
LACP from PA to Juniper Switching



L0 Member

Got an odd issue I was hoping someone may have seen.

PA-500 setting up a 4-port LACP bond to Juniper switches, running PAN-OS 6.1.2.

Set up the LACP bond on both ends; LACP would not negotiate. Spent many hours wtf’ing, couldn’t find anything odd anywhere; other LACP bonds we’ve set up previously work perfectly.

Eventually, looking at other config snippets (we don’t run these switches, so what I get to see is pretty limited), I discovered the MTU on Juniper switches is 1514 by default (I do Extreme Networks and Cisco, so wasn’t expecting this).

If we set the juniper ports to 1500, the bond comes up.

However, from what I have read, the 1514 MTU that Juniper uses includes the Ethernet header data, which on Cisco (and Palo Alto, and every other vendor known to man) is not included in the count. So effectively the data layer the Juniper is putting out is 1500 less the Ethernet data.

By us forcing the Juniper to 1500, it has now lowered the data MTU to 1486, which is now going to cause fragmentation on the network; however, the LACP bond connects.

Here is the juniper calculation:

Application Data (1472 bytes) + ICMP Header (8 bytes) + IPv4 Header (20 bytes) + Ethernet Header (14 bytes) = 1514 bytes, which will be the default MTU size of the Juniper Ethernet port.

And the rest of the world calculation:

APP-DATA + ICMP HEADER + IPv4 HEADER, which comes to 1500 bytes.

So, where to from here? I can adjust the MTU on every Juniper to 1500; however, we would then need to adjust every workstation, laptop, tablet and printer to the same to avoid fragmentation.

The PA only goes up to 1500 so I can't adjust that, and even if I could, it's likely to cause other issues elsewhere.

Keen on any ideas you may have on this!


Accepted Solutions

L2 Linker

Why do you need to adjust the MTU on every workstation? Mostly you will find a 1500-byte MTU on client-side machines, and the TCP stack takes care of the MSS size based on the MTU. Moreover, on the PA you can adjust the MSS size sent in SYN packets. And UDP-based applications keep the payload size such that a single packet can carry meaningful information for request and response. The 1500 MTU is enough in most cases for UDP-based applications. If some tunneling uses UDP, then fragmentation is very difficult to stop.

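A small added example (not code from the thread or from either vendor) that puts the two calculations above side by side: it normalises each hop's configured MTU to the IP-layer value using the convention the poster describes (Junos counts the 14-byte Ethernet header, PAN-OS and Cisco do not), then derives the largest unfragmented ping payload and the TCP MSS the reply refers to. The vendor table and the hop lists are assumptions constructed for illustration.

```python
# Added example, not from the original thread. Vendor conventions below are
# as described in the post: Junos interface MTU includes the L2 header,
# PAN-OS and Cisco quote the IP-layer figure. Constructed for illustration.
ETH_HDR = 14    # Ethernet header (dst MAC + src MAC + type)
IPV4_HDR = 20   # IPv4 header without options
ICMP_HDR = 8    # ICMP echo header
TCP_HDR = 20    # TCP header without options

# Assumed convention table: does the configured MTU include the Ethernet header?
INCLUDES_ETH_HEADER = {"junos": True, "panos": False, "cisco": False}


def ip_mtu(vendor, configured_mtu):
    """Convert a vendor's configured interface MTU to the IP-layer MTU."""
    if INCLUDES_ETH_HEADER[vendor.lower()]:
        return configured_mtu - ETH_HDR
    return configured_mtu


def path_ip_mtu(hops):
    """Smallest IP-layer MTU along a list of (vendor, configured_mtu) hops."""
    return min(ip_mtu(vendor, mtu) for vendor, mtu in hops)


def max_ping_payload(mtu):
    """Largest ICMP echo payload that fits in one IP packet at this MTU."""
    return mtu - IPV4_HDR - ICMP_HDR


def tcp_mss(mtu):
    """MSS a TCP stack derives from the IP MTU (no IP or TCP options)."""
    return mtu - IPV4_HDR - TCP_HDR


def needs_fragmentation(ip_packet_len, hops):
    """True if an IP packet of this size exceeds the path MTU (it would be
    fragmented, or dropped with ICMP 'fragmentation needed' if DF is set)."""
    return ip_packet_len > path_ip_mtu(hops)


if __name__ == "__main__":
    # Constructed hop lists: Juniper at its default vs. forced to 1500.
    default_path = [("junos", 1514), ("panos", 1500)]
    forced_path = [("junos", 1500), ("panos", 1500)]
    for label, hops in (("default", default_path), ("forced", forced_path)):
        m = path_ip_mtu(hops)
        print(f"{label}: path IP MTU {m}, max ping payload "
              f"{max_ping_payload(m)}, TCP MSS {tcp_mss(m)}, "
              f"1500-byte packet fragments: {needs_fragmentation(1500, hops)}")
```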

