Aggregate Ethernet (AE) Interface Group

  • Network > Interfaces > Ethernet
An AE interface group uses IEEE 802.1AX link aggregation to combine multiple Ethernet interfaces into a single virtual interface that connects the firewall to another network device or another firewall. An AE interface group increases the bandwidth between peers by load balancing traffic across the combined interfaces. It also provides redundancy; when one interface fails, the remaining interfaces continue to support traffic.
Before configuring an AE interface group, you must configure its interfaces. Among the interfaces assigned to any particular aggregate group, the hardware media can differ (for example, you can mix fiber optic and copper), but the bandwidth (1Gbps, 10Gbps, 40Gbps, or 100Gbps) and interface type (HA3, virtual wire, Layer 2, or Layer 3) must be the same. You can add up to eight AE interface groups per firewall, and each group can have up to eight interfaces.
All Palo Alto Networks firewalls except the PA-200 and VM-Series models support AE interface groups.
You can aggregate the HA3 (packet forwarding) interfaces in a high availability (HA) active/active configuration but only on the following firewall models:
  • PA-220
  • PA-500
  • PA-800 Series
  • PA-3000 Series
  • PA-3200 Series
  • PA-5000 Series
  • PA-5200 Series
To configure an AE interface group, Add Aggregate Group, configure the settings described in the following table, and then assign interfaces to the group (see Aggregate Ethernet (AE) Interface).
Aggregate Interface Group Settings
Each setting below is listed with the tab where it is configured (Configured In) and a description.

Interface Name
Configured In: Aggregate Ethernet Interface
The read-only Interface Name is set to ae. In the adjacent field, enter a numeric suffix (1 to 8) to identify the AE interface group.
Comment
Enter an optional description for the interface.
Interface Type
Select the interface type, which controls the remaining configuration requirements and options:
  • HA—Only select if the interface is an HA3 link between two firewalls in an active/active deployment. Optionally select a Netflow Profile and configure the LACP tab (see Enable LACP).
  • Virtual Wire—Optionally select a Netflow Profile, and configure the Config and Advanced tabs as described in Virtual Wire Settings.
  • Layer 2—Optionally select a Netflow Profile; configure the Config and Advanced tabs as described in Layer 2 Interface Settings; and optionally configure the LACP tab (see Enable LACP).
  • Layer 3—Optionally select a Netflow Profile; configure the Config, IPv4 or IPv6, and Advanced tabs as described in Layer 3 Interface Settings; and optionally configure the LACP tab (see Enable LACP).
Netflow Profile
If you want to export unidirectional IP traffic that traverses an ingress interface to a NetFlow server, select the server profile or click Netflow Profile to define a new profile (see Device > Server Profiles > NetFlow). Select None to remove the current NetFlow server assignment from the AE interface group.
Enable LACP
Configured In: Aggregate Ethernet Interface > LACP
Select if you want to enable Link Aggregation Control Protocol (LACP) for the AE interface group. LACP is disabled by default.
If you enable LACP, interface failure detection is automatic at the physical and data link layers regardless of whether the firewall and its LACP peer are directly connected. (Without LACP, interface failure detection is automatic only at the physical layer between directly connected peers.) LACP also enables automatic failover to standby interfaces if you configure hot spares (see Max Ports).
Mode
Select the LACP mode of the firewall. Between any two LACP peers, it is recommended that one is active and the other is passive. LACP cannot function if both peers are passive.
  • Active—The firewall actively queries the LACP status (available or unresponsive) of peer devices.
  • Passive (default)—The firewall passively responds to LACP status queries from peer devices.
Transmission Rate
Select the rate at which the firewall exchanges queries and responses with peer devices:
  • Fast—Every second
  • Slow—Every 30 seconds (this is the default setting)
Fast Failover
Select if, when an interface goes down, you want the firewall to fail over to an operational interface within one second. Otherwise, failover occurs at the standard IEEE 802.1AX-defined speed (at least three seconds).
System Priority
Configured In: Aggregate Ethernet Interface > LACP
The number that determines whether the firewall or its peer overrides the other with respect to port priorities (see the Max Ports field description below). The lower the number, the higher the priority (range is 1-65,535; default is 32,768).
Max Ports
The number of interfaces (1-8) that can be active at any given time in an LACP aggregate group. The value cannot exceed the number of interfaces you assign to the group. If the number of assigned interfaces exceeds the number of active interfaces, the firewall uses the LACP port priorities of the interfaces to determine which are in standby mode. You set the LACP port priorities when configuring individual interfaces for the group (see Aggregate Ethernet (AE) Interface).
Enable in HA Passive State
For firewalls deployed in a high availability (HA) active/passive configuration, select to allow the passive firewall to pre-negotiate LACP with its active peer before a failover occurs. Pre-negotiation speeds up failover because the passive firewall does not have to negotiate LACP before becoming active.
Same System MAC Address for Active-Passive HA
This applies only to firewalls deployed in a high availability (HA) active/passive configuration; firewalls in an active/active configuration require unique MAC addresses.
HA firewall peers have the same system priority value. However, in an active/passive deployment, the system ID for each can be the same or different, depending on whether you assign the same MAC address.
When the LACP peers (also in HA mode) are virtualized (appearing to the network as a single device), using the same system MAC address for the firewalls minimizes latency during failover. When the LACP peers are not virtualized, using the unique MAC address of each firewall minimizes failover latency.
LACP uses the MAC address to derive a system ID for each LACP peer. If the firewall pair and peer pair have identical system priority values, LACP uses the system ID values to determine which overrides the other with respect to port priorities. If both firewalls have the same MAC address, both will have the same system ID, which will be higher or lower than the system ID of the LACP peers. If the HA firewalls have unique MAC addresses, it is possible for one to have a higher system ID than the LACP peers while the other has a lower system ID. In the latter case, when failover occurs on the firewalls, port prioritization switches between the LACP peers and the firewall that becomes active.
MAC Address
If you enabled Use Same System MAC Address, select a system-generated MAC address, or enter your own, for both firewalls in the active/passive high availability (HA) pair. You must verify the address is globally unique.
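The following added example (not PAN-OS code) models the two selection rules described under Max Ports and Same System MAC Address: the LACP system ID is compared as (system priority, system MAC) with the lower value taking control, and the lowest port-priority numbers fill the Max Ports active slots. The MAC addresses, interface names, and the lexicographic comparison rule are stated here as assumptions drawn from IEEE 802.1AX; the sample systems are constructed.

```python
"""Model of LACP system-ID precedence and Max Ports selection (added illustration).
Assumption: per IEEE 802.1AX the system ID is 2-byte priority + 6-byte MAC and the
numerically lower ID governs port selection; lower port-priority number wins."""
from dataclasses import dataclass


@dataclass(frozen=True)
class LacpSystem:
    name: str
    system_priority: int   # 1-65535, lower is higher priority (default 32768)
    mac: str               # system MAC address, colon-separated hex

    def system_id(self) -> tuple:
        # Comparing (priority, mac-as-int) is equivalent to comparing the 8-byte ID.
        return (self.system_priority, int(self.mac.replace(":", ""), 16))


def controlling_system(a: LacpSystem, b: LacpSystem) -> LacpSystem:
    """Return the peer whose port priorities decide active/standby membership."""
    return a if a.system_id() < b.system_id() else b


def select_active_ports(port_priorities: dict, max_ports: int) -> tuple:
    """Split group members into (active, standby): the max_ports members with the
    lowest port-priority numbers are active; the remainder are hot spares."""
    ranked = sorted(port_priorities, key=lambda p: (port_priorities[p], p))
    return ranked[:max_ports], ranked[max_ports:]


def controller_flips_on_failover(active_fw, passive_fw, peer) -> bool:
    """True if HA failover moves control of port prioritisation between the
    firewall side and the switch side, the effect the page warns about."""
    before = controlling_system(active_fw, peer) is peer
    after = controlling_system(passive_fw, peer) is peer
    return before != after


# Constructed sample: HA pair and switch all at the default priority 32768,
# so only the system MAC breaks the tie.
PEER = LacpSystem("switch", 32768, "00:10:00:00:00:50")
FW_A = LacpSystem("fw-a", 32768, "00:10:00:00:00:10")   # lower ID than peer
FW_B = LacpSystem("fw-b", 32768, "00:10:00:00:00:90")   # higher ID than peer
FW_B_SHARED = LacpSystem("fw-b", 32768, FW_A.mac)       # same system MAC as fw-a

if __name__ == "__main__":
    print("unique MACs flip control:", controller_flips_on_failover(FW_A, FW_B, PEER))
    print("shared MAC flips control:", controller_flips_on_failover(FW_A, FW_B_SHARED, PEER))
    ports = {"ethernet1/1": 100, "ethernet1/2": 50, "ethernet1/3": 200}  # constructed
    print("active, standby with Max Ports 2:", select_active_ports(ports, 2))
```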