Juniper JUNOS OS 10.4 - RELEASE NOTES REV 5 Release Note
  1. Manuals
  2. Brands
  3. Juniper Manuals
  4. Software
  5. JUNOS OS 10.4 - RELEASE NOTES REV 5
  6. Release note
Juniper JUNOS OS 10.4 - RELEASE NOTES REV 5 Release Note

Juniper JUNOS OS 10.4 - RELEASE NOTES REV 5 Release Note

Hide thumbs Also See for JUNOS OS 10.4 - RELEASE NOTES REV 5:
Table of Contents

Advertisement

Quick Links

Download this manual
®
Junos
OS 10.4 Release Notes
Release 10.4R1
04 February 2011
Revision 5
Contents
Copyright © 2011, Juniper Networks, Inc.
These release notes accompany Release 10.4R1 of the Junos operating system (Junos
OS). They describe device documentation and known problems with the software. Junos
OS runs on all Juniper Networks M Series, MX Series, and T Series routing platforms, SRX
Series Services Gateways, J Series Services Routers, and EX Series Ethernet Switches.
You can also find these release notes on the Juniper Networks Junos OS Documentation
Web page, which is located at
Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Class of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Interfaces and Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Junos OS XML API and Scripting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Layer 2 Ethernet Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
MPLS Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
MX Series . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Routing Policy and Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Services Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Subscriber Access Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
System Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Series, MX Series, and T Series Routers . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Class of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Forwarding and Sampling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Interfaces and Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Junos OS XML API and Scripting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
MPLS Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Platform and Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
http://www.juniper.net/techpubs/software/junos
.
1

Advertisement

Table of Contents
loading
Need help?

Need help?

Do you have a question about the JUNOS OS 10.4 - RELEASE NOTES REV 5 and is the answer not in the manual?

Questions and answers

Related Manuals for Juniper JUNOS OS 10.4 - RELEASE NOTES REV 5

Summary of Contents for Juniper JUNOS OS 10.4 - RELEASE NOTES REV 5

  • Page 1: Table Of Contents

    OS). They describe device documentation and known problems with the software. Junos OS runs on all Juniper Networks M Series, MX Series, and T Series routing platforms, SRX Series Services Gateways, J Series Services Routers, and EX Series Ethernet Switches.
  • Page 2 Downgrade from Release 10.4 ....... . . 86 Junos OS Release Notes for Juniper Networks SRX Series Services Gateways and J Series Services Routers .
  • Page 3 Wireless LAN (WLAN) ........151 Copyright © 2011, Juniper Networks, Inc.
  • Page 4 Spanning Tree Protocols ........194 Copyright © 2011, Juniper Networks, Inc.
  • Page 5 Revision History ........... 209 Copyright © 2011, Juniper Networks, Inc.

  • Page 6: Junos Os Release Notes For Juniper Networks M Series Multiservice Edge Routers, Mx Series Ethernet Service Routers, And T Series Core Routers

    JUNOS OS 10.4 Release Notes Junos OS Release Notes for Juniper Networks M Series Multiservice Edge Routers, MX Series Ethernet Service Routers, and T Series Core Routers New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 6 Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX...

  • Page 7: Interfaces And Chassis

    On MX80 routers and MX Series routers, MPCs based on G.8261 and G.8262. This feature does not work on the fixed configuration version of the MX80 routers. All Ethernet type ports are supported on MX80 routers and MX Series routers with MPCs Copyright © 2011, Juniper Networks, Inc.
  • Page 8 Once you diagnose and fix the cause of all fabric planes going down, you must then bring the SIBs back online. Bringing the SIBs back online brings up the interfaces. Copyright © 2011, Juniper Networks, Inc.
  • Page 9 New subscriber homes are allocated IPv6 addresses and IPv6-capable equipment; DS-Lite provides a method for the private IPv4 addresses behind the IPv6 equipment to reach the IPv4 network. An IPv4 host communicates with a NAT endpoint Copyright © 2011, Juniper Networks, Inc.
  • Page 10 IQ2 and IQ2E PIC interfaces report the total statistics for the IPv6 traffic. For other interfaces, the transit statistics are reported. IQ2 and IQ2E PIC interfaces report all IPv6 traffic received on the logical interface. For all other interfaces, only the routed traffic is accounted. Copyright © 2011, Juniper Networks, Inc.
  • Page 11 SA multicast mode, for proprietary connection of two Juniper Networks 100-Gigabit Ethernet PICs, uses the Ethernet header SA MAC address multicast bit to steer the packets to the appropriate PFE. VLAN steering mode allows the PIC to connect to non-Juniper Networks equipment.
  • Page 12 10-Gigabit Ethernet PIC with oversubscription. Deleting this configuration results in the control queue feature being re-enabled on all the ports of that PIC. [edit chassis] fpc 2 { pic 0 { no-pre-classifier; Copyright © 2011, Juniper Networks, Inc.

  • Page 13: Junos Os Xml Api And Scripting

    Table 1: Junos OS XML Tag Elements and CLI Command Equivalents New in Junos OS Release 10.4 Request Tag Element CLI Command Response Tag Element <request- request dhcpv6 server reconfigure NONE dhcpv6-server- reconfigure-information>request_dhcpv6_ server_reconfigure_information <request-license-update> request system license update NONE request_license_update <request-package-nonstop-upgrade> request system software nonstop-upgrade NONE request_package_nonstop_upgrade Copyright © 2011, Juniper Networks, Inc.
  • Page 14 <get-mpls-cspf-information> show mpls context-identifier <mpls-context-identifier- information> get_mpls_cspf_information <get-authentication-pending-table> show network-access domain- map statistics <domain-map-statistics> get_authentication_pending_table <get-ospf-database-information> show ospf context-identifier <ospf-context-id-information> get_ospf_database_information <get-rps-power-supply-information> show redundant-power-supply led <rps-led-information> get_rps_power_supply_information <get-rps-status-information> show redundant-power-supply power-supply <rps-power-supply-information> get_rps_status_information Copyright © 2011, Juniper Networks, Inc.
  • Page 15 <service-fwnat-flow-table- sfw_flow_analysis_ information> information> get_service_sfw_flow_analysi s_information <get_service_sfw_ show services softwire statistics <service-softwire-statistics-information> flow_table_information> get_service_sfw_flow_table_i nformation <get_service_sfw_sip_register- show services stateful-firewall flow-analysis <service-sfw-flow-analysis-information> information> get_service_sfw_sip_register_i nformation <get_synchronous_ethernet_esmc-statistics> show synchronous-ethernet esmc statistics <clock-synchronization- statistics> get_synchronous_ethernet_esmc-statistics Copyright © 2011, Juniper Networks, Inc.

  • Page 16: Layer 2 Ethernet Services

    CLI configurations for this enhancement. In-service software upgrade (unified ISSU) is supported for tag next hops for MPLS on services PIC traffic, but no support is provided for tags over IPv6 packets or labels on multiple gateways. [MPLS] Copyright © 2011, Juniper Networks, Inc.

  • Page 17: Multicast

    BFD session failure action for LDP LSPs (including ECMP) RSVP Graceful Restart interop with Cisco using Nodal Hello support Failure action on BFD session down of RSVP LSPs in JUNOS RSVP transit L3VPN testing using RSVP NSR: RSVP ingress BFD via LDP Copyright © 2011, Juniper Networks, Inc.
  • Page 18 Support to commit configuration from op/event scripts Per PFE per packet load balancing Next Hop Handling Enhancements (Phase 3) Support local-as alias hidden command MIB Enhancements for Manual Bypass Tunnel Management ISIS LFA Improve IGMPv3 performance using bulk updates Copyright © 2011, Juniper Networks, Inc.

  • Page 19: Routing Policy And Firewall Filters

    SNMP server. This allows you to more quickly and easily scan the logs for potential issues on active OSPF interfaces. To disable and stop receiving notifications for state changes in a passive OSPF interface, include the statement at the following hierarchy levels: no-interface-state-traps Copyright © 2011, Juniper Networks, Inc.
  • Page 20 To disable attribute set messages, include independent-domain no-attrset statement at the following hierarchy levels: edit logical-systems logical-system-name routing-instances routing-instance-name routing-options autonomous-system autonomous-system edit routing-instances routing-instance-name routing-options autonomous-system autonomous-system [Routing Protocols] Copyright © 2011, Juniper Networks, Inc.

