Juniper JUNOS OS 10.4 - RELEASE NOTES REV 6 Release Note

Junos® OS 10.4 Release Notes
Release 10.4R2
11 February 2011
Revision 6
Copyright © 2011, Juniper Networks, Inc.

These release notes accompany Release 10.4R2 of the Junos operating system (Junos OS). They describe device documentation and known problems with the software. Junos OS runs on all Juniper Networks M Series, MX Series, and T Series routing platforms, SRX Series Services Gateways, J Series Services Routers, and EX Series Ethernet Switches. You can also find these release notes on the Juniper Networks Junos OS Documentation Web page, which is located at http://www.juniper.net/techpubs/software/junos.

Contents

  • Routers (page 6)
  • Class of Service (page 6)
  • Interfaces and Chassis (page 9)
  • Junos OS XML API and Scripting (page 15)
  • Layer 2 Ethernet Services (page 18)
  • MPLS Applications (page 19)
  • Multicast (page 19)
  • MX Series (page 19)
  • Routing Policy and Firewall Filters (page 21)
  • Routing Protocols (page 21)
  • Services Applications (page 23)
  • Subscriber Access Management (page 28)
  • System Logging (page 39)
  • VPNs (page 40)
  • Series, MX Series, and T Series Routers (page 42)
  • Class of Service (page 42)
  • Forwarding and Sampling (page 43)
  • Interfaces and Chassis (page 43)
  • Junos OS XML API and Scripting (page 45)
  • MPLS Application (page 46)
  • Platform and Infrastructure (page 47)
  • Routing Protocols (page 47)

Summary of Contents for Juniper JUNOS OS 10.4 - RELEASE NOTES REV 6

  • Page 1: Table of Contents

    OS). They describe device documentation and known problems with the software. Junos OS runs on all Juniper Networks M Series, MX Series, and T Series routing platforms, SRX Series Services Gateways, J Series Services Routers, and EX Series Ethernet Switches.
  • Page 2 Downgrade from Release 10.4 (page 91); Junos OS Release Notes for Juniper Networks SRX Series Services Gateways and J Series Services Routers
  • Page 3 Wireless LAN (WLAN) (page 157)
  • Page 4 Layer 2 and Layer 3 Protocols (page 201)
  • Page 5 Revision History (page 216)
  • Page 6: Junos OS Release Notes for Juniper Networks M Series Multiservice Edge Routers, MX Series Ethernet Service Routers, and T Series Core Routers

    JUNOS OS 10.4 Release Notes Junos OS Release Notes for Juniper Networks M Series Multiservice Edge Routers, MX Series Ethernet Service Routers, and T Series Core Routers New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 6 Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX...
  • Page 7 To apply the TCP configuration to an FRF.16 bundle (physical) interface, include the output-traffic-control-profile statement at the [edit class-of-service interfaces interface-name] hierarchy level.
  • Page 8 { lsq-0/2/0:0 { output-traffic-control-profile rlsq_tc; scheduler-maps { rlsq { forwarding-class best-effort scheduler rlsq_scheduler; forwarding-class expedited-forwarding scheduler rlsq_scheduler1; schedulers { rlsq_scheduler { transmit-rate percent 20; priority low; rlsq_scheduler1 { transmit-rate percent 40; priority high;
  • Page 9: Interfaces and Chassis

    Series routers with ATM2 PICs automatically copy the parent container interface configuration to the children interfaces. Container interfaces do not go down during APS switchovers, thereby shielding upper layers. This feature allows the various ATM features to work over the container ATM for APS.
  • Page 10 The chassisd daemon traces when an FPC comes online, but a PIC attach is not done because no fabric plane is present. A CLI warning that the FPCs will reboot is issued when the last fabric plane is taken offline.
  • Page 11 (including Strict High), ingress behavior aggregate (BA) classification, queue rate-limit policer, ingress rewrite, egress rewrite, and a forwarding class to queue remapping per DLCI.
  • Page 12 Packet Forwarding Engine/traffic manager drops in the ingress direction. Transit statistics are not accounted separately because the IQ2 and IQ2E PICs cannot differentiate between transit and local statistics.
  • Page 13 SA multicast forwarding-mode mode, for proprietary connection of two Juniper Networks 100-Gigabit Ethernet PICs, uses the Ethernet header SA MAC address multicast bit to steer the packets to the appropriate PFE. VLAN steering mode allows the PIC to connect to non-Juniper Networks equipment.
  • Page 14 However, all control queue counters are reported as zeros. Enabling or disabling the control queue feature results in the PIC being bounced (offline/online).
  • Page 15: Junos OS XML API and Scripting

    New Junos OS XML API operational request tag elements—Table 1 on page 16 shows the Junos OS Extensible Markup Language (XML) operational request tag elements that are new in Junos OS Release 10.4 along with the corresponding CLI command and response tag element for each one.
  • Page 16 <ingress-replication-information> get_interface_information <get-isis-context- show isis context-identifier <isis-context-identifier- information> identifier-origin- information> get_isis_context_ identifier_origin_information <get-isis-database-information> show isis context-identifier identifier <isis-context-identifier-origin-information> get_isis_database_information <get-mpls-cspf-information> show mpls context-identifier <mpls-context-identifier- information> get_mpls_cspf_information <get-authentication-pending-table> show network-access domain- map statistics <domain-map-statistics> get_authentication_pending_table
  • Page 17 <msp-session-table> get_service_softwire_statistics _information <get_service_sfw_ show services softwire <service-softwire-table- information> conversation_ information> get_service_sfw_conversation _information <get_service_ show services softwire flows <service-fwnat-flow-table- sfw_flow_analysis_ information> information> get_service_sfw_flow_analysi s_information <get_service_sfw_ show services softwire statistics <service-softwire-statistics-information> flow_table_information> get_service_sfw_flow_table_i nformation
  • Page 18: Layer 2 Ethernet Services

    Ethernet CFM support on Trio 3D MPCs and MICs (MX Series routers)—Enables support for Ethernet connectivity fault management (CFM) defined by IEEE 802.1ag family bridge interfaces. However, MEP configuration is not supported on aggregated Ethernet interfaces. [Layer 2 Configuration]
  • Page 19: MPLS Applications

    For MPLS, RSVP, and LDP: BFD session failure action for LDP LSPs (including ECMP) RSVP Graceful Restart interop with Cisco using Nodal Hello support Failure action on BFD session down of RSVP LSPs in JUNOS RSVP transit
  • Page 20 Interprovider VPLS Option "E": EBGP redistribution of labeled routes Miscellaneous: Support to commit configuration from op/event scripts Per PFE per packet load balancing Next Hop Handling Enhancements (Phase 3) Support local-as alias hidden command
  • Page 21: Routing Policy and Firewall Filters

    OSPF interfaces. Passive OSPF interfaces advertise address information as an internal OSPF route, but do not run the actual protocol. If you are only interested in receiving notifications for active OSPF interfaces,
  • Page 22 ASs in the routing instance, disable attribute set messages on the independent domain. To disable attribute set messages, include independent-domain no-attrset statement at the following hierarchy levels: edit logical-systems logical-system-name routing-instances routing-instance-name routing-options autonomous-system autonomous-system
  • Page 23: Services Applications

