What's Changed

Learn about what changed in this release for PTX Series routers.

General Routing

  • Change in options and generated configuration for the EZ-LAG configuration IRB subnet-address statement—With the EZ-LAG subnet-address inet or subnet-address inet6 options at the edit services evpn evpn-vxlan irb irb-instance hierarchy level, you can now specify multiple IRB subnet addresses in a single statement using the list syntax (addr1 addr2 ...). Also, in the generated configuration for IRB interfaces, the commit script now includes default router-advertisement statements at the edit protocols hierarchy level for that IRB interface.

    [See subnet-address (Easy EVPN LAG Configuration).]

  • On PTX10004, PTX10008, and PTX10016 routers, after executing the request node offline command, you must wait at least 180 seconds to execute the request chassis cb offline command.

  • Rescue configuration retained after reboot with disconnected HSM module - When you reboot vSRX 3.0 with the HSM module disconnected, the system boots up using the saved rescue configuration. This ensures that the device can recover to a known stable state, facilitating reliable system management and minimizing downtime. PR1777775

  • Media Access Control Security (MACsec) session remains stable when changing exclude-protocol configuration—When you change the protocols excluded from MACsec using the exclude-protocol protocol-name option at the edit security macsec connectivity-association connectivity-association-name hierarchy level, the MACsec session remains stable.

    [See exclude-protocol.]

  • Enhanced DDoS statistics operational command (PTX Series)—We've enhanced the aggregate DDoS statistics output field to display the aggregate statistics for BFD and DHCP protocols. The enhanced DHCP statistics output displays the collective DHCPv4 and DHCPv6 statistics for DDoS. Before this release, the aggregate DDoS statistics output displayed 0 for aggregate BFD and the aggregate DHCPv4v6.

    [See show ddos-protection protocols.]

  • Feature bandwidth information in CLI output (PTX Series)—Starting in this release, the show system license command output displays bandwidth only if an IFL and Advance or Premium features are configured. PR1783572

  • ChaCha20-Poly1305 algorithm deprecation for SSH cipher option—The ChaCha20-Poly1305 authenticated encryption algorithm is deprecated for the SSH cipher option. Configure aes-128-gcm and aes-256-gcm as the encryption algorithms for the SSH cipher option.

    [See ssh (System Services).]

  • Disable power redundancy alarms for JNP10K-PWR-DC2 PSM (PTX10008 and PTX10016)- The JNP10K-PWR-DC2 PSM supports power redundancy across two DIP switches. When all input feeds are not connected to power supplies, it triggers a chassis alarm such as PSM 5 Input B0 and B1 Failed. Starting in Junos OS Evolved Release 24.2R1, you can disable this chassis alarm by using the set chassis alarm psm psm number input input number ignore command.

    [See JNP10K-PWR-DC2 Power Supply.]

  • DDoS protection protocols statistics update (PTX Series)—Starting in Junos OS Evolved Release 23.2R2, the show ddos-protection protocols statistics command displays the Max arrival rate and Arrival rate output values as expected. Before this release, the Max arrival rate and Arrival rate output values were displayed larger than expected.

    [See show ddos-protection protocols parameters.]

  • DDoS violation information shows incorrect default time and date (PTX Series)—When you clear the DDoS violation state using the clear ddos-protection protocols states command in Junos OS Evolved, the log message displays an incorrect default time and date. However, if you bypass the recovery time while clearing the DDoS violation state, the log message displays accurately.

    [See clear ddos-protection protocols.]

  • The system now checks the port number value (z) in the 'set interfaces et-x/y/z:n' configuration for a valid port range on PTX10002-36QDD. Previously, configurations with invalid port numbers were committed successfully. With this update, the system displays a UI error message and prevents committing configurations with invalid port numbers, ensuring configuration accuracy and preventing potential issues.

  • Disabled CDN auto download (Junos OS Evolved) - The PKI process periodically, by default every 24 hours, polls the CDN server for the latest default trusted CA bundle and updates the list for any changes to the trusted CAs in the bundle. If there are any changes, the PKI process loads them in the background. The auto download of CA certificates might generate core files. We've disabled the periodic PKI query to the CDN server that downloads the latest trusted CA bundle.

  • On Junos OS Evolved, password authentication for SCP based configuration archival is supported.

  • Corrected show ddos-protection protocols CLI command (PTX10003, PTX10008, and PTX10016)—When you clear the DDoS state and then execute the show ddos-protection protocols CLI command, the output accurately displays that the policer was never violated. Before this release, the show ddos-protection protocols CLI command output displayed that the policer was no longer violated, which indicates that a violation occurred and wasn't cleared correctly.

    [See show ddos-protection protocols.]

  • Limit on number of IP address associations per MAC address per bridge domain in EVPN MAC-IP database—By default, devices can associate a maximum of 200 IP addresses with a single MAC address per bridge domain. We provide a new CLI statement to customize this limit, the mac-ip-limit statement at the edit protocols evpn hierarchy level. In most use cases, you don't need to change the default limit. If you want to change the default limit, we recommend that you don't set this limit to more than 300 IP addresses per MAC address per bridge domain. Otherwise, you might see very high CPU usage on the device, which can degrade system performance.

    [See mac-ip-limit.]

EVPN

  • Limit on number of IP address associations per MAC address per bridge domain in EVPN MAC-IP database—By default, devices can associate a maximum of 200 IP addresses with a single MAC address per bridge domain. We provide a new CLI statement to customize this limit, the mac-ip-limit statement at the edit protocols evpn hierarchy level. In most use cases, you don't need to change the default limit. If you want to change the default limit, we recommend that you don't set this limit to more than 300 IP addresses per MAC address per bridge domain. Otherwise, you might see very high CPU usage on the device, which can degrade system performance.

    [See mac-ip-limit.]

  • Updates to syslog EVPN_DUPLICATE_MAC messages—EVPN_DUPLICATE_MAC messages in the System log (syslog) now contain additional information to help identify the location of a duplicate MAC address in an EVPN network. These messages will include the following in addition to the duplicate MAC address:
    • The peer device, if the duplicate MAC address is from a remote VXLAN tunnel endpoint (VTEP).
    • The VLAN or virtual network identifier (VNI) value.
    • The source interface name for the corresponding local interface or multihoming Ethernet segment identifier (ESI).
    For example: Feb 27 22:55:13 DEVICE_VTEP1_RE rpd 39839: EVPN_DUPLICATE_MAC: MAC address move detected for 00:01:02:03:04:03 within instance=evpn-vxlan on VNI=100 from 10.255.1.4 to ge-0/0/1.0.

    For more on supported syslog messages, see System Log Explorer.
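An added example, not Juniper's code: a Python parser for the EVPN_DUPLICATE_MAC layout shown in the sample message above, counting moves per MAC so that an address flapping between a remote VTEP and a local interface stands out. Only the first sample line comes from this page; the other lines are constructed, and the function names and the threshold are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Layout taken from the sample message in the release note; other layouts
# (for example a VLAN instead of a VNI) are not covered and are reported back.
DUP_MAC_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s.*?EVPN_DUPLICATE_MAC:\s"
    r"MAC address move detected for (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"\swithin instance=(?P<instance>\S+) on VNI=(?P<vni>\d+)"
    r"\sfrom (?P<src>\S+) to (?P<dst>\S+?)\.?$"
)

def location_kind(value):
    """'remote-vtep' if the value is an IP address, else 'local' (interface or ESI)."""
    try:
        ipaddress.ip_address(value)
        return "remote-vtep"
    except ValueError:
        return "local"

def parse_line(line):
    """Return a dict of fields for one EVPN_DUPLICATE_MAC line, or None."""
    m = DUP_MAC_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["mac"], ev["vni"] = ev["mac"].lower(), int(ev["vni"])
    ev["src_kind"], ev["dst_kind"] = location_kind(ev["src"]), location_kind(ev["dst"])
    return ev

def flapping_macs(lines, threshold=2):
    """Count moves per (instance, VNI, MAC); return those at or above threshold,
    plus EVPN_DUPLICATE_MAC lines the pattern could not parse."""
    counts, unparsed = Counter(), []
    for line in lines:
        ev = parse_line(line)
        if ev:
            counts[(ev["instance"], ev["vni"], ev["mac"])] += 1
        elif "EVPN_DUPLICATE_MAC" in line:
            unparsed.append(line)
    return {k: n for k, n in counts.items() if n >= threshold}, unparsed

PREFIX = "DEVICE_VTEP1_RE rpd 39839: EVPN_DUPLICATE_MAC: "
MOVE = "MAC address move detected for {} within instance=evpn-vxlan on VNI={} from {} to {}."
SAMPLE = [  # first line reproduces the release note's example; the rest are constructed
    "Feb 27 22:55:13 " + PREFIX + MOVE.format("00:01:02:03:04:03", 100, "10.255.1.4", "ge-0/0/1.0"),
    "Feb 27 22:55:19 " + PREFIX + MOVE.format("00:01:02:03:04:03", 100, "ge-0/0/1.0", "10.255.1.4"),
    "Feb 27 22:55:40 " + PREFIX + MOVE.format("00:01:02:03:04:0A", 200, "10.255.1.5", "ge-0/0/2.0"),
    "Feb 27 22:56:01 " + PREFIX + "layout not covered by this parser",
]

if __name__ == "__main__":
    print(flapping_macs(SAMPLE))
```

Lines that carry the EVPN_DUPLICATE_MAC tag but do not match the pattern are returned separately so that a format difference shows up as a parsing gap instead of a missing alert.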

Infrastructure

  • Option to disable path MTU discovery—Path MTU discovery is enabled by default. To disable it for IPv4 traffic, you can configure the no-path-mtu-discovery statement at the edit system internet-options hierarchy level. To reenable it, use the path-mtu-discovery statement.

    [See Path MTU Discovery.]

Junos OS API and Scripting

  • <get-trace> RPC support removed (ACX Series, PTX Series, and QFX Series)—The show trace application app-name operational command and equivalent <get-trace> RPC both emit raw trace data. Because the <get-trace> RPC does not emit XML data, we've removed support for the <get-trace> RPC for XML clients.

Network management and Monitoring

  • <get-trace> RPC support removed (ACX Series, PTX Series, and QFX Series)—The show trace application app-name operational command and equivalent <get-trace> RPC both emit raw trace data. Because the <get-trace> RPC does not emit XML data, we've removed support for the <get-trace> RPC for XML clients.

System Management

  • Additional Upgrade fields for the show system applications detail command (ACX Series, PTX Series, and QFX Series)—The show system applications detail command and corresponding RPC include additional Upgrade output fields. The fields provide information about notifications and actions related to various upgrade activities.

    [See show system applications (Junos OS Evolved).]

VPNs

  • Increase in revert-delay timer range— The revert-delay timer range is increased to 600 seconds from 20 seconds.

    [See min-rate.]

  • Configure min-rate for IPMSI traffic explicitly— In a source-based MoFRR scenario, you can set a min-rate threshold for IPMSI traffic explicitly by configuring ipmsi-min-rate under set routing-instances protocols mvpn hot-root-standby min-rate. If not configured, the existing min-rate will be applicable to both IPMSI and SPMSI traffic.

    [See min-rate.]