Aggregate Ethernet (AE) Interface
- Network > Interfaces > Ethernet
To configure an Aggregate
Ethernet (AE) Interface, first configure an Aggregate
Ethernet (AE) Interface Group and click the name of the interface
you will assign to that group. Among the interfaces that you assign
to any particular group, the hardware media can differ (for example,
you can mix fiber optic and copper), but the bandwidth and interface
type (such as Layer 3) must be the same. Furthermore, the interface
type must be the same as that defined for the AE interface group,
though you will change the type to
Aggregate Ethernet
when
you configure each interface. Specify the following information
for each interface that you assign to the group.If you enabled Link Aggregation Control
Protocol (LACP) for the AE interface group, select the same
Link
Speed
and Link Duplex
for every
interface in that group. For non-matching values, the commit operation
displays a warning and PAN-OS defaults to the higher speed and full
duplex.Aggregate Interface Settings | Configured In | Description |
|---|---|---|
Interface Name | Aggregate Ethernet Interface | The interface name is predefined and you
cannot change it. |
Comment | ( Optional ) Enter a description
for the interface. | |
Interface Type | Select Aggregate Ethernet . | |
Aggregate Group | Assign the interface to an aggregate group. | |
Link Speed | Select the interface speed in Mbps ( 10 , 100 ,
or 1000 ), or select auto to
have the firewall automatically determine the speed. | |
Link Duplex | Select whether the interface transmission
mode is full-duplex ( full ), half-duplex (half ),
or negotiated automatically (auto ). | |
Link State | Select whether the interface status is enabled
( up ), disabled (down ),
or determined automatically (auto ). | |
LACP Port Priority | The firewall only uses this field if you
enabled Link Aggregation Control Protocol (LACP) for the aggregate
group. If the number of interfaces you assign to the group exceeds
the number of active interfaces (the Max
Ports field), the firewall uses the LACP port priorities
of the interfaces to determine which are in standby mode. The lower
the numeric value, the higher the priority (range is 1-65,535; default
is 32,768). | |
Virtual Router | Select the virtual router to which you assign
the Aggregate Ethernet interface. | |
Security Zone | Select the security zone to which you assign
the Aggregate Ethernet interface. | |
Enable IPv6 on the interface | Select to enable IPv6 on this interface. | |
Interface ID | Enter the 64-bit extended unique identifier
(EUI-64) in hexadecimal format (for example, 00:26:08:FF:FE:DE:4E:29).
If you leave this field blank, the firewall uses the EUI-64 generated
from the MAC address of the physical interface. If you Use
interface ID as host portion when adding an address,
the firewall uses the interface ID as the host portion of that address. | |
Address | Add an IPv6 address
and configure the following parameters:
| |
Enable Duplication Address Detection | Select to enable duplicate address detection
(DAD), which then allows you to specify the number of DAD Attempts . | |
DAD Attempts | Specify the number of DAD attempts within
the neighbor solicitation interval ( NS Interval )
before the attempt to identify neighbors fails (range is 1-10; default
is 1). | |
Reachable Time | Specify the length of time, in seconds,
that a neighbor remains reachable after a successful query and response
(range is 1-36,000; default is 30). | |
NS Interval (neighbor solicitation interval) | Specify the length of time, in seconds,
before a DAD attempt failure is indicated (range is 1-10; default
is 1). | |
Enable NDP Monitoring | Select to enable Neighbor Discovery Protocol monitoring.
When enabled, you can select the NDP (
in Features column)
and view information such as the IPv6 address of a neighbor the
firewall has discovered, the corresponding MAC address and User-ID
(on a best-case basis). | |
Enable Router Advertisement | Select to provide Neighbor Discovery on
IPv6 interfaces and configure the other fields in this section. IPv6
DNS clients that receive the router advertisement (RA) messages
use this information. RA enables the firewall to act as a
default gateway for IPv6 hosts that are not statically configured
and to provide the host with an IPv6 prefix for address configuration.
You can use a separate DHCPv6 server in conjunction with this feature
to provide DNS and other settings to clients. This is a global
setting for the interface. If you want to set RA options for individual
IP addresses, Add and configure an Address in
the IP address table. If you set RA options for any IP address,
you must Enable Router Advertisement for
the interface. | |
Min Interval (sec) | Specify the minimum interval, in seconds,
between RAs that the firewall will send (range is 3-1,350; default is
200). The firewall will send RAs at random intervals between the
minimum and maximum values you configure. | |
Max Interval (sec) | Specify the maximum interval, in seconds,
between RAs that the firewall will send (range is 4-1,800; default is
600). The firewall will send RAs at random intervals between the
minimum and maximum values you configure. | |
Hop Limit | Specify the hop limit to apply to clients
for outgoing packets (range is 1-255; default is 64). Enter 0 for
no hop limit. | |
Link MTU | Specify the link maximum transmission unit
(MTU) to apply to clients. Select unspecified for
no link MTU (range is 1,280-9,192; default is unspecified). | |
Reachable Time (ms) | Specify the reachable time, in milliseconds,
that the client will use to assume a neighbor is reachable after receiving
a reachability confirmation message. Select unspecified for
no reachable time value (range is 0-3,600,000; default is unspecified). | |
Retrans Time (ms) | Specify the retransmission timer that determines
how long the client will wait, in milliseconds, before retransmitting
neighbor solicitation messages. Select unspecified for
no retransmission time (range is 0-4,294,967,295; default is unspecified). | |
Router Lifetime (sec) | Specify how long, in seconds, the client
will use the firewall as the default gateway (range is 0-9,000;
default is 1,800). Zero specifies that the firewall is not the default
gateway. When the lifetime expires, the client removes the firewall
entry from its Default Router List and uses another router as the
default gateway. | |
Router Preference | If the network segment has multiple IPv6
routers, the client uses this field to select a preferred router.
Select whether the RA advertises the firewall router as having a High , Medium (default),
or Low priority relative to other routers
on the segment. | |
Managed Configuration | Select to indicate to the client that addresses
are available via DHCPv6. | |
Other Configuration | Select to indicate to the client that other
address information (such as DNS-related settings) is available via
DHCPv6. | |
Consistency Check | Select if you want the firewall to verify
that RAs sent from other routers are advertising consistent information
on the link. The firewall logs any inconsistencies in a system log;
the type is ipv6nd . | |
Include DNS information in Router Advertisement | Select for the firewall to send DNS information
in NDP router advertisement (RA) messages from this IPv6 Aggregated
Ethernet interface. The other DNS Support fields in this table are
visible only after you select this option. | |
Server | Add one or more recursive
DNS (RDNS) server addresses for the firewall to send in NDP router advertisements
from this IPv6 Aggregated Ethernet interface. RDNS servers send
a series of DNS lookup requests to root DNS servers and authoritative
DNS servers to ultimately provide an IP address to the DNS client.You
can configure a maximum of eight RDNS Servers that the firewall
sends—in the order listed from top to bottom—in an NDP router advertisement
to the recipient, which then uses those addresses in the same order.
Select a server and Move Up or Move
Down to change the order of the servers or Delete a
server when you no longer need it. | |
Lifetime | Enter the maximum number of seconds after
the IPv6 DNS client receives the router advertisement that it can use
the RDNS Servers to resolve domain names (range is the value of Max
Interval (sec) to twice the Max Interval; default is 1,200). | |
Suffix | Add and configure
one or more domain names (suffixes) for the DNS search list (DNSSL).
The maximum suffix length is 255 bytes.A DNS search list
is a list of domain suffixes that a DNS client router appends (one
at a time) to an unqualified domain name before it enters the name
into a DNS query, thereby using a fully qualified domain name in the
DNS query. For example, if a DNS client tries to submit a DNS query
for the name “quality” without a suffix, the router appends a period
and the first DNS suffix from the DNS search list to the name and transmits
the DNS query. If the first DNS suffix on the list is “company.com”,
the resulting DNS query from the router is for the fully qualified
domain name “quality.company.com”. If the DNS query fails,
the router appends the second DNS suffix from the list to the unqualified
name and transmits a new DNS query. The router tries DNS suffixes
until a DNS lookup is successful (ignores the remaining suffixes)
or until the router has tried all of suffixes on the list. Configure
the firewall with the suffixes you want to provide to the DNS client
router in a Neighbor Discovery DNSSL option; the DNS client receiving
the DNSSL option uses the suffixes in its unqualified DNS queries. You
can configure a maximum of eight domain names (suffixes) for a DNS
search list that the firewall sends—in order listed from top to
bottom—in an NDP router advertisement to the recipient, which uses
them in the same order. Select a suffix and Move Up or Move Down to
change the order of the suffixes or Delete a suffix
from the list when you no longer need it. | |
Lifetime | Enter the maximum number of seconds after
the IPv6 DNS client receives the router advertisement that it can use
a domain name (suffix) on the DNS search list (range is the value
of Max
Interval (sec) to twice the Max Interval; default is 1,200). |