    NOTE: The above two statements cannot be configured together. You can only configure one at a time, but not both. To check that the flows are established properly, use the show services stateful-firewall flows command or the show services stateful-firewall conversations command.
  • Page 24 , and package statements at the [edit chassis fpc slot-number pic pic-number adaptive-services service-package extension-provider] hierarchy level. For the Services SDK, package-name in the package package-name statement is jservices-rpm. user@host# show chassis
  • Page 25 Switch Interface Board (SIB), the next-hop destination for the mirrored packet is available in the packet itself. A port-mirroring instance can now inherit input parameters from another instance that specifies it. To configure this option, include the input-parameters-instance
  • Page 26 JSF Services integration will allow the option of running Junos OS services on services PICs or DPCs in any M Series, MX Series, or T Series routers. Beginning with Junos OS Release 10.4, you can use JSF to run stateful firewall on the specified routers.
  • Page 27 [edit services nat pool pool-name] level. When you use round-robin allocation, one port is allocated from each address in a range before repeating the process for each address in the next range. After ports
  • Page 28: Subscriber Access Management

    HTTP requests to unauthorized Web resources. An HTTP redirect remote server that resides in a walled garden behind Junos OS routers processes HTTP requests redirected to it and responds with a redirect URL to a captive portal.
  • Page 29 [edit services l2tp] within a preference is selected until its maximum sessions limit is reached. Then the
  • Page 30 [edit class-of-service interfaces] hierarchy level. A new Juniper Networks VSA (attribute 26-130) is now supported for the interface set name, and includes a predefined variable, $junos-interface-set-name. The VSA is supported for RADIUS Access-Accept messages only; change of authorization (CoA) requests are not supported.
  • Page 31 On egress tunnels, you configure rewrite rules to set the ToS or 802.1p value of the outer header. For example, to configure a rewrite-rule definition for an interface with
  • Page 32 (LNS). Finally, you can configure a logical system and routing instance for the tunnel by including the logical-system logical-system-name routing-instance routing-instance-name statements.
  • Page 33 Tunnel password in clear text (string: tunnel-password). 26-33 Tunnel-Max-Sessions: maximum number of sessions allowed in a tunnel (integer: 4-octet). 26-64 Tunnel-Group: name of the tunnel group (profile) assigned to a domain map (string: tunnel-group-name).
  • Page 34 To configure ADF support, use the following stanza at the [edit dynamic-profiles profile-name interfaces interface-name unit logical-unit-number family family] hierarchy level: filter { adf { counter; input-precedence precedence; output-precedence precedence; rule rule-value; [Subscriber Access, System Basics and Services Command Reference]
  • Page 35 [edit forwarding-options dhcp-relay overrides group group-name] hierarchy level. To disable automatic binding behavior for a specific interface in a group, include the statement at the [edit forwarding-options dhcp-relay overrides group group-name interface interface-name] hierarchy level.
  • Page 36 NOTE: In this release, Layer 2 wholesaling supports the use of only the default logical system using multiple routing instances. The Juniper Networks Layer 2 wholesale solution is similar to the Layer 3 wholesale solution in many ways. However, when configuring the Juniper Networks Layer 2...
  • Page 37 Specify the unit family as vpls at the [edit dynamic-profiles profile-name interface “$junos-interface-ifd-name” unit $junos-interface-unit family] hierarchy level. Include the flexible-vlan-tagging statement for any interfaces you plan to use at the [edit interfaces interface-name] hierarchy level.
  • Page 38 Define access to your RADIUS server and specify the access profile at the [edit access] hierarchy level. To view the logical system and routing instance for each subscriber, use the show subscriber operational command.
  • Page 39: System Logging

    New and deprecated system log tags—The following system log messages are new in this release: ASP_SFW_DELETE_FLOW CHASSISD_FM_FABRIC_DOWN CHASSISD_FPC_FABRIC_DOWN_REBOOT CHASSISD_FRU_INTEROP_UNSUPPORTED CHASSISD_RE_CONSOLE_FE_STORM RPD_AMT_CFG_ADDR_FMLY_INVALID RPD_AMT_CFG_ANYCAST_INVALID RPD_AMT_CFG_ANYCAST_MCAST RPD_AMT_CFG_LOC_ADDR_INVALID RPD_AMT_CFG_LOC_ADDR_MCAST RPD_AMT_CFG_PREFIX_LEN_SHORT RPD_AMT_CFG_RELAY_INVALID RPD_BGP_CFG_ADDR_INVALID RPD_BGP_CFG_LOCAL_ASNUM_WARN RPD_CFG_TRACE_FILE_MISSING RPD_LDP_GR_CFG_IGNORED RPD_MC_CFG_FWDCACHE_CONFLICT RPD_MC_CFG_PREFIX_LEN_SHORT RPD_MSDP_CFG_SA_LIMITS_CONFLICT RPD_MSDP_CFG_SRC_INVALID RPD_MVPN_CFG_PREFIX_LEN_SHORT RPD_PLCY_CFG_COMMUNITY_FAIL RPD_PLCY_CFG_FWDCLASS_OVERRIDDEN RPD_PLCY_CFG_IFALL_NOMATCH RPD_PLCY_CFG_PARSE_GEN_FAIL
  • Page 40: VPNs

    For example, you can enable this option when you want to support a large number of routes for Layer 3 VPNs implemented using MPLS. However, we recommend enabling this option only if you do not have a very large firewall configuration.
  • Page 41 PE router at the ingress of the Layer 2 circuit, the address of the PE router at the egress of the Layer 2 circuit, and the Layer 2 circuit’s identifier respectively. Configure
  • Page 42: Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

    The first value indicates either the default or the value specified through the max-queues-per-interface statement. Now this is changed to HW supported queues. The first value does not change with respect to the changes to max-queues-per-interface as before. [Class of Service]
  • Page 43: Forwarding and Sampling

    , enables you to clear ITU-T Y.1731 Ethernet frame delay measurement (ETH-DM) delay-statistics and ETH-DM frame counts. Use the maintenance-association maintenance-association-name maintenance-domain maintenance-domain-name options to clear delay-statistics and frame counts for specific maintenance associations
  • Page 44 Network interfaces show command output (All platforms)—The output of the show command now adds a table that shows complete (not interfaces detail extensive truncated) names of the forwarding classes associated with queues. [Network Interfaces]
  • Page 45: Junos OS XML API and Scripting

    The default value for $commit-options is null. Supported options are: check—Check the correctness of the candidate configuration syntax, but do not commit the changes. force-synchronize—Force the commit on the other Routing Engine (ignore any warnings).
  • Page 46: MPLS Application

    RSVP local revertive mode (local revertive mode as specified in RFC 4090, Fast Reroute Extensions to RSVP-TE for LSP). RSVP local revertive mode is supported on all Juniper Networks routers running the Junos OS software by default. If you configure the...
  • Page 47: Platform and Infrastructure

