Junos Os 104 Release Notes Rev 6


    Junos OS 10.4 Release Notes

    Release 10.4R2

    11 February 2011 Revision 6

    These release notes accompany Release 10.4R2 of the Junos operating system (Junos OS). They describe device documentation and known problems with the software. Junos OS runs on all Juniper Networks M Series, MX Series, and T Series routing platforms, SRX Series Services Gateways, J Series Services Routers, and EX Series Ethernet Switches.

    You can also find these release notes on the Juniper Networks Junos OS Documentation Web page, which is located at http://www.juniper.net/techpubs/software/junos.

    Contents

    Junos OS Release Notes for Juniper Networks M Series Multiservice Edge Routers, MX Series Ethernet Service Routers, and T Series Core Routers
    New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
    Class of Service
    Interfaces and Chassis
    Junos OS XML API and Scripting
    Layer 2 Ethernet Services
    MPLS Applications
    Multicast
    MX Series
    Routing Policy and Firewall Filters
    Routing Protocols
    Services Applications
    Subscriber Access Management
    System Logging
    VPNs
    Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
    Class of Service
    Forwarding and Sampling
    Interfaces and Chassis
    Junos OS XML API and Scripting
    MPLS Application
    Platform and Infrastructure
    Routing Protocols

    Copyright 2011, Juniper Networks, Inc.


    Interfaces and Routing
    Intrusion Detection and Prevention (IDP)
    J-Web
    Management and Administration
    Multilink
    Power over Ethernet (PoE)
    Security
    Virtual LANs (VLANs)
    Wireless LAN (WLAN)
    Unsupported CLI
    Accounting-Options Hierarchy
    AX411 Access Point Hierarchy
    Chassis Hierarchy
    Class-of-Service Hierarchy
    Ethernet-Switching Hierarchy
    Firewall Hierarchy
    Interfaces CLI Hierarchy
    Protocols Hierarchy
    Routing Hierarchy
    Services Hierarchy
    SNMP Hierarchy
    System Hierarchy
    IPv6 and MVPN CLI
    Known Limitations in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
    AppSecure
    Chassis Cluster
    Command-Line Interface (CLI)
    DOCSIS Mini-PIM
    Dynamic Host Configuration Protocol (DHCP)
    Dynamic VPN
    Flow and Processing
    Hardware
    Interfaces and Routing
    Intrusion Detection and Prevention (IDP)
    IPv6 support
    J-Web
    NetScreen-Remote
    Network Address Translation (NAT)
    Point-to-Point Protocol over Ethernet (PPPoE)
    Security
    SNMP
    Switching
    Unified Threat Management (UTM)
    VPNs
    Wireless LAN (WLAN)


    Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
    Outstanding Issues In Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
    Resolved Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
    Errata and Changes in Documentation for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
    Changes to the Junos OS Documentation Set
    Errata for the Junos OS Documentation
    Errata for the Junos OS Hardware Documentation
    Hardware Requirements for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
    Transceiver Compatibility for SRX Series and J Series Devices
    Power and Heat Dissipation Requirements for J Series PIMs
    Supported Third-Party Hardware
    J Series CompactFlash and Memory Requirements
    Maximizing ALG Sessions
    Integrated Convergence Services Not Supported
    Upgrade and Downgrade Instructions for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
    Upgrade Policy for Junos OS Extended End-Of-Life Releases
    Junos OS Release Notes for EX Series Switches
    New Features in Junos OS Release 10.4 for EX Series Switches
    Hardware
    Bridging, VLANs, and Spanning Trees
    Class of Service (CoS)
    Fibre Channel over Ethernet
    High Availability
    Infrastructure
    Management and RMON
    Packet Filters
    Virtual Chassis
    Changes in Default Behavior and Syntax in Junos OS Release 10.4 for EX Series Switches
    Bridging, VLANs, and Spanning Trees
    Class of Service
    Limitations in Junos OS Release 10.4 for EX Series Switches
    Access Control and Port Security
    Bridging, VLANs, and Spanning Trees
    Class of Service
    Ethernet Switching
    Firewall Filters
    Hardware
    High Availability
    Infrastructure
    Interfaces
    J-Web Interface
    Layer 2 and Layer 3 Protocols


    Spanning Tree Protocols
    Virtual Chassis
    Outstanding Issues in Junos OS Release 10.4 for EX Series Switches
    Access Control and Port Security
    Bridging, VLANs, and Spanning Trees
    Ethernet Switching
    Firewall Filters
    Hardware
    Infrastructure
    J-Web Interface
    Layer 2 and Layer 3 Protocols
    Management and RMON
    Virtual Chassis
    Resolved Issues in Junos OS Release 10.4 for EX Series Switches
    Access Control and Port Security
    Ethernet Switching
    Hardware
    Infrastructure
    Interfaces
    J-Web Interface
    Layer 2 and Layer 3 Protocols
    Management and RMON
    Virtual Chassis
    Errata in Documentation for Junos OS Release 10.4 for EX Series Switches
    J-Web Interface
    Virtual Chassis
    Upgrade and Downgrade Instructions for Junos OS Release 10.4 for EX Series Switches
    Upgrading Software
    Upgrade Policy for Junos OS Extended End-Of-Life Releases
    Upgrading or Downgrading from Junos OS Release 9.4R1 for EX Series Switches
    Upgrading from Junos OS Release 9.3R1 to Release 10.4 for EX Series Switches
    Junos OS Documentation and Release Notes
    Documentation Feedback
    Requesting Technical Support
    Revision History


    Junos OS Release Notes for Juniper Networks M Series Multiservice Edge Routers, MX Series Ethernet Service Routers, and T Series Core Routers

    • New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
    • Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
    • Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
    • Errata and Changes in Documentation for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
    • Upgrade and Downgrade Instructions for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

    New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

    The following features have been added to Junos OS Release 10.4. Following the description is the title of the manual or manuals to consult for further information.

    Class of Service

    Hierarchical policer functionality extended to Modular Interface Cards (MICs) (MX Series routers): Provides hierarchical policer feature parity with Enhanced Intelligent Queuing (IQE) PICs. This is useful in provider edge applications using aggregate policing for general traffic and when applying a separate policer for premium traffic on a logical or physical interface.

    Hierarchical policing on MICs supports the following features:

    • Ingress traffic is first classified into premium and non-premium traffic before a policer is applied.
    • The hierarchical policer contains two policers: premium and aggregate.

    Premium traffic is policed by both the premium policer and the aggregate policer. While the premium policer rate-limits premium traffic, the aggregate policer only decrements the credits but does not drop packets. Non-premium traffic is rate-limited by the aggregate policer only, resulting in the following behavior:

    • Premium traffic is assured to have the bandwidth configured for the premium policer.
    • Non-premium traffic is policed to the specified rate limit.
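
    The policing behavior described above, modeled as two token buckets. This is an added example, not Juniper code and not part of the original release notes; the rates, burst sizes, 1 ms tick, class names, and the clamping of aggregate credits at zero are assumptions made for illustration.

```python
"""Two-bucket model of a hierarchical policer (illustrative, not Junos code)."""

TICKS_PER_SEC = 1000  # assumed simulation resolution: 1 ms


class TokenBucket:
    def __init__(self, rate_bps, burst_bits):
        self.rate_bps = rate_bps
        self.burst_bits = burst_bits
        self.tokens = burst_bits  # bucket starts full

    def refill(self):
        """Add one tick's worth of credit, capped at the burst size."""
        self.tokens = min(self.burst_bits,
                          self.tokens + self.rate_bps // TICKS_PER_SEC)

    def conforms(self, bits):
        return self.tokens >= bits

    def charge(self, bits):
        # Assumption: credits are clamped at zero rather than going negative.
        self.tokens = max(0, self.tokens - bits)


class HierarchicalPolicer:
    def __init__(self, premium, aggregate):
        self.premium = premium
        self.aggregate = aggregate

    def refill(self):
        self.premium.refill()
        self.aggregate.refill()

    def police(self, bits, is_premium):
        """Return True if the packet is forwarded, False if it is dropped."""
        if is_premium:
            # Only the premium policer can drop premium traffic.
            if not self.premium.conforms(bits):
                return False
            self.premium.charge(bits)
            # The aggregate policer is charged but makes no drop decision.
            self.aggregate.charge(bits)
            return True
        # Non-premium traffic is rate-limited by the aggregate policer only.
        if not self.aggregate.conforms(bits):
            return False
        self.aggregate.charge(bits)
        return True


def simulate(premium_offered_bps, other_offered_bps, seconds=10,
             premium_rate_bps=2_000_000, aggregate_rate_bps=10_000_000,
             pkt_bits=8000):
    """Offer constant-rate traffic in both classes; return forwarded bps."""
    policer = HierarchicalPolicer(
        TokenBucket(premium_rate_bps, 2 * pkt_bits),
        TokenBucket(aggregate_rate_bps, 10 * pkt_bits))
    offered = {"premium": premium_offered_bps, "other": other_offered_bps}
    backlog = {"premium": 0, "other": 0}
    forwarded = {"premium": 0, "other": 0}
    for _ in range(seconds * TICKS_PER_SEC):
        policer.refill()
        for cls in ("premium", "other"):
            backlog[cls] += offered[cls] // TICKS_PER_SEC
            while backlog[cls] >= pkt_bits:  # emit whole packets only
                backlog[cls] -= pkt_bits
                if policer.police(pkt_bits, cls == "premium"):
                    forwarded[cls] += pkt_bits
    return {cls: bits // seconds for cls, bits in forwarded.items()}


if __name__ == "__main__":
    # Constructed loads: premium above, then below, its 2 Mbps policer rate.
    for prem, other in ((3_000_000, 20_000_000), (1_000_000, 20_000_000)):
        print(prem, other, simulate(prem, other))
```

    With premium traffic offered above its policer rate, the model forwards about 2 Mbps of premium and leaves about 8 Mbps of the 10 Mbps aggregate for non-premium traffic; when premium traffic uses less, the unused aggregate credit goes to non-premium traffic.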

    For a list of supported MICs, refer to: http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/reference/general/mic-mx-series-supported.html.

    The logical-interface-policer and physical-interface-policer statements provide additional hierarchical policer parameters beyond those of the IQE PICs.

    You can apply the policer at the inet, inet6, or mpls family level, as follows:

        [edit interfaces ge-0/1/0 unit 0 family (inet | inet6 | mpls)]
        input-hierarchical-policer Test-HP;


    By making a hierarchical policer a logical-interface-policer, you can achieve aggregation within a logical interface. A hierarchical policer configured as a physical-interface-policer supports aggregation within a physical interface. Please note that you still apply the hierarchical policer at the interface and traffic of the families that do not have the hierarchical policer will be policed. This is different from IQE PICs, where you apply a hierarchical policer at the logical or physical interface.

    For hierarchical policing of all traffic through a logical interface, a hierarchical policer can be made a logical-interface-policer and applied to all families in the logical interface. Similarly, you can achieve aggregation at the physical interface level.

    [Network Interfaces, Class of Service, Policy]

    DSCP classification for VPLS at the ingress PE (M320 with Enhanced Type III FPC and M120): Enables you to configure DSCP classification for VPLS at an ingress PE for encapsulation types vlan-vpls (IQ2 or IQ2E PICs) or ATM II IQ PIC. To configure, define the DSCP classifier at the [edit class-of-service classifiers dscp dscp-name] hierarchy level and apply the DSCP classifier at the [edit interfaces at-fpc-pic-port unit-logical-unit-number classifiers] hierarchy level. The ATM interface must be included in the routing instance.

    [Class of Service]

    Traffic Control Profile (TCP) support at the FRF.16 physical interface level: FRF.16 bundle interfaces support multiple data-link connection identifiers (DLCIs). The bandwidth of each of these DLCIs was previously limited to one of the following:

    • An aggregate value based on the number of DLCIs under the FRF.16 interface
    • A specific percentage through a traffic control profile (TCP) configuration applied at the logical interface level

    When there is a small proportion of traffic or no traffic on an individual DLCI, the respective member link interface bandwidth is underutilized. Support for TCP features on the FRF.16 bundle (physical) interface level in Junos OS Release 10.4R2 addresses this limitation. The supported features include:

    • Peak Information Rate (PIR)
    • scheduler-map
    • delay-buffer

    To enable traffic control profiles to be applied at FRF.16 bundle (physical) interface level, disable the per-unit scheduler, which is enabled by default, by including the no-per-unit-scheduler statement at the [edit interfaces interface-name] hierarchy level.

    To specify traffic control profile features applicable to FRF.16 bundle physical interfaces, include the shaping-rate, delay-buffer-rate, and scheduler-map statements at the [edit class-of-service traffic-control-profiles profile-name] hierarchy level. The shaping-rate and delay-buffer-rate must be specified as a percentage.

    To apply the TCP configuration to an FRF.16 bundle (physical) interface, include the output-traffic-control-profile statement at the [edit class-of-service interfaces interface-name] hierarchy level.


    To view the TCP configuration for an FRF.16 bundle, enter the show class-of-service traffic-control-profile command.

        user@host> show class-of-service traffic-control-profile
        Traffic control profile: lsq-2/1/0:0, Index: 35757
        Shaping rate: 30 percent
        Scheduler map: sched_0
        Delay Buffer rate: 30 percent

    The following is a complete configuration example:

        interfaces {
            lsq-0/2/0:0 {
                /* Per-unit scheduling must be disabled to apply a TCP at the bundle level. */
                no-per-unit-scheduler;
                encapsulation multilink-frame-relay-uni-nni;
                unit 0 {
                    dlci 100;
                    family inet {
                        address 18.18.18.2/24;
                    }
                }
            }
        }
        class-of-service {
            traffic-control-profiles {
                rlsq_tc {
                    scheduler-map rlsq;
                    /* Both rates are given as percentages, as required for FRF.16 bundles. */
                    shaping-rate percent 60;
                    delay-buffer-rate percent 10;
                }
            }
            interfaces {
                lsq-0/2/0:0 {
                    output-traffic-control-profile rlsq_tc;
                }
            }
            scheduler-maps {
                rlsq {
                    forwarding-class best-effort scheduler rlsq_scheduler;
                    forwarding-class expedited-forwarding scheduler rlsq_scheduler1;
                }
            }
            schedulers {
                rlsq_scheduler {
                    transmit-rate percent 20;
                    priority low;
                }
                rlsq_scheduler1 {
                    transmit-rate percent 40;
                    priority high;
                }
            }
        }


    [Class of Service]

    Interfaces and Chassis

    Extend support for 64-bit Junos OS to include RE-1800 Series Routing Engines (M120, M320, MX960, MX480, and MX240 routers): Supported Routing Engines include:

    • RE-1800x2-A: Supports 64-bit Junos OS on M120 and M320 routers.
    • RE-1800x2-S: Supports 64-bit Junos OS on MX240, MX480, and MX960 routers.
    • RE-1800x4-S: Supports 64-bit Junos OS on MX240, MX480, and MX960 routers.

    [System Basics]

    Ethernet encapsulation for ATM scheduler (M7i, M10i, M120, and M320 [with Enhanced III FPC] routers): Enables support for the configuration of an ATM scheduler map on an Ethernet VPLS over a bridged ATM interface.

    [Network Interfaces]

    Synchronous Ethernet (SyncE) on MX80 routers and MX Series routers with MPCs: Supports the Ethernet synchronization messaging channel (ESMC), G.8264-like clock selection mechanism, and external clocking on MX80 routers and MX Series routers with MPCs. Wireless backhaul and wireline transport services are the primary applications for these features.

    The following features are supported:

    • On MX80 routers and MX Series routers, MPCs based on G.8261 and G.8262. This feature does not work on the fixed configuration version of the MX80 routers.
    • All Ethernet type ports are supported on MX80 routers and MX Series routers with MPCs
    • ESMC support as per G.8264
    • CLI command selection of clock sources
    • Monitoring clock sources (maximum of two clock sources can be monitored simultaneously)
    • Revertive and nonrevertive modes

    To configure SyncE, include the synchronization statement and its substatements at the [edit chassis] hierarchy level.

    [Network Interfaces, Interfaces Command Reference]

    Enhanced container interface allows ATM children for containers: M Series and T Series routers with ATM2 PICs automatically copy the parent container interface configuration to the children interfaces. Container interfaces do not go down during APS switchovers, thereby shielding upper layers. This feature allows the various ATM features to work over the container ATM for APS.


    To specify ATM children within a container interface, use the container-list cin statement and (primary | standby) option at the [edit interface at-fpc/pic/slot container] hierarchy level.

    To configure a container interface, including its children, use the cin statement and its options at the [edit interface ci-n] hierarchy level.

    Container ATM APS does not support inter-chassis APS. MLPPP over ATM CI is also not supported.

    [Network Interfaces]

    Signaling neighboring routers of fabric down on T1600 and T640 routers: The signaling of neighboring routers is supported when a T640 or T1600 router is unable to carry traffic due to all fabric planes being taken offline for one of the following reasons:

    • CLI or offline button pressed
    • Automatically taken offline by the SPMB due to high temperature.
    • PIO errors and voltage errors detected by the SPMB CPU to the SIBs.

    The following scenarios are not supported by this feature:

    • All PFEs get destination errors on all planes to all destinations, even with the SIBs staying online.
    • Complete fabric loss caused by destination timeouts, with the SIBs still online.

    When chassisd detects that all fabric planes are down, the router reboots all FPCs in the system. When the FPCs come back up, the interfaces will not be created again, since all fabric planes are down.

    Once you diagnose and fix the cause of all fabric planes going down, you must then bring the SIBs back online. Bringing the SIBs back online brings up the interfaces.

    Fabric down signaling to neighboring routers offers the following benefits:

    • FPCs reboot when the control plane connection to the Routing Engine times out.
    • Extends a simple approach to reboot FPCs when the dataplane blacks out.

    When the router transitions from a state where SIBs are online or spare to a state where there are no SIBs online, then all the FPCs in the system are rebooted. An ERRMSG indicates if all fabric planes are down, and the FPCs will reboot if any fabric planes do not come up in 2 minutes.

    An ERRMSG indicates the reason for FPC reboot on fabric connectivity loss.

    The chassisd daemon traces when an FPC comes online, but a PIC attach is not done because no fabric plane is present.

    A CLI warning that the FPCs will reboot is issued when the last fabric plane is taken offline.


    You will need to bring the SIBs online after determining why the SIBs were not online. When the first SIB goes online, and link training with the FPCs completes, the interfaces will be created.

    Fabric down signaling to neighboring routers functionality is available by default, and no user configuration is required to enable it.

    No new CLI commands or alarms are introduced for this feature. Alarms are already implemented for when the SIBs are not online.

    [Network Interfaces, System Basics]

    Newenterprise-specificMIBtosupportdigital opticalmonitoring(MX960,MX480,

    MX240,and 10-Gigabit Ethernet LAN/WANPICwith XFPonT640 andT1600

    routers)Junos OS Release 10.4 introduces JUNIPER-DOM-MIB, a new

    enterprise-specific MIB to extend MIB support for digital optical monitoring.

    JUNIPER-DOM-MIB supports theSNMPGet request for statistics andSNMPTrap

    notifications for alarms.

    JUNIPER-DOM-MIB is part of the JUNIPER-SMIMIB hierarchy level.

    The following MIB objects are supported by JUNIPER-DOM-MIB for digital optical

    monitoring:

    jnxDomCurrentTable

    jnxDomAlarmSet

    jnxDomAlarmCleared

    [SNMP MIBs and Traps Reference]

    Logging improvements: You can now control logging speed at the interface level. To

    rate-limit the syslogs generated from a service PIC, include the message-rate-limit statement at the [edit interfaces interface-name services-options syslog] hierarchy

    level. This option configures the maximum number of syslog messages per second

    that can be formatted and sent from the PIC to either the Routing Engine (local) or to an

    external server (remote). The default rates are 10,00 for the Routing Engine and 200,00

    for an external server.

    [Network Interfaces]

    Support for SONET/SDH OC48/STM16 Enhanced IQ (IQE) PIC with SFP (M320,

    MX240, MX480, MX960, T640 and T1600 routers): Supports a 4-port SONET/SDH

    OC48 Enhanced IQ (IQE) PIC (Type 3) with per data-link connection identifier (DLCI)

    queuing. Supported FPCs include T640-FPC3-ES, M320-FPC3-E3, and MX-FPC3.

    Class of service (CoS) enables enhanced egress queuing, buffering, and traffic shaping.

    CoS supports eight queues per logical interface, a per-unit scheduler, and two shaping

    rates: a Committed Information Rate (CIR) and Peak Information Rate (PIR) per

    data-link connection identifier (DLCI). Other CoS features include, but are not restricted

    to, sharing of excess bandwidth among logical interfaces, five levels of priorities

    (including Strict High), ingress behavior aggregate (BA) classification, queue rate-limit

    policer, ingress rewrite, egress rewrite, and a forwarding class to queue remapping per

    DLCI.

    The SONET/SDH OC48/STM 16 PIC supports CoS features similar to those in IQ2E

    PICs, in terms of behavior and configuration statements. This PIC supports the following

    Layer 2 protocols: PPP, Frame Relay, and Cisco HDLC encapsulations.

    For more information, see the PC-4OC48-STM16-IQE-SFP documentation for your router:

    SONET/SDH OC48/STM16 Enhanced IQ (IQE) PIC with SFP (T1600 Router)

    SONET/SDH OC48/STM16 Enhanced IQ (IQE) PIC with SFP (T640 Router)

    SONET/SDH OC48/STM16 Enhanced IQ (IQE) PIC with SFP (MX Series Routers)

    SONET/SDH OC48/STM16 Enhanced IQ (IQE) PIC with SFP (M320 Router)

    [PIC Guide, Network Interfaces, Class of Service]

    IPv6 statistics from IQ2 and IQ2E PICs on M320 routers with Enhanced III FPCs and

    T Series routers: Support statistical accounting for IPv6 traffic traversing the IQ2 and

    IQ2E PICs on M320 routers with Enhanced III FPCs and T Series routers.

    For IQ2 and IQ2E PIC interfaces, the IPv6 traffic that is reported will be the total statistics

    (sum of local and transit IPv6 traffic) in the ingress and egress direction. The IPv6

    traffic in the ingress direction will be accounted separately only if the IPv6 family is

    configured for the logical interface.

    Statistics are maintained for routed IPv6 packets in the egress direction.

    Byte and packet counters are maintained in the ingress and egress direction.

    Differences in IPv6 statistics for IQ2 interfaces and all other interfaces are as follows:

    IQ2 and IQ2E PIC interfaces report the total statistics for the IPv6 traffic. For other

    interfaces, the transit statistics are reported.

    IQ2 and IQ2E PIC interfaces report all IPv6 traffic received on the logical interface.

    For all other interfaces, only the routed traffic is accounted.

    IQ2 and IQ2E PIC interfaces report IPv6 statistics for the Layer 2 frame size. For all

    other interfaces, the Layer 3 packet size is accounted.

    The IPv6 statistics can be viewed by logging in to the individual IQ2 PIC or IQ2E PIC, or

    by using the CLI.

    Local statistics are not accounted separately.

    To display total IPv6 statistics for IQ2 and IQ2E PICs, use the show interfaces extensive

    command.

    NOTE: The reported IPv6 statistics do not account for the traffic manager

    drops in egress direction or the Packet Forwarding Engine/traffic manager

    drops in the ingress direction. Transit statistics are not accounted separately

    because the IQ2 and IQ2E PICs cannot differentiate between transit and

    local statistics.

    [Network Interfaces]

    100-Gigabit Ethernet PIC interoperability with VLAN steering: Supports

    interoperability with similar PICs from other vendors using a VLAN steering forwarding

    option. Previously, the PICs required interconnection to the same model PIC. Interoperability with interfaces from other vendors was not supported. Junos OS Release

    10.4 introduces a new VLAN steering algorithm to configure 100-Gigabit Ethernet PIC

    interoperation with similar interfaces from other vendors.

    Two packet forwarding modes exist under the forwarding-mode statement. SA multicast

    mode, for proprietary connection of two Juniper Networks 100-Gigabit Ethernet PICs,

    uses the Ethernet header SA MAC address multicast bit to steer the packets to the

    appropriate PFE. VLAN steering mode allows the PIC to connect to non-Juniper

    Networks equipment. On ingress, the PIC compares the outer VLAN ID against a

    user-defined VLAN ID and VLAN mask combination and steers the packet accordingly.

    Modifying the forwarding mode config reboots the PIC.

    VLAN steering overview:

    In VLAN steering mode, the SA multicast bit is not used for packet steering.

    In SA multicast bit steering mode, VLAN ID and VLAN mask configuration is not used

    for packet steering.

    Configuration of packet forwarding mode and VLAN steering mode uses CLI

    commands that result in a PIC reboot.

    There are three tag types for ingress packets:

    Untagged ingress packet: The packet is sent to PFE1.

    Ingress packet with one VLAN: The packet forwards based on the VLAN ID.

    Ingress packet with two VLANs: The packet forwards based on the outer VLAN

    ID.

    VLAN rules describe how the router forwards packets. For VLAN steering, you must

    use one of the two rules available in the CLI:

    Odd-even rule: Odd number VLAN IDs go to PFE1; even number VLAN IDs go to

    PFE0.

    High-low rule: 1 through 2047 VLAN IDs go to PFE0; 2048 through 4096 VLAN

    IDs go to PFE1.

    When configured in VLAN steering mode, the PIC can be configured in two physical

    interface mode or in aggregated Ethernet (AE) mode:

    Two physical interface mode: When the PIC is in two physical interface mode, it

    creates physical interfaces et-x/0/0:0 and et-x/0/0:1. Each physical interface can

    configure its own logical interface and VLAN. CLI enforces the following restrictions

    on commit:

    The VLAN ID configuration must comply with the selected VLAN rule.

    The previous restriction implies that the same VLAN ID cannot be configured

    on both physical interfaces.

    AE mode: In AE mode, the two physical interfaces on the same PIC are aggregated

    into one AE physical interface. PIC egress traffic is based on the AE internal hash algorithm. PIC ingress traffic steering is based on the customized VLAN ID rule. CLI

    enforces the following restrictions on commit:

    The PIC AE working in VLAN steering mode includes both links of this PIC, and

    only the links of this PIC.

    The PIC AE working in SA multicast steering mode can include more than one

    PIC to achieve more than 100-gigabit capacity.

    To configure the PIC forwarding mode, include the forwarding-mode statement and

    its options at the [edit chassis fpc number pic number] hierarchy level.

    [Network Interfaces]
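
    The VLAN steering rules and the commit restriction for two physical interface mode, modeled as an added Python example (not Juniper code and not part of the release notes). Assumptions not stated in the notes: TPIDs 0x8100 and 0x88A8 identify a VLAN tag, and physical interface et-x/0/0:N is served by PFE N. The frames are constructed sample input.

```python
import struct

# Assumption: these TPIDs mark a VLAN tag (802.1Q and 802.1ad). The release
# notes do not say which TPIDs the PIC recognizes.
VLAN_TPIDS = {0x8100, 0x88A8}
UNTAGGED_PFE = 1  # per the notes: an untagged ingress packet is sent to PFE1


def build_frame(tags, payload_type=0x0800):
    """Build a constructed Ethernet frame. tags: [(tpid, vlan_id), ...], outermost first."""
    frame = bytes(6) + bytes.fromhex("020000000001")  # constructed dst/src MACs
    for tpid, vlan_id in tags:
        frame += struct.pack("!HH", tpid, vlan_id & 0x0FFF)
    return frame + struct.pack("!H", payload_type) + bytes(46)


def outer_vlan_id(frame):
    """Return the outer VLAN ID of an Ethernet frame, or None if it is untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype not in VLAN_TPIDS:
        return None
    if len(frame) < 18:
        raise ValueError("truncated VLAN tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF  # low 12 bits of the tag control information


def pfe_for_vlan(vlan_id, rule):
    """Map a VLAN ID to PFE 0 or 1 under the odd-even or high-low rule."""
    if rule == "odd-even":
        return 1 if vlan_id % 2 else 0
    if rule == "high-low":
        # Ranges exactly as the notes state them. A 12-bit VLAN ID field
        # cannot carry 4096, so that value only matters for configuration.
        if 1 <= vlan_id <= 2047:
            return 0
        if 2048 <= vlan_id <= 4096:
            return 1
        raise ValueError(f"VLAN ID {vlan_id} is outside the high-low ranges")
    raise ValueError(f"unknown VLAN rule: {rule}")


def steer(frame, rule):
    """Return the PFE an ingress frame is steered to in VLAN steering mode."""
    vlan_id = outer_vlan_id(frame)  # double-tagged frames use the outer tag
    if vlan_id is None:
        return UNTAGGED_PFE
    return pfe_for_vlan(vlan_id, rule)


def check_two_port_config(rule, vlans_by_port):
    """Commit-style check for two physical interface mode.

    vlans_by_port maps port index N (et-x/0/0:N) to its configured VLAN IDs.
    Assumption: port N is served by PFE N, so every VLAN ID on port N must
    steer to PFE N. Returns a list of (port, vlan_id, steered_pfe) violations.
    """
    violations = []
    for port, vlan_ids in sorted(vlans_by_port.items()):
        for vlan_id in vlan_ids:
            pfe = pfe_for_vlan(vlan_id, rule)
            if pfe != port:
                violations.append((port, vlan_id, pfe))
    return violations


if __name__ == "__main__":
    double_tagged = build_frame([(0x88A8, 3000), (0x8100, 5)])
    print("untagged ->", steer(build_frame([]), "odd-even"))
    print("outer 3000, high-low ->", steer(double_tagged, "high-low"))
    # The same VLAN ID on both ports can never satisfy the rule on both.
    print(check_two_port_config("odd-even", {0: [100], 1: [100]}))
```

    Because each VLAN ID steers to exactly one PFE, configuring the same ID on both physical interfaces always produces a violation on one of them, which is the implication the notes draw from the first restriction.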

    New control queue disable feature (T Series routers with 10-Gigabit Ethernet PIC

    with oversubscription): Provides a new CLI statement for disabling the control queue

    feature for the 10-Gigabit Ethernet PIC with oversubscription. To disable the control

    queue, use the no-pre-classifier statement at the [chassis] hierarchy level.

    When the no-pre-classifier statement is set, the control queue feature will be disabled

    for all ports on that 10-Gigabit Ethernet PIC with oversubscription. Deleting this

    configuration results in the control queue feature being re-enabled on all the ports of

    that PIC.

    [edit chassis]
    fpc 2 {
        pic 0 {
            no-pre-classifier;
        }
    }

    NOTE:

    1. This feature is applicable in both oversubscribed and line-rate modes.

    2. The control queue feature is enabled by default in both oversubscribed

    and line-rate modes, which can be overridden by the user configuration.

    3. CLI show commands remain unchanged. When the control queue is

    disabled, various show queue commands continue to show the control

    queue in the output. However, all control queue counters are reported

    as zeros.

    4. Enabling or disabling the control queue feature results in the PIC being

    bounced (offline/online).

    Once the control queue feature is disabled, then the Layer 2 and Layer 3 control packets

    are subject to queue selection based on the BA classification. However, the following

    control protocol packets are not classified using BA classification, as they might not

    have a VLAN, MPLS, or IP header:

    Untagged ARP packets

    Untagged Layer 2 control packets such as LACP or Ethernet OAM

    Untagged IS-IS packets

    When the control queue feature is disabled, untagged ARP/IS-IS and other untagged

    Layer 2 control packets will go to the restricted queue corresponding to the forwarding

    class associated with queue 0.

    [Network Interfaces]

    Microcode remap (M320 and M120 routers): M320 routers with E3 type-1 FPCs and

    M120 routers with a single type-1 FPC mapped to an FEB, support a new microcode map to resolve microcode overflow resulting in bad PIC combinations.

    On M320 routers, the new microcode map is enabled by default and is the only option

    available.

    On M120 routers, you can enable the new microcode map by using the

    ucode-imem-remap statement at the [edit chassis feb slot number] hierarchy level. On

    M120 routers, the default microcode map remains configured if the ucode-imem-remap

    statement is not configured.

    [edit chassis]
    feb slot number ucode-imem-remap {
    }

    NOTE: On M120 routers, the FEB is automatically restarted once the

    ucode-imem-remap statement is configured and committed.

    [System Basics]

    Junos OS XML API and Scripting

    New Junos OS XML API operational request tag elements: Table 1 on page 16 shows

    the Junos OS Extensible Markup Language (XML) operational request tag elements that

    are new in Junos OS Release 10.4 along with the corresponding CLI command and

    response tag element for each one.

    Table 1: Junos OS XML Tag Elements and CLI Command Equivalents New in Junos OS Release 10.4

    Response Tag Element    CLI Command    Request Tag Element

    NONE    request dhcpv6 server reconfigure
    request_dhcpv6_server_reconfigure_information

    NONE    request system license update
    request_license_update

    NONE    request system software nonstop-upgrade
    request_package_nonstop_upgrade

    show amt statistics
    get_amt_statistics

    show amt summary
    get_amt_summary

    show amt tunnel
    get_amt_tunnel_information

    show chassis redundant-power-supply
    get_rps_chassis_information

    NONE    show chassis routing-engine bios
    get_bios_version_information

    show class-of-service congestion-notification
    get_cos_congestion_notification_information

    show firewall filter version
    get_firewall_log_information

    show ingress-replication
    get_interface_information

    show isis context-identifier
    get_isis_context_identifier_origin_information

    show isis context-identifier identifier
    get_isis_database_information

    show mpls context-identifier
    get_mpls_cspf_information

    show network-access domain-map statistics
    get_authentication_pending_table

    show ospf context-identifier
    get_ospf_database_information

    show redundant-power-supply led
    get_rps_power_supply_information

    show redundant-power-supply power-supply
    get_rps_status_information

    show redundant-power-supply status
    get_rps_version_information

    show redundant-power-supply version
    get_rip_general_statistics_information

    show security idp policy-commit-status
    get_idp_policy_template_information

    show services border-signaling-gateway charging statistics
    get_service_border_signaling_gateway_charging_status

    show services border-signaling-gateway charging status
    get_service_bsg_denied_messages

    show services l2tp destination
    get_services_l2tp_radius_accounting_statistics_information

    show services sessions
    get_service_softwire_statistics_information

    show services softwire
    get_service_sfw_conversation_information

    show services softwire flows
    get_service_sfw_flow_analysis_information

    show services softwire statistics
    get_service_sfw_flow_table_information

    show services stateful-firewall flow-analysis
    get_service_sfw_sip_register_information

    show synchronous-ethernet esmc statistics
    get_synchronous_ethernet_esmc-statistics

    show synchronous-ethernet esmc transmit
    get_synchronous_ethernet_esmc_transmit

    NONE    show synchronous-ethernet global-information
    get_-synchronous_ethernet_global_information

    show system relay group
    get_system_resource_cleanup_processes_information

    show system relay member
    get_rollback_information

    show system relay summary
    get_dhcp_binding_information

    clear synchronous-ethernet esmc statistics
    clear_synchronous_ethernet_esmc_statistics

    Layer 2 Ethernet Services

    Feature support for Trio 3D MPCs and MICs (MX Series routers): Enables you to

    configure the following features through Junos OS Release 9.1: load balancing, Ethernet

    OAM IEEE 802.1ag Phase 4 MIP support, LLDP, BPDU guard and loop guard, IRB support

    for interworking of LDP-VPLS and BGP-VPLS, BGP multihoming for Inter-AS VPLS,

    VPLS Ethernet as a core-facing interface, and limitations on next-hop flooding.

    [Layer 2 Configuration]

    Ethernet CFM support on Trio 3D MPCs and MICs (MX Series routers): Enables support for Ethernet connectivity fault management (CFM) defined by IEEE 802.1ag

    for family bridge interfaces. However, MEP configuration is not supported on aggregated

    Ethernet interfaces.

    [Layer 2 Configuration]

    MPLS Applications

    MPLS support on services PICs: Adds MPLS label pop support for services PICs on

    Junos OS routers. Previously all MPLS traffic would be dropped at the services PIC. No

    changes are required to CLI configurations for this enhancement. In-service software

    upgrade (unified ISSU) is supported for tag next hops for MPLS on services PIC traffic,

    but no support is provided for tags over IPv6 packets or labels on multiple gateways.

    [MPLS]

    Adding descriptions for bypass LSP: You can now add text describing a bypass

    LSP using the description option at the [edit protocols rsvp interface interface-name

    link-protection bypass bypass-lsp-name] hierarchy level. Enclose any descriptive text

    that includes spaces in quotation marks (" "). Any descriptive text you include is

    displayed in the output of the show rsvp session bypass command and has no effect

    on the operation of the bypass LSP.

    [MPLS]

    Multicast

    Nonstop active routing PIM support for IPv6: Starting with Release 10.4, Junos OS

    extends the nonstop active routing support for Protocol Independent Multicast (PIM),

    which is already supported on IPv4, to include the IPv6 address families. The extension

    of nonstop active routing PIM support to IPv6 enables IPv6 routers to maintain

    self-generation IDs, multicast session states, dynamic interface states, list of neighbors,

    and RPSets across Routing Engine switchovers.

    The nonstop active routing support for PIM on IPv6 is similar to the nonstop active

    routing PIM support on IPv4 except for the following:

    Nonstop active routing support for PIM on IPv6 supports an embedded rendezvous point (RP) on non-RP routers.

    Nonstop active routing support for PIM on IPv6 does not support auto-RP, as auto-RP

    is not supported on IPv6.

    For more information about nonstop active routing PIM support on IPv4 and IPv6, see

    the Junos OS High Availability Configuration Guide.

    [High Availability, Multicast]

    MX Series

    Support for MX Series: While these features have been available on the MX Series

    routers in the past, we have now qualified the following features on the Trio chipset.

    For MPLS, RSVP, and LDP:

    BFD session failure action for LDP LSPs (including ECMP)

    RSVP Graceful Restart interop with Cisco using Nodal Hello support

    Failure action on BFD session down of RSVP LSPs in JUNOS

    RSVP transit

    L3VPN testing using RSVP

    NSR: RSVP ingress

    BFD via LDP

    For Multicast:

    OSPF

    OSPF Database Protection

    RFC 4136 OSPF Refresh and Flooding Reduction in Stable Topologies

    PIM SSM in provider space (Draft-Rosen 7)

    NG MVPN - PIM-SSM I-PMSI and deployment scenario testing

    MVPN C-PIM in plain ASM mode

    NGEN MVPN hub and spoke support with GRE S-PMSI transport

    PIM Join suppression support

    Translating PIM states to IGMP/MLD messages

    Disable PIM for IPv6 via CLI

    IPv6 multicast support over L3VPNs

    PIM neighbor should be maintained wherever possible

    Data MDT SAFI (draft-rosen-l3vpn-mvpn-profiles)

    Inter-provider Option A support with Rosen 7

    Rosen 7 interoperability with Cisco IOS

    For VPNs:

    VPLS: Configurable label block size (min 2)

    Interoperate LDP-VPLS and BGP-VPLS with FEC 128

    LDP-VPLS

    Interprovider VPLS Option "E": EBGP redistribution of labeled routes

    Miscellaneous:

    Support to commit configuration from op/event scripts

    Per PFE per packet load balancing

    Next Hop Handling Enhancements (Phase 3)

    Support local-as alias hidden command

    MIB Enhancements for Manual Bypass Tunnel Management

    ISIS LFA

    Improve IGMPv3 performance using bulk updates

    Improve IGMPv3 performance using bulk updates - with snooping

    Allow ASM group override of SSM ranges

    Routing Policy and Firewall Filters

    Point-to-multipoint (P2MP) LSP load balancing across aggregated Ethernet links

    (M Series except M320): Enables you to load-balance VPLS multicast and P2MP

    multicast traffic over link aggregation. This feature also re-load-balances traffic after

    a change in the next-hop topology. Next-hop topology changes might include but are

    not limited to:

    Layer 2 membership change in the link aggregation

    Indirect next-hop change

    Composite next-hop change

    No new configuration is required to configure this feature. The load balancing over

    aggregated links is automatically enabled with this release. For a sample topology and

    configuration example, see Junos OS Policy Framework Configuration Guide.

    [Policy]

    New routing policy system log message: Junos OS Release 10.3 supports a new

    routing policy system log message. The RPD_PLCY_CFG_NH_NETMASK system log

    message provides information about ignored netmasks. If you have a policy statement with a term that contains a next-hop address with a netmask, the netmask is ignored.

    The following sample shows the new system log message (depending on your network

    configuration, the type of message you see might be different):

    Jun 18 11:22:43 pro5-d rpd[1403]: RPD_PLCY_CFG_NH_NETMASK: Netmask ignored for

    next hop: 10.0.0.1/24.

    [System Log Messages Reference]

    Support for displaying the firewall filter version information: You can display the

    version number of the firewall filter installed in the Routing Engine. The initial version

    number is 1 and increments by one when you modify the firewall filter settings or an

    associated prefix action. To show the version number of the installed firewall filter,

    use the show firewall filter version operational mode command.

    [Routing Protocols and Policies Command Reference]

    Routing Protocols

    Support for disabling traps for passive OSPFv2 interfaces: You can now disable

    interface state change traps for passive OSPF interfaces. Passive OSPF interfaces

    advertise address information as an internal OSPF route, but do not run the actual

    protocol. If you are only interested in receiving notifications for active OSPF interfaces,

    disabling traps for passive OSPF interfaces reduces the number of notifications received

    and processed by the SNMP server. This allows you to more quickly and easily scan

    the logs for potential issues on active OSPF interfaces.

    To disable and stop receiving notifications for state changes in a passive OSPF interface, include the no-interface-state-traps statement at the following hierarchy levels:

    [edit logical-systems logical-system-name protocols ospf area area-id interface

    interface-name]

    [edit logical-systems logical-system-name routing-instances routing-instance-name

    protocols ospf area area-id interface interface-name]

    [edit protocols ospf area area-id interface interface-name]

    [edit routing-instances routing-instance-name protocols ospf area area-id interface

    interface-name]

    [Routing Protocols]

    Behavior change for BGP-independent AS domains: Independent domains use the

    transitive path attribute 128 (attribute set) messages to tunnel the independent

    domain's BGP attributes through the internal BGP (IBGP) core. In Junos OS Release

    10.3 and later, if you have not configured an independent domain in any routing instance,

    BGP treats the received attribute 128 message as an unknown attribute. The AS path

    field in the show route command has been updated to display an unrecognized attribute

    and associated hexadecimal value if you have not configured an independent domain.

    The following is a sample output of the AS path field (depending on your network

    configuration, the output might be different):

    AS path: [12345] I Unrecognized Attributes: 40 bytes

    AS path: Attr flags e0 code 80: 00 09 eb 1a 40 01 01 00 40 02 08 02 03 fd e9 fd e9 01

    2d 40 05 04 00 00 00 64 c0

    [Routing Protocols]

    Support for disabling the attribute set messages on independent AS domains for

    BGP loop detection: BGP loop detection for a specific route uses the local autonomous

    system (AS) domain for the routing instance. By default, all routing instances belong

    to a single primary routing instance domain. Therefore, BGP loop detection uses the

    local ASs configured on all of the routing instances. Depending on your network

    configuration, this default behavior can cause routes to be looped and hidden.

    To limit the local ASs in the primary routing instance, configure an independent AS

    domain for a routing instance. Independent domains use the transitive path attribute

    128 (attribute set) messages to tunnel the independent domain's BGP attributes

    through the internal BGP (IBGP) core. If you want to configure independent domains

    to maintain the independence of local ASs in the routing instance and perform BGP

    loop detection only for the specified local ASs in the routing instance, disable attribute

    set messages on the independent domain. To disable attribute set messages, include

    the independent-domain no-attrset statement at the following hierarchy levels:

    [edit logical-systems logical-system-name routing-instances routing-instance-name

    routing-options autonomous-system autonomous-system]

    [edit routing-instances routing-instance-name routing-options autonomous-system

    autonomous-system]

    [Routing Protocols]

    Services Applications

    NAT-PT with DNS ALG support (M Series and T Series routers): You can configure

    Domain Name Service (DNS) application-level gateways (ALGs) using NAT with

    protocol translation (NAT-PT) for IPv6 to IPv4. The implementation is described in

    RFC 2766 and RFC 2694.

    When you configure NAT-PT with DNS ALG support, you must configure two NAT rules.

    The first NAT rule ensures that the DNS query and response packets are translated

    correctly. For this rule to work, you must configure a DNS ALG application and reference

    it in the rule. The second rule is required to ensure that NAT sessions are destined to

    the address mapped by the DNS ALG.

    To configure the correct translation of the DNS query and response packets, include

    the dns-alg-pool dns-alg-pool or dns-alg-prefix dns-alg-prefix statement at the [edit

    services nat rule rule-name term term-name then translated] hierarchy level.

    To configure the DNS ALG application, include the application application-name

    statement at the [edit applications] hierarchy level, then reference it at the [edit

    services nat rule rule-name term term-name from] hierarchy level.

    To configure destination translation with the DNS ALG address map, use the

    use-dns-map-for-destination-translation statement at the [edit services nat rule

    rule-name term term-name then translated] hierarchy level. This statement correlates

    the DNS query or response processing done by the first rule with the actual data

    sessions processed by the second rule.

    You can also control the translation of IPv6 and IPv4 DNS queries in the following

    ways.

    For translation control of IPv6 DNS queries, use the

    do-not-translate-AAAA-query-to-A-query statement at the [edit applications

    application application-name] hierarchy level.

    For translation control of IPv4 queries, use the

    do-not-translate-A-query-to-AAAA-query statement at the [edit applications

    application application-name] hierarchy level.

    NOTE: The above two statements cannot be configured together. You

    can only configure one at a time, but not both.

    To check that the flows are established properly, use the show services

    stateful-firewall flows command or the show services stateful-firewall conversations

    command.

    [Services Interfaces]

    Enhancements to active flow monitoring: Add support for extraction of bandwidth

    usage information for billing purposes in PIC-based sampling configurations. This

    capability is supported on M Series, MX Series, and T Series routers and applies only to IPv4 and IPv6 traffic. It is enabled only at the global instance hierarchy level and is

    not available for per Packet Forwarding Engine instances. To configure the sampling

    of traffic for billing purposes, include the template as-peer-billing-template-name

    statement at the [edit forwarding-options sampling family (inet | inet6) output

    flow-server server-name version version-number] hierarchy level. To define the peer-AS

    billing functionality, include the peer-as-billing-template statement at the [edit services

    flow-monitoring version9 template template-name] hierarchy level. For a list of the

    template fields, see the Junos OS Services Interfaces Configuration Guide. You can apply

    the existing destination class usage (DCU) policy option configuration for use with this

    feature.

    In addition, the MPLS top label IP address is added as a new field in the existing

    MPLS-IPv4 flow template. You can use this field to gather MPLS forwarding equivalence class (FEC)-based traffic information for MPLS network capacity planning. These

    ALGs that use Junos Services Framework (JSF) (M Series) is a PIC-only feature applied

    on sampled traffic and collected by the services PIC or DPC. You can define it for either

    global or per Packet Forwarding Engine instances for MPLS traffic.

    The showservices accounting aggregation templateoperational command has been

    updated to include new output fields that reflect the additional functionality.

    [Services Interfaces,SystemBasics and Services Command Reference]

    Support for the RPM timestamp on the Services SDK (M Series, MX Series, and T Series): Real-time performance monitoring (RPM), which has been supported on the Adaptive Services (AS) interface, is now supported by the Services SDK. RPM is supported on all platforms and service PICs that support the Services SDK.

    RPM timestamping is needed to account for any latency in packet communications. You can apply timestamps on the client, the server, or both the client and server. RPM timestamping is supported only with the icmp-ping, icmp-ping-timestamp, udp-ping, and udp-ping-timestamp probe types.

    To specify the Services SDK interface, include the destination-interface statement at the [edit services rpm probe probe-owner test test-name] hierarchy level:

        destination-interface ms-fpc/pic/port.logical-unit-number;

    To specify the RPM client router and the RPM server router, include the rpm statement at the [edit interfaces interface-name unit logical-unit-number] hierarchy level:

        rpm (client | server);

    To enable RPM on the Services SDK on the AS interface, configure the object-cache-size, policy-db-size, and package statements at the [edit chassis fpc slot-number pic pic-number adaptive-services service-package extension-provider] hierarchy level. For the Services SDK, package-name in the package package-name statement is jservices-rpm.

    user@host# show chassis

    fpc 1 {
        pic 2 {
            adaptive-services {
                service-package {
                    extension-provider {
                        control-cores 1;
                        data-cores 1;
                        object-cache-size 512;
                        policy-db-size 64;
                        package jservices-rpm;
                        syslog daemon any;
                    }
                }
            }
        }
    }

    [Services Interfaces]

    ALGs using Junos OS Services Framework (JSF) (M Series with Multiservices PICs and MX Series with MS DPCs): Application-level gateways (ALGs) intercept and analyze specified traffic, allocate resources, and define dynamic policies to permit traffic to pass securely through a device. Beginning with Junos OS Release 10.4 on the specified routers, you can use JSF ALGs with the following services:

    Stateful firewall

    Network Address Translation (NAT)

    To use JSF to run ALGs, you must configure the jservices-alg package at the [edit chassis fpc slot pic slot adaptive-services service-package extension-provider package] hierarchy level. In addition, you must configure the ALG application at the [edit applications application application-name] hierarchy level, and reference the application in the stateful firewall rule or the NAT rule in those respective configurations.

    [Services Interfaces]

    Enhancements to port mirroring with next-hop groups (MX Series only): Adds support for binding up to two port-mirroring instances to the same MX Series Packet Forwarding Engine. This enables you to choose multiple mirror destinations by specifying different port-mirroring instances in the filters. Filters must include the port-mirror-instance instance-name statement at the [edit firewall filter filter-name term term-name then] hierarchy level. You must also include the port-mirror-instance instance-name statement at the [edit chassis fpc number] hierarchy level to specify the FPC to be used.

    Inline port mirroring allows you to configure instances that are not bound to the FPC specified in the firewall filter then port-mirror-instance instance-name action. Instead, you can define the then next-hop-group action. Inline port mirroring aims to decouple the port-mirror destination from the input parameters, such as rate. While the input parameters are programmed in the Switch Interface Board (SIB), the next-hop destination for the mirrored packet is available in the packet itself.

    A port-mirroring instance can now inherit input parameters from another instance that specifies it. To configure this option, include the input-parameters-instance

    instance-name statement at the [edit forwarding-options port-mirror instance

    instance-name] hierarchy level.

    You can also now configure port mirroring to next-hop groups using a tunnel interface.

    [Services Interfaces]

    Multiple IDP detector support (MX Series routers, M120 routers, and Enhanced III FPCs in M320 routers): The IDP detector provides information about services, contexts, and anomalies that are supported by the associated protocol decoder.

    The specified routers now support loading multiple IDP detectors simultaneously. When a policy is loaded, it is also associated with a detector. If the new policy being loaded has an associated detector that matches the detector already being used by the existing policy, the new detector is not loaded and both policies use a single associated detector. However, if the new detector does not match the current detector, the new detector is loaded along with the new policy. In this case, each loaded policy will then use its own associated detector for attack detection. Note that with the specified routers, a maximum of four detectors can be loaded at any given time.

    Multiple IDP detector support for the specified routers functions in a similar way to the existing IDP detector support on J Series and SRX Series devices, except for the maximum number of decoder binary instances that are loaded into the process space.

    To view the current policy and the corresponding detector version, use the show security idp status detail command.

    For more information, see the Junos OS Security Configuration Guide.

    [Services Interfaces]

    NAT using Junos OS Services Framework (JSF) (M Series and T Series with Multiservices PICs and MX Series with Multiservices DPCs): The Junos OS Services Framework (JSF) is a unified framework for Junos OS services integration. JSF Services integration will allow the option of running Junos OS services on services PICs or DPCs in any M Series, MX Series, or T Series routers. Beginning with Junos OS Release 10.4, you can use JSF to run NAT on the specified routers.

    To use JSF to run NAT, you must configure the jservices-nat package at the [edit chassis fpc slot pic slot adaptive-services service-package extension-provider package] hierarchy level. In addition, you must configure NAT rules and a service set with a Multiservice interface. To check the configuration, use the show configuration services nat command. To show the run time (dynamic state) information on the interface, use the show services sessions and show services nat pool commands.

    [Services Interfaces]

    Stateful firewall using Junos OS Services Framework (JSF) (M Series with Multiservices PICs, MX Series with Multiservices DPCs, and T Series routers): The Junos OS Services Framework (JSF) is a unified framework for Junos OS services integration. JSF Services integration will allow the option of running Junos OS services on services PICs or DPCs in any M Series, MX Series, or T Series routers. Beginning with Junos OS Release 10.4, you can use JSF to run stateful firewall on the specified routers.

    To use JSF to run stateful firewall, you must configure the jservices-sfw package at the [edit chassis fpc slot pic slot adaptive-services service-package extension-provider package] hierarchy level. In addition, you must configure stateful firewall rules and a service set with a Multiservice interface. To check the configuration, use the show configuration services stateful-firewall command. To show the run time (dynamic state) information on the interface, use the show services sessions command.

    [Services Interfaces]

    Transition of IPv4 traffic to IPv6 addresses using Dual Stack Lite (DS-Lite): Adds support for DS-Lite, a means for transitioning IPv4 traffic to IPv6 addresses. This transition will become necessary as the supply of unique IPv4 addresses nears exhaustion. New subscriber homes are allocated IPv6 addresses and IPv6-capable equipment; DS-Lite provides a method for the private IPv4 addresses behind the IPv6 equipment to reach the IPv4 network. An IPv4 host communicates with a NAT endpoint over an IPv6 network using softwires. DS-Lite creates the IPv6 softwires that terminate on the services PIC. Packets coming out of the softwire can then have other services such as NAT applied on them.

    [Services Interfaces, System Basics and Services Command Reference]

    Round-robin allocation for NATP addresses: You can now specify round-robin address allocation from NAT pools when you use NATP. In the default method of address-allocation, NAT addresses are allocated sequentially. All of the addresses in a given range must be allocated before addresses from a different range are allocated.

    The following example illustrates the sequential (legacy) implementation, which is still available to provide backward compatibility.

    pool napt {
        address-range low 9.9.99.1 high 9.9.99.3;
        address-range low 9.9.99.4 high 9.9.99.6;
        address-range low 9.9.99.8 high 9.9.99.10;
        address-range low 9.9.99.12 high 9.9.99.13;
        port {
            range low 3333 high 3334;
        }
    }

    In this example, for each unique source address, a new address range is used for allocation only when there are no ports available in the previous address range. Address 9.9.99.4:3333 is picked only when all ports for addresses in the first range are exhausted.

    The first connection is allocated NAT address 9.9.99.1:3333.

    The second connection is allocated 9.9.99.1:3334.

    The third connection is allocated 9.9.99.2:3333.

    The fourth connection is allocated 9.9.99.2:3334, and so on.

    To configure round-robin allocation for NAT pools, include the address-allocation round-robin configuration statement at the [edit services nat pool pool-name] hierarchy level. When you use round-robin allocation, one port is allocated from each address in a range before repeating the process for each address in the next range. After ports

    have been allocated for all addresses in the last range, the allocation process wraps

    around and allocates the next unused port for addresses in the first range.

    The first connection is allocated NAT address 9.9.99.1:3333.

    The second connection is allocated 9.9.99.2:3333.

    The third connection is allocated 9.9.99.3:3333.

    The fourth connection is allocated 9.9.99.4:3333.

    The fifth connection is allocated address 9.9.99.5:3333.

    The sixth connection is allocated address 9.9.99.6:3333.

    The seventh connection is allocated address 9.9.99.7:3333.

    The eighth connection is allocated address 9.9.99.8:3333.

    The ninth connection is allocated address 9.9.99.9:3333.

    The tenth connection is allocated address 9.9.99.10:3333.

    The eleventh connection is allocated address 9.9.99.11:3333.

    The twelfth connection is allocated address 9.9.99.12:3333.

    Wraparound occurs and the thirteenth connection is allocated address 9.9.99.1:3334.

    [Services Interfaces]
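
    The two allocation orders described above, modelled over the sample pool as an added example (not Juniper code), which helps when reconciling translated address:port pairs in logs with connection order. It assumes one source address and no port release, and it allocates only from the four configured ranges, so it never hands out 9.9.99.7 or 9.9.99.11 (the sample pool does not contain them) and its round-robin wraparound position differs from the list above accordingly.

```python
"""Model of the sequential and round-robin NAPT allocation orders.

Assumption: one source address opens connections one after another and no
port is ever released, as in the walkthrough in the text.
"""
from ipaddress import IPv4Address
from itertools import islice

# The sample pool from the text: four address ranges and one port range.
ADDRESS_RANGES = [
    ("9.9.99.1", "9.9.99.3"),
    ("9.9.99.4", "9.9.99.6"),
    ("9.9.99.8", "9.9.99.10"),
    ("9.9.99.12", "9.9.99.13"),
]
PORT_RANGE = (3333, 3334)


def expand(low, high):
    """Return every address from low to high inclusive, as strings."""
    lo, hi = int(IPv4Address(low)), int(IPv4Address(high))
    if lo > hi:
        raise ValueError(f"empty range {low}-{high}")
    return [str(IPv4Address(n)) for n in range(lo, hi + 1)]


def sequential(ranges, ports):
    """Default order: use every port of an address, then the next address;
    move to the next range only when the previous range has no ports left."""
    for low, high in ranges:
        for addr in expand(low, high):
            for port in range(ports[0], ports[1] + 1):
                yield addr, port


def round_robin(ranges, ports):
    """address-allocation round-robin: one port from each address of each
    range in turn, then wrap to the first range with the next unused port."""
    for port in range(ports[0], ports[1] + 1):
        for low, high in ranges:
            for addr in expand(low, high):
                yield addr, port


def connection_index(order, translated):
    """1-based position at which a translated (address, port) pair is handed
    out, or None when the pool can never produce it."""
    for n, pair in enumerate(order, start=1):
        if pair == translated:
            return n
    return None


if __name__ == "__main__":
    for name, fn in (("sequential", sequential), ("round-robin", round_robin)):
        first = islice(fn(ADDRESS_RANGES, PORT_RANGE), 4)
        print(f"{name:12}", " ".join(f"{a}:{p}" for a, p in first))
```

    Both orders hand out the same set of address:port pairs; only the position of each pair in the sequence changes.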

    Subscriber Access Management

    Enhancement to the show services l2tp destination command: The show services l2tp destination command has been extended to display the lockout state of the destination from the LAC. A destination that is reachable is not locked. An unreachable destination is locked out. L2TP makes no further attempts to connect to this destination until the timeout period (300 seconds) expires, unless the unreachable destination is the only destination in the tunnel configuration list. In that case, L2TP ignores the lockout and continues trying to connect to the destination.

    [Subscriber Access]

    Redirecting HTTP redirect requests (MX Series routers): Enables support for HTTP traffic requests from subscribers to be aggregated from access networks onto a BRAS router, where HTTP traffic can be intercepted and redirected to a captive portal. A captive portal provides authentication and authorization services for redirected subscribers before granting access to protected servers outside of a walled garden. A walled garden defines a group of servers where access is provided to subscribers without reauthorization through a captive portal. You can use a captive portal page as the initial page a subscriber sees after logging in to a subscriber session and as a page used to receive and manage HTTP requests to unauthorized Web resources. An HTTP redirect remote server that resides in a walled garden behind Junos OS routers processes HTTP requests redirected to it and responds with a redirect URL to a captive portal.

    To configure HTTP redirect, include the captive-portal-content-delivery statement at the [edit services] hierarchy level.

    [Subscriber Access]

    Filter support for service packet counting: You can count service packets, applying them to a specific named counter (__junos-dyn-service-counter), for use by RADIUS. To enable service packet accounting, specify the service-accounting action at the [edit firewall family family-name filter filter-name term term-name then] hierarchy level.

    [Policy Framework, Subscriber Access]

    Support for domain maps that apply configuration options based on subscriber domain names (MX Series and M Series routers): You use domain maps to apply access options and session-specific parameters to subscribers whose domain name corresponds to the domain map name. You can also create a default domain map that the router uses for subscribers whose username does not include a domain name or has a non-matching domain name.

    Domain maps apply subscriber-related characteristics such as profiles (access,

    dynamic, and tunnel), target and AAA logical system mapping, address pool usage,

    and PADN routing information.

    You configure domain maps at the [edit access domain] hierarchy level.

    [Subscriber Access]

    L2TP LAC support for subscriber management (MX Series routers): You can now configure an L2TP access concentrator (LAC) on MPC-equipped MX Series routers.

    As part of the new L2TP LAC support, you can configure how the router selects a tunnel for a PPP subscriber from among a set of available tunnels. The default tunnel selection method is to fail over between tunnel preference levels. When a PPP user tries to log in to a domain, the router attempts to connect to a destination in that domain by means of the associated tunnel with the highest preference level. If the destination is unreachable, the router then moves to the next lower preference level and repeats the process. No configuration is required for this tunnel selection method.

    You can include the fail-over-within-preference statement at the [edit services l2tp] hierarchy level to configure tunnel selection failover within a preference level. With this method, when the router tries to connect to a destination and is unsuccessful, it selects a new destination at the same preference level. If all destinations at a preference level are marked as unreachable, the router does not attempt to connect to a destination at that level. It drops to the next lower preference level to select a destination. If all destinations at all preference levels are marked as unreachable, the router chooses the destination that failed first and tries to make a connection. If the connection fails, the router rejects the PPP user session without attempting to contact the remote router.

    By default, the router uses a round-robin selection process among tunnels at the same preference level. Include the weighted-load-balancing statement at the [edit services l2tp] hierarchy level to specify that the tunnel with the highest weight within a preference is selected until its maximum sessions limit is reached. Then the

    tunnel with the next highest weight is selected until its limit is reached, and so on. The

    tunnel with the highest configured maximum sessions value has the greatest weight.

    Another feature of L2TP LACs on MX Series routers is the ability to control whether the LAC sends the Calling Number AVP 22 to the LNS. The AVP value is derived from the Calling-Station-Id and identifies the interface that is connected to the customer in the access network. By default, the LAC includes this AVP in ICRQ packets it sends to the LNS. In some networks you may wish to conceal your network access information. To prevent the LAC from sending the Calling Number AVP to the LNS, include the disable-calling-number-avp statement at the [edit services l2tp] hierarchy level.

    [Subscriber Access]

    Support for dynamic interface sets (M120, M320, and MX Series routers): Enables you to configure sets of subscriber interfaces in dynamic profiles. Interface sets are used for providing hierarchical scheduling. Previously, interface sets were supported for interfaces configured in the static hierarchies only.

    Supported subscriber interfaces include static and dynamic demux, static and dynamic PPPoE, and static and dynamic VLAN interfaces.

    To configure an interface set in a dynamic profile, include the interface-set interface-set-name statement at the [edit dynamic-profiles interfaces] hierarchy level. To add a subscriber interface to the set, include the interface interface-name unit logical-unit-number statement at the [edit dynamic-profiles interfaces interface-set interface-set-name] hierarchy level. You apply traffic shaping and scheduling parameters to the interface-set by including the interface-set interface-set-name and output-traffic-control-profile profile-name statements at the static [edit class-of-service interfaces] hierarchy level.

    A new Juniper Networks VSA (attribute 26-130) is now supported for the interface set name, and includes a predefined variable, $junos-interface-set-name. The VSA is supported for RADIUS Access-Accept messages only; change of authorization (CoA) requests are not supported.

    [Subscriber Access]

    Support for service session accounting statistics (MX Series routers): You can now capture accounting statistics for subscriber service sessions. Subscriber management supports service session accounting based on service activation and deactivation, as well as interim accounting. Time-based accounting is supported for all service sessions. Time and volume-based accounting is supported for classic firewall filter and fast update firewall filter service sessions only.

    To provide volume service accounting, the well-known accounting counter (junos-dyn-service-counter) must also be configured for the classic firewall filter and fast update firewall filter service. You define the counter at the [edit firewall family family filter filter term term then] hierarchy level.

    The following VSAs (vendor ID 4874) are used for service accounting:

    Attribute Number   Attribute Name                  Description                                                            Value
    26-69              Service-Statistics              Enable or disable statistics for the service.                          0 = disable; 1 = enable time statistics; 2 = enable time and volume statistics
    26-83              Acct-Service-Session            Name of the service.                                                   string: service-name
    26-140             Service-Interim-Acct-Interval   Amount of time between interim accounting updates for this service.    range = 600-86400 seconds; 0 = disabled

    [Subscriber Access]
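
    A strict decoder for the three service-accounting VSAs in the table, as an added example (not Juniper code): it walks the RFC 2865 Vendor-Specific layout for vendor ID 4874 and rejects malformed lengths and values outside those the table lists. The 4-octet integer encoding, the helper names and the sample service name svc-gold are assumptions.

```python
import struct

VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific attribute type
VENDOR_ID = 4874       # vendor ID given in the text


def _interval_ok(v):
    # Table: 0 = disabled, otherwise 600 to 86400 seconds.
    return v == 0 or 600 <= v <= 86400


# vendor type -> (name, encoding, validator), following the table above.
# Assumption: numeric values use the RFC 2865 4-octet big-endian integer
# encoding; the table lists values, not wire encodings.
VSA_TABLE = {
    69: ("Service-Statistics", "integer", lambda v: v in (0, 1, 2)),
    83: ("Acct-Service-Session", "string", lambda s: len(s) > 0),
    140: ("Service-Interim-Acct-Interval", "integer", _interval_ok),
}


def _tlvs(data, what):
    """Yield (type, value) for each type/length/value item, checking lengths."""
    i = 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError(f"truncated {what} header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError(f"bad length {length} in {what} {t}")
        yield t, data[i + 2:i + length]
        i += length


def parse_service_vsas(attrs):
    """Return {name: value} for the service-accounting VSAs found in a RADIUS
    attribute list; raise ValueError on malformed or out-of-range data."""
    out = {}
    for a_type, body in _tlvs(attrs, "attribute"):
        if a_type != VENDOR_SPECIFIC:
            continue
        if len(body) < 4:
            raise ValueError("Vendor-Specific attribute lacks a Vendor-Id")
        if struct.unpack("!I", body[:4])[0] != VENDOR_ID:
            continue  # another vendor's attribute
        for v_type, raw in _tlvs(body[4:], "vendor sub-attribute"):
            if v_type not in VSA_TABLE:
                continue
            name, kind, valid = VSA_TABLE[v_type]
            if kind == "integer":
                if len(raw) != 4:
                    raise ValueError(f"{name}: expected 4 octets, got {len(raw)}")
                value = struct.unpack("!I", raw)[0]
            else:
                value = raw.decode("utf-8")
            if not valid(value):
                raise ValueError(f"{name}: {value!r} is outside the documented values")
            out[name] = value
    return out


def build_vsa(v_type, raw):
    """Encode one Vendor-Specific attribute (used for the constructed sample)."""
    sub = bytes([v_type, len(raw) + 2]) + raw
    return bytes([VENDOR_SPECIFIC, len(sub) + 6]) + struct.pack("!I", VENDOR_ID) + sub


# Constructed sample, not captured traffic: a hypothetical service "svc-gold"
# with time and volume statistics and a 900-second interim interval.
SAMPLE = (build_vsa(83, b"svc-gold")
          + build_vsa(69, struct.pack("!I", 2))
          + build_vsa(140, struct.pack("!I", 900)))

if __name__ == "__main__":
    print(parse_service_vsas(SAMPLE))
```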

    Subscriber secure policy traffic mirroring supported for L2TP sessions on the LAC (MX Series routers): The L2TP access concentrator (LAC) implementation supports RADIUS-initiated per-subscriber traffic mirroring. Both subscriber ingress traffic (from the subscriber into the tunnel) and subscriber egress traffic (from the tunnel to the subscriber) are mirrored at the (subscriber-facing) ingress interface on the LAC. The ingress traffic is mirrored after PPPoE decapsulation and before L2TP encapsulation. The egress traffic is mirrored after L2TP decapsulation. The mirrored packet includes the complete HDLC frame sent to the LNS.

    [Subscriber Access]

    Support for static and dynamic CoS on L2TP LAC subscriber interfaces (M120, M320, and MX Series routers): Enables you to configure static and dynamic CoS for L2TP access concentrator (LAC) tunnels that transport PPP subscribers at Layer 2 and Layer 3 of the network.

    IP and L2TP headers are added to packets arriving at the LAC from a subscriber before being tunneled to the L2TP network server (LNS). Classifiers and rewrite-rules enable you to properly transfer the type-of-service (ToS) value or the 802.1p value from the inner IP header to the outer IP header of the L2TP packet.

    For ingress tunnels, you configure fixed or behavior aggregate (BA) classifiers for the

    PPP interface or an underlying VLAN interface at Layer 2. You can configure Layer 3

    classifiers for a family of PPP interfaces. Layer 2 and Layer 3 classifiers can co-exist

    for a PPP subscriber.

    For example, to classify incoming packets for a PPP subscriber, include the classifier type classifier-name statement at the [edit class-of-service interfaces pp0 unit logical-unit-number] hierarchy level or at the [edit dynamic-profiles class-of-service interfaces pp0 unit logical-unit-number] hierarchy level.

    On egress tunnels, you configure rewrite rules to set the ToS or 802.1p value of the

    outer