Palo Alto Aggregate Interface w/ LACP

Since PAN-OS version 6.1, the Palo Alto Networks firewall supports LACP, the Link Aggregation Control Protocol, which bundles physical links into a logical channel. Palo Alto calls it “Aggregate Interface Group” while Cisco calls it EtherChannel or Channel Group. I configured LACP for two ports connected from a Palo Alto firewall to a Cisco switch. Following are the configuration steps for both devices as well as some show commands.

Some pre-notes:

  • I am using LACP in conjunction with LLDP to detect the physical neighbors. This is NOT mandatory for LACP to work. I am using it for practicing and for seeing potential differences on the Palo and Cisco sides. (Refer to my last post in which I covered LLDP on the Palo in more detail.)
  • To see how LACP looks on the wire, download my big pcap file here and filter for it.
  • This lab consists of a Palo Alto PA-3020 cluster with PAN-OS 8.0.1 and two Cisco C3750 switches with IOS version 12.2(50)SE3.
  • I configured the channel in the following way (fiber ports):
    • Palo: ae1 = ethernet1/17 & ethernet1/18
    • Cisco: po1 = Gi1/0/1 & Gi1/0/2
  • Never forget that all physical interfaces MUST share the same parameters, such as speed & duplex, VLANs, etc.

Let’s go:

Configuration Palo & Cisco

The configuration for the Palo Alto firewall is done through the GUI as always. It consists of the following steps:

  1. Add an Aggregate Group and enable LACP. The mode decides whether the logical link is formed in an active or passive way. (If both sides are passive, it won’t work. At least one side must be active.) The transmission rate must be slow in order to match the one from the Cisco switch. (Only the bigger Cisco switches such as Nexus support the fast rate.) Tick the “Enable in HA Passive State” checkbox to get a faster convergence time in cluster environments.
  2. [Optional] Configure subinterfaces within the aggregate group.
  3. Edit the physical Ethernet interfaces to be an “Aggregate Ethernet” interface type and select the appropriate group.

Here are the corresponding screenshots:

The configuration of the Cisco switch is quite simple. Just add the channel-group command on all relevant physical interfaces. However, don’t forget to have the same interface settings on all ports. Use the interface range <port-range> command to configure more than one interface at a time. These are the final settings I used for both physical ports as well as for the port-channel:


Let the Show begin

Following are the show commands from the Palo Alto firewall for LACP and LLDP. Note that for the latter the “ae1” interface simply lists both physical ports:

The status and peers of LLDP can also be viewed from the GUI. Note that I have three ports connected to the same switch, hence it appears three times as well:

And here are the show commands from the Cