Aggregate Ethernet (AE) Interface Group
- Network > Interfaces > Ethernet
An AE interface group uses IEEE 802.1AX link aggregation to combine multiple Ethernet interfaces into a single virtual interface that connects the firewall to another network device or another firewall. An AE interface group increases the bandwidth between peers by load balancing traffic across the combined interfaces. It also provides redundancy; when one interface fails, the remaining interfaces continue to support traffic.
Before configuring an AE interface group, you must configure its interfaces. Among the interfaces assigned to any particular aggregate group, the hardware media can differ (for example, you can mix fiber optic and copper), but the bandwidth (1Gbps, 10Gbps, 40Gbps, or 100Gbps) and interface type (HA3, virtual wire, Layer 2, or Layer 3) must be the same. You can add up to eight AE interface groups per firewall, and each group can have up to eight interfaces.
All Palo Alto Networks firewalls except the PA-200 and VM-Series models support AE interface groups.
You can aggregate the HA3 (packet forwarding) interfaces in a high availability (HA) active/active configuration but only on the following firewall models:
- PA-800 Series
- PA-3000 Series
- PA-3200 Series
- PA-5000 Series
- PA-5200 Series
To configure an AE interface group, Add Aggregate Group, configure the settings described in the following table, and then assign interfaces to the group (see Aggregate Ethernet (AE) Interface).
Aggregate Interface Group Settings
Aggregate Ethernet Interface
Interface Name is set to ae. In the adjacent field, enter a numeric suffix (1 to 8) to identify the AE interface group.
Enter an optional description for the interface.
Select the interface type, which controls the remaining configuration requirements and options:
If you want to export unidirectional IP traffic that traverses an ingress interface to a NetFlow server, select the server profile or click Netflow Profile to define a new profile (see Device > Server Profiles > NetFlow). Select None to remove the current NetFlow server assignment from the AE interface group.
Aggregate Ethernet Interface
Select if you want to enable Link Aggregation Control Protocol (LACP) for the AE interface group. LACP is disabled by default.
If you enable LACP, interface failure detection is automatic at the physical and data link layers regardless of whether the firewall and its LACP peer are directly connected. (Without LACP, interface failure detection is automatic only at the physical layer between directly connected peers.) LACP also enables automatic failover to standby interfaces if you configure hot spares (see Max Ports).
Select the LACP mode of the firewall. Between any two LACP peers, it is recommended that one is active and the other is passive. LACP cannot function if both peers are passive.
Select the rate at which the firewall exchanges queries and responses with peer devices:
Select if, when an interface goes down, you want the firewall to fail over to an operational interface within one second. Otherwise, failover occurs at the standard IEEE 802.1AX-defined speed (at least three seconds).
Aggregate Ethernet Interface
The number that determines whether the firewall or its peer overrides the other with respect to port priorities (see the Max Ports field description below). The lower the number, the higher the priority (range is 1-65,535; default is 32,768).
The number of interfaces (1-8) that can be active at any given time in an LACP aggregate group. The value cannot exceed the number of interfaces you assign to the group. If the number of assigned interfaces exceeds the number of active interfaces, the firewall uses the LACP port priorities of the interfaces to determine which are in standby mode. You set the LACP port priorities when configuring individual interfaces for the group (see Aggregate Ethernet (AE) Interface).
Enable in HA Passive State
For firewalls deployed in a high availability (HA) active/passive configuration, select to allow the passive firewall to pre-negotiate LACP with its active peer before a failover occurs. Pre-negotiation speeds up failover because the passive firewall does not have to negotiate LACP before becoming active.
Same System MAC Address for Active-Passive HA
This applies only to firewalls deployed in a high availability (HA) active/passive configuration; firewalls in an active/active configuration require unique MAC addresses.
HA firewall peers have the same system priority value. However, in an active/passive deployment, the system ID for each can be the same or different, depending on whether you assign the same MAC address.
When the LACP peers (also in HA mode) are virtualized (appearing to the network as a single device), using the same system MAC address for the firewalls minimizes latency during failover. When the LACP peers are not virtualized, using the unique MAC address of each firewall minimizes failover latency.
LACP uses the MAC address to derive a system ID for each LACP peer. If the firewall pair and peer pair have identical system priority values, LACP uses the system ID values to determine which overrides the other with respect to port priorities. If both firewalls have the same MAC address, both will have the same system ID, which will be higher or lower than the system ID of the LACP peers. If the HA firewalls have unique MAC addresses, it is possible for one to have a higher system ID than the LACP peers while the other has a lower system ID. In the latter case, when failover occurs on the firewalls, port prioritization switches between the LACP peers and the firewall that becomes active.
If you enabled Use Same System MAC Address, select a system-generated MAC address, or enter your own, for both firewalls in the active/passive high availability (HA) pair. You must verify the address is globally unique.