  • Page 21: Services Applications

    PIC-based sampling configurations. This capability is supported on M Series, MX Series, and T Series routers and applies only to IPv4 and IPv6 traffic. It is enabled only at the global instance hierarchy level and is Copyright © 2011, Juniper Networks, Inc.
  • Page 22 For pic-number adaptive-services service-package extension-provider] the Services SDK, package-name in the package package-name statement is jservices-rpm user@host# show chassis fpc 1 { pic 2 { adaptive-services { service-package { extension-provider { control-cores 1; Copyright © 2011, Juniper Networks, Inc.
  • Page 23 To configure this option, include the input-parameters-instance statement at the instance-name [edit forwarding-options port-mirror instance hierarchy level. instance-name] You can also now configure port mirroring to next-hop groups using a tunnel interface. [Services Interfaces] Copyright © 2011, Juniper Networks, Inc.
  • Page 24 Multiservice interface. To check the configuration, use the show configuration services stateful-firewall command. To show the run time (dynamic state) information on the interface, use the command. show services sessions Copyright © 2011, Juniper Networks, Inc.

  • Page 25: Subscriber Access Management

    If the destination is unreachable, the router then moves to the next lower preference level and repeats the process. No configuration is required for this tunnel selection method. Copyright © 2011, Juniper Networks, Inc.
  • Page 26 [edit class-of-service hierarchy level. interfaces] A new Juniper Networks VSA (attribute 26-130) is now supported for the interface set name, and includes a predefined variable, . The VSA is $junos-interface-set-name supported for RADIUS Access-Accept messages only; change of authorization (CoA) requests are not supported.
  • Page 27 L2TP network server (LNS). Classifiers and rewrite-rules enable you to properly transfer the type-of-service (ToS) value or the 802.1p value from the inner IP header to the outer IP header of the L2TP packet. Copyright © 2011, Juniper Networks, Inc.
  • Page 28 Include the preference number remote-gateway statement to configure the LNS address. address server-ip-address You can optionally configure the remaining tunnel attributes. Include the remote-gateway name server-name statement to configure the LNS hostname. Include Copyright © 2011, Juniper Networks, Inc.
  • Page 29 Tunnel-Link-Reject, and the Tunnel-Link-Stop packets (LAC only). Tunnel-Client-Auth-Id Name used by the tunnel initiator during the authentication phase of tunnel establishment. Tunnel-Server-Auth-Id Name used by the tunnel terminator during the authentication phase of tunnel establishment. Copyright © 2011, Juniper Networks, Inc.
  • Page 30 (such as accept or discard). The ADF rule also specifies the filter direction, and can optionally provide traffic class and policer information. The router supports ADF rules for family types inet and inet6. Copyright © 2011, Juniper Networks, Inc.
  • Page 31 ACK, the client is bound and the ACK is forwarded to the client. If the server responds with a NAK, the database entry is deleted and the NAK is forwarded to the client. This behavior occurs regardless of whether authentication is configured. Copyright © 2011, Juniper Networks, Inc.
  • Page 32 NOTE: In this release, Layer 2 wholesaling supports the use of only the default logical system using multiple routing instances. The Juniper Networks Layer 2 wholesale solution is similar to the Layer 3 wholesale solution in many ways. However, when configuring the Juniper Networks Layer 2...
  • Page 33 $junos-vlan-map-id dynamic variable. Include the statement at the output-vlan-map [edit dynamic-profiles profile-name interface “$junos-interface-ifd-name” unit $junos-interface-unit] hierarchy level and specify the action that you want the output VLAN map to take. See the Network Copyright © 2011, Juniper Networks, Inc.
  • Page 34 NOTE: This encapsulation type can support multiple TPIDs and does not have a VLAN ID limitation. Specify the option for the statement for any retailer routing vpls instance-type instances you plan to use at the [edit routing-instances instance-name] hierarchy level. Copyright © 2011, Juniper Networks, Inc.

  • Page 35: System Logging

    System Logging New and deprecated system log tags—The following system log messages are new in this release: ASP_SFW_DELETE_FLOW CHASSISD_FM_FABRIC_DOWN CHASSISD_FPC_FABRIC_DOWN_REBOOT CHASSISD_FRU_INTEROP_UNSUPPORTED CHASSISD_RE_CONSOLE_FE_STORM RPD_AMT_CFG_ADDR_FMLY_INVALID RPD_AMT_CFG_ANYCAST_INVALID RPD_AMT_CFG_ANYCAST_MCAST RPD_AMT_CFG_LOC_ADDR_INVALID RPD_AMT_CFG_LOC_ADDR_MCAST RPD_AMT_CFG_PREFIX_LEN_SHORT RPD_AMT_CFG_RELAY_INVALID RPD_BGP_CFG_ADDR_INVALID RPD_BGP_CFG_LOCAL_ASNUM_WARN RPD_CFG_TRACE_FILE_MISSING RPD_LDP_GR_CFG_IGNORED RPD_MC_CFG_FWDCACHE_CONFLICT Copyright © 2011, Juniper Networks, Inc.

  • Page 36: Vpns

    T Series routers—Layer 3 VPN composite next hops can now be enabled on T Series routers with Enhanced Scaling FPCs by including the l3vpn-composite-nexthop statement at the [edit routing options] [edit logical-systems logical-system-name Copyright © 2011, Juniper Networks, Inc.
  • Page 37 PE routers to repair the connection within tens of milliseconds. An egress protection LSP addresses the problem of when a link failure occurs at the edge of the network (for example, a link failure between a PE router and a CE device). Copyright © 2011, Juniper Networks, Inc.
  • Page 38 Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX Documentation Series, and T Series Routers on page 39 Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 51 Copyright © 2011, Juniper Networks, Inc.

  • Page 39: Changes In Default Behavior And Syntax In Junos Os Release 10.4 For M Series, Mx Series, And T Series Routers

    TLV events transmitted since the OAM layer was reset and displays the number of errored frames detected since the OAM layer was reset. Copyright © 2011, Juniper Networks, Inc.
  • Page 40 IMA Group state : NE: Firmware Error IMA Link state : Line: Firmware Error The customer must contact JTAC for a PIC firmware upgrade to proceed with IMA. [Interfaces Command Reference, System Log Messages Reference] Copyright © 2011, Juniper Networks, Inc.
  • Page 41 [edit services ipsec-vpn ike proposal proposal-name] To configure 2048-bit encryption for an IPSec policy, include the keys group14 option at the ] hierarchy [edit services ipsec-vpn ipsec policy policy-name perfect-forward-secrecy level. Copyright © 2011, Juniper Networks, Inc.

  • Page 42: Junos Os Xml Api And Scripting

    If the inherit interface-ranges attributes are included in the <get-configuration> tag and the client application requests Junos XML-tagged output (the format="xml" attribute is included or the attribute is omitted), the Junos XML protocol server format Copyright © 2011, Juniper Networks, Inc.

  • Page 43: Mpls Application

    [edit protocols rsvp] revertive mode as specified in RFC 4090, Fast Reroute Extensions to RSVP-TE for LSP). RSVP local revertive mode is supported on all Juniper Networks routers running the Junos OS software by default. If you configure the no-local-reversion statement, the Juniper Networks router uses global revertive mode instead.

  • Page 44: Platform And Infrastructure

    RPD_PIM_NBRUP system log messages have been updated to include the name of the routing instance. This enhancement is also applicable to Junos OS Release 10.0R4, 10.1R4, 10.2R2, and 10.3R1. The following sample shows the enhanced PIM system log Copyright © 2011, Juniper Networks, Inc.

