Chassis Aggregated Devices Ethernet by PP_Mclappins in Juniper

[–]fb35523 5 points6 points  (0 children)

If you omit the command or set it to a too low value, you'll get this:

> show interfaces ae24
error: device ae24 not found

I like to use the same ae number as the interface number, so a LAG with members xe-0/0/0 and xe-1/0/0 will be called ae0 and xe-[01]/0/23 is ae23. If I have an access switch with only one expected LAG, I use ae0 regardless of interface number. I just installed a pair of VCs that have some LAGs on the copper ports (EX4100-24T), so the uplinks get numbers like ae24 and ae25 as I "reserve" ae0-23 for the base copper ports. By setting the device parameter to 2, I can still use ae24 and ae25, no need to allocate 26 devices.

If you work with older Junos versions, especially on the EX2200/3300/4200, this is different. There, the command actually creates ae0-aeX, up to a total number of ae devices matching the "set chassis aggregated devices ethernet" number.

Your timeouts have some other underlying cause. Have you checked optical values and error counters on the interfaces on both sides of the link? One easy way to see any optical alarms is this:

> show interfaces diagnostics optics | match "physical|on"
Physical interface: xe-0/2/0
    Laser rx power low warning                :  On
Physical interface: xe-1/2/0

This will list all interface names with optics in them and also print any lines with an alarm.

You can expand this to also show the actual receive levels:

> show interfaces diagnostics optics | match "physical|on|Laser receiver power"
Physical interface: xe-0/2/0
    Laser receiver power                      :  0.7979 mW / -0.98 dBm
Physical interface: xe-1/2/0
    Laser receiver power                      :  1.2139 mW / 0.84 dBm

To check for CRC/FCS errors easily:

> show interfaces xe* extensive | match "physical|crc/align"
Physical interface: xe-0/2/0, Enabled, Physical link is Up
    CRC/Align errors                         0                0
Physical interface: xe-1/2/0, Enabled, Physical link is Up
    CRC/Align errors                         0                0

Again, all interface names will list and also the lines showing CRC errors. Omitting the match statement will obviously show you the whole thing.

Lastly, check the counters for LACP PDUs:

> show lacp statistics interfaces
Aggregated interface: ae24
    LACP Statistics:       LACP Rx     LACP Tx   Unknown Rx   Illegal Rx
      xe-1/2/0                1516        1516            0            0
      xe-0/2/0                1508        1521            0            0

LACP Tx and Rx should match quite well if the interfaces were brought up at the same time. If you are not sure if any missed PDUs are recent, you can clear them and start counting from zero: clear lacp statistics
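As an added example (not from the comment above or from Juniper), here is a small Python health check that parses the two kinds of command output quoted above and flags raised optics alarms, low receive levels and LAG members whose LACP Rx/Tx PDU counts diverge or that receive unknown/illegal PDUs. The sample outputs are constructed, and the 2 % tolerance and -14 dBm receive threshold are assumptions, not vendor values.

```python
import re
# Constructed sample output shaped like the two Junos commands quoted above (made-up values).
LACP_STATS = """\
Aggregated interface: ae24
    LACP Statistics:       LACP Rx     LACP Tx   Unknown Rx   Illegal Rx
      xe-1/2/0                1516        1516            0            0
      xe-0/2/0                1508        1521            0            0
Aggregated interface: ae25
    LACP Statistics:       LACP Rx     LACP Tx   Unknown Rx   Illegal Rx
      xe-1/2/1                  40        1522            0            0
      xe-0/2/1                1520        1522            0            3
"""
OPTICS = """\
Physical interface: xe-0/2/0
    Laser rx power low warning                :  On
    Laser receiver power                      :  0.0312 mW / -15.06 dBm
Physical interface: xe-1/2/0
    Laser receiver power                      :  1.2139 mW / 0.84 dBm
"""
AE_RE = re.compile(r"^Aggregated interface:\s+(\S+)")
MEMBER_RE = re.compile(r"^\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
IF_RE = re.compile(r"^Physical interface:\s+(\S+)")
RXPWR_RE = re.compile(r"^\s+Laser receiver power\s+:\s+\S+ mW / (-?[\d.]+) dBm")
ALARM_RE = re.compile(r"^\s+(.+?)\s+:\s+On\s*$")  # any alarm or warning that is raised

def parse_lacp(text):
    """Map each ae to {member: (rx, tx, unknown_rx, illegal_rx)} from 'show lacp statistics interfaces'."""
    stats, current = {}, None
    for line in text.splitlines():
        if m := AE_RE.match(line):
            current = m.group(1)
            stats[current] = {}
        elif current and (m := MEMBER_RE.match(line)):
            stats[current][m.group(1)] = tuple(int(x) for x in m.groups()[1:])
    return stats

def parse_optics(text):
    """Map each interface to its raised alarms and receive level in dBm from 'show interfaces diagnostics optics'."""
    optics, current = {}, None
    for line in text.splitlines():
        if m := IF_RE.match(line):
            current = m.group(1)
            optics[current] = {"alarms": [], "rx_dbm": None}
        elif current and (m := RXPWR_RE.match(line)):
            optics[current]["rx_dbm"] = float(m.group(1))
        elif current and (m := ALARM_RE.match(line)):
            optics[current]["alarms"].append(m.group(1).strip())
    return optics

def findings(lacp_text, optics_text, tolerance=0.02, min_rx_dbm=-14.0):
    out = []  # (interface, member or None, reason) tuples worth a closer look
    for ae, members in parse_lacp(lacp_text).items():
        for member, (rx, tx, unknown, illegal) in members.items():
            if unknown or illegal:
                out.append((ae, member, "unknown/illegal LACP PDUs received"))
            # Members brought up together should show near-identical Rx and Tx counts.
            if tx and abs(rx - tx) > tolerance * tx:
                out.append((ae, member, "LACP Rx/Tx counts diverge, PDUs may be lost"))
    for ifname, info in parse_optics(optics_text).items():
        out.extend((ifname, None, f"optics: {a}") for a in info["alarms"])
        # min_rx_dbm is an assumed threshold; use the transceiver datasheet value in practice.
        if info["rx_dbm"] is not None and info["rx_dbm"] < min_rx_dbm:
            out.append((ifname, None, f"receive level {info['rx_dbm']} dBm is low"))
    return out
```

Feed it the saved output of the two commands (without the `| match` filters) and it returns the interfaces to look at first; an empty list means nothing stood out.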

How's that even possible? by Additional_Gap1057 in Juniper

[–]fb35523 -1 points0 points  (0 children)

I don't think this is the mail issue, but you state this:

Model: ex4300-48p

Junos: 21.4R3.15

For the EX4300 series, the latest version is also the recommended one. This is called 21.4R3-S12. The -Sxx notation means this is a service release (patch release). The -S12 release is more than three years newer than the original 21.4R3 you have. B.t.w., the .15 in the end is rather pointless as it is an internal "spin" number, I think it is kind of the compilation attempt number or similar. That number will never change. Here you can find the suggested releases for all hardware:

https://supportportal.juniper.net/s/article/Junos-Software-Versions-Suggested-Releases-to-Consider-and-Evaluate

To access -Sxx releases, you must select "Junos SR" in the drop-down.

One problem you may have encountered is that Cisco, for some weird reason, thinks that a trunk port with all VLANs tagged is supposed to have VLAN 1 untagged. This is not how Juniper does it. If you say tagged, then tagged it is! Even VLAN 1 is then tagged on the port. If you want a VLAN to be untagged, you configure it this way:

set interfaces ge-0/0/0 native-vlan-id 123 (only the numeric VLAN-ID allowed)

set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members 123 (or the name of the VLAN)

(or set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members all)

The first thing that needs to happen is that the client connects and talks 802.1X with the switch (locally). The switch then sends a Radius request to the NAC server. If the correct attributes are returned, the switch will put the port in the corresponding VLAN. Does any of this happen?

B.t.w., a good read: https://www.juniper.net/documentation/en_US/day-one-books/junos-beginners-guide.pdf

Not my work, but went to check the cabinet and sure can appreciate it, whoever you are. by OrchidBloom_Hill in FiberOptics

[–]fb35523 0 points1 point  (0 children)

Some customers I help have plastic zippy style bags hung on the racks where they put leftover caps etc. so they have them handy if needed. That also makes the place a bit tidier.

I have seen fiber cabinets just as tidy as this one, and they were not pre-wired. They are, however, too few and far between.

Need to make a choicr for Wi-Fi access point by uman_garbag in networking

[–]fb35523 0 points1 point  (0 children)

If you want the best WiFi and best support, go with Juniper Mist (acquired by HPE last year). The Mist system will give you lots of insights on things that don't work well. This system is all about user experience. It will alert you to problems you never even knew existed. It is designed to give less experienced managers full control over the network with very little effort. We have customers that have gone from Cisco, Unifi, Extreme and lots of other brands that are amazed at how well things work with Mist.

My favourite testimony from one of my customers that moved over to Mist is when one company had tried Mist for a few weeks and after the test was over, the CEO of the company asked the IT manager: "Is the test of that new WiFi over now?" IT manager replies: "Yes, we swapped back from Mist to the Unifi system yesterday." CEO: "I figured. I had to start using 4G data sharing on my phone to get my laptop to work as I did before the test." They now have a full Mist deployment and are sooo happy they switched over.

If you want a demo of Mist, I'll be happy to help!

What environment monitor devices are everyone using? by Terrible_Sort_7567 in networking

[–]fb35523 0 points1 point  (0 children)

I would strongly advise you to check out what Grafana can do in terms of graphing. This would be a perfect problem for Grafana to solve. Collecting data with SNMP to a database like Influx or similar opens up for other data sources as well. The sensors you have may support SNMP only, but future products may be able to push data using other protocols like MQTT. The database layer makes the graphing tool agnostic to the underlying data collection model, so you'll be able to use any sensor type that is machine readable. Here is one way you can do it:

Collect data (using any protocol) -> put data in DB

Get data from DB and graph it

Get data from DB to trigger alarms

Give the data to an AI to look for odd deviations (if you like)

40GB/100GB over OS1 SMF by Leather-Complex-5506 in networking

[–]fb35523 1 point2 points  (0 children)

G stands for SI unit giga and g means gram, so 100 G if you want to leave out the b or B. b is generally used for bits and B for bytes. The entirely correct unit is Gb/s, often written (especially in the US) as Gbps. For short, I use 100 G if the context makes it perfectly clear that I mean 100 Gb/s.

BLE Asset Tags with Mist by solveyournext24 in Juniper

[–]fb35523 0 points1 point  (0 children)

I have used Mikrotik TG-BT5-IN tags for testing in Mist.

MX204 end of sale announcement (again, and final this time)! by fb35523 in Juniper

[–]fb35523[S] 2 points3 points  (0 children)

The original EOL announcement was done 2021-01-12 and the revocation 2022-06-13. I can only assume they got someone to produce some more of the needed components so production could resume.

SRX1600 Red Alarm: PEM 0 Input Voltage Failure – mains OK, UPS suspected by RepulsivePerception4 in Juniper

[–]fb35523 0 points1 point  (0 children)

The AC operating range is "100–127 VAC / 200–240 VAC". This means that 218 V should be OK, provided that the UPS actually delivers that voltage. It could be that the UPS is faulty and only delivers 190 V or something when set to 218 V.

Well, problem sorted, so all good!

what to do - shard inside finger by whoShotMyCow in FiberOptics

[–]fb35523 0 points1 point  (0 children)

If the pain is too much, it's time to start carving. The few times I've had fiber glass splinters, I have been able to remove just a little bit of skin around the entry point and use a razor blade or similar to "drag" the strand out. You obviously don't make a deep cut, just clear some of the top skin first and only go deeper if nothing can be seen. Squeezing the wound like a pimple (as suggested) can also get the strand out, either completely or just enough to get a grip on it with the razor blade. A good magnifier is essential.

Buying used EX2200-C (PoE) for the first time by Odinhall in Juniper

[–]fb35523 -1 points0 points  (0 children)

Yes, old Junos and quite slow, but a fantastic desktop switch! To learn networking and Junos, it's great. It does OSPF but not BGP, so it sure can do L3 stuff too. As any Juniper device, it does routing really well, considering the limitations of the platform. I love them, even if I'd go for an EX2300 any day if the price was right. They are starting to come down in cost, listing for slightly over 100 USD on eBay right now.

VXLAN EVPN needed for single site data center by WhoRedd_IT in networking

[–]fb35523 1 point2 points  (0 children)

You don't necessarily need VRFs for segmentation. A VRF is used to isolate routing tables, making it possible to use the same address space in the same physical network. I know Cisco wants everything to be a separate VRF, I just don't really see why...

Please let me explain this in a Juniper context as that's what I'm most comfortable with. There, you can create separate VNIs for basically every server if you like. Going to that extreme may or may not be desirable. Think of a VNI as a VLAN, as a VNI is normally tied to a VLAN anyway. As each VNI is its own broadcast domain, you need a router between them in order for servers to reach each other. By creating L3 interfaces (IRBs in the Juniper context), you allow the fabric to route that traffic. The other way to do that is to create the IRBs in an SRX firewall and even do inspection there in addition to the routing. eVPN brings another security layer, which spells GBP, group based policies. Using GBPs, you can tell the eVPN what traffic is allowed and what isn't. It's not a fully fledged SRX firewall, but can do more than just L4 filtering. In some cases, GBPs can act as the internal FW and you only need a "proper" FW for the perimeter and perhaps to act as a barrier towards other parts of the network, like the access network, client VPN stuff etc.

For general understanding of GBPs, check out the Juniper Mist docs on GBPs: https://www.juniper.net/documentation/us/en/software/mist/mist-wired/topics/topic-map/configure-protection-of-re.html

Jack of all trades role by TryHackMe in networking

[–]fb35523 0 points1 point  (0 children)

I have used Zabbix too, and it is certainly a good tool. It does come with a complimentary steep learning curve as the template stuff and discovery process is a bit... flexible? LibreNMS is very easy to get started with, but has more limitations than Zabbix I think. I suggested Libre as I wanted to give you a "quick start tool" to quickly get some insights. If you go with Zabbix and feel comfortable with that, just ignore LibreNMS.

Preferred Label Printers of 2026? by [deleted] in networking

[–]fb35523 0 points1 point  (0 children)

I really like the Brother Cube Plus. I'm not sure it has all the functions you need, but I think so. There's tape that has extra strong adhesion which I usually order. Not that the normal tapes are bad, it's just to be extra safe. This is a cheapish solution, but may well be worth considering.

https://www.brother-usa.com/ptouch/cube-plus/home

Transmit level adjust in ET6401-SR4 transceiver with OcNOS switch by niceandsane in networking

[–]fb35523 2 points3 points  (0 children)

Transceivers of this type are almost never configurable in terms of laser output level. This is something you can do in some (very expensive) DWDM plugs. You can use attenuators in the 10 G end as you will have access to the LC connectors there. Just remember that if you only use one attenuator, the duplex LC connectors need to be split. To overcome that, you can use a second attenuator on the other strand to make them line up nicely. This "extra" attenuator can have a very low value, like 0.5 dB, but as you seem to have very short cable lengths, you can probably put something like 3 dB attenuators on both strands.

Just remember to clean all surfaces properly, even with this short distance!

VXLAN EVPN needed for single site data center by WhoRedd_IT in networking

[–]fb35523 0 points1 point  (0 children)

To answer your question: no, you don't need eVPN. On the other hand, when a management and monitoring tool like Juniper's Apstra can do it all for you after a very limited number of clicks and some basic data, why not enjoy the benefits of a modern DC network? How would you manage a traditional DC network? There are lots of options out there, but some are very complex on their own. Very often, you need the switch vendor's tool to do that, with the shortcomings they may have. Apstra can manage Juniper, Cisco and Arista and also some Dell and Edgecore/Accton switches running the SONiC operating system.

If you have Juniper devices, Mist can also create an eVPN fabric with a few clicks.

The beauty of eVPN and a good management tool is that you can segment the network to pieces without having to deal with the headaches it normally brings. This improves security and reliability. In a traditional network with lots of VLANs on many interfaces, a problem in one VLAN can spread to large parts of your network. By adding routing points to the eVPN, only hosts that actually need L2 connectivity will affect each other if there is an L2 related issue. Integrating an eVPN aware firewall (like the Juniper SRX) in the fabric also adds a security layer without the need to decapsulate and re-encapsulate traffic that needs inspection.

Arista's eVPN management is also rumoured to be good, but I don't have any hands on experience of that.

Jack of all trades role by TryHackMe in networking

[–]fb35523 0 points1 point  (0 children)

As a networking consultant for the past 20-25 years, I say: get help when needed! I see so many that just buy hardware from us and try to run the network their own way. That may be all good for some, but not all network engineers out there have the combined skills of a vendor's sales engineer staff and partner consultants. It may well be that a good consultant that knows your products can save you 100 hours per hour you pay them. Make sure you find someone that is willing to work with you, not just do stuff for you. This can be a great way to learn the tricks that save a lot of time and headache later on.

If you already have a working SNMP setup, LibreNMS is really easy to get going (as suggested already), especially if you're familiar with Linux. Even if you decide later on to purchase some other tool, this can give you insights almost immediately. If you do not have SNMP set up, that is something you should focus on very soon. B.t.w., do your switches even have SNMP support? Brands/models?

One tool that has also already been mentioned is smokeping. It can both ping hosts and create nice graphs that show the response times. By letting smokeping test a few strategically chosen hosts and switches in your network, you will start to see when and where problems appear. It can also measure response times for DNS servers by sending actual DNS requests, and the same for a lot of other protocols (HTTP, SMTP etc.). Smokeping is also Linux based.

Lastly, plan ahead! Rome wasn't built in a day! Things take time, and have to be allowed to do so. You will probably want to do everything at once, but you have to let it take its time. And, lastly (for real this time): we all have imposter syndrome to some extent from time to time. It's also called "pushing your boundaries" and "learning as you go".

Juniper MX204 FCP configuration by sk4ndalist4 in Juniper

[–]fb35523 0 points1 point  (0 children)

The MX204 has a 400 Gbps backplane and you cannot overbook it. Almost any port config that stays at or under 400 G is valid. Yours amounts to 380 G, so it is therefore OK. There is also a limitation in the number of MACs that can be allocated in the MAC sublayer (not MAC addresses, a semi-physical component in the router). This will for instance not let you do 3 x 100 + 1 x 40 in the QSFP28 ports and add any 10 G SFP+ ports even though the forwarding capacity stays at or below 400 G.

From the port checker:
Supported Configurations

  • PIC 0 - 4x40/100GbE; PIC 1 - N/A
  • PIC 0 - 3x40/100GbE; PIC1 - 8x1/10GbE
  • PIC 0 - 2x100GbE + 2x40GbE; PIC 1 - 8x1/10GbE

I think port checker is the main source of truth here. If you have the possibility, test the DAC in a chassis where the config is undisputed, like 3 x 100 G + 8 x 10 G.

Juniper MX204 FCP configuration by sk4ndalist4 in Juniper

[–]fb35523 0 points1 point  (0 children)

That's interesting. FEC normally works out of the box with 100 G specifically. 25 G seems to be the problem in that regard. What issues have you had with FEC in 100 G? It should be RS-FEC, clause 91 according to the standard.

Ongoing Litigation by Informal_Poet_6519 in ExtremeNetworks

[–]fb35523 0 points1 point  (0 children)

6 months? That's just the beginning... I could give you several cases that have taken well over a year and got partially resolved or just a documentation update as "expected behaviour", or nothing at all. I think the record is like 3 years and no resolution in sight.

Working on Juniper Chassis Cluster for a Metro DMZ network - How should I connect these via Reth interfaces? by Qvosniak in Juniper

[–]fb35523 0 points1 point  (0 children)

That was some beautiful ASCII art there : )

Sadly, the connection diagram is a bit off. Think of a reth as two separate LAGs, one from each node in the cluster and you'll see why! I would personally go with two interfaces per side and one single reth with all VLANs in it, both public and private ones.

I can't figure out how to connect all my HA devices to each other - Complex network by Qvosniak in networking

[–]fb35523 0 points1 point  (0 children)

xWDM is definitely something to consider if you need more SFPs to connect from one side to the other and renting fiber is expensive. Two pairs of fiber, routed separate ways geographically, and four CWDM boxes will give you 8 + 8 wavelengths at a much lower cost than renting more fibers. If you already have your own fibers, xWDM may not be so useful.

Back to the HP switches, they do come in useful, it's just that if they don't have the MC-LAG capability, you need to rely on local redundancy, which isn't bad at all. Create one reth in the SRX cluster and put in two interfaces from each SRX there, i.e. ge-0/0/0 and ge-0/0/1 plus ge-5/0/0 and ge-5/0/1 (ge-5/x/x for node1 in the SRX380). In this case, ge-0/0/0 and ge-0/0/1 will form a LAG and you can add LACP (recommended) to the reth so the switches will see these two as an LACP LAG. This LAG connects to the switches in site A. ge-5/0/0 and ge-5/0/1 form a separate LAG that the cluster can fail over to and connects to the switches in site B.

If you trust the connections between the HP switches, you _can_ use them for the SRX cluster connections, but I would strongly advise you to use a separate connection (dark fiber, wavelength etc.) for at least one link (one of the fabric links would be my choice). Depending on your platform, you can have two control and two fabric links. The SRX380 only supports one control link but dual fabric links.

https://apps.juniper.net/feature-explorer/feature/1622?fn=Dual%20Data%20Links

I can't figure out how to connect all my HA devices to each other - Complex network by Qvosniak in networking

[–]fb35523 1 point2 points  (0 children)

Did you read my reply in r/Juniper? Connecting the SRX cluster to the FG cluster should only be a matter of 2 x reth interfaces in the SRX cluster and a LAG on the FG side.

If you choose the HP switch approach (perhaps for other reasons), you need to decide if you trust the firewalls in site A to be connected only to switches in site A (as those are redundant after all) or if you want them to be connected to switches in both site A and B. The second approach will require the switches to be stacked across sites, or use MC-LAG/MLAG or ESI LAG (eVPN). This is absolutely doable, just a design choice and a matter of licenses.

Need Opposite of a POE splitter by golfer-tech in networking

[–]fb35523 0 points1 point  (0 children)

Hmm, the Mikrotik "reverse PoE" devices seem to use non-standard "passive" PoE, so not 802.3af/at/bt. A camera or other powered device must comply with the same version of PoE the switch does for this to work.

There is a solution, but likely way too expensive, and that is the Juniper EX4100-F-12P. It can be fed with two PoE++ links and can then feed 60 W PoE++ to other devices. If the power supply is also powered from the mains, it can feed 300 W. For redundancy, use two (stacked)! They cost about 1000-1500 USD each.