1. Home
    2. PAN-OS
    3. PAN-OS® Web Interface Reference
    4. Network
    5. Network > Interfaces
    6. Aggregate Ethernet (AE) Interface Group
    End-of-Life (EoL)

    Aggregate Ethernet (AE) Interface Group

    • Network > Interfaces > Ethernet
    An AE interface group uses IEEE 802.1AX link aggregation to combine multiple Ethernet interfaces into a single virtual interface that connects the firewall to another network device or another firewall. An AE interface group increases the bandwidth between peers by load balancing traffic across the combined interfaces. It also provides redundancy; when one interface fails, the remaining interfaces continue to support traffic.
    Before configuring an AE interface group, you must configure its interfaces. Among the interfaces assigned to any particular aggregate group, the hardware media can differ (for example, you can mix fiber optic and copper), but the bandwidth (1Gbps, 10Gbps, 40Gbps, or 100GBps) and interface type (HA3, virtual wire, Layer 2, or Layer 3) must be the same. You can add up to eight AE interface groups per firewall and each group can have up to eight interfaces.
    All Palo Alto Networks firewalls except the PA-200 and VM-Series models support AE interface groups.
    You can aggregate the HA3 (packet forwarding) interfaces in a high availability (HA) active/active configuration but only on the following firewall models:
    • PA-220
    • PA-500
    • PA-800 Series
    • PA-3000 Series
    • PA-5000 Series
    • PA-5200 Series
    To configure an AE interface group,
    Add Aggregate Group
    , configure the settings described in the following table, and then assign interfaces to the group (see Aggregate Ethernet (AE) Interface).
    Aggregate Interface Group Settings
    Configured In
    Description
    Interface Name
    Aggregate Ethernet Interface
    The read-only
    Interface Name
     is set to
    ae
    . In the adjacent field, enter a numeric suffix (1 to 8) to identify the AE interface group.
    Comment
    Enter an optional description for the interface.
    Interface Type
    Select the interface type, which controls the remaining configuration requirements and options:
    • HA
      —Only select if the interface is an HA3 link between two firewalls in an active/active deployment. Optionally select a
      Netflow Profile
       and configure the
      LACP
       tab (see Enable LACP).
    • Virtual Wire
      —Optionally select a
      Netflow Profile
      , and configure the
      Config
       and
      Advanced
       tabs as described in Virtual Wire Settings.
    • Layer 2
      —Optionally select a
      Netflow Profile
      ; configure the
      Config
       and
      Advanced
       tabs as described in Layer 2 Interface Settings; and optionally configure the
      LACP
       tab (see Enable LACP).
    • Layer 3
      —Optionally select a
      Netflow Profile
      ; configure the
      Config
      ,
      IPv4
       or
      IPv6
      , and
      Advanced
       tabs as described in Layer 3 Interface Settings; and optionally configure the
      LACP
       tab (see Enable LACP).
    Netflow Profile
    If you want to export unidirectional IP traffic that traverses an ingress interface to a NetFlow server, select the server profile or click
    Netflow Profile
     to define a new profile (see Device > Server Profiles > NetFlow). Select
    None
     to remove the current NetFlow server assignment from the AE interface group.
    Enable LACP
    Aggregate Ethernet Interface
    LACP
    Select if you want to enable Link Aggregation Control Protocol (LACP) for the AE interface group. LACP is disabled by default.
    If you enable LACP, interface failure detection is automatic at the physical and data link layers regardless of whether the firewall and its LACP peer are directly connected. (Without LACP, interface failure detection is automatic only at the physical layer between directly connected peers). LACP also enables automatic failover to standby interfaces if you configure hot spares (see Max Ports).
    Mode
    Select the LACP mode of the firewall. Between any two LACP peers, it is recommended that one is active and the other is passive. LACP cannot function if both peers are passive.
    • Active
      —The firewall actively queries the LACP status (available or unresponsive) of peer devices.
    • Passive
       (default)—The firewall passively responds to LACP status queries from peer devices.
    Transmission Rate
    Select the rate at which the firewall exchanges queries and responses with peer devices:
    • Fast
      —Every second
    • Slow
      —Every 30 seconds (this is the default setting)
    Fast Failover
    Select if, when an interface goes down, you want the firewall to fail over to an operational interface within one second. Otherwise, failover occurs at the standard IEEE 802.1AX-defined speed (at least three seconds).
    System Priority
    Aggregate Ethernet Interface
    LACP (cont)
    The number that determines whether the firewall or its peer overrides the other with respect to port priorities (see the
    Max Ports
     field description below).
    The lower the number, the higher the priority (range is 1-65,535; default is 32,768).
    Max Ports
    The number of interfaces (1-8) that can be active at any given time in an LACP aggregate group. The value cannot exceed the number of interfaces you assign to the group. If the number of assigned interfaces exceeds the number of active interfaces, the firewall uses the LACP port priorities of the interfaces to determine which are in standby mode. You set the LACP port priorities when configuring individual interfaces for the group (see Aggregate Ethernet (AE) Interface).
    Enable in HA Passive State
    For firewalls deployed in a high availability (HA) active/passive configuration, select to allow the passive firewall to pre-negotiate LACP with its active peer before a failover occurs. Pre-negotiation speeds up failover because the passive firewall does not have to negotiate LACP before becoming active.
    Same System MAC Address for Active-Passive HA
    This applies only to firewalls deployed in a high availability (HA) active/passive configuration; firewalls in an active/active configuration require unique MAC addresses.
    HA firewall peers have the same system priority value. However, in an active/passive deployment, the system ID for each can be the same or different, depending on whether you assign the same MAC address.
    When the LACP peers (also in HA mode) are virtualized (appearing to the network as a single device), using the same system MAC address for the firewalls minimizes latency during failover. When the LACP peers are not virtualized, using the unique MAC address of each firewall minimizes failover latency.
    LACP uses the MAC address to derive a system ID for each LACP peer. If the firewall pair and peer pair have identical system priority values, LACP uses the system ID values to determine which overrides the other with respect to port priorities. If both firewalls have the same MAC address, both will have the same system ID, which will be higher or lower than the system ID of the LACP peers. If the HA firewalls have unique MAC addresses, it is possible for one to have a higher system ID than the LACP peers while the other has a lower system ID. In the latter case, when failover occurs on the firewalls, port prioritization switches between the LACP peers and the firewall that becomes active.
    MAC Address
    If you enabled
    Use Same System MAC Address
    , select a system-generated MAC address, or enter your own, for both firewalls in the active/passive high availability (HA) pair. You must verify the address is globally unique.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2021 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo