Tuesday 12 December 2017

Software Release Notification for Junos Software Service Release version 15.1R6-S4

Alert Type:

SRN - Software Release Notification
Product Affected:
ACX, EX, M, MX, T
Alert Description:
Junos Software Service Release version 15.1R6-S4 is now available for download from the Junos software download site
Download Junos Software Service Release:
  1. Go to Junos Platforms - Download Software page
  2. Select your product
  3. From the Type/OS drop-down menu, select Junos SR
  4. From the Version drop-down menu, select your version
  5. Click the Software tab
  6. Select the Install Package as needed and follow the prompts
Solution:
Junos Software Service Release version 15.1R6-S4 is now available. The following are incremental changes in 15.1R6-S4.
 
| PR Number | Synopsis | Description |
|---|---|---|
| 1180397 | MPC cell packing error causing send corrupt packets to fabric with multicast or bridge flood traffic | When multicast, vpls-flood or bridge-flood traffic, on an affected FPC type, with packet sizes ranging from 112 - 113 bytes or 108 - 109 bytes crosses zone boundaries within the router, traffic forwarding towards the fabric may stall. The following syslog entry will be reported: "FO: Cell packing interface error". The MPC that reports this syslog error message needs to be restarted to recover from this condition. |
| 1221766 | LDP route deletion might cause the rpd process to crash | With Label Distribution Protocol (LDP) enabled, the deletion of an LDP entry (for example, LDP interface down) might cause many LDP entries to be deleted, which might result in a routing protocol process (rpd) crash. |
| 1233580 | LCD corruption issue during booting up for EX Series switch | During boot up, EX4200, EX4550, and EX4300 switches might have no display or might display gibberish on the LCD. It is an LCD corruption issue. |
| 1253544 | When console log-out-on-disconnect is enabled, system reboot or switchover can result in processes remaining in the wait state and failure of the syslog feature | When the "set system log-out-on-disconnect" command is enabled, the Junos OS eventd process (daemon) will block the console-open(), but during this stage with syslog console configured (always logs on console), any logging will continue even if the console session has ended. While console logging is held in the wait state by eventd, syslog rotation freezes and some daemons directly attached to logging in the system also get into the wait state, causing undesirable behavior. |
| 1260829 | IPCP/IPv6CP re-negotiation is terminated by MX Series BNG | In a dual-stack PPPoE subscriber environment, when the PPP session is in the "OPEN" state and the router receives a Conf-Request message from the client, it unexpectedly sends a Term-Request message as a reply. |
| 1262969 | The packets with certain UDP destination port might be dropped on EX-VC except EX4300/EX4600/EX9200-VC | From Junos OS release 13.2X50-D15, for EX Virtual Chassis (VC) switches except EX4300/EX4600/EX9200-VC, when small UDP (<80 bytes) packets are forwarded between endpoints across a Virtual Chassis port (VCP) link, a certain User Datagram Protocol (UDP) destination port gets black holed. |
| 1265386 | The "boot -s" command does not work as expected with 15.1R1 to 15.R6 | On EX2200/EX3200/EX3300/EX4200/EX4500 and EX4550 platforms, typing "boot -s" at the loader prompt starts the system in single-user mode, where the user can set up password recovery. If "boot -s" is typed at the loader prompt in 15.1R1 ~ 15.1R6, the system does not go into single-user mode but reboots from the alternate slice. |
| 1269202 | Dropping the TCP RST packet incorrectly on PFE might cause traffic drop | In rare cases, the Packet Forwarding Engine might drop the TCP RST (reset) packet from the Routing Engine side while doing GRES or flapping an interface, and traffic might be dropped. |
| 1279192 | In scaling VPLS scenario, convergence time is taking more than 10 minutes | In a scaling VPLS scenario, convergence time is taking more than 10 minutes (which is expected to be 20 secs). In VPLS topologies the kernel may also report the error "pointchange for TLV type 00000052 not supported on IFL " in /var/log/messages where is a VT or LSI interface used by VPLS. Sometimes the issue can be reproduced by simply loading the configuration if the scale is high enough, but other triggers may apply as well. |
| 1294267 | Family inet shows as not-configured after adding or deleting the loopback address. | Family inet showing as Not-configured after adding/deleting the loopback address. |
| 1301717 | All traffic can be Tail-/RED-dropped on some interfaces when 'chassis fpc max-queues' is configured. | When the total number of available CoS queues on MPC Type 1 or Type 2 with Enhanced Queuing chip (QX chip) is limited with the 'chassis fpc max-queues' configuration, some interfaces might start dropping all traffic as Tail-/RED-drops. |
| 1309770 | Subscribers may not be able to access the device if dynamic vlan is used | In the subscriber management scenario, a profile-add-request for a dynamic vlan may fail, which can cause subsequent subscriber logins for the same vlan to fail. This is due to issues with internal data structure cleanup following the failed profile-adds. |
| 1315009 | L2TP LAC dropping packets that have incorrect payload length in 15.1 but are forwarded in 14.1X50 | L2TP LAC dropping packets that have incorrect payload length in 15.1 but are forwarded in 14.1X50 |
| 1321392 | IPv6 Framed Interface Id field is not properly showing at "show subscribers extensive" output | Customer, running MX router for BNG/Subscriber Management functionalities, reported that for a dual-stacked subscriber the 'IPv6 Framed Interface Id field' (from "show subscribers extensive" output) does not match the negotiated one. |

Tuesday 28 November 2017

16.2R2-S3: Software Release Notification for Junos Software Service Release version 16.2R2-S3

Alert Type:

SRN - Software Release Notification
Product Affected:
ACX, MX, T, TX, PTX, VMX, VRR
Alert Description:
Junos Software Service Release version 16.2R2-S3 is now available for download from the Junos software download site
Download Junos Software Service Release:
  1. Go to Junos Platforms - Download Software page
  2. Select your product
  3. From the Type/OS drop-down menu, select Junos SR
  4. From the Version drop-down menu, select your version
  5. Click the Software tab
  6. Select the Install Package as needed and follow the prompts
 
Solution:
Junos Software Service Release version 16.2R2-S3 is now available.
The following are incremental changes in 16.2R2-S3.
 
| PR Number | Synopsis | Description |
|---|---|---|
| 1275149 | ACX500 IPSec license activation error - license not valid for this product | In some rare scenarios, ACX500 IPSec will have a license activation error with the message "license not valid for this product". The license cannot be re-added after the deletion. This issue is related to an incorrect Product information index in the license feature structure. |
| 1298262 | rpd core at aspath_migrate_and_prepend(), rt_ribgroup_migrate_domain(), rt_change_ribgroup_import() when configures routing-instance with static routes | The routing protocol process (rpd) may restart unexpectedly when configuring rib-groups and routing-instances with static routes in a certain order. |
| 1302504 | The rpd might crash when toggling vrf-propagate-ttl and no-vrf-propagate-ttl knob | With Protocol-Independent Load Balancing for Layer 3 VPNs enabled (i.e. 'routing-instances routing-options multipath' configured) in a virtual routing and forwarding (VRF) routing instance, when toggling the TTL action knob (i.e. vrf-propagate-ttl/no-vrf-propagate-ttl) for this VRF routing instance, if BGP receives a VPN route update for the VRF during the processing of the reconfiguration, the rpd might crash. This is a timing issue due to a race condition. |

Friday 3 November 2017

End of Life Announcement: J-series subscription licenses

OVERVIEW:
This document announces the End of Life of the J-series licenses listed in the table below. This announcement is effective immediately with a last order date (LOD) of November 30, 2017. On the last order date, the SKUs are removed from the price list and are no longer orderable.

AFFECTED PRODUCTS:
| EOL Model Number | Description | Last Software Version |
|---|---|---|
| J2320-IDP | One year subscription for IDP updates on J2320 | 12.1X46 |
| J2320-K-AV | One year subscription for Juniper-Kaspersky AV updates on J2320 | 12.1X46 |
| J2320-S2-AS | One year subscription for Juniper-Sophos Anti-Spam for J2320 | 12.1X46 |
| J2320-SMB2-CS | One year security subscription for Enterprise - includes Kaspersky AV, WF, Sophos AS and IDP - on J2320 | 12.1X46 |
| J2320-W-WF | One year subscription for Juniper-Websense Integrated Web Filtering for J2320 | 12.1X46 |
| J2350-IDP | One year subscription for IDP updates on J2350 | 12.1X46 |
| J2350-K-AV | One year subscription for Juniper-Kaspersky AV updates on J2350 | 12.1X46 |
| J2350-S2-AS | One year subscription for Juniper-Sophos Anti-Spam for J2350 | 12.1X46 |
| J2350-SMB2-CS | One year security subscription for Enterprise - includes Kaspersky AV, WF, Sophos AS and IDP - on J2350 | 12.1X46 |
| J2350-W-WF | One year subscription for Juniper-Websense Integrated Web Filtering for J2350 | 12.1X46 |
| J4350-IDP | One year subscription for IDP updates on J4350 | 12.1X46 |
| J4350-K-AV | One year subscription for Juniper-Kaspersky AV updates on J4350 | 12.1X46 |
| J4350-S2-AS | One year subscription for Juniper-Sophos Anti-Spam for J4350 | 12.1X46 |
| J4350-SMB2-CS | One year security subscription for Enterprise - includes Kaspersky AV, WF, Sophos AS and IDP - on J4350 | 12.1X46 |
| J4350-W-WF | One year subscription for Juniper-Websense Integrated Web Filtering for J4350 | 12.1X46 |
| J6350-IDP | One year subscription for IDP updates on J6350 | 12.1X46 |
| J6350-K-AV | One year subscription for Juniper-Kaspersky AV updates on J6350 | 12.1X46 |
| J6350-S2-AS | One year subscription for Juniper-Sophos Anti-Spam for J6350 | 12.1X46 |
| J6350-SMB2-CS | One year security subscription for Enterprise - includes Kaspersky AV, WF, Sophos AS and IDP - on J6350 | 12.1X46 |
| J6350-W-WF | One year subscription for Juniper-Websense Integrated Web Filtering for J6350 | 12.1X46 |


REPLACEMENT PRODUCTS:
| Model Number | Product Description | Min Software Version |
|---|---|---|
| NA | NA | NA |


END OF LIFE TIMETABLE:
| EOL Timetable Milestone | Definition of Action | Effective Date |
|---|---|---|
| End-of-life Notification | Product Support Notification released that announces end of life of a product. | 10/30/2017 |
| Last Order Date | Last day to buy product, order a new service contract, or add product to an existing support contract. Thereafter, products and services are removed from price lists. | 11/30/2017 |
| End-of-warranty service conversion | Last date to convert warranty coverage for products purchased prior to EOL to a support contract. | NA |
| First service step-down | The available services offerings for the product will be capped at Next-day and Next-day Onsite support. Same-day and Same-day onsite support will be discontinued. | NA |
| Second service step-down | The available J-Care services offerings for the product will be capped at Core and CorePlus support. The available JNSAC service offerings will be capped at Basic, RTF and AR-5. Next-day and Next Day Onsite support will be discontinued. | NA |
| End-of-service contract renewal date | Last date to renew or extend existing support contracts. Support cannot extend beyond the end-of-support date. | NA |
| End of Software Engineering support date | EOSE is the date after which Juniper is no longer committed to furnish Software Engineering level support for the operating system software licensed for the affected hardware. This means that no further Releases (e.g. service or maintenance releases or patches) will be created for the support of the affected hardware product. JTAC support will generally be limited to investigation and troubleshooting in an attempt to provide solutions, configuration guidelines and workarounds. | 07/31/2018 |
| End of Hardware Engineering support date | After EOHE Juniper has no commitment to perform hardware engineering level support (including hardware modifications and hardware failure analysis) for hardware defects. | NA |
| End-of-service date | Last date to receive contracted service (including hardware and software bug fixes, and logistics replacement or repair services) for the product. Limited support will be offered on a per-incident, non-contracted basis only, at the discretion of Juniper Networks. | 07/31/2018 |

Tuesday 17 October 2017

Out-of-Cycle Security Bulletin: Multiple Products: Multiple vulnerabilities in Wi-Fi Protected Access (WPA1/WPA2) protocols (aka KRACK attack).

Product Affected:
This issue affects Junos OS 12.1X46. Affected platforms: SRX 210, 240, 650 series firewalls with AX411 Wireless Access Points. This issue affects ScreenOS 6.3. Affected platforms: ScreenOS SSG-5 and SSG-20 devices with embedded Wireless Access Points radios. This issue affects WLAN 9.2, 9.6. Affected platforms: MSS.
 
Problem:
The Wi-Fi Protected Access (WPA/WPA1) and Wi-Fi Protected Access II (WPA2) security protocols used in Juniper’s SRX 210, 240, 650 series firewalls which support the AX411 Access Points, in ScreenOS SSG-5 and SSG-20 firewalls with integrated Wi-Fi radios, and in the WLAN product line have one or more vulnerabilities present when these Wi-Fi radios are enabled.
This is a series of protocol level vulnerabilities and not specific to any Juniper products. WPA and WPA2 security protocols are present in nearly all modern Wi-Fi products.
Successful exploitation of these vulnerabilities could allow unauthenticated attackers to perform packet replay, decrypt wireless packets, and to potentially forge or inject packets into a wireless network.
The following CVE IDs have been issued for each of the possible vulnerabilities:

   * CVE-2017-13077: reinstallation of the pairwise key in the Four-way handshake
   * CVE-2017-13078: reinstallation of the group key in the Four-way handshake
   * CVE-2017-13079: reinstallation of the integrity group key in the Four-way handshake
   * CVE-2017-13080: reinstallation of the group key in the Group Key handshake
   * CVE-2017-13081: reinstallation of the integrity group key in the Group Key handshake

Juniper's products do not support Fast BSS Transition Reassociation and so are not vulnerable to CVE-2017-13082.
The following CVE IDs are still under investigation:

   * CVE-2017-13084: reinstallation of the STK key in the PeerKey handshake
   * CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake
   * CVE-2017-13087: reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame
   * CVE-2017-13088: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame

The research paper referenced in the related links section below can be reviewed for details.
Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was discovered by an external security researcher.

No other Juniper Networks products or platforms are affected by this issue.


Solution:
WLAN
MSS 9.2.1, 9.6.5, and all subsequent releases.

This issue is being tracked as PR 1297300 and is visible on the Customer Support website.
Workaround:
There are no viable workarounds for these issues.
The following methods may be used to reduce the possibility of exploitation:
SRX 210, 240, 650 series firewalls with AX411 Wireless Access Points:
Disabling all Wi-Fi configurations and setting all ports with AX411 Access Points administratively down will protect the SRX device from exploitation.
Customers may also physically disconnect the AX411 Wi-Fi Access Points from their network.
ScreenOS devices with embedded Wireless Access Points:
Disable all Wi-Fi configurations.
WLAN:
Disable all Wi-Fi Access Points until such time that the MSS can be upgraded.
 
Implementation:
Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/.
 
Modification History:
2017-10-16: Initial publication
 
CVSS Score:
7.9 (CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
 
Risk Level:
High
 
Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
 
Acknowledgements:
Juniper SIRT would like to acknowledge and thank

   * researchers Mathy Vanhoef and Frank Piessens of DistriNet (Distributed Systems and Computer Networks) at the Computer Science department of the Katholieke Universiteit Leuven, Belgium for responsibly disclosing these vulnerabilities.
   * John A. Van Boxtel with Cypress Semiconductor for finding that wpa_supplicant v2.6 is also vulnerable to CVE-2017-13077.

Friday 13 October 2017

User Interface update on JUNOS Software Download page - providing a URL for on device download

The user interface of the JUNOS Software Download page - https://www.juniper.net/support/downloads/group/?f=junos - has been updated. The last step in downloading software has been modified. The change will be in production on 2017-10-13T19:30:00-07:00
Solution:
The user interface of the JUNOS Software Download page - https://www.juniper.net/support/downloads/group/?f=junos - has been updated. The last step in downloading software has been modified to
  1. Enhance automation by providing a URL of the image that can be used with command line tools such as "curl", "wget", or "cli> file copy ..." on a JUNOS device
  2. The software image download no longer starts automatically via a user's browser. A user can choose to either click to download, or copy the image's URL to use on another device
Implementation:

The user interface of the JUNOS Software Download page - https://www.juniper.net/support/downloads/group/?f=junos - has been updated as follows:
After a user selects a JUNOS image, the software download displays the "End User License Agreement" (EULA). The user reviews the EULA and can either agree or disagree with the EULA. If a user agrees, the image is downloaded using the user's browser within a couple of seconds.

Figure 1: Current software download step - after a user accepts the EULA, they are transferred to this page. The image downloads automatically after a few seconds delay to the browser download directory.


We received feedback from users that downloading a large image via a browser to use the image in the field is not optimal. Many users prefer to get the URL of the image. They can then use the URL on their devices to copy the image to local storage directly. To illustrate this scenario, a user has to:
  1. Interrupt the download - one usually interrupts the automatic download since the browser starts downloading the image to the desktop within a couple of seconds
  2. Copy the image's URL - usually by right-clicking on the "Click to Download" link to get the URL
  3. Delete the partially downloaded image on the browser download folder


The last step in downloading software has been modified to
  1. Enhance automation by providing a URL of the image that can be used with command line tools such as "curl", "wget", or "cli> file copy ..." on a JUNOS device
  2. The software image download no longer starts automatically via a user's browser. A user can choose to either click to download, or copy the image's URL to use on another device
Figure 2: The new user interface to the last step of JUNOS software download procedure. The interface provides a URL to the image, or the ability to download the image via the browser

Monday 18 September 2017

Chef for Junos OS

Chef software automates the provisioning and management of compute, networking, and storage resources.

Chef for Junos OS provides support for Chef on selected Juniper Networks devices running Junos OS, allowing you to automate common switching network configurations, such as physical and logical Ethernet link properties and VLANs.

Tuesday 5 September 2017

Software Release Notification for Junos Software Service Release version 16.1R3-S5

Alert Description:

Junos Software Service Release version 16.1R3-S5 is now available for download from the Junos software download site
Download Junos Software Service Release:
  1. Go to Junos Platforms - Download Software page
  2. Select your product
  3. From the Type/OS drop-down menu, select Junos SR
  4. From the Version drop-down menu, select your version
  5. Click the Software tab
  6. Select the Install Package as needed and follow the prompts
Solution:
Junos Software Service Release version 16.1R3-S5 is now available.

The following are incremental changes in 16.1R3-S5.
 
| PR Number | Synopsis | Description |
|---|---|---|
| 1209308 | tcp_timer_keep: Dropping socket connection when remote VPLS PE comes up | In some rare scenarios remote VPLS PE coming up might cause TCP keepalive timeouts on the local sockets between the master RE and the FPCs (e.g. ppmd <-> PPManager connection): kernel: tcp_timer_keep: Dropping socket connection due to keepalive timer expiration Local(0x80000001:6011) Foreign(0x80000015:36678) kernel: tcp_timer_keep: Dropping socket connection due to keepalive |
| 1231167 | MPC2E-NG/MPC3E-NG core-dump with specific MIC due to tight loop of PCIe critical exceptions | On MX platform with MPC2E-3D-NG/MPC2E-3D-NG-Q/MPC3E-3D-NG/MPC3E-3D-NG-Q line card, if the FPC-MIC link failure happens, the bridge may keep sending register messages in an infinite loop, which would cause continuous PCI exceptions; the MPC might crash and traffic forwarding might be affected. This is a rare issue and it is hard to reproduce. |
| 1241801 | The rpd might crash on backup RE when changing l2circuit neighbor in NSR scenario | With NSR enabled and a Layer 2 circuit configured, an rpd crash might be observed on the backup Routing Engine when you change the Layer 2 circuit neighbor and then commit the changes. The issue does not exist if NSR is not enabled. |
| 1251556 | KRT queue stuck on RE causing RIB and FIB to go out of sync | From Junos 16.1R1 and later, there is a rpd problem sending route update messages to the kernel. The KRT queue used to send the messages can get into a state where no more messages can be sent to the kernel. This causes the RIB and FIB to get out of |
| 1256736 | IRP interrupt "INTR: throttle 3630sec PECHIP[2]:pe.irp.intr.status:ap0_trap(0): (Count:3434)" would be observed for every hour under certain conditions. | While processing lookup results, IRP block would raise an interrupt upon detecting an error condition. The interrupt would be active until the trapcode error is read. Under certain conditions, software is not reading this trapcode error upon IRP interrupt. This issue causes the following syslog message to be generated: fpc5 |
| 1258472 | The rpd might crash during the next-hop change if unicast reverse-path-forwarding (uRPF) is used | In very rare cases, if unicast reverse path forwarding (uRPF) is used, the rpd might crash and a core file might be generated during the next-hop change. |
| 1259579 | Rpd memory leak is observed in NG-MVPN environment | Rpd memory leak is seen when NG-MVPN type 6 and type 7 route adds/deletes/changes. The leak is 36 byte block size on Junos versions prior to 15.1, and 44 byte block size on Junos versions 15.1 or higher. |
| 1276748 | RPD core: Assertion failed rpd[6255]: file src/junos/usr.sbin/rpd/rsvp/rsvp_enh_lp.c", line 4928: "rsvp_enh_lp_supported_psb_type(psb) | RPD core: Assertion failed rpd[6255]: file src/junos/usr.sbin/rpd/rsvp/rsvp_enh_lp.c", line 4928: "rsvp_enh_lp_supported_psb_type(psb) |
| 1280809 | RPD core generation when a memory is allocated twice | Under a rare circumstance, a show task command of any type might cause a double free of a data structure, resulting in an rpd coredump. |
| 1282672 | Rpd might crash due to a certain chain of events in BGP-LU protection scenario | In BGP-LU protection scenario with the statement per-prefix-label configured, rpd might crash due to a certain chain of events that if receiving a BGP route with the indirect next-hop firstly and later receiving another BGP route with the direct next-hop (which has the same prefix with the route received early) |
| 1290789 | The rpd crashes due to LDP defect during NSR-enabled RE switchover | The rpd will generate a core file if it involves a Label Distribution Protocol (LDP) egress route which is stitched to a Border Gateway Protocol (BGP) route via the "ldp egress-policy" configuration. |

Friday 25 August 2017

Software Release Notification: Junos OS 16.1R5

Alert Description:

Junos OS 16.1R5 for the ACX Series, EX Series, MX Series, PTX Series, QFX Series, T Series and Junos Fusion is now available.
Solution:

Consult Release Notes:
For new and changed features, changes in behavior, known behavior and issues, resolved issues, and more, refer to:

Release Notes for Junos OS 16.1R5 for the ACX Series, EX Series, MX Series, PTX Series, QFX Series, T Series and Junos Fusion.

Download Junos OS Software:
1. Go to Junos Platforms - Download Software page.
2. Select your product.
3. Under 'Type / OS', select 'Junos'.
4. Under 'Version', select '16.1'.
5. Click the "Software" tab.
6. Select the Install Package Release needed, and follow the prompts.

Friday 18 August 2017

Hardware End of Life Announcement: XFP-10GE-SR

AFFECTED PRODUCT:
| EOL Model No. | Part Number | Product Description | Last Software Version |
|---|---|---|---|
| XFP-10GE-SR | 740-011571 | 10GE-SR SHORT REACH MULTI-MODE PLUGGABLE INTERFACE | E320: 16.1; SRX: 17.4 |


REPLACEMENT PRODUCT:
| Replacement Model No. | Part Number | Product Description | Min Software Version |
|---|---|---|---|
| XFP-10G-S | 740-033777 | 10G Pluggable Transceiver for 10GE, 850nm for 300m Transmission | See Supported Platform Specifications |



END OF LIFE TIMETABLE:
| EOL Timetable Milestone | Definition of Action | Effective Date |
|---|---|---|
| End-of-life Notification | Product Support Notification released that announces end of life of a product. | 08/11/2017 |
| Last Order Date | Last day to buy product, order a new service contract, or add product to an existing support contract. Thereafter, products and services are removed from price lists. | 08/11/2017 |
| End-of-warranty service conversion | Last date to convert warranty coverage for products purchased prior to EOL to a support contract. | NA |
| First service step-down | The available services offerings for the product will be capped at Next-day and Next-day Onsite support. Same-day and Same-day onsite support will be discontinued. | NA |
| Second service step-down | The available J-Care services offerings for the product will be capped at Core and CorePlus support. The available JNSAC service offerings will be capped at Basic, RTF and AR-5. Next-day and Next Day Onsite support will be discontinued. | NA |
| End-of-service contract renewal date | Last date to renew or extend existing support contracts. Support cannot extend beyond the end-of-support date. | NA |
| End of Software Engineering support date | EOSE is the date after which Juniper is no longer committed to furnish Software Engineering level support for the operating system software licensed for the affected hardware. This means that no further Releases (e.g. service or maintenance releases or patches) will be created for the support of the affected hardware product. JTAC support will generally be limited to investigation and troubleshooting in an attempt to provide solutions, configuration guidelines and workarounds. | 08/11/2020 |
| End of Hardware Engineering support date | After EOHE Juniper has no commitment to perform hardware engineering level support (including hardware modifications and hardware failure analysis) for hardware defects. | 08/11/2020 |
| End-of-service date | Last date to receive contracted service (including hardware and software bug fixes, and logistics replacement or repair services) for the product. Limited support will be offered on a per-incident, non-contracted basis only, at the discretion of Juniper Networks. | 08/11/2022 |

Friday 4 August 2017

End of Life Announcement: SRX1400, SRX3400, SRX3600

OVERVIEW:

Juniper SRX Series Services Gateways are high-performance network security solutions for enterprises and service providers that pack high port-density, advanced security, and flexible connectivity, into easily managed platforms.

With superior hardware such as SRX1500, SRX4100 and SRX4200 now available, Juniper is announcing the end of sale of older SRX1400, SRX3400, SRX3600 chassis and related FRUs and licenses. The last order date for these products will be December 1, 2017. The last supported software version will be Junos 12.3X48 as described here: https://www.juniper.net/support/eol/junos.html

Tuesday 18 July 2017

Software Release Notification: Junos OS 16.2R2


Alert Type:
SRN - Software Release Notification
Product Affected:
ACX Series, EX Series, MX Series, PTX Series, T Series
Alert Description:
Junos OS 16.2R2 for the ACX Series, EX Series, MX Series, PTX Series and T Series is now available.
Solution:

Consult Release Notes:
For new and changed features, changes in behavior, known behavior and issues, resolved issues, and more, refer to:

Release Notes for Junos OS 16.2R2 for the ACX Series, EX Series, MX Series, PTX Series and T Series.

Download Junos OS Software:
1. Go to Junos Platforms - Download Software page.
2. Select your product.
3. Under 'Type / OS' on the right, select 'Junos'.
4. Under 'Version', select '16.2'.
5. Click the "Software" tab.
6. Select the Install Package Release needed, and follow the prompts.

Sunday 16 July 2017

ASIC Reinitialize May Occur on ScreenOS 6.3.0r23 and 6.3.0r24

Alert Type:

PSN - Product Support Notification
Product Affected:
ISG 1000, ISG 1000-IDP, ISG 2000, ISG 2000-IDP, and NetScreen-5000 series with the NS 5000-MGT2/SPM2 and NS 5000-MGT3/SPM3.
Alert Description:
Any ScreenOS device on ASIC hardware (including ISG1000, ISG1000-IDP, ISG2000, ISG2000-IDP, NS5200, and NS5400) running 6.3.0r23 or 6.3.0r24, may experience packet drops due to ASIC reinitializing.  
Solution:
This issue is tracked via PR1282754.  This issue is addressed in ScreenOS 6.3.0r23b and ScreenOS 6.3.0r24b from the Juniper Software Download page.

Download ScreenOS Software
  1. Go to http://www.juniper.net/support/downloads
  2. Select your product
  3. Click the "Software" tab
  4. Select the Install Package, and follow the online prompts
Workaround

This problem can be worked around by applying the command:
unset flow tcp-syn-check strict

Saturday 1 July 2017

CPU Clock Component Issue

Juniper Networks was recently made aware of the existence of an erratum on a clock signal component manufactured by a third-party supplier. This erratum may result in the component degrading over time. Although we believe the Juniper products with this component are performing normally at this time as of 13th February, 2017, the above listed Juniper product model numbers could, after the product has been in operation for at least 18 months, begin to exhibit symptoms such as the inability to boot, or cease to operate. Recovery in the field is not possible. Juniper products with this supplier’s component were first placed into service in January 2016.

Pursuant to information provided by the component supplier, the issue is expected to manifest after an extended period of time in operation (18 months or greater). Juniper has worked with the component supplier to implement a remediation. All products shipping currently (as of 15th February, 2017) have the necessary remediation for this issue. In addition, Juniper’s global spare parts depots will be purged and updated with the remediated product. The completion date for the purge will be communicated as soon as practicable and this Notification will be updated. Due to logistical considerations the completion of the depot purge is targeted for the beginning of the 3rd quarter of 2017.  

Solution:


For parts under warranty or a valid service contract that have this component, Juniper will proactively replace these parts. Due to the age-based nature of the failure and the volume of replacements, Juniper will take the product’s time in operation into consideration.

Friday 2 June 2017

End of Life Announcement: SRX1400, SRX3400, SRX3600

OVERVIEW:

Juniper SRX Series Services Gateways are high-performance network security solutions for enterprises and service providers that pack high port-density, advanced security, and flexible connectivity, into easily managed platforms.
With superior hardware such as SRX1500, SRX4100 and SRX4200 now available, Juniper is announcing the end of sale of older SRX1400, SRX3400, SRX3600 chassis and related FRUs and licenses.
The last order date for these products will be December 1, 2017.        

END OF LIFE TIMETABLE:

                                                                                                                                                                       
| EOL Timetable Milestone | Definition of Action | Effective Date |
| --- | --- | --- |
| End-of-sale and end-of-service announcement | Product Support Notification released that announces end of life of a product. | 06/01/2017 |
| End-of-sale | Last day to buy product, order a new service contract, or add product to an existing support contract. Thereafter, products and services are removed from price lists. | 12/01/2017* |
| End-of-warranty service conversion | Last date to convert warranty coverage for products purchased prior to EOL to a support contract. | 12/01/2018 |
| First service step-down | The available services offerings for the product will be capped at Next-day and Next-day Onsite support. Same-day and Same-day onsite support will be discontinued. | 12/01/2019 |
| Second service step-down | The available J-Care services offerings for the product will be capped at Core and CorePlus support. The available JNSAC service offerings will be capped at Basic, RTF and AR-5. Next-day and Next Day Onsite support will be discontinued. | 12/01/2021 |
| End-of-service contract renewal date | Last date to renew or extend existing support contracts. Support cannot extend beyond the end-of-support date. | 12/01/2021 |
| Last software engineering support | Last date the identified software release which will support the product. After this date, new software releases may not be supported. Maintenance releases of the major software releases issued prior to this date will support the product within the current software EOL guidelines. | 12/01/2022 |
| Last hardware engineering support | Last date that hardware engineering will support the product. | 12/01/2022 |
| End-of-service date | Last date to receive contracted service (including hardware and software bug fixes, and logistics replacement or repair services) for the product. Limited support will be offered on a per-incident, non-contracted basis only, at the discretion of Juniper Networks. | 12/01/2022 |

* The End-of-Sale date is different for most of the software SKUs in this TSB; refer to the respective SKUs.

Tuesday 2 May 2017

Junos OS Release 15.1R6 - New and Changed Features

Class of Service

  • Class of service for PPP and MLPPP interfaces (ACX Series)—Junos OS for ACX Series Universal Access Routers supports class-of-service (CoS) functionalities on PPP and MLPPP interfaces. Up to four forwarding classes and four queues are supported per logical interface for PPP and MLPPP packets.
    The following restrictions apply when you configure CoS on PPP and MLPPP interfaces on ACX Series routers:
    • For interfaces with PPP encapsulation, you can configure interfaces to support only the IPv4, Internet Protocol Control Protocol (IPCP), PPP Challenge Handshake Authentication Protocol (CHAP), and Password Authentication Protocol (PAP) applications.
    • Drop timeout is not supported.
    • Loss of traffic occurs during a change of scheduling configuration; you cannot modify scheduling attributes instantaneously.
    • Buffer size is calculated in terms of number of packets, with 256 bytes considered as the average packet size.
    • Only two loss priority levels, namely low and high, are supported.
  • Support for MLPPP encapsulation (ACX Series)—You configure multilink bundles as logical units or channels on the link services interface lsq-0/0/0. With MLPPP, multilink bundles are configured as logical units on lsq-0/0/0—for example, lsq-0/0/0.0 and lsq-0/0/0.1. After creating multilink bundles, you add constituent links to the bundle.
    MLPPP is supported on ACX1000, ACX2000, and ACX2100 routers, and with Channelized OC3/STM1 (Multi-Rate) MICs with SFP and 16-port Channelized E1/T1 Circuit Emulation MIC on ACX4000 routers. With multilink PPP bundles, you can use the PPP Challenge Handshake Authentication Protocol (CHAP) and Password Authentication Protocol (PAP) for secure transmission over the PPP interfaces.
    To configure MLPPP encapsulation, include the encapsulation multilink-ppp statement at the [edit interfaces lsq-fpc/pic/port unit logical-unit-number] hierarchy level. To aggregate T1 links into an MLPPP bundle, include the bundle statement at the [edit interfaces t1-fpc/pic/port unit logical-unit-number family mlppp] hierarchy level.
  • Support for configuring the shared buffer size (ACX Series)—Junos OS for ACX Series Universal Access Routers enables you to control the amount of shared packet buffer a given queue can consume. Using this feature, you can ensure that important queues have a higher chance of using the shared buffers than less important queues. To achieve this, you can configure lower values for the shared-buffer maximum CLI statement for the less important queues, and higher values for the shared-buffer maximum CLI statement for the important queues.
    You can explicitly configure the shared-buffer maximum CLI statement at the [edit class-of-service] hierarchy level.
    Note: The default value for shared-buffer maximum is 66%.

Firewall Filters

  • Support for hierarchical policers (ACX Series)—On ACX Series routers, two-level ingress hierarchical policing is supported. With single-level policers, you cannot control how the committed information rate (CIR) and the excess information rate (EIR) values specified in the bandwidth profile are shared across different flows. For example, in a certain network deployment, you might want an equal or even distribution of CIR across the individual flows. In such a scenario, you cannot accomplish this requirement using single-level policers and need to configure aggregate or hierarchical policers.
    Aggregate policers operate in peak, guarantee, and hybrid modes. You can configure an aggregate policer by including the aggregate-policer aggregate-policer-name statement at the [edit firewall policer policer-name if-exceeding] hierarchy level. You can specify the mode of the aggregate policer by including the aggregate-sharing-mode [guarantee | peak | hybrid] statement at the [edit firewall policer policer-name if-exceeding aggregate-policer aggregate-policer-name] hierarchy level.
  • Enhancement to support additional firewall filter match capabilities (ACX Series)—Starting in Release 12.3X54, Junos OS for ACX Series routers supports additional match capabilities at the [edit firewall family ccc filter] and [edit firewall family inet filter] hierarchy levels.
    The existing firewall filters do not support Layer 2, Layer 3, and Layer 4 fields at the [edit firewall family ccc filter] hierarchy level. With additional matching fields, ACX Series routers support all the available Layer 2, Layer 3, and Layer 4 fields on the user-to-network interface side (ethernet-ccc/vlan-ccc).
    At the [edit firewall family inet filter] hierarchy level, the fragment-flags match field has been removed to accommodate the following Layer 2 and Layer 3 fields:
    Table 1: Fields added to [edit firewall family inet filter] hierarchy level
    | Field | Description |
    | --- | --- |
    | first-fragment | Matches if packet is the first fragment |
    | is-fragment | Matches if packet is a fragment |
    The scale for inet and ccc in the firewall family filter has been reduced from 250 hardware entries to 122 hardware entries.

Interfaces and Chassis

  • Support for Channelized OC3/STM1 (Multi-Rate) Circuit Emulation MIC with SFP (ACX4000)—The ACX4000 Universal Access Routers support the Channelized OC3/STM1 (Multi-Rate) Circuit Emulation MIC with SFP (model number ACX-MIC-4COC3-1COC12CE).
    The key features supported are:
    • Structure-Agnostic TDM over Packet (SAToP)
    • Pseudowire Emulation Edge to Edge (PWE3) control word for use over an MPLS packet-switched network (PSN)
  • Support for 6-port Gigabit Ethernet Copper/SFP MIC (ACX4000)—The ACX4000 Universal Access Routers support the 6-port Gigabit Ethernet Copper/SFP MIC. The 6-port Gigabit Ethernet Copper/SFP MIC features six tri-speed (10/100/1000 Mbps) Ethernet ports. Each port can be configured to operate in either RJ45 or SFP mode and can support PoE.
  • Support for chassis management (ACX4000)—The ACX4000 Universal Access Routers support the following CLI operational mode commands:
    Show commands:
    • show chassis alarms
    • show chassis craft-interface
    • show chassis environment
    • show chassis environment pem
    • show chassis fan
    • show chassis firmware
    • show chassis fpc pic-status
    • show chassis hardware (clei-models | detail | extensive | models)
    • show chassis mac-addresses
    • show chassis pic fpc-slot fpc-slot pic-slot pic-slot
    • show chassis routing-engine
    Restart command:
    • restart chassis-control (gracefully | immediately | soft)
    Request commands:
    • request chassis feb restart slot slot-number
    • request chassis mic mic-slot mic-slot fpc-slot fpc-slot (offline | online)
    • request chassis pic offline fpc-slot fpc-slot pic-slot pic-slot
  • User-defined alarms (ACX Series)—On an ACX Series router, the alarm contact port (labeled ALARM) provides four user-defined input ports and two user-defined output ports. Whenever a system condition occurs (such as a rise in temperature), the input or output port is activated, depending on the configuration.
    To view the alarm relay information, issue the show chassis craft-interface command from the Junos OS command-line interface.
  • Support for Ethernet synthetic loss measurement (ACX Series)—You can trigger on-demand and proactive Operations, Administration, and Maintenance (OAM) for measurement of statistical counter values corresponding to ingress and egress synthetic frames. Frame loss is calculated using synthetic frames instead of data traffic. These counters maintain a count of transmitted and received synthetic frames and frame loss between a pair of maintenance association end points (MEPs).
    The Junos OS implementation of Ethernet synthetic loss measurement (ETH-SLM) is fully compliant with the ITU-T Recommendation Y.1731. Junos OS maintains various counters for ETH-SLM PDUs, which can be retrieved at any time for sessions that are initiated by a certain MEP. You can clear all the ETH-SLM statistics and PDU counters.
  • Support for Network Address Translation (ACX Series)—Network Address Translation (NAT) is a method for modifying or translating network address information in packet headers. Either or both source and destination addresses in a packet may be translated. NAT can include the translation of port numbers as well as IP addresses. ACX Series routers support only source NAT for IPv4 packets. Static and destination NAT types are currently not supported on the ACX Series routers.
    Note: In ACX Series routers, NAT is supported only on the ACX1100 AC-powered router.
  • Support for inline service interface (ACX Series)—Junos OS for ACX Series Universal Access Routers supports the inline service interface. An inline service interface is a virtual physical interface that resides on the Packet Forwarding Engine. The si- interface makes it possible to provide NAT services without a special services PIC.
    To configure inline NAT, you define the service interface as type si- (service-inline) interface. You must also reserve adequate bandwidth for the inline interface. This enables you to configure both interface or next-hop service sets used for NAT.
    Note: In ACX Series routers, you can configure only one inline services physical interface as an anchor interface for NAT sessions: si-0/0/0.
  • Support for IPsec (ACX Series)—You can configure IPsec on ACX Series Universal Access Routers. The IPsec architecture provides a security suite for the IP version 4 (IPv4) network layer. The suite provides functionality such as authentication of origin, data integrity, confidentiality, replay protection, and nonrepudiation of source. In addition to IPsec, Junos OS also supports the Internet Key Exchange (IKE), which defines mechanisms for key generation and exchange, and manages security associations. IPsec also defines a security association and key management framework that can be used with any network layer protocol. The security association specifies what protection policy to apply to traffic between two IP-layer entities. IPsec provides secure tunnels between two peers.
    Note: IPsec is supported only on the ACX1100 AC-powered router.
  • Support for ATM OAM F4 and F5 cells (ACX Series)—ACX Series routers provide Asynchronous Transfer Mode (ATM) support for the following Operations, Administration, and Maintenance (OAM) fault management cell types:
    • F4 alarm indication signal (AIS) (end-to-end)
    • F4 remote defect indication (RDI) (end-to-end)
    • F4 loopback (end-to-end)
    • F5 AIS
    • F5 RDI
    • F5 loopback
    ATM OAM is supported on ACX1000, ACX2000, and ACX2100 routers, and on 16-port Channelized E1/T1 Circuit Emulation MICs on ACX4000 routers.
    Junos OS supports the following methods of processing OAM cells that traverse through pseudowires with circuit cross-connect (CCC) encapsulation:
    • Virtual path (VP) pseudowires (CCC encapsulation)
    • Port pseudowires (CCC encapsulation)
    • Virtual circuit (VC) pseudowires (CCC encapsulation)
    For ATM pseudowires, the F4 flow cell is used to manage the VP level. On ACX Series routers with ATM pseudowires (CCC encapsulation), you can configure OAM F4 cell flows to identify and report virtual path connection (VPC) defects and failures. Junos OS supports three types of OAM F4 cells in end-to-end F4 flows:
    • Virtual path AIS
    • Virtual path RDI
    • Virtual path loopback
    For OAM F4 and F5 cells, IP termination is not supported. Also, Junos OS does not support segment F4 flows, VPC continuity check, or VP performance management functions.
    For OAM F4 cells, on each VP, you can configure an interval during which to transmit loopback cells by including the oam-period statement at the [edit interfaces interface-name atm-options vpi vpi-identifier] hierarchy level. To modify OAM liveness values on a VP, include the oam-liveness statement at the [edit interfaces interface-name atm-options vpi vpi-identifier] hierarchy level.
  • Support for CESoPSN on Channelized OC3/STM1 (Multi-Rate) Circuit Emulation MIC with SFP (ACX Series)—You can configure structure-aware TDM CESoPSN on the Channelized OC3/STM1 (Multi-Rate) Circuit Emulation MIC with SFP (model number: ACX-MIC-4COC3-1COC12CE) on ACX Series routers. This rate-selectable MIC can be configured as four OC3/STM1 ports or one OC12/STM4 port.
  • Support for Point-to-Point Protocol encapsulation (ACX Series)—You can configure Point-to-Point Protocol (PPP) encapsulation on physical interfaces on ACX Series routers. PPP provides a standard method for transporting multiprotocol datagrams over a point-to-point link. PPP uses the High-Speed Data Link Control (HDLC) protocol for its physical interface and provides a packet-oriented interface for the network-layer protocols.
    PPP is supported on the following MICs on ACX Series routers:
    • On ACX1000 routers with 8-port built-in T1/E1 TDM MICs.
    • On ACX2000 and ACX2100 routers with 16-port built-in T1/E1 TDM MICs.
    • On ACX4000 routers with 16-port Channelized E1/T1 Circuit Emulation MICs.
    On ACX Series routers, E1, T1, and NxDS0 interfaces support PPP encapsulation.
  • Support for Ethernet link aggregation (ACX Series)—Junos OS for ACX Series Universal Access Routers supports Ethernet link aggregation for Layer 2 bridging. Ethernet link aggregation is a mechanism for increasing the bandwidth of Ethernet links linearly and improving the links' resiliency by bundling or combining multiple full-duplex, same-speed, point-to-point Ethernet links into a single virtual link. The virtual link interface is referred to as a link aggregation group (LAG) or an aggregated Ethernet interface. The LAG balances traffic across the member links within an aggregated Ethernet interface and effectively increases the uplink bandwidth. Another advantage of link aggregation is increased availability, because the LAG is composed of multiple member links. If one member link fails, the LAG continues to carry traffic over the remaining links.
  • 16-port Channelized E1/T1 Circuit Emulation MIC (ACX4000)—ACX4000 Universal Access Routers support the 16-port Channelized E1/T1 Circuit Emulation MIC (model number ACX-MIC-16CHE1-T1-CE).
    The key features supported on this MIC are:
    • Structure-Agnostic TDM over Packet (SAToP)
    • ATM encapsulation—Only the following ATM encapsulations are supported on this MIC:
      • ATM CCC cell relay
      • ATM CCC VC multiplex
    • ATM pseudowires
    • ATM quality-of-service (QoS) features—traffic shaping, scheduling, and policing
    • ATM Operation, Administration, and Maintenance
    • ATM (IMA) protocol at the T1/E1 level with up to 16 IMA (Inverse Multiplexing for ATM) groups. Each group can have 1-8 IMA links.
  • Support for PIM and IGMP in global domain (ACX Series)—Junos OS for ACX Series Universal Access Routers supports Protocol Independent Multicast (PIM) and Internet Group Management Protocol (IGMP) messages for multicast data delivery. ACX Series routers are used as a leaf in the multicast distribution tree so that subscribers in the global domain can directly connect to the ACX Series routers through IPv4 interfaces. ACX Series routers can also be used as a branch point in the tree so that they are connected to other downstream ACX Series or MX Series routers and send multicast data according to the membership established through the PIM or IGMP messaging.
    Note: ACX Series routers support only sparse mode. Dense mode on ACX series is supported only for control multicast groups for autodiscovery of rendezvous point (auto-RP).
    You can configure IGMP on the subscriber-facing interfaces to receive IGMP control packets from subscribers, which in turn triggers the PIM messages to be sent out of the network-facing interface toward the rendezvous point (RP).
    Note: ACX Series routers do not support IPv6 interfaces for multicast data delivery and RP functionality.
  • Support for dying-gasp PDU generation (ACX Series)—Junos OS for ACX Series Universal Access Routers supports the generation of dying-gasp protocol data units (PDUs). Dying gasp refers to an unrecoverable condition such as a power failure. In this condition, the local peer informs the remote peer about the failure state. When the remote peer receives a dying-gasp PDU, it takes an action corresponding to the action profile configured with the link-adjacency-loss event.
    ACX Series routers can generate and receive dying-gasp packets. When LFM is configured on an interface, a dying-gasp PDU is generated for the interface on the following failure conditions:
    • Power failure
    • Packet Forwarding Engine panic or a crash
  • Support for logical tunnels (ACX Series)—Logical tunnel (lt-) interfaces provide quite different services depending on the host router. On ACX Series routers, logical tunnel interfaces enable you to connect a bridge domain and a pseudowire.
    To create tunnel interfaces, an FPC and the corresponding Packet Forwarding Engine on an ACX Series router must be configured to be used for tunneling services at the [edit chassis] hierarchy level. The amount of bandwidth reserved for tunnel services must also be configured.
    To create logical tunnel interfaces and the bandwidth in gigabits per second to reserve for tunnel services, include the tunnel-services bandwidth (1g | 10g) statement at the [edit chassis fpc slot-number pic number] hierarchy level.
  • Support for PPP encapsulation on Channelized OC3/STM1 (Multi-Rate) Circuit Emulation MIC with SFP (ACX Series)—On ACX4000 routers, you can configure Point-to-Point Protocol (PPP) encapsulation on physical interfaces on Channelized OC3/STM1 (Multi-Rate) Circuit Emulation MIC with SFP. PPP provides a standard method for transporting multiprotocol datagrams over a point-to-point link. PPP uses the High-Speed Data Link Control (HDLC) protocol for its physical interfaces and provides a packet-oriented interface for the network-layer protocols.
    On ACX Series routers, E1, T1, and NxDS0 interfaces support PPP encapsulation.
    IP class of service (CoS) is not supported on PPP interfaces. All the traffic is sent to the best effort queue (queue 0) and CoS code points are not processed. Also, fixed classifiers are not supported. PPP is supported only for IPv4 networks.
  • Support for dual-rate SFP+ modules (ACX Series)—ACX2000, ACX2100, and ACX4000 routers support the dual-rate SFP+ optic modules. These modules operate at either 1 Gbps or 10 Gbps speeds. When you plug the module into the small form-factor pluggable plus (SFP+) slot, the module can be set at either 1 Gbps or 10 Gbps.
    ACX Series routers use the 2-port 10-Gigabit Ethernet (LAN) SFP+ MIC in the following two combinations:
    • 2-port 10-Gigabit Ethernet (LAN) SFP+ uses BCM84728 PHY on ACX2100/ACX4000 routers.
    • 2-port 10-Gigabit Ethernet (LAN) SFP+ uses BCM8728/8747 on ACX2000 routers.
    To configure an xe port in 1-Gigabit Ethernet mode, use the set interfaces xe-x/y/z speed 1g statement. To configure an xe port in 10-Gigabit Ethernet mode, use the set interfaces xe-x/y/z speed 10g statement. The default speed mode is 1-Gigabit Ethernet mode.
  • Support for inverse multiplexing for ATM (IMA) on Channelized OC3/STM1 (Multi-Rate) Circuit Emulation MIC with SFP (ACX Series)—You can configure inverse multiplexing for ATM (IMA) on the Channelized OC3/STM1 (Multi-Rate) Circuit Emulation MIC with SFP (model number: ACX-MIC-4COC3-1COC12CE) on ACX Series routers. You can configure four OC3/STM1 ports or one OC12/STM4 port on this rate-selectable MIC.
  • Support for TDR for diagnosing cable faults (ACX Series)—Junos OS for ACX Series Universal Access Routers supports Time Domain Reflectometry (TDR), which is a technology used for diagnosing copper cable states. This technique can be used to determine whether cabling is at fault when you cannot establish a link. TDR detects the defects by sending a signal through a cable, and reflecting it from the end of the cable. Open circuits, short circuits, sharp bends, and other defects in the cable reflect the signal back at different amplitudes, depending on the severity of the defect. TDR diagnostics is supported only on copper interfaces and not on fiber interfaces.
    TDR provides the following capabilities that you can use to effectively identify and correct cable problems:
    • Display detailed information about the status of a twisted-pair cable, such as cable pair being open or short-circuited.
    • Determine the distance in meters at which open or short-circuit is detected.
    • Detect whether or not the twisted pairs are swapped.
    • Identify the polarity status of the twisted pair.
    • Determine any downshift in the connection speed.

Installation

  • Support for USB autoinstallation from XML file (ACX Series routers)—Junos OS for ACX Series Universal Access Routers supports USB autoinstallation using the configuration file in XML format. The USB-based autoinstallation process overrides the network-based autoinstallation process. If the ACX Series router detects a USB Disk-on-Key device containing a valid configuration file during autoinstallation, the router uses the configuration file on Disk-on-Key instead of fetching the configuration from the network.
  • Support for hybrid mode of autoinstallation—Junos OS for ACX Series Universal Access Routers supports hybrid mode of autoinstallation. The autoinstallation mechanism allows the router to configure itself out-of-the-box with no manual intervention, using the configuration available on the network, locally through a removable media, or using a combination of both. ACX Series routers support the retrieval of partial configuration from an external USB storage device plugged into the router’s USB port during the autoinstallation process. This partial configuration in turn facilitates the network mode of autoinstallation to retrieve the complete configuration file from the network. This method is called hybrid mode of autoinstallation.

Layer 2 Features

  • Support for Layer 2 security (ACX Series)—ACX Series routers support bridge family firewall filters. These family filters can be configured at the logical interface level and can be scaled up to 124 terms for ingress traffic, and 126 terms for egress traffic.
  • Support for Ethernet Local Management Interface protocol (ACX Series)—The Ethernet Local Management Interface (E-LMI) protocol on ACX Series Universal Access Routers supports Layer 2 circuit and Layer 2 VPN Ethernet virtual connection (EVC) types.
    Junos OS for ACX Series Universal Access Routers supports E-LMI only on provider edge (PE) routers.
  • Support for Layer 2 control protocols and Layer 2 protocol tunneling (ACX Series)—You can configure spanning tree protocols to prevent Layer 2 loops in a bridge domain. Layer 2 control protocols for ACX Series Universal Access Routers include the Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), Multiple Spanning Tree Protocol (MSTP), VLAN Spanning Tree Protocol (VSTP), and Link Layer Discovery Protocol (LLDP). ACX Series routers can support up to 128 STP instances, which includes all instances of VSTP, MSTP, RSTP and STP.
    Layer 2 protocol tunneling (L2PT) is supported on ACX Series routers. L2PT allows Layer 2 protocol data units (PDUs) to be tunneled through a network. L2PT can be configured on a port on a customer-edge router by using MAC rewrite configuration. MAC rewrite is supported for STP, Cisco Discovery Protocol (CDP), VLAN Trunk Protocol (VTP), IEEE 802.1X, IEEE 802.3ah, Ethernet Local Management Interface (E-LMI), Link Aggregation Control Protocol (LACP), Link Layer Discovery Protocol (LLDP), Multiple MAC Registration Protocol (MMRP), and Multiple VLAN Registration Protocol (MVRP) packets.
  • Support for Layer 2 bridging (ACX Series)—Junos OS for ACX Series Universal Access Routers supports Layer 2 bridging and Q-in-Q tunneling. A bridge domain is created by adding a set of Layer 2 logical interfaces in a bridge domain to represent a broadcast domain. Layer 2 logical interfaces are created by defining one or more logical units on a physical interface with encapsulation as ethernet-bridge or vlan-bridge. All the member ports of the bridge domain participate in Layer 2 learning and forwarding. You can configure one or more bridge domains to perform Layer 2 bridging. You can optionally disable learning on a bridge domain.
    Note: ACX Series routers do not support the creation of bridge domains by using access and trunk ports.
    On ACX Series routers, you can configure E-LAN and E-LINE services on bridge domains. When you configure E-LAN and E-LINE services by using a bridge domain without a vlan-id statement, the bridge domain should explicitly be normalized by an input VLAN map to a service VLAN ID and TPID. Explicit normalization is required when a logical interface’s outer VLAN ID and TPID are not the same as the service VLAN ID and TPID of the service being configured.
  • Support for IEEE 802.1ad classifier (ACX Series)—Junos OS for ACX Series Universal Access Routers supports the IEEE 802.1ad classifier. Rewrite rules at the physical interface level support the IEEE 802.1ad bit value. The IEEE 802.1ad classifier uses IEEE 802.1p and DEI bits together. On logical interfaces, only fixed classifiers are supported.
    You can configure either IEEE 802.1p or IEEE 802.1ad classifiers at the physical interface level. You can define the following features:
    • IEEE 802.1ad classifiers (inner or outer)
    • IEEE 802.1ad rewrites (outer)
    Note: You cannot configure both IEEE 802.1p and IEEE 802.1ad classifiers together at the physical interface level.
    ACX Series routers support the IEEE 802.1ad classifier and rewrite along with the existing class-of-service features for Layer 2 interfaces.
  • Support for OAM with Layer 2 bridging as a transport mechanism (ACX Series)—Junos OS for ACX Series Universal Access Routers supports the following OAM features that use Layer 2 bridging as a transport mechanism:
    • IEEE 802.3ah LFM—IEEE 802.3ah link fault management (LFM) operates at the physical interface level and the packets are sent using Layer 2 bridging as a transport mechanism.
    • Dying-gasp packets—Dying-gasp PDU generation operates at the physical interface level. Dying-gasp packets are sent through the IEEE 802.3ah LFM-enabled interfaces.
    • IEEE 802.1ag and ITU-T Y.1731 protocols on down MEPs—IEEE 802.1ag configuration fault management (CFM) and ITU-T Y.1731 performance-monitoring OAM protocols, which are used for end-to-end Ethernet services, are supported only on down maintenance association end points (MEPs). The ITU-T Y.1731 protocol supports delay measurement on down MEPs but does not support loss measurement on down MEPs.
  • Support for Storm Control—Storm control is supported on ACX Series routers. Storm control is only applicable at the IFD level for ACX Series. When a traffic storm is seen on the interface configured for storm control, the default action is to drop the packets exceeding the configured bandwidth. No event is generated as part of this. Storm control is not enabled on the interface by default.
  • Support for RFC 2544-based benchmarking tests (ACX Series)—Junos OS for ACX Series Universal Access Routers supports RFC 2544-based benchmarking tests for E-LINE and E-LAN services configured using bridge domains. RFC 2544 defines a series of tests that can be used to describe the performance characteristics of network interconnecting devices. The RFC 2544 test methodology can be applied to a single device under test, or a network service (a set of devices working together to provide end-to-end service). When applied to a service, the RFC 2544 test results can characterize the service-level-agreement parameters.
    RFC 2544 tests are performed by transmitting test packets from a device that functions as the generator or the initiator. These packets are sent to a device that functions as the reflector, which receives and returns the packets back to the initiator.
    ACX Series routers support RFC 2544 tests to measure throughput, latency, frame loss rate, and back-to-back frames.
    With embedded RFC 2544, an ACX Series router can be configured as an initiator and reflector.
    • You can configure RFC 2544 tests on the following underlying services:
      • Between two IPv4 endpoints.
      • Between two user-to-network interfaces (UNIs) of Ethernet Virtual Connection (EVC), Ethernet Private Line (EPL, also called E-LINE), Ethernet Virtual Private Line (EVPL), EVC (EPL, EVPL).
  • Support for IEEE 802.1ag and ITU-T Y.1731 OAM protocols on up MEPs (ACX Series)—Junos OS for ACX Series Universal Access Routers supports IEEE 802.1ag configuration fault management (CFM) and ITU-T Y.1731 performance-monitoring OAM protocols on up maintenance association end points (MEPs). CFM OAM protocol is supported on link aggregation group (LAG) or aggregated Ethernet (AE) interfaces. The ITU-T Y.1731 protocol supports delay measurement on up MEPs but does not support loss measurement on up MEPs.
    Note: ACX Series routers do not support ITU-T Y.1731 OAM protocol on AE interfaces.
  • Support for Ethernet alarm indication signal (ACX Series)—Junos OS for ACX Series Universal Access Routers supports the ITU-T Y.1731 Ethernet alarm indication signal function (ETH-AIS) to provide fault management for service providers. ETH-AIS enables you to suppress alarms when a fault condition is detected. Using ETH-AIS, an administrator can differentiate between faults at the customer level and faults at the provider level. When a fault condition is detected, a maintenance end point (MEP) generates ETH-AIS packets to the configured client levels for a specified duration until the fault condition is cleared. Any MEP configured to generate ETH-AIS packets signals to a level higher than its own. A MEP receiving ETH-AIS recognizes that the fault is at a lower level and then suppresses alarms at the level the MEP is in.
    ACX Series routers support ETH-AIS PDU generation for server MEPs on the basis of the following defect conditions:
    • Loss of connectivity (physical link loss detection)
    • Layer 2 circuit or Layer 2 VPN down
  • Support for Ethernet ring protection switching (ACX Series)—You can configure Ethernet ring protection switching (ERPS) on ACX Series routers to achieve high reliability and network stability. The basic idea of an Ethernet ring is to use one specific link, called the ring protection link (RPL), to protect the whole ring. Links in the ring will never form loops that fatally affect the network operation and services availability.
    ACX Series routers support multiple Ethernet ring instances that share the physical ring. Each instance has its own control channel and a specific data channel. Each ring instance can take a different path to achieve load balancing in the physical ring. When no data channel is specified, ERP operates only on the VLAN ID associated with the control channel. G.8032 open rings are supported.
    ACX Series routers do not support aggregate Ethernet–based rings.
    To configure Ethernet ring protection switching, include the protection-ring statement at the [edit protocols] hierarchy level.
  • Support for integrated routing and bridging (ACX Series)—Junos OS for ACX Series Universal Access Routers supports integrated routing and bridging (IRB) functionality. IRB provides routing capability on a bridge domain. To enable this functionality, you need to configure an IRB interface as a routing interface in a bridge domain and then configure a Layer 3 protocol such as IP or ISO on the IRB interface.
    ACX Series routers support IRB for routing IPv4 packets. IPv6 and MPLS packets are not supported.
  • Support for IGMP snooping (ACX Series)—Junos OS for ACX Series routers supports IGMP snooping functionality. IGMP snooping functions by snooping at the IGMP packets received by the switch interfaces and building a multicast database similar to the one a multicast router builds in a Layer 3 network. Using this database, the switch can forward multicast traffic only to the downstream interfaces of interested receivers. This technique allows more efficient use of network bandwidth, particularly for IPTV applications. You configure IGMP snooping for each bridge on the router.
  • Support for unicast reverse path forwarding (ACX Series)—For interfaces that carry IPv4 or IPv6 traffic, you can reduce the impact of denial-of-service (DoS) attacks by configuring unicast reverse path forwarding (RPF). Unicast RPF helps determine the source of attacks and rejects packets from unexpected source addresses on interfaces where unicast RPF is enabled.
    Reverse path forwarding is not supported on the interfaces that you configure as tunnel sources. This limitation affects only the transit packets exiting the tunnel.
    To configure unicast reverse path forwarding, issue the rpf-check statement at the [edit interfaces interface-name unit logical-unit-number family inet] hierarchy level. RPF fail filters are not supported on ACX Series routers. The RPF check to be used when routing is asymmetrical is not supported.
  • Support for disabling local switching in bridge domains (ACX Series)—In a bridge domain, when a frame is received from a customer edge (CE) interface, it is flooded to the other CE interfaces and all of the provider edge (PE) interfaces if the destination MAC address is not learned or if the frame is either broadcast or multicast.
    To prevent CE devices from communicating directly, include the no-local-switching statement at the [edit bridge-domains bridge-domain-name] hierarchy level. Configure the logical interfaces in the bridge domain as core-facing (PE interfaces) by including the core-facing statement at the [edit interfaces interface-name unit logical-unit-number family family] hierarchy level to specify that the VLAN is physically connected to a core-facing ISP router and ensure that the network does not improperly treat the interface as a client interface. When local switching is disabled, traffic from one CE interface is not forwarded to another CE interface.
  • Support for hierarchical VPLS (ACX Series)—Hierarchical LDP-based VPLS requires a full mesh of tunnel LSPs between all the PE routers that participate in the VPLS service. Using hierarchical connectivity reduces signaling and replication overhead to facilitate large-scale deployments. In a typical IPTV solution, IPTV sources are in the public domain and the subscribers are in the private VPN domain.
    For an efficient delivery of multicast data from the IPTV source to the set-top boxes or to subscribers in the private domain using the access devices (ACX Series routers in this case), P2MP LSPs and MVPN are necessary. Because VPLS and MVPN are not supported on ACX routers, an alternative approach is used to achieve hierarchical VPLS (HVPLS) capabilities. The subscriber devices are connected to a VPLS or a Layer 3 VPN domain on the ACX Series (access) router and they are configured to import the multicast routes. The support for PIM snooping in Layer 3 interfaces, IGMP snooping in Layer 2 networks, IRB interfaces, and logical tunnel interfaces enables HVPLS support.
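
The unicast RPF item in the list above describes rejecting packets whose source address is unexpected on the arrival interface. The following added example (not Juniper code, and not part of the original release notes) models the generic strict-mode rule with a longest-prefix-match lookup; the prefixes, interface names and packets are constructed, and the last packet shows why asymmetric routing matters when only the strict check is available.

```python
import ipaddress

# Constructed routing table (documentation prefixes, hypothetical interface names).
ROUTES = {
    "198.51.100.0/24": "ge-0/0/1.0",   # customer A
    "203.0.113.0/24": "ge-0/0/2.0",    # customer B
    "203.0.113.128/25": "ge-0/0/3.0",  # more-specific: part of B reached via another link
}

def build_fib(routes):
    """Parse prefixes and order them longest-first for longest-prefix match."""
    fib = [(ipaddress.ip_network(p), ifl) for p, ifl in routes.items()]
    return sorted(fib, key=lambda e: e[0].prefixlen, reverse=True)

def best_route(fib, addr):
    """Return (prefix, interface) of the longest match for addr, or None."""
    ip = ipaddress.ip_address(addr)
    for net, ifl in fib:
        if ip in net:
            return net, ifl
    return None

def strict_rpf(fib, src, in_ifl):
    """Strict check: accept only if the best route back to src uses in_ifl."""
    route = best_route(fib, src)
    if route is None:
        return "drop", "no route to source"
    net, ifl = route
    if ifl != in_ifl:
        return "drop", f"best path to {net} is {ifl}, not {in_ifl}"
    return "accept", f"{net} is reached via {in_ifl}"

# Constructed packets: (source address, arrival interface).
PACKETS = [
    ("198.51.100.7", "ge-0/0/1.0"),   # genuine customer A host
    ("203.0.113.9", "ge-0/0/1.0"),    # customer B address arriving on A's link
    ("192.0.2.50", "ge-0/0/1.0"),     # source with no route at all
    ("203.0.113.200", "ge-0/0/2.0"),  # real host, but return path is asymmetric
]

def evaluate(packets=PACKETS, routes=ROUTES):
    """Run the strict check over every packet; returns (src, ifl, verdict, reason)."""
    fib = build_fib(routes)
    return [(src, ifl) + strict_rpf(fib, src, ifl) for src, ifl in packets]

if __name__ == "__main__":
    for src, ifl, verdict, reason in evaluate():
        print(f"{src:15} on {ifl}: {verdict:6} ({reason})")
```

The fourth packet is legitimate traffic dropped by the strict rule, which is the case to check for before enabling rpf-check on an interface whose return routes may leave by a different link.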

Management

  • Support for real-time performance monitoring (ACX Series)—Real-time performance monitoring (RPM) allows you to perform service-level monitoring. When RPM is configured on a router, the router calculates network performance based on packet response time, jitter, and packet loss. You can configure these values to be gathered by HTTP, Internet Control Message Protocol (ICMP), TCP, and UDP requests. The router gathers RPM statistics by sending out probes to a specified probe target, identified by an IP address. When the target receives a probe, it generates responses that are received by the router. You set the probe options in the test test-name statement at the [edit services rpm probe owner] hierarchy level. You use the show services rpm probe-results command to view the results of the most recent RPM probes.
    Note: Packet Forwarding Engine timestamping is available only for ICMP probes and for UDP probes with the destination port set to UDP_ECHO port (7).
  • Support for Virtual Router Redundancy Protocol version 2 (ACX Series)—Junos OS for ACX Series Universal Access Routers supports Virtual Router Redundancy Protocol (VRRP) version 2 configuration. VRRP enables hosts on a LAN to make use of redundant routers on that LAN without requiring more than the static configuration of a single default route on the hosts. Routers running VRRP share the IP address corresponding to the default route configured on the hosts. At any time, one of the routers running VRRP is the master (active) and the others are backups. If the master fails, one of the backup routers becomes the new master router, providing a virtual default router and enabling traffic on the LAN to be routed without relying on a single router. Using VRRP, a backup router can take over a failed default router within a few seconds. This is done with minimum VRRP traffic and without any interaction with the hosts.
  • Support for DHCP client and DHCP server (ACX Series)—ACX Series Universal Access Routers can be enabled to function as a DHCP client and an extended DHCP local server. An extended DHCP local server provides an IP address and other configuration information in response to a client request in the form of an address-lease offer. An ACX Series router configured as a DHCP client can obtain its TCP/IP settings and the IP address from a DHCP local server.
  • Support for preserving DHCP server subscriber information (ACX Series)—Junos OS for ACX Series Universal Access Routers preserves DHCP server subscriber binding information. An ACX Series router functioning as a DHCP server stores the subscriber binding information to a file, and when the router reboots, the subscriber information is read from the file and restored.
  • Support for Two-Way Active Measurement Protocol (ACX Series)—Junos OS for ACX Series Universal Access Routers supports Two-Way Active Measurement Protocol (TWAMP). TWAMP provides a method for measuring round-trip IP performance between two devices in a network. ACX Series routers support only the reflector side of TWAMP.

Routing

  • Support for ECMP flow-based forwarding (ACX Series)—Junos OS for ACX Series Universal Access Routers supports equal-cost multipath (ECMP) flow-based forwarding. An ECMP set is formed when the routing table contains multiple next-hop addresses for the same destination with equal cost. If there is an ECMP set for the active route, Junos OS uses a hash algorithm to choose one of the next-hop addresses in the ECMP set to install in the forwarding table. You can configure Junos OS so that multiple next-hop entries in an ECMP set are installed in the forwarding table. On ACX Series routers, per-flow load balancing can be performed to spread traffic across multiple paths between the routers.
    ECMP flow-based forwarding is supported for IPv4, IPv6, and MPLS packets.

Security

  • Support for IP and MAC address validation (ACX Series)—Junos OS for ACX Series Universal Access Routers supports IP and MAC address validation. This feature enables the ACX Series router to validate that received packets contain a trusted IP source and an Ethernet MAC source address. Configuring MAC address validation can provide additional validation when subscribers access billable services. MAC address validation provides additional security by enabling the router to drop packets that do not match, such as packets with spoofed addresses.
  • Support for unattended boot mode (ACX Series)—Junos OS for ACX Series Universal Access Routers supports unattended boot mode. The unattended boot mode feature blocks any known methods of getting access to the router from CPU reset until the Junos OS login prompt, thereby preventing a user from making any unauthorized changes on the router such as viewing, modifying, or deleting configuration information.

Subscriber Access Management

  • Support for DHCP relay agent (ACX Series)—You can configure extended DHCP relay options on an ACX Series router and enable the router to function as a DHCP relay agent. A DHCP relay agent forwards DHCP request and reply packets between a DHCP client and a DHCP server that might or might not reside in the same IP subnet.
    To configure the DHCP relay agent on the router for IPv4 packets, include the dhcp-relay statement at the [edit forwarding-options] hierarchy level. You can also include the dhcp-relay statement at the [edit routing-instances routing-instance-name forwarding-options] and the [edit routing-instances routing-instance-name protocols vrf] hierarchy levels.

Timing and Synchronization

  • Support for PTP over Ethernet (ACX Series)—Precision Time Protocol (PTP) is supported over IEEE 802.3 or Ethernet links on ACX Series routers. This functionality is supported in compliance with the IEEE 1588-2008 specification. PTP over Ethernet enables effective implementation of packet-based technology that enables the operator to deliver synchronization services on packet-based mobile backhaul networks that are configured in Ethernet rings. Deployment of PTP at every hop in an Ethernet ring using the Ethernet encapsulation method enables the creation of robust, redundant, and high-performance topologies that provide highly precise time and phase synchronization.
  • PTP slave performance metrics (ACX Series)—Precision Time Protocol (PTP) slave devices are used to provide frequency and time distribution throughout large networks. On ACX Series routers, PTP slave devices calculate performance metrics based on standard PTP timing messages. These performance metrics include both inbound and outbound packet delay and jitter between the PTP slave and master. Metrics are exported every 15 minutes to Junos Space. Performance metrics are also stored locally on the ACX Series router and can be accessed with the show ptp performance-monitor [short-term | long-term] command.
  • Support for hybrid mode (ACX Series)—Junos OS for ACX Series Universal Access Routers supports hybrid mode, which is a combined operation of Synchronous Ethernet and Precision Time Protocol (PTP). In hybrid mode, the synchronous Ethernet equipment clock (EEC) on the router derives the frequency from Synchronous Ethernet and the phase and time of day from PTP. Time synchronization includes both phase synchronization and frequency synchronization.
    Synchronous Ethernet supports hop-by-hop frequency transfer, where all interfaces on the trail must support Synchronous Ethernet. PTP (also known as IEEE 1588v2) synchronizes clocks between nodes in a network, thereby enabling the distribution of an accurate clock over a packet-switched network.
    To configure the router in hybrid mode, you must configure Synchronous Ethernet options at the [edit chassis synchronization] hierarchy level and configure PTP options at the [edit protocols ptp] hierarchy level. Configure hybrid mode options by including the hybrid statement at the [edit protocols ptp slave] hierarchy level.