An aggregate interface group uses IEEE 802.1AX
link aggregation to combine multiple Ethernet interfaces into a
single virtual interface that connects the firewall to another network
device or another firewall. An aggregate group increases the bandwidth
between peers by load balancing traffic across the combined interfaces.
It also provides redundancy; when one interface fails, the remaining
interfaces continue supporting traffic.
By default, interface
failure detection is automatic only at the physical layer between
directly connected peers. However, if you enable Link Aggregation
Control Protocol (LACP), failure detection is automatic at the physical
and data link layers regardless of whether the peers are directly
connected. LACP also enables automatic failover to standby interfaces
if you configured hot spares. All Palo Alto Networks firewalls except
VM-Series models support aggregate groups. You can add up to eight
aggregate groups per firewall and each group can have up to eight
interfaces.
PAN-OS firewall models support a maximum
of 16,000 IP addresses assigned to physical or virtual Layer 3 interfaces;
this maximum includes both IPv4 and IPv6 addresses.
Before
configuring an aggregate group, you must configure its interfaces. Among
the interfaces assigned to any particular aggregate group, the hardware media
can differ (for example, you can mix fiber optic and copper), but
the bandwidth and interface type must be the same. The bandwidth
and interface type options are:
Bandwidth—1Gbps,
10Gbps, 40Gbps, or 100Gbps
Interface type—HA3, virtual wire, Layer 2, or Layer
3.
This procedure describes configuration
steps only for the Palo Alto Networks firewall. You must also configure
the aggregate group on the peer device. Refer to the documentation
of that device for instructions.