Configure an Aggregate Interface Group
An aggregate interface group uses IEEE 802.1AX link aggregation to combine multiple Ethernet interfaces into a single virtual interface that connects the firewall to another network device or another firewall. An aggregate group increases the bandwidth between peers by load balancing traffic across the combined interfaces. It also provides redundancy; when one interface fails, the remaining interfaces continue supporting traffic.
By default, interface failure detection is automatic only at the physical layer between directly connected peers. However, if you enable Link Aggregation Control Protocol (LACP), failure detection is automatic at the physical and data link layers regardless of whether the peers are directly connected. LACP also enables automatic failover to standby interfaces if you configured hot spares. All Palo Alto Networks firewalls except the PA-200 and VM-Series models support aggregate groups. You can add up to eight aggregate groups per firewall and each group can have up to eight interfaces.
PAN-OS firewall models support a maximum of 16,000 IP addresses assigned to physical or virtual Layer 3 interfaces; this maximum includes both IPv4 and IPv6 addresses.
Before configuring an aggregate group, you must configure its interfaces. Among the interfaces assigned to any particular aggregate group, the hardware media can differ (for example, you can mix fiber optic and copper), but the bandwidth and interface type must be the same. The bandwidth and interface type options are:
- Bandwidth—1Gbps, 10Gbps, 40Gbps, or 100Gbps
- Interface type—HA3, virtual wire, Layer 2, or Layer 3. You can aggregate the HA3 (packet forwarding) interfaces in an active/active high availability (HA) deployment but only for PA-500, PA-3000 Series, and PA-5000 Series firewalls.
This procedure describes configuration steps only for the Palo Alto Networks firewall. You must also configure the aggregate group on the peer device. Refer to the documentation of that device for instructions.
- Configure the general interface group parameters.
  - Select Network > Interfaces > Ethernet and Add Aggregate Group.
  - In the field adjacent to the read-only Interface Name, enter a number (1–8) to identify the aggregate group.
  - For the Interface Type, select HA, Virtual Wire, Layer2, or Layer3.
  - Configure the remaining parameters for the Interface Type you selected.
- Configure the LACP settings. Perform this step only if you want to enable LACP for the aggregate group. You cannot enable LACP for virtual wire interfaces.
  - Select the LACP tab and Enable LACP.
  - Set the Mode for LACP status queries to Passive (the firewall just responds; this is the default) or Active (the firewall queries peer devices). As a best practice, set one LACP peer to active and the other to passive. LACP cannot function if both peers are passive. The firewall cannot detect the mode of its peer device.
  - Set the Transmission Rate for LACP query and response exchanges to Slow (every 30 seconds; this is the default) or Fast (every second). Base your selection on how much LACP processing your network supports and how quickly LACP peers must detect and resolve interface failures.
  - Select Fast Failover if you want to enable failover to a standby interface in less than one second. By default, the option is disabled and the firewall uses the IEEE 802.1AX standard for failover processing, which takes at least three seconds. As a best practice, use Fast Failover in deployments where you might lose critical data during the standard failover interval.
  - Enter the Max Ports (number of interfaces) that are active (1–8) in the aggregate group. If the number of interfaces you assign to the group exceeds the Max Ports, the remaining interfaces will be in standby mode. The firewall uses the LACP Port Priority of each interface you assign (Step 3) to determine which interfaces are initially active and to determine the order in which standby interfaces become active upon failover. If the LACP peers have non-matching port priority values, the values of the peer with the lower System Priority number (default is 32,768; range is 1–65,535) will override the other peer.
  - (Optional) For active/passive firewalls only, select Enable in HA Passive State if you want to enable LACP pre-negotiation for the passive firewall. LACP pre-negotiation enables quicker failover to the passive firewall (for details, see LACP and LLDP Pre-Negotiation for Active/Passive HA). If you select this option, you cannot select Same System MAC Address for Active-Passive HA; pre-negotiation requires unique interface MAC addresses on each HA firewall.
  - (Optional) For active/passive firewalls only, select Same System MAC Address for Active-Passive HA and specify a single MAC Address for both HA firewalls. This option minimizes failover latency if the LACP peers are virtualized (appearing to the network as a single device). By default, the option is disabled: each firewall in an HA pair has a unique MAC address. If the LACP peers are not virtualized, use unique MAC addresses to minimize failover latency.
- Assign interfaces to the aggregate group. Perform the following steps for each interface (1–8) that will be a member of the aggregate group.
  - Select Network > Interfaces > Ethernet and click the interface name to edit it.
  - Set the Interface Type to Aggregate Ethernet.
  - Select the Aggregate Group you just defined.
  - Select the Link Speed, Link Duplex, and Link State. As a best practice, set the same link speed and duplex values for every interface in the group. For non-matching values, the firewall defaults to the higher speed and full duplex.
  - (Optional) Enter an LACP Port Priority (default is 32,768; range is 1–65,535) if you enabled LACP for the aggregate group. If the number of interfaces you assign exceeds the Max Ports value of the group, the port priorities determine which interfaces are active or standby. The interfaces with the lower numeric values (higher priorities) will be active.
  - Click OK.
- If the firewalls have an active/active configuration and you are aggregating HA3 interfaces, enable packet forwarding for the aggregate group.
  - Select Device > High Availability > Active/Active Config and edit the Packet Forwarding section.
  - Select the aggregate group you configured for the HA3 Interface and click OK.
- Commit your changes and verify the aggregate group status.
  - Click Commit.
  - Select Network > Interfaces > Ethernet.
  - Verify that the Link State column displays a green icon for the aggregate group, indicating that all member interfaces are up. If the icon is yellow, at least one member is down but not all. If the icon is red, all members are down.
  - If you configured LACP, verify that the Features column displays the LACP enabled icon for the aggregate group.
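The constraints stated in the procedure above can be checked against a planned group before you commit it. The following is an added example, not Palo Alto Networks code: `Member`, `Group`, `validate`, and `plan_ports` are hypothetical names, the sample interfaces are constructed, and the tie-break for equal port priorities is an assumption the page does not cover.

```python
from dataclasses import dataclass

@dataclass
class Member:
    name: str
    bandwidth: str                  # "1Gbps", "10Gbps", "40Gbps" or "100Gbps"
    port_priority: int = 32768      # LACP Port Priority default from the page

@dataclass
class Group:                        # hypothetical model, not a PAN-OS object
    number: int
    interface_type: str             # "HA", "Virtual Wire", "Layer2", "Layer3"
    members: list
    lacp: bool = False
    mode: str = "Passive"           # firewall default
    peer_mode: str = "Active"       # known out of band; the firewall cannot detect it
    max_ports: int = 8
    ha_passive_prenegotiation: bool = False
    same_system_mac: bool = False

def validate(g):
    """Return the page's constraints that this planned group violates."""
    errs = []
    if not all(1 <= n <= 8 for n in (g.number, len(g.members), g.max_ports)):
        errs.append("group number, member count and Max Ports must each be 1-8")
    if len({m.bandwidth for m in g.members}) > 1:
        errs.append("member bandwidth must match")
    if not g.lacp:
        return errs
    if g.interface_type == "Virtual Wire":
        errs.append("LACP cannot be enabled on virtual wire")
    if g.mode == "Passive" and g.peer_mode == "Passive":
        errs.append("LACP cannot function with both peers passive")
    if g.ha_passive_prenegotiation and g.same_system_mac:
        errs.append("pre-negotiation requires unique MAC addresses")
    if any(not 1 <= m.port_priority <= 65535 for m in g.members):
        errs.append("LACP Port Priority must be 1-65535")
    return errs

def plan_ports(g):
    """Split members into (active, standby); ties keep listed order (assumption)."""
    names = [m.name for m in sorted(g.members, key=lambda m: m.port_priority)]
    return names[:g.max_ports], names[g.max_ports:]

# Constructed sample: three 10Gbps members, Max Ports 2, so one hot spare.
SAMPLE = Group(1, "Layer3", [Member("ethernet1/1", "10Gbps", 100),
                             Member("ethernet1/2", "10Gbps"),
                             Member("ethernet1/3", "10Gbps", 50)],
               lacp=True, mode="Active", peer_mode="Passive", max_ports=2)
```

For `SAMPLE`, `plan_ports` puts `ethernet1/3` and `ethernet1/1` in the active set and leaves `ethernet1/2`, which keeps the default priority, as the standby interface.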