An aggregate interface group uses IEEE 802.1AX
link aggregation to combine multiple Ethernet interfaces into a
single virtual interface that connects the firewall to another network
device or firewall. An aggregate group increases the bandwidth between
peers by load balancing traffic across the combined interfaces.
It also provides redundancy; when one interface fails, the remaining
interfaces continue supporting traffic.
By default, interface
failure detection is automatic only at the physical layer between
directly connected peers. However, if you enable Link Aggregation
Control Protocol (LACP), failure detection is automatic at the physical
and data link layers regardless of whether the peers are directly
connected. LACP also enables automatic failover to standby interfaces
if you configured hot spares.
All Palo Alto Networks firewalls except VM-Series models support
aggregate groups. The Product Selection tool indicates the
number of aggregate groups each firewall supports. Each aggregate
group can have up to eight interfaces.
PAN-OS firewall
models support a maximum of 16,000 IP addresses assigned to physical
or virtual Layer 3 interfaces; this maximum includes both IPv4 and
IPv6 addresses.
QoS is supported on only the first
eight aggregate groups.
Before configuring an aggregate group,
you must configure its interfaces. Among the interfaces assigned
to any particular aggregate group, the hardware media can differ (for
example, you can mix fiber optic and copper), but the bandwidth
and interface type must be the same. The bandwidth and interface
type options are:
Bandwidth—1Gbps, 10Gbps, 40Gbps, or 100Gbps.
Interface type—HA3, virtual wire, Layer 2, or Layer 3.
This procedure describes configuration
steps only for the Palo Alto Networks firewall. You must also configure
the aggregate group on the peer device. Refer to the documentation
of that device for instructions.
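A pre-change check for the membership rules above (at most eight interfaces per group, one bandwidth and one interface type per group, media free to differ), written as an added example that is not Palo Alto Networks code. The dictionary keys, interface names and group names are assumptions made for illustration, and the sample plan is constructed.

```python
from collections import defaultdict

# Limits taken from the text above.
MAX_MEMBERS = 8
BANDWIDTHS = {"1Gbps", "10Gbps", "40Gbps", "100Gbps"}
IF_TYPES = {"HA3", "virtual wire", "Layer 2", "Layer 3"}


def validate_aggregate_groups(members):
    """Return {group: [problems]} for a planned interface-to-group assignment.

    `members` is a list of dicts with the hypothetical keys
    name, group, bandwidth, if_type and media.
    """
    by_group = defaultdict(list)
    for m in members:
        by_group[m["group"]].append(m)

    problems = {}
    for group, ifaces in sorted(by_group.items()):
        found = []
        if len(ifaces) > MAX_MEMBERS:
            found.append(f"{len(ifaces)} interfaces exceeds the limit of {MAX_MEMBERS}")
        for field, allowed in (("bandwidth", BANDWIDTHS), ("if_type", IF_TYPES)):
            values = sorted({i[field] for i in ifaces})
            unknown = [v for v in values if v not in allowed]
            if unknown:
                found.append(f"unsupported {field}: {', '.join(unknown)}")
            if len(values) > 1:
                found.append(f"mixed {field}: {', '.join(values)}")
        # Media (fiber optic vs. copper) may differ, so it is not checked.
        if found:
            problems[group] = found
    return problems


# Constructed sample plan; interface and group names are illustrative only.
PLAN = [
    {"name": "ethernet1/1", "group": "ae1", "bandwidth": "10Gbps", "if_type": "Layer 3", "media": "fiber"},
    {"name": "ethernet1/2", "group": "ae1", "bandwidth": "10Gbps", "if_type": "Layer 3", "media": "copper"},
    {"name": "ethernet1/3", "group": "ae2", "bandwidth": "1Gbps", "if_type": "Layer 2", "media": "copper"},
    {"name": "ethernet1/4", "group": "ae2", "bandwidth": "10Gbps", "if_type": "Layer 2", "media": "copper"},
]

if __name__ == "__main__":
    for group, found in validate_aggregate_groups(PLAN).items():
        for problem in found:
            print(f"{group}: {problem}")
```

In the sample plan, ae1 passes despite mixing fiber and copper, while ae2 is reported because its members differ in bandwidth.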