SD-WAN supports AE interfaces for link redundancy and
tagged Layer 3 subinterfaces for traffic segmentation.
Physical firewalls running PAN-OS 10.1 and
SD-WAN Plugin 2.1.0 support SD-WAN on aggregated Ethernet (AE) interfaces
so that an SD-WAN firewall in a data center, for example, can have
an aggregate interface group (bundle) of physical Ethernet interfaces
that provide link redundancy. SD-WAN supports AE interfaces with
or without subinterfaces. You can create an AE interface with subinterfaces
that you can tag for different ISP services in order to provide
end-to-end traffic segmentation. Thus, your ISP services can reach
multiple labs or buildings without needing a dedicated pair of fibers
for each connection. A Layer 3 AE interface group connects to a
router:
VM-Series
firewalls do not support AE interfaces. An SD-WAN hub or branch
firewall that has an AE interface should not belong to the same
VPN cluster as a VM-Series SD-WAN hub or branch firewall because
AE interfaces are not supported on VM-Series firewalls.
The
following task illustrates how to create an AE interface group,
select its member Layer 3 interfaces, create a subinterface for
each ISP (using a static IP address or DHCP), assign a VLAN tag
to each subinterface, and enable SD-WAN on each subinterface. Create
an SD-WAN interface profile to define each ISP connection and assign
the profile to the corresponding subinterface (a virtual SD-WAN
interface).
Assign physical interfaces to the aggregate group.
For the aggregate group, create a subinterface that uses
a static IP address.
Select
Network
Interfaces
Ethernet
,
highlight the aggregate interface, such as ae1, and click
Add
Subinterface
at the bottom of the screen.
Configure the subinterface.
Alternatively, for the aggregate group, create a subinterface
that uses DHCP to get its address.
Select
Network
Interfaces
Ethernet
and
in the
Template
field, select a Template
Stack.
Highlight the aggregate interface, such as ae1, and
click
Add Subinterface
at the bottom of the screen.
Highlight the subinterface and click
Override
.
Continue to configure the subinterface, selecting
the DDNS vendor as
Palo Alto Networks DDNS
.
Apply an SD-WAN Interface Profile to the subinterface.
Repeat the prior steps to create additional Layer3 subinterfaces
for the aggregate interface group and apply an SD-WAN Interface
Profile to each subinterface.