  • Page 45: Services Applications

    The following is a sample of the section of the output showing inactivity notifications on the root termination: ROOT Notify Total Wildcard Success Error ocp/mg_overloaded it/ito 1404 1404 [Border Gateway Function (BGF), System Basics and Services Command Reference] Copyright © 2011, Juniper Networks, Inc.
  • Page 46 Explicit source filtering has not been applied by use of gm/saf. Explicit latching has not been applied by use of ipnapt/latch. [Border Gateway Function (BGF), Services Interfaces] Copyright © 2011, Juniper Networks, Inc.

  • Page 47: Subscriber Access Management

    [Subscriber Access] Required pppoe-options subhierarchy for configuring static and dynamic PPPoE interfaces (M120, M320, MX Series routers)—When you configure a static or dynamic (PPPoE) logical interface, you must include the subhierarchy in the pppoe-options Copyright © 2011, Juniper Networks, Inc.
  • Page 48 Ethernet interface, pppoe-options represented by the predefined dynamic variable, and the $junos-underlying-interface server statement. For example: [edit] dynamic-profiles { pppoe-profile { interfaces { pp0 { unit "$junos-interface-unit" { pppoe-options { underlying-interface "$junos-underlying-interface"; server; Copyright © 2011, Juniper Networks, Inc.

  • Page 49: User Interface And Configuration

    By default, the Junos OS disables the processing of IPv4-mapped IPv6 packets to protect against malicious packets from entering the network. To enable the processing of such IPv4-mapped IPv6 packets, include the statement in the CLI configuration. allow-v4mapped-packets [System Basics] Copyright © 2011, Juniper Networks, Inc.

  • Page 50: Vpns

    Destination class usage (DCU) is not supported when the is configured. vrf-table-label [VPNs, Network Interfaces] Related New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers Documentation on page 6 Copyright © 2011, Juniper Networks, Inc.

  • Page 51: Issues In Junos Os Release 10.4 For M Series, Mx Series, And T Series Routers

    When the Rx power level is a negative value, the SFP diagnostics output displays an invalid receiver power level reading. [PR/235771] Upon a link up event, old packets from the previous link down are still dequeued. This leads to huge latency reports. [PR/515842] Copyright © 2011, Juniper Networks, Inc.
  • Page 52 [PR/558046] Under certain conditions, both the primary and the secondary sections of the interface might get disabled. To recover from this condition, deactivate and activate the interface configuration. [PR/559656] Copyright © 2011, Juniper Networks, Inc.
  • Page 53 An NTP server might not reply to clients with a source address that is explicitly configured. [PR/540430] The IPv6 BGP neighbors might not come back to the up state when an FPC associated with that session is manually taken offline, removed, and re-inserted. [PR/552376] Copyright © 2011, Juniper Networks, Inc.
  • Page 54 PIC with SFP+ might overwrite the DSCP value coming from the Routing Engine for a host generated traffic. [PR/575259] When a core-facing DPC is restarted, the message "mcsn: cannot perform nh operation ADDANDGET nhop (null) type indirect index 0 errno 22" appears. A trigger also moves Copyright © 2011, Juniper Networks, Inc.
  • Page 55 (transmit rate) parameters which are supported for the schedulers configuration. Use these parameters using the CLI. [PR/495947] Warning messages related to pending commits are not triggered when the following operations are performed: Software->Upload Copyright © 2011, Juniper Networks, Inc.
  • Page 56 Resolved Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers Class of Service On T Series routers, when the class of service scheduling or queueing parameters on an interface with a high traffic utilization (close to the line rate or oversubscribed) is Copyright © 2011, Juniper Networks, Inc.
  • Page 57 This data is small in size and does not contain any SOP or EOP information. This data consumes some D4P buffer memory. The D4P buffer does not remove this data until more data comes into the buffer. Periodic health check reports the following status: Copyright © 2011, Juniper Networks, Inc.
  • Page 58 [PR/571270: This issue has been resolved.] On any Junos OS device that supports Ethernet OAM, the cfmd process might crash when a malformed delay measurement message (DMM) is received. [PR/571673: This issue has been resolved.] Copyright © 2011, Juniper Networks, Inc.
  • Page 59 "jtree memory free using incorrect value 8 correct 0" message is displayed for all DPCs. [PR/562719: This issue has been resolved.] On standalone routers with GRES enabled (using the set chassis redundancy command), or on multichassis platforms (TX and TXP routers), graceful-switchover Copyright © 2011, Juniper Networks, Inc.
  • Page 60 On a 3D MPC, the load balance might be broken when a BGP multipath is configured. [PR/557099: This issue has been resolved.] On M Series, MX Series, and T Series routers, the Virtual Router Redundancy Protocol (VRRP) process might become unresponsive when processing is delegated to the Copyright © 2011, Juniper Networks, Inc.
  • Page 61 This issue has been resolved.] Under certain circumstances, processing of links with maximum metric set by IS-IS shortest path first (SPF) computation algorithm might lead to suboptimal routing decisions. [PR/569649: This issue has been resolved.] Copyright © 2011, Juniper Networks, Inc.
  • Page 62 In local-switched l2circuit scenario, the control and forwarding plane might not be properly updated by the routing protocol process when one of the logical interfaces forming an l2ckt is down. [PR/572780: This issue has been resolved.] Copyright © 2011, Juniper Networks, Inc.

  • Page 63: Previous Releases

    Port mirroring does not work under the bridge-domain forwarding-option filter. [PR/529272: This issue has been resolved.] The policer counter might be missing in the SNMP walk. Reboot the router to solve this problem. [PR/535715: This issue has been resolved.] Copyright © 2011, Juniper Networks, Inc.
  • Page 64 When a SIB is taken offline via a CLI command, the output of the show chassis sibs command does not display the message “Offlined by cli command.” However, this message is correctly displayed for the FPCs. [PR/519842: This issue has been resolved.] Copyright © 2011, Juniper Networks, Inc.
  • Page 65 RDI-L alarm. As a workaround, when both sonet-options options are configured, flap the trigger as well. raise-rdi-on-rei trigger sonet-options [PR/540745: This issue has been resolved.] Copyright © 2011, Juniper Networks, Inc.
  • Page 66 On MX960 routers with PWR-MX960-4100-AC PEMs (high capacity AC PEMs), the MPCs and DPCs do not power up when the system boots with only HC-AC PEM2,PEM3 being switched on, and PEM0,PEM1 being present but switched off. [PR/562125] Copyright © 2011, Juniper Networks, Inc.
  • Page 67 Maximum AvgBW Utilization field displays a value that is much higher than the actual bandwidth. [PR/550289: This issue has been resolved.] Copyright © 2011, Juniper Networks, Inc.
  • Page 68 [PR/524294: This issue has been resolved.] When VPLS is configured on the router, the following log messages will appear when the interface goes down: RT-HAL,rt_entry_delete_msg_proc,XXX: route add posthandler failed Copyright © 2011, Juniper Networks, Inc.
  • Page 69 AE interface in an ECMP path is taken down, small packet drops might occur in the traffic on the other ECMP link. This issue does not occur when an indirect next hop is used. [PR/545166: This issue has been resolved.] Copyright © 2011, Juniper Networks, Inc.
  • Page 70 TLV. [PR/533680: This issue has been resolved.] The routing protocol process might crash due to an invalid prefix-length value in one of the flow-spec routes. [PR/534757: This issue has been resolved.] Copyright © 2011, Juniper Networks, Inc.
  • Page 71 In Junos OS Release 10.0 and later, the routing instance name is restricted to 63 characters. [PR/533882: This issue has been resolved.] The BGP_IPV4_NEXT_HOP field on the jflow v9 record matches the originator ID instead of the BGP next hop. [PR/534598: This issue has been resolved.] Copyright © 2011, Juniper Networks, Inc.
  • Page 72 If a VPN routing and forwarding (VRF) instance contains a static route that is resolved via a route that is auto-exported from another routing instance, the static route may not be removed when the physical interface goes down. [PR/531540: This issue has been resolved.] Copyright © 2011, Juniper Networks, Inc.