    BGP community entries required for an incoming route to match. This allows you to accept BGP routes based on a specific number of or range of BGP community entries. To configure the number of community entries, specify the
  • Page 48 Jun 15 21:54:43.831533 RPD_PIM_NBRDOWN: Instance PIM.master: PIM neighbor 11.1.1.2 (so-0/1/3.0) removed due to: the interface is purged Jun 15 21:53:28.941198 RPD_PIM_NBRUP: Instance PIM.master: PIM new neighbor 11.1.1.2 interface so-0/1/3.0 [System Log Messages Reference]
  • Page 49: Services Applications

    Summary option for the show services nat mapping command—You can now display summary statistics for Network Address Translation (NAT) mapping by using the show services nat mapping summary command. The following example shows the new output.
  • Page 50 Explicit source filtering has not been applied by use of gm/saf. Explicit latching has not been applied by use of ipnapt/latch. [Border Gateway Function (BGF), Services Interfaces]
  • Page 51: Subscriber Access Management

    [Subscriber Access] Required pppoe-options subhierarchy for configuring static and dynamic PPPoE interfaces (M120, M320, MX Series routers)—When you configure a static or dynamic (PPPoE) logical interface, you must include the pppoe-options subhierarchy in the
  • Page 52 Ethernet interface, pppoe-options represented by the predefined dynamic variable, and the $junos-underlying-interface server statement. For example: [edit] dynamic-profiles { pppoe-profile { interfaces { pp0 { unit "$junos-interface-unit" { pppoe-options { underlying-interface "$junos-underlying-interface"; server;
  • Page 53: User Interface and Configuration

    By default, the Junos OS disables the processing of IPv4-mapped IPv6 packets to protect against malicious packets from entering the network. To enable the processing of such IPv4-mapped IPv6 packets, include the allow-v4mapped-packets statement in the CLI configuration. [System Basics]
  • Page 54: VPNs

    Destination class usage (DCU) is not supported when the vrf-table-label is configured. [VPNs, Network Interfaces] Related Documentation New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 6
  • Page 55: Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

    When the Rx power level is a negative value, the SFP diagnostics output displays an invalid receiver power level reading. [PR/235771] Upon a link up event, old packets from the previous link down are still dequeued. This leads to huge latency reports. [PR/515842]
  • Page 56 [PR/558046] Under certain conditions, both the primary and the secondary sections of the interface might get disabled. To recover from this condition, deactivate and activate the interface configuration. [PR/559656]
  • Page 57 The dynamic auto-sensed VPLS interfaces fail after modifications are made to the routing instance. Before making configuration changes to any routing instance, clear any active logical interfaces that are part of the routing instance using the clear auto-configuration interfaces operational command. Modifying a routing instance
  • Page 58 [PR/561127] The 3D Packet Forwarding Engines might experience a rare transient error that temporarily corrupts one of the lookup engines, resulting in packet loss. A set of messages similar to the following is displayed:
  • Page 59 [PR/433883] Selecting the monitor port for any port in the Chassis Viewer page displays the common Port Monitoring page instead of the corresponding Monitoring page of the selected port. [PR/446890]
  • Page 60 After the "delete:" action is performed, the "replace" actions do not take effect in the "load replace terminal" operation. [PR/556971] The javascript error, "Object Expected" occurs when J-Web pages are navigated before the page loads completely. [PR/567756]
  • Page 61 The Radius Accounting Interim message might not be sent immediately after a Change of Authorization (CoA), even if the CoA is successfully processed and the coa-immediate-update option is present in the configuration. [PR/570058: This issue has been resolved.]
  • Page 62 When a change in the bridge domain membership occurs, and the bridge domain has an IRB interface and a vt-x/y/z interface, the Packet Forwarding Engine that does not have any local interfaces on that bridge domain might restart. [PR/566878: This issue has been resolved.]
  • Page 63 In a Layer 2 circuit setup with a link services intelligent queuing interface (LSQ) in the core, and the control-word option is enabled, a ping between two CE interfaces fails. As a workaround, use the no-control-word option. [PR/551207: This issue has been resolved.]
  • Page 64 [PR/550539: This issue has been resolved.] A rare race condition might cause the routing protocol process to crash when an (s,g)/(*,g) entry is removed. [PR/551949: This issue has been resolved.]
  • Page 65 [PR/565957: This issue has been resolved.] IS-IS might not use the MPLS label-switched paths (LSPs) if the names of the label-switched paths are similar in the first 32 characters. [PR/568093: This issue has been resolved.]
  • Page 66 [PR/570778: This issue has been resolved.] VPNs In MVPN routing-instances with local receivers, a flood next hop is created for each S,G entry for multicast traffic received from the CE. After the local receivers are joined
  • Page 67: Previous Releases

    In Junos OS Release 10.2 and later, the cosd process might crash while a configured commit is processed, as this process accesses a memory location that has already been freed. However, this issue is encountered rarely. [PR/548367: This issue has been resolved.]
  • Page 68 PIC throughput exceeds 152 Mbps, data loss occurs and the following error message is displayed: “[Warning] ce_wp_poll_hspi_stats:2006: PF/Winpath SPI interface error, rx_err_sm 243.” This error message is not seen when encapsulation atm-ccc-vc-mux is used.
  • Page 69 VLAN tagging. [PR/540620: This issue has been resolved.] The link-up time on a 16x 10-Gigabit Ethernet MPC is not less than the other platforms (ADPC and other MPCs) due to the emission dispersion compensation (EDC)
  • Page 70 If the number of VPLS connection exceeds 31, frequent FPC and NPC crashes might occur. [PR/552099] The EOA family configurations over a container ATM interface might be deleted and added again upon every commit (including unrelated commits). [PR/553077: This issue has been resolved.]
  • Page 71 On a P2MP LSP setup, the routing protocol process of the transit router might core when the topology changes with respect to the ingress sub-LSP router. There is no workaround. [PR/549778: This issue has been resolved.]
  • Page 72 On T Series routers, the FPC might continuously reboot upon installation. [PR/510414: This issue has been resolved.] When the system default-router a.b.c.d command is used, the default route is not installed in the Packet Forwarding Engine. [PR/523663: This issue has been resolved.]
  • Page 73 (libstats). This causes the MIB2D process to crash as it reaches its maximum permitted size. [PR/541251: This issue has been resolved.] During router bootup, the error messages: "can't re-use a leaf (nd6_prune)!" and "can't re-use a leaf (nd6_mmaxtries)!" display. [PR/543422: This issue has been resolved.]
  • Page 74 [PR/522605: This issue has been resolved.] For Junos OS Release 9.5 and above, the BGP parse community begins with “0” as the octal value. This behavior is different in earlier releases. [PR/530086: This issue has been resolved.]
  • Page 75 An IS-IS adjacency flap at a precise interval can cause the routing protocol process to restart on a neighbor, as it is in the process of purging the LSAs of the previously down node from the local database. [PR/554233: This issue has been resolved.]
  • Page 76 This issue has been resolved.] When the load set command is used to refresh a script file, the script does not refresh, and exits from the CLI after displaying the rpc-related errors. [PR/555316: This issue has been resolved.]
  • Page 77: Errata and Changes in Documentation for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

