LACP on LAG in ICOS and reth in Juniper SRX series firewalls.

A typical trouble when connecting an ICOS-loaded switch to a couple of Juniper SRX series firewalls is that reth interface connected to a LAG group doesn’t provide load balancing and redundancy.

This usually happens due to an unsupported topology by Juniper, as in the Example A.

Example A:

ICOS Config:

interface 0/1-0/2
addport lag 1
interface lag 1
no port-channel static
switchport mode trunk

SRX Config:

set interfaces ge-3/0/0 gigether-options redundant-parent reth1
set interfaces ge-15/0/0 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options minimum-links 1
set interfaces reth1 redundant-ether-options lacp passive
set interfaces reth1 redundant-ether-options lacp periodic slow

Topology:

SRX (ge-3/0/0) is connected to Aurora (interface 0/1)
SRX (ge-15/0/0) is connected to Aurora (interface 0/2)

 

lacp_icos_juniper_1

 

Explanation:

The Aurora switch interfaces are in one LACP group and it is supposed to load balance; which means that it will send one packet to ge-3/0/0 and the next packet to ge-15/0/0, towards the SRX.

Assume that Node0 is active, the first packet sent to ge-3/0/0 will go through and the packet to ge-15/0/0 will be dropped as Node1 is passive.

 

Example B:

ICOS Config:

interface 0/1-0/2
addport lag 1
interface lag 1
no port-channel static
switchport mode trunk


interface 0/3-0/4
addport lag 2
interface lag 2
no port-channel static
switchport mode trunk

SRX Config:

set interfaces ge-3/0/0 gigether-options redundant-parent reth1
set interfaces ge-3/0/1 gigether-options redundant-parent reth1
set interfaces ge-15/0/0 gigether-options redundant-parent reth1
set interfaces ge-15/0/1 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options lacp passive
set interfaces reth1 redundant-ether-options lacp periodic slow

Topology:

LAG1:
SRX (ge-3/0/0) is connected to Aurora (interface 0/1)
SRX (ge-3/0/1) is connected to Aurora (interface 0/2)

LAG2:
SRX (ge-15/0/0) is connected to Aurora (interface 0/3)
SRX (ge-15/0/1) is connected to Aurora (interface 0/4)

lacp_icos_juniper_2

NEWS

Latest news

Netberg supports Ubuntu 24.04 Noble Numbat

Taoyuan, Taiwan, 20th of January 2025. Netberg, the leading provider of open networking solutions, announces support of Ubuntu 24.04 Noble Numbat on its Broadcom-enabled portfolio.

Netberg launches Aurora 721 and Aurora 421 programmable switches

Taoyuan city, Taiwan, 24th of June 2024. Netberg announced the new Aurora 721 100G and Aurora 421 10G switches, which feature programmable pipelines powered by Broadcom StrataXGS® Trident3 Ethernet switch chips.

Netberg announces 1G and 25G programmable switches.

Taoyuan city, Taiwan, January 24th, 2024. Netberg announced the release of two new models powered by the Broadcom StrataXGS® Trident3 series , the Netberg Aurora 221 1G switch and Aurora 621 25G switch.

2024 January EOL Notice

Effective January 12, 2024: The following products are now End of Life (EOL) - Aurora 720 and Aurora 620.

Netberg Announces SONiC 2022.11 Support on its P4-Programmable Intel Tofino IFP systems.

Taoyuan city, Taiwan, December 20th, 2023. Netberg updates its Netberg SONiC distribution to release 2022.11 on Aurora 610, Aurora 710, and Aurora 750 P4-Programmable Intel Tofino IFP systems.

Netberg launches Aurora 810 platform for next-generation networks

Taipei, Taiwan, 14th of November 2022. Netberg announced the new Aurora 810 400G model programmable switch with Intel Tofino 2 Intelligent Fabric Processors (IFPs) at its heart. The new platform has 32x 400G QSFP-DD Ethernet ports and a 12.8Tbps switching capacity.

Address: 10F, No. 111-3, Xiyuan Road, Zhongli District, Taoyuan City, 320 Taiwan R.O.C.
Tel: + 886-3-2609203
Email: sales@netbergtw.com