PAN-OS ® New Features Guide
    : SD-WAN Support for AE and Subinterfaces
    Focus
    Download PDF
    Focus
    1. Home
    2. PAN-OS
    3. PAN-OS ® New Features Guide
    4. SD-WAN Features
    5. SD-WAN Support for AE and Subinterfaces
    Download PDF

    PAN-OS ® New Features Guide

    SD-WAN Support for AE and Subinterfaces

    Table of Contents

    SD-WAN Support for AE and Subinterfaces

    SD-WAN supports AE interfaces for link redundancy and tagged Layer 3 subinterfaces for traffic segmentation.
    Physical firewalls running PAN-OS 10.1 and SD-WAN Plugin 2.1.0 support SD-WAN on aggregated Ethernet (AE) interfaces so that an SD-WAN firewall in a data center, for example, can have an aggregate interface group (bundle) of physical Ethernet interfaces that provide link redundancy. SD-WAN supports AE interfaces with or without subinterfaces. You can create an AE interface with subinterfaces that you can tag for different ISP services in order to provide end-to-end traffic segmentation. Thus, your ISP services can reach multiple labs or buildings without needing a dedicated pair of fibers for each connection. A Layer 3 AE interface group connects to a router:
    VM-Series firewalls do not support AE interfaces. An SD-WAN hub or branch firewall that has an AE interface should not belong to the same VPN cluster as a VM-Series SD-WAN hub or branch firewall because AE interfaces are not supported on VM-Series firewalls.
    The following task illustrates how to create an AE interface group, select its member Layer 3 interfaces, create a subinterface for each ISP (using a static IP address or DHCP), assign a VLAN tag to each subinterface, and enable SD-WAN on each subinterface. Create an SD-WAN interface profile to define each ISP connection and assign the profile to the corresponding subinterface (a virtual SD-WAN interface).
    1. Log in to the Panorama Web Interface.
    2. Create an SD-WAN Interface Profile for each ISP connection (subinterface) in the AE interface group.
    3. Create a Layer 3 AE interface group.
    4. Assign physical interfaces to the aggregate group.
    5. For the aggregate group, create a subinterface that uses a static IP address.
      1. Select NetworkInterfacesEthernet, highlight the aggregate interface, such as ae1, and click Add Subinterface at the bottom of the screen.
      2. Configure the subinterface.
    6. Alternatively, for the aggregate group, create a subinterface that uses DHCP to get its address.
      1. Select NetworkInterfacesEthernet and in the Template field, select a Template Stack.
      2. Highlight the aggregate interface, such as ae1, and click Add Subinterface at the bottom of the screen.
      3. Highlight the subinterface and click Override.
      4. Continue to configure the subinterface, selecting the DDNS vendor as Palo Alto Networks DDNS.
    7. Apply an SD-WAN Interface Profile to the subinterface.
    8. Repeat the prior steps to create additional Layer3 subinterfaces for the aggregate interface group and apply an SD-WAN Interface Profile to each subinterface.
    9. Commit.

    © 2024 Palo Alto Networks, Inc. All rights reserved.