    Related links to platform documentation pages are included in the right-hand navigation. The new pages contain all of the content on previous versions of the pages, only the formatting has changed.
  • Page 78 The configuration examples are applicable to Junos OS Release 10.2 and later. The Junos OS Layer 2 Configuration Guide provides an overview of the Layer 2 functions supported on Juniper Networks routers, including configuring bridge domains, MAC addresses and VLAN learning and forwarding, and spanning-tree protocols. It also details the routing instance types used by Layer 2 applications.
  • Page 79: Errata

    However, the chapter does not mention that you can also include the encapsulation atm-ccc-cell-relay statement at the [edit interfaces interface-name unit logical-unit-number] hierarchy level. When you include the statement at the [edit interfaces interface-name unit logical-unit-number] hierarchy level, keep the following points in mind:
  • Page 80 This configuration interoperates only between Juniper Networks routers running Junos OS Release 8.2 or earlier. This configuration does not interoperate with other network equipment, including a Juniper Networks router running Junos OS Release 8.3 or later, unless it is also configured with the same statement.
  • Page 81 ANCP are configured on the same logical interface, and the subscriber VLANs are the same for both ANCP and multicast. [Subscriber Access] The Guidelines for Configuring Dynamic CoS for Subscriber Access topic in the Subscriber Access Configuration Guide erroneously states that dynamic CoS is supported for
  • Page 82 [Subscriber Access] In the Subscriber Access Configuration Guide, the Juniper Networks VSAs Supported by the AAA Service Framework topic and the Specifying an Address Pool in a Domain Map topic incorrectly indicate that VSA 26-2 (Local-Address-Pool) is supported. Subscriber management does not support this VSA.
  • Page 83: Upgrade and Downgrade Instructions for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

    When upgrading or downgrading the Junos OS, always use the jinstall package. Use other packages (such as the jbundle package) only when so instructed by a Juniper Networks support representative. For information about the contents of the jinstall package and details of the installation process, see the Junos OS Installation and Upgrade Guide.
  • Page 84 (the only exceptions are the juniper.conf files) might be removed. To preserve the stored files, copy them to another system before upgrading or downgrading the routing platform. For more information, see the Junos OS System Basics Configuration Guide.
  • Page 85 If you are not familiar with the download and installation process, follow these steps: Using a Web browser, follow the links to the download URL on the Juniper Networks Web page. Choose either Canada and U.S. Version or Worldwide Version: (customers in the United https://www.juniper.net/support/csc/swdist-domestic/...
  • Page 86: Upgrading a Router with Redundant Routing Engines

    VPN loopback address is used for reverse path forwarding (RPF) route resolution to create the reverse path tree (RPT), or multicast tunnel. The multicast VPN loopback address is also used as the source address in outgoing PIM control messages.
  • Page 87 Juniper Networks routers and the other vendors’ routers. This configuration should be on Juniper Networks routers and on the other vendors’ routers where you configured the lo0.mvpn address in each VRF instance as the same address as the main loopback (lo0.0) address.
  • Page 88: Upgrading The Software For A Routing Matrix

    | match routing command For a routing matrix with a TX Matrix Plus router, the SFC contains two model RE-DUO-C2600-16G Routing Engines, and each LCC contains two model RE-DUO-C1800-8G Routing Engines. Copyright © 2011, Juniper Networks, Inc.
  • Page 89: Upgrading Using Issu

    PIM only, so that you can activate incompatible PIM features and continue to use NSR for the other protocols on the router: the nonstop-routing disable statement at the [edit hierarchy level. (Note that this statement disables NSR for all PIM features, protocols pim] not only incompatible features.) Copyright © 2011, Juniper Networks, Inc.
  • Page 90: Upgrade Policy For Junos Os Extended End-Of-Life Releases

    10.4. Similarly, you can downgrade directly from Junos OS Release 10.4 to either 10.0 or 9.3. To downgrade from release 10.4 to 8.5, you first need to downgrade to 10.0 or 9.3, and then perform a second downgrade to Release 8.5.
  • Page 91: Downgrade From Release 10.4

    Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 55 Errata and Changes in Documentation for Junos OS Software Release 10.4 for M Series, MX Series, and T Series Routers on page 77
  • Page 92: Junos Os Release Notes For Juniper Networks Srx Series Services Gateways And J Series Services Routers

    JUNOS OS 10.4 Release Notes Junos OS Release Notes for Juniper Networks SRX Series Services Gateways and J Series Services Routers Powered by Junos OS, Juniper Networks SRX Series Services Gateways provide robust networking and security services. SRX Series Services Gateways range from lower-end devices designed to secure small distributed enterprise locations to high-end devices designed to secure enterprise infrastructure, data centers, and server farms.
  • Page 93: Software Features