  • Page 73: Errata And Changes In Documentation For Junos Os Release 10.4 For M Series, Mx Series, And T Series Routers

    Hardware documentation for MX Series 3D Universal Edge Routers: http: / / www . j u ni p er . n et/techpubs/ en_US/ rel e ase-i n dependent/j u nos/i n formati o n-products/ pathway-pages/ mx-seri e s/ Copyright © 2011, Juniper Networks, Inc.
  • Page 74 The configuration examples are applicable to Junos OS Release 10.2 and later. The Junos OS Layer 2 Configuration Guide provides an overview of the Layer 2 functions supported on Juniper Networks routers, including configuring bridge domains, MAC addresses and VLAN learning and forwarding, and spanning-tree protocols. It also details the routing instance types used by Layer 2 applications.

  • Page 75: Errata

    This configuration interoperates only between Juniper Networks routers running Junos OS Release 8.2 or earlier. This configuration does not interoperate with other network equipment, including a Juniper Networks router running Junos OS Release 8.3 or later, unless it is also configured with the same use-null-cw statement.
  • Page 76 [edit dynamic-profiles access-profile protocols igmp interface $junos-interface-name] user@host# set version $junos-igmp-version The Subscriber Access Configuration Guide and the System Basics Configuration Guide contain information about the statement. This statement override-nas-information does not appear in the CLI and is not supported. Copyright © 2011, Juniper Networks, Inc.
  • Page 77 [Subscriber Access] In the Subscriber Access Configuration Guide, the Juniper Networks VSAs Supported by the AAA Service Framework topic and the Specifying an Address Pool in a Domain Map topic incorrectly indicate that VSA 26-2 (Local-Address-Pool) is supported. Subscriber management does not support this VSA.

  • Page 78: Upgrade And Downgrade Instructions For Junos Os Release 10.4 For M Series, Mx Series, And T Series Routers

    When upgrading or downgrading the Junos OS, always use the jinstall package. Use other packages (such as the package) only when so instructed by a Juniper Networks jbundle support representative. For information about the contents of the package and jinstall details of the installation process, see the Junos OS Installation and Upgrade Guide.
  • Page 79 (the only exceptions are the juniper.conf files) might be removed. To preserve the stored files, copy them to another system before upgrading or downgrading the routing platform. For more information, see the Junos OS System Basics Configuration Guide. Copyright © 2011, Juniper Networks, Inc.
  • Page 80 If you are not familiar with the download and installation process, follow these steps: Using a Web browser, follow the links to the download URL on the Juniper Networks Web page. Choose either Canada and U.S. Version or Worldwide Version: (customers in the United https://www.juniper.net/support/csc/swdist-domestic/...

  • Page 81: Upgrading A Router With Redundant Routing Engines

    VPN loopback address is used for reverse path forwarding (RPF) route resolution to create the reverse path tree (RPT), or multicast tunnel. The multicast VPN loopback address is also used as the source address in outgoing PIM control messages. Copyright © 2011, Juniper Networks, Inc.
  • Page 82 Juniper Networks routers and the other vendors’ routers. This configuration should be on Juniper Networks routers and on the other vendors’ routers where you configured the lo0.mvpn address in each VRF instance as the same address as the main loopback (lo0.0) address.

  • Page 83: Upgrading The Software For A Routing Matrix

    | match routing command For a routing matrix with a TX Matrix Plus router, the SFC contains two model RE-DUO-C2600-16G Routing Engines, and each LCC contains two model RE-DUO-C1800-8G Routing Engines. Copyright © 2011, Juniper Networks, Inc.

  • Page 84: Upgrading Using Issu

    PIM only, so that you can activate incompatible PIM features and continue to use NSR for the other protocols on the router: the nonstop-routing disable statement at the [edit hierarchy level. (Note that this statement disables NSR for all PIM features, protocols pim] not only incompatible features.) Copyright © 2011, Juniper Networks, Inc.

  • Page 85: Upgrade Policy For Junos Os Extended End-Of-Life Releases

    10.4. Similarly, you can downgrade directly from Junos OS Release 10.4 to either 10.0 or 9.3. To downgrade from release 10.4 to 8.5, you first need to downgrade to 10.0 or 9.3, and then perform a second downgrade to Release 8.5. Copyright © 2011, Juniper Networks, Inc.

  • Page 86: Downgrade From Release 10.4

    Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 51 Errata and Changes in Documentation for Junos OS Software Release 10.4 for M Series, MX Series, and T Series Routers on page 73 Copyright © 2011, Juniper Networks, Inc.

  • Page 87: Junos Os Release Notes For Juniper Networks Srx Series Services Gateways And J Series Services Routers

    Junos OS Release Notes for Juniper Networks SRX Series Services Gateways and J Series Services Routers Junos OS Release Notes for Juniper Networks SRX Series Services Gateways and J Series Services Routers Powered by Junos OS, Juniper Networks SRX Series Services Gateways provide robust networking and security services.

  • Page 88: Software Features

    Web management URL. Three other wizards in the J-Web interface enable you to configure basic firewall policies, basic IPsec VPN settings, and basic NAT settings. Copyright © 2011, Juniper Networks, Inc.
  • Page 89 The new log structure is as follows: <67>1 2009-08-18T19:47:23.191 srx5800-00 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.26 attack-name="SYN flood Src-IP based!" source-address="112.0.0.110" source-port="80" destination-address="111.0.0.113" destination-port="3033" source-zone-name="mobiles" interface-name="reth1.112" action="alarm-without-drop"] [Junos OS Security Configuration Guide] Copyright © 2011, Juniper Networks, Inc.
  • Page 90 SRX Series MGW is not required to register to it. To do so could cause complications. For example, the peer call server could drop the registration message “silently,” that is, without informing the Copyright © 2011, Juniper Networks, Inc.
  • Page 91 RTP packets and direct them to a higher priority queue in order to achieve better voice quality when packet traffic is congested. Juniper Networks devices provide classification, priority queuing, and other kinds of class-of-service (CoS) configuration under the CoS configuration hierarchy.
  • Page 92 This feature is supported when the SRX Series SCS is in control. Under normal conditions when it is reachable, the peer call server provides this service if it is supported. [Junos OS Integrated Convergence Services Configuration and Administration Guide] Copyright © 2011, Juniper Networks, Inc.
  • Page 93 NOTE: IKE is not supported in a custom VR (virtual router). The IKE gateway external interface must reside in the default virtual router (inet.0). Manual key management Transit traffic Self-traffic VPN monitoring Hub-and-spoke VPNs Encapsulating Security Payload (ESP) protocol Authentication Header (AH) protocol Copyright © 2011, Juniper Networks, Inc.
  • Page 94 J Series devices. MIBs are not used in the IPv6 flow. IPv6 security is available to avoid impact on the existing IPv4 system. If IPv6 security is enabled, extended sessions and gates are allocated. The existing address fields and Copyright © 2011, Juniper Networks, Inc.
  • Page 95 Host inbound and outbound traffic—IPv6 advanced flow supports all route and management protocols running on the Routing Engine, including OSPF v3, RIPng, Telnet, and SSH. Note that flow label is not used in the flow. Tunnel traffic—IPv6 advanced flow supports the following tunnel types: Copyright © 2011, Juniper Networks, Inc.
  • Page 96 IPv4 packet, and transmits it across the softwire. The SC receives an IPv4 packet in the IPv6 softwire packet and decapsulates the IPv6 software packet to retrieve the inner IPv4 packet. Multiple SIs can have the same SC as the endpoint of the softwires. Copyright © 2011, Juniper Networks, Inc.
  • Page 97 [Junos OS CLI Reference, Junos OS Interfaces Configuration Guide for Security Devices, Junos OS Security Configuration Guide] FTP ALG for routing—This feature is supported on all SRX Series and J Series devices. Copyright © 2011, Juniper Networks, Inc.
  • Page 98 Translates an ICMPv4 error message to an ICMPv6 error message and translates its embedded IPv4 packet to an IPv6 packet Translates an ICMPv6 error message to an ICMPv4 error message and translates its embedded IPv6 packet to an IPv4 packet Copyright © 2011, Juniper Networks, Inc.
  • Page 99 In IPv6 multicast flow, a mulitcast router has the following three roles: Designated router Intermediate router Rendezvous point [Junos OS Class of Service Configuration Guide] NAT—This feature is supported on all SRX Series and J Series devices. Copyright © 2011, Juniper Networks, Inc.
  • Page 100 Note that you can now use the host inbound traffic configuration to permit traffic from the following IPv6-related services and protocols: DHCPv6, neighbor discovery (ND) protocol, OSPF3, and RIPng. [Junos OS Security Configuration Guide] Copyright © 2011, Juniper Networks, Inc.
  • Page 101 Port colors change to indicate the port link status. For example, the port lights steadily green when the port is up and red when the port is down. Displays Help tips when your hover the mouse over a port. Copyright © 2011, Juniper Networks, Inc.
  • Page 102 MAC limit does not apply to static MACs. User can configure any number of static MACs independent of MAC limit and all of them will be added to FDB. [Layer 2 Bridging and Switching Configuration Guide ] Copyright © 2011, Juniper Networks, Inc.
  • Page 103 The only features supported on a virtual channel are queuing, packet scheduling, and accounting. Rewrite rules and routing protocols apply to the entire logical interface. [LN1000 Mobile Secure Router User Guide] Copyright © 2011, Juniper Networks, Inc.
  • Page 104 When event activity occurs, you can quickly drill down to detailed information about the specific item. In Junos OS Release 10.4, on-box reporting capabilities include: Real-time threat event monitoring Dynamic visuals for quick threat identification, tracking, and analysis Copyright © 2011, Juniper Networks, Inc.
  • Page 105 USB flash drive into the USB port of the SRX Series device and performing a few simple steps. NOTE: USB upgrades are not supported on chassis clusters. Copyright © 2011, Juniper Networks, Inc.
  • Page 106 Each proposal set consists of two or more predefined proposals. The server selects one predefined proposal from the set configured and pushes it to the client in the client configuration. The client uses this proposal in negotiations with the server to establish the connection. Copyright © 2011, Juniper Networks, Inc.
  • Page 107 Assigns attributes such as wins server and name-server address. Updates the associated client entry in the session database. Note: For client applications that rely on a RADIUS or other external server for authentication, AUTHD might not assign IP addresses. Copyright © 2011, Juniper Networks, Inc.
  • Page 108 The shared-ike-id and group-ike-id allow you to configure VPN once for multiple users. All users connecting through a shared-ike-id configuration use the same IKE ID and preshared key. The user credentials are verified in the extended authentication (XAuth) Copyright © 2011, Juniper Networks, Inc.

