Re: [j-nsp] MX204: 802.3ad LAG 2 x 1 G with a Palo Alto firewall
We have noticed issues with autonegotiation 1G links on mx10003 which caused
one side to be up while the other is down. Disabling autonegotiation allowed
the link to come up. We have not attempted link aggregation on gig ports,
though.

--
Eldon

On Thu, Mar 18, 2021, 07:51 Emmanuel Halbwachs wrote:

> Thank you very much to all for your replies, public or private.
>
> I should have said that we do not use LACP. Remote firewall admins
> confirmed that there is no LACP, there wasn't LACP on the previous MX5
> and when I put the 10G switch in between, there is no LACP configured
> (I should check if there is not LACP behind the curtain by default).
>
> So this is plain 802.3ad LAG, without LACP.
>
> Multiple answers said that LAG is not supported at 1G and here is a
> link [1] (thanks Adrien Desportes) that says:
>
>     On MX10003 and MX204 routers, Link Aggregation Group (LAG) is
>     supported on 10-Gbps speed only. It is not supported on 1-Gbps
>     speed.
>
> [1]
> https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/speed-gigether-options.html
>
> I wasn't aware of this limitation. So I'm puzzled by Alexandre
> Snarskii's reply who shows a working 1G LACP LAG on 18.4R3-S6.3.
>
> I'm running 19.4R1.10.
>
> I'll try a LAG with my switch first to be sure of it.
>
> Thanks again to everybody,
>
> --
> Emmanuel Halbwachs DIO/CASTORS/Resp. Réseau,Sécurité
> Observatoire de Paris ✆ +33 1 45 07 75 54
> Campus Paris : 61 av. de l'Observatoire F 75014 PARIS
> Campus Meudon : 11 av. Marcellin Berthelot F 92190 MEUDON

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] MX204: 802.3ad LAG 2 x 1 G with a Palo Alto firewall
Thank you very much to all for your replies, public or private.

I should have said that we do not use LACP. Remote firewall admins
confirmed that there is no LACP, there wasn't LACP on the previous MX5
and when I put the 10G switch in between, there is no LACP configured
(I should check if there is not LACP behind the curtain by default).

So this is plain 802.3ad LAG, without LACP.

Multiple answers said that LAG is not supported at 1G and here is a
link [1] (thanks Adrien Desportes) that says:

    On MX10003 and MX204 routers, Link Aggregation Group (LAG) is
    supported on 10-Gbps speed only. It is not supported on 1-Gbps
    speed.

[1] https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/speed-gigether-options.html

I wasn't aware of this limitation. So I'm puzzled by Alexandre
Snarskii's reply who shows a working 1G LACP LAG on 18.4R3-S6.3.

I'm running 19.4R1.10.

I'll try a LAG with my switch first to be sure of it.

Thanks again to everybody,

--
Emmanuel Halbwachs DIO/CASTORS/Resp. Réseau,Sécurité
Observatoire de Paris ✆ +33 1 45 07 75 54
Campus Paris : 61 av. de l'Observatoire F 75014 PARIS
Campus Meudon : 11 av. Marcellin Berthelot F 92190 MEUDON
Re: [j-nsp] MX204: 802.3ad LAG 2 x 1 G with a Palo Alto firewall
Hi Emmanuel,

On Thu, Mar 18, 2021 at 12:30:08PM +0100, Emmanuel Halbwachs wrote:
> The LAG is seen UP on the MX204 but DOWN on the firewall.

From your configuration it seems that you did not enable LACP, but only
did a link aggregation, that might not be what your firewall is
expecting. To actually enable LACP you would need the following
statement:

    set interfaces ae0 aggregated-ether-options lacp active

Cheers,
Benjamin

--
Benjamin Collet
Re: [j-nsp] MX204: 802.3ad LAG 2 x 1 G with a Palo Alto firewall
On Thu, Mar 18, 2021 at 01:41:50PM +0200, Antti Ristimäki wrote:
> Hi,
>
> I don't know what the current state is, but at least initially LAG
> was not supported in MX204 interfaces when running them at 1G speed.
> At least the official documentation states that this holds true still.

Interesting limitation. However, on 18.4R3-S6.3 there is no problem
running lacp lag over 1G:

snar@RT> show configuration interfaces xe-0/1/2 gigether-options
802.3ad ae2;
speed 1g;

snar@RT> show lacp interfaces xe-0/1/2
Aggregated interface: ae2
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      xe-0/1/2       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      xe-0/1/2     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
    LACP protocol:        Receive State  Transmit State          Mux State
      xe-0/1/2                  Current   Fast periodic Collecting distributing

>
> Antti
>
> ----- On 18 Mar, 2021, at 13:30, Emmanuel Halbwachs
> emmanuel.halbwa...@obspm.fr wrote:
>
> > Hello,
> >
> > I'm having hard times moving a 2 x 1 Gb/s LAG with a Palo Alto
> > firewall from a MX5 to a MX204. The MX204 is on my side, the firewall
> > to the partner side. The firewall has 10G interfaces, but we're stuck
> > to 1G because of the MMF underground link between the two campuses.
> >
> > The LAG is seen UP on the MX204 but DOWN on the firewall.
> >
> > If I put a 10G switch before the MX204, using the same transceivers, I
> > can ping the remote side. It worked with a MX5. So there must be
> > something with my MX204 configuration.
> >
> > If a good soul from here could point me a clue or a direction where to
> > dig, it will make my day.
Re: [j-nsp] MX204: 802.3ad LAG 2 x 1 G with a Palo Alto firewall
Hi,

I don't know what the current state is, but at least initially LAG
was not supported in MX204 interfaces when running them at 1G speed.
At least the official documentation states that this holds true still.

Antti

----- On 18 Mar, 2021, at 13:30, Emmanuel Halbwachs emmanuel.halbwa...@obspm.fr wrote:

> Hello,
>
> I'm having hard times moving a 2 x 1 Gb/s LAG with a Palo Alto
> firewall from a MX5 to a MX204. The MX204 is on my side, the firewall
> to the partner side. The firewall has 10G interfaces, but we're stuck
> to 1G because of the MMF underground link between the two campuses.
>
> The LAG is seen UP on the MX204 but DOWN on the firewall.
>
> If I put a 10G switch before the MX204, using the same transceivers, I
> can ping the remote side. It worked with a MX5. So there must be
> something with my MX204 configuration.
>
> If a good soul from here could point me a clue or a direction where to
> dig, it will make my day.
>
> Here is what seems relevant to me:
>
> chassis {
>     aggregated-devices {
>         ethernet {
>             device-count 1;
>         }
>     }
>     fpc 0 {
>         pic 1 {
>             port 4 {
>                 speed 10g;
>             }
>             port 5 {
>                 speed 10g;
>             }
>         }
>     }
> }
> interfaces {
>     xe-0/1/4 {
>         description "IAP (LAG 1/2)";
>         gigether-options {
>             802.3ad ae0;
>             speed 1g;
>         }
>     }
>     xe-0/1/5 {
>         description "IAP (LAG 2/2)";
>         gigether-options {
>             802.3ad ae0;
>             speed 1g;
>         }
>     }
>     ae0 {
>         description "IAP (LAG)";
>         unit 0 {
>             family bridge {
>                 interface-mode access;
>                 vlan-id 4000;
>             }
>         }
>     }
>     irb {
>         unit 4000 {
>             description IAP-INTERCO-TEST;
>             family inet {
>                 address 145.238.192.9/30;
>             }
>         }
>     }
> }
>
> eh-adm@ro-p-coeur> show interfaces xe-0/1/4 terse
> Interface               Admin Link Proto    Local                 Remote
> xe-0/1/4                up    up
> xe-0/1/4.0              up    up   aenet    --> ae0.0
>
> eh-adm@ro-p-coeur> show interfaces xe-0/1/5 terse
> Interface               Admin Link Proto    Local                 Remote
> xe-0/1/5                up    up
> xe-0/1/5.0              up    up   aenet    --> ae0.0
>
> eh-adm@ro-p-coeur> show interfaces ae0 terse
> Interface               Admin Link Proto    Local                 Remote
> ae0                     up    up
> ae0.0                   up    up   bridge
>
Re: [j-nsp] MX204: 802.3ad LAG 2 x 1 G with a Palo Alto firewall
Hi,

I'm pretty sure that LACP is not supported for 1G interfaces on MX204.

Kind Regards,

--
Adam Gent

----- Original Message -----
From: "Emmanuel Halbwachs"
To: juniper-nsp@puck.nether.net
Sent: Thursday, March 18, 2021 11:30:08 AM
Subject: [j-nsp] MX204: 802.3ad LAG 2 x 1 G with a Palo Alto firewall

Hello,

I'm having hard times moving a 2 x 1 Gb/s LAG with a Palo Alto
firewall from a MX5 to a MX204. The MX204 is on my side, the firewall
to the partner side. The firewall has 10G interfaces, but we're stuck
to 1G because of the MMF underground link between the two campuses.

The LAG is seen UP on the MX204 but DOWN on the firewall.

If I put a 10G switch before the MX204, using the same transceivers, I
can ping the remote side. It worked with a MX5. So there must be
something with my MX204 configuration.

If a good soul from here could point me a clue or a direction where to
dig, it will make my day.

Here is what seems relevant to me:

chassis {
    aggregated-devices {
        ethernet {
            device-count 1;
        }
    }
    fpc 0 {
        pic 1 {
            port 4 {
                speed 10g;
            }
            port 5 {
                speed 10g;
            }
        }
    }
}
interfaces {
    xe-0/1/4 {
        description "IAP (LAG 1/2)";
        gigether-options {
            802.3ad ae0;
            speed 1g;
        }
    }
    xe-0/1/5 {
        description "IAP (LAG 2/2)";
        gigether-options {
            802.3ad ae0;
            speed 1g;
        }
    }
    ae0 {
        description "IAP (LAG)";
        unit 0 {
            family bridge {
                interface-mode access;
                vlan-id 4000;
            }
        }
    }
    irb {
        unit 4000 {
            description IAP-INTERCO-TEST;
            family inet {
                address 145.238.192.9/30;
            }
        }
    }
}

eh-adm@ro-p-coeur> show interfaces xe-0/1/4 terse
Interface               Admin Link Proto    Local                 Remote
xe-0/1/4                up    up
xe-0/1/4.0              up    up   aenet    --> ae0.0

eh-adm@ro-p-coeur> show interfaces xe-0/1/5 terse
Interface               Admin Link Proto    Local                 Remote
xe-0/1/5                up    up
xe-0/1/5.0              up    up   aenet    --> ae0.0

eh-adm@ro-p-coeur> show interfaces ae0 terse
Interface               Admin Link Proto    Local                 Remote
ae0                     up    up
ae0.0                   up    up   bridge

eh-adm@ro-p-coeur> show interfaces xe-0/1/4 brief
Physical interface: xe-0/1/4, Enabled, Physical link is Up
  Link-level type: Ethernet, MTU: 1514, MRU: 1522, LAN-PHY mode, Speed: 10Gbps,
  Loopback: None, Source filtering: Disabled,
  Flow control: Disabled, Speed Configuration: 1G
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x4000
  Link flags     : None

  Logical interface xe-0/1/4.0
    Flags: Up SNMP-Traps 0x24024000 Encapsulation: Ethernet-Bridge
    aenet

eh-adm@ro-p-coeur> show interfaces xe-0/1/5 brief
Physical interface: xe-0/1/5, Enabled, Physical link is Up
  Link-level type: Ethernet, MTU: 1514, MRU: 1522, LAN-PHY mode, Speed: 10Gbps,
  Loopback: None, Source filtering: Disabled,
  Flow control: Disabled, Speed Configuration: 1G
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x4000
  Link flags     : None

  Logical interface xe-0/1/5.0
    Flags: Up SNMP-Traps 0x24024000 Encapsulation: Ethernet-Bridge
    aenet

eh-adm@ro-p-coeur> show interfaces ae0 brief
Physical interface: ae0, Enabled, Physical link is Up
  Link-level type: Ethernet, MTU: 1514, Speed: 20Gbps, Loopback: Disabled,
  Source filtering: Disabled, Flow control: Disabled
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x4000

  Logical interface ae0.0
    Flags: Up SNMP-Traps 0x24024000 Encapsulation: Ethernet-Bridge
    bridge

eh-adm@ro-p-coeur> ping firewall-iap-test
PING firewall-iap-test.obspm.fr (145.238.192.10): 56 data bytes
^C
--- firewall-iap-test.obspm.fr ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

--
Emmanuel Halbwachs DIO/CASTORS/Resp. Réseau,Sécurité
Observatoire de Paris ✆ +33 1 45 07 75 54
Campus Paris : 61 av. de l'Observatoire F 75014 PARIS
Campus Meudon : 11 av. Marcellin Berthelot F 92190 MEUDON
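
An offline check for the two conditions this thread raises, added here as an example and not written by any poster: it parses brace-style Junos configuration and reports aggregate members set to `speed 1g` and bundles that have no `lacp` stanza. The function names and the trimmed sample are constructed for illustration, and the parser assumes one statement per line.

```python
# Constructed sample: the LAG stanzas from the original post, trimmed.
SAMPLE = """
interfaces {
    xe-0/1/4 {
        gigether-options {
            802.3ad ae0;
            speed 1g;
        }
    }
    xe-0/1/5 {
        gigether-options {
            802.3ad ae0;
            speed 1g;
        }
    }
    ae0 {
        description "IAP (LAG)";
    }
}
"""

def parse(text):
    """Brace-style Junos config -> nested dicts (assumes one statement per line)."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            stack[-1][line[:-1].strip()] = None  # leaf statement
    return root

def audit_lag(text):
    """Report 1G aggregate members and bundles that have no lacp stanza."""
    ifaces = parse(text).get("interfaces") or {}
    findings, bundles = [], set()
    for name, body in ifaces.items():
        opts = (body or {}).get("gigether-options") or {}
        ae = next((s.split()[1] for s in opts if s.startswith("802.3ad ")), None)
        if ae:
            bundles.add(ae)
            if "speed 1g" in opts:
                findings.append(f"{name}: 1G member of {ae} (docs: LAG is 10G-only on MX204/MX10003)")
    for ae in sorted(bundles):
        if "lacp" not in ((ifaces.get(ae) or {}).get("aggregated-ether-options") or {}):
            findings.append(f"{ae}: static LAG, no lacp stanza; the peer must be static too")
    return findings
```

Calling `audit_lag(SAMPLE)` returns three findings for the posted configuration: one per 1G member and one for the static `ae0` bundle.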