    Web management URL. Three other wizards in the J-Web interface enable you to configure basic firewall policies, basic IPsec VPN settings, and basic NAT settings.
  • Page 94 The new log structure is as follows: <67>1 2009-08-18T19:47:23.191 srx5800-00 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.26 attack-name="SYN flood Src-IP based!" source-address="112.0.0.110" source-port="80" destination-address="111.0.0.113" destination-port="3033" source-zone-name="mobiles" interface-name="reth1.112" action="alarm-without-drop"] [Junos OS Security Configuration Guide]
  • Page 95 SRX Series MGW is not required to register to it. To do so could cause complications. For example, the peer call server could drop the registration message “silently,” that is, without informing the
  • Page 96 RTP packets and direct them to a higher priority queue in order to achieve better voice quality when packet traffic is congested. Juniper Networks devices provide classification, priority queuing, and other kinds of class-of-service (CoS) configuration under the CoS configuration hierarchy.
  • Page 97 This feature is supported when the SRX Series SCS is in control. Under normal conditions when it is reachable, the peer call server provides this service if it is supported. [Junos OS Integrated Convergence Services Configuration and Administration Guide]
  • Page 98 NOTE: IKE is not supported in a custom VR (virtual router). The IKE gateway external interface must reside in the default virtual router (inet.0). Manual key management Transit traffic Self-traffic VPN monitoring Hub-and-spoke VPNs Encapsulating Security Payload (ESP) protocol Authentication Header (AH) protocol
  • Page 99 J Series devices. MIBs are not used in the IPv6 flow. IPv6 security is available to avoid impact on the existing IPv4 system. If IPv6 security is enabled, extended sessions and gates are allocated. The existing address fields and
  • Page 100 Host inbound and outbound traffic—IPv6 advanced flow supports all route and management protocols running on the Routing Engine, including OSPF v3, RIPng, Telnet, and SSH. Note that flow label is not used in the flow. Tunnel traffic—IPv6 advanced flow supports the following tunnel types:
  • Page 101 IPv4 packet, and transmits it across the softwire. The SC receives an IPv4 packet in the IPv6 softwire packet and decapsulates the IPv6 softwire packet to retrieve the inner IPv4 packet. Multiple SIs can have the same SC as the endpoint of the softwires.
  • Page 102 [Junos OS CLI Reference, Junos OS Interfaces Configuration Guide for Security Devices, Junos OS Security Configuration Guide] FTP ALG for routing—This feature is supported on all SRX Series and J Series devices.
  • Page 103 Translates an ICMPv4 error message to an ICMPv6 error message and translates its embedded IPv4 packet to an IPv6 packet Translates an ICMPv6 error message to an ICMPv4 error message and translates its embedded IPv6 packet to an IPv4 packet
  • Page 104 In IPv6 multicast flow, a multicast router has the following three roles: Designated router Intermediate router Rendezvous point [Junos OS Class of Service Configuration Guide] NAT—This feature is supported on all SRX Series and J Series devices.
  • Page 105 Note that you can now use the host inbound traffic configuration to permit traffic from the following IPv6-related services and protocols: DHCPv6, neighbor discovery (ND) protocol, OSPF3, and RIPng. [Junos OS Security Configuration Guide]
  • Page 106 Port colors change to indicate the port link status. For example, the port lights steadily green when the port is up and red when the port is down. Displays Help tips when you hover the mouse over a port.
  • Page 107 MAC limiting does not apply to static MACs. Users can configure any number of static MACs independent of the MAC limit, and all of them will be added to FDB. [Junos OS Layer 2 Bridging and Switching Configuration Guide for Security Devices]
  • Page 108 The only features supported on a virtual channel are queuing, packet scheduling, and accounting. Rewrite rules and routing protocols apply to the entire logical interface. [LN1000 Mobile Secure Router User Guide]
  • Page 109 When event activity occurs, you can quickly drill down to detailed information about the specific item. In Junos OS Release 10.4, on-box reporting capabilities include: Real-time threat event monitoring Dynamic visuals for quick threat identification, tracking, and analysis
  • Page 110 USB flash drive into the USB port of the SRX Series device and performing a few simple steps. NOTE: USB upgrades are not supported on chassis clusters.
  • Page 111 To support per-policy TCP options, the following two options are available: sequence-check-required: The sequence-check-required value will override the global value no-sequence-check.
  • Page 112 For IPsec, the server sends the setting that is configured in the IPsec proposal. IKE uses a custom proposal, and IPsec uses a proposal set.
  • Page 113 SRX100, SRX210, SRX240, SRX650, J4350, and J6350 devices. When you configure extended authentication (XAuth), you must enter the username and password, after the Internet Key Exchange (IKE) phase 1 security association (SA) is established. AUTHD verifies the credentials received from you.
  • Page 114 IKE gateway in a dynamic VPN client, a warning message appears. This feature introduces new commands for ike sa and dynamic-vpn and new options in the IKE Gateway Add/Edit page of J-Web.
  • Page 115: Hardware Features-Srx210, Srx220, And Srx240 Services

    Junos Pulse enables secure authenticated network connections to protected resources and services over LANs and WANs. Junos Pulse is a remote access client developed to replace the earlier access client called Juniper Networks Access Manager. You must uninstall Access Manager before you install the Junos Pulse client.
  • Page 116: Gateways

    Hardware Features—SRX220 Services Gateway with Power Over Ethernet Overview The Juniper Networks SRX220 Services Gateway with Power over Ethernet (PoE) offers complete functionality and flexibility for delivering secure, reliable data over IP, along with multiple interfaces that support WAN and LAN connectivity.
  • Page 117 For more details on the SRX220 Services Gateway software features and licenses, see the Junos OS Administration Guide for Security Devices. Hardware Interfaces Table 4 on page 118 summarizes the interface ports supported on the SRX220 Services Gateway.
  • Page 118 Uses an RJ-45 serial cable connector To provide the console interface Supports the RS-232 (EIA-232) To function as a management port to standard log into a device directly To configure the device using the CLI
  • Page 119: Hardware Features-Srx1400 Services Gateway

    NOTE: We strongly recommend that only transceivers provided by Juniper Networks be used on an SRX220 Services Gateway. We cannot guarantee that the interface module will operate correctly if third-party transceivers are used. Contact Juniper Networks for the correct transceiver part number for your device. Hardware Features—SRX1400 Services Gateway...
  • Page 120 The SRX1400 Services Gateway allows two power supplies for redundancy. The following types of power supplies are supported: AC power supply (for AC-powered devices) DC power supply (for DC-powered devices) Ethernet port (10/100/1000 Mbps) Console port Universal Serial Bus (USB) ports
  • Page 121 2.4 lb (1.1 kg) Fan tray weight 2.93 lb (1.33 kg) Air filter weight 0.11 lb (0.054 kg) DC power supply weight 2.9 lb (1.3 kg) AC power supply weight 3.1 lb (1.4 kg)
  • Page 122: Hardware Features-Srx3400 And Srx3600 Services Gateways

    1 IOCs 2 IOCs 1 IOC 0 IOCs supported In the SRX3600 Services Gateway, the supported SPC, NPC, and IOC configurations are the same for both the standard and the enhanced DC power supply.
  • Page 123: Advertising Bandwidth For Neighbors On A Broadcast Link Support

    VPN. Cisco GET VPN members and Juniper Group VPN members can interoperate as long as the server role is played by a Cisco GET VPN server, Juniper Networks security devices are group members, and with the following caveats: The group VPN in Release 10.4 of Junos OS has been tested with Cisco GET VPN servers running Version 12.4(22)T and Version 12.4(24)T.
  • Page 124: Changes In Default Behavior And Syntax In Junos Os Release 10.4 For Srx Series Services Gateways And J Series Services Routers

    According to Cisco documentation, the Cisco GET VPN server triggers rekeys 90 seconds before a key expires and the Cisco GET VPN member triggers rekeys 60 seconds before a key expires. When interacting with a Cisco GET VPN server, a Juniper Networks security device member would match Cisco behavior.
  • Page 125: Application Identification

    customer-defined—Uninstall from your configuration all custom application definitions that you created, but maintain the predefined application definition package. predefined—(Default) Uninstall from your configuration the predefined application definition package, but maintain all custom application definitions that you have created.
  • Page 126: Application Layer Gateways (Algs)

    1000ms and 3 respectively from R10.4 branch platforms. In the prior releases the values for cluster heartbeat interval and threshold defaulted to 2000ms and 8 respectively.
  • Page 127: Command-Line Interface (Cli)

    1 Channel 1 2 Channel 2 3 Channel 3 4 Channel 4 5 Channel 5 6 Channel 6 7 Channel 7 8 Channel 8 9 Channel 9 10 Channel 10 11 Channel 11 12 Channel 12
  • Page 128 Radio Frequency -a an Radio Frequency -an [edit] Example 2: user@host# set wlan access-point mav0 radio 2 radio-options mode ? Possible completions: 2.4GHz Radio Frequency --2.4GHz-n bg Radio Frequency -bg bgn Radio Frequency -bgn
  • Page 129: Configuration

    24M /config s3f 342M /var s4a 30M recovery Configuration J Series devices no longer allow a configuration in which a tunnel's source or destination address falls under the subnet of the same logical interface’s address.
  • Page 130: Dynamic Vpn

  • Page 131 Junos OS Release 10.4 to 9.6 and earlier releases. Rename lsq-0/0/0 to ls-0/0/0 in all its occurrences. Remove fragmentation-map from the [class-of-service] hierarchy level and from [class-of-service interfaces lsq-0/0/0], if configured.
  • Page 132: Installation