  • Page 109: Hardware Features-Srx210, Srx220, And Srx240 Services

    This Mini-PIM can be used in copper and optical environments to provide maximum flexibility when upgrading from an existing infrastructure to Metro Ethernet. This Mini-PIM is supported on the following devices: SRX210 Services Gateway SRX220 Services Gateway SRX240 Services Gateway Copyright © 2011, Juniper Networks, Inc.

  • Page 110: Gateways

    Hardware Features—SRX220 Services Gateway with Power Over Ethernet Overview The Juniper Networks SRX220 Services Gateway with Power over Ethernet (PoE) offers complete functionality and flexibility for delivering secure, reliable data over IP, along with multiple interfaces that support WAN and LAN connectivity.
  • Page 111 For more details on the SRX220 Services Gateway software features and licenses, see the Junos OS Administration Guide for Security Devices. Hardware Interfaces Table 4 on page 112 summarizes the interface ports supported on the SRX220 Services Gateway. Copyright © 2011, Juniper Networks, Inc.
  • Page 112 Uses an RJ-45 serial cable connector To provide the console interface Supports the RS-232 (EIA-232) To function as a management port to standard log into a device directly To configure the device using the CLI Copyright © 2011, Juniper Networks, Inc.

  • Page 113: Hardware Features-Srx1400 Services Gateway

    NOTE: We strongly recommend that only transceivers provided by Juniper Networks be used on an SRX220 Services Gateway. We cannot guarantee that the interface module will operate correctly if third-party transceivers are used. Contact Juniper Networks for the correct transceiver part number for your device. Hardware Features—SRX1400 Services Gateway...
  • Page 114 The SRX1400 Services Gateway allows two power supplies for redundancy. The following types of power supplies are supported: AC power supply (for AC-powered devices) DC power supply (for DC-powered devices) Ethernet port (10/100/1000 Mbps) Console port Universal Serial Bus (USB) ports Copyright © 2011, Juniper Networks, Inc.
  • Page 115 2.4 lb (1.1 kg) Fan tray weight 2.93 lb (1.33 kg) Air filter weight 0.11 lb (0.054 kg) DC power supply weight 2.9 lb (1.3 kg) AC power supply weight 3.1 lb (1.4 kg) Copyright © 2011, Juniper Networks, Inc.

  • Page 116: Hardware Features-Srx3400 And Srx3600 Services Gateways

    1 IOCs 2 IOCs 1 IOC 0 IOCs supported In the SRX3600 Services Gateway, the supported SPC, NPC, and IOC configurations are the same for both the standard and the enhanced DC power supply. Copyright © 2011, Juniper Networks, Inc.

  • Page 117: Advertising Bandwidth For Neighbors On A Broadcast Link Support

    VPN. Cisco GET VPN members and Juniper Group VPN members can interoperate as long as the server role is played by a Cisco GET VPN server, Juniper Networks security devices are group members, and with the following caveats: The group VPN in Release 10.4 of Junos OS has been tested with Cisco GET VPN servers running Version 12.4(22)T and Version 12.4(24)T.

  • Page 118: Changes In Default Behavior And Syntax In Junos Os Release 10.4 For Srx Series Services Gateways And J Series Services Routers

    According to Cisco documentation, the Cisco GET VPN server triggers rekeys 90 seconds before a key expires and the Cisco GET VPN member triggers rekeys 60 seconds before a key expires. When interacting with a Cisco GET VPN server, a Juniper Networks security device member would match Cisco behavior.

  • Page 119: Application Identification

    —Uninstall from your configuration all custom application definitions customer-defined that you created, but maintain the predefined application definition package. predefined —(Default) Uninstall from your configuration the predefined application definition package, but maintain all custom application definitions that you have created. Copyright © 2011, Juniper Networks, Inc.

  • Page 120: Application Layer Gateways (Algs)

    | display set | match order command. You will need to change the order number of the custom signature if it conflicts with another application signature. Copyright © 2011, Juniper Networks, Inc.

  • Page 121: Command-Line Interface (Cli)

    1 Channel 1 2 Channel 2 3 Channel 3 4 Channel 4 5 Channel 5 6 Channel 6 7 Channel 7 8 Channel 8 9 Channel 9 10 Channel 10 11 Channel 11 12 Channel 12 Copyright © 2011, Juniper Networks, Inc.
  • Page 122 Radio Frequency -a an Radio Frequency -an [edit] Example 2: user@host# set wlan access-point mav0 radio 2 radio-options mode ? Possible completions: 2.4GHz Radio Frequency --2.4GHz-n bg Radio Frequency -bg bgn Radio Frequency -bgn Copyright © 2011, Juniper Networks, Inc.

  • Page 123: Configuration

    24M /config s3f 342M /var s4a 30M recovery Configuration J Series devices no longer allow a configuration in which a tunnel's source or destination address falls under the subnet of the same logical interface’s address. Copyright © 2011, Juniper Networks, Inc.

  • Page 124: Dynamic Vpn

    Copyright © 2011, Juniper Networks, Inc.
  • Page 125 Junos OS Release 10.4 to 9.6 and earlier releases. Rename lsq-0/0/0 ls-0/0/0 in all its occurrences. Remove from the hierarchy level and from fragmentation-map [class-of-service] , if configured. [class-of-service interfaces lsq-0/0/0] Copyright © 2011, Juniper Networks, Inc.

  • Page 126: Installation

    DHCP client on the interface and remains in the DHCP client mode. In previous releases, after a certain period, the interface changed from being a DHCP client to a DHCP server. Copyright © 2011, Juniper Networks, Inc.

