Junos OS

I have a pair of QFX5120 running as network core routers. they are in a virtual cluster and from what I can tell are super happy together.
I would like to make a redundant link to a pair of Palo Alto NGFW that are running in an active/passive HA.

I have in my head there is a more elegant way to run redundant links, but I keep thinking in circles and feel like it's time to have someone just tell me the obvious answer. 
it's not redundant-trunk-groups as this will be l3 
it's not AggregateEth because I'm not looking to double bandwidth

I'm used to SRX and creating a reth, but I can't seem to do that on a qfx, as I can't find a way to make redundancy groups.

to quote Leeloo "please halp

Hi Travis,

The QFXs use ae interfaces for Aggregated Ethernet, this isn't exclusively used for bundling links for increased bandwidth, but redundancy as well. 
A lot of environments are set up with the architecture below, this is the same as connecting to an SRX cluster...

PAFW1 ae1 port ethernet1/4 > QFX-VC ae0 port xe-0/0/42
PAFW1 ae1 port ethernet1/5 > QFX-VC ae0 port xe-1/0/42

PAFW2 ae1 port ethernet1/4 > QFX-VC ae1 port xe-0/0/43
PAFW2 ae1 port ethernet1/5 > QFX-VC ae1 port xe-1/0/43

Palo Alto recommends using a single ae interface for all links and enabling LACP  to reduce time to recovery and enable communication on active/standby ports on the ae. More information: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/high-availability/ha-concepts/lacp-and-lldp-pre-negotiation-for-activepassive-ha#id2c171a8c-cc16-4c05-9b03-a47a57cf07e2 

------------------------------
GAVIN WHITE
------------------------------

Original Message:
Sent: 12-08-2023 15:12
From: TRAVIS MOLLECK
Subject: QFX5120 pair to Palo Alto FW

I have a pair of QFX5120 running as network core routers. they are in a virtual cluster and from what I can tell are super happy together.
I would like to make a redundant link to a pair of Palo Alto NGFW that are running in an active/passive HA.

I have in my head there is a more elegant way to run redundant links, but I keep thinking in circles and feel like it's time to have someone just tell me the obvious answer. 
it's not redundant-trunk-groups as this will be l3 
it's not AggregateEth because I'm not looking to double bandwidth

I'm used to SRX and creating a reth, but I can't seem to do that on a qfx, as I can't find a way to make redundancy groups.

to quote Leeloo "please halp"

------------------------------
TRAVIS MOLLECK
------------------------------

If I follow your setup correctly that the L3 interface on the PAN needs to failover between active/passive units to the QFX. 

I would use an irb interface assigned to the vlan.  Then have the two PAN connected to ports in that VLAN on different members of the virtual chassis.

This way failures of either a single QFX member or the PAN active would still work as expected.

------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home
------------------------------

Original Message:
Sent: 12-08-2023 15:12
From: TRAVIS MOLLECK
Subject: QFX5120 pair to Palo Alto FW

I have a pair of QFX5120 running as network core routers. they are in a virtual cluster and from what I can tell are super happy together.
I would like to make a redundant link to a pair of Palo Alto NGFW that are running in an active/passive HA.

I have in my head there is a more elegant way to run redundant links, but I keep thinking in circles and feel like it's time to have someone just tell me the obvious answer. 
it's not redundant-trunk-groups as this will be l3 
it's not AggregateEth because I'm not looking to double bandwidth

I'm used to SRX and creating a reth, but I can't seem to do that on a qfx, as I can't find a way to make redundancy groups.

to quote Leeloo "please halp"

------------------------------
TRAVIS MOLLECK
------------------------------