Configure an Aggregate Interface Group
PAN-OS 10.1
An aggregate interface group uses IEEE 802.1AX link aggregation to combine multiple Ethernet interfaces into a single virtual interface that connects the firewall to another network device or firewall. An aggregate group increases the bandwidth between peers by load balancing traffic across the combined interfaces. It also provides redundancy; when one interface fails, the remaining interfaces continue supporting traffic.

By default, interface failure detection is automatic only at the physical layer between directly connected peers. However, if you enable Link Aggregation Control Protocol (LACP), failure detection is automatic at the physical and data link layers regardless of whether the peers are directly connected. LACP also enables automatic failover to standby interfaces if you configured hot spares.

All Palo Alto Networks® firewalls except VM-Series models support aggregate groups. The Product Selection tool indicates the number of aggregate groups each firewall supports. Each aggregate group can have up to eight interfaces.

PAN-OS® firewall models support a maximum of 16,000 IP addresses assigned to physical or virtual Layer 3 interfaces; this maximum includes both IPv4 and IPv6 addresses.

QoS is supported on only the first eight aggregate groups.

Before configuring an aggregate group, you must configure its interfaces. Among the interfaces assigned to any particular aggregate group, the hardware media can differ (for example, you can mix fiber optic and copper), but the bandwidth and interface type must be the same. The bandwidth and interface type options are:
- Bandwidth—1 Gbps, 10 Gbps, 25 Gbps, 40 Gbps, or 100 Gbps.
- Interface type—HA3, virtual wire, Layer 2, or Layer 3.

This procedure describes configuration steps only for the Palo Alto Networks firewall. You must also configure the aggregate group on the peer device. Refer to the documentation of that device for instructions.
1. Configure the general interface group parameters.
   - Select Network > Interfaces > Ethernet and Add Aggregate Group.
   - In the field adjacent to the read-only Interface Name, enter a number to identify the aggregate group. The range is 1 to the maximum number of aggregate interface groups supported by the firewall.
   - For the Interface Type, select HA, Virtual Wire, Layer2, or Layer3.
   - Configure the remaining parameters for the Interface Type you selected.
2. Configure the LACP settings. Perform this step only if you want to enable LACP for the aggregate group. You cannot enable LACP for virtual wire interfaces.
   - Select the LACP tab and Enable LACP.
   - Set the Mode for LACP status queries to Passive (the firewall just responds—the default) or Active (the firewall queries peer devices). As a best practice, set one LACP peer to active and the other to passive. LACP cannot function if both peers are passive. The firewall cannot detect the mode of its peer device.
   - Set the Transmission Rate for LACP query and response exchanges to Slow (every 30 seconds—the default) or Fast (every second). Base your selection on how much LACP processing your network supports and how quickly LACP peers must detect and resolve interface failures.
   - Select Fast Failover if you want to enable failover to a standby interface in less than one second. By default, the option is disabled and the firewall uses the IEEE 802.1AX standard for failover processing, which takes at least three seconds. As a best practice, use Fast Failover in deployments where you might lose critical data during the standard failover interval.
   - Enter the Max Ports (number of interfaces) that are active (1 to 8) in the aggregate group. If the number of interfaces you assign to the group exceeds the Max Ports, the remaining interfaces will be in standby mode. The firewall uses the LACP Port Priority of each interface you assign (Step 3) to determine which interfaces are initially active and to determine the order in which standby interfaces become active upon failover. If the LACP peers have non-matching port priority values, the values of the peer with the lower System Priority number (default is 32,768; range is 1 to 65,535) will override the other peer.
   - (Optional) For active/passive firewalls only, select Enable in HA Passive State if you want to enable LACP pre-negotiation for the passive firewall. LACP pre-negotiation enables quicker failover to the passive firewall (for details, see LACP and LLDP Pre-Negotiation for Active/Passive HA). If you select this option, you cannot select Same System MAC Address for Active-Passive HA; pre-negotiation requires unique interface MAC addresses on each HA firewall.
   - (Optional) For active/passive firewalls only, select Same System MAC Address for Active-Passive HA and specify a single MAC Address for both HA firewalls. This option minimizes failover latency if the LACP peers are virtualized (appearing to the network as a single device). By default, the option is disabled: each firewall in an HA pair has a unique MAC address. If the LACP peers are not virtualized, use unique MAC addresses to minimize failover latency.
   - Click OK.
3. Assign interfaces to the aggregate group. Perform the following steps for each interface (1–8) that will be a member of the aggregate group.
   - Select Network > Interfaces > Ethernet and click the interface name to edit it.
   - Set the Interface Type to Aggregate Ethernet.
   - Select the Aggregate Group you just defined.
   - Select the Link Speed, Link Duplex, and Link State. As a best practice, set the same link speed and duplex values for every interface in the group. For non-matching values, the firewall defaults to the higher speed and full duplex.
   - (Optional) Enter an LACP Port Priority (default is 32,768; range is 1 to 65,535) if you enabled LACP for the aggregate group. If the number of interfaces you assign exceeds the Max Ports value of the group, the port priorities determine which interfaces are active or standby. The interfaces with the lower numeric values (higher priorities) will be active.
   - Click OK.
4. If the firewalls have an active/active configuration and you are aggregating HA3 interfaces, enable packet forwarding for the aggregate group.
   - Select Device > High Availability > Active/Active Config and edit the Packet Forwarding section.
   - Select the aggregate group you configured for the HA3 Interface and click OK.
5. Commit your changes.
6. Verify the aggregate group status.
   - Select Network > Interfaces > Ethernet.
   - Verify that the Link State column displays a green icon for the aggregate group, indicating that all member interfaces are up. If the icon is yellow, at least one member is down but not all. If the icon is red, all members are down.
   - If you configured LACP, verify that the Features column displays the LACP enabled icon for the aggregate group.
7. (PA-7050 and PA-7080 firewalls only) If an aggregate interface group has interfaces located on different line cards, it is a best practice to enable the firewall to handle fragmented IP packets that it receives on multiple interfaces of the AE group spread across those cards. To do so, use the following CLI operational command with the hash keyword. (The other two keywords are also shown for completeness.)
   - Use the following operational CLI command: set ae-frag redistribution-policy <self|fixed sXdpX|hash>
     - self—(default) This keyword is for legacy behavior; it does not enable the firewall to handle fragmented packets received on multiple interfaces of an AE interface group.
     - fixed s<slot-number>dp<dataplane-cpu-number>—Replace the slot-number variable with the slot number and replace the dataplane-cpu-number variable with the number of the dataplane that will handle all IP fragments received by all members of all AE interfaces. The fixed keyword is intended mainly for troubleshooting and shouldn't be used in production.
     - hash—Use to enable the firewall to handle fragmented packets it receives on multiple interfaces of an AE interface group that are located on more than one line card.
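The rules above (same bandwidth across members, at most eight members, no LACP on virtual wire groups, at least one active LACP peer, and the Max Ports / LACP Port Priority / System Priority selection of active versus standby members) are easy to get wrong when planning a group on paper. The following added example models those rules in Python so a plan can be checked before anything is committed; it is not PAN-OS code, and the data model, the rule that the firewall's own port priorities are used when both peers have the same System Priority, and the use of the interface name as a final tie-breaker are assumptions of this example rather than statements from the page.

```python
# Added example (not PAN-OS code): a model of the aggregate-group rules on
# this page, used to sanity-check a planned group before commit.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_MEMBERS = 8                       # each aggregate group can have up to eight interfaces
BANDWIDTHS = {"1Gbps", "10Gbps", "25Gbps", "40Gbps", "100Gbps"}
INTERFACE_TYPES = {"HA", "Virtual Wire", "Layer2", "Layer3"}
DEFAULT_PRIORITY = 32768              # default for both System Priority and LACP Port Priority


@dataclass
class Member:
    name: str
    bandwidth: str
    port_priority: int = DEFAULT_PRIORITY   # lower number = higher priority


@dataclass
class AggregateGroup:
    interface_type: str
    members: List[Member]
    lacp_enabled: bool = False
    lacp_mode: str = "passive"              # "passive" (default) or "active"
    max_ports: int = MAX_MEMBERS            # 1..8 members allowed to be active
    system_priority: int = DEFAULT_PRIORITY


def validate_group(group: AggregateGroup, peer_mode: Optional[str] = None) -> List[str]:
    """Return the rule violations found; an empty list means the plan is consistent.

    peer_mode is the LACP mode configured on the peer device, if the operator
    knows it (the firewall itself cannot detect the peer's mode).
    """
    problems: List[str] = []
    if group.interface_type not in INTERFACE_TYPES:
        problems.append(f"unknown interface type {group.interface_type!r}")
    if not 1 <= len(group.members) <= MAX_MEMBERS:
        problems.append(f"group has {len(group.members)} members; allowed range is 1-{MAX_MEMBERS}")
    for m in group.members:
        if m.bandwidth not in BANDWIDTHS:
            problems.append(f"{m.name}: unsupported bandwidth {m.bandwidth!r}")
    if len({m.bandwidth for m in group.members}) > 1:
        problems.append("member bandwidths differ; all members must have the same bandwidth")
    if group.lacp_enabled:
        if group.interface_type == "Virtual Wire":
            problems.append("LACP cannot be enabled for virtual wire interfaces")
        if not 1 <= group.max_ports <= MAX_MEMBERS:
            problems.append(f"Max Ports {group.max_ports} is outside 1-{MAX_MEMBERS}")
        if group.lacp_mode == "passive" and peer_mode == "passive":
            problems.append("both LACP peers are passive; LACP cannot function")
        for m in group.members:
            if not 1 <= m.port_priority <= 65535:
                problems.append(f"{m.name}: LACP Port Priority {m.port_priority} is outside 1-65535")
    return problems


def select_active(group: AggregateGroup,
                  peer_system_priority: int = DEFAULT_PRIORITY,
                  peer_port_priorities: Optional[Dict[str, int]] = None
                  ) -> Tuple[List[str], List[str]]:
    """Split members into the initially active set and the ordered standby list.

    The peer with the lower System Priority number overrides the other peer's
    port priorities where they do not match. Assumption (not stated on the
    page): when both System Priorities are equal, the firewall's own values win.
    """
    peer_port_priorities = peer_port_priorities or {}
    if peer_system_priority < group.system_priority:
        effective = {m.name: peer_port_priorities.get(m.name, m.port_priority)
                     for m in group.members}
    else:
        effective = {m.name: m.port_priority for m in group.members}
    # Lower numeric priority wins; the interface name breaks exact ties (assumption).
    ordered = sorted(group.members, key=lambda m: (effective[m.name], m.name))
    active = [m.name for m in ordered[:group.max_ports]]
    standby = [m.name for m in ordered[group.max_ports:]]   # first entry takes over first
    return active, standby


if __name__ == "__main__":
    # Constructed sample: three 10 Gbps Layer3 members, two allowed active.
    ae1 = AggregateGroup(
        interface_type="Layer3",
        members=[Member("ethernet1/1", "10Gbps", 100),
                 Member("ethernet1/2", "10Gbps", 200),
                 Member("ethernet1/3", "10Gbps", 50)],
        lacp_enabled=True, lacp_mode="active", max_ports=2,
    )
    print("problems:", validate_group(ae1, peer_mode="passive"))
    print("local priorities win:", select_active(ae1))
    print("peer priorities win:", select_active(
        ae1, peer_system_priority=100, peer_port_priorities={"ethernet1/2": 10}))
```

Run the script as-is to see the constructed sample evaluated: with equal System Priorities, ethernet1/3 (priority 50) and ethernet1/1 (100) come up active and ethernet1/2 waits in standby; if the peer's System Priority is lower and it advertises priority 10 for ethernet1/2, that interface displaces ethernet1/1. Feeding `validate_group` a planned group with `peer_mode="passive"` is the quickest way to catch the two-passive-peers mistake, which the firewall cannot detect on its own.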