SD-WAN Support for AE and Subinterfaces

SD-WAN supports AE interfaces for link redundancy and tagged Layer 3 subinterfaces for traffic segmentation.
Physical firewalls running PAN-OS 10.1 and SD-WAN Plugin 2.1.0 support SD-WAN on aggregated Ethernet (AE) interfaces so that an SD-WAN firewall in a data center, for example, can have an aggregate interface group (bundle) of physical Ethernet interfaces that provide link redundancy. SD-WAN supports AE interfaces with or without subinterfaces. You can create an AE interface with subinterfaces that you can tag for different ISP services in order to provide end-to-end traffic segmentation. Thus, your ISP services can reach multiple labs or buildings without needing a dedicated pair of fibers for each connection. A Layer 3 AE interface group connects to a router:
VM-Series firewalls do not support AE interfaces. An SD-WAN hub or branch firewall that has an AE interface should not belong to the same VPN cluster as a VM-Series SD-WAN hub or branch firewall because AE interfaces are not supported on VM-Series firewalls.
The following task illustrates how to create an AE interface group, select its member Layer 3 interfaces, create a subinterface for each ISP (using a static IP address or DHCP), assign a VLAN tag to each subinterface, and enable SD-WAN on each subinterface. Create an SD-WAN interface profile to define each ISP connection and assign the profile to the corresponding subinterface (a virtual SD-WAN interface).
  1. Create an SD-WAN Interface Profile for each ISP connection (subinterface) in the AE interface group.
  2. Assign physical interfaces to the aggregate group.
  3. For the aggregate group, create a subinterface that uses a static IP address.
    1. Select
      Network
      Interfaces
      Ethernet
      , highlight the aggregate interface, such as ae1, and click
      Add Subinterface
      at the bottom of the screen.
    2. Configure the subinterface.
  4. Alternatively, for the aggregate group, create a subinterface that uses DHCP to get its address.
    1. Select
      Network
      Interfaces
      Ethernet
      and in the
      Template
      field, select a Template Stack.
    2. Highlight the aggregate interface, such as ae1, and click
      Add Subinterface
      at the bottom of the screen.
    3. Highlight the subinterface and click
      Override
      .
    4. Continue to configure the subinterface, selecting the DDNS vendor as
      Palo Alto Networks DDNS
      .
  5. Apply an SD-WAN Interface Profile to the subinterface.
  6. Repeat the prior steps to create additional Layer3 subinterfaces for the aggregate interface group and apply an SD-WAN Interface Profile to each subinterface.
  7. Commit
    .

Recommended For You