SD-WAN Administrator’s Guide
    : Configure an Aggregate Ethernet Interface and Subinterfaces for SD-WAN
    Focus
    Download PDF
    Focus
    1. Home
    2. SD-WAN
    3. SD-WAN Administrator’s Guide
    4. Configure SD-WAN
    5. Configure an Aggregate Ethernet Interface and Subinterfaces for SD-WAN
    Download PDF

    SD-WAN Administrator’s Guide

    Configure an Aggregate Ethernet Interface and Subinterfaces for SD-WAN

    Table of Contents

    Configure an Aggregate Ethernet Interface and Subinterfaces for SD-WAN

    SD-WAN supports AE interfaces for link redundancy and tagged Layer 3 subinterfaces for traffic segmentation.
    Physical firewalls running PAN-OS 10.2 and SD-WAN Plugin 2.1.0 support SD-WAN on aggregated Ethernet (AE) interfaces so that an SD-WAN firewall in a data center, for example, can have an aggregate interface group (bundle) of physical Ethernet interfaces that provide link redundancy. SD-WAN supports AE interfaces with or without subinterfaces. You can create an AE interface with subinterfaces that you can tag for different ISP services in order to provide end-to-end traffic segmentation. Thus, your ISP services can reach multiple labs or buildings without needing a dedicated pair of fibers for each connection. A Layer 3 AE interface group connects to a router, as shown in the following figure:
    VM-Series firewalls do not support AE interfaces. An SD-WAN hub or branch firewall that has an AE interface should not belong to the same VPN cluster as a VM-Series SD-WAN hub or branch firewall because AE interfaces are not supported on VM-Series firewalls.
    PPPoE is not supported on subinterfaces.
    1. Log in to the Panorama Web Interface.
    2. Configure an SD-WAN Interface Profile for each ISP connection (subinterface) in the AE interface group to define its link attributes.
    3. Create an AE interface group.
      1. Select NetworkInterfacesEthernet, select a Panorama Template, and Add Aggregate Group.
      2. For Interface Name, enter the number to identify the aggregate group; range is 1 to 16.
      3. For Interface Type, select Layer3.
      4. Click OK.
    4. Assign physical interfaces to the aggregate group.
      1. Select NetworkInterfacesEthernet and select the interface you want to assign to the aggregate group.
      2. Select the Interface Type as Aggregate Ethernet.
      3. Select the Aggregate Group you created; for example, ae1.
      4. On the Advanced tab, select the Link Speed, Link Duplex, and Link State.
      5. Click OK.
      6. Repeat this step for each interface you want to assign to the aggregate group.
    5. For the aggregate group, create a subinterface that uses a static IP address.
      1. Select NetworkInterfacesEthernet, highlight the aggregate interface, such as ae1, and click Add Subinterface at the bottom of the screen.
      2. For Interface Name, enter a number after the period, such as 107.
      3. Enter the VLAN Tag to differentiate between the subinterfaces. For ease of use, make the tag the same number as the subinterface ID.
      4. Select the IPv4 tab and Enable SD-WAN.
      5. Select the Type of address: Static.
      6. Add the IP address (and subnet mask) of the subinterface.
      7. Enter the IP address of the Next Hop Gateway.
      8. Click OK.
    6. Alternatively, for the aggregate group, create a subinterface that uses DHCP to get its address.
      1. Select NetworkInterfacesEthernet and in the Template field, select a Template Stack.
      2. Highlight the aggregate interface, such as ae1, and click Add Subinterface at the bottom of the screen.
      3. Highlight the subinterface and click Override at the bottom of the screen.
      4. Highlight the subinterface and for Interface Name, enter a number after the period, such as 1.
      5. Enter the VLAN Tag to differentiate between the subinterfaces. For ease of use, make the tag the same number as the subinterface ID.
      6. Select the IPv4 tab and Enable SD-WAN.
      7. Select the Type of address: DHCP Client.
      8. Select Enable.
      9. Uncheck (do not select) Automatically create default route pointing to default gateway provided by server.
      10. Select the Advanced tab and DDNS tab.
      11. Select Settings and Enable. The Hostname is automatically generated by the Panorama SD-WAN plugin.
      12. Select the Vendor as Palo Alto Networks DDNS.
      13. Click OK.
    7. Apply an SD-WAN Interface Profile to the subinterface.
      1. Highlight the subinterface you created and select the SD-WAN tab.
      2. Select the SD-WAN Interface Profile you created for this link or create a new profile.
      3. Click OK.
    8. Repeat the prior steps to create additional Layer3 subinterfaces for the aggregate interface group and apply an SD-WAN Interface Profile to each subinterface.
    9. Commit.

    © 2025 Palo Alto Networks, Inc. All rights reserved.