Aggregate Ethernet (AE) Interface Group
End-of-Life (EoL)
  • Network > Interfaces > Ethernet > Add Aggregate Group
An Aggregate Ethernet (AE) interface group uses IEEE 802.1AX link aggregation to combine multiple Ethernet interfaces into a single virtual interface that connects the firewall to another network device or another firewall. An AE interface group increases the bandwidth between peers by load balancing traffic across the combined interfaces. It also provides redundancy: when one interface fails, the remaining interfaces continue to carry traffic.
Before configuring an AE interface group, you must configure its interfaces. Among the interfaces assigned to any particular aggregate group, the hardware media can differ (for example, you can mix fiber optic and copper), but the bandwidth (1Gbps, 10Gbps, 40Gbps, or 100Gbps) and interface type (HA3, virtual wire, Layer 2, or Layer 3) must be the same.
The number of AE interface groups you can add depends on the firewall model. The Product Selection tool indicates the Maximum aggregate interfaces that each firewall model supports. Each AE interface group can have up to eight interfaces.
On PA-3200 Series, PA-5200 Series, and most PA-7000 Series firewalls, QoS is supported on only the first eight AE interface groups. The exception is the PA-7000 Series firewall with PA-7000-100G-NPC-A and SMC-B, where QoS is supported on only the first 16 AE interface groups.
All Palo Alto Networks firewalls except the VM-Series models support AE interface groups.
You can aggregate the HA3 (packet forwarding) interfaces in a high availability (HA) active/active configuration but only on the following firewall models:
  • PA-220
  • PA-800 Series
  • PA-3200 Series
  • PA-5200 Series
To configure an AE interface group, Add Aggregate Group, configure the settings described in the following table, and then assign interfaces to the group (see Aggregate Ethernet (AE) Interface).
Aggregate Interface Group Settings
Interface Name
Configured in: Aggregate Ethernet Interface
The read-only Interface Name is set to ae. In the adjacent field, enter a numeric suffix to identify the AE interface group. The range of the numeric suffix depends on how many AE groups the firewall model supports. See the Maximum aggregate interfaces supported per firewall model in the Product Selection tool.
Comment
(Optional) Enter a description for the interface.
Interface Type
Select the interface type, which controls the remaining configuration requirements and options:
  • HA—Select only if the interface is an HA3 link between two firewalls in an active/active deployment. Optionally, select a NetFlow Profile and configure the settings on the LACP tab (see Enable LACP).
  • Virtual Wire—(Optional) Select a NetFlow Profile and configure the settings on the Config and Advanced tabs as described in Virtual Wire Settings.
  • Layer 2—(Optional) Select a NetFlow Profile; configure the settings on the Config and Advanced tabs as described in Layer 2 Interface Settings; and, optionally, configure the LACP tab (see Enable LACP).
  • Layer 3—(Optional) Select a NetFlow Profile; configure the settings on the Config tab, the IPv4 or IPv6 tab, and the Advanced tab as described in Layer 3 Interface Settings; and, optionally, configure the LACP tab (see Enable LACP).
Netflow Profile
If you want to export unidirectional IP traffic that traverses an ingress interface to a NetFlow server, select the server profile, or select NetFlow Profile to define a new profile (see Device > Server Profiles > NetFlow). Select None to remove the current NetFlow server assignment from the AE interface group.
Enable LACP
Configured in: Aggregate Ethernet Interface > LACP
Select if you want to enable Link Aggregation Control Protocol (LACP) for the AE interface group. LACP is disabled by default.
If you enable LACP, interface failure detection is automatic at the physical and data link layers regardless of whether the firewall and its LACP peer are directly connected. (Without LACP, interface failure detection is automatic only at the physical layer between directly connected peers.) LACP also enables automatic failover to standby interfaces if you configure hot spares (see Max Ports).
Mode
Select the LACP mode of the firewall. Between any two LACP peers, we recommend that you configure one as active and the other as passive. LACP cannot function if both peers are passive.
  • Passive (default)—The firewall passively responds to LACP status queries from peer devices.
  • Active—The firewall actively queries the LACP status (available or unresponsive) of peer devices.
Transmission Rate
Select the rate at which the firewall exchanges queries and responses with peer devices:
  • Fast—Every second
  • Slow (default)—Every 30 seconds
Fast Failover
Select if, when an interface goes down, you want the firewall to fail over to an operational interface within one second. Otherwise, failover occurs at the standard IEEE 802.1AX-defined speed (at least three seconds).
System Priority
The number that determines whether the firewall or its peer overrides the other with respect to port priorities (see Max Ports below).
The lower the number, the higher the priority (range is 1 to 65,535; default is 32,768).
Max Ports
The number of interfaces (1 to 8) that can be active at any given time in an LACP aggregate group. This value cannot exceed the number of interfaces you assign to the group. If the number of assigned interfaces exceeds the number of active interfaces, the firewall uses the LACP port priorities of the interfaces to determine which are in standby mode. You set the LACP port priorities when configuring individual interfaces for the group (see Aggregate Ethernet (AE) Interface).
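As an added illustration (not Palo Alto Networks code), the following Python models how Max Ports and the per-interface LACP port priorities determine which assigned interfaces are active and which are hot spares, and how a spare takes over when an active member fails. Interface names and priorities are constructed, and the tie-break by lower port number is the IEEE 802.1AX rule rather than something this page states.

```python
"""Model of how an LACP aggregate group with a Max Ports limit selects
active and standby (hot spare) members.  Added illustration, not PAN-OS code.
Assumed rule (IEEE 802.1AX): lower port priority is preferred; ties are
broken by the lower port number."""
from dataclasses import dataclass


@dataclass
class Member:
    name: str            # constructed interface name, e.g. "ethernet1/1"
    port_priority: int   # LACP port priority set per interface, lower wins
    port_number: int     # tie-breaker when priorities are equal
    link_up: bool = True


def select_active(members, max_ports):
    """Return (active, standby) name lists for the group.
    max_ports is the group's Max Ports setting (1..8); it may not exceed
    the number of interfaces assigned to the group."""
    if not 1 <= max_ports <= 8:
        raise ValueError("Max Ports must be between 1 and 8")
    if max_ports > len(members):
        raise ValueError("Max Ports cannot exceed the assigned interfaces")
    # Only interfaces whose link is up can be selected at all.
    up = sorted((m for m in members if m.link_up),
                key=lambda m: (m.port_priority, m.port_number))
    active = [m.name for m in up[:max_ports]]
    standby = [m.name for m in up[max_ports:]]   # hot spares
    return active, standby


def fail_interface(members, max_ports, failed):
    """Mark `failed` down and reselect: the best-priority standby becomes active."""
    for m in members:
        if m.name == failed:
            m.link_up = False
    return select_active(members, max_ports)


def demo():
    group = [Member("ethernet1/1", 100, 1), Member("ethernet1/2", 100, 2),
             Member("ethernet1/3", 200, 3), Member("ethernet1/4", 300, 4)]
    before = select_active(group, 3)      # ethernet1/4 is the hot spare
    after = fail_interface(group, 3, "ethernet1/2")
    return before, after
```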
Enable in HA Passive State
For firewalls deployed in an HA active/passive configuration, select to allow the passive firewall to pre-negotiate LACP with its active peer before a failover occurs. Pre-negotiation speeds up failover because the passive firewall does not have to negotiate LACP before becoming active.
Same System MAC Address for Active-Passive HA
This applies only to firewalls deployed in an HA active/passive configuration; firewalls in an active/active configuration require unique MAC addresses.
HA firewall peers have the same system priority value. However, in an active/passive deployment, the system ID for each can be the same or different depending on whether you assign the same MAC address.
When the LACP peers (also in HA mode) are virtualized (appearing to the network as a single device), using the same system MAC address for the firewalls minimizes latency during failover. When the LACP peers are not virtualized, using the unique MAC address of each firewall minimizes failover latency.
LACP uses the MAC address to derive a system ID for each LACP peer. If the firewall pair and peer pair have identical system priority values, LACP uses the system ID values to determine which overrides the other with respect to port priorities. If both firewalls have the same MAC address, both will have the same system ID, which will be higher or lower than the system ID of the LACP peers. If the HA firewalls have unique MAC addresses, it is possible for one to have a higher system ID than the LACP peers while the other has a lower system ID. In the latter case, when failover occurs on the firewalls, port prioritization switches between the LACP peers and the firewall that becomes active.
MAC Address
If you Use Same System MAC Address, select a system-generated MAC address or enter your own MAC address for both firewalls in the active/passive HA pair. You must verify that the address is globally unique.