Configure Link Aggregation Control Protocol
Configure link aggregation in ESXi and KVM environments.
Where Can I Use This?
  • KVM
What Do I Need?
  • VM-Series Firewall License (BYOL)
  • Panorama
  • VM-Series plugin
Link aggregation involves configuring a link aggregation interface group and configuring the Link Aggregation Control Protocol. An aggregate interface group uses IEEE 802.1AX link aggregation to combine multiple Ethernet interfaces into a single virtual interface that connects the firewall to another network device or firewall. This aggregate group increases bandwidth between peers by load-balancing traffic across the combined interfaces. It also provides redundancy; when one interface fails, the remaining interfaces continue supporting traffic.
By default, interface failure detection is automatic only at the physical layer between directly connected peers. However, if you enable the Link Aggregation Control Protocol, failure detection is automatic at the physical and data link layers even if the peers are directly connected. LACP also enables automatic failover to standby interfaces if you configured hot spares.
To configure an aggregate interface group and LACP, see Configure an Aggregate Interface Group.
Create an Aggregate Ethernet Interface using Panorama
Don't add Panorama VMs associated with virtual functions from the same physical function to the same Aggregate Ethernet interface. Doing so creates a loop.
Create an Aggregate Ethernet interface:
  1. Configure an Aggregate Ethernet interface:
    1. Select Network > Interfaces > Ethernet and Add Aggregate Group.
    2. In the field adjacent to the read-only Interface Name, enter a number to identify the aggregate group. The range is 1 to the maximum number of aggregate interface groups supported by the firewall.
    3. For the Interface Type, select HA, Virtual Wire, Layer 2, or Layer 3.
    4. Configure the remaining parameters for the Interface Type you selected.
    5. Commit your changes.
    After creating the aggregate interface, add links to it.

Add Links to the Aggregate Ethernet Interface

To add links to the Aggregate Ethernet interface:
  1. On Panorama, aggregate an Ethernet interface to act as listener in passive mode for the peer. Select Network > Interface.
  2. Select an Ethernet interface to act as a peer.
  3. In the Aggregate Ethernet Interface screen, select LACP.
  4. Click Enable LACP.
  5. Ensure that the mode is Passive.
  6. Click OK.
  7. Commit your changes in Panorama.
  8. Confirm the configuration change. Click Yes.

Create the Aggregate Ethernet Interface Using the CLI

Use the following CLI commands to create an Aggregate Ethernet interface:
admin@PA-VM# set network interface aggregate-ethernet
  ae1        ae1
  <value>    Aggregate interface name: ae1 - ae16
For example,
admin@PA-VM# set network interface aggregate-ethernet ae1

Associate a Secondary Interface Using the CLI

Use the following CLI commands to associate a secondary interface:
admin@PA-VM# set network interface ethernet ethernet1/1 aggregate-group
  ae1        aggregate-ethernet ae1
  <value>    Aggregate interface group
For example,
set network interface ethernet ethernet1/1 aggregate-group ae1

Display the Interface Configuration Using the CLI

Use the following CLI commands to display the interface configuration:
admin@PA-VM> show interface all

total configured hardware interfaces: 4

name                    id    speed/duplex/state        mac address
--------------------------------------------------------------------------------
ethernet1/1             16    10000/full/up             ba:db:ee:fb:ad:30
ethernet1/2             17    10000/full/up             52:54:00:ce:8a:f5
ethernet1/3             18    10000/full/up             ba:db:ee:fb:ad:30
ae1                     48    [n/a]/[n/a]/up            ba:db:ee:fb:ad:30

aggregation groups: 1
ae1 members:
  ethernet1/1 ethernet1/3

total configured logical interfaces: 2

name                id    vsys zone             forwarding               tag    address
------------------- ----- ---- ---------------- ------------------------ ------ ------------------
ethernet1/2         17    1    trust            vr:default               0      192.168.20.196/24
ae1                 48    1    untrust          vr:default               0      192.168.10.110/24

Display the Aggregate Ethernet Interface Configuration Using the CLI

Use the following CLI commands to display the Aggregate Ethernet interface configuration:
admin@PA-VM> show interface ae1

--------------------------------------------------------------------------------
Name: ae1, ID: 48
Link status:
  Runtime link speed/duplex/state: [n/a]/[n/a]/up
  Configured link speed/duplex/state: auto/auto/auto
MAC address:
  Port MAC address ba:db:ee:fb:ad:30
Aggregate group members: 2
  ethernet1/1 ethernet1/3
Operation mode: layer3
Untagged sub-interface support: no
--------------------------------------------------------------------------------
Name: ae1, ID: 48
Operation mode: layer3
Virtual router default
Interface MTU 1500
Interface IP address: 192.168.10.110/24
Interface management profile: ae-mgmt-profile
  ping: yes  telnet: no  ssh: yes  http: yes  https: yes
  snmp: no  response-pages: no  userid-service: no
Service configured:
Zone: untrust, virtual system: vsys1
Adjust TCP MSS: no
Ignore IPv4 DF: no
Policing: no
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
Physical port counters read from MAC:
--------------------------------------------------------------------------------
rx-broadcast                  0
rx-bytes                      7874426
rx-multicast                  0
rx-unicast                    151353
tx-broadcast                  0
tx-bytes                      9320
tx-multicast                  0
tx-unicast                    130
--------------------------------------------------------------------------------

Hardware interface counters read from CPU:
--------------------------------------------------------------------------------
bytes received                3920
bytes transmitted             7406
packets received              40
packets transmitted           123
receive incoming errors       0
receive discarded             0
receive errors                0
packets dropped               0
--------------------------------------------------------------------------------

Logical interface counters read from CPU:
--------------------------------------------------------------------------------
bytes received                7854114
bytes transmitted             7700
packets received              150927
packets transmitted           130
receive errors                0
packets dropped               150614
packets dropped by flow state check  0
forwarding errors             0
no route                      0
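The `show interface ae1` output above also reports the interface management profile and the zone, which is worth reviewing whenever an aggregate interface is brought up. The following added example (not part of the original documentation) parses an excerpt of that output and flags management services that are cleartext or that are enabled on an interface in an untrusted zone; the function names and the set of zone names treated as untrusted are assumptions of this example.

```python
import re

# Constructed sample: excerpt of the `show interface ae1` output shown above.
SAMPLE = """\
Name: ae1, ID: 48
Aggregate group members: 2
  ethernet1/1 ethernet1/3
Interface management profile: ae-mgmt-profile
  ping: yes telnet: no ssh: yes http: yes https: yes
  snmp: no response-pages: no userid-service: no
Zone: untrust, virtual system: vsys1
"""

SERVICES = "ping|telnet|ssh|https|http|snmp|response-pages|userid-service"
CLEARTEXT = {"http", "telnet"}               # no transport encryption
ADMIN = {"http", "https", "ssh", "telnet"}   # administrative access to the firewall
UNTRUSTED_ZONES = {"untrust"}                # assumption: zone names treated as untrusted


def _field(pattern, text):
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None


def parse_interface(text):
    """Pull the name, zone, profile, members and service flags out of the output."""
    members = _field(r"^Aggregate group members:[ \t]*\d+[ \t]*\n[ \t]*(.+)$", text)
    return {
        "name": _field(r"^Name:\s*([^,\s]+)", text),
        "zone": _field(r"^Zone:\s*([^,\s]+)", text),
        "profile": _field(r"^Interface management profile:\s*(\S+)", text),
        "members": members.split() if members else [],
        "services": {s: v == "yes" for s, v in
                     re.findall(rf"\b({SERVICES}):\s*(yes|no)\b", text)},
    }


def audit(info):
    """Return (service, issue) pairs for risky management-profile settings."""
    enabled = {s for s, on in info["services"].items() if on}
    findings = [(s, "cleartext") for s in sorted(enabled & CLEARTEXT)]
    if info["zone"] in UNTRUSTED_ZONES:
        findings += [(s, "admin-on-untrusted-zone") for s in sorted(enabled & ADMIN)]
    return findings


if __name__ == "__main__":
    iface = parse_interface(SAMPLE)
    for service, issue in audit(iface):
        print(f"{iface['name']} ({iface['zone']}): {service}: {issue}")
```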

Configure Link Aggregation on the Switch Using the CLI

Activate link aggregation on the switch:
int eth1/4
  channel-group 1 mode on
int eth1/8
  channel-group 1 mode on
Verify the configuration:
show running-config interface Ethernet 1/4
interface Ethernet 1/4
  no lldp transmit
  no lldp receive
  no switchport
  Channel-group 1 mode on
show running-config interface Ethernet 1/8
interface Ethernet 1/8
  no lldp transmit
  no lldp receive
  no switchport
  Channel-group 1 mode on
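When LACP is enabled on the firewall in Passive mode, as in the Panorama steps above, the switch-side channel-group mode decides whether LACP negotiation can take place at all. The following added example (not part of the original documentation) parses the switch commands shown above and reports, per port, whether LACP can negotiate with a passive firewall; it assumes Cisco-style mode semantics, where `on` is a static bundle without LACP and `active`/`passive` run LACP, and its function names are hypothetical.

```python
import re

# Constructed sample: the switch commands shown above, one command per line.
SWITCH_CONFIG = """\
int eth1/4
  channel-group 1 mode on
int eth1/8
  channel-group 1 mode on
"""

# Assumption: Cisco-style channel-group modes, where "on" is a static bundle
# that exchanges no LACPDUs, and "active"/"passive" run LACP.
LACP_MODES = {"active", "passive"}


def parse_channel_groups(config):
    """Map each interface name to its (channel-group id, mode)."""
    groups, current = {}, None
    for line in config.splitlines():
        iface = re.match(r"\s*int(?:erface)?\s+(\S.*?)\s*$", line, re.I)
        if iface:
            current = iface.group(1)
            continue
        member = re.match(r"\s*channel-group\s+(\d+)\s+mode\s+(\S+)", line, re.I)
        if member and current:
            groups[current] = (int(member.group(1)), member.group(2).lower())
    return groups


def lacp_negotiates(local_mode, peer_mode):
    """True when both ends run LACP and at least one end initiates (active)."""
    modes = {local_mode.lower(), peer_mode.lower()}
    return modes <= LACP_MODES and "active" in modes


def check_against_firewall(config, firewall_mode="passive"):
    """Return {interface: verdict} for a firewall aggregate in firewall_mode."""
    verdicts = {}
    for iface, (_, mode) in parse_channel_groups(config).items():
        if mode not in LACP_MODES:
            verdicts[iface] = "static: no LACP on this port"
        elif lacp_negotiates(firewall_mode, mode):
            verdicts[iface] = "ok"
        else:
            verdicts[iface] = "both ends passive: no LACPDUs are sent"
    return verdicts


if __name__ == "__main__":
    for iface, verdict in check_against_firewall(SWITCH_CONFIG).items():
        print(f"{iface}: {verdict}")
```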