Switching

  • 1.  VRRP over IRB - can't ping L3 interfaces

    Posted 02-18-2018 07:37

    Hi All

    A quick question please, perhaps I'm missing something.

    I have a pair of QFX10K, they're connected with 2x100G in LACP Lag.

    Both are connected to a firewall cluster, and the irb interface serves as their L3 Interfaces.

     

    1st machine

    show configuration interfaces irb.999
    family inet {
        address 10.199.4.11/24 {
            vrrp-group 99 {
                virtual-address 10.199.4.4;
                priority 95;
                fast-interval 100;
                preempt {
                    hold-time 180;
                }
                accept-data;
                authentication-type simple;
                authentication-key ; ## SECRET-DATA

     

    2nd machine

    show configuration interfaces irb.999
    description "[INTERSITE][vrf INTER-SITE-FW]";
    family inet {
        address 10.199.4.12/24 {
            vrrp-group 99 {
                virtual-address 10.199.4.4;
                priority 105;
                fast-interval 100;
                preempt {
                    hold-time 180;
                }
                accept-data;
                authentication-type simple;
                authentication-key ; ## SECRET-DATA
            }
        }

     

    vrrp is up on both ends.

     

    1> show vrrp brief
    Interface     State       Group   VR state VR Mode   Timer    Type   Address
    irb.999       up             99   backup   Active      D  0.360 lcl    10.199.4.11
                                                                    vip    10.199.4.4
                                                                    mas    10.199.4.12

     

    2> show vrrp brief
    Interface     State       Group   VR state VR Mode   Timer    Type   Address
    irb.999       up             99   master   Active      A  0.088 lcl    10.199.4.12
                                                                    vip    10.199.4.4

     

    vlan 999 runs between ae2 which is the ae connected directly between the qfx

     

    2> show vlans 999

    Routing instance        VLAN name             Tag          Interfaces
    default-switch          v999                  999
                                                               ae10.0*
                                                               ae2.0*
                                                               ae20.0*

     

     

    But I can't ping from irb.999 in 1st switch to irb.999 in 2nd switch (.11 to .12, .12 to .11)

    Both can ping the vip (.4)

    Should I be able to ping between the l3 interfaces?



  • 2.  RE: VRRP over IRB - can't ping L3 interfaces

     
    Posted 02-18-2018 22:31

    Did you try the method mentioned in the KB below?

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB27865

     

    Regards,

    Rahul



  • 3.  RE: VRRP over IRB - can't ping L3 interfaces

    Posted 02-19-2018 01:16

    Hi Rahul

    Thanks for your reply.

    The current configuration between the 2 interfaces is MC-LAG; there's an ICL-PL link between them, which is a trunk containing all vlan members that should transit under the mclag. I have some more irb units which act as layer3 for the vlans in the mc-lags. In addition, there's a layer2 interface that has no vlans.

    I don't understand what the l2 interface for this irb is. I don't have ae1.21 (ae1 is the ICL-PL link) and it can't be configured, and the mac address is one for all IRBs on the machine.

    So, though the article you referred me to probably would solve this issue, I'm having trouble understanding how to implement this.



  • 4.  RE: VRRP over IRB - can't ping L3 interfaces
    Best Answer

     
    Posted 02-19-2018 01:41

    Hi,

     

    You can read the below document.

     

    https://www.juniper.net/documentation/en_US/junos/information-products/pathway-pages/mc-lag/multichassis-link-aggregation-groups.html

     

    Routing protocols run on the primary IP address of the IRB or RVI interface, and both of the MC-LAG peers run routing protocols independently. The routing protocols use the primary IP address of the IRB or RVI interface and the IRB or RVI MAC address to communicate with the MC-LAG peers. The IRB or RVI MAC address of each MC-LAG peer is replicated on the other MC-LAG peer and is installed as a MAC address that has been learned on the ICL.

    Note: If you are using the VRRP over IRB or RVI method to enable Layer 3 functionality, you must configure static ARP entries for the IRB or RVI interface of the remote MC-LAG peer to allow routing protocols to run over the IRB or RVI interfaces.



  • 5.  RE: VRRP over IRB - can't ping L3 interfaces

     
    Posted 02-19-2018 02:21

    labroot@TEST# show interfaces ae29 | display inheritance no-comments
    mtu 9100;
    aggregated-ether-options {
        lacp {
            active;
            periodic fast;
            system-id 00:29:29:29:29:29;
            admin-key 3;
        }
        mc-ae {
            mc-ae-id 29;
            chassis-id 0;
            mode active-active;
            status-control active;
            init-delay-time 229;
        }
    }
    unit 0 {
        family ethernet-switching {
            interface-mode trunk;
            vlan {
                members [ MGMT PUBLIC ];
            }
        }
    }

     


    labroot@TEST# show vlans MGMT
    vlan-id 86;
    l3-interface irb.86;

     


    labroot@TEST# show vlans PUBLIC 
    vlan-id 88;
    l3-interface irb.88;

     


    labroot@TEST# show interfaces irb.86
    family inet {
        address 10.3.18.2/26 {
            vrrp-group 2 {
                virtual-address 10.3.18.1;
                priority 150;
                preempt {
                    hold-time 300;
                }
                accept-data;
            }
        }
    }

     


    labroot@TEST# show interfaces irb.88
    family inet {
        address 10.2.3.2/27 {
            vrrp-group 4 {
                virtual-address 10.2.3.1;
                priority 150;
                preempt {
                    hold-time 300;
                }
                accept-data;
            }
        }
    }


    labroot@TEST# run show interfaces mc-ae
     Member Link                  : ae29
     Current State Machine's State: mcae active state
     Local Status                 : active
     Local State                  : up
     Peer Status                  : active
     Peer State                   : up
         Logical Interface        : ae29.0
         Topology Type            : bridge
         Local State              : up
         Peer State               : up
         Peer Ip/MCP/State        : X.X.X.X ae10.0 up


    {master:0}[edit]
    labroot@TEST# run show iccp

    Redundancy Group Information for peer X.X.X.X
      TCP Connection       : Established
      Liveliness Detection : Up

    Client Application: l2ald_iccpd_client

    Client Application: lacpd

    Client Application: MCSNOOPD


    {master:0}[edit]
    labroot@TEST# run show vrrp
    Interface     State       Group   VR state VR Mode   Timer    Type   Address
    irb.86        up              2   backup   Active      D  3.084 lcl    10.3.18.2     
                                                                    vip    10.3.18.1     
                                                                    mas    10.3.18.3      
       
    irb.88        up              4   backup   Active      D  2.981 lcl    10.2.3.2   
                                                                    vip    10.2.3.1   
                                                                    mas    10.2.3.3     

    labroot@TEST# run ping 10.3.18.3 count 10 rapid     
    PING 10.3.18.3 (10.3.18.3): 56 data bytes
    .........
    --- 10.3.18.3 ping statistics ---
    10 packets transmitted, 0 packets received, 100% packet loss

    {master:0}[edit]
    labroot@TEST# run ping 10.3.18.3 source 10.3.18.2 count 10 rapid
    PING 10.3.18.3 (10.3.18.3): 56 data bytes
    .........
    --- 10.3.18.3 ping statistics ---
    10 packets transmitted, 0 packets received, 100% packet loss


    As per the below document, this seems to be an expected behavior
     
    http://www.juniper.net/techpubs/en_US/junos14.1/information-products/pathway-pages/mc-lag/multichassis-link-aggregation-groups.html
     
    " If you are using the VRRP over IRB or RVI method to enable Layer 3 functionality, you must configure static ARP entries for the IRB or RVI interface of the remote MC-LAG peer to allow routing protocols to run over the IRB or RVI interfaces."
     
    Dynamic ARP resolution over the ICL interface is not supported.
     
    I have added the configuration for static mac entries and ping to the VRRP address started working.
     
    Configuration added :
    ==================
     
    set interfaces irb unit 86 family inet address 10.3.18.2/26 arp 10.3.18.3 l2-interface ae10.0
    set interfaces irb unit 86 family inet address 10.3.18.2/26 arp 10.3.18.3 mac cc:e1:7f:68:43:00
     
     
    root@TEST# run ping 10.3.18.3 count 10 rapid   
    PING 10.3.18.3 (10.3.18.3): 56 data bytes
    !!!!!!!!!!
    --- 10.3.18.3 ping statistics ---
    10 packets transmitted, 10 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 0.468/14.455/43.348/11.247 ms
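
The static ARP fix from post 5, as an added example that is not part of the original thread: a small Python generator that emits the two `set` lines per IRB unit and rejects rows whose peer address is outside the IRB subnet or is the VRRP virtual address. The function names and inventory layout are hypothetical; the irb.86 values are the ones posted above, and reusing the same peer MAC for irb.88 is an assumption.

```python
import ipaddress
import re

MAC_RE = re.compile(r"[0-9a-f]{2}(:[0-9a-f]{2}){5}")

def static_arp_commands(unit, local_cidr, peer_ip, peer_mac, icl_ifl, vip=None):
    """Build the Junos set lines that pin the MC-LAG peer's IRB address
    to its IRB MAC on the ICL logical interface (hypothetical helper)."""
    local = ipaddress.ip_interface(local_cidr)
    peer = ipaddress.ip_address(peer_ip)
    mac = peer_mac.strip().lower().replace("-", ":")
    if peer not in local.network:
        raise ValueError(f"irb.{unit}: peer {peer} is outside {local.network}")
    if peer == local.ip:
        raise ValueError(f"irb.{unit}: peer address equals the local address")
    if vip is not None and peer == ipaddress.ip_address(vip):
        raise ValueError(f"irb.{unit}: peer address is the VRRP virtual address")
    if not MAC_RE.fullmatch(mac):
        raise ValueError(f"irb.{unit}: malformed MAC {peer_mac!r}")
    if not re.fullmatch(r"\S+\.\d+", icl_ifl):
        raise ValueError(f"irb.{unit}: {icl_ifl!r} is not a logical interface")
    base = (f"set interfaces irb unit {unit} family inet "
            f"address {local.with_prefixlen} arp {peer}")
    return [f"{base} l2-interface {icl_ifl}", f"{base} mac {mac}"]

# irb.86 values are from the post; irb.88 reuses the same peer MAC (assumption).
INVENTORY = [
    (86, "10.3.18.2/26", "10.3.18.3", "cc:e1:7f:68:43:00", "ae10.0", "10.3.18.1"),
    (88, "10.2.3.2/27", "10.2.3.3", "cc:e1:7f:68:43:00", "ae10.0", "10.2.3.1"),
]

def generate(inventory):
    """Return all set lines for the inventory; any bad row raises ValueError."""
    lines = []
    for row in inventory:
        lines.extend(static_arp_commands(*row))
    return lines

if __name__ == "__main__":
    print("\n".join(generate(INVENTORY)))
```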



  • 6.  RE: VRRP over IRB - can't ping L3 interfaces

     
    Posted 02-19-2018 05:21

    As you discovered, yes for this to work you must map IP to MAC via the l2-interface knob.  Just as a point of reference, if you use Network Director and its MC-LAG functionality, ND will automatically create this entry for you.



  • 7.  RE: VRRP over IRB - can't ping L3 interfaces

    Posted 02-19-2018 13:32

    Hi rnayar, 

    Thanks a lot for your detailed answer and explanation, I appreciate the time you took to answer this and the outputs you shared.

    Extraordinary!

     

    David