<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic LACP from PA to Juniper Switching in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/lacp-from-pa-to-juniper-switching/m-p/1862#M1387</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Got an odd issue I was hoping someone may have seen.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;PA 500 setting up a 4 port LACP bond to Juniper switches. Running PanOS 6.1.2&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Set up the LACP bond on both ends, LACP would not negotiate. Spent many hours wtf’ing, couldn’t find anything odd anywhere, other LACP bonds we’ve set up previously work perfectly.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Eventually looking at other config snippets (we don’t run these switches so what I get to see is pretty limited) discover the MTU on Juniper switches is 1514 (I do Extreme Networks and Cisco so wasn’t expecting this) by default.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If we set the Juniper ports to 1500, the bond comes up.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;However, from what I have read, the 1514 MTU that Juniper uses includes the Ethernet header data, which in the Cisco (and Palo Alto, and every other vendor known to man) is not included in the count. So effectively the data layer the Juniper is putting out is 1500 less the Ethernet data.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;By us forcing the Juniper to 1500, it has now lowered the data MTU to 1486 which is now going to cause fragmentation on the network, however the LACP bond connects.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Here is the Juniper calculation: &lt;/P&gt;&lt;P&gt;Application Data (1472 Bytes) + ICMP Header (8 Bytes) + IPV4 Header (20 Bytes) + Ethernet Header (14 Bytes) = 1514 Bytes, which will be the default MTU size of the Juniper Ethernet port.&lt;/P&gt;&lt;P&gt;And the rest of the world calculation:&lt;/P&gt;&lt;P&gt;APP-DATA + ICMP HEADER + IPV4 HEADER. Which comes to 1500 bytes.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;So. Where to from here? 
I can adjust the MTU on every Juniper to 1500, however we would then need to adjust every workstation, laptop, tablet, printer to the same to avoid fragmentation.&lt;/P&gt;&lt;P&gt;The PA only goes up to 1500 so I can't adjust that, and even if I could, it's likely to cause other issues elsewhere.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Keen on any ideas you may have on this!&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Wed, 11 Mar 2015 04:26:33 GMT</pubDate>
    <dc:creator>BrentAddis</dc:creator>
    <dc:date>2015-03-11T04:26:33Z</dc:date>
    <item>
      <title>LACP from PA to Juniper Switching</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/lacp-from-pa-to-juniper-switching/m-p/1862#M1387</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Got an odd issue I was hoping someone may have seen.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;PA 500 setting up a 4 port LACP bond to Juniper switches. Running PanOS 6.1.2&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Set up the LACP bond on both ends, LACP would not negotiate. Spent many hours wtf’ing, couldn’t find anything odd anywhere, other LACP bonds we’ve set up previously work perfectly.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Eventually looking at other config snippets (we don’t run these switches so what I get to see is pretty limited) discover the MTU on Juniper switches is 1514 (I do Extreme Networks and Cisco so wasn’t expecting this) by default.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If we set the Juniper ports to 1500, the bond comes up.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;However, from what I have read, the 1514 MTU that Juniper uses includes the Ethernet header data, which in the Cisco (and Palo Alto, and every other vendor known to man) is not included in the count. So effectively the data layer the Juniper is putting out is 1500 less the Ethernet data.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;By us forcing the Juniper to 1500, it has now lowered the data MTU to 1486 which is now going to cause fragmentation on the network, however the LACP bond connects.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Here is the Juniper calculation: &lt;/P&gt;&lt;P&gt;Application Data (1472 Bytes) + ICMP Header (8 Bytes) + IPV4 Header (20 Bytes) + Ethernet Header (14 Bytes) = 1514 Bytes, which will be the default MTU size of the Juniper Ethernet port.&lt;/P&gt;&lt;P&gt;And the rest of the world calculation:&lt;/P&gt;&lt;P&gt;APP-DATA + ICMP HEADER + IPV4 HEADER. Which comes to 1500 bytes.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;So. Where to from here? 
I can adjust the MTU on every Juniper to 1500, however we would then need to adjust every workstation, laptop, tablet, printer to the same to avoid fragmentation.&lt;/P&gt;&lt;P&gt;The PA only goes up to 1500 so I can't adjust that, and even if I could, it's likely to cause other issues elsewhere.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Keen on any ideas you may have on this!&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 11 Mar 2015 04:26:33 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/lacp-from-pa-to-juniper-switching/m-p/1862#M1387</guid>
      <dc:creator>BrentAddis</dc:creator>
      <dc:date>2015-03-11T04:26:33Z</dc:date>
    </item>
    <item>
      <title>Re: LACP from PA to Juniper Switching</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/lacp-from-pa-to-juniper-switching/m-p/1863#M1388</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Why do you need to adjust the MTU on every workstation? Mostly you will find a 1500-byte MTU on client-side machines. And the TCP stack takes care of the MSS size based upon the MTU. Moreover, on the PA you can adjust the MSS size sent in SYN packets. And UDP-based applications keep the payload size such that a single packet can carry meaningful information for request and response. The 1500 MTU is enough in most cases for UDP-based applications. If there is some tunneling using UDP, then fragmentation is very difficult to stop.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 12 Mar 2015 02:52:24 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/lacp-from-pa-to-juniper-switching/m-p/1863#M1388</guid>
      <dc:creator>jthakur</dc:creator>
      <dc:date>2015-03-12T02:52:24Z</dc:date>
    </item>
  </channel>
</rss>