    DHCP client on the interface and remains in the DHCP client mode. In previous releases, after a certain period, the interface changed from being a DHCP client to a DHCP server.
  • Page 133: Intrusion Detection And Prevention (Idp)

    When no attack is seen within the 60-second period and the BFQ entry is flushed out, the match count starts afresh, and the new attack match shows up in the attack table, and the log is generated as explained above.
  • Page 134: J-Web

    To disable J-Web, the administrator must configure a loopback interface of for HTTP or HTTPS. This ensures that the webserver rejects all J-Web access requests. web-management { traceoptions { level all; flag dynamic-vpn; flag all;
  • Page 135 VPN login Not Found page dynamic VPN login dynamic VPN is page page configured. Case 2: J-Web and dynamic VPN do share the same interface. Scenario http(s)://server http(s)://server http(s)://server host host//configured attribute host//dynamic-vpn
  • Page 136: Management And Administration

    By default, only the internal CompactFlash is enabled, and an option to take a snapshot of the configuration from the internal CompactFlash to the external compact flash is not supported. This can be done only by using a USB storage device.
  • Page 137: Multilink

    S3 priority high Configure the following scheduler map set class-of-service scheduler-maps lsqlink_map forwarding-class best-effort scheduler set class-of-service scheduler-maps lsqlink_map forwarding-class assured-forwarding scheduler S2 set class-of-service scheduler-maps lsqlink_map forwarding-class network-control scheduler S3
  • Page 138: Power Over Ethernet (Poe)

    Table 9: VLAN IDs Reserved for Internal Use
    VLAN IDs     Reservations
                 SRX100     SRX210     SRX220     SRX240     SRX650
    3968-4047    ———        ———        ———        Reserved   Reserved
    4093         Reserved   Reserved   Reserved   Reserved   Reserved
    4094         Reserved*  Reserved*  Reserved*  Reserved*  Reserved*
  • Page 139: Wireless Lan (Wlan)

    CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message. set chassis craft-lockout set chassis routing-engine on-disk-failure
  • Page 140: Class-Of-Service Hierarchy

    CLI editor, they appear to succeed and do not display an error message. Aggregated Interface CLI on page 141 ATM Interface CLI on page 141 Ethernet Interfaces on page 142 GRE Interface CLI on page 142 IP Interface CLI on page 143
  • Page 141 0 compression-device set interfaces at-1/0/0 unit 0 epd-threshold set interfaces at-1/0/0 unit 0 inverse-arp set interfaces at-1/0/0 unit 0 layer2-policer set interfaces at-1/0/0 unit 0 multicast-vci set interfaces at-1/0/0 unit 0 multipoint
  • Page 142 The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message. set interfaces gr-0/0/0 unit 0 ppp-options set interfaces gr-0/0/0 unit 0 layer2-policer
  • Page 143 T1 Interface CLI The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message. set interfaces t1-1/0/0 receive-bucket
  • Page 144: Protocols Hierarchy

    However, if you enter these commands in the CLI editor, they will appear to succeed and will not display an error message. set protocols bfd no-issu-timer-negotiation set protocols bgp idle-after-switch-over
  • Page 145: Routing Hierarchy

    SNMP hierarchy CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message. set snmp community 90 logical-system set snmp logical-system-trap-filter set snmp trap-options logical-system set snmp trap-group d1 logical-system
  • Page 146: System Hierarchy

  • Page 147 Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 158 Errata and Changes in Documentation for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 178
  • Page 148: Known Limitations In Junos Os Release 10.4 For Srx Series Services Gateways And J Series Services Routers

    On SRX Series device failover, access points on the Layer 2 switch reboot and all wireless clients lose connectivity for 4-6 minutes. On VDSL mini-PIM, chassis cluster is not supported for VDSL mode. Queuing on aggregated Ethernet interface (ae) is not supported.
  • Page 149: Command-Line Interface (Cli)

    For SRX240 devices: six CLI users and five J-Web users On SRX210 devices with Integrated Convergence Services, TDM configuration change might interrupt existing TDM calls. The voice calls do not work. Run the CLI restart rtmd command after making a configuration change.
  • Page 150: Docsis Mini-Pim

    On J Series devices, even when forwarding options are set to drop packets for the ISO protocol family, the device forms End System-to-Intermediate System (ES-IS) adjacencies and transmits packets because ES-IS packets are Layer 2 terminating packets.
  • Page 151: Hardware

    In the packet processor on an IOC, the maximum number of terms of all simple filters is 4000. In the packet processor on an IOC, the maximum number of policers is 4000.
  • Page 152: Interfaces And Routing

    On SRX240 High Memory devices, traffic might stop between SRX240 device and CISCO switch due to link mode mismatch. As a workaround, Juniper Networks recommends setting auto-negotiation parameters on both ends to the same value. On SRX100 devices, the link goes down when you upgrade FPGA on 1xGE SFP. As a...
  • Page 153 On SRX100, SRX210, SRX240 and SRX650 devices, on the Level 3 interface, the following features are not supported: Encapsulations (such as CCC, VLAN CCC, VPLS, and PPPOE) on Level 3 interfaces J-Web Level 3 for 10-Gigabit Ethernet
  • Page 154: Intrusion Detection And Prevention (Idp)

    3.0 and below 3.5. NOTE: Other browser versions might not provide access to J-Web and only English-version browsers are supported. OS: Microsoft Windows XP Service Pack 3 SRX Series and J Series browser compatibility
  • Page 155: Netscreen-Remote

    Table 10 on page 156. The limitation on the number of destination-rule-set and static-rule-set has been increased. Table 10 on page 156 provides the requirements per device to increase the configuration limitation as well as scale the capacity for each device.
  • Page 156: Point-To-Point Protocol Over Ethernet (Pppoe)

    On SRX100, SRX210, SRX240, and SRX650 devices, CoA is not supported with 802.1x. On SRX100, SRX210, SRX240 and SRX650 devices, on the routed VLAN interface, the following features are not supported: IPv6 (family inet6) ISIS (family ISO)
  • Page 157: Unified Threat Management (Utm)

    However, you can only configure and manage the maximum number of access points. Related Documentation: New Features in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 92
  • Page 158: Issues In Junos Os Release 10.4 For Srx Series Services Gateways And J Series Services Routers