  • Page 127: Intrusion Detection And Prevention (Idp)

    When no attack is seen within the 60-second period and the BFQ entry is flushed out, the match count starts afresh, and the new attack match shows up in the attack table, and the log is generated as explained above. Copyright © 2011, Juniper Networks, Inc.

  • Page 128: J-Web

    To disable J-Web, the administrator must configure a loopback interface of for HTTP or HTTPS. This ensures that the webserver rejects all J-Web access requests. web-management { traceoptions { level all; flag dynamic-vpn; flag all; Copyright © 2011, Juniper Networks, Inc.
  • Page 129 VPN login Not Found page dynamic VPN login dynamic VPN is page page configured. Case 2: J-Web and dynamic VPN do share the same interface. Scenario http(s)://server http(s)://server http(s)://server host host//configured attribute host//dynamic-vpn Copyright © 2011, Juniper Networks, Inc.

  • Page 130: Management And Administration

    By default, only the internal CompactFlash is enabled, and an option to take a snapshot of the configuration from the internal CompactFlash to the external compact flash is not supported. This can be done only by using a USB storage device. Copyright © 2011, Juniper Networks, Inc.

  • Page 131: Multilink

    S3 priority high Configure the following scheduler map set class-of-service scheduler-maps lsqlink_map forwarding-class best-effort scheduler set class-of-service scheduler-maps lsqlink_map forwarding-class assured-forwarding scheduler S2 set class-of-service scheduler-maps lsqlink_map forwarding-class network-control scheduler S3 Copyright © 2011, Juniper Networks, Inc.

  • Page 132: Power Over Ethernet (Poe)

    Table 9: VLAN IDs Reserved for Internal Use VLAN IDs Reservations SRX100 SRX210 SRX220 SRX240 SRX650 3968-4047 ——— ——— ——— Reserved Reserved 4093 Reserved Reserved Reserved Reserved Reserved 4094 Reserved* Reserved* Reserved* Reserved* Reserved* Copyright © 2011, Juniper Networks, Inc.

  • Page 133: Wireless Lan (Wlan)

    CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message. set chassis craft-lockout set chassis routing-engine on-disk-failure Copyright © 2011, Juniper Networks, Inc.

  • Page 134: Class-Of-Service Hierarchy

    CLI editor, they appear to succeed and do not display an error message. Aggregated Interface CLI on page 135 ATM Interface CLI on page 135 Ethernet Interfaces on page 136 GRE Interface CLI on page 136 IP Interface CLI on page 137 Copyright © 2011, Juniper Networks, Inc.
  • Page 135 0 compression-device set interfaces at-1/0/0 unit 0 epd-threshold set interfaces at-1/0/0 unit 0 inverse-arp set interfaces at-1/0/0 unit 0 layer2-policer set interfaces at-1/0/0 unit 0 multicast-vci set interfaces at-1/0/0 unit 0 multipoint Copyright © 2011, Juniper Networks, Inc.
  • Page 136 The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message. set interfaces gr-0/0/0 unit 0 ppp-options set interfaces gr-0/0/0 unit 0 layer2-policer Copyright © 2011, Juniper Networks, Inc.
  • Page 137 T1 Interface CLI The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message. set interfaces t1-1/0/0 receive-bucket Copyright © 2011, Juniper Networks, Inc.

  • Page 138: Protocols Hierarchy

    However, if you enter these commands in the CLI editor, they will appear to succeed and will not display an error message. set protocols bfd no-issu-timer-negotiation set protocols bgp idle-after-switch-over Copyright © 2011, Juniper Networks, Inc.

  • Page 139: Routing Hierarchy

    SNMP hierarchy CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message. set snmp community 90 logical-system set snmp logical-system-trap-filter set snmp trap-options logical-system set snmp trap-group d1 logical-system Copyright © 2011, Juniper Networks, Inc.

  • Page 140: System Hierarchy

    Copyright © 2011, Juniper Networks, Inc.
  • Page 141 Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 152 Errata and Changes in Documentation for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 172 Copyright © 2011, Juniper Networks, Inc.

  • Page 142: Known Limitations In Junos Os Release 10.4 For Srx Series Services Gateways And J Series Services Routers

    On SRX Series device failover, access points on the Layer 2 switch reboot and all wireless clients lose connectivity for 4-6 minutes. On VDSL mini-PIM, chassis cluster is not supported for VDSL mode. Queuing on aggregated Ethernet interface is not supported. (ae) Copyright © 2011, Juniper Networks, Inc.

  • Page 143: Command-Line Interface (Cli)

    For SRX240 devices: six CLI users and five J-Web users On SRX210 devices with Integrated Convergence Services, TDM configuration change might interrupt existing TDM calls. The voice calls do not work. Run the CLI restart rtmd command after making a configuration change. Copyright © 2011, Juniper Networks, Inc.

  • Page 144: Docsis Mini-Pim

    On J Series devices, even when forwarding options are set to drop packets for the ISO protocol family, the device forms End System-to-Intermediate System (ES-IS) adjacencies and transmits packets because ES-IS packets are Layer 2 terminating packets. Copyright © 2011, Juniper Networks, Inc.

  • Page 145: Hardware

    In the packet processor on an IOC, the maximum number of terms of all simple filters is 4000. In the packet processor on an IOC, the maximum number of policers is 4000. Copyright © 2011, Juniper Networks, Inc.

  • Page 146: Interfaces And Routing

    On SRX240 High Memory devices, traffic might stop between SRX240 device and CISCO switch due to link mode mismatch. As a workaround, Juniper Networks recommends setting auto-negotiation parameters on both ends to the same value. On SRX100 devices, the link goes down when you upgrade FPGA on 1xGE SFP. As a...
  • Page 147 On SRX100, SRX210, SRX240 and SRX650 devices, on the Level 3 interface, the following features are not supported: Encapsulations (such as CCC, VLAN CCC, VPLS, and PPPOE) on Level 3 interfaces J-Web Level 3 for 10-Gigabit Ethernet Copyright © 2011, Juniper Networks, Inc.

  • Page 148: Intrusion Detection And Prevention (Idp)

    3.0 and below 3.5. NOTE: Other browser versions might not provide access to J-Web and only English-version browsers are supported. OS: Microsoft Windows XP Service Pack 3 SRX Series and J Series browser compatibility Copyright © 2011, Juniper Networks, Inc.

  • Page 149: Netscreen-Remote

    Table 10 on page 150. The limitation on the number of destination-rule-set and static-rule-set has been increased. Table 10 on page 150 provides the requirements per device to increase the configuration limitation as well as scale the capacity for each device. Copyright © 2011, Juniper Networks, Inc.

  • Page 150: Point-To-Point Protocol Over Ethernet (Pppoe)

    On SRX100, SRX210, SRX240, and SRX650 devices, CoA is not supported with 802.1x. On SRX100, SRX210, SRX240 and SRX650 devices, on the routed VLAN interface, the following features are not supported: IPv6 (family inet6) ISIS (family ISO) Copyright © 2011, Juniper Networks, Inc.

  • Page 151: Unified Threat Management (Utm)

    However, you can only configure and manage the maximum number of access points. Related New Features in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Documentation Services Routers on page 87 Copyright © 2011, Juniper Networks, Inc.

