Understanding LAG link protection on virtual chassis configurations

Article ID: KB37555 KB Last Updated: 04 Oct 2021 Version: 1.0

Summary:

When using link protection of aggregated Ethernet interfaces, a primary link and a backup link are designated to support link protection. Egress traffic passes only through the designated primary link. This includes transit traffic and locally generated traffic on the router or switch. When the primary link fails, traffic is routed through the backup link.

When LAG links are configured on virtual chassis (VC) configurations, they are typically configured in a distributed fashion, with one member link on one VC member and the other member link on another member. If link protection of aggregated Ethernet interfaces is used in these VC configurations, users need to be aware of how VC split scenarios may influence link protection convergence on distributed aggregated interfaces. In certain split-brain scenarios, it is possible that both parts of the VC declare themselves as active and designate their local LAG link member as the primary link.

Symptoms:

If the Virtual Chassis is configured with the "no-split-detection" knob, both VC parts will continue to work independently from one another during a split-brain state. In an example with a two-member VC in split-brain state, both members will claim the primary role and declare the other member of the VC as non-present. This will effectively make each member declare itself as Primary Routing Engine, inherit the configuration and declare the interfaces from the other member as down. This has an unfavorable effect on the LAG link protection feature, as each Primary member will make its own LAG link member the primary link and put it in active state.

The upstream/downstream side of the LAG link will see this as a change from active/standby state to active/active state, which defeats the purpose of LAG link protection and can have a negative effect on traffic forwarding.

Cause:

The LAG link protection feature designates one link as primary (active) and the other as backup (standby). This decision is made by the RE based on the active configuration. If the RE notices that the primary link is lost (port goes down), the backup link becomes active. For this transition to happen, the RE needs to see the primary link as down. If the situation is reversed, where the primary link is up while the backup is down, the RE will keep the primary link as active and no changes will be made.

On the other hand, the "no-split-detection" configuration knob on a virtual chassis ensures that in the event of a split-brain state, both parts of the VC claim the primary role, inherit the configuration and continue to operate as the legitimate inheritor of the VC.

Using the LAG link protection feature on VC deployments with the "no-split-detection" configuration knob can create undesirable LAG link protection convergence in the event of a split-brain state. For example, in a two-member VC (Member 0 and Member 1), where LAG link protection is configured so that the primary link is located on Member 0 while the backup is located on Member 1, a sudden loss of the VCP connections between the VC members will cause the following chain of events:

  1. The VC will enter split-brain state. Member 0 and Member 1 will not see each other in the VC anymore.
  2. Member 0 (originally Primary RE) will remain Primary RE, keep the configuration and declare all ports from Member 1 as down while keeping the interfaces from Member 0 as up.
  3. Member 1 (originally Backup RE) will declare itself as Primary RE, inherit the configuration and declare all ports from Member 0 as down while keeping the interfaces from Member 1 as up.
  4. Member 0, as Primary RE of its own VC realm, will see that the local interface of the LAG link protection bundle is designated as primary and is in UP state, while the interface on the non-accessible Member 1 is designated as backup and is in DOWN state. Member 0 will keep the local interface as the primary one and will continue to receive and forward traffic over that interface.
  5. Member 1, as Primary RE of its own VC realm, will see that the local interface of the LAG link protection bundle is designated as backup and is in UP state, while the interface on the non-accessible Member 0 is designated as primary and is in DOWN state. Member 1 will now initiate convergence of the LAG link protection bundle and declare the local interface as the primary link. This will effectively make the local link active, and it will begin to send and receive traffic over that interface.
  6. In the end, both links will work as active and they will both attempt to forward the traffic. The other end of this LAG link will therefore move from the expected active/standby state to active/active state.
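
The chain of events above can be reproduced with a small model of the RE's decision. This is an added example, not Juniper code: the interface names, the `Link` class and all function names are constructed for illustration, and each partition is assumed to decide independently, as described for "no-split-detection".

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Link:
    name: str    # constructed interface name
    member: int  # VC member hosting the port
    role: str    # configured role: "primary" or "backup"

# Constructed two-member example matching the article: primary on Member 0.
LAG = [Link("ge-0/0/10", 0, "primary"), Link("ge-1/0/10", 1, "backup")]

def re_view(links, reachable_members, failed_ports=frozenset()):
    """Port states as seen by one Primary RE: a port is up only if its
    member is reachable from this RE and the port itself has not failed."""
    return {l.name: l.member in reachable_members and l.name not in failed_ports
            for l in links}

def select_active(links, port_up):
    """Link-protection decision: keep the primary while it is up,
    otherwise fall back to the backup if that one is up."""
    for role in ("primary", "backup"):
        for l in links:
            if l.role == role and port_up[l.name]:
                return l.name
    return None

def far_end_active(links, partitions, failed_ports=frozenset()):
    """Every VC partition runs its own Primary RE (the no-split-detection
    behaviour) and decides alone; return the links the far end sees active."""
    chosen = set()
    for members in partitions:
        active = select_active(links, re_view(links, members, failed_ports))
        if active is not None:
            chosen.add(active)
    return sorted(chosen)

if __name__ == "__main__":
    print("healthy VC:       ", far_end_active(LAG, [{0, 1}]))
    print("primary port down:", far_end_active(LAG, [{0, 1}], {"ge-0/0/10"}))
    print("split brain:      ", far_end_active(LAG, [{0}, {1}]))
```

A real port failure in a healthy VC moves traffic to the backup link only, while the split leaves both links active because neither RE ever sees the condition "primary up" and "backup up" at the same time.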

Solution:

When using the LAG link protection feature on Virtual-Chassis configurations, be aware of how split-brain scenarios affect the convergence of this feature. To avoid active/active scenarios on LAG links with the link protection feature, do not use the "no-split-detection" configuration knob in the VC configuration.

However, be aware of how omitting "no-split-detection" will influence the VC split-brain scenarios. Be sure to review the Virtual-Chassis best practice and implementation guide before omitting "no-split-detection".
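
One way to check an existing configuration for the combination described above, as an added example that is not part of the original article. It assumes a `set`-format configuration export, EX-style `ether-options 802.3ad primary|backup` statements, and that the FPC number in an interface name is the VC member ID; the function name and the sample configuration are constructed.

```python
import re

# Assumed set-format statements (EX-style; "gigether-options" also accepted).
PROTECT = re.compile(r"^set interfaces (ae\d+) aggregated-ether-options link-protection$")
MEMBER = re.compile(
    r"^set interfaces (\S+-(\d+)/\d+/\d+) (?:gig)?ether-options 802\.3ad (ae\d+|primary|backup)$")

def audit(config_text):
    """Return (bundle, primary_port, backup_port) for every link-protected LAG
    whose primary and backup sit on different VC members while
    no-split-detection is configured."""
    no_split, protected = False, set()
    bundle_of, role_of, member_of = {}, {}, {}
    for raw in config_text.splitlines():
        line = " ".join(raw.split())
        if line == "set virtual-chassis no-split-detection":
            no_split = True
        elif (m := PROTECT.match(line)):
            protected.add(m.group(1))
        elif (m := MEMBER.match(line)):
            port, fpc, value = m.group(1), int(m.group(2)), m.group(3)
            member_of[port] = fpc  # on a VC the FPC number is the member ID
            if value in ("primary", "backup"):
                role_of[port] = value
            else:
                bundle_of[port] = value
    findings = []
    if not no_split:
        return findings
    for ae in sorted(protected):
        ports = {role_of[p]: p for p, b in bundle_of.items() if b == ae and p in role_of}
        pri, bak = ports.get("primary"), ports.get("backup")
        if pri and bak and member_of[pri] != member_of[bak]:
            findings.append((ae, pri, bak))
    return findings

# Constructed sample configuration (not from the article).
SAMPLE = """\
set virtual-chassis no-split-detection
set interfaces ae0 aggregated-ether-options link-protection
set interfaces ge-0/0/10 ether-options 802.3ad ae0
set interfaces ge-0/0/10 ether-options 802.3ad primary
set interfaces ge-1/0/10 ether-options 802.3ad ae0
set interfaces ge-1/0/10 ether-options 802.3ad backup
set interfaces ae1 aggregated-ether-options link-protection
set interfaces ge-0/0/11 ether-options 802.3ad ae1
set interfaces ge-0/0/11 ether-options 802.3ad primary
set interfaces ge-0/0/12 ether-options 802.3ad ae1
set interfaces ge-0/0/12 ether-options 802.3ad backup
"""
```

In the sample, only `ae0` is reported: `ae1` is link-protected but both of its ports sit on member 0, so a VC split cannot leave it active/active.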

In summary, it is a best practice to take into consideration the pros and cons before deciding whether to use the LAG link protection feature on Virtual-Chassis configurations.