    On SRX3400, SRX3600, SRX5600, and SRX5800 devices, 8-queue configurations are not reflected on the chassis cluster interface. [PR/389451] On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the iflset functionality is not supported for aggregated interfaces like reth. [PR/391377]
  • Page 159 One node is primary; the other node is secondary. Both nodes have nonzero priority values unless a monitored interface is down. Use the show chassis fpc pic-status command to verify that the PIC status is Online
  • Page 160 On J Series devices with a CoS configuration, when you try to delete all the flow sessions using the clear security flow session command, the WXC application acceleration platform might fail over with heavy traffic. [PR/273843]
  • Page 161 On SRX Series devices, configuring the flow filter with the flag might result in traces that are not related to the configured filter. As a workaround, use the flow trace flag basic with the command set security flow traceoptions flag
  • Page 162 IP address, application, and trap name, but the username is missing. [PR/439314] On SRX5800 devices, for any network processing bundle configuration change to take effect, a reboot is needed. Currently there is no message displayed after a bundle configuration change. [PR/441546]
  • Page 163 On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the input packets and bytes counter shows random values both in traffic statistics and IPv6 transit statistics, when VLAN tagging is added or removed from the IPv6 address configured interface. [PR/489171]
  • Page 164 On SRX240 devices, the combinations of Mini-PIMs cause SFP-copper links to go down in some instances during bootup, restarting fwdd, and restarting chassisd. As a workaround, reboot the device and the link will be up. [PR/437788]
  • Page 165 SNMP does not provide support for survivable call server (SRX Series SCS) statistics. [PR/456454] On SRX210 devices with voice capability, SIP trunking or FXS trunking calls do not work if the called party supports only the G729AB/G711-Mu-law codec. [PR/504135]
  • Page 166 Configure nonstop active routing (NSR) and Layer 2 circuit standby simultaneously and commit them Delete the NSR configuration and then add the configuration back when both the NSR and the Layer 2 circuits are up
  • Page 167 On SRX650 devices, in the 2-port 10G XPIM, when the interface is linked with fiber, the activity LED does not blink when traffic enters the interface. However, the activity LED blinks properly when traffic goes out of the interface. [PR/513961]
  • Page 168 SPC. This is primarily because of the watchdog timer expiration. The IDP function takes a long time to decrypt the session when you use a 4096-bit key.
  • Page 169 (AS) and mask length. The AS or mask length values of cflowd packets show while sampling the packet on the virtual router interface. [PR/419563]
  • Page 170 NAT wizard is not pushed to the CLI configuration. As a workaround, use the CLI. [PR/547630] On SRX100, SRX210, SRX220, and SRX240 devices, wizards take more time to commit the configuration setup and to load the page. [PR/548530]
  • Page 171 [PR/504932] On SRX5600 devices, only network addresses are allowed in IPv6 NAT configuration from Junos OS Release 10.3 onward. This is enforced in commit check. [PR/545330]
  • Page 172 Essentially, for each protected application server, you have to configure a single application-level DDoS rule. [PR/467326]
  • Page 173 On SRX650 devices, when express AV is enabled, traffic from the server and client are buffered at the device. Sometimes, the buffer resource runs out because the traffic arrives faster than the buffer resources are released and results in the device detecting
  • Page 174 Link Layer Discovery Protocol (LLDP) Protocol Data Units (PDUs) from neighbors. [PR/485845] For SRX210 High Memory devices, during configuration of access and trunk ports, the individual VLANs from the vlan-range are not listed. [PR/489872]
  • Page 175: Resolved Issues In Junos Os Release 10.4 For Srx Series Services Gateways And J Series Services Routers

    The following are the issues that have been resolved since Junos OS Release 10.4R1 for Juniper Networks SRX Series Services Gateways and J Series Services Routers. The identifier following the descriptions is the tracking number in the Juniper Networks Problem Report (PR) tracking system.
  • Page 176 [PR/454996: This issue has been resolved.] On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the show datapath-debug counter command gave error messages from the secondary node. [PR/477017: This issue has been resolved.]
  • Page 177 [PR/514771: This issue has been resolved.] On SRX220 devices, you could not edit the physical properties of a LAN interface in J-Web without entering the MAC address. [PR/519818: This issue has been resolved.]
  • Page 178: Errata And Changes In Documentation For Junos Os Release 10.4 For Srx Series Services Gateways And J Series Services Routers

    Single Commit on J-Web The following information pertains to SRX Series devices: For all J-Web procedures, follow these instructions to commit a configuration: If Commit Preference is Validate and commit configuration changes , click OK.
  • Page 179: Errata For The Junos Os Documentation

    Junos OS flow-based routing functionality Low-impact cluster upgrade (ISSU light) Multicast routing Redundancy group 0 (backup for Routing Engine) Redundancy groups 1 through 128 Redundant Ethernet interfaces Redundant Ethernet interface link aggregation groups (LAGs)
  • Page 180 SRX5600 and SRX5800 Services Gateways MIB Reference incorrectly state the downloadable version of the Real-Time Media (RTM) and SIP Common MIBs. The correct URLs are as follows: RTM MIB— http://www.juniper.net/techpubs/en_US/junos10.4/topics/reference/mibs/mib-jnx-rtm.txt SIP Common MIB— http://www.juniper.net/techpubs/en_US/
  • Page 181 UDP: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC] Other: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC] Session Statistics: [ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0] Policy Name: sample Running Detector Version: 10.4.160091104
  • Page 182 IPXCP151: Novell IPX Control Protocol LECP151: LAN Extension Control Protocol NBFCP151: NetBIOS Frames Control Protocol SDTP151: Serial Data Transport Protocol SNACP151: Systems Network Architecture (SNA) Control Protocol XNSCP151: Xerox Network Systems (XNS) Internet Datagram Protocol (IDP) Control Protocol
  • Page 183 The “Verifying the Policy Compilation and Load Status” section of the Junos OS Security Configuration Guide has a missing empty/new line before the heading, IDPD Trace file in the second sample output.
  • Page 184 ?target= option followed by either the %dest-url% variable or a specific URL. The %dest-url% variable forwards authenticated users to the protected resource they originally specified. A URL forwards authenticated users to a specific site.
  • Page 185 This setting is required if a root user password was not set. user@host# delete vlans user@host# delete interfaces user@host# delete security zones security-zone trust interfaces user@host# delete security zones security-zone untrust interfaces
  • Page 186: Errata For The Junos Os Hardware Documentation

    The SRX1400 Services Gateway Hardware Guide includes information about the following DC-powered SRX1400 Services Gateways: SRX1400BASE-XGE-DC SRX1400BASE-GE-DC These models are not available in Junos OS Release 10.4. Contact your Juniper Networks customer service representative for information on these models.
  • Page 187 DC-powered SRX1400 Services Gateways: SRX1400BASE-GE-DC SRX1400BASE-XGE-DC These models are not available in Junos OS Release 10.4. Contact your Juniper Networks customer service representative for information on these models. In the SRX1400 Services Gateway Getting Started Guide, some of the graphics are shown with grounding lug attached on the front panel of the device.
  • Page 188 Step 5: Connect the External Devices and IOC Cables to the SRX1400 Services Gateway Step 7: Perform the Initial Software Configuration on the SRX1400 Services Gateway These models are not available in Junos OS Release 10.4. Contact your Juniper Networks customer service representative for information on these models. Quick Start Guides The SRX210 Services Gateway Quick Start and the SRX240 Services Gateway Quick Start incorrectly document the specified order of the default set of codecs as 711-μ,...
  • Page 189: Hardware Requirements For Junos Os Release 10.4 For Srx Series Services Gateways And J Series Services Routers

    SRX Series and J Series interface modules. Different transceiver types (long-range, short-range, copper, and others) can be used together on multiport SFP interface modules as long as they are provided by Juniper Networks. We cannot guarantee that the interface module will operate correctly if third-party transceivers are used.
  • Page 190: Supported Third-Party Hardware