  • Page 152: Issues In Junos Os Release 10.4 For Srx Series Services Gateways And J Series Services Routers

    On SRX3400, SRX3600, SRX5600, and SRX5800 devices, 8-queue configurations are not reflected on the chassis cluster interface. [PR/389451] On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the functionality is iflset not supported for aggregated interfaces like . [PR/391377] reth Copyright © 2011, Juniper Networks, Inc.
  • Page 153 One node is primary; the other node is secondary. Both nodes have nonzero priority values unless a monitored interface is down. Use the command to verify that the PIC status is show chassis fpc pic-status Online Copyright © 2011, Juniper Networks, Inc.
  • Page 154 On J Series devices with a CoS configuration, when you try to delete all the flow sessions using the clear security flow session command, the WXC application acceleration platform might fail over with heavy traffic. [PR/273843] Copyright © 2011, Juniper Networks, Inc.
  • Page 155 On SRX Series devices, configuring the flow filter with the flag might result in traces that are not related to the configured filter. As a workaround, use the flow trace flag with the command basic set security flow traceoptions flag Copyright © 2011, Juniper Networks, Inc.
  • Page 156 IP address, application, and trap name, but the username is missing. [PR/439314] On SRX5800 devices, for any network processing bundle configuration change to take effect, a reboot is needed. Currently there is no message displayed after a bundle configuration change. [PR/441546] Copyright © 2011, Juniper Networks, Inc.
  • Page 157 On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the input packets and bytes counter shows random values both in traffic statistics and IPv6 transit statistics, when VLAN tagging is added or removed from the IPv6 address configured interface. [PR/489171] Copyright © 2011, Juniper Networks, Inc.
  • Page 158 On SRX240 devices, the combinations of Mini-PIMs cause SFP-copper links to go down in some instances during bootup, restarting fwdd, and restarting chassisd. As a workaround, reboot the device and the link will be up. [PR/437788] Copyright © 2011, Juniper Networks, Inc.
  • Page 159 SNMP does not provide support for survivable call server (SRX Series SCS) statistics. [PR/456454] On SRX210 devices with voice capability, SIP trunking or FXS trunking calls do not work if the called party supports only the G729AB/G711-Mu-law codec. [PR/504135] Copyright © 2011, Juniper Networks, Inc.
  • Page 160 Configure nonstop active routing (NSR) and Layer 2 circuit standby simultaneously and commit them Delete the NSR configuration and then add the configuration back when both the NSR and the Layer 2 circuits are up Copyright © 2011, Juniper Networks, Inc.
  • Page 161 On SRX650 devices, in the 2-port 10G XPIM, when the interface is linked with fiber, the activity LED does not blink when traffic enters the interface. However, the activity LED blinks properly when traffic goes out of the interface. [PR/513961] Copyright © 2011, Juniper Networks, Inc.
  • Page 162 SPC. This is primarily because of the watchdog timer expiration. The IDP function takes a long time to decrypt the session when you use a 4096-bit key. Copyright © 2011, Juniper Networks, Inc.
  • Page 163 (AS) and mask length. The AS or mask length values of cflowd packets show while sampling the packet on the virtual router interface. [PR/419563] Copyright © 2011, Juniper Networks, Inc.
  • Page 164 NAT wizard is not pushed to the CLI configuration. As a workaround, use the CLI. [PR/547630] On SRX100, SRX210, SRX220, and SRX240 devices, wizards take more time to commit the configuration setup and to load the page. [PR/548530] Copyright © 2011, Juniper Networks, Inc.
  • Page 165 [PR/504932] On SRX5600 devices, only network addresses are allowed in IPv6 NAT configuration from Junos OS Release 10.3 onward. This is enforced in commit check. [PR/545330] Copyright © 2011, Juniper Networks, Inc.
  • Page 166 Essentially, for each protected application server, you have to configure a single application-level DDoS rule. [PR/467326] Copyright © 2011, Juniper Networks, Inc.
  • Page 167 On SRX650 devices, when express AV is enabled, traffic from the server and client are buffered at the device. Sometimes, the buffer resource runs out because the traffic arrives faster than the buffer resource are released and results in the device detecting Copyright © 2011, Juniper Networks, Inc.
  • Page 168 Link Layer Discovery Protocol (LLDP) Protocol Data Units (PDUs) from neighbors. [PR/485845] For SRX210 High Memory devices, during configuration of access and trunk ports, the individual VLANs from the vlan-range are not listed. [PR/489872] Copyright © 2011, Juniper Networks, Inc.

  • Page 169: Resolved Issues In Junos Os Release 10.4 For Srx Series Services Gateways And J Series Services Routers

    The following are the issues that have been resolved since Junos OS Release 10.4R1 for Juniper Networks SRX Series Services Gateways and J Series Services Routers. The identifier following the descriptions is the tracking number in the Juniper Networks Problem Report (PR) tracking system.
  • Page 170 [PR/454996: This issue has been resolved.] On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the show datapath-debug counter command gave error messages from the secondary node. [PR/477017: This issue has been resolved.] Copyright © 2011, Juniper Networks, Inc.
  • Page 171 [PR/514771: This issue has been resolved.] On SRX220 devices, you could not edit the physical properties of a LAN interface in J-Web without entering the MAC address. [PR/519818: This issue has been resolved.] Copyright © 2011, Juniper Networks, Inc.

  • Page 172: Errata And Changes In Documentation For Junos Os Release 10.4 For Srx Series Services Gateways And J Series Services Routers

    Single Commit on J-Web The following information pertains to SRX Series devices: For all J-Web procedures, follow these instructions to commit a configuration: If Commit Preference is Validate and commit configuration changes , click OK. Copyright © 2011, Juniper Networks, Inc.

  • Page 173: Errata For The Junos Os Documentation

    Junos OS flow-based routing functionality Low-impact cluster upgrade (ISSU light) Multicast routing Redundancy group 0 (backup for Routing Engine) Redundancy groups 1 through 128 Redundant Ethernet interfaces Redundant Ethernet interface link aggregation groups (LAGs) Copyright © 2011, Juniper Networks, Inc.
  • Page 174 SRX5600 and SRX5800 Services Gateways MIB Reference incorrectly state the downloadable version of the Real-Time Media (RTM) and SIP Common MIBs. The correct URLs are as follows: RTM MIB— http://www.juniper.net/techpubs/en_US/junos10.4/topics/ reference/mibs/mib-jnx-rtm.txt SIP Common MIB— http://www.juniper.net/techpubs/en_US/ Copyright © 2011, Juniper Networks, Inc.
  • Page 175 UDP: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC] Other: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC] Session Statistics: [ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0] Policy Name: sample Running Detector Version: 10.4.160091104 Copyright © 2011, Juniper Networks, Inc.
  • Page 176 The ADSL2+ and ADSL2+ Annex M upstream values given in the Junos OS Interfaces Configuration Guide for Security Devices are displayed incorrectly. The correct values are as follows: Table 16: Standard Bandwidths of DSL Operating Modes Operating Modes Upstream Values ADSL2+ 1—1.5 Mbps Copyright © 2011, Juniper Networks, Inc.
  • Page 177 SRX Series devices when in fact they are not supported on SRX3400, SRX3600, SRX5600, and SRX5800 devices: [edit security flow aging early-ageout] [edit security flow aging high-watermark] [edit security flow aging low-watermark Copyright © 2011, Juniper Networks, Inc.
  • Page 178 Note that when entering a URL with the ?target= option, you must substitute escape characters for any special characters in the URL. Use the following escape characters for these common special characters: Replace with Replace with Replace with Replace with Copyright © 2011, Juniper Networks, Inc.

  • Page 179: Errata For The Junos Os Hardware Documentation

    The Junos OS WLAN Configuration and Administration Guide provides information on AX411 access point clustering. Access point clustering is no longer supported. Errata for the Junos OS Hardware Documentation This section lists outstanding issues with the hardware documentation. Copyright © 2011, Juniper Networks, Inc.
  • Page 180 DC-powered SRX1400 Services Gateways: SRX1400BASE-XGE-DC SRX1400BASE-GE-DC These models are not available in Junos OS Release 10.4. Contact your Juniper Networks customer service representative for information on these models. Fan tray LED table in the “Replacing the Fan Tray on the SRX1400 Services Gateway”...
  • Page 181 DC-powered SRX1400 Services Gateways: SRX1400BASE-GE-DC SRX1400BASE-XGE-DC These models are not available in Junos OS Release 10.4. Contact your Juniper Networks customer service representative for information on these models. In the SRX1400 Services Gateway Getting Started Guide, some of the graphics are shown with grounding lug attached on the front panel of the device.
  • Page 182 In the answer, the sentence "The antenna will have a magnetic mount with ceiling and wall mount kits within the package" is incorrect and redundant. Copyright © 2011, Juniper Networks, Inc.

