[j-nsp] MX204: 802.3ad LAG 2 x 1 G with a Palo Alto firewall

Alexandre Snarskii snar at snar.spb.ru
Thu Mar 18 07:50:09 EDT 2021 

On Thu, Mar 18, 2021 at 01:41:50PM +0200, Antti Ristimäki wrote:
> Hi,
> 
> I don't know what the current state is, but at least initially LAG 
> was not supported in MX204 interfaces when running them at 1G speed. 
> At least the official documentation states that this holds true still.

Interesting limitation. However, on 18.4R3-S6.3 there are no problem
running lacp lag over 1G:

snar at RT> show configuration interfaces xe-0/1/2 gigether-options 
802.3ad ae2;
speed 1g;

snar at RT> show lacp interfaces xe-0/1/2 
Aggregated interface: ae2
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      xe-0/1/2       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      xe-0/1/2     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
    LACP protocol:        Receive State  Transmit State          Mux State 
      xe-0/1/2                  Current   Fast periodic Collecting distributing

> 
> Antti
> 
> ----- On 18 Mar, 2021, at 13:30, Emmanuel Halbwachs Emmanuel.Halbwachs at obspm.fr wrote:
> 
> > Hello,
> > 
> > I'm having hard times moving a 2 x 1 Gb/s LAG with a Palo Alto
> > firewall from a MX5 to a MX204. The MX204 is on my side, the firewall
> > to the partner side. The firewall have 10G interfaces, but we're stuck
> > to 1G because of the MMF underground link between the two campuses.
> > 
> > The LAG is seen UP on the MX204 but DOWN on the firewall.
> > 
> > If I put a 10G switch before the MX204, using the same transceivers, I
> > can ping the remote side. It worked with a MX5. So there must be
> > something with my MX204 configuration.
> > 
> > If a good soul from here could point me a clue or a direction where to
> > dig, it will make my day.
> > 
> > Here is what seems relevant to me:
> > 
> > chassis {
> >    aggregated-devices {
> >	ethernet {
> >	    device-count 1;
> >	}
> >    }
> >    fpc 0 {
> >	pic 1 {
> >	    port 4 {
> >		speed 10g;
> >	    }
> >	    port 5 {
> >		speed 10g;
> >	    }
> >	}
> >    }
> > }
> > interfaces {
> >    xe-0/1/4 {
> >	description "IAP (LAG 1/2)";
> >	gigether-options {
> >	    802.3ad ae0;
> >	    speed 1g;
> >	}
> >    }
> >    xe-0/1/5 {
> >	description "IAP (LAG 2/2)";
> >	gigether-options {
> >	    802.3ad ae0;
> >	    speed 1g;
> >	}
> >    }
> >    ae0 {
> >	description "IAP (LAG)";
> >	unit 0 {
> >	    family bridge {
> >		interface-mode access;
> >		vlan-id 4000;
> >	    }
> >	}
> >    }
> >    irb {
> >	unit 4000 {
> >	    description IAP-INTERCO-TEST;
> >	    family inet {
> >		address 145.238.192.9/30;
> >	    }
> >	}
> >    }
> > }
> > 
> > eh-adm at ro-p-coeur> show interfaces xe-0/1/4 terse
> > Interface               Admin Link Proto    Local                 Remote
> > xe-0/1/4                up    up
> > xe-0/1/4.0              up    up   aenet    --> ae0.0
> > 
> > eh-adm at ro-p-coeur> show interfaces xe-0/1/5 terse
> > Interface               Admin Link Proto    Local                 Remote
> > xe-0/1/5                up    up
> > xe-0/1/5.0              up    up   aenet    --> ae0.0
> > 
> > eh-adm at ro-p-coeur> show interfaces ae0 terse
> > Interface               Admin Link Proto    Local                 Remote
> > ae0                     up    up
> > ae0.0                   up    up   bridge
> > 
> > eh-adm at ro-p-coeur> show interfaces xe-0/1/4 brief
> > Physical interface: xe-0/1/4, Enabled, Physical link is Up
> >  Link-level type: Ethernet, MTU: 1514, MRU: 1522, LAN-PHY mode, Speed: 10Gbps,
> >  Loopback: None, Source filtering: Disabled,
> >  Flow control: Disabled, Speed Configuration: 1G
> >  Device flags   : Present Running
> >  Interface flags: SNMP-Traps Internal: 0x4000
> >  Link flags     : None
> > 
> >  Logical interface xe-0/1/4.0
> >    Flags: Up SNMP-Traps 0x24024000 Encapsulation: Ethernet-Bridge
> >    aenet
> > 
> > eh-adm at ro-p-coeur> show interfaces xe-0/1/5 brief
> > Physical interface: xe-0/1/5, Enabled, Physical link is Up
> >  Link-level type: Ethernet, MTU: 1514, MRU: 1522, LAN-PHY mode, Speed: 10Gbps,
> >  Loopback: None, Source filtering: Disabled,
> >  Flow control: Disabled, Speed Configuration: 1G
> >  Device flags   : Present Running
> >  Interface flags: SNMP-Traps Internal: 0x4000
> >  Link flags     : None
> > 
> >  Logical interface xe-0/1/5.0
> >    Flags: Up SNMP-Traps 0x24024000 Encapsulation: Ethernet-Bridge
> >    aenet
> > 
> > eh-adm at ro-p-coeur> show interfaces ae0 brief
> > Physical interface: ae0, Enabled, Physical link is Up
> >  Link-level type: Ethernet, MTU: 1514, Speed: 20Gbps, Loopback: Disabled, Source
> >  filtering: Disabled, Flow control: Disabled
> >  Device flags   : Present Running
> >  Interface flags: SNMP-Traps Internal: 0x4000
> > 
> >  Logical interface ae0.0
> >    Flags: Up SNMP-Traps 0x24024000 Encapsulation: Ethernet-Bridge
> >    bridge
> > 
> > eh-adm at ro-p-coeur> ping firewall-iap-test
> > PING firewall-iap-test.obspm.fr (145.238.192.10): 56 data bytes
> > ^C
> > --- firewall-iap-test.obspm.fr ping statistics ---
> > 3 packets transmitted, 0 packets received, 100% packet loss
> > 
> > --
> > Emmanuel Halbwachs                  DIO/CASTORS/Resp. Réseau,Sécurité
> > Observatoire de Paris                             ✆ +33 1 45 07 75 54
> > Campus Paris  : 61 av. de l'Observatoire   F 75014 PARIS
> > Campus Meudon : 11 av. Marcellin Berthelot F 92190 MEUDON
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
> > 
> > 
> > --
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp

More information about the juniper-nsp mailing list