    II SanDisk CompactFlash 512 MB SDCFB-512-455 SanDisk CompactFlash 1 GB SDCFB-1000.A10 J Series CompactFlash and Memory Requirements Table 18 on page 191 lists the CompactFlash card and DRAM requirements for J Series Services Routers.
  • Page 191: Maximizing Alg Sessions

    TCP Proxy connection capacity: 40,000 sessions per flow SPU NOTE: Flow session capacity will be reduced to half per flow SPU and the above capacity numbers will not change on the central point SPU.
  • Page 192: Integrated Convergence Services Not Supported

    Integrated Convergence Services is no longer supported. The Media-Gateway (MGW) versions of SRX Series low-end devices have been discontinued and are no longer supported. If you have an ICS-supported SKU, please contact Juniper Networks for further guidance. Upgrade and Downgrade Instructions for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers In order to upgrade to Junos OS Release 10.4 or later, your device must be running one...
  • Page 193 This policy remains unchanged. For more information on EEOL releases and to review a list of EEOL releases, see http://www.juniper.net/support/eol/junos.html
  • Page 194: Junos OS Release Notes For EX Series Switches

    XRE200 External Routing Engine—The XRE200 External Routing Engine is used to create a Virtual Chassis composed of Juniper Networks EX8200 Ethernet Switches. A Virtual Chassis is multiple switches connected together that operate as a single network entity. The advantages of connecting multiple EX8200 switches into a Virtual Chassis...
  • Page 195: Bridging, VLANs, And Spanning Trees

    Management and RMON J-Web interface support for the 40-port SFP+ line card for EX8200 switches—J-Web interface support has been added for the 40-port SFP+ line card for EX8200 switches.
  • Page 196: Packet Filters

    Beginning in Junos OS Release 10.2, you can configure multiple class-of-service (CoS) rewrite rules for DSCP, IP precedence, and IEEE 802.1p. Rewrite rules are not assigned to interfaces by default, and for rewrites to occur, you must assign a user-defined rewrite
  • Page 197: Limitations In Junos OS Release 10.4 For EX Series Switches

    When a switch is running Virtual Routing Redundancy Protocol (VRRP) and you enable or disable a large number (on the order of 50 or more) of routed VLAN interfaces (RVIs), the STP topology might change for a short period of time during the commit process.
  • Page 198: Class Of Service

    If you press the reset button on the Switch Fabric and Routing Engine (SRE) module in an EX8208 switch without taking the module offline first (by using the CLI), the fabric planes in the module might not come back online.
  • Page 199: High Availability

    “date: connect: Can't assign requested address”. On EX8208 switches, when a line card that has no interface configurations and is not connected to any device is taken offline using the command request chassis fpc-slot
  • Page 200: Interfaces

    As a workaround, configure a port mirroring analyzer with each port of the VLAN as egress input. The following interface counters are not supported on routed VLAN interfaces (RVIs): local statistics, traffic statistics, and transit statistics.
  • Page 201: J-Web Interface

    On EX8200 Virtual Chassis systems, ECMP might not work for links present between Virtual Chassis. On an EX8200 Virtual Chassis with a single hard disk, the hard disk might not boot. The error message is "TIMEOUT - WRITE_DMA retrying".
  • Page 202: Outstanding Issues In Junos OS Release 10.4 For EX Series Switches

    As a workaround, do not enable all VRRP sessions simultaneously if the switch’s VRRP configuration is large. [PR/556114] Ethernet Switching When the pfem restarts, EX Series switches cannot receive any Q-in-Q frames and drop them all. [PR/527117]
  • Page 203: Firewall Filters

    [PR/579234] On EX8200 switches, when you are upgrading the line cards, the nonstop software upgrade (NSSU) process might abort. The system generates a core file when this happens. [PR/580494]
  • Page 204: J-Web Interface

    The J-Web interface Static Routing page might not display details on entries registered in the routing table. [PR/483885] In the J-Web interface, the Software Upload and Install Package option might not display a warning message when there are pending changes to be committed. [PR/514853]
  • Page 205: Layer 2 And Layer 3 Protocols

    On an EX4200 Virtual Chassis, when you configure the RPM hardware timestamp with the hardware-timestamp configuration statement, the show services rpm probe-results command displays the hardware timestamp status as "No hardware timestamps". As a workaround, do not configure a source address for RPM probes. Packets are sent
  • Page 206: Management And RMON

    NOTE: Other software issues that are common to both EX Series switches and M, MX, and T Series routers are listed in “Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers” on page 55.
  • Page 207: Access Control And Port Security

    On EX4200 switches, spurious packets (packets with unsupported fields) arriving at the backup Routing Engine while a GRES operation is in progress can cause a kernel crash (vmcore). [PR/546314: This issue has been resolved.]
  • Page 208: Interfaces

    On EX Series switches, the configured interface hold time does not work. [PR/537477: This issue has been resolved.] On EX4500 switches, when you are configuring Gigabit Ethernet interfaces from the command-line interface (CLI), automatic command completion does not work. [PR/561565: This issue has been resolved.]
  • Page 209: J-Web Interface

    [PR/562454: This issue has been resolved.] The dashboard in the J-Web interface might not refresh automatically if you navigate back and forth between the Dashboard page and other pages. [PR/566359: This issue has been resolved.]
  • Page 210: Layer 2 And Layer 3 Protocols

    This section lists outstanding issues with the documentation. J-Web Interface To access the J-Web interface, your management device requires the following software: Supported browsers—Microsoft Internet Explorer version 7.0 or Mozilla Firefox version Language support—English-version browsers
  • Page 211: Virtual Chassis

    Download the software package as described in Downloading Software Packages from Juniper Networks (Optional) Back up the current software configuration to a second storage option. See the Junos OS Installation and Upgrade Guide at http://www.juniper.net/techpubs/software/junos/index.html for instructions.
  • Page 212: Upgrade Policy For Junos OS Extended End-Of-Life Releases

    Junos OS Release 8.5 directly to either 9.3 or 10.0. To upgrade from Release 8.5 to 10.4, you first need to upgrade to Junos OS Release 9.3 or 10.0, and then upgrade a second time to 10.4. Similarly, you can downgrade directly from Junos OS Release 10.4 to either
  • Page 213: Upgrading Or Downgrading From Junos OS Release 9.4R1 For EX Series Switches

    Outstanding Issues in Junos OS Release 10.4 for EX Series Switches on page 202 Resolved Issues in Junos OS Release 10.4 for EX Series Switches on page 206 Errata in Documentation for Junos OS Release 10.4 for EX Series Switches on page 210
  • Page 214: Junos OS Documentation And Release Notes

    Juniper Networks website at http://www.juniper.net/techpubs/ Juniper Networks supports a technical book program to publish books by Juniper Networks engineers and subject matter experts with book publishers around the world. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration using the Junos operating system (Junos OS) and Juniper Networks devices.
  • Page 215 CLI before contacting support: user@host> request support information | save filename To provide a core file to Juniper Networks for analysis, compress the file with the gzip utility, rename the file to include your company name, and copy it to .
  • Page 216: Revision History

    Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
