LACP on LAG in ICOS and reth in Juniper SRX series firewalls.

A typical problem when connecting an ICOS-loaded switch to a pair of Juniper SRX series firewalls is that a reth interface connected to a LAG group provides neither load balancing nor redundancy.

This usually happens because the topology is not supported by Juniper, as in Example A.

Example A:

ICOS Config:

interface 0/1-0/2
addport lag 1
interface lag 1
no port-channel static
switchport mode trunk

SRX Config:

set interfaces ge-3/0/0 gigether-options redundant-parent reth1
set interfaces ge-15/0/0 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options minimum-links 1
set interfaces reth1 redundant-ether-options lacp passive
set interfaces reth1 redundant-ether-options lacp periodic slow

Topology:

SRX (ge-3/0/0) is connected to Aurora (interface 0/1)
SRX (ge-15/0/0) is connected to Aurora (interface 0/2)

[Figure: lacp_icos_juniper_1 (Example A topology)]

Explanation:

The Aurora switch interfaces are members of one LACP group, so the switch is expected to load balance across them: it sends one packet to ge-3/0/0 and the next packet to ge-15/0/0, towards the SRX.

Assume that Node0 is active: the first packet, sent to ge-3/0/0, goes through, but the packet sent to ge-15/0/0 is dropped because Node1 is passive. Since the reth child links of both nodes sit in a single LAG on the switch, part of the traffic is always lost, and the failover does not help either. The supported design is to give each node's child links their own LAG on the switch, as in Example B.

Example B:

ICOS Config:

interface 0/1-0/2
addport lag 1
interface lag 1
no port-channel static
switchport mode trunk

interface 0/3-0/4
addport lag 2
interface lag 2
no port-channel static
switchport mode trunk

SRX Config:

set interfaces ge-3/0/0 gigether-options redundant-parent reth1
set interfaces ge-3/0/1 gigether-options redundant-parent reth1
set interfaces ge-15/0/0 gigether-options redundant-parent reth1
set interfaces ge-15/0/1 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options lacp passive
set interfaces reth1 redundant-ether-options lacp periodic slow

Topology:

LAG1:
SRX (ge-3/0/0) is connected to Aurora (interface 0/1)
SRX (ge-3/0/1) is connected to Aurora (interface 0/2)

LAG2:
SRX (ge-15/0/0) is connected to Aurora (interface 0/3)
SRX (ge-15/0/1) is connected to Aurora (interface 0/4)

[Figure: lacp_icos_juniper_2 (Example B topology)]
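A small configuration check, added here as an example and not part of the original note, that flags the Example A mistake and accepts Example B: it parses the ICOS LAG stanzas, follows the cabling to the SRX child interfaces, and reports any switch LAG whose members reach both cluster nodes. The cabling tables are constructed from the two topologies above, and the node-1 FPC offset of 12 is an assumption matching the ge-3/ge-15 pairing on this page.

```python
import re
from collections import defaultdict

# In an SRX chassis cluster, node 1's FPC numbers are node 0's plus a
# platform-specific offset. 12 fits the ge-3 / ge-15 pairing in this note
# (assumption; adjust for your platform).
NODE1_FPC_OFFSET = 12

def srx_node(ifname):
    """Return the cluster node (0 or 1) owning a ge-<fpc>/<pic>/<port> interface."""
    fpc = int(re.match(r"[a-z]+-(\d+)/", ifname).group(1))
    return 1 if fpc >= NODE1_FPC_OFFSET else 0

def parse_icos_lags(config):
    """Map LAG id -> member ports from 'interface u/p[-u/p]' + 'addport lag N' stanzas."""
    lags, pending = defaultdict(set), []
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            m = re.match(r"interface (\d+)/(\d+)(?:-(\d+)/(\d+))?$", line)
            if m:  # physical port or port range: remember it for the next addport
                unit, first = m.group(1), int(m.group(2))
                last = int(m.group(4)) if m.group(4) else first
                pending = [f"{unit}/{p}" for p in range(first, last + 1)]
            else:  # e.g. 'interface lag 1': nothing to add ports from
                pending = []
            continue
        m = re.match(r"addport lag (\d+)$", line)
        if m:
            lags[int(m.group(1))].update(pending)
    return dict(lags)

def lags_spanning_nodes(icos_config, cabling):
    """Return ids of switch LAGs whose members reach reth child links on both SRX nodes."""
    bad = []
    for lag, ports in parse_icos_lags(icos_config).items():
        nodes = {srx_node(cabling[p]) for p in ports if p in cabling}
        if len(nodes) > 1:
            bad.append(lag)
    return sorted(bad)

# Constructed from the note's Example A and Example B (switch port -> SRX interface).
ICOS_A = "interface 0/1-0/2\naddport lag 1\ninterface lag 1\nno port-channel static\n"
CABLING_A = {"0/1": "ge-3/0/0", "0/2": "ge-15/0/0"}
ICOS_B = ICOS_A + "interface 0/3-0/4\naddport lag 2\ninterface lag 2\nno port-channel static\n"
CABLING_B = {"0/1": "ge-3/0/0", "0/2": "ge-3/0/1", "0/3": "ge-15/0/0", "0/4": "ge-15/0/1"}

if __name__ == "__main__":
    print("Example A LAGs spanning both nodes:", lags_spanning_nodes(ICOS_A, CABLING_A))  # [1]
    print("Example B LAGs spanning both nodes:", lags_spanning_nodes(ICOS_B, CABLING_B))  # []
```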