.
[Services Interfaces]
J-Web Interface
To access the J-Web interface, your management device requires the following software:
Supported browsers—Microsoft Internet Explorer version 7.0 or Mozilla Firefox version 3.0
Language support—English-version browsers
Supported OS—Microsoft Windows XP Service Pack 3
MX Series 3D Universal Edge Routers
Some features marked as supported on MX Series 3D Universal Edge Routers are not currently supported on MX80 routers. For a complete list of available features on MX80 routers, please contact your sales engineer or the Juniper Technical Assistance Center.
The MX Series 3D Universal Edge Routers are sometimes referred to as MX Series Ethernet Services Routers. Both names refer to the same MX Series routers. This will be standardized to MX Series 3D Universal Edge Routers in the documentation in later releases.
Subscriber Access Management
The Subscriber Access Configuration Guide contains the following dynamic variable errors:
The Configuring a Dynamic Profile for Client Access topic erroneously uses the $junos-underlying-interface variable when an IGMP interface is configured in the client access dynamic profile. The following example provides the appropriate use of the $junos-interface-name variable:
[edit dynamic-profiles access-profile]
user@host# set protocols igmp interface $junos-interface-name
Table 25 in the Dynamic Variables Overview topic neglects to define the $junos-igmp-version predefined dynamic variable. This variable is defined as follows:
$junos-igmp-version—IGMP version configured in a client access profile. The Junos OS obtains this information from the RADIUS server when a subscriber accesses the router. The version is applied to the accessing subscriber when the profile is instantiated. You specify this variable at the [dynamic-profiles profile-name protocols igmp] hierarchy level for the interface statement.
In addition, the Subscriber Access Configuration Guide erroneously specifies the use of a colon (:) when you configure the dynamic profile to define the IGMP version for client interfaces. The following example provides the appropriate syntax for setting the IGMP interface to obtain the IGMP version from RADIUS:
[edit dynamic-profiles access-profile protocols igmp interface $junos-interface-name]
user@host# set version $junos-igmp-version
The Subscriber Access Configuration Guide and the System Basics Configuration Guide contain information about the override-nas-information statement. This statement does not appear in the CLI and is not supported.
[Subscriber Access, System Basics]
When you modify dynamic CoS parameters with a RADIUS change of authorization (CoA) message, the Junos OS accepts invalid configurations. For example, if you specify a transmit rate that exceeds the allowed 100 percent, the system does not reject the configuration and returns unexpected shaping behavior.
[Subscriber Access]
We do not support multicast RIF mapping and ANCP when configured simultaneously on the same logical interface. For example, we do not support when a multicast VLAN and ANCP are configured on the same logical interface, and the subscriber VLANs are the same for both ANCP and multicast.
[Subscriber Access]
The Guidelines for Configuring Dynamic CoS for Subscriber Access topic in the Subscriber Access Configuration Guide erroneously states that dynamic CoS is supported for dynamic VLANs on the Trio MPC/MIC family of products. In the current release, dynamic CoS is supported only on static VLANs on Trio MPC/MIC interfaces.
[Subscriber Access]
The Subscriber Access Configuration Guide incorrectly describes the authentication-order statement as it is used for subscriber access management. When configuring the authentication-order statement for subscriber access management, you must always specify the radius method. Subscriber access management does not support the password keyword (the default), and authentication fails when you do not specify an authentication method.
[Subscriber Access]
In the Subscriber Access Configuration Guide, the Juniper Networks VSAs Supported by the AAA Service Framework topic and the Specifying an Address Pool in a Domain Map topic incorrectly indicate that VSA 26-2 (Local-Address-Pool) is supported. Subscriber management does not support this VSA.
[Subscriber Access]
User Interface and Configuration
The show system statistics bridge command displays system statistics on MX Series routers. [System Basics Command Reference]
VPNs
In Chapter 19, Configuring VPLS of the VPNs Configuration Guide, an incorrect statement that caused contradictory information about which platforms support LDP BGP interworking has been removed. The M7i router was also omitted from the list of supported platforms. The M7i router does support LDP BGP interworking.
[VPNs]
Related Documentation
New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
Upgrade and Downgrade Instructions for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
Upgrade and Downgrade Instructions for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
This section discusses the following topics:
Basic Procedure for Upgrading to Release 10.4
Upgrading a Router with Redundant Routing Engines
Upgrading Juniper Network Routers Running Draft-Rosen Multicast VPN to Junos OS Release 10.1
Upgrading the Software for a Routing Matrix
Upgrading Using ISSU
Upgrading from Junos OS Release 9.2 or Earlier on a Router Enabled for Both PIM and NSR
Upgrade Policy for Junos OS Extended End-Of-Life Releases
Downgrade from Release 10.4
Basic Procedure for Upgrading to Release 10.4
In order to upgrade to Junos OS 10.0 or later, you must be running Junos OS 9.0S2, 9.1S1, 9.2R4, 9.3R3, 9.4R3, 9.5R1, or later minor versions, or you must specify the no-validate option on the request system software install command.
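A fleet-wide check of the version prerequisite above, as an added example that is not part of the release notes or Juniper's own tooling. It assumes version strings shaped like the 10.4R1.9 in this page's package names, reads "or later minor versions" as later builds of the same letter type within a release, and reports "check" where the page gives no ordering (for example an R build of 9.0); the function names and the inventory are hypothetical.

```python
import re

# Oldest build in each 9.x release from which, per the release notes, a
# validated install of Junos OS 10.0 or later is possible:
# 9.0S2, 9.1S1, 9.2R4, 9.3R3, 9.4R3, 9.5R1.
MINIMUM_BUILD = {
    (9, 0): ("S", 2),
    (9, 1): ("S", 1),
    (9, 2): ("R", 4),
    (9, 3): ("R", 3),
    (9, 4): ("R", 3),
    (9, 5): ("R", 1),
}

# Assumed shape: release "10.4", type letter "R", build "1", optional spin ".9".
VERSION_RE = re.compile(r"(\d+)\.(\d+)([A-Z])(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Split a version string into ((major, minor), letter, build, spin)."""
    match = VERSION_RE.fullmatch(text.strip())
    if match is None:
        raise ValueError(f"unrecognized Junos version string: {text!r}")
    major, minor, kind, build, spin = match.groups()
    return (int(major), int(minor)), kind, int(build), int(spin or 0)


def upgrade_gate(running):
    """Classify the running version against the stated prerequisite.

    Returns "validate" when the prerequisite is met, "no-validate" when it
    is not (the page then requires the no-validate option), and "check"
    when the page does not say how the build compares with the minimum.
    """
    release, kind, build, _spin = parse_version(running)
    if release > (9, 5):
        return "validate"      # assumption: later than 9.5R1 in any release
    if release < (9, 0):
        return "no-validate"   # older than every listed release
    min_kind, min_build = MINIMUM_BUILD[release]
    if kind != min_kind:
        return "check"         # e.g. 9.0R4 against 9.0S2: ordering not stated
    return "validate" if build >= min_build else "no-validate"


def plan_fleet(inventory):
    """Group hostnames by gate; unparseable versions go to "check"."""
    plan = {"validate": [], "no-validate": [], "check": []}
    for host, version in sorted(inventory.items()):
        try:
            gate = upgrade_gate(version)
        except ValueError:
            gate = "check"
        plan[gate].append(host)
    return plan


# Constructed inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = {
    "pe1": "9.3R3.8",
    "pe2": "9.2R3.5",
    "p1": "8.5R4.3",
    "pe3": "9.0R4.5",
    "pe4": "10.2R3.10",
    "lab1": "unknown",
}

if __name__ == "__main__":
    for gate, hosts in plan_fleet(SAMPLE_INVENTORY).items():
        print(f"{gate}: {', '.join(hosts) or '-'}")
```

Hosts in the "check" group need a manual decision before the install is scheduled, since guessing would either skip configuration validation unnecessarily or fail the install.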
When upgrading or downgrading the Junos OS, always use the jinstall package. Use other packages (such as the jbundle package) only when so instructed by a Juniper Networks support representative. For information about the contents of the jinstall package and details of the installation process, see the Junos OS Installation and Upgrade Guide.
NOTE: With Junos OS Release 9.0 and later, the compact flash disk memory requirement for Junos OS is 1 GB. For M7i and M10i routers with only 256 MB memory, see the Customer Support Center JTAC Technical Bulletin PSN-2007-10-001 at https://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2007-10-001&actionBtn=Search.
NOTE: Before upgrading, back up the file system and the currently active Junos configuration so that you can recover to a known, stable environment in case the upgrade is unsuccessful. Issue the following command:
user@host> request system snapshot
The installation process rebuilds the file system and completely reinstalls the Junos OS. Configuration information from the previous software installation is retained, but the contents of log files might be erased. Stored files on the routing platform, such as configuration templates and shell scripts (the only exceptions are the juniper.conf and ssh files) might be removed. To preserve the stored files, copy them to another system before upgrading or downgrading the routing platform. For more information, see the Junos OS System Basics Configuration Guide.
The download and installation process for Junos OS Release 10.4 is the same as for previous Junos OS releases.
If you are not familiar with the download and installation process, follow these steps:
1. Using a Web browser, follow the links to the download URL on the Juniper Networks Web page. Choose either Canada and U.S. Version or Worldwide Version:
https://www.juniper.net/support/csc/swdist-domestic/ (customers in the United States and Canada)
https://www.juniper.net/support/csc/swdist-ww/ (all other customers)
2. Log in to the Juniper Networks authentication system using the username (generally your e-mail address) and password supplied by Juniper Networks representatives.
3. Download the software to a local host.
4. Copy the software to the routing platform or to your internal software distribution site.
5. Install the new jinstall package on the routing platform.
NOTE: We recommend that you upgrade all software packages out of band using the console because in-band connections are lost during the upgrade process.
Customers in the United States and Canada use the following command:
user@host> request system software add validate reboot source/jinstall-10.4R1.9-domestic-signed.tgz
All other customers use the following command:
user@host> request system software add validate reboot source/jinstall-10.4R1.9-export-signed.tgz
Replace source with one of the following values:
/pathname—For a software package that is installed from a local directory on the router.
For software packages that are downloaded and installed from a remote location:
ftp://hostname/pathname
http://hostname/pathname
scp://hostname/pathname (available only for Canada and U.S. version)
The validate option validates the software package against the current configuration as a prerequisite to adding the software package to ensure that the router reboots successfully. This is the default behavior when the software package being added is a different release.
Adding the reboot command reboots the router after the upgrade is validated and installed. When the reboot is complete, the router displays the login prompt. The loading process can take 5 to 10 minutes.
Rebooting occurs only if the upgrade is successful.
NOTE: After you install a Junos OS Release 10.4 jinstall package, you cannot issue the request system software rollback command to return to the previously installed software. Instead you must issue the request system software add validate command and specify the jinstall package that corresponds to the previously installed software.
NOTE: Before you upgrade a router that you are using for voice traffic, you should monitor call traffic on each virtual BGF. Confirm that no emergency calls are active. When you have determined that no emergency calls are active, you can wait for nonemergency call traffic to drain as a result of graceful shutdown, or you can force a shutdown. For detailed information on how to monitor call traffic before upgrading, see the Junos OS Multiplay Solutions Guide.
Upgrading a Router with Redundant Routing Engines
If the router has two Routing Engines, perform a Junos OS installation on each Routing Engine separately to avoid disrupting network operation as follows:
1. Disable graceful Routing Engine switchover (GRES) on the master Routing Engine and save the configuration change to both Routing Engines.
2. Install the new Junos OS release on the backup Routing Engine while keeping the currently running software version on the master Routing Engine.
3. After making sure that the new software version is running correctly on the backup Routing Engine, switch over to the backup Routing Engine to activate the new software.
4. Install the new software on the original master Routing Engine that is now active as the backup Routing Engine.
For the detailed procedure, see the Junos OS Installation and Upgrade Guide.
Upgrading Juniper Network Routers Running Draft-Rosen Multicast VPN to Junos OS Release 10.1
In releases prior to Junos OS Release 10.1, the draft-rosen multicast VPN feature implements the unicast lo0.x address configured within that instance as the source address used to establish PIM neighbors and create the multicast tunnel. In this mode, the multicast VPN loopback address is used for reverse path forwarding (RPF) route resolution to create the reverse path tree (RPT), or multicast tunnel. The multicast VPN loopback address is also used as the source address in outgoing PIM control messages.
In Junos OS Release 10.1 and later, you can use the router’s main instance loopback (lo0.0) address (rather than the multicast VPN loopback address) to establish the PIM state for the multicast VPN. We strongly recommend that you perform the following procedure when upgrading to Junos OS Release 10.1 if your draft-rosen multicast VPN network includes both Juniper Network routers and other vendors’ routers functioning as provider edge (PE) routers. Doing so preserves multicast VPN connectivity throughout the upgrade process.
Because Junos OS Release 10.1 supports using the router’s main instance loopback (lo0.0) address, it is no longer necessary for the multicast VPN loopback address to match the main instance loopback address lo0.0 to maintain interoperability.
NOTE: You might want to maintain a multicast VPN instance lo0.x address to use for protocol peering (such as IBGP sessions), or as a stable router identifier, or to support the PIM bootstrap server function within the VPN instance.
Complete the following steps when upgrading routers in your draft-rosen multicast VPN network to Junos OS Release 10.1 if you want to configure the router’s main instance loopback address for draft-rosen multicast VPN:
1. Upgrade all M7i and M10i routers to Junos OS Release 10.1 before you configure the loopback address for draft-rosen Multicast VPN.
NOTE: Do not configure the new feature until all the M7i and M10i routers in the network have been upgraded to Junos OS Release 10.1.
2. After you have upgraded all routers, configure each router’s main instance loopback address as the source address for multicast interfaces. Include the default-vpn-source interface-name loopback-interface-name statement at the [edit protocols pim] hierarchy level.
3. After you have configured the router’s main loopback address on each PE router, delete the multicast VPN loopback address (lo0.x) from all routers.
We also recommend that you remove the multicast VPN loopback address from all PE routers from other vendors. In Junos OS releases prior to 10.1, to ensure interoperability with other vendors’ routers in a draft-rosen multicast VPN network, you had to perform additional configuration. Remove that configuration from both the Juniper Networks routers and the other vendors’ routers. This configuration should be on Juniper Networks routers and on the other vendors’ routers where you configured the lo0.mvpn address in each VRF instance as the same address as the main loopback (lo0.0) address.
This configuration is not required when you upgrade to Junos OS Release 10.1 and use the main loopback address as the source address for multicast interfaces.
NOTE: To maintain a loopback address for a specific instance, configure a loopback address value that does not match the main instance address (lo0.0).
For more information about configuring the draft-rosen Multicast VPN feature, see the Junos OS Multicast Configuration Guide.
Upgrading the Software for a Routing Matrix
A routing matrix can use either a TX Matrix router as the switch-card chassis (SCC) or a TX Matrix Plus router as the switch-fabric chassis (SFC). By default, when you upgrade software for a TX Matrix router or a TX Matrix Plus router, the new image is loaded onto the TX Matrix or TX Matrix Plus router (specified in the Junos OS CLI by using the scc or sfc option) and distributed to all T640 routers or T1600 routers in the routing matrix (specified in the Junos OS CLI by using the lcc option). To avoid network disruption during the upgrade, ensure the following conditions before beginning the upgrade process:
A minimum of free disk space and DRAM on each Routing Engine. The software upgrade will fail on any Routing Engine without the required amount of free disk space and DRAM. To determine the amount of disk space currently available on all Routing Engines of the routing matrix, use the CLI show system storage command. To determine the amount of DRAM currently available on all the Routing Engines in the routing matrix, use the CLI show chassis routing-engine command.
The master Routing Engines of the TX Matrix or TX Matrix Plus router (SCC or SFC) and T640 routers or T1600 routers (LCC) are all re0 or are all re1.
The backup Routing Engines of the TX Matrix or TX Matrix Plus router (SCC or SFC) and T640 routers or T1600 routers (LCC) are all re1 or are all re0.
All master Routing Engines in all routers run the same version of software. This is necessary for the routing matrix to operate.
All master and backup Routing Engines run the same version of software before beginning the upgrade procedure. Different versions of the Junos OS can have incompatible message formats especially if you turn on GRES. Because the steps in the process include changing mastership, running the same version of software is recommended.
For a routing matrix with a TX Matrix router, the same Routing Engine model is used within a TX Matrix router (SCC) and within a T640 router (LCC) of a routing matrix. For example, a routing matrix with an SCC using two RE-A-2000s and an LCC using two RE-1600s is supported. However, an SCC or an LCC with two different Routing Engine models is not supported. We suggest that all Routing Engines be the same model throughout all routers in the routing matrix. To determine the Routing Engine type, use the CLI show chassis hardware | match routing command.
For a routing matrix with a TX Matrix Plus router, the SFC contains two model RE-DUO-C2600-16G Routing Engines, and each LCC contains two model RE-DUO-C1800-8G Routing Engines.
NOTE: It is considered best practice to make sure that all master Routing Engines are re0 and all backup Routing Engines are re1 (or vice versa). For the purposes of this document, the master Routing Engine is re0 and the backup Routing Engine is re1.
To upgrade the software for a routing matrix, perform the following steps:
1. Disable graceful Routing Engine switchover (GRES) on the master Routing Engine (re0) and save the configuration change to both Routing Engines.
2. Install the new Junos OS release on the backup Routing Engine (re1) while keeping the currently running software version on the master Routing Engine (re0).
3. Load the new Junos OS on the backup Routing Engine. After making sure that the new software version is running correctly on the backup Routing Engine (re1), switch mastership back to the original master Routing Engine (re0) to activate the new software.
4. Install the new software on the new backup Routing Engine (re0).
For the detailed procedure, see the Routing Matrix with a TX Matrix Feature Guide or the Routing Matrix with a TX Matrix Plus Feature Guide.
Upgrading Using ISSU
Unified in-service software upgrade (ISSU) enables you to upgrade between two different Junos OS releases with no disruption on the control plane and with minimal disruption of traffic. Unified in-service software upgrade is only supported by dual Routing Engine platforms. In addition, graceful Routing Engine switchover (GRES) and nonstop active routing (NSR) must be enabled. For additional information about using unified in-service software upgrade, see the Junos High Availability Configuration Guide.
Upgrading from Junos OS Release 9.2 or Earlier on a Router Enabled for Both PIM and NSR
Junos OS Release 9.3 introduced NSR support for PIM for IPv4 traffic. However, the following PIM features are not currently supported with NSR. The commit operation fails if the configuration includes both NSR and one or more of these features:
Anycast RP
Draft-Rosen multicast VPNs (MVPNs)
Local RP
Next-generation MVPNs with PIM provider tunnels
PIM join load balancing
Junos OS Release 9.3 introduced a new configuration statement that disables NSR for PIM only, so that you can activate incompatible PIM features and continue to use NSR for the other protocols on the router: the nonstop-routing disable statement at the [edit protocols pim] hierarchy level. (Note that this statement disables NSR for all PIM features, not only incompatible features.)
Because the nonstop-routing disable statement was not available in Junos OS Release 9.2 and earlier, if both NSR and an incompatible PIM feature are enabled on a router to be upgraded from Junos OS Release 9.2 or earlier to a later release, you must disable PIM before the upgrade and reenable it after the router is running the upgraded Junos OS and you have entered the nonstop-routing disable statement. If your router is running Junos OS Release 9.3 or later, you can upgrade to a later release without disabling NSR or PIM. Simply use the standard reboot or ISSU procedures described in the other sections of these instructions.
To disable and reenable PIM:
1. On the router running Junos OS Release 9.2 or earlier, enter configuration mode and disable PIM:
[edit]
user@host# deactivate protocols pim
user@host# commit
2. Upgrade to Junos OS Release 9.3 or later software using the instructions appropriate for the router type. You can either use the standard procedure with reboot or use ISSU.
3. After the router reboots and is running the upgraded Junos OS, enter configuration mode, disable PIM NSR with the nonstop-routing disable statement, and then reenable PIM:
[edit]
user@host# set protocols pim nonstop-routing disable
user@host# activate protocols pim
user@host# commit
Upgrade Policy for Junos OS Extended End-Of-Life Releases
An expanded upgrade and downgrade path is now available for the Junos OS Extended End-of-Life (EEOL) releases. You can upgrade directly from one EEOL release to one of two adjacent later EEOL releases. You can also downgrade directly from one EEOL release to one of two adjacent earlier EEOL releases.
For example, Junos OS Releases 9.3, 10.0, and 10.4 are all EEOL releases. You can upgrade from Junos OS Release 8.5 directly to either 9.3 or 10.0. To upgrade from Release 8.5 to 10.4, you first need to upgrade to Junos OS Release 9.3 or 10.0, and then upgrade a second time to 10.4. Similarly, you can downgrade directly from Junos OS Release 10.4 to either 10.0 or 9.3. To downgrade from Release 10.4 to 8.5, you first need to downgrade to 10.0 or 9.3, and then perform a second downgrade to Release 8.5.
For upgrades and downgrades to or from a non-EEOL release, the current policy is that you can upgrade and downgrade by no more than three releases at a time. This policy remains unchanged.
For more information on EEOL releases and to review a list of EEOL releases, see http://www.juniper.net/support/eol/junos.html.
Downgrade from Release 10.4
To downgrade from Release 10.4 to another supported release, follow the procedure for upgrading, but replace the 10.4 jinstall package with one that corresponds to the appropriate release.
For more information, see the Junos OS Installation and Upgrade Guide.
Related Documentation
New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
Errata and Changes in Documentation for Junos OS Software Release 10.4 for M Series, MX Series, and T Series Routers
Junos OS Release Notes for Juniper Networks SRX Series Services Gateways and J Series Services Routers
Powered by Junos OS, Juniper Networks SRX Series Services Gateways provide robust networking and security services. SRX Series Services Gateways range from lower-end devices designed to secure small distributed enterprise locations to high-end devices designed to secure enterprise infrastructure, data centers, and server farms. The SRX Series Services Gateways include the SRX100, SRX210, SRX220, SRX240, SRX650, SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.
Juniper Networks J Series Services Routers running Junos OS provide stable, reliable, and efficient IP routing, WAN and LAN connectivity, and management services for small to medium-sized enterprise networks. These routers also provide network security features, including a stateful firewall with access control policies and screens to protect against attacks and intrusions, and IPsec VPNs. The J Series Services Routers include the J2320, J2350, J4350, and J6350 devices.
New Features in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
Advertising Bandwidth for Neighbors on a Broadcast Link Support
Group VPN Interoperability with Cisco’s GET VPN
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
Unsupported CLI
Known Limitations in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
Errata and Changes in Documentation for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
Hardware Requirements for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
Maximizing ALG Sessions
Integrated Convergence Services Not Supported
Upgrade and Downgrade Instructions for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
New Features in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
The following features have been added to Junos OS Release 10.4. Following the description is the title of the manual or manuals to consult for further information.
Software Features
Hardware Features—SRX210, SRX220, and SRX240 Services Gateways
Hardware Features—SRX220 Services Gateway with Power Over Ethernet
Hardware Features—SRX1400 Services Gateway
Hardware Features—SRX3400 and SRX3600 Services Gateways
Software Features
Application Layer Gateways (ALGs)
Rewrite rule for DSCP at VoIP ALGs—This feature is supported on all SRX Series and J Series devices.
Differentiated Services Code Point (DSCP) is a modification of the type-of-service byte for class of service (CoS). Six bits of this byte are reallocated for use as the DSCP field, where each DSCP specifies a particular per-hop behavior that is applied to a packet.
A rewrite rule modifies the appropriate CoS bits in an outgoing packet to meet the requirements of the targeted peer. Each rewrite rule reads the current CoS value that is configured at the voice over IP (VoIP) Application Layer Gateway (ALG) level. Every packet that hits the VoIP ALG is marked by this CoS value.
You can configure a rewrite rule for a DSCP Differentiated Services (DiffServ) marker at the VoIP ALG level to address VoIP signaling and its respective Real-Time Transport Protocol (RTP) streams. You can configure the rewrite rule such that all VoIP traffic hitting the ALG gets a rewrite marker while its respective RTP/Real-Time Control Protocol (RTP/RTCP) traffic gets a different rewrite marker.
[Junos OS CLI Reference, Junos OS Integrated Convergence Services Configuration and Administration Guide]
Chassis Cluster
Increasing the number of zones and virtual routers—This feature is supported on SRX5600 and SRX5800 devices.
The maximum number of zones, virtual routers, and IFLs (IFLs only for chassis cluster mode) that can be configured on an SRX5800 device has been increased to 2000.
In a chassis cluster environment, as the number of logical interfaces is scaled upward, the time before triggering a failover needs to be increased accordingly. At maximum capacity on an SRX5600 or SRX5800 device, we recommend that you increase the configured time for failover detection to at least 5 seconds. [Junos OS CLI Reference]
Configuration Wizards
This feature is supported on SRX100, SRX210, SRX240, and SRX650 devices.
The J-Web interface now has a set of wizards that simplify the basic configuration of the SRX Series devices. The Setup wizard automatically appears when you first start the device or when it is in factory default mode and you point to the Web management URL. Three other wizards in the J-Web interface enable you to configure basic firewall policies, basic IPsec VPN settings, and basic NAT settings.
Flow and Processing
J-Flow V9 support—This feature is supported on SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices.
J-Flow Services Export Version 9 (J-Flow V9) provides an extensible and flexible method for using templates to observe packets on a router. Each template indicates the format in which the device exports data.
In Junos OS Release 10.4, PIC-based J-Flow V9 is introduced along with J-Flow V5 and V8, which were disabled in Junos OS Release 9.4.
[Junos OS CLI User Guide, Junos OS Interfaces Configuration Guide for Security Devices]
Packet capture—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.
Packet capture is a datapath-debugging feature that helps you effectively create a filter for specific traffic and apply an action profile to the traffic. The action profile specifies a variety of actions at different processing units. One of the supported actions is packet dump, which sends the packet to the Routing Engine and stores it in proprietary form. You can view the packets by entering the show security datapath-debug capture command.
The performance of packet capture is improved and is comparable to the trace performance.
[Junos OS Security Configuration Guide]
Screen logs—Screen log enhancement is supported on all SRX Series and J Series devices.
The new log format captures all required information in the screen log. This allows you to view all log information for a device instead of having to search through device-specific logs.
The new log structure is as follows:
<67>1 2009-08-18T19:47:23.191 srx5800-00 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.26 attack-name="SYN flood Src-IP based!" source-address="112.0.0.110" source-port="80" destination-address="111.0.0.113" destination-port="3033" source-zone-name="mobiles" interface-name="reth1.112" action="alarm-without-drop"]
[Junos OS Security Configuration Guide]
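The structured screen log shown above can be parsed field by field for detection work. The following is an added example, not Juniper code: it parses the RFC 5424 style header and structured-data element, then counts screen hits that were only alarmed, not dropped. The second and third sample lines and all function names are constructed for this example.

```python
from collections import Counter

# First line: the sample from the release notes (fields separated by single
# spaces, as RFC 5424 requires). The remaining lines are constructed.
SAMPLE_LINES = [
    '<67>1 2009-08-18T19:47:23.191 srx5800-00 RT_IDS - RT_SCREEN_TCP '
    '[junos@2636.1.1.1.2.26 attack-name="SYN flood Src-IP based!" '
    'source-address="112.0.0.110" source-port="80" '
    'destination-address="111.0.0.113" destination-port="3033" '
    'source-zone-name="mobiles" interface-name="reth1.112" '
    'action="alarm-without-drop"]',
    '<67>1 2009-08-18T19:47:24.002 srx5800-00 RT_IDS - RT_SCREEN_TCP '
    '[junos@2636.1.1.1.2.26 attack-name="SYN flood Src-IP based!" '
    'source-address="112.0.0.110" source-port="80" '
    'destination-address="192.0.2.20" destination-port="3034" '
    'source-zone-name="mobiles" interface-name="reth1.112" '
    'action="alarm-without-drop"]',
    '<67>1 2009-08-18T19:47:25.500 srx5800-00 RT_IDS - RT_SCREEN_TCP '
    '[junos@2636.1.1.1.2.26 attack-name="constructed \\"quoted\\" name" '
    'source-address="192.0.2.7" source-port="4000" '
    'destination-address="192.0.2.20" destination-port="80" '
    'source-zone-name="mobiles" interface-name="reth1.112" '
    'action="alarm-without-drop"]',
    'not a syslog line',
]


def parse_sd_element(text):
    """Parse one structured-data element '[SD-ID name="value" ...]'.

    Returns (sd_id, params). A backslash before a quote, backslash or ']'
    inside a value is an escape and is removed.
    """
    if not text.startswith("["):
        raise ValueError("structured data must start with '['")
    i = 1
    while i < len(text) and text[i] not in " ]":
        i += 1
    sd_id, params = text[1:i], {}
    while i < len(text):
        if text[i] == "]":
            return sd_id, params
        if text[i] == " ":
            i += 1
            continue
        eq = text.find('="', i)
        if eq == -1:
            raise ValueError("parameter without a quoted value")
        name, i, value = text[i:eq], eq + 2, []
        while i < len(text) and text[i] != '"':
            if text[i] == "\\" and text[i + 1:i + 2] in ('"', "\\", "]"):
                i += 1  # drop the backslash, keep the escaped character
            value.append(text[i])
            i += 1
        if i >= len(text):
            raise ValueError("unterminated parameter value")
        params[name] = "".join(value)
        i += 1  # step over the closing quote
    raise ValueError("unterminated structured-data element")


def parse_screen_log(line):
    """Split one log line into header fields and screen parameters."""
    parts = line.strip().split(" ", 6)
    if len(parts) != 7 or not parts[0].startswith("<") or ">" not in parts[0]:
        raise ValueError("not an RFC 5424 style line")
    pri_text, version = parts[0][1:].split(">", 1)
    pri = int(pri_text)  # PRI = facility * 8 + severity
    sd_id, params = parse_sd_element(parts[6])
    return {
        "facility": pri >> 3, "severity": pri & 7, "version": version,
        "timestamp": parts[1], "hostname": parts[2], "app": parts[3],
        "procid": parts[4], "msgid": parts[5], "sd_id": sd_id, "params": params,
    }


def alarm_only_sources(lines):
    """Count RT_IDS hits per (attack-name, source-address) whose action was
    alarm-without-drop. Returns (Counter, number_of_unparseable_lines)."""
    hits, rejected = Counter(), 0
    for line in lines:
        try:
            event = parse_screen_log(line)
        except ValueError:
            rejected += 1
            continue
        p = event["params"]
        if event["app"] == "RT_IDS" and p.get("action") == "alarm-without-drop":
            hits[(p.get("attack-name"), p.get("source-address"))] += 1
    return hits, rejected


if __name__ == "__main__":
    counts, bad = alarm_only_sources(SAMPLE_LINES)
    for (attack, source), n in counts.most_common():
        print(f"{n:3d}  {source:15s}  {attack}")
    print("unparseable lines:", bad)
```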
Integrated Convergence Services
The Integrated Convergence Services features listed in this section are supported on SRX210 and SRX240 devices with Voice capability.
Accounting feature—You can configure Integrated Convergence Services to collect and generate accounting information for successful and unsuccessful voice subscriber transactions. The voice daemon generates and collects accounting data about calls made and received between Session Initiation Protocol (SIP), Foreign Exchange Station (FXS), and Foreign Exchange Office (FXO) stations.
You can use the accounting feature for calls made when the SRX Series media gateway (SRX Series MGW) is in control or when the SRX Series survivable call server (SRX Series SCS) is in control.
[Junos OS Integrated Convergence Services Configuration and Administration Guide]
Call park—The call park feature allows users to park an active call and pick up their call or that of another user later. To use the call park feature, you configure a primary logical extension, which you can think of as a parking lot. You must also configure a range of logical extensions following the primary one that are used to park individual calls.
When you handle a call, you can transfer it to the parking lot without the caller hearing the transfer process. When you park the call, you are told the logical extension number of the parking slot before your connection to the call is dropped. You or another user can pick up the call and resume the conversation from any phone by calling the extension number of the parking slot.
This feature is supported when the SRX Series SCS is in control. Under normal conditions when it is reachable, the peer call server provides this service if it is supported.
[Junos OS Integrated Convergence Services Configuration and Administration Guide]
Defining a SIP registrar address separate from the peer call server—By default, the SIP registrar and the peer call server (SIP server) are handled by the same service and therefore have the same address. Under these circumstances, the SRX Series MGW sends SIP REGISTRAR and INVITE messages to the IP address configured for the peer call server.
[Junos OS Integrated Convergence Services Configuration and Administration Guide]
Direct inward dialing lists—You can associate a list of direct inward dialing (DID) numbers with a trunk to be used for assignment to stations. You do not need to assign these DIDs to stations directly. The software assigns a DID number to a single station exclusively. If an incoming call is made to an unassigned DID number, it is directed to and handled by auto-attendant.
[Junos OS Integrated Convergence Services Configuration and Administration Guide]
Disabling SIP registration to the peer call server—The SRX Series MGW sends registration messages to the peer call server. For some network environments in which all media gateways are known to the peer call server, the SRX Series MGW is not required to register to it. To do so could cause complications. For example, the peer call server could drop the registration message “silently,” that is, without informing the SRX Series MGW. In this case, the SRX Series MGW might retransmit the message, incurring unnecessary processing and adding to the network load.
When you configure peer call server information, you can disable transmission of the registration message to the peer call server to avoid these problems.
NOTE: Disabling transmission of the SRX Series MGW registration to the peer call server does not disable registration of an FXS station to the SRX Series MGW on the device running Integrated Convergence Services.
[Junos OS Integrated Convergence Services Configuration and Administration Guide]
Disabling SIP registration to the proxy server—By default, Integrated Convergence Services SIP trunks register to the SIP service provider’s peer proxy server. For some SIP networks, the peer proxy server is informed about all SIP trunks that communicate with it. In such network environments, the SIP trunk does not need to send a REGISTER message to the peer proxy server. To do so would increase network load unnecessarily. To accommodate these network environments, you can configure the SIP trunk not to register to the peer proxy server.
[Junos OS Integrated Convergence Services Configuration and Administration Guide]
DSCP marking for RTP packets generated by SRX Series Integrated Convergence Services—Configure DSCP marking to set the desired DSCP bits for Real-Time Transport Protocol (RTP) packets generated by SRX Series Integrated Convergence Services.
Differentiated Services code point (DSCP) bits are the 6-bit bitmap in the IP header used by devices to decide the forwarding priority of packet routing. When the DSCP bits of RTP packets generated by Integrated Convergence Services are configured, the downstream device can then classify the RTP packets and direct them to a higher priority queue in order to achieve better voice quality when packet traffic is congested. Juniper Networks devices provide classification, priority queuing, and other kinds of class-of-service (CoS) configuration under the CoS configuration hierarchy.
Note that the Integrated Convergence Services DSCP marking feature marks only RTP packets of calls that it terminates, which include calls to peer call servers and to peer proxy servers that provide SIP trunks. If a call is not terminated by Integrated Convergence Services, then DSCP marking does not apply.
To configure the DSCP marking bitmap for calls terminated by Integrated Convergence Services and the address of the peer call server or peer proxy server to which these calls are routed, use the media-policy statement at the [edit services converged-services] hierarchy level.
set services convergence-service service-class <name> dscp <bitmap>
set services convergence-service service-class media-policy <name> term <term-name> from peer-address [<addresses>]
set services convergence-service service-class media-policy <name> term then service-class <name>
[Junos OS Integrated Convergence Services Configuration and Administration Guide]
Hunt group—A hunt group enables a group of users to handle calls collectively. A hunt group specifies a logical extension that outside parties can call. Member stations belonging to the hunt group are specified in a preconfigured station group. When a call comes in on the logical extension, the call is directed to the phone whose station is specified first in the preconfigured station group, and that phone rings. The next incoming call is directed to the second station specified in the station group and its phone rings, and so on.
To connect the call, the system hunts through the configured stations in order, one at a time. It rings a phone up to the time limit that you specify before it tries the next phone in the configured order.
This feature is supported when the SRX Series SCS is in control. Under normal conditions when it is reachable, the peer call server provides this service if it is supported.
[Junos OS Integrated Convergence Services Configuration and Administration Guide]
Interoperability with Microsoft and Cisco call servers and IP phones—This feature addresses SRX Series media gateway (SRX Series MGW) interoperability with Microsoft and Cisco call servers and IP phones, in addition to the current support for Avaya call servers and IP phones. This feature helps to provide a comprehensive joint enterprise communications offering.
[Junos OS Integrated Convergence Services Configuration and Administration Guide]
Pickup group—Pickup groups enable users to handle incoming calls collectively, as a group. Members of the same pickup group can answer incoming calls directed at any phone extension number within the group. When a phone is called, the first available agent takes the call, whether it comes in on their phone or another phone within the group. To pick up a call, the user dials the digits *8. After the user takes the call, the phone whose number was called no longer rings. Users can belong to one or more pickup groups concurrently.
The pickup group feature rings only one phone at a time. If the first phone tried is busy, the next one is tried, and so on. A pickup group can include up to 20 members, whose phones can be either analog or SIP, but not a mix of both.
This feature is supported when the SRX Series survivable call server (SRX Series SCS) is in control. Under normal conditions when it is reachable, the peer call server provides this service if it is supported.
[Junos OS Integrated Convergence Services Configuration and Administration Guide]
Ring group—A ring group can include up to five members. A ring group allows incoming calls to be handled by any member of the group. You configure a ring group with a logical extension that outside parties can call. Calls coming into the logical extension are forwarded to all phones simultaneously. The first member to answer the call takes it, and the phones of other members of the group stop ringing. A ring group can include both SIP and analog stations.
This feature is supported when the SRX Series SCS is in control. Under normal conditions when it is reachable, the peer call server provides this service if it is supported.
[Junos OS Integrated Convergence Services Configuration and Administration Guide]
Interfaces and Routing
1-Port Gigabit Ethernet SFP Mini-PIM—This feature is supported on SRX210, SRX220, and SRX240 devices.
Small form-factor pluggables (SFPs) are hot-pluggable modular interface transceivers for Gigabit and Fast Ethernet connections. Gigabit Ethernet SFP Mini-PIMs can be used in copper and optical environments.
The 1-Port Gigabit Ethernet SFP Mini-PIM interfaces a single Gigabit Ethernet device or a network. It supports a variety of transceivers with data speeds of 10 Mbps/100 Mbps/1 Gbps with extended LAN or WAN connectivity.
The 1-Port SFP Gigabit Ethernet mini-PIM supports the following features:
10 Mbps/100 Mbps/1 Gbps link speed
Half-duplex/full-duplex support
Autonegotiation
Encapsulations
MTU size of 1514 bytes (default) and 9010 bytes (jumbo frames)
Loopback
Online insertion and removal of transceivers
[Junos OS Interfaces Configuration Guide for Security Devices]
IPsec
Virtual router support for route-based VPNs—This feature is supported on all SRX Series and J Series devices.
This feature includes routing-instance support for route-based VPNs. You can now configure different subunits of the st0 interface in different routing instances. The following functions are supported for nondefault routing instances:
NOTE: IKE is not supported in a custom VR (virtual router). The IKE gateway external interface must reside in the default virtual router (inet.0).
Manual key management
Transit traffic
Self-traffic
VPN monitoring
Hub-and-spoke VPNs
Encapsulating Security Payload (ESP) protocol
Authentication Header (AH) protocol
Aggressive mode or main mode
st0 anchored on the loopback (lo0) interface
Maximum number of virtual routers supported on an SRX Series device
Applications such as Application Layer Gateway (ALG), Intrusion Detection and Prevention (IDP), and Unified Threat Management (UTM)
Dead peer detection (DPD)
Chassis cluster active/backup
OSPF over st0
RIP over st0
[Junos OS Administration Guide for Security Devices, Junos OS CLI Reference, Junos OS Security Configuration Guide]
IPv6 Support
Active/active chassis cluster—This feature is supported on all SRX Series and J Series devices.
In Junos OS Release 10.4, SRX Series and J Series devices running IP version 6 (IPv6) can be deployed in active/active (failover) chassis cluster configurations in addition to the existing support of active/passive (failover) chassis cluster configurations. [Junos OS Security Configuration Guide]
Address books and address sets in active/active chassis cluster—This feature is supported on all SRX Series and J Series devices.
This feature is supported in active/active chassis cluster configurations in addition to the existing support of active/passive chassis cluster configurations.
On SRX Series and J Series devices running IP version 6 (IPv6) that are deployed in active/active (failover) chassis cluster configurations, the address book entries can include any combination of IPv4 addresses, IPv6 addresses, and Domain Name System (DNS) names.
To configure IPv6 address entries, specify an IPv6 address when you use the address statement at the [edit security zones security-zone name address-book] hierarchy level.
The address set configuration considers names of the address book entries, and not the IP addresses, so there are no additional considerations related to IPv6 traffic. [Junos OS Security Configuration Guide]
Advanced flow—This feature is supported on all SRX Series and J Series devices.
IPv6 advanced flow adds IPv6 support for firewall, NAT, NAT-PT, multicast (local link and transit), IDP, Junos framework, TCP proxy, and session manager on SRX Series and J Series devices. MIBs are not used in the IPv6 flow.
IPv6 security is available to avoid impact on the existing IPv4 system. If IPv6 security is enabled, extended sessions and gates are allocated. The existing address fields and gates are used to store the index of extended sessions or gates. If IPv6 security is disabled, the IPv6 security related resources are not allocated.
New logs are used for IPv6 flow traffic to prevent impact on performance in the existing IPv4 system.
The behavior and implementation of the IPv6 advanced flow are the same as those of the IPv4 flow.
Some of the differences are as follows:
Header parse—IPv6 advanced flow stops parsing the headers and interprets the packet as the corresponding protocol packet if it encounters the following extension headers:
TCP/UDP
ESP/AH
ICMPv6
IPv6 advanced flow continues parsing headers if it encounters the following extension headers:
Hop-by-Hop
Routing and Destination, Fragment
IPv6 advanced flow interprets the packets as an unknown protocol packet if it encounters the extension header No Next Header.
Sanity checks—IPv6 advanced flow supports the following sanity checks:
TCP Length
UDP Length
Hop-by-Hop
IP data length error
Layer 3 sanity checks (for example, IP version and IP length)
ICMPv6 packets—In IPv6 advanced flow, the ICMPv6 packets share the same behavior as normal IPv6 traffic with the following exceptions:
Embedded ICMPv6 Packet
Path MTU message
Host inbound and outbound traffic—IPv6 advanced flow supports all route and management protocols running on the Routing Engine, including OSPF v3, RIPng, Telnet, and SSH. Note that flow label is not used in the flow.
Tunnel traffic—IPv6 advanced flow supports the following tunnel types:
IPv4 IPIP
IPv4 GRE
IPv4 IPsec
Dual-stack lite
[Junos OS Security Configuration Guide]
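The header-parse rules listed above (stop at TCP/UDP, ESP/AH and ICMPv6; continue through Hop-by-Hop, Routing, Destination and Fragment; treat No Next Header as unknown) can be expressed as a Next Header walker. This is an added example, not the Junos implementation: the function names and packets are constructed, the sanity checks shown are only the IP version and data length ones, jumbograms are not handled, and treating values the notes do not list as "unknown" is this example's assumption.

```python
import ipaddress
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, NO_NEXT_HEADER = 0, 43, 44, 60, 59
STOP_AT = {6: "tcp", 17: "udp", 50: "esp", 51: "ah", 58: "icmpv6"}
WALK_THROUGH = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}
FIXED_HEADER_LEN = 40


def classify_ipv6(packet):
    """Walk the Next Header chain; return (protocol, offset, extension_chain).

    protocol is a name from STOP_AT, or "unknown" for No Next Header and for
    any value not listed (assumption). offset is where that header starts.
    Raises ValueError when a sanity check fails.
    """
    if len(packet) < FIXED_HEADER_LEN:
        raise ValueError("truncated IPv6 header")
    if packet[0] >> 4 != 6:
        raise ValueError("IP version is not 6")
    payload_len = struct.unpack("!H", packet[4:6])[0]
    if payload_len != len(packet) - FIXED_HEADER_LEN:
        raise ValueError("IP data length error")

    next_header, offset, chain = packet[6], FIXED_HEADER_LEN, []
    while next_header in WALK_THROUGH:
        if offset + 8 > len(packet):
            raise ValueError("extension header runs past end of packet")
        # A Fragment header is always 8 bytes; its second byte is reserved,
        # not a length. The others carry (length in 8-byte units) - 1.
        length = 8 if next_header == FRAGMENT else (packet[offset + 1] + 1) * 8
        if offset + length > len(packet):
            raise ValueError("extension header runs past end of packet")
        chain.append(next_header)
        next_header, offset = packet[offset], offset + length
    return STOP_AT.get(next_header, "unknown"), offset, chain


def describe(packet):
    """classify_ipv6 result, or ("rejected", reason) for a failed check."""
    try:
        return classify_ipv6(packet)
    except ValueError as exc:
        return ("rejected", str(exc))


def build_ipv6(first_next_header, payload):
    """Constructed packet: fixed header with documentation addresses + payload."""
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), first_next_header, 64)
    return fixed + src + dst + payload


def ext_header(next_header, extra_units=0, second_byte=None):
    """Zero-filled extension header of 8 + 8 * extra_units bytes."""
    second = extra_units if second_byte is None else second_byte
    return bytes([next_header, second]) + bytes(6 + 8 * extra_units)


# Hop-by-Hop (8 bytes) -> Routing (16) -> Fragment (8, reserved byte set) -> UDP
UDP_AFTER_THREE = build_ipv6(
    HOP_BY_HOP,
    ext_header(ROUTING) + ext_header(FRAGMENT, extra_units=1)
    + ext_header(17, second_byte=0xFF) + bytes(8),
)
# Destination Options -> No Next Header
NO_UPPER_LAYER = build_ipv6(DEST_OPTS, ext_header(NO_NEXT_HEADER))
# Hop-by-Hop header that claims 32 bytes while only 8 are present
OVERLONG_EXT = build_ipv6(HOP_BY_HOP, ext_header(6, second_byte=3))

if __name__ == "__main__":
    for name, pkt in [("udp after three", UDP_AFTER_THREE),
                      ("no upper layer", NO_UPPER_LAYER),
                      ("overlong ext", OVERLONG_EXT)]:
        print(name, "->", describe(pkt))
```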
DNS ALG for routing, NAT, and NAT-PT—This feature is supported on all SRX Series and J Series devices.
Domain Name System (DNS) is the part of the ALG that handles DNS traffic. The DNS ALG module has been working as expected for IPv4. In Junos OS Release 10.4, this feature implements IPv6 support on DNS ALG for routing, NAT, and NAT-PT.
When the DNS ALG receives a DNS query from the DNS client, a security check is done on the DNS packet. When the DNS ALG receives a DNS reply from the DNS server, a similar security check is done, and then the session for the DNS traffic closes.
When the DNS traffic works in NAT mode, the DNS ALG translates the public address in a DNS reply to a private address when the DNS client is on a private network, and similarly translates a private address to a public address when the DNS client is on a public network. When DNS traffic works in NAT-PT mode, the DNS ALG translates the IP address in a DNS reply packet between the IPv4 address and the IPv6 address when the DNS client is in an IPv6 network and the server is in an IPv4 network, and vice versa.
To support NAT-PT mode in a DNS ALG, the NAT module should support NAT-PT. [Junos OS Security Configuration Guide]
Dual-stack lite—This feature is supported on SRX650, SRX3400, SRX3600, SRX5600, and SRX5800 devices.
IPv6 dual-stack lite (DS Lite) is a technology for maintaining connectivity between legacy IPv4 devices and networks despite a depleted IPv4 address pool and as service provider networks transition to IPv6-only deployments.
DS Lite allows IPv4 customers to continue accessing IPv4 internet content with minimum disruption to their home networks, while enabling IPv6 customers to access IPv6 content.
The DS Lite deployment model consists of the following components:
Softwire Initiator (SI) in the DS Lite home router (SI is not available in Junos release 10.4)
Softwire Concentrator (SC) in the DS Lite carrier-grade Network Address Translation (NAT)
A softwire is a tunnel-over-IPv6 network. The SI finds the SC address, encapsulates an IPv4 packet, and transmits it across the softwire. The SC receives an IPv4 packet in the IPv6 softwire packet and decapsulates the IPv6 softwire packet to retrieve the inner IPv4 packet. Multiple SIs can have the same SC as the endpoint of the softwires.
The DS Lite carrier-grade NAT performs IPv4-IPv4 address translations to multiple subscribers through a single global IPv4 address. Overlapping address spaces used by subscribers are disambiguated through the identification of tunnel endpoints.
A new command for displaying information on softwires, show security softwires, is available in Junos OS Release 10.4.
[Junos OS Security Configuration Guide, Junos OS CLI Reference]
Firewall security policy in active/active chassis cluster—This feature is supported on all SRX Series and J Series devices.
This feature is now supported in active/active chassis cluster configurations in addition to the existing support of active/passive chassis cluster configurations.
The matching criteria for security policy rules is based on zones, address objects, and applications. To support security policy rules for IPv6 traffic, you have to configure zone and address objects with IPv6 values. You can also select IPv6 applications.
Note that in security policy rules, the meaning of the wildcard any has changed. When flow support is enabled for IPv6 traffic, the wildcard any matches any IPv4 or IPv6 address. In Junos OS Release 10.4, new wildcards are introduced to match any IPv4 or any IPv6 address: any-ipv4 and any-ipv6 in active/active chassis cluster. When flow support is not enabled for IPv6 traffic, any matches IPv4 addresses.
IPv6 support for IDP and UTM are not included in Junos OS Release 10.4. If your current security policy uses rules with any IP address wildcards and IDP and UTM features enabled, you will encounter configuration commit errors because IDP and UTM features do not support IPv6 addresses. To resolve these errors, modify the rule returning the error so that it uses the any-ipv4 wildcard, and create separate rules for IPv6 traffic that do not include IDP or UTM features. [Junos OS Security Configuration Guide]
Flow-based processing in active/active chassis cluster—This feature is supported on all SRX Series and J Series devices.
In Junos OS Release 10.4, we support IPv6 flow-based processing in active/active (failover) chassis cluster configurations in addition to the existing support of active/passive chassis cluster configurations.
IPv6 flow support enables processing of IPv6 traffic by the security features of SRX Series and J Series devices. IPv6 flow support is disabled by default, and IPv6 packets are dropped.
To enable flow-based processing for IPv6 traffic, modify the mode statement at the [edit security forwarding-options family inet6] hierarchy level.
The [show security flow session source-prefix] and [show security flow session destination-prefix] commands you use to monitor session statistics now take IPv6 address arguments. In addition, the [show security flow session family (inet|inet6)] option is added to filter session statistics by protocol family.
[Junos OS CLI Reference, Junos OS Interfaces Configuration Guide for Security Devices, Junos OS Security Configuration Guide]
FTP ALG for routing—This feature is supported on all SRX Series and J Series devices.
File Transfer Protocol (FTP) is the part of the ALG that handles FTP traffic. The PORT/PASV requests and corresponding 200/227 responses in FTP are used to announce the TCP port on which the host listens for the FTP data connection.
EPRT/EPSV/229 commands are used for these requests and responses. FTP ALG supports EPRT/EPSV/229 already, but only for IPv4 addresses.
In Junos OS Release 10.4, EPRT/EPSV/229 commands are updated to support both IPv4 and IPv6 addresses.
[Junos OS CLI Reference, Junos OS Security Configuration Guide]
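To show what an ALG has to extract from these messages for either address family, here is a parser for the EPRT command and the 229 reply using the syntax defined in RFC 2428. It is an added example, not Junos OS code; the function names and sample addresses are assumptions.

```python
import ipaddress
import re

AF_BY_NET_PRT = {"1": 4, "2": 6}          # RFC 2428 address-family numbers
REPLY_229 = re.compile(r"^229 .*\((.)\1\1(\d{1,5})\1\)")


def _port(text):
    port = int(text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {text}")
    return port


def parse_eprt(line):
    """EPRT<SP><d><net-prt><d><net-addr><d><tcp-port><d> -> (address, port)."""
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() != "EPRT" or len(arg) < 2:
        raise ValueError("not an EPRT command")
    delim = arg[0]                          # any printable char; "|" is usual
    fields = arg.split(delim)
    if len(fields) != 5 or fields[0] or fields[4]:
        raise ValueError("malformed EPRT argument")
    net_prt, net_addr, tcp_port = fields[1:4]
    if net_prt not in AF_BY_NET_PRT or not tcp_port.isdigit():
        raise ValueError("unsupported net-prt or non-numeric port")
    addr = ipaddress.ip_address(net_addr)   # raises ValueError if invalid
    if addr.version != AF_BY_NET_PRT[net_prt]:
        raise ValueError("net-prt does not match the address family")
    return addr, _port(tcp_port)


def parse_229(line, control_peer):
    """A 229 reply carries only a port; the address is the control peer's."""
    m = REPLY_229.match(line.strip())
    if not m:
        raise ValueError("not a 229 Extended Passive Mode reply")
    return ipaddress.ip_address(control_peer), _port(m.group(2))
```

Rejecting a net-prt value that disagrees with the address literal keeps a malformed EPRT from producing a data-connection endpoint in the wrong family.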
ICMP ALG for routing, NAT, and NAT-PT—This feature is supported on all SRX Series and J Series devices. ALGs support Internet Control Message Protocol version 6 (ICMPv6), an integral part of IPv6 that must be fully implemented by every IPv6 node. The ICMP ALG handles ICMP traffic by monitoring all ICMP messages and then performing the following actions:
Closes the session
Modifies the payload
In routing mode, the ICMP ALG closes a session if it receives one of the following message types:
Echo reply (type 129) message
Destination unreachable (type 1) error message
In Network Address Translation (NAT) mode, the ICMP ALG performs the following actions:
Closes the session if it receives an echo reply (type 129) message or a destination unreachable (type 1) error message
Modifies the identifier or sequence number of the echo request
Retains the original identifier and sequence number for the echo reply
Translates the embedded IPv6 packet for the ICMPv6 error message
In a Network Address Translation-Protocol Translation (NAT-PT) environment, the ALG performs the following actions:
Closes the session if it receives an echo reply (type 129) message or a destination unreachable (type 1) error message
Translates an ICMPv4 ping message to an ICMPv6 ping message
Translates an ICMPv6 ping message to an ICMPv4 ping message
Translates an ICMPv4 error message to an ICMPv6 error message and translates its embedded IPv4 packet to an IPv6 packet
Translates an ICMPv6 error message to an ICMPv4 error message and translates its embedded IPv6 packet to an IPv4 packet
ICMP ALG drops ICMP traffic when translation between IPv4 and IPv6 is not possible. Note that ICMP ALG is always enabled and cannot be disabled by means of the command-line interface (CLI).
[Junos OS Security Configuration Guide]
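The ICMPv4-to-ICMPv6 ping translation listed above changes more than the type field, because the ICMPv6 checksum also covers an IPv6 pseudo-header. The following added example (not Junos OS code) follows the SIIT echo type mapping (8 to 128, 0 to 129); the function names and addresses are assumptions, and the identifier and sequence number are kept unchanged for simplicity.

```python
import ipaddress
import struct

V4_TO_V6_ECHO = {8: 128, 0: 129}   # echo request, echo reply (SIIT mapping)


def inet_checksum(data):
    """16-bit one's-complement Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp4_echo(icmp_type, ident, seq, payload):
    """Build an ICMPv4 echo message (used here to make constructed input)."""
    msg = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def pseudo_header(src6, dst6, length):
    """IPv6 pseudo-header that the ICMPv6 checksum covers (next header 58)."""
    src, dst = ipaddress.IPv6Address(src6), ipaddress.IPv6Address(dst6)
    return src.packed + dst.packed + struct.pack("!I3xB", length, 58)


def icmp4_echo_to_icmp6(icmp4, src6, dst6):
    """Translate an ICMPv4 echo message; raise if it cannot be translated."""
    if len(icmp4) < 8 or inet_checksum(icmp4) != 0:
        raise ValueError("truncated message or bad ICMPv4 checksum")
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", icmp4[:8])
    if icmp_type not in V4_TO_V6_ECHO or code != 0:
        raise ValueError("not an echo message")
    msg = struct.pack("!BBHHH", V4_TO_V6_ECHO[icmp_type], 0, 0, ident, seq)
    msg += icmp4[8:]                    # identifier, sequence, payload kept
    csum = inet_checksum(pseudo_header(src6, dst6, len(msg)) + msg)
    return msg[:2] + struct.pack("!H", csum) + msg[4:]


def icmp6_checksum_ok(icmp6, src6, dst6):
    """Verify an ICMPv6 message against the addresses it was sent between."""
    return inet_checksum(pseudo_header(src6, dst6, len(icmp6)) + icmp6) == 0
```

A message that raises here corresponds to the case where translation is not possible and the traffic is dropped.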
Interfaces in active/active chassis cluster—This feature is supported on all SRX Series and J Series devices.
A logical interface can be configured with an IPv4 address, IPv6 address, or both in active/active chassis cluster configurations in addition to the existing support of active/passive chassis cluster configurations.
To configure an IPv6 address for a logical interface, use the inet6 statement at the [edit interfaces interface-name unit logical-unit family] hierarchy level. [Junos OS Interfaces Configuration Guide for Security Devices]
Multicast flow—This feature is supported on all SRX Series and J Series devices.
The IPv6 multicast flow adds or enhances the following features:
IPv6 transit multicast, which includes the following packet functions:
Normal packet handling
Fragment handling
Packet reordering
Protocol-Independent Multicast version 6 (PIMv6) flow handling
Other multicast routing protocols such as Multicast Listener Discovery (MLD)
The structure and processing of IPv6 multicast data sessions are the same as those of IPv4. Each data session has the following:
One template session
Several sessions
The reverse path forwarding (RPF) check behavior for IPv6 is the same as that of IPv4. Incoming multicast data is accepted only if RPF check succeeds. In IPv6 multicast flow, incoming Multicast Listener Discovery (MLD) protocol packets are accepted only if MLD or PIM is enabled in the security zone for the incoming interface. Sessions for multicast protocol packets have a default timeout value of 300 seconds. This value cannot be configured. The null register packet is sent to the rendezvous point.
In IPv6 multicast flow, a multicast router has the following three roles:
Designated router
Intermediate router
Rendezvous point
[Junos OS Class of Service Configuration Guide]
NAT—This feature is supported on all SRX Series and J Series devices.
IPv6 Network Address Translation (IPv6 NAT) provides address translation between IPv6 hosts. NAT between IPv6 hosts is done in a similar manner and for similar purposes as IPv4 NAT. IPv6 NAT in Junos OS provides the following NAT types:
Source NAT
Destination NAT
Static NAT
[Junos OS Security Configuration Guide]
NAT-PT—This feature is supported on all SRX Series and J Series devices.
IPv6 Network Address Translation-Protocol Translation (NAT-PT) provides address and protocol translation between IPv4 and IPv6 addressed network devices. IPv6 NAT-PT supports both traditional NAT-PT and bidirectional NAT-PT. IPv6 NAT-PT supports Internet Control Message Protocol (ICMP), TCP, and UDP protocol packets. [Junos OS Security Configuration Guide]
Packet filtering—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.
The packet-filtering options for IPv6 addresses and IPv6-style source prefix, destination prefix, and interface are supported in addition to the existing functionality of IPv4 datapath-debug.
[Junos OS Security Configuration Guide, Junos OS CLI Reference]
Screens—This feature is now supported on all SRX Series and J Series devices.
IPv6 support is extended for the following screen features:
Syn-flood/syn-proxy/syn-cookie
Syn-ack-ack-proxy
Ip-spoofing
[Junos OS Security Configuration Guide]
Zone configuration in active/active chassis cluster—This feature is supported on all SRX Series and J Series devices.
In Junos OS Release 10.4, SRX Series and J Series devices running IP version 6 (IPv6) can be deployed in active/active chassis cluster configurations with security zone configuration in addition to the existing support of active/passive chassis cluster configurations.
The security zone configuration considers names of the interfaces, and not the IP addresses, hence there are no additional considerations related to the zone interface configuration.
You can also use the zone configuration to explicitly permit inbound traffic from network system services and system protocols. Note that you can now use the host inbound traffic configuration to permit traffic from the following IPv6-related services and protocols: DHCPv6, neighbor discovery (ND) protocol, OSPF3, and RIPng. [Junos OS Security Configuration Guide]