SD-WAN Administration
  • SD-WAN Administration
  • SD-WAN Documentation
  • All Documentation
>
Configure an Aggregate Ethernet Interface and Subinterfaces for Link Redundancy
Focus
Download PDF
Focus
  1. Home
  2. SD-WAN
  3. Configure Interfaces for SD-WAN
  4. Configure an Aggregate Ethernet Interface and Subinterfaces for Link Redundancy
Download PDF
SD-WAN

Configure an Aggregate Ethernet Interface and Subinterfaces for Link Redundancy

Table of Contents

Configure an Aggregate Ethernet Interface and Subinterfaces for Link Redundancy

SD-WAN supports AE interfaces for link redundancy and tagged Layer 3 subinterfaces for traffic segmentation.
Where Can I Use This?What Do I Need?
  • NGFW
(SD-WAN plugin 2.1.0 and later versions) SD-WAN supports aggregated Ethernet (AE) interfaces so that an SD-WAN firewall in a data center, for example, can have an aggregate interface group (bundle) of physical Ethernet interfaces that provide link redundancy. SD-WAN supports AE interfaces with or without subinterfaces. You can create an AE interface with subinterfaces that you can tag for different ISP services in order to provide end-to-end traffic segmentation. Thus, your ISP services can reach multiple labs or buildings without needing a dedicated pair of fibers for each connection. A Layer 3 AE interface group connects to a router, as shown in the following figure:
VM-Series firewalls do not support AE interfaces. An SD-WAN hub or branch firewall that has an AE interface should not belong to the same VPN cluster as a VM-Series SD-WAN hub or branch firewall because AE interfaces are not supported on VM-Series firewalls.
PPPoE is not supported on subinterfaces.
  1. Log in to the Panorama Web Interface.
  2. Define your ISP connections and link types for each ISP connection (subinterface) in the AE interface group to define its link attributes.
  3. Create an AE interface group.
    1. Select NetworkInterfacesEthernet, select a Panorama Template, and Add Aggregate Group.
    2. For Interface Name, enter the number to identify the aggregate group; range is 1 to 16.
    3. For Interface Type, select Layer3.
    4. Click OK.
  4. Assign physical interfaces to the aggregate group.
    1. Select NetworkInterfacesEthernet and select the interface you want to assign to the aggregate group.
    2. Select the Interface Type as Aggregate Ethernet.
    3. Select the Aggregate Group you created; for example, ae1.
    4. On the Advanced tab, select the Link Speed, Link Duplex, and Link State.
    5. Click OK.
    6. Repeat this step for each interface you want to assign to the aggregate group.
  5. For the aggregate group, create a subinterface that uses a static IP address.
    1. Select NetworkInterfacesEthernet, highlight the aggregate interface, such as ae1, and click Add Subinterface at the bottom of the screen.
    2. For Interface Name, enter a number after the period, such as 107.
    3. Enter the VLAN Tag to differentiate between the subinterfaces. For ease of use, make the tag the same number as the subinterface ID.
    4. To configure a static IPv4 address for the subinterface, select the IPv4 tab and Enable SD-WAN.
    5. Select the Type of address: Static.
    6. Add the IP address (and subnet mask) of the subinterface.
    7. Enter the IP address of the Next Hop Gateway.
    8. (SD-WAN plugin 3.2.0 and later versions) To configure a static IPv6 address for the subinterface, select the IPv6 tab, Enable IPv6 on the interface, and Enable SD-WAN.
    9. (SD-WAN plugin 3.2.0 and later versions) In the EUI-64 (default 64-bit Extended Unique Identifier) field, enter the 64-bit EUI in hexadecimal format. If you leave this field blank, the firewall uses the EUI-64 generated from the MAC address of the physical interface. If you enable the Use interface ID as host portion option when added an address, the firewall uses the Interface ID as the host portion of that address.
    10. (SD-WAN plugin 3.2.0 and later versions) SelectAddress Assignment and Add an IPv6 Address for the interface or select New Variable to create the variable.
    11. (SD-WAN plugin 3.2.0 and later versions) Use interface ID as host portion; see prior substep for EUI-64.
    12. (SD-WAN plugin 3.2.0 and later versions) Select Anycast to make the IPv6 address (route) an Anycast address (route), which means multiple locations can advertise the same prefix, and IPv6 sends the anycast traffic to the node it considers the nearest, based on routing protocol costs and other factors.
    13. (SD-WAN plugin 3.2.0 and later versions) Enter the IPv6 address of the Next Hop Gateway (the next hop from the IPv6 address you entered). The Next Hop Gateway must be on the same subnet as the IPv6 address. The Next Hop Gateway is the IP address of the ISP's default router that the ISP gave you when you bought the service. It is the next hop IP address to which the firewall sends traffic to reach the ISP's network, and ultimately, the internet and the hub.
    14. (SD-WAN plugin 3.2.0 and later versions) Select Send Router Advertisement to enable the firewall to send this address in Router Advertisements (RAs), in which case you must also enable the global Enable Router Advertisement option for the interface (on the Router Advertisement tab).
    15. (SD-WAN plugin 3.2.0 and later versions) Enter the Valid Lifetime (sec) in seconds that the firewall considers the address valid. The valid lifetime must equal or exceed the Preferred Lifetime (sec) (default is 2,592,000).
    16. (SD-WAN plugin 3.2.0 and later versions) Enter the Preferred Lifetime (sec) (in seconds) that the valid address is preferred, which means the firewall can use it to send and receive traffic. After the preferred lifetime expires, the firewall can't use the address to establish new connections, but any existing connections are valid until the valid lifetime expires (default is 604,800).
    17. (SD-WAN plugin 3.2.0 and later versions) Select On-link if systems that have addresses within the prefix are reachable without a router.
    18. (SD-WAN plugin 3.2.0 and later versions) Select Autonomous if systems can independently create an IP address by combining the advertised prefix with the Interface ID.
    19. Click OK.
  6. As an alternative to a static address, for the aggregate group, create a subinterface that uses DHCP to get its address.
    1. Select NetworkInterfacesEthernet and in the Template field, select a Template Stack.
    2. Highlight the aggregate interface, such as ae1, and click Add Subinterface at the bottom of the screen.
    3. Highlight the subinterface and click Override at the bottom of the screen.
    4. Highlight the subinterface and for Interface Name, enter a number after the period, such as 1.
    5. Enter the VLAN Tag to differentiate between the subinterfaces. For ease of use, make the tag the same number as the subinterface ID.
    6. Select the IPv4 tab and Enable SD-WAN.
      (SD-WAN plugin 3.2.0 and later versions) A subinterface in an aggregated interface group supports only an IPv4 address as a DHCP client, not an IPv6 address.
    7. Select the Type of address: DHCP Client.
    8. Select Enable.
    9. Uncheck (do not select) Automatically create default route pointing to default gateway provided by server.
    10. Select the Advanced tab and DDNS tab.
    11. Select Settings and Enable. The Hostname is automatically generated by the Panorama SD-WAN plugin.
    12. Select the Vendor as Palo Alto Networks DDNS.
    13. Click OK.
  7. Apply an SD-WAN Interface Profile to the subinterface.
    1. Highlight the subinterface you created and select the SD-WAN tab.
    2. Select the SD-WAN Interface Profile you created for this link or create a new profile.
    3. Click OK.
  8. Repeat the prior steps to create additional Layer3 subinterfaces for the aggregate interface group and apply an SD-WAN Interface Profile to each subinterface.
  9. Commit.

Technical Documentation

Company

Legal Notices

© 2025 Palo Alto Networks, Inc. All rights reserved.