Errata

This section lists outstanding issues with the documentation.

Software Installation and Upgrades

• JUNOS software Release 9.1 does not provide unified in-service software upgrade (ISSU) support for the 4-port OC192 SONET/SDH PIC. When you perform a unified ISSU, the software issues a warning that the PIC will be brought offline. After the PIC is brought offline and the ISSU is complete, the PIC is brought back online with the new firmware. [JUNOS High Availability Configuration Guide]

User Interface and Configuration

• The show system statistics bridge command displays system statistics on MX-series routers. [System Basics Command Reference]
• When specifying a URL in a JUNOS statement using an IPv6 host address, you must enclose the entire URL in quotation marks (" ") and enclose the IPv6 host address in brackets ([ ]). For example, "ftp://username<:password>@[host-address]<:port>/url-path" or "scp://username<:password>@[host-address]<:port>/url-path". This type of URL format appears in the system archival statement syntax. Not using the quotations and brackets in conjunction with using an IPv6 host address results in a failure when the transfer on commit is executed. [System Basics]
• The show chassis temperature-thresholds command output displays temperatures in degrees Celsius. [System Basics Command Reference]
• The traceroute mpls ldp and the traceroute mpls rsvp commands are used to trace the route to a remote host for an MPLS-label switched path signaled by LDP and RSVP respectively. Both these commands have some command options specific to them that are not available in the parent traceroute command.

  The syntax of the traceroute mpls ldp command is:

  traceroute mpls <ldp> fec

  <destination>

  <detail>

  <exp>

  <fanout>

  <logical-system>

  <no-resolve>

  <paths>

  <retries>

  <routing-instance>

  <source>

  <ttl>

  <update>

  <wait>

  The following options are specific to the traceroute mpls ldp command:

  fec — Specify the IP address and optional prefix of FEC.destination — (Optional) Specify the destination address to use when sending probes.detail — (Optional) Display detailed output.exp — (Optional) Specify the class-of-service to use when sending probes. The range of values is 0 through 7. The default value is 7.fanout — (Optional) Specify the maximum number of nexthops to search per node. The range of values is 1 through 16. The default value is 16.paths — (Optional) Specify the number of paths to search. The range of values is 1 through 255. The default value is 16.retries — (Optional) Specify the number of times to resend probe. values. The range of values is 1 through 9. The default value is 3.

  The syntax of the traceroute mpls rsvp command is:

  traceroute mpls <rsvp> lsp-name

  <detail>

  <exp>

  <logical-system>

  <no-resolve>

  <retries>

  <source>

  The following options are specific to the traceroute mpls rsvp command:

  lsp-name — Specify the name of the LSP to be traced.detail — (Optional) Display detailed output.exp — (Optional) Specify the class-of-service to use when sending probes. The range of values is 0 through 7. The default value is 7.retries — (Optional) Specify the number of times to resend probe. The range of values is 1 through 9. The default value is 3.

  For a description of the other common command options, see the documentation for the parent traceroute command. [System Basics Command Reference]

• The correct description of the compress-configuration-files statement available at the [edit system] hierarchy level is “Compress the current operational configuration file. By default, the current operational configuration file is compressed, and is stored in the file juniper.conf, in the /config file system, along with the last three committed versions of the configuration.” [System Basics]
• The correct description of the path-mtu-discovery statement available at the [edit system internet-options] hierarchy level is:

  Configure path MTU discovery for outgoing Transmission Control Protocol (TCP) connections:

  • path-mtu-discovery—Path MTU discovery is enabled.
  • no-path-mtu-discovery—Path MTU discovery is disabled.

  [System Basics]

• The “Configuring the Authentication Order” topic has been revised to address some issues. [System Basics]. The following is the revised content:

  Configuring the Authentication Order—Using the authentication-order statement, you can prioritize the order in which the JUNOS software tries the different authentication methods when verifying user access to a router.

  To configure the authentication order, include the authentication-order statement at the [edit system] hierarchy level:

  [edit system]

  authentication-order [authentication-methods ];

  Specify one or more of the following authentication methods in the preferred order, from first tried to last tried:

  • radius—Verify the user using RADIUS authentication services
  • tacplus—Verify the user using TACACS+ authentication services.
  • password—Verify the user using the username and password configured locally by including the authentication statement at the [edit system login user] hierarchy level.

  For each login attempt, the JUNOS software tries the configured authentication methods in order until the password is accepted. If the username and password are accepted, the login attempt succeeds and no other authentication methods are tried. The next method in the authentication order is consulted if the previous authentication method fails to respond OR if the method returns a reject response to the login attempt due to an incorrect username or password.

