End-of-Life (EoL)
Aggregate Ethernet (AE) Interface Group
- Network > Interfaces > Ethernet
An AE interface group uses IEEE 802.1AX link aggregation to combine
multiple Ethernet interfaces into a single virtual interface that
connects the firewall to another network device or another firewall.
An AE interface group increases the bandwidth between peers by load
balancing traffic across the combined interfaces. It also provides
redundancy; when one interface fails, the remaining interfaces continue
to support traffic.
Before configuring an AE interface group, you must configure
its interfaces. Among the interfaces assigned to any particular aggregate
group, the hardware media can differ (for example, you can mix fiber
optic and copper), but the bandwidth (1Gbps, 10Gbps, 40Gbps, or
100Gbps) and interface type (HA3, virtual wire, Layer 2, or Layer
3) must be the same. You can add up to eight AE interface groups
per firewall and each group can have up to eight interfaces.
All Palo Alto Networks firewalls except the PA-200 and
VM-Series models support AE interface groups.
You can aggregate
the HA3 (packet forwarding) interfaces in a high availability (HA)
active/active configuration but only on the following firewall models:
- PA-220
- PA-500
- PA-800 Series
- PA-3000 Series
- PA-5000 Series
- PA-5200 Series
To configure an AE interface group, Add Aggregate Group, configure
the settings described in the following table, and then assign
interfaces to the group (see Aggregate Ethernet (AE) Interface).

Aggregate Interface Group Settings | Configured In | Description |
---|---|---|
Interface Name | Aggregate Ethernet Interface | The read-only Interface Name is set to ae. In the adjacent field, enter a numeric suffix (1 to 8) to identify the AE interface group. |
Comment | Aggregate Ethernet Interface | Enter an optional description for the interface. |
Interface Type | Aggregate Ethernet Interface | Select the interface type, which controls the remaining configuration requirements and options: |
Netflow Profile | Aggregate Ethernet Interface | If you want to export unidirectional IP traffic that traverses an ingress interface to a NetFlow server, select the server profile or click Netflow Profile to define a new profile (see Device > Server Profiles > NetFlow). Select None to remove the current NetFlow server assignment from the AE interface group. |
Enable LACP | Aggregate Ethernet Interface LACP | Select if you want to enable Link Aggregation Control Protocol (LACP) for the AE interface group. LACP is disabled by default. If you enable LACP, interface failure detection is automatic at the physical and data link layers regardless of whether the firewall and its LACP peer are directly connected. (Without LACP, interface failure detection is automatic only at the physical layer between directly connected peers.) LACP also enables automatic failover to standby interfaces if you configure hot spares (see Max Ports). |
Mode | Aggregate Ethernet Interface LACP | Select the LACP mode of the firewall. Between any two LACP peers, it is recommended that one is active and the other is passive. LACP cannot function if both peers are passive. |
Transmission Rate | Aggregate Ethernet Interface LACP | Select the rate at which the firewall exchanges queries and responses with peer devices: |
Fast Failover | Aggregate Ethernet Interface LACP | Select if, when an interface goes down, you want the firewall to fail over to an operational interface within one second. Otherwise, failover occurs at the standard IEEE 802.1AX-defined speed (at least three seconds). |
System Priority | Aggregate Ethernet Interface LACP | The number that determines whether the firewall or its peer overrides the other with respect to port priorities (see the Max Ports field description below). The lower the number, the higher the priority (range is 1-65,535; default is 32,768). |
Max Ports | Aggregate Ethernet Interface LACP | The number of interfaces (1-8) that can be active at any given time in an LACP aggregate group. The value cannot exceed the number of interfaces you assign to the group. If the number of assigned interfaces exceeds the number of active interfaces, the firewall uses the LACP port priorities of the interfaces to determine which are in standby mode. You set the LACP port priorities when configuring individual interfaces for the group (see Aggregate Ethernet (AE) Interface). |
Enable in HA Passive State | Aggregate Ethernet Interface LACP | For firewalls deployed in a high availability (HA) active/passive configuration, select to allow the passive firewall to pre-negotiate LACP with its active peer before a failover occurs. Pre-negotiation speeds up failover because the passive firewall does not have to negotiate LACP before becoming active. |
Same System MAC Address for Active-Passive HA | Aggregate Ethernet Interface LACP | This applies only to firewalls deployed in a high availability (HA) active/passive configuration; firewalls in an active/active configuration require unique MAC addresses. HA firewall peers have the same system priority value. However, in an active/passive deployment, the system ID for each can be the same or different, depending on whether you assign the same MAC address. When the LACP peers (also in HA mode) are virtualized (appearing to the network as a single device), using the same system MAC address for the firewalls minimizes latency during failover. When the LACP peers are not virtualized, using the unique MAC address of each firewall minimizes failover latency. LACP uses the MAC address to derive a system ID for each LACP peer. If the firewall pair and peer pair have identical system priority values, LACP uses the system ID values to determine which overrides the other with respect to port priorities. If both firewalls have the same MAC address, both will have the same system ID, which will be higher or lower than the system ID of the LACP peers. If the HA firewalls have unique MAC addresses, it is possible for one to have a higher system ID than the LACP peers while the other has a lower system ID. In the latter case, when failover occurs on the firewalls, port prioritization switches between the LACP peers and the firewall that becomes active. |
MAC Address | Aggregate Ethernet Interface LACP | If you enabled Use Same System MAC Address, select a system-generated MAC address, or enter your own, for both firewalls in the active/passive high availability (HA) pair. You must verify the address is globally unique. |
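
The System Priority, Max Ports, and Same System MAC Address behavior described in the table, worked through as an added example (not Palo Alto Networks code). It assumes the IEEE 802.1AX rule that the numerically lower system identifier (system priority, then MAC address) has the higher priority; all function names, addresses, priorities, and port names are constructed for illustration.

```python
# Added illustration; every MAC address, priority and port name is constructed.

def system_id(priority: int, mac: str) -> int:
    """802.1AX system identifier: 2-byte system priority, then 6-byte MAC."""
    if not 1 <= priority <= 65535:
        raise ValueError("system priority must be 1-65535")
    octets = mac.replace("-", ":").split(":")
    if len(octets) != 6:
        raise ValueError(f"bad MAC address: {mac}")
    return (priority << 48) | int.from_bytes(bytes(int(o, 16) for o in octets), "big")

def controlling_side(firewall, peer) -> str:
    """Side whose port priorities govern: the numerically lower system ID."""
    fw, pr = system_id(*firewall), system_id(*peer)
    if fw == pr:
        raise ValueError("LACP partners must have different system IDs")
    return "firewall" if fw < pr else "peer"

def control_across_failover(fw_active, fw_passive, peer):
    """Controlling side before and after the passive firewall takes over."""
    return controlling_side(fw_active, peer), controlling_side(fw_passive, peer)

def select_ports(port_priorities: dict, max_ports: int):
    """Split ports into (active, standby) by LACP port priority, lower first.
    Ties are broken by port name here, standing in for the port number."""
    if not 1 <= max_ports <= min(8, len(port_priorities)):
        raise ValueError("Max Ports must be 1-8 and not exceed assigned ports")
    ranked = sorted(port_priorities, key=lambda p: (port_priorities[p], p))
    return ranked[:max_ports], ranked[max_ports:]

# Constructed (priority, MAC) pairs using locally administered addresses.
PEER = (32768, "02:00:00:00:50:00")    # LACP peer
FW_A = (32768, "02:00:00:00:10:01")    # firewall A: system ID below the peer's
FW_B = (32768, "02:00:00:00:90:02")    # firewall B: system ID above the peer's
SHARED = (32768, "02:00:00:00:10:ff")  # same system MAC used by both firewalls
PORTS = {"ethernet1/1": 100, "ethernet1/2": 100, "ethernet1/3": 200}

if __name__ == "__main__":
    print("unique MACs:", control_across_failover(FW_A, FW_B, PEER))
    print("shared MAC: ", control_across_failover(SHARED, SHARED, PEER))
    print("active/standby:", select_ports(PORTS, max_ports=2))
```

With the unique MAC addresses, control of port prioritization moves from the firewall to the peer at failover; with the shared MAC address it stays on the same side.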