A common problem when connecting an ICOS-loaded switch to a couple of Juniper SRX series firewalls is that a reth interface connected to a LAG group does not provide load balancing and redundancy.
This usually happens because the topology is not supported by Juniper, as in Example A.
ICOS Config:
interface 0/1-0/2
addport lag 1
interface lag 1
no port-channel static
switchport mode trunk
SRX Config:
set interfaces ge-3/0/0 gigether-options redundant-parent reth1
set interfaces ge-15/0/0 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options minimum-links 1
set interfaces reth1 redundant-ether-options lacp passive
set interfaces reth1 redundant-ether-options lacp periodic slow
Topology:
SRX (ge-3/0/0) is connected to Aurora (interface 0/1)
SRX (ge-15/0/0) is connected to Aurora (interface 0/2)
The Aurora switch interfaces are in one LACP group, which is supposed to load balance: the switch will send one packet to ge-3/0/0 and the next packet to ge-15/0/0, towards the SRX.
Assume that Node0 is active: the first packet, sent to ge-3/0/0, will go through, and the packet sent to ge-15/0/0 will be dropped because Node1 is passive.
ICOS Config:
interface 0/1-0/2
addport lag 1
interface lag 1
no port-channel static
switchport mode trunk
interface 0/3-0/4
addport lag 2
interface lag 2
no port-channel static
switchport mode trunk
SRX Config:
set interfaces ge-3/0/0 gigether-options redundant-parent reth1
set interfaces ge-3/0/1 gigether-options redundant-parent reth1
set interfaces ge-15/0/0 gigether-options redundant-parent reth1
set interfaces ge-15/0/1 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options lacp passive
set interfaces reth1 redundant-ether-options lacp periodic slow
Topology:
LAG1:
SRX (ge-3/0/0) is connected to Aurora (interface 0/1)
SRX (ge-3/0/1) is connected to Aurora (interface 0/2)
LAG2:
SRX (ge-15/0/0) is connected to Aurora (interface 0/3)
SRX (ge-15/0/1) is connected to Aurora (interface 0/4)
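A pre-change check for the two topologies above, as an added example that is not part of the original article or of any vendor tool: it parses the ICOS and SRX snippets plus a cabling map and reports every switch LAG whose member ports reach more than one cluster node. The function names and the FPC-to-node table (ge-3 on Node0, ge-15 on Node1, as the text describes) are assumptions of this example.

```python
import re
from collections import defaultdict

def parse_icos_lags(cfg):
    """Map ICOS port -> LAG id from 'interface a/b-a/c' followed by 'addport lag N'."""
    port_lag, ports = {}, []
    for line in (l.strip() for l in cfg.splitlines()):
        m = re.fullmatch(r"interface (\d+)/(\d+)(?:-\d+/(\d+))?", line)
        if m:
            slot, first = m.group(1), int(m.group(2))
            last = int(m.group(3)) if m.group(3) else first
            ports = [f"{slot}/{p}" for p in range(first, last + 1)]
        elif line.startswith("interface "):      # e.g. "interface lag 1" ends port context
            ports = []
        else:
            m = re.fullmatch(r"addport lag (\d+)", line)
            if m:
                port_lag.update({p: int(m.group(1)) for p in ports})
    return port_lag

def parse_reth_members(cfg):
    """Map SRX child link -> reth from 'redundant-parent' set lines."""
    return dict(re.findall(
        r"set interfaces (\S+) gigether-options redundant-parent (\S+)", cfg))

def lags_spanning_nodes(icos_cfg, srx_cfg, cabling, fpc_node):
    """Return {lag: [nodes]} for each switch LAG cabled to more than one SRX node."""
    port_lag, members = parse_icos_lags(icos_cfg), parse_reth_members(srx_cfg)
    lag_nodes = defaultdict(set)
    for srx_if, sw_port in cabling.items():
        if srx_if in members and sw_port in port_lag:
            fpc = int(re.match(r"[a-z]+-(\d+)/", srx_if).group(1))
            lag_nodes[port_lag[sw_port]].add(fpc_node[fpc])
    return {lag: sorted(n) for lag, n in lag_nodes.items() if len(n) > 1}

# Inputs constructed from the configs and topology lists above.
FPC_NODE = {3: "node0", 15: "node1"}             # assumption taken from the text
LAG = "\ninterface lag {0}\nno port-channel static\nswitchport mode trunk\n"
ICOS_A = "interface 0/1-0/2\naddport lag 1" + LAG.format(1)
ICOS_B = ICOS_A + "interface 0/3-0/4\naddport lag 2" + LAG.format(2)
SET = "set interfaces {0} gigether-options redundant-parent reth1\n"
SRX_A = SET.format("ge-3/0/0") + SET.format("ge-15/0/0")
SRX_B = SRX_A + SET.format("ge-3/0/1") + SET.format("ge-15/0/1")
CABLING_A = {"ge-3/0/0": "0/1", "ge-15/0/0": "0/2"}
CABLING_B = {"ge-3/0/0": "0/1", "ge-3/0/1": "0/2",
             "ge-15/0/0": "0/3", "ge-15/0/1": "0/4"}

if __name__ == "__main__":
    print("one LAG: ", lags_spanning_nodes(ICOS_A, SRX_A, CABLING_A, FPC_NODE))
    print("two LAGs:", lags_spanning_nodes(ICOS_B, SRX_B, CABLING_B, FPC_NODE))
```

An empty result means every switch LAG terminates on a single node, as in the two-LAG layout.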