  If none of the configured authentication methods accept the login credentials and if a reject response is received, the login attempt fails. If no response is received from any configured authentication method, the JUNOS software consults local password authentication as a last resort.

  Using RADIUS or TACACS+ Authentication—You can configure the JUNOS software to be both a RADIUS or TACACS+ authentication client.

  If an authentication method included in the [authentication-order] statement is not available, or if the authentication is available but returns a reject response, the JUNOS software tries the next authentication method included in the authentication-order statement.

  The RADIUS or TACACS+ server authentication might fail because of the following reasons:

  • The authentication method is configured, but the corresponding authentication servers are not configured. For instance, the radius and tacplus authentication methods are included in the authentication-order statement, but the corresponding RADIUS or TACACS+ servers are not configured at the respective [edit system radius-server] and [edit system tacplus-server] hierarchy levels.
  • The RADIUS or TACACS+ server does not respond within the timeout period configured at the [edit system radius-server] or [edit system tacplus-server] hierarchy levels.
  • The RADIUS or TACACS+ server is not reachable due to a network problem.

  The RADIUS or TACACS+ server authentication might return a reject response because of the following reasons:

  • The user profiles of users accessing a router might not be configured on the RADIUS or TACACS+ server.
  • The user enters incorrect logon credentials.

  Using Local Password Authentication—You can explicitly configure the password authentication method or use this method as a fallback mechanism when remote authentication servers fail. The password authentication method consults the local user profiles configured at the [edit system login] hierarchy level. Users can log in to a router using their local user name and password in the following scenarios:

  • The password authentication method (password) is explicitly configured as one of the authentication methods in the [authentication-order authentication-methods] statement. In this case, the password authentication is consulted if no previous authentication accepts the logon credentials. This is true whether the previous authentication method fails to respond or returns a reject response due to an incorrect username or password.
  • The password authentication method is not explicitly configured as one of the authentication methods in the [authentication-order authentication-methods] statement. In this case, the password authentication method is consulted only if all configured authentication methods fail to respond. It is not consulted if any configured authentication method returns a reject response due to an incorrect username or password.

  Order of Authentication Attempts—The following table describes how the authentication-order statement at the [edit system] hierarchy level determines the procedure that the JUNOS software uses to authenticate users for access to a routing platform:

  Table 1: Order of Authentication Attempts

  Syntax	Order of Authentication Attempts
  authentication-order radius;	Try configured RADIUS authentication servers. If RADIUS server is available and authentication is accepted, grant access. If RADIUS server is available but authentication is rejected, deny access. If RADIUS servers are not available, try password authentication. Note: If a RADIUS server is available, password authentication is not attempted, because it is not explicitly configured in the authentication order.
  authentication-order [ radius password ];	Try configured RADIUS authentication servers. If RADIUS servers fail to respond or return a reject response, try password authentication, because it is explicitly configured in the authentication order.
  authentication-order [ radius tacplus ];	Try configured RADIUS authentication servers. If RADIUS server is available and authentication is accepted, grant access. If RADIUS servers fail to respond or return a reject response, try configured TACACS+ servers. If TACACS+ server is available and authentication is accepted, grant access. If TACACS+ server is available but authentication is rejected, deny access. If both RADIUS and TACACS+ servers are not available, try password authentication. Note: If either RADIUS or TACACS+ servers are available, password authentication is not attempted, because it is not explicitly configured in the authentication order.
  authentication-order [ radius tacplus password ];	Try configured RADIUS authentication servers. If RADIUS server is available and authentication is accepted, grant access. If RADIUS servers fail to respond or return a reject response, try configured TACACS+ servers. If TACACS+ server is available and authentication is accepted, grant access. If TACACS+ servers fail to respond or return a reject response, try password authentication, because it is explicitly configured in the authentication order.
  authentication-order tacplus;	Try configured TACACS+ authentication servers. If TACACS+ server is available and authentication is accepted, grant access. If TACACS+ server is available but authentication is rejected, deny access. If TACACS+ servers are not available, try password authentication. Note: If a TACACS+ server is available, password authentication is not attempted, because it is not explicitly configured in the authentication order.
  authentication-order [ tacplus password ];	Try configured TACACS+ authentication servers. If TACACS+ servers fail to respond or return a reject response, try password authentication, because it is explicitly configured in the authentication order.
  authentication-order [ tacplus radius ];	Try configured TACACS+ authentication servers. If TACACS+ server is available and authentication is accepted, grant access. If TACACS+ servers fail to respond or return a reject response try configured RADIUS servers. If RADIUS server is available and authentication is accepted, grant access. If RADIUS server is available but authentication is rejected, deny access. If both TACACS+ and RADIUS servers are not available, try password authentication. Note: If either TACACS+ or RADIUS servers are available, password authentication is not attempted, because it is not explicitly configured in the authentication order.
  authentication-order [ tacplus radius password ];	Try configured TACACS+ authentication servers. If TACACS+ server is available and authentication is accepted, grant access. If TACACS+ servers fail to respond or return a reject response try configured RADIUS servers. If RADIUS server is available and authentication is accepted, grant access. If RADIUS servers fail to respond or return a reject response try password authentication, because it is explicitly configured in the authentication order.
  authentication-order password;	Try to authenticate the user, using the password configured at the [edit system login] hierarchy level. If the authentication is accepted, grant access. If the authentication is rejected, deny access.

