Aggregate Ethernet (AE) Interface Group
End-of-Life (EoL)
- Network > Interfaces > Ethernet > Add Aggregate Group
An Aggregate Ethernet (AE) interface group uses IEEE 802.1AX
link aggregation to combine multiple Ethernet interfaces into a
single virtual interface that connects the firewall to another network
device or another firewall. An AE interface group increases the
bandwidth between peers by load balancing traffic across the combined
interfaces. It also provides redundancy; when one interface fails,
the remaining interfaces continue to support traffic.
Before configuring an AE interface group, you must configure its interfaces.
Among the interfaces assigned to any particular aggregate group, the
hardware media can differ (for example, you can mix fiber optic
and copper), but the bandwidth (1Gbps, 10Gbps, 40Gbps, or 100Gbps)
and interface type (HA3, virtual wire, Layer 2, or Layer 3) must
be the same.
The number of AE interface groups you can add depends on the
firewall model. The Product Selection tool indicates
the Maximum aggregate interfaces that
each firewall model supports. Each AE interface group can have up
to eight interfaces.
On PA-3200 Series, PA-5200 Series, and most PA-7000 Series firewalls,
QoS is supported on only the first eight AE interface groups. The exception
is the PA-7000 Series firewall with PA-7000-100G-NPC-A and SMC-B,
where QoS is supported on only the first 16 AE interface groups.
All Palo Alto Networks firewalls except the VM-Series models
support AE interface groups.
You can aggregate the HA3 (packet
forwarding) interfaces in a high availability (HA) active/active
configuration but only on the following firewall models:
- PA-220
- PA-800 Series
- PA-3200 Series
- PA-5200 Series
To configure an AE interface group, Add Aggregate
Group, configure the settings described in the following
table, and then assign interfaces to the group (see Aggregate
Ethernet (AE) Interface).
Aggregate Interface Group Settings | Configured In | Description |
---|---|---|
Interface Name | Aggregate Ethernet Interface | The read-only Interface Name is set to ae. In the adjacent field, enter a numeric suffix to identify the AE interface group. The range of the numeric suffix depends on how many AE groups the firewall model supports. See the Maximum aggregate interfaces supported per firewall model in the Product Selection tool. |
Comment | Aggregate Ethernet Interface | (Optional) Enter a description for the interface. |
Interface Type | Aggregate Ethernet Interface | Select the interface type, which controls the remaining configuration requirements and options: |
Netflow Profile | Aggregate Ethernet Interface | If you want to export unidirectional IP traffic that traverses an ingress interface to a NetFlow server, select the server profile or NetFlow Profile to define a new profile (see Device > Server Profiles > NetFlow). Select None to remove the current NetFlow server assignment from the AE interface group. |
Enable LACP | Aggregate Ethernet Interface > LACP | Select if you want to enable Link Aggregation Control Protocol (LACP) for the AE interface group. LACP is disabled by default. If you enable LACP, interface failure detection is automatic at the physical and data link layers regardless of whether the firewall and its LACP peer are directly connected. (Without LACP, interface failure detection is automatic only at the physical layer between directly connected peers.) LACP also enables automatic failover to standby interfaces if you configure hot spares (see Max Ports). |
Mode | Aggregate Ethernet Interface > LACP | Select the LACP mode of the firewall. Between any two LACP peers, we recommend that you configure one as active and the other as passive. LACP cannot function if both peers are passive. |
Transmission Rate | Aggregate Ethernet Interface > LACP | Select the rate at which the firewall exchanges queries and responses with peer devices: |
Fast Failover | Aggregate Ethernet Interface > LACP | Select if, when an interface goes down, you want the firewall to fail over to an operational interface within one second. Otherwise, failover occurs at the standard IEEE 802.1AX-defined speed (at least three seconds). |
System Priority | Aggregate Ethernet Interface > LACP (cont) | The number that determines whether the firewall or its peer overrides the other with respect to port priorities (see Max Ports below). The lower the number, the higher the priority (range is 1 to 65,535; default is 32,768). |
Max Ports | Aggregate Ethernet Interface > LACP (cont) | The number of interfaces (1 to 8) that can be active at any given time in an LACP aggregate group. This value cannot exceed the number of interfaces you assign to the group. If the number of assigned interfaces exceeds the number of active interfaces, the firewall uses the LACP port priorities of the interfaces to determine which are in standby mode. You set the LACP port priorities when configuring individual interfaces for the group (see Aggregate Ethernet (AE) Interface). |
Enable in HA Passive State | Aggregate Ethernet Interface > LACP (cont) | For firewalls deployed in an HA active/passive configuration, select to allow the passive firewall to pre-negotiate LACP with its active peer before a failover occurs. Pre-negotiation speeds up failover because the passive firewall does not have to negotiate LACP before becoming active. |
Same System MAC Address for Active-Passive HA | Aggregate Ethernet Interface > LACP (cont) | This applies only to firewalls deployed in an HA active/passive configuration; firewalls in an active/active configuration require unique MAC addresses. HA firewall peers have the same system priority value. However, in an active/passive deployment, the system ID for each can be the same or different depending on whether you assign the same MAC address. When the LACP peers (also in HA mode) are virtualized (appearing to the network as a single device), using the same system MAC address for the firewalls minimizes latency during failover. When the LACP peers are not virtualized, using the unique MAC address of each firewall minimizes failover latency. LACP uses the MAC address to derive a system ID for each LACP peer. If the firewall pair and peer pair have identical system priority values, LACP uses the system ID values to determine which overrides the other with respect to port priorities. If both firewalls have the same MAC address, both will have the same system ID, which will be higher or lower than the system ID of the LACP peers. If the HA firewalls have unique MAC addresses, it is possible for one to have a higher system ID than the LACP peers while the other has a lower system ID. In the latter case, when failover occurs on the firewalls, port prioritization switches between the LACP peers and the firewall that becomes active. |
MAC Address | Aggregate Ethernet Interface > LACP (cont) | If you Use Same System MAC Address, select a system-generated MAC address or enter your own MAC address for both firewalls in the active/passive HA pair. You must verify that the address is globally unique. |
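
The following added example (not PAN-OS code and not part of the original documentation) models the precedence rules described in the System Priority, Max Ports, and Same System MAC Address rows, following the IEEE 802.1AX convention that the numerically lower system ID or port priority wins. The function names, MAC addresses, priorities, and interface names are constructed for illustration.

```python
# Added illustration: model of LACP precedence per IEEE 802.1AX, not PAN-OS code.
# All MAC addresses, priorities and interface names below are constructed samples.

def system_id(priority, mac):
    """System ID as a comparable tuple: (system priority, MAC as an integer).
    The numerically lower tuple has the higher priority."""
    if not 1 <= priority <= 65535:
        raise ValueError("system priority must be in the range 1 to 65,535")
    return (priority, int(mac.replace(":", ""), 16))

def controlling_side(firewall, peer):
    """Return 'firewall' or 'peer': the side whose port priorities override."""
    return "firewall" if system_id(*firewall) < system_id(*peer) else "peer"

def split_active_standby(ports, max_ports):
    """ports maps interface name -> (LACP port priority, port number).
    The max_ports lowest pairs become active; the remainder are hot spares."""
    if not 1 <= max_ports <= 8 or max_ports > len(ports):
        raise ValueError("Max Ports must be 1 to 8 and cannot exceed assigned interfaces")
    ranked = sorted(ports, key=lambda name: ports[name])
    return ranked[:max_ports], ranked[max_ports:]

def control_across_failover(active_fw, passive_fw, peer):
    """Controlling side before and after the passive firewall becomes active."""
    return controlling_side(active_fw, peer), controlling_side(passive_fw, peer)

# Constructed (priority, MAC) pairs; every device keeps the default priority 32,768,
# so the MAC address alone decides which system ID is lower.
PEER = (32768, "02:00:00:00:50:00")    # LACP peer, for example a switch
FW_A = (32768, "02:00:00:00:10:00")    # active firewall with its own MAC
FW_B = (32768, "02:00:00:00:90:00")    # passive firewall with its own MAC
SHARED = (32768, "02:00:00:00:10:00")  # same system MAC on both HA firewalls

SAMPLE_PORTS = {
    "ethernet1/1": (100, 1),
    "ethernet1/2": (100, 2),
    "ethernet1/3": (200, 3),  # highest priority value, so it becomes the hot spare
}

if __name__ == "__main__":
    # Unique MACs: control flips from firewall to peer when FW_B takes over.
    print("unique MACs:", control_across_failover(FW_A, FW_B, PEER))
    # Same MAC: the controlling side is unchanged across failover.
    print("same MAC:   ", control_across_failover(SHARED, SHARED, PEER))
    print("active/standby:", split_active_standby(SAMPLE_PORTS, max_ports=2))
```

With unique MAC addresses the controlling side changes at failover, which is the port-prioritization switch the table describes; with the same system MAC address it does not.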