Junos OS 10.4 Release Notes
Release 10.4R8
28 November 2011
Revision 18
These release notes accompany Release 10.4R8 of the Junos
operating system (Junos OS). They describe device documentation and
known problems with the software. Junos OS runs on all Juniper
Networks M Series, MX Series, and T Series routing platforms, SRX
Series Services Gateways, J Series Services Routers, and EX Series
Ethernet Switches. For the latest, most complete information about
outstanding and resolved issues with the Junos OS software, see the
Juniper Networks online software defect search application at
http://www.juniper.net/prsearch. You can also find these release
notes on the Juniper Networks Junos OS Documentation Web page,
which is located at
http://www.juniper.net/techpubs/software/junos.
Contents
Junos OS Release Notes for Juniper Networks M Series Multiservice Edge Routers, MX Series 3D Universal Edge Routers, and T Series Core Routers
New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
Class of Service
Interfaces and Chassis
Junos OS XML API and Scripting
Layer 2 Ethernet Services
MPLS Applications
Multicast
MX Series
Routing Policy and Firewall Filters
Routing Protocols
Services Applications
Subscriber Access Management
System Logging
VPNs
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
Class of Service
Forwarding and Sampling
Interfaces and Chassis
Junos OS XML API and Scripting
Copyright 2011, Juniper Networks, Inc.
MPLS Application
Platform and Infrastructure
Routing Protocols
Services Applications
Software Installation and Upgrade
Subscriber Access Management
User Interface and Configuration
VPNs
Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
10.4R8 Software Release
Previous Releases
Errata and Changes in Documentation for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
Changes to the Junos OS Documentation Set
Errata
Upgrade and Downgrade Instructions for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
Basic Procedure for Upgrading to Release 10.4
Upgrading a Router with Redundant Routing Engines
Upgrading Juniper Network Routers Running Draft-Rosen Multicast VPN to Junos OS Release 10.1
Upgrading the Software for a Routing Matrix
Upgrading Using ISSU
Upgrading from Junos OS Release 9.2 or Earlier on a Router Enabled for Both PIM and NSR
Upgrade Policy for Junos OS Extended End-Of-Life Releases
Downgrade from Release 10.4
Junos OS Release Notes for Juniper Networks SRX Series Services Gateways and J Series Services Routers
New Features in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
Release 10.4R4 Chassis Cluster Improvements
Software Features
Hardware Features: SRX210, SRX220, and SRX240 Services Gateways
Hardware Features: SRX220 Services Gateway with Power Over Ethernet
Hardware Features: SRX1400 Services Gateway
Hardware Features: SRX3400 and SRX3600 Services Gateways
Advertising Bandwidth for Neighbors on a Broadcast Link Support
Group VPN Interoperability with Cisco's GET VPN
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
Application Identification
Application Layer Gateways (ALGs)
AppSecure
Chassis Cluster
Class of Service (CoS)
Command-Line Interface (CLI)
Configuration
Dynamic VPN
Flow and Processing
General Packet Radio Service (GPRS)
Hardware
Installation
Interfaces and Routing
Intrusion Detection and Prevention (IDP)
J-Web
Management and Administration
Multilink
Network Address Translation (NAT)
Power over Ethernet (PoE)
Security
Virtual LANs (VLANs)
Wireless LAN (WLAN)
Unsupported CLI
Accounting-Options Hierarchy
AX411 Access Point Hierarchy
Chassis Hierarchy
Class-of-Service Hierarchy
Ethernet-Switching Hierarchy
Firewall Hierarchy
Interfaces CLI Hierarchy
Protocols Hierarchy
Routing Hierarchy
Services Hierarchy
SNMP Hierarchy
System Hierarchy
IPv6 and MVPN CLI
Known Limitations in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
Application Layer Gateways (ALGs)
AppSecure
Authentication
AX411 Access Point
Chassis Cluster
Class of Service (CoS)
Command-Line Interface (CLI)
DOCSIS Mini-PIM
Dynamic Host Configuration Protocol (DHCP)
Dynamic VPN
Enhanced Switching
Flow and Processing
Hardware
In-Service Software Upgrade (ISSU)
Interfaces and Routing
Intrusion Detection and Prevention (IDP)
Infrastructure
IPv6
J-Web
Management and Administration
Memory Requirements for J Series Devices
NetScreen-Remote
Network Address Translation (NAT)
Point-to-Point Protocol over Ethernet (PPPoE)
Power over Ethernet (PoE)
Security
SNMP
Switching
Upgrade and Downgrade
USB Modem
System
Unified Threat Management (UTM)
Virtual LANs (VLANs)
VPNs
Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
Outstanding Issues in Junos OS Release 10.4R8 for SRX Series Services Gateways and J Series Services Routers
Resolved Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
Errata and Changes in Documentation for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
Changes to the Junos OS Documentation Set
Errata for the Junos OS Documentation
Errata for the Junos OS Hardware Documentation
Hardware Requirements for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
Transceiver Compatibility for SRX Series and J Series Devices
Power and Heat Dissipation Requirements for J Series PIMs
Supported Third-Party Hardware
J Series CompactFlash and Memory Requirements
Maximizing ALG Sessions
Integrated Convergence Services Not Supported
Upgrade and Downgrade Instructions for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
Upgrade Policy for Junos OS Extended End-Of-Life Releases
Junos OS Release Notes for EX Series Switches
New Features in Junos OS Release 10.4 for EX Series Switches
Resilient Dual-Root Partitions
Hardware
Class of Service (CoS)
Ethernet Switching and Spanning Trees
Fibre Channel over Ethernet
High Availability
Infrastructure
Management and RMON
Packet Filters
Virtual Chassis
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for EX Series Switches
Class of Service
Ethernet Switching and Spanning Trees
Hardware
Management and RMON
Limitations in Junos OS Release 10.4 for EX Series Switches
Access Control and Port Security
Class of Service
Ethernet Switching and Spanning Trees
Firewall Filters
Hardware
High Availability
Infrastructure
Interfaces
J-Web Interface
Layer 2 and Layer 3 Protocols
Management and RMON
Multicast
Outstanding Issues in Junos OS Release 10.4 for EX Series Switches
Access Control and Port Security
Ethernet Switching and Spanning Trees
Firewall Filters
Hardware
Infrastructure
Interfaces
J-Web Interface
Layer 2 and Layer 3 Protocols
Management and RMON
Multicast Protocols
Virtual Chassis
Resolved Issues in Junos OS Release 10.4 for EX Series Switches
Issues Resolved in Release 10.4R1
Issues Resolved in Release 10.4R2
Issues Resolved in Release 10.4R3
Issues Resolved in Release 10.4R4
Issues Resolved in Release 10.4R5
Issues Resolved in Release 10.4R6
Issues Resolved in Release 10.4R7
Issues Resolved in Release 10.4R8
Errata in Documentation for Junos OS Release 10.4 for EX Series Switches
Access Control and Port Security
Fibre Channel over Ethernet
Interfaces
J-Web Interface
Layer 2 Protocols
Management and RMON
Virtual Chassis
Upgrade and Downgrade Instructions for Junos OS Release 10.4 for EX Series Switches
Upgrading from Junos OS Release 10.4R3 or Later
Upgrading from Junos OS Release 10.4R2 or Earlier
Downgrading Software to Release 10.4R2 or Earlier
Upgrade Policy for Junos OS Extended End-Of-Life Releases
Upgrading or Downgrading from Junos OS Release 9.4R1 for EX Series Switches
Upgrading from Junos OS Release 9.3R1 to Release 10.4 for EX Series Switches
Junos OS Documentation and Release Notes
Documentation Feedback
Requesting Technical Support
Revision History
Junos OS Release Notes for Juniper Networks M Series
Multiservice Edge Routers, MX Series 3D Universal Edge Routers, and
T Series Core Routers
- New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
- Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
- Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
- Errata and Changes in Documentation for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
- Upgrade and Downgrade Instructions for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
The following features have been added to Junos OS Release 10.4. Following the description is the title of the manual or manuals to consult for further information.
Class of Service
Hierarchical policer functionality extended to Modular Interface Cards (MICs) (MX Series routers): Provides hierarchical policer feature parity with Enhanced Intelligent Queuing (IQE) PICs. This is useful in provider edge applications using aggregate policing for general traffic and when applying a separate policer for premium traffic on a logical or physical interface. Hierarchical policing on MICs supports the following features:
- Ingress traffic is first classified into premium and non-premium traffic before a policer is applied. The hierarchical policer contains two policers: premium and aggregate.
- Premium traffic is policed by both the premium policer and the aggregate policer. While the premium policer rate-limits premium traffic, the aggregate policer only decrements the credits but does not drop packets. Non-premium traffic is rate-limited by the aggregate policer only, resulting in the following behavior:
  - Premium traffic is assured to have the bandwidth configured for the premium policer.
  - Non-premium traffic is policed to the specified rate limit.
For a list of supported MICs, refer to: http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/reference/general/mic-mx-series-supported.html.
The logical-interface-policer and physical-interface-policer statements provide additional hierarchical policer parameters beyond those of the IQE PICs. You can apply the policer at the inet, inet6, or mpls family level, as follows:

    [edit interfaces ge-0/1/0 unit 0 family (inet | inet6 | mpls)]
    input-hierarchical-policer Test-HP;

By configuring a hierarchical policer as a
logical-interface-policer, you can achieve aggregation within a
logical interface. A hierarchical policer configured as a
physical-interface-policer supports aggregation within a physical
interface. Note that you still apply the hierarchical policer at
the interface and traffic of the families that do not have the
hierarchical policer. This is different from IQE PICs, where you
apply a hierarchical policer at the logical or physical interface.
For hierarchical policing of all traffic through a logical
interface, a hierarchical policer can be configured as a
logical-interface-policer and applied to all families in the
logical interface. Similarly, you can achieve aggregation at the
physical interface level. [Network Interfaces, Class of Service,
Policy]
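
The premium and aggregate behavior described above for hierarchical policers on MICs can be reproduced with two token buckets. The following is an added example, not Juniper code: the single-rate bucket model, the rule that only forwarded premium packets are charged to the aggregate bucket, the rates, the burst size, and the constructed traffic are all assumptions.

```python
# Added example: simplified token-bucket model of the premium/aggregate policer pair.
# Assumptions (not from the release notes): single-rate buckets, byte credits,
# aggregate credits charged only for premium packets that the premium policer forwards.

class TokenBucket:
    """Single-rate token bucket with credits counted in bytes."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate_bps = rate_bps
        self.burst = float(burst_bytes)
        self.tokens = float(burst_bytes)   # bucket starts full
        self.last_ms = 0

    def refill(self, now_ms):
        earned = (now_ms - self.last_ms) * self.rate_bps / 8000.0  # bits/s -> bytes/ms
        self.tokens = min(self.burst, self.tokens + earned)
        self.last_ms = now_ms

    def conforms(self, size):
        return self.tokens >= size

    def charge(self, size):
        # Never goes negative: charging is bookkeeping, not a drop decision.
        self.tokens = max(0.0, self.tokens - size)


def police(packets, premium, aggregate):
    """packets: iterable of (time_ms, size_bytes, is_premium), sorted by time."""
    stats = {"premium": {"forwarded": 0, "dropped": 0},
             "non_premium": {"forwarded": 0, "dropped": 0}}
    for now_ms, size, is_premium in packets:
        premium.refill(now_ms)
        aggregate.refill(now_ms)
        if is_premium:
            # Only the premium policer may drop premium traffic.
            ok = premium.conforms(size)
            if ok:
                premium.charge(size)
                aggregate.charge(size)   # credits decremented, packet still forwarded
            key = "premium"
        else:
            # Non-premium traffic competes for whatever aggregate credit is left.
            ok = aggregate.conforms(size)
            if ok:
                aggregate.charge(size)
            key = "non_premium"
        stats[key]["forwarded" if ok else "dropped"] += size
    return stats


def offered_load(duration_ms, premium_every_ms, other_every_ms, size=1000):
    """Constant-rate constructed traffic; an interval of 0 disables that class."""
    packets = []
    for t in range(duration_ms):
        if premium_every_ms and t % premium_every_ms == 0:
            packets.append((t, size, True))
        if other_every_ms and t % other_every_ms == 0:
            packets.append((t, size, False))
    return packets


def run(duration_ms, premium_every_ms, other_every_ms,
        premium_bps=2_000_000, aggregate_bps=5_000_000, burst_bytes=10_000):
    """Byte counters per class for one constructed scenario."""
    return police(offered_load(duration_ms, premium_every_ms, other_every_ms),
                  TokenBucket(premium_bps, burst_bytes),
                  TokenBucket(aggregate_bps, burst_bytes))


if __name__ == "__main__":
    # 10 s of 4 Mbps premium plus 8 Mbps non-premium against 2 Mbps / 5 Mbps policers.
    for label, args in (("both classes", (10_000, 2, 1)),
                        ("premium only", (10_000, 2, 0)),
                        ("non-premium only", (10_000, 0, 1))):
        result = run(*args)
        mbps = {k: round(v["forwarded"] * 8 / 10_000_000, 2) for k, v in result.items()}
        print(f"{label:18s} forwarded Mbps: {mbps}")
```

In this model the premium class keeps its configured rate regardless of the non-premium load, while non-premium traffic receives only the aggregate rate minus what premium traffic has consumed.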
DSCP classification for VPLS at the ingress PE router (M320
routers with Enhanced Type III FPC and M120 routers): Enables you to
configure DSCP classification for VPLS at an ingress PE router for
encapsulation types vlan-vpls (IQ2 or IQ2E PICs) or
ether-vpls-over-atm-llc (ATM II IQ PIC). To configure, define the
DSCP classifier at the [edit class-of-service classifiers dscp
dscp-name] hierarchy level and apply the DSCP classifier at the
[edit interfaces at-fpc-pic-port unit-logical-unit-number
classifiers] hierarchy level. The ATM interface must be included in
the routing instance. [Class of Service]
Traffic control profile support at the FRF.16 physical interface level: FRF.16 bundle interfaces support multiple data-link connection identifiers (DLCIs). The bandwidth of each of these DLCIs was previously limited to one of the following:
- An aggregate value based on the number of DLCIs under the FRF.16 interface
- A specific percentage through a traffic control profile configuration applied at the logical interface level
When there is a small proportion of traffic or no traffic on an individual DLCI, the respective member link interface bandwidth is underutilized. Support for traffic control profile (TCP) features on the FRF.16 bundle (physical) interface level in Junos OS Release 10.4R2 addresses this limitation. The supported features include:
- Peak information rate (PIR)
- Scheduler map
- Delay buffer
To enable traffic control profiles to be applied at FRF.16
bundle (physical) interface level, disable the per-unit scheduler,
which is enabled by default, by including the no-per-unit-scheduler
statement at the [edit interfaces interface-name] hierarchy level.
To specify traffic control profile features applicable to FRF.16
bundle physical interfaces, include the shaping-rate,
delay-buffer-rate, and scheduler-map statements at the [edit
class-of-service traffic-control-profiles profile-name] hierarchy
level. The shaping-rate and delay-buffer-rate must be specified as
a percentage. To apply the traffic control profile configuration to
an FRF.16 bundle (physical) interface, include the
output-traffic-control-profile statement at the [edit
class-of-service interfaces interface-name] hierarchy level.
To view the traffic control profile configuration for an FRF.16 bundle, enter the show class-of-service traffic-control-profile command.

    user@host> show class-of-service traffic-control-profile
    Traffic control profile: lsq-2/1/0:0, Index: 35757
      Shaping rate: 30 percent
      Scheduler map: sched_0
      Delay Buffer rate: 30 percent

The following is a complete configuration example:

    interfaces {
        lsq-0/2/0:0 {
            no-per-unit-scheduler;
            encapsulation multilink-frame-relay-uni-nni;
            unit 0 {
                dlci 100;
                family inet {
                    address 18.18.18.2/24;
                }
            }
        }
    }
    class-of-service {
        traffic-control-profiles {
            rlsq_tc {
                scheduler-map rlsq;
                shaping-rate percent 60;
                delay-buffer-rate percent 10;
            }
        }
        interfaces {
            lsq-0/2/0:0 {
                output-traffic-control-profile rlsq_tc;
            }
        }
        scheduler-maps {
            rlsq {
                forwarding-class best-effort scheduler rlsq_scheduler;
                forwarding-class expedited-forwarding scheduler rlsq_scheduler1;
            }
        }
        schedulers {
            rlsq_scheduler {
                transmit-rate percent 20;
                priority low;
            }
            rlsq_scheduler1 {
                transmit-rate percent 40;
                priority high;
            }
        }
    }

[Class of Service]
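
The FRF.16 requirements above (no-per-unit-scheduler on the bundle, rates given as a percentage) can be checked before a commit. The following is an added example, not Juniper tooling: the parser, the function names, the assumption that FRF.16 bundles are named like lsq-0/2/0:0, and the sample configurations (trimmed from the example above, with a constructed faulty variant) are illustrative.

```python
import re

# Assumption: FRF.16 bundle names follow the lsq-fpc/pic/port:channel form used above.
FRF16_BUNDLE = re.compile(r"^lsq-\d+/\d+/\d+:\d+$")
PERCENT_ONLY = ("shaping-rate", "delay-buffer-rate")


def parse(text):
    """Parse curly-brace configuration into nested dicts.

    Blocks map "statement words" -> dict, leaf statements map -> None.
    Comments and quoted strings are not handled in this sketch.
    """
    root, words = {}, []
    stack = [root]
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok == "{":
            key = " ".join(words)
            node = stack[-1].get(key) or {}
            stack[-1][key] = node
            stack.append(node)
            words = []
        elif tok == ";":
            if words:
                stack[-1][" ".join(words)] = None
            words = []
        elif tok == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        else:
            words.append(tok)
    if len(stack) != 1:
        raise ValueError("missing '}'")
    return root


def check_frf16_tcp(config_text):
    """Return findings for FRF.16 bundles that reference a traffic control profile."""
    cfg = parse(config_text)
    cos = cfg.get("class-of-service") or {}
    profiles = cos.get("traffic-control-profiles") or {}
    findings = []
    for ifname, body in (cos.get("interfaces") or {}).items():
        if not FRF16_BUNDLE.match(ifname) or not body:
            continue
        for stmt in body:
            if not stmt.startswith("output-traffic-control-profile "):
                continue
            profile_name = stmt.split()[1]
            # The per-unit scheduler must be disabled on the bundle itself.
            iface = (cfg.get("interfaces") or {}).get(ifname) or {}
            if "no-per-unit-scheduler" not in iface:
                findings.append(f"{ifname}: no-per-unit-scheduler missing at "
                                f"[edit interfaces {ifname}]")
            profile = profiles.get(profile_name)
            if profile is None:
                findings.append(f"{ifname}: traffic control profile "
                                f"{profile_name} is not defined")
                continue
            # shaping-rate and delay-buffer-rate must be given as a percentage.
            for pstmt in profile:
                pwords = pstmt.split()
                if pwords[0] in PERCENT_ONLY and pwords[1:2] != ["percent"]:
                    findings.append(f"{profile_name}: {pwords[0]} must be a "
                                    f"percent value (found '{pstmt}')")
    return findings


# Constructed sample input, trimmed from the configuration example above.
GOOD = """
interfaces {
    lsq-0/2/0:0 {
        no-per-unit-scheduler;
        encapsulation multilink-frame-relay-uni-nni;
        unit 0 { dlci 100; family inet { address 18.18.18.2/24; } }
    }
}
class-of-service {
    traffic-control-profiles {
        rlsq_tc { scheduler-map rlsq; shaping-rate percent 60; delay-buffer-rate percent 10; }
    }
    interfaces { lsq-0/2/0:0 { output-traffic-control-profile rlsq_tc; } }
}
"""
# Constructed faulty variant: per-unit scheduler left enabled, absolute shaping rate.
BAD = GOOD.replace("no-per-unit-scheduler;", "").replace(
    "shaping-rate percent 60", "shaping-rate 2m")

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_frf16_tcp(text) or "no findings")
```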
Interfaces and Chassis
Extend support for 64-bit Junos OS to include RE-1800 Series Routing Engines (M120, M320, MX960, MX480, and MX240 routers): Supported Routing Engines include:
- RE-A-1800x2: Supports 64-bit Junos OS on M120 and M320 routers.
- RE-S-1800x2: Supports 64-bit Junos OS on MX240, MX480, and MX960 routers.
- RE-S-1800x4: Supports 64-bit Junos OS on MX240, MX480, and MX960 routers.
[System Basics]
Ethernet encapsulation for ATM scheduler (M7i, M10i, M120, and
M320 [with Enhanced III FPC] routers): Enables support for the
configuration of an ATM scheduler map on an Ethernet VPLS over a
bridged ATM interface. [Network Interfaces]
Synchronous Ethernet on MX80 routers and MX Series routers with MPCs: Supports the Ethernet synchronization messaging channel (ESMC), G.8264-like clock selection mechanism, and external clocking on MX80 routers and MX Series routers with MPCs. Wireless backhaul and wireline transport services are the primary applications for these features. The following features are supported:
- On MX80 routers and MX Series routers with MPCs based on G.8261 and G.8262. This feature does not work on the fixed configuration version of the MX80 routers.
- All Ethernet type ports are supported on MX80 routers and MX Series routers with MPCs.
- ESMC support as per G.8264.
- CLI command selection of clock sources.
- Monitoring clock sources (maximum of two clock sources can be monitored simultaneously).
- Revertive and nonrevertive modes.
To configure Synchronous Ethernet, include the synchronization
statement and its substatements at the [edit chassis] hierarchy
level. [Network Interfaces, Interfaces Command Reference]
Enhanced container interface allows ATM children for containers: M
Series and T Series routers with ATM2 PICs automatically copy the
parent container interface configuration to the child interfaces.
Container interfaces do not go down during APS switchovers, thereby
shielding upper layers. This feature allows the various ATM
features to work over the container ATM for APS.
To specify ATM child interfaces within a container interface,
use the container-list cin statement and the (primary | standby)
option at the [edit interface at-fpc/pic/slot container] hierarchy
level. To configure a container interface, including its child
interfaces, use the cin statement and its options at the [edit
interface cin] hierarchy level. Container ATM APS does not support
interchassis APS. MLPPP over ATM CI is also not supported. [Network
Interfaces]
Fabric down signaling to neighboring routers (T1600 and T640
routers): The signaling of neighboring routers is supported when a
T640 or T1600 router is unable to carry traffic due to all fabric
planes being taken offline for one of the following reasons:
CLI or offline button pressed.
Automatically taken offline by the SPMB due to high temperature.
PIO errors and voltage errors detected by the SPMB CPU to the SIBs.
The following scenarios are not supported by this feature:
All PFEs get destination errors on all planes to all destinations, even with the SIBs staying online.
Complete fabric loss caused by destination timeouts, with the SIBs still online.
When chassisd detects that all fabric planes are down, the
router reboots all FPCs in the system. When the FPCs come back up,
the interfaces are not created again, because all fabric planes are
down. After you diagnose and fix the cause of all fabric planes
going down, you must then bring the SIBs back online. Bringing the
SIBs back online brings up the interfaces. Fabric down signaling to
neighboring routers offers the following benefits:
FPCs reboot when the control plane connection to the Routing Engine times out.
Extends a simple approach to reboot FPCs when the data plane fails.
When the router transitions from a state where SIBs are online or spare to a state where no SIBs are online, all the FPCs in the system are rebooted.
An ERRMSG message indicates that all fabric planes are down, and the FPCs will reboot if any fabric planes do not come up in 2 minutes.
An ERRMSG message indicates the reason for FPC reboot on fabric connectivity loss.
The chassisd daemon traces when an FPC comes online, but a PIC attach is not done because no fabric plane is present.
A CLI warning that the FPCs will reboot is issued when the last fabric plane is taken offline.
You will need to bring the SIBs online after determining why the
SIBs were not online. When the first SIB goes online, and link
training with the FPCs completes, the interfaces are created.
Fabric down signaling to neighboring routers functionality is
available by default, and no user configuration is required to
enable it. No new CLI commands or alarms are introduced for this
feature. Alarms are already implemented for when the SIBs are not
online. [Network Interfaces, System Basics]
New enterprise-specific MIB to support digital optical
monitoring (MX960, MX480, and MX240 routers, and T640 and T1600
routers with 10-Gigabit Ethernet LAN/WAN PIC with XFP): Junos OS
Release 10.4 introduces JUNIPER-DOM-MIB, a new enterprise-specific
MIB to extend MIB support for digital optical monitoring.
JUNIPER-DOM-MIB supports the SNMP Get request for statistics and
SNMP Trap notifications for alarms. JUNIPER-DOM-MIB is part of the
JUNIPER-SMI MIB hierarchy level.
The following MIB objects are supported by JUNIPER-DOM-MIB for
digital optical monitoring:
jnxDomCurrentTable
jnxDomAlarmSet
jnxDomAlarmCleared
[SNMP MIBs and Traps Reference]
Logging improvements: You can now control logging speed at the
interface level. To rate-limit the system log messages generated
from a service PIC, include the message-rate-limit statement at the
[edit interfaces interface-name services-options syslog] hierarchy
level. This option configures the maximum number of system log
messages per second that can be formatted and sent from the PIC to
either the Routing Engine (local) or to an external server
(remote). The default rates are 10,000 for the Routing Engine and
200,000 for an external server. [Network Interfaces]
Support for SONET/SDH OC48/STM16 Enhanced IQ (IQE) PIC with SFP
(M320, MX240, MX480, MX960, T640, and T1600 routers): Supports a
4-port SONET/SDH OC48 Enhanced IQ (IQE) PIC (Type 3) with per
data-link connection identifier (DLCI) queuing. Supported FPCs
include T640-FPC3-ES, M320-FPC3-E3, and MX-FPC3. Class of service
(CoS) enables enhanced egress queuing, buffering, and traffic
shaping. CoS supports eight queues per logical interface, a
per-unit scheduler, and two shaping rates: a committed information
rate (CIR) and a peak information rate (PIR) per data-link
connection identifier (DLCI). Other CoS features include, but are
not restricted to, sharing of excess bandwidth among logical
interfaces, five levels of priorities (including Strict High),
ingress behavior aggregate (BA) classification, queue rate-limit
policer, ingress rewrite, egress rewrite, and a forwarding class to
queue remapping per DLCI.
The SONET/SDH OC48/STM16 PIC supports CoS features similar to
those in IQ2E PICs, in terms of behavior and configuration
statements. This PIC supports the following Layer 2 protocols: PPP,
Frame Relay, and Cisco HDLC encapsulations. For more information,
see the PC-4OC48-STM16-IQE-SFP documentation for your router:
SONET/SDH OC48/STM16 Enhanced IQ (IQE) PIC with SFP (T1600 Router)
SONET/SDH OC48/STM16 Enhanced IQ (IQE) PIC with SFP (T640 Router)
SONET/SDH OC48/STM16 Enhanced IQ (IQE) PIC with SFP (MX Series Routers)
SONET/SDH OC48/STM16 Enhanced IQ (IQE) PIC with SFP (M320 Router)
[PIC Guide, Network Interfaces, Class of Service]
IPv6 statistics from IQ2 and IQ2E PICs on M320 routers with
Enhanced III FPCs and T Series routers: Supports statistical
accounting for IPv6 traffic traversing the IQ2 and IQ2E PICs on
M320 routers with Enhanced III FPCs and T Series routers. For IQ2
and IQ2E PIC interfaces, the IPv6 traffic that is reported is the
total statistics (sum of local and transit IPv6 traffic) in the
ingress and egress directions. The IPv6 traffic in the ingress
direction is accounted separately only if the IPv6 family is
configured for the logical interface. Statistics are maintained for
routed IPv6 packets in the egress direction. Byte and packet
counters are maintained in the ingress and egress direction.
Differences in IPv6 statistics for IQ2 interfaces and all other
interfaces are as follows:
IQ2 and IQ2E PIC interfaces report the total statistics for the IPv6 traffic. For other interfaces, the transit statistics are reported.
IQ2 and IQ2E PIC interfaces report all IPv6 traffic received on the logical interface. For all other interfaces, only the routed traffic is accounted.
IQ2 and IQ2E PIC interfaces report IPv6 statistics for the Layer 2 frame size. For all other interfaces, the Layer 3 packet size is accounted.
The IPv6 statistics can be viewed by logging in to the
individual IQ2 PIC or IQ2E PIC, or by using the CLI. Local
statistics are not accounted separately. To display total IPv6
statistics for IQ2 and IQ2E PICs, use the show interfaces extensive
command.
NOTE: The reported IPv6 statistics do not account for the
traffic manager drops in egress direction or the Packet Forwarding
Engine/traffic manager drops in the ingress direction. Transit
statistics are not accounted separately because the IQ2 and IQ2E
PICs cannot differentiate between transit and local statistics.
[Network Interfaces]
100-Gigabit Ethernet PIC interoperability with VLAN
steering: Supports interoperability with similar PICs from other
vendors using a VLAN steering forwarding option. Previously, the
PICs required interconnection to the same model PIC.
Interoperability with interfaces from other vendors was not
supported. Junos OS Release 10.4 introduces a new VLAN steering
algorithm to configure 100-Gigabit Ethernet PIC interoperation with
similar interfaces from other vendors. Two packet forwarding modes
exist under the forwarding-mode statement. SA multicast mode, for
proprietary connection of two Juniper Networks 100-Gigabit Ethernet
PICs, uses the Ethernet header SA MAC address multicast bit to
steer the packets to the appropriate Packet Forwarding Engine. VLAN
steering mode allows the PIC to connect to non-Juniper Networks
equipment. On ingress, the PIC compares the outer VLAN ID against a
user-defined VLAN ID and VLAN mask combination and steers the
packet accordingly. Modifying the forwarding mode configuration
reboots the PIC. VLAN steering overview:
In VLAN steering mode, the SA multicast bit is not used for packet steering.
In SA multicast bit steering mode, VLAN ID and VLAN mask configuration is not used for packet steering.
Configuration of packet forwarding mode and VLAN steering mode uses CLI commands that result in a PIC reboot.
There are three tag types for ingress packets:
  Untagged ingress packet: The packet is sent to PFE1.
  Ingress packet with one VLAN: The packet is forwarded based on the VLAN ID.
  Ingress packet with two VLANs: The packet is forwarded based on the outer VLAN ID.
VLAN rules describe how the router forwards packets. For VLAN
steering, you must use one of the two rules available in the
CLI:
Odd-even rule: Odd number VLAN IDs go to PFE1; even number VLAN IDs go to PFE0.
High-low rule: 1 through 2047 VLAN IDs go to PFE0; 2048 through 4096 VLAN IDs go to PFE1.
When configured in VLAN steering mode, the PIC can be configured
in two physical interface mode or in aggregated Ethernet mode (AE
mode):
Two physical interface mode: When the PIC is in two physical
interface mode, it creates physical interfaces et-x/0/0:0 and
et-x/0/0:1. Each physical interface can configure its own logical
interface and VLAN. The CLI enforces the following restrictions on
commit:
The VLAN ID configuration must comply with the selected VLAN
rule.
The previous restriction implies that the same VLAN ID cannot be
configured on both physical interfaces.
AE mode: In AE mode, the two physical interfaces on the same PIC
are aggregated into one aggregated Ethernet physical interface. PIC
egress traffic is based on the aggregated Ethernet internal hash
algorithm. PIC ingress traffic steering is based on the customized
VLAN ID rule. CLI enforces the following restrictions on
commit:
The aggregated Ethernet PIC working in VLAN steering mode includes both links of that PIC, and only the links of that PIC.
The aggregated Ethernet PIC working in SA multicast steering mode can include more than one PIC to achieve more than 100-gigabit capacity.
To configure the PIC forwarding mode, include the
forwarding-mode statement and its options at the [edit chassis fpc
number pic number] hierarchy level. [Network Interfaces]
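The ingress steering decision and the commit-time restriction described above can be modelled as follows. This is an added example, not Juniper code: the rule labels "odd-even" and "high-low" are the page's rule names rather than CLI keywords, treating TPIDs 0x8100 and 0x88a8 as VLAN tags is an assumption, and the caller is assumed to know which PFE each physical interface attaches to.

```python
import struct

# Assumption: both the 802.1Q and 802.1ad TPIDs mark a VLAN tag.
VLAN_TPIDS = {0x8100, 0x88A8}
UNTAGGED_PFE = 1  # the page states that untagged ingress packets go to PFE1


def outer_vlan_id(frame: bytes):
    """Return the outer VLAN ID of an Ethernet frame, or None if untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype not in VLAN_TPIDS:
        return None
    if len(frame) < 16:
        raise ValueError("truncated VLAN tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF  # low 12 bits of the tag control field


def pfe_for_vlan(vid: int, rule: str) -> int:
    """Apply one of the two VLAN rules from the page to a VLAN ID."""
    if not 1 <= vid <= 4096:
        raise ValueError("VLAN ID outside the 1-4096 range the page covers")
    if rule == "odd-even":
        return 1 if vid % 2 else 0
    if rule == "high-low":
        return 0 if vid <= 2047 else 1
    raise ValueError(f"unknown rule {rule!r}")


def steer(frame: bytes, rule: str) -> int:
    """Pick the PFE for an ingress frame; only the outer tag is examined."""
    vid = outer_vlan_id(frame)
    return UNTAGGED_PFE if vid is None else pfe_for_vlan(vid, rule)


def rule_violations(rule: str, vlans_by_pfe: dict) -> list:
    """Return sorted (pfe, vid) pairs whose VLAN ID the rule steers elsewhere.

    A VLAN ID configured on both physical interfaces always shows up here,
    because each ID maps to exactly one PFE under either rule.
    """
    return sorted(
        (pfe, vid)
        for pfe, vids in vlans_by_pfe.items()
        for vid in vids
        if pfe_for_vlan(vid, rule) != pfe
    )


def make_frame(*tags, ethertype=0x0800) -> bytes:
    """Constructed sample frame: zeroed MACs, (tpid, vid) tags, EtherType."""
    header = bytes(12)
    for tpid, vid in tags:
        header += struct.pack("!HH", tpid, vid)
    return header + struct.pack("!H", ethertype) + bytes(46)


if __name__ == "__main__":
    double_tagged = make_frame((0x88A8, 3001), (0x8100, 10))
    print("double-tagged, odd-even ->", steer(double_tagged, "odd-even"))
    print("violations:", rule_violations("odd-even", {0: [10, 11], 1: [11]}))
```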
New control queue disable feature (T Series routers with
10-Gigabit Ethernet PIC with oversubscription): Provides a new CLI
statement for disabling the control queue feature for the
10-Gigabit Ethernet PIC with oversubscription. To disable the
control queue, use the no-pre-classifier statement at the [chassis]
hierarchy level. When the no-pre-classifier statement is set, the
control queue feature will be disabled for all ports on that
10-Gigabit Ethernet PIC with oversubscription. Deleting this
configuration results in the control queue feature being re-enabled
on all the ports of that PIC.

[edit chassis]
fpc 2 {
    pic 0 {
        no-pre-classifier;
    }
}
NOTE:
1. This feature is applicable in both oversubscribed and line-rate modes.
2. The control queue feature is enabled by default in both oversubscribed and line-rate modes, which can be overridden by the user configuration.
3. CLI show commands remain unchanged. When the control queue is disabled, various show queue commands continue to show the control queue in the output. However, all control queue counters are reported as zeros.
4. Enabling or disabling the control queue feature results in the PIC being bounced (offline/online).
When the control queue feature is disabled, the Layer 2 and
Layer 3 control packets are subject to queue selection based on the
BA classification. However, the following control protocol packets
are not classified using BA classification, as they might not have
a VLAN, MPLS, or IP header:
Untagged ARP packets
Untagged Layer 2 control packets such as LACP or Ethernet OAM
Untagged IS-IS packets
When the control queue feature is disabled, untagged ARP/IS-IS
and other untagged Layer 2 control packets go to the restricted
queue corresponding to the forwarding class associated with queue
0. [Network Interfaces]
Microcode remap (M320 and M120 routers): M320 routers with E3
type-1 FPCs and M120 routers with a single type-1 FPC mapped to an
FEB support a new microcode map to resolve microcode overflow
resulting in bad PIC combinations. On M320 routers, the new
microcode map is enabled by default and is the only option
available. On M120 routers, you can enable the new microcode map by
using the ucode-imem-remap statement at the [edit chassis feb slot
number] hierarchy level. On M120 routers, the default microcode map
remains configured if the ucode-imem-remap statement is not
configured.

[edit chassis]
feb slot number ucode-imem-remap { }
NOTE: On M120 routers, the FEB is automatically restarted after
the ucode-imem-remap statement is configured and committed.
[System Basics]
Junos OS XML API and Scripting
New Junos OS XML API operational request tag elements: Table 1 shows
the Junos OS Extensible Markup Language (XML) operational request
tag elements that are new in Junos OS Release 10.4 along with the
corresponding CLI command and response tag element for each one.
Table 1: Junos OS XML Tag Elements and CLI Command Equivalents New in Junos OS Release 10.4

Request Tag Element
request_dhcpv6_server_reconfigure_information
request_license_update
request_package_nonstop_upgrade
get_amt_statistics
get_amt_summary
get_amt_tunnel_information
get_rps_chassis_information
get_bios_version_information
get_cos_congestion_notification_information
get_firewall_log_information
get_interface_information
get_isis_context_identifier_origin_information
get_isis_database_information
get_mpls_cspf_information
get_authentication_pending_table
get_ospf_database_information
get_rps_power_supply_information
get_rps_status_information
get_rps_version_information
get_rip_general_statistics_information
get_idp_policy_template_information
get_service_border_signaling_gateway_charging_status
get_service_bsg_denied_messages
get_services_l2tp_radius_accounting_statistics_information
get_service_softwire_statistics_information
get_service_sfw_conversation_information
get_service_sfw_flow_analysis_information
get_service_sfw_flow_table_information
get_service_sfw_sip_register_information
get_synchronous_ethernet_esmc_statistics
get_synchronous_ethernet_esmc_transmit
get_synchronous_ethernet_global_information
get_system_resource_cleanup_processes_information
get_rollback_information
get_dhcp_binding_information
clear_synchronous_ethernet_esmc_statistics

CLI Command                                                   Response Tag Element
request dhcpv6 server reconfigure                             NONE
request system license update                                 NONE
request system software nonstop-upgrade                       NONE
show amt statistics
show amt summary
show amt tunnel
show chassis redundant-power-supply
show chassis routing-engine bios                              NONE
show class-of-service congestion-notification
show firewall filter version
show ingress-replication
show isis context-identifier
show isis context-identifier identifier
show mpls context-identifier
show network-access domain-map statistics
show ospf context-identifier
show redundant-power-supply led
show redundant-power-supply power-supply
show redundant-power-supply status
show redundant-power-supply version
show security idp policy-commit-status
show services border-signaling-gateway charging statistics
show services border-signaling-gateway charging status
show services l2tp destination
show services sessions
show services softwire
show services softwire flows
show services softwire statistics
show services stateful-firewall flow-analysis
show synchronous-ethernet esmc statistics
show synchronous-ethernet esmc transmit                       NONE
show synchronous-ethernet global-information
show system relay group
show system relay member
show system relay summary
clear synchronous-ethernet esmc statistics
Layer 2 Ethernet Services
Feature support for Trio MPCs and MICs (MX Series 3D Universal
Edge Routers): Enables you to configure the following features
through Junos OS Release 9.1: load balancing, Ethernet OAM IEEE
802.1ag Phase 4 MIP support, LLDP, BPDU guard and loop guard, IRB
support for interworking of LDP-VPLS and BGP-VPLS, BGP multihoming
for Inter-AS VPLS, VPLS Ethernet as a core-facing interface, and
limitations on next-hop flooding. [Layer 2 Configuration]
Ethernet CFM support on Trio MPCs and MICs (MX Series 3D
Universal Edge Routers): Enables support for Ethernet connectivity
fault management (CFM) defined by IEEE 802.1ag for family bridge
interfaces. However, MEP configuration is not supported on
aggregated Ethernet interfaces. [Layer 2 Configuration]
MPLS Applications
MPLS support on services PICs: Adds MPLS label pop support for
services PICs on Junos OS routers. Previously, all MPLS traffic
would be dropped at the services PIC. No changes are required to
CLI configurations for this enhancement. In-service software
upgrade (unified ISSU) is supported for tag next hops for MPLS on
services PIC traffic, but no support is provided for tags over IPv6
packets or labels on multiple gateways. [MPLS]
Adding descriptions for bypass LSP: You can now add text
describing a bypass LSP using the description option at the [edit
protocols rsvp interface interface-name link-protection bypass
bypass-lsp-name] hierarchy level. Enclose any descriptive text that
includes spaces in quotation marks (" "). Any descriptive text you
include is displayed in the output of the show rsvp session bypass
command and has no effect on the operation of the bypass LSP.
[MPLS]
Multicast
Nonstop active routing PIM support for IPv6: Starting with Release
10.4, Junos OS extends the nonstop active routing support for
Protocol Independent Multicast (PIM), which is already supported on
IPv4, to include the IPv6 address families. The extension of
nonstop active routing PIM support to IPv6 enables IPv6 routers to
maintain self-generation IDs, multicast session states, dynamic
interface states, list of neighbors, and RP sets across Routing
Engine switchovers. The nonstop active routing support for PIM on
IPv6 is similar to the nonstop active routing PIM support on IPv4
except for the following:
Nonstop active routing support for PIM on IPv6 supports an embedded rendezvous point (RP) on non-RP routers.
Nonstop active routing support for PIM on IPv6 does not support auto-RP, because auto-RP is not supported on IPv6.
For more information about nonstop active routing PIM support on
IPv4 and IPv6, see the Junos OS High Availability Configuration
Guide. [High Availability, Multicast]
MX Series
Support for MX Series routers: While these features have been
available on the MX Series routers in the past, the following
features are now qualified on the Trio chipset. For MPLS, RSVP, and
LDP:
BFD session failure action for LDP LSPs (including ECMP)
RSVP Graceful Restart interop with Cisco using Nodal Hello support
Failure action on BFD session down of RSVP LSPs in JUNOS
RSVP transit L3VPN testing using RSVP NSR: RSVP ingress BFD via
LDP
For Multicast:
OSPF
OSPF Database Protection
RFC 4136 OSPF Refresh and Flooding Reduction in Stable Topologies
PIM SSM in provider space (Draft-Rosen 7)
NG MVPN - PIM-SSM I-PMSI and deployment scenario testing
MVPN C-PIM in plain ASM mode
NGEN MVPN hub and spoke support with GRE S-PMSI transport
PIM Join suppression support
Translating PIM states to IGMP/MLD messages
Disable PIM for IPv6 via CLI
IPv6 multicast support over L3VPNs
PIM neighbor should be maintained wherever possible
Data MDT SAFI (draft-rosen-l3vpn-mvpn-profiles)
Inter-provider Option A support with Rosen 7
Rosen 7 interoperability with Cisco IOS
For VPNs:
VPLS: Configurable label block size (min 2)
Interoperate LDP-VPLS and BGP-VPLS with FEC 128 LDP-VPLS
Interprovider VPLS Option "E": EBGP redistribution of labeled routes
Miscellaneous:
Support to commit configuration from op/event scripts
Per PFE per packet load balancing
Next Hop Handling Enhancements (Phase 3)
Support local-as alias hidden command
MIB Enhancements for Manual Bypass Tunnel Management
ISIS LFA
Improve IGMPv3 performance using bulk updates
Improve IGMPv3 performance using bulk updates - with snooping
Allow ASM group override of SSM ranges
Routing Policy and Firewall Filters
Point-to-multipoint LSP load balancing across aggregated
Ethernet links (M Series routers except M320): Enables you to
load-balance VPLS multicast and point-to-multipoint multicast
traffic again over link aggregation. This feature also
load-balances traffic after a change in the next-hop topology.
Next-hop topology changes might include but are not limited to:
Layer 2 membership change in the link aggregation
Indirect next-hop change
Composite next-hop change
No new configuration is required to configure this feature. The
load balancing over aggregated links is automatically enabled with
Junos OS Release 10.4. For a sample topology and configuration
example, see the Junos OS Policy Framework Configuration Guide.
[Policy]
New routing policy system log message: Junos OS Release 10.3
supports a new routing policy system log message. The
RPD_PLCY_CFG_NH_NETMASK system log message provides information
about ignored netmasks. If you have a policy statement with a term
that contains a next-hop address with a netmask, the netmask is
ignored. The following sample shows the new system log message
(depending on your network configuration, the type of message you
see might be different):

Jun 18 11:22:43 pro5-d rpd[1403]: RPD_PLCY_CFG_NH_NETMASK: Netmask ignored for next hop: 10.0.0.1/24.
[System Log Messages Reference]
Support for displaying the firewall filter version
information: You can display the version number of the firewall
filter installed in the Routing Engine. The initial version number
is 1, which increments by one when you modify the firewall filter
settings or an associated prefix action. To show the version number
of the installed firewall filter, use the show firewall filter
version operational mode command. [Routing Protocols and Policies
Command Reference]
Routing Protocols
Support for disabling traps for passive OSPFv2 interfaces: You can
now disable interface state change traps for passive OSPF
interfaces. Passive OSPF interfaces advertise address information
as an internal OSPF route, but do not run the actual protocol. If
you are only interested in receiving notifications for active OSPF
interfaces, disabling traps for passive OSPF interfaces reduces the
number of notifications received and processed by the SNMP server.
This allows you to more quickly and easily scan the logs for
potential issues on active OSPF interfaces. To disable and stop
receiving notifications for state changes in a passive OSPF
interface, include the no-interface-state-traps statement at the
following hierarchy levels:
[edit logical-systems logical-system-name protocols ospf area area-id interface interface-name]
[edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf area area-id interface interface-name]
[edit protocols ospf area area-id interface interface-name]
[edit routing-instances routing-instance-name protocols ospf area area-id interface interface-name]
[Routing Protocols]
Behavior change for BGP-independent autonomous system (AS)
domains: Independent domains use the transitive path attribute 128
(attribute set) messages to tunnel the independent domain's BGP
attributes through the internal BGP (IBGP) core. In Junos OS
Release 10.3 and later, if you have not configured an independent
domain in any routing instance, BGP treats the received attribute
128 message as an unknown attribute. The autonomous system (AS)
path field in the show route command has been updated to display an
unrecognized attribute and associated hexadecimal value if you have
not configured an independent domain. The following is a sample
output of the AS path field (depending on your network
configuration, the output might be different):

AS path: [12345] I Unrecognized Attributes: 40 bytes
AS path: Attr flags e0 code 80: 00 09 eb 1a 40 01 01 00 40 02 08 02 03 fd e9 fd e9 01 2d 40 05 04 00 00 00 64 c0
[Routing Protocols]
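The hexadecimal value in the sample output can be decoded to see which attributes are being tunnelled. The following added example (not Juniper code) assumes the value follows the ATTR_SET layout of RFC 6368, a 4-octet origin AS followed by ordinary BGP path attributes, and guesses the AS number width in AS_PATH by trying 2 octets before 4. The page shows only 27 of the announced 40 bytes, so the parser reports the dangling final octet as truncation.

```python
import struct

# Value bytes copied from the sample output on this page (27 octets shown).
SAMPLE_HEX = ("00 09 eb 1a 40 01 01 00 40 02 08 02 03 fd e9 fd e9 01 2d "
              "40 05 04 00 00 00 64 c0")

ATTR_NAMES = {1: "ORIGIN", 2: "AS_PATH", 3: "NEXT_HOP",
              4: "MULTI_EXIT_DISC", 5: "LOCAL_PREF", 8: "COMMUNITIES"}
EXTENDED_LENGTH = 0x10  # attribute flag bit: length field is two octets


def decode_attr_set(value: bytes):
    """Split an ATTR_SET value into (origin_as, [(code, flags, data)], truncated)."""
    if len(value) < 4:
        raise ValueError("ATTR_SET value shorter than the origin AS field")
    (origin_as,) = struct.unpack_from("!I", value, 0)
    attrs, pos, truncated = [], 4, False
    while pos < len(value):
        if pos + 2 > len(value):          # flags octet without a type code
            truncated = True
            break
        flags, code = value[pos], value[pos + 1]
        header = 4 if flags & EXTENDED_LENGTH else 3
        if pos + header > len(value):     # length field cut off
            truncated = True
            break
        if flags & EXTENDED_LENGTH:
            (length,) = struct.unpack_from("!H", value, pos + 2)
        else:
            length = value[pos + 2]
        end = pos + header + length
        if end > len(value):              # attribute data cut off
            truncated = True
            break
        attrs.append((code, flags, value[pos + header:end]))
        pos = end
    return origin_as, attrs, truncated


def decode_as_path(data: bytes):
    """Return [(segment_type, [asn, ...])]; tries 2-octet ASNs, then 4-octet."""
    for width, fmt in ((2, "H"), (4, "I")):
        pos, segments, ok = 0, [], True
        while pos < len(data):
            if pos + 2 > len(data):
                ok = False
                break
            seg_type, count = data[pos], data[pos + 1]
            end = pos + 2 + count * width
            if end > len(data):
                ok = False
                break
            asns = struct.unpack_from("!%d%s" % (count, fmt), data, pos + 2)
            segments.append((seg_type, list(asns)))
            pos = end
        if ok:
            return segments
    raise ValueError("AS_PATH does not parse with 2- or 4-octet AS numbers")


def describe(hex_dump: str) -> dict:
    """Decode a hex dump of an ATTR_SET value into a readable summary."""
    origin_as, attrs, truncated = decode_attr_set(bytes.fromhex(hex_dump))
    summary = {"origin_as": origin_as, "truncated": truncated, "attrs": {}}
    for code, _flags, data in attrs:
        name = ATTR_NAMES.get(code, "type-%d" % code)
        if code == 2:
            summary["attrs"][name] = decode_as_path(data)
        elif code == 1 and len(data) == 1:
            summary["attrs"][name] = data[0]
        elif code in (4, 5) and len(data) == 4:
            summary["attrs"][name] = int.from_bytes(data, "big")
        else:
            summary["attrs"][name] = data.hex()
    return summary


if __name__ == "__main__":
    print(describe(SAMPLE_HEX))
```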
Support for disabling the attribute set messages on independent
AS domains for BGP loop detection: BGP loop detection for a specific
route uses the local autonomous system (AS) domain for the routing
instance. By default, all routing instances belong to a single
primary routing instance domain. Therefore, BGP loop detection uses
the local ASs configured on all of the routing instances. Depending
on your network configuration, this default behavior can cause
routes to be looped and hidden. To limit the local ASs in the
primary routing instance, configure an independent AS domain for a
routing instance. Independent domains use the transitive path
attribute 128 (attribute set) messages to tunnel the independent
domain's BGP attributes through the internal BGP (IBGP) core. If you
want to configure independent domains
to maintain the independence of local ASs in the routing
instance and perform BGP loop detection only for the specified
local ASs in the routing instance, disable attribute set messages
on the independent domain. To disable attribute set messages,
include the independent-domain no-attrset statement at the
following hierarchy levels:
[edit logical-systems logical-system-name routing-instances routing-instance-name routing-options autonomous-system autonomous-system]
[edit routing-instances routing-instance-name routing-options autonomous-system autonomous-system]
[Routing Protocols]
Services Applications
NAT-PT with DNS ALG support (M Series and T Series routers): You
can configure Domain Name Service (DNS) application-level gateways
(ALGs) using Network Address Translation-Protocol Translation
(NAT-PT) for IPv6 to IPv4. The implementation is described in RFC
2766 and RFC 2694. When you configure NAT-PT with DNS ALG support,
you must configure two NAT rules. The first NAT rule ensures that
the DNS query and response packets are translated correctly. For
this rule to work, you must configure a DNS ALG application and
reference it in the rule. The second rule is required to ensure
that NAT sessions are destined to the address mapped by the DNS ALG
application.
To configure the correct translation of the DNS query and
response packets, include the dns-alg-pool dns-alg-pool or
dns-alg-prefix dns-alg-prefix statement at the [edit services nat
rule rule-name term term-name then translated] hierarchy level. To
configure the DNS ALG application, include the application
application-name statement at the [edit applications] hierarchy
level, then reference it at the [edit services nat rule rule-name
term term-name from] hierarchy level. To configure destination
translation with the DNS ALG address map, use the
use-dns-map-for-destination-translation statement at the [edit
services nat rule rule-name term term-name then translated]
hierarchy level. This statement correlates the DNS query or
response processing done by the first rule with the actual data
sessions processed by the second rule.
You can also control the translation of IPv6 and IPv4 DNS
queries in the following ways:
For translation control of IPv6 DNS queries, use the do-not-translate-AAAA-query-to-A-query statement at the [edit applications application application-name] hierarchy level.
For translation control of IPv4 queries, use the do-not-translate-A-query-to-AAAA-query statement at the [edit applications application application-name] hierarchy level.
NOTE: The two statements above cannot be configured together.
You can configure only one at a time, but not both.
To check that the flows are established properly, use the show
services stateful-firewall flows command or the show services
stateful-firewall conversations command. [Services Interfaces]
Enhancements to active flow monitoring: Adds support for extraction
of bandwidth usage information for billing purposes in PIC-based
sampling configurations. This capability is supported on M Series,
MX Series, and T Series routers and applies only to IPv4 and IPv6
traffic. It is enabled only at the global instance hierarchy level
and is not available for per Packet Forwarding Engine instances. To
configure the sampling of traffic for billing purposes, include the
template as-peer-billing-template-name statement at the [edit
forwarding-options sampling family (inet | inet6) output
flow-server server-name version version-number] hierarchy level. To
define the peer-AS billing functionality, include the
peer-as-billing-template statement at the [edit services
flow-monitoring version9 template template-name] hierarchy level.
For a list of the template fields, see the Junos OS Services
Interfaces Configuration Guide. You can apply the existing
destination class usage (DCU) policy option configuration for use
with this feature. In addition, the MPLS top label IP address is
added as a new field in the existing MPLS-IPv4 flow template. You
can use this field to gather MPLS forwarding equivalence class
(FEC)-based traffic information for MPLS network capacity planning.
These ALGs that use Junos OS Services Framework (JSF) (M Series
routers) are a PIC-only feature applied on sampled traffic and
collected by the services PIC or DPC. You can define it for either
global or per Packet Forwarding Engine instances for MPLS traffic.
The show services accounting aggregation template operational
command has been updated to include new output fields that reflect
the additional functionality. [Services Interfaces, System Basics
and Services Command Reference]
Support for the RPM timestamp on the Services SDK (M Series, MX
Series, and T Series routers): Real-time performance monitoring
(RPM), which has been supported on the Adaptive Services (AS)
interface, is now supported by the Services SDK. RPM is supported
on all platforms and service PICs that support the Services SDK.
RPM timestamping is needed to account for any latency in packet
communications. You can apply timestamps on the client, on the
server, or on both client and server. RPM timestamping is supported
only with the icmp-ping, icmp-ping-timestamp, udp-ping, and
udp-ping-timestamp probe types. To specify the Services SDK
interface, include the destination-interface statement at the [edit
services rpm probe probe-owner test test-name] hierarchy
level:
    destination-interface ms-fpc/pic/port.logical-unit-number;
To specify the RPM client router and the RPM server router,
include the rpm statement at the [edit interfaces interface-name
unit logical-unit-number] hierarchy level:
rpm (client | server);
To enable RPM on the Services SDK on the AS interface, configure
the object-cache-size, policy-db-size, and package statements at
the [edit chassis fpc slot-number pic pic-number adaptive-services
service-package extension-provider] hierarchy level. For the
Services SDK, package-name in the package package-name statement is
jservices-rpm.
user@host# show chassis
fpc 1 {
    pic 2 {
        adaptive-services {
            service-package {
                extension-provider {
                    control-cores 1;
                    data-cores 1;
                    object-cache-size 512;
                    policy-db-size 64;
                    package jservices-rpm;
                    syslog daemon any;
                }
            }
        }
    }
}
[Services Interfaces]
ALGs using Junos Services Framework (JSF) (M Series routers with
Multiservices PICs and MX Series routers with Multiservices
DPCs): Application-level gateways (ALGs) intercept and analyze
specified traffic, allocate resources, and define dynamic policies
to permit traffic to pass securely through a device. Beginning with
Junos OS Release 10.4 on the specified routers, you can use JSF
ALGs with the following services:
Stateful firewall
Network Address Translation (NAT)
To use JSF to run ALGs, you must configure the jservices-alg
package at the [edit chassis fpc slot pic slot adaptive-services
service-package extension-provider package] hierarchy level. In
addition, you must configure the ALG
application at the [edit applications application application-name]
hierarchy level, and reference the application in the stateful
firewall rule or the NAT rule in those respective configurations.
[Services Interfaces]
Enhancements to port mirroring with next-hop groups (MX Series
routers only): Add support for binding up to two port-mirroring
instances to the same MX Series Packet Forwarding Engine. This
enables you to choose multiple mirror destinations by specifying
different port-mirroring instances in the filters. Filters must
include the port-mirror-instance instance-name statement at the
[edit firewall filter filter-name term term-name then] hierarchy
level. You must also include the port-mirror-instance instance-name
statement at the [edit chassis fpc number] hierarchy level to
specify the FPC to be used.
Inline port mirroring allows you to configure instances that are
not bound to the FPC specified in the firewall filter then
port-mirror-instance instance-name action. Instead, you can define
the then next-hop-group action. Inline port mirroring aims to
decouple the port-mirror destination from the input parameters,
such as rate. While the input parameters are programmed in the
Switch Interface Board (SIB), the next-hop destination for the
mirrored packet is available in the packet itself. A port-mirroring
instance can now inherit input parameters from another instance
that specifies it. To configure this option, include the
input-parameters-instance instance-name statement at the [edit
forwarding-options port-mirror instance instance-name] hierarchy
level. You can also now configure port mirroring to next-hop groups
using a tunnel interface. [Services Interfaces]
Multiple IDP detector support (MX Series routers, M120 routers,
and M320 routers with Enhanced III FPCs): The IDP detector provides
information about services, contexts, and anomalies that are
supported by the associated protocol decoder. The specified routers
now support loading multiple IDP detectors simultaneously. When a
policy is loaded, it is also associated with a detector. If the new
policy being loaded has an associated detector that matches the
detector already being used by the existing policy, the new
detector is not loaded and both policies use a single associated
detector. However, if the new detector does not match the current
detector, the new detector is loaded along with the new policy. In
this case, each loaded policy will then use its own associated
detector for attack detection. Note that with the specified
routers, a maximum of four detectors can be loaded at any given
time. Multiple IDP detector support for the specified routers
functions in a similar way to the existing IDP detector support on
J Series and SRX Series devices, except for the maximum number of
decoder binary instances that are loaded into the process space. To
view the current policy and the corresponding detector version, use
the show security idp status detail command. For more information,
see the Junos OS Security Configuration Guide. [Services
Interfaces]
NAT using Junos OS Services Framework (JSF) (M Series and T
Series routers with Multiservices PICs and MX Series routers with
Multiservices DPCs): Junos OS Services Framework (JSF) is a unified
framework for Junos OS services integration. JSF services
integration allows the option of running Junos OS services on
services PICs or DPCs in any M Series, MX Series, or T Series
routers. Beginning with Junos OS Release 10.4, you can use JSF to
run NAT on the specified routers. To use JSF to run NAT, you must
configure the jservices-nat package at the [edit chassis fpc slot
pic slot adaptive-services service-package extension-provider
package] hierarchy level. In addition, you must configure NAT rules
and a service set with a Multiservices interface. To check the
configuration, use the show configuration services nat command. To
show the run-time (dynamic state) information about the interface,
use the show services sessions and show services nat pool commands.
[Services Interfaces]
Stateful firewall using Junos Services Framework (JSF) (M Series
routers with Multiservices PICs, MX Series routers with
Multiservices DPCs, and T Series routers): Junos Services Framework
(JSF) is a unified framework for Junos OS services integration. JSF
services integration allows the option of running Junos OS services
on services PICs or DPCs in any M Series, MX Series, or T Series
routers. Beginning with Junos OS Release 10.4, you can use JSF to
run stateful firewall on the specified routers. To use JSF to run
stateful firewall, you must configure the jservices-sfw package at
the [edit chassis fpc slot pic slot adaptive-services
service-package extension-provider package] hierarchy level. In
addition, you must configure stateful firewall rules and a
service set with a Multiservices interface. To check the
configuration, use the show configuration services
stateful-firewall command. To show the run-time (dynamic state)
information about the interface, use the show services sessions
command. [Services Interfaces]
Transition of IPv4 traffic to IPv6 addresses using Dual-Stack
Lite (DS-Lite): Adds support for DS-Lite, a means for transitioning
IPv4 traffic to IPv6 addresses. This transition will become
necessary as the supply of unique IPv4 addresses nears exhaustion.
New subscriber homes are allocated IPv6 addresses and IPv6-capable
equipment; DS-Lite provides a method for the private IPv4 addresses
behind the IPv6 equipment to reach the IPv4 network. An IPv4 host
communicates with a NAT endpoint over an IPv6 network using
softwires. DS-Lite creates the IPv6 softwires that terminate on the
services PIC. Packets coming out of the softwire can then have
other services such as NAT applied on them. [Services Interfaces,
System Basics and Services Command Reference]
Round-robin allocation for NAPT addresses: You can now specify
round-robin address allocation from NAT pools when you use NAPT. In
the default method of address allocation, NAT addresses are
allocated sequentially. All of the addresses in a given range must
be allocated before addresses from a different range are allocated.
The following example illustrates the sequential (legacy)
implementation, which is still available to provide backward
compatibility.
pool napt {
    address-range low 9.9.99.1 high 9.9.99.3;
    address-range low 9.9.99.4 high 9.9.99.6;
    address-range low 9.9.99.8 high 9.9.99.10;
    address-range low 9.9.99.12 high 9.9.99.13;
    port {
        range low 3333 high 3334;
    }
}
In this example, for each unique source address, a new address
range is used for allocation only when there are no ports available
in the previous address range. Address 9.9.99.4:3333 is picked only
when all ports for addresses in the first range are exhausted.
The first connection is allocated NAT address 9.9.99.1:3333. The
second connection is allocated 9.9.99.1:3334.
The third connection is allocated 9.9.99.2:3333. The fourth
connection is allocated 9.9.99.2:3334, and so on.
To configure round-robin allocation for NAT pools, include the
address-allocation round-robin configuration statement at the [edit
services nat pool pool-name] hierarchy level. When you use
round-robin allocation, one port is allocated from each address in
a range before repeating the process for each address in the next
range. After ports have been allocated for all addresses in the
last range, the allocation process wraps around and allocates the
next unused port for addresses in the first range.
The first connection is allocated NAT address 9.9.99.1:3333. The
second connection is allocated 9.9.99.2:3333. The third connection
is allocated 9.9.99.3:3333. The fourth connection is allocated
9.9.99.4:3333. The fifth connection is allocated address
9.9.99.5:3333. The sixth connection is allocated address
9.9.99.6:3333. The seventh connection is allocated address
9.9.99.7:3333. The eighth connection is allocated address
9.9.99.8:3333. The ninth connection is allocated address
9.9.99.9:3333. The tenth connection is allocated address
9.9.99.10:3333. The eleventh connection is allocated address
9.9.99.11:3333. The twelfth connection is allocated address
9.9.99.12:3333. Wraparound occurs and the thirteenth connection is
allocated address 9.9.99.1:3334.
[Services Interfaces]
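The two allocation orders described above, modelled in Python as an added example (not Junos code and not Juniper's implementation; all function names are hypothetical). It assumes a single allocation stream with no port release, and it hands out only addresses that fall inside the configured address-range statements of pool napt, so 9.9.99.7 and 9.9.99.11 never appear and wraparound follows 9.9.99.13.

```python
"""Model of sequential vs. round-robin NAPT allocation (added example)."""
from ipaddress import IPv4Address

# Pool copied from the "pool napt" configuration in the release note.
RANGES = [("9.9.99.1", "9.9.99.3"), ("9.9.99.4", "9.9.99.6"),
          ("9.9.99.8", "9.9.99.10"), ("9.9.99.12", "9.9.99.13")]
PORTS = (3333, 3334)  # port range low 3333 high 3334


def expand(ranges):
    """Expand (low, high) pairs into one list of address strings per range."""
    expanded = []
    for low, high in ranges:
        lo, hi = int(IPv4Address(low)), int(IPv4Address(high))
        if lo > hi:
            raise ValueError(f"inverted address range {low}-{high}")
        expanded.append([str(IPv4Address(a)) for a in range(lo, hi + 1)])
    return expanded


def sequential(ranges=RANGES, ports=PORTS):
    """Default order: use every port of every address in a range
    before touching the next range."""
    for addrs in expand(ranges):
        for addr in addrs:
            for port in range(ports[0], ports[1] + 1):
                yield addr, port


def round_robin(ranges=RANGES, ports=PORTS):
    """address-allocation round-robin: one port per address, range by
    range, then wrap to the first range with the next unused port."""
    for port in range(ports[0], ports[1] + 1):
        for addrs in expand(ranges):
            for addr in addrs:
                yield addr, port


def capacity(ranges=RANGES, ports=PORTS):
    """Total number of address:port mappings the pool can hold."""
    return sum(len(a) for a in expand(ranges)) * (ports[1] - ports[0] + 1)


def allocate(order, connections):
    """Return the mappings for the first N connections in the given order.
    Raises RuntimeError when the pool runs out of address:port pairs."""
    stream = order()
    mappings = []
    for n in range(1, connections + 1):
        try:
            mappings.append(next(stream))
        except StopIteration:
            raise RuntimeError(f"pool exhausted at connection {n}") from None
    return mappings


if __name__ == "__main__":
    for name, order in (("sequential", sequential), ("round-robin", round_robin)):
        print(name)
        for n, (addr, port) in enumerate(allocate(order, 13), start=1):
            print(f"  connection {n:2d} -> {addr}:{port}")
```

The pool holds 11 addresses and 2 ports, so in this model either order fails on the 23rd concurrent connection.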
Subscriber Access Management
Enhancement to the show services l2tp destination command: The
show services l2tp destination command has been extended to display
the lockout state of the destination from the L2TP access
concentrator (LAC). A destination that is reachable is not locked.
An unreachable destination is locked out. L2TP makes no further
attempts to connect to this destination until the timeout period
(300 seconds) expires, unless the unreachable destination is the
only destination in the tunnel configuration list. In that case,
L2TP ignores the lockout and continues trying to connect to the
destination. [Subscriber Access]
Support for Diameter transport layer source address (MX Series
3D Universal Edge Routers): You can now define transport layer
connections to be used for establishing active connections to
Diameter peers. Include the transport transport-name statement at
the [edit diameter] hierarchy level. Then specify the source
(local) address of the
transport connection at the [edit diameter transport
transport-name] hierarchy level. You can optionally configure a
logical system or a routing instance, or both, for the connection.
By default, Diameter uses the default logical system and master
routing instance. The logical system and routing instance for the
connection must match those for the peer, otherwise a configuration
error is reported. When you configure Diameter peers, you can now
specify the transport layer connection for establishing active
connections to the peers. Include the transport transport-name
statement at the [edit diameter peer peer-name connect-actively]
hierarchy level. Multiple peers can share the same transport layer
connection. You can display information about the transport
connection by issuing the show diameter and show diameter peer
detail commands. [Subscriber Access]
Redirecting HTTP redirect requests (MX Series routers): Enables
support for HTTP traffic requests from subscribers to be aggregated
from access networks onto a BRAS router, where HTTP traffic can be
intercepted and redirected to a captive portal. A captive portal
provides authentication and authorization services for redirected
subscribers before granting access to protected servers outside of
a walled garden. A walled garden defines a group of servers where
access is provided to subscribers without reauthorization through a
captive portal. You can use a captive portal page as the initial
page a subscriber sees after logging in to a subscriber session and
as a page used to receive and manage HTTP requests to unauthorized
Web resources. An HTTP redirect remote server that resides in a
walled garden behind Junos OS routers processes HTTP requests
redirected to it and responds with a redirect URL to a captive
portal. To configure HTTP redirect, include the
captive-portal-content-delivery statement at the [edit services]
hierarchy level. [Subscriber Access]
Filter support for service packet counting: You can count service
packets, applying them to a specific named counter
(__junos-dyn-service-counter), for use by RADIUS. To enable service
packet accounting, specify the service-accounting action at the
[edit firewall family family-name filter filter-name term term-name
then] hierarchy level. [Policy Framework, Subscriber Access]
Support for domain maps that apply configuration options based
on subscriber domain names (MX Series and M Series routers): You use
domain maps to apply access options and session-specific parameters
to subscribers whose domain name corresponds to the domain map
name. You can also create a default domain map that the router uses
for subscribers whose username does not include a domain name or
has a non-matching domain name. Domain maps apply
subscriber-related characteristics such as profiles (access,
dynamic, and tunnel), target and AAA logical system mapping,
address pool usage, and PADN routing information. You configure
domain maps at the [edit access domain] hierarchy level.
[Subscriber Access]
L2TP LAC support for subscriber management (MX Series
routers): You can now configure an L2TP access concentrator (LAC) on
MPC-equipped MX Series routers. As part of the new L2TP LAC
support, you can configure how the router selects a tunnel for a
PPP subscriber from among a set of available tunnels. The default
tunnel selection method is to fail over between tunnel preference
levels. When a PPP user tries to log in to a domain, the router
attempts to connect to a destination in that domain by means of the
associated tunnel with the highest preference level. If the
destination is unreachable, the router then moves to the next lower
preference level and repeats the process. No configuration is
required for this tunnel selection method. You can include the
fail-over-within-preference statement at the [edit services l2tp]
hierarchy level to configure tunnel selection failover within a
preference level. With this method, when the router tries to
connect to a destination and is unsuccessful, it selects a new
destination at the same preference level. If all destinations at a
preference level are marked as unreachable, the router does not
attempt to connect to a destination at that level. It drops to the
next lower preference level to select a destination. If all
destinations at all preference levels are marked as unreachable,
the router chooses the destination that failed first and tries to
make a connection. If the connection fails, the router rejects the
PPP user session without attempting to contact the remote router.
By default, the router uses a round-robin selection process among
tunnels at the same preference level. Include the
weighted-load-balancing statement at the [edit
services l2tp] hierarchy level to specify that the tunnel with the
highest weight within a preference is selected until its maximum
sessions limit is reached. Then the tunnel with the next highest
weight is selected until its limit is reached, and so on. The
tunnel with the highest configured maximum sessions value has the
greatest weight. Another feature of L2TP LACs on MX Series routers
is the ability to control whether the LAC sends the Calling Number
AVP 22 to the LNS. The AVP value is derived from the
Calling-Station-Id and identifies the interface that is connected
to the customer in the access network. By default, the LAC includes
this AVP in ICRQ packets it sends to the LNS. In some networks you
may wish to conceal your network access information. To prevent the
LAC from sending the Calling Number AVP to the LNS, include the
disable-calling-number-avp statement at the [edit services l2tp]
hierarchy level. [Subscriber Access]
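The tunnel selection rules described above, modelled in Python as an added example (not Junos code; the class, method and destination names are hypothetical). It assumes that in the default mode the first unlocked destination at a level is the one tried, that the last-resort retry of the destination that failed first applies only when every destination is already locked out when the login arrives, and that a lockout lasts the 300 seconds given for the show services l2tp destination command.

```python
"""Model of L2TP LAC destination selection with lockout (added example)."""

LOCKOUT_SECONDS = 300  # lockout timeout stated in the release note


class LacSelector:
    def __init__(self, levels, within_preference=False):
        # levels: lists of destination names, most preferred level first.
        self.levels = [list(level) for level in levels]
        # True models the fail-over-within-preference statement.
        self.within_preference = within_preference
        self.failed_at = {}  # destination -> time it was marked unreachable

    def is_locked(self, dest, now):
        """A destination stays locked out for LOCKOUT_SECONDS after a failure."""
        failed = self.failed_at.get(dest)
        return failed is not None and now - failed < LOCKOUT_SECONDS

    def select(self, now, connect):
        """Pick a destination for one PPP login.

        connect(dest) -> bool is the caller's connection attempt.
        Returns (destination or None, list of destinations tried);
        None means the session is rejected.
        """
        tried = []
        for level in self.levels:
            usable = [d for d in level if not self.is_locked(d, now)]
            if not self.within_preference:
                usable = usable[:1]  # default: one try, then drop a level
            for dest in usable:
                tried.append(dest)
                if connect(dest):
                    self.failed_at.pop(dest, None)
                    return dest, tried
                self.failed_at[dest] = now  # mark unreachable, keep going
        if tried or not self.failed_at:
            return None, tried  # something was tried and failed, or no tunnels
        # Every destination was already locked out: retry the one that
        # failed first, and reject the session if that attempt fails too.
        oldest = min(self.failed_at, key=self.failed_at.get)
        tried.append(oldest)
        if connect(oldest):
            del self.failed_at[oldest]
            return oldest, tried
        return None, tried


if __name__ == "__main__":
    # Constructed topology: two destinations at the preferred level, one below.
    levels = [["lns-a1", "lns-a2"], ["lns-b1"]]
    reachable = {"lns-a2", "lns-b1"}
    for mode in (False, True):
        lac = LacSelector(levels, within_preference=mode)
        print("within_preference =", mode, lac.select(0, lambda d: d in reachable))
```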
Support for dynamic interface sets (M120, M320, and MX Series
routers): Enables you to configure sets of subscriber interfaces in
dynamic profiles. Interface sets are used for providing
hierarchical scheduling. Previously, interface sets were supported
for interfaces configured in the static hierarchies only. Supported
subscriber interfaces include static and dynamic demux, static and
dynamic PPPoE, and static and dynamic VLAN interfaces. To configure
an interface set in a dynamic profile, include the interface-set
interface-set-name statement at the [edit dynamic-profiles
interfaces] hierarchy level. To add a subscriber interface to the
set, include the interface interface-name unit logical-unit-number
statement at the [edit dynamic-profiles interfaces interface-set
interface-set-name] hierarchy level. You apply traffic shaping and
scheduling parameters to the interface-set by including the
interface-set interface-set-name and
output-traffic-control-profile profile-name statements at the
static [edit class-of-service interfaces] hierarchy level.
A new Juniper Networks VSA (attribute 26-130) is now supported
for the interface set name, and includes a predefined variable,
$junos-interface-set-name. The VSA is supported for RADIUS
Access-Accept messages only; change of authorization (CoA) requests
are not supported. [Subscriber Access]
Support for service session accounting statistics (MX Series
routers): You can now capture accounting statistics for subscriber
service sessions. Subscriber management supports service session
accounting based on service activation and deactivation, as well as
interim accounting. Time-based accounting is supported for all
service sessions. Time and volume-based accounting is supported for
classic firewall filter and fast update firewall filter service
sessions only. To provide volume service accounting, the well-known
accounting counter junos-dyn-service-counter must also be
configured for the classic firewall filter and fast update firewall
filter service. You define the counter at the [edit firewall family
family filter filter term term then] hierarchy level. The following
VSAs (vendor ID 4874) are used for service accounting:

Attribute Number: 26-69
Attribute Name: Service-Statistics
Description: Enable or disable statistics for the service.
Value: 0 = disable; 1 = enable time statistics; 2 = enable time and
volume statistics

Attribute Number: 26-83
Attribute Name: Acct-Service-Session
Description: Name of the service.
Value: string: service-name

Attribute Number: 26-140
Attribute Name: Service-Interim-Acct-Interval
Description: Amount of time between interim accounting updates for
this service.
Value: range = 600-86400 seconds; 0 = disabled
[Subscriber Access]
Subscriber secure policy traffic mirroring supported for L2TP
sessions on the LAC (MX Series routers): The L2TP access concentrator
(LAC) implementation supports RADIUS-initiated per-subscriber
traffic mirroring. Both subscriber ingress traffic (from the
subscriber into the tunnel) and subscriber egress traffic (from the
tunnel to the subscriber) are mirrored at the (subscriber-facing)
ingress interface on the LAC. The ingress traffic is mirrored after
PPPoE decapsulation and before L2TP encapsulation. The egress
traffic is mirrored after L2TP decapsulation. The mirrored packet
includes the complete HDLC frame sent to the LNS. [Subscriber
Access]
Support for static and dynamic CoS on L2TP LAC subscriber
interfaces (M120, M320, and MX Series routers): Enables you to
configure static and dynamic CoS for L2TP access concentrator (LAC)
tunnels that transport PPP subscribers at Layer 2 and Layer 3 of
the network. IP and L2TP headers are added to packets arriving at
the LAC from a subscriber before being tunneled to the L2TP network
server (LNS). Classifiers and rewrite-rules enable you to properly
transfer the type-of-service (ToS) value or the 802.1p value from
the inner IP header to the outer IP header of the L2TP packet. For
ingress tunnels, you configure fixed or behavior aggregate (BA)
classifiers for the PPP interface or an underlying VLAN interface
at Layer 2. You can configure Layer 3 classifiers for a family of
PPP interfaces. Layer 2 and Layer 3 classifiers can co-exist for a
PPP subscriber. For example, to classify incoming packets for a PPP
subscriber, include the classifier type classifier-name statement
at the [edit class-of-service interfaces pp0 unit
logical-unit-number] hierarchy level or at the [edit
dynamic-profiles class-of-service interfaces pp0 unit
logical-unit-number] hierarchy level. On egress tunnels, you
configure rewrite rules to set the ToS or 802.1p value of the outer
header. For example, to configure a rewrite-rule definition for an
interface with 802.1p encapsulation, include the rewrite-rule
ieee-802.1 (rewrite-name | default) statement at the [edit
class-of-service interfaces interface-name unit
logical-unit-number] hierarchy level or the [edit dynamic-profiles
class-of-service interfaces pp0 unit logical-unit-number] hierarchy
level. Rewrite rules are applied according to the forwarding
class, packet loss priority (PLP), and code point. The proper
transfer of the inner IP header to the outer IP header of the L2TP
packet depends on the classifier and rewrite rule configuration