Interfaces and Chassis

• For 10-Gigabit Ethernet IQ2 interfaces, you can define the TPIDs expected to be sent or received on a particular VLAN. For each Gigabit Ethernet port, you can configure up to eight TPIDs using the tag-protocol-id statement. However, only the first four TPIDs are supported on 10-Gigabit Ethernet IQ2 interfaces. [Network Interfaces]
• To configure the Link Aggregation Control Protocol (LACP), include the lacp statement at the [edit protocols] hierarchy level. [Network Interfaces]
• When the VRRP virtual interface is down, the output of the show vrrp extensive and show vrrp detail commands now show N/A for the Master router: field. Previously when you issued these commands, the Master router: field displayed the IP address of the last known master router. [Interfaces Command Reference]
• The show interfaces terse command includes a new routing-instance all option. When executing the show interfaces terse command using the routing-instance all option, interfaces for all routing instances are displayed. [Interfaces Command Reference]
• The physical interface hold time can be configured from 0 to 4,294,967,296 milliseconds. To configure the hold time, include the hold-time statement at the [edit interfaces interface-name] hierarchy level. [Network Interfaces]
• The show interfaces command now includes the routing-instance option, which displays the names of the routing instances associated with each interface. In addition, the show interfaces interface-name routing-instance routing-instance-name extensive command displays the logical interfaces associated with the specified routing instance. [Interfaces Command Reference]
• The show interfaces command has been modified so that when a physical interface is specified within a logical routing instance, the command output only displays information about the logical interfaces defined within the scope of that logical routing instance. Information about the physical interface itself is displayed only in the master routing instance. [Interfaces Command Reference]

Services Applications

• To enable multicast filters on Ethernet interfaces when IPv6 NAT is used for neighbor discovery, you must include the ipv6-multicast-interfaces all statement at the [edit services nat] hierarchy level. [Services Interfaces]

General Routing

• The statement “Nonstop active routing is supported for BGP unicast IPv4 and IPv6 address families only. If you configure any other address family, the BGP session will not come up on the backup router” should read “Nonstop active routing is supported for BGP unicast IPv4 and IPv6 address families only. If you configure any other address family, the BGP session is reset and the backup router must reestablish the BGP session. [High Availability]
• With JUNOS software Release 9.1, nonstop active routing does not support VPLS mesh groups. [High Availability]
• The statement “If you have multiple VRRP groups on an interface, the interface can be the master virtual router for only one of the groups” is incorrect. Actually, when there are multiple VRRP groups on an interface, the interface can be master virtual router for more than one group. [High Availability]
• For BFD sessions to remain up during a Routing Engine switchover event when nonstop active routing is configured, the value for the minimum-interval configuration statement (a BFD liveness detection parameter) must be at least 2500 msec for Routing Engine-based sessions and at least 10 msec for distributed BFD sessions. [High Availability]
• The description of the show system switchover command output field Peer state is documented as “Routing Engine peer state: Synchronization completed—Peer completed switchover transition; Synchronizing—Peer in switchover transition.” The description should read: “Routing Engine peer state: Steady State—Peer completed switchover transition; Peer Connected—Peer in switchover transition.” [System Basics Command Reference]

VPNs

• The LDP BGP VPLS feature is currently supported only on MX-series and M320 routers. [VPNs, Feature Guide]
• The connectivity-type (ce | irb) configuration statement enables you to specify when a VPLS connection is taken down depending on whether or not the interface for the VPLS routing instance is customer facing or Integrated Routing and Bridging (IRB). To enable this feature, include the connectivity-type (ce | irb) statement at either of the following hierarchy levels:
  • [edit logical-routers logical-router-name routing-instances routing-instance-name protocols vpls]
  • [edit routing-instances routing-instance-name protocols vpls]

  The default value is ce. [VPNs]

Class of Service

• The documentation states that rich queuing (per-VLAN queuing) is NOT supported on the Enhanced Queuing Distributed Port Concentrators (EQ DPCs) used in MX-series routers. This is not correct. Rich queuing is supported on EQ DPCs. [Class of Service]