  • Page 183: Hardware Requirements For Junos Os Release 10.4 For Srx Series Services Gateways And J Series Services Routers

    SRX Series and J Series interface modules. Different transceiver types (long-range, short-range, copper, and others) can be used together on multiport SFP interface modules as long as they are provided by Juniper Networks. We cannot guarantee that the interface module will operate correctly if third-party transceivers are used.

  • Page 184: J Series Compactflash And Memory Requirements

    512 MB 512 MB 2 GB J6350 512 MB 1 GB 2 GB Related New Features in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Documentation Services Routers on page 87 Copyright © 2011, Juniper Networks, Inc.

  • Page 185: Maximizing Alg Sessions

    Integrated Convergence Services is no longer supported. The Media-Gateway (MGW) versions of SRX Series low-end devices have been discontinued and are no longer supported. If you have an ICS-supported SKU, please contact Juniper Networks for further guidance. Copyright © 2011, Juniper Networks, Inc.

  • Page 186: Upgrade And Downgrade Instructions For Junos Os Release 10.4 For Srx Series Services Gateways And J Series Services Routers

    This policy remains unchanged. For more information on EEOL releases and to review a list of EEOL releases, see http://www.juniper.net/support/eol/junos.html Copyright © 2011, Juniper Networks, Inc.

  • Page 187: Junos Os Release Notes For Ex Series Switches

    —The XRE200 External Routing Engine is used to XRE200 External Routing Engine create a Virtual Chassis composed of Juniper Networks EX8200 Ethernet Switches. A Virtual Chassis is multiple switches connected together that operate as a single network entity. The advantages of connecting multiple EX8200 switches into a Virtual Chassis...

  • Page 188: Bridging, Vlans, And Spanning Trees

    Management and RMON —J-Web J-Web interface support for the 40-port SFP+ line card for EX8200 switches interface support has been added for the 40-port SFP+ line card for EX8200 switches. Copyright © 2011, Juniper Networks, Inc.

  • Page 189: Packet Filters

    Beginning in Junos OS Release 10.2, you can configure multiple class-of-service (CoS) rewrite rules for DSCP, IP precedence, and IEEE 802.1p. Rewrite rules are not assigned to interfaces by default, and for rewrites to occur, you must assign a user-defined rewrite Copyright © 2011, Juniper Networks, Inc.

  • Page 190: Limitations In Junos Os Release 10.4 For Ex Series Switches

    When a switch is running Virtual Routing Redundancy Protocol (VRRP) and you enable or disable a large number (on the order of 50 or more) of routed VLAN interfaces (RVIs), the STP topology might change for a short period of time during the commit process. Copyright © 2011, Juniper Networks, Inc.

  • Page 191: Class Of Service

    If you press the reset button on the Switch Fabric and Routing Engine (SRE) module in an EX8208 switch without taking the module offline first (by using the CLI), the fabric planes in the module might not come back online. Copyright © 2011, Juniper Networks, Inc.

  • Page 192: High Availability

    “date: connect: Can't assign requested address”. On EX8208 switches, when a line card that has no interface configurations and is not connected to any device is taken offline using the command request chassis fpc-slot Copyright © 2011, Juniper Networks, Inc.

  • Page 193: Interfaces

    As a workaround, configure a port mirroring analyzer with each port of the VLAN as egress input. The following interface counters are not supported on routed VLAN interfaces (RVIs): local statistics, traffic statistics, and transit statistics. Copyright © 2011, Juniper Networks, Inc.

  • Page 194: J-Web Interface

    FPCs might not come up for more than eight minutes when the Virtual Chassis has a square topology. (This is a topology in which the Routing Engines of member 0 connect to those of member 8, the Routing Engines of member 1 connect to those of Copyright © 2011, Juniper Networks, Inc.

  • Page 195: Outstanding Issues In Junos Os Release 10.4 For Ex Series Switches

    [PR/527117] On EX4500 switches, if you activate and then deactivate a firewall filter configuration, VSTP convergence might not occur properly. As a workaround, restart the Ethernet switching process ( ). [PR/548446] eswd Copyright © 2011, Juniper Networks, Inc.

  • Page 196: Firewall Filters

    A VLAN configured to receive analyzer output can be associated with only one port. [PR/400814] When you use the Microsoft Internet Explorer browser to open a report from the following pages in the J-Web interface, the report opens in the same browser session: Copyright © 2011, Juniper Networks, Inc.
  • Page 197 J-Web interface, the error message “Internet Explorer was not able to open the Internet site” is displayed: Files page (Maintain > Files) History page (Maintain > Config Management > History) Copyright © 2011, Juniper Networks, Inc.

  • Page 198: Layer 2 And Layer 3 Protocols

    RPM probes. Packets are sent and received on the same interface. This problem does not occur if both egress and ingress interfaces are on the same Virtual Chassis member. [PR/578734] Copyright © 2011, Juniper Networks, Inc.

  • Page 199: Management And Rmon

    NOTE: Other software issues that are common to both EX Series switches and M, MX, and T Series routers are listed in “Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers” on page 51. Copyright © 2011, Juniper Networks, Inc.

  • Page 200: Access Control And Port Security

    On EX4200 switches, spurious packets (packets with unsupported fields) arriving at the backup Routing Engine while a GRES operation is in progress can cause a kernel crash ( vmcore ). [PR/546314: This issue has been resolved] Copyright © 2011, Juniper Networks, Inc.

  • Page 201: Interfaces

    On EX Series switches, the configured interface hold time does not work. [PR/537477: This issue has been resolved.] On EX4500 switches, when you are configuring Gigabit Ethernet interfaces from the command-line interface (CLI), automatic command completion does not work. [PR/561565: This issue has been resolved.] Copyright © 2011, Juniper Networks, Inc.

  • Page 202: J-Web Interface

    [PR/562454: This issue has been resolved.] The dashboard in the J-Web interface might not refresh automatically if you navigate back and forth between the Dashboard page and other pages. [PR/566359: This issue has been resolved.] Copyright © 2011, Juniper Networks, Inc.

  • Page 203: Layer 2 And Layer 3 Protocols

    This section lists outstanding issues with the documentation. J-Web Interface To access the J-Web interface, your management device requires the following software: Supported browsers—Microsoft Internet Explorer version 7.0 or Mozilla Firefox version Language support—English-version browsers Copyright © 2011, Juniper Networks, Inc.

  • Page 204: Virtual Chassis

    Download the software package as described in Downloading Software Packages from Juniper Networks (Optional) Back up the current software configuration to a second storage option. See the Junos OS Installation and Upgrade Guide at http://www.juniper.net/techpubs/software/junos/index.html for instructions. Copyright © 2011, Juniper Networks, Inc.

  • Page 205: Upgrade Policy For Junos Os Extended End-Of-Life Releases

    Junos OS Release 8.5 directly to either 9.3 or 10.0. To upgrade from Release 8.5 to 10.4, you first need to upgrade to Junos OS Release 9.3 or 10.0, and then upgrade a second time to 10.4. Similarly, you can downgrade directly from Junos OS Release 10.4 to either Copyright © 2011, Juniper Networks, Inc.

  • Page 206: Upgrading Or Downgrading From Junos Os Release 9.4R1 For Ex Series Switches

    Outstanding Issues in Junos OS Release 10.4 for EX Series Switches on page 195 Resolved Issues in Junos OS Release 10.4 for EX Series Switches on page 199 Errata in Documentation for Junos OS Release 10.4 for EX Series Switches on page 203 Copyright © 2011, Juniper Networks, Inc.

  • Page 207: Junos Os Documentation And Release Notes

    Juniper Networks website at http://www.juniper.net/techpubs/ Juniper Networks supports a technical book program to publish books by Juniper Networks engineers and subject matter experts with book publishers around the world. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration using the Junos operating system (Junos OS) and Juniper Networks devices.
  • Page 208 CLI before contacting support: user@host> request support information | save filename To provide a core file to Juniper Networks for analysis, compress the file with the gzip utility, rename the file to include your company name, and copy it to .

  • Page 209: Revision History

    Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

This manual is also suitable for:

Junos os 10.4

Table of Contents