Versions Compared

Old Version 12

changes.mady.by.user Jean-luc KRIKER

Saved on

compared with

New Version Current

changes.mady.by.user Jean-luc KRIKER

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Also:     Aggregated Ethernet Links (AE) to for an link aggregation group (LAG)

...

https://www.juniper.net/documentation/en_US/junos/topics/concept/lag-qfx-series-overview.html




EX


QFX   

Junos OS Evolved

https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/link-aggregation-cli.html

Code Block
titleAE/LAG interface and LACP
set chassis aggregated-devices ethernet device-count 2
set interfaces ae0 aggregated-ether-options link-speed 1g
set interfaces xe-0/0/4 ether-options 802.3ad ae0
set interfaces ae0.0 family inet address 192.168.200.1/24
set interfaces xe-1/0/4 ether-options 802.3ad ae0
set interfaces ae0 aggregated-ether-options minimum-links 1



{master:0}
root@QFX5100-1-RL102> show interfaces ae0 detail | find "Logical interface ae0.0"
  Logical interface ae0.0 (Index 656) (SNMP ifIndex 720) (HW Token 4095) (Generation 247)
    Flags: Up SNMP-Traps 0x4004000 Encapsulation: ENET2
    Statistics        Packets        pps         Bytes          bps
    Bundle:
        Input :            13          0          3900            0
        Output:            35          0          7483            0
    Adaptive Statistics:
        Adaptive Adjusts:          0
        Adaptive Scans  :          0
        Adaptive Updates:          0
    Link:
      xe-0/0/4.0
        Input :             0          0             0            0
        Output:             6          0          1878            0
      xe-1/0/4.0
        Input :             0          0             0            0
        Output:            51          0         13524            0


    Aggregate member links: 2

    Marker Statistics:   Marker Rx     Resp Tx   Unknown Rx   Illegal Rx
      xe-0/0/4.0                 0           0            0            0
      xe-1/0/4.0                 0           0            0            0
    Protocol inet, MTU: 1500
    Max nh cache: 75000, New hold nh limit: 75000, Curr nh cnt: 0, Curr new hold cnt: 0, NH drop cnt: 0
    Generation: 224, Route table: 8
      Flags: Sendbcast-pkt-to-re, Is-Primary
      Addresses, Flags: Is-Default Is-Preferred Is-Primary
        Destination: 192.168.200/24, Local: 192.168.200.1, Broadcast: 192.168.200.255, Generation: 140



https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/lacp-cli.html


Code Block
titleLACP
configurationSRX

AE configuration

Security Zone Configuration

Code Block
titlesecurity zones
BMS1 Zone:

set security zones security-zone BMS1Zone host-inbound-traffic protocols all
set security zones security-zone BMS1Zone interfaces ae0

DC-GW Zone:
set security zones security-zone DC-GW1 interfaces ge-0/0/2.0
set security zones security-zone DC-GW1 interfaces ge-0/0/3.0
Code Block
titleshow interface and security zone
collapsetrue
root@SRX300-1-RL102> show interfaces ae0 detail | find "Security: Zone:" Security: Zone: BMS1Zone Allowed host-inbound traffic : bfd bgp dvmrp igmp ldp msdp nhrp ospf pgm pim rip router-discovery rsvp sap vrrp Flow Statistics : Flow Input statistics : Self packets
config and show commands
collapsetrue
set interfaces ae0 aggregated-ether-options lacp active


{master:0}
root@QFX5100-1-RL102> show lacp interfaces
Aggregated interface: ae0
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      xe-1/0/4       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      xe-1/0/4     Partner    No    No   Yes  Yes  Yes   Yes     Fast   Passive
      xe-0/0/4       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      xe-0/0/4     Partner    No    No   Yes  Yes  Yes   Yes     Fast   Passive
    LACP protocol:        Receive State  Transmit State          Mux State
      xe-1/0/4                  Current   Fast periodic Collecting distributing
      xe-0/0/4                  Current   Fast periodic Collecting distributing


{master:0}
root@QFX5100-1-RL102> show lacp statistics interfaces ae0
Aggregated interface: ae0
    LACP Statistics:       LACP Rx     LACP Tx   Unknown Rx   Illegal Rx
      xe-0/0/4                  37         179            0            0
      xe-1/0/4                  35         180            0            0



{master:0}
root@QFX5100-1-RL102> ping routing-instance vr1 192.168.200.2
PING 192.168.200.2 (192.168.200.2): 56 data bytes
64 bytes from 192.168.200.2: icmp_seq=0 ttl=64 time=18.152 ms
64 bytes from 192.168.200.2: icmp_seq=1 ttl=64 time=13.183 ms


Virtual Router

Code Block
titleconfig VR
collapsetrue
set routing-instances vr1 instance-type virtual-router
set routing-instances vr1 interface ae0.0
set routing-instances vr1 interface ae1.0


SRX

AE configuration

Code Block
titleae configuration
set interfaces ae1 aggregated-ether-options link-speed 1g
set interfaces ae1 aggregated-ether-options minimum-links 1
set interfaces ae1 aggregated-ether-options lacp active
set interfaces ae1.0 family inet address 192.168.210.1/24

set interfaces xe-0/0/2 ether-options 802.3ad ae1
set interfaces xe-1/0/2 ether-options 802.3ad ae1


Virtual Router

Code Block
titleVirtual router
collapsetrue
coming soon


Security Zone Configuration

Code Block
titlesecurity zones
BMS1 Zone:
set security zones security-zone BMS1Zone host-inbound-traffic system-services all
set security zones security-zone BMS1Zone host-inbound-traffic protocols all
set security zones security-zone BMS1Zone interfaces ae0

DC-GW Zone:
set security zones security-zone DC-GW1 host-inbound-traffic system-services all
set security zones security-zone DC-GW1 host-inbound-traffic protocols all
set security zones security-zone BMS1Zone interfaces ae1


Code Block
titleshow interface and security zone
collapsetrue
root@SRX300-1-RL102> show interfaces ae0 detail | find "Security: Zone:"
    Security: Zone: BMS1Zone
    Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp ospf pgm pim rip router-discovery rsvp sap vrrp dhcp finger ftp tftp ident-reset http https ike netconf ping
    reverse-telnet reverse-ssh rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping ntp sip r2cp webapi-clear-text webapi-ssl tcp-encap sdwan-appqoe
    Flow Statistics :
    Flow Input statistics :
      Self packets :                     7177
      ICMP packets :                     7967
      VPN packets :                      0
      Multicast packets :                0
      Bytes permitted by policy :        602868
      Connections established :          7174
    Flow Output statistics:
      Multicast packets :                0
      Bytes permitted by policy :        602868
    Flow error statistics (Packets dropped due to):
      Address spoofing:                  0
      Authentication failed:             0
      Incoming NAT errors:               0
      Invalid zone received packet:      0
      Multiple user authentications:     0
      Multiple incoming NAT:             0
      No parent for a gate:              0
      No one interested in self packets: 0
      No minor session:                  0
      No more sessions:                  0
      No NAT gate:                       0
      No route present:                  0
2
    No SA for
ICMP
incoming
packets 
SPI:            0
      No tunnel
3
found:
VPN
packets
:
          0
      No session for a gate:
0
Multicast
packets
:
   0
      No zone or NULL zone binding
0
      1
Bytes
permitted
by
policy
:
  Policy denied:
168
Connections
established
:
       0
0
    Security
Flow
association
Output
not
statistics
active:   0
Multicast
packets
:
 TCP sequence number out of window: 0
      Syn-attack protection:
0
Bytes
permitted
by
policy
:
 0
168
User authentication errors:
Flow
error
statistics
(Packets
dropped
due
to):
 0
    Protocol
Address
inet,
spoofing
MTU: 1500
    Max nh cache: 100000, New hold nh limit: 100000, Curr nh cnt:
0
1, Curr new hold cnt: 0, NH
Authentication
drop
failed
cnt: 0
    Generation: 167, Route 
table: 0
Incoming NAT errors:
Flags: Sendbcast-pkt-to-re
      Addresses, Flags: Is-Preferred Is-Primary
0
   Destination: 192.168.200/24, Local:
Invalid zone received packet: 0 Multiple user authentications: 0 Multiple incoming NAT
192.168.200.2, Broadcast: 192.168.200.255, Generation: 154

root@SRX300-1-RL102>



LACP configuration

Code Block
titleLACP config and show commands
collapsetrue
set interfaces ae0 aggregated-ether-options lacp passive


root@SRX300-1-RL102> show lacp interfaces
Aggregated interface: ae0
    LACP state:       Role   Exp
0
Def  Dist  Col  Syn
No
parent
Aggr
for
a
Timeout
gate:
 Activity
      ge-0/0/4
0
 Actor    No
No
one
interested
No
in
self
packets:
Yes
0
 Yes  Yes   Yes
No
minor
session:
  Fast   Passive
      ge-0/0/4     Partner
0
   No    No
more
sessions:
 Yes  Yes  Yes   Yes     Fast    Active
0
      ge-0/0/5
No
NAT
gate:
    Actor    No    No   Yes  Yes  Yes   Yes
0
    Fast
No
Passive
route
present:
     ge-0/0/5     Partner    No
0
No   Yes  Yes
No
Yes
SA
for
incoming
Yes
SPI:
    Fast    Active
0
 LACP protocol:
No
tunnel
found:
 Receive State  Transmit State          Mux State
0
    ge-0/0/4
No
session
for
a
gate:
           Current
0
 Fast periodic Collecting distributing
No
zone
or
NULL zone binding
 ge-0/0/5
1
Policy
denied:
  Current   Fast periodic Collecting distributing

root@SRX300-1-RL102> show lacp statistics interfaces ae0
Aggregated interface: ae0
0
  LACP Statistics:
Security
association
not
active:
LACP Rx
0
   LACP Tx
TCP
Unknown
sequence
Rx
number
out
of
Illegal
window:
Rx
0
Syn-attack protection: 
ge-0/0/4
0
User
392
authentication
errors:
       392
0
Protocol
inet,
MTU:
1500
   0
Max
nh
cache:
100000,
New
hold
nh
limit:
100000,
Curr
nh
0
cnt:
1,
Curr
new
hold
cnt:
0, NH drop cnt: 0
ge-0/0/5
Generation:
167,
Route
table:
0
   392
Flags: Sendbcast-pkt-to-re
     390
Addresses,
Flags:
Is-Preferred
Is-Primary
    0
Destination:
192.168.200/24,
Local:
192.168.200.2,
Broadcast:
192.168.200.255,
Generation:
154
0
LACP configuration
root@SRX300-1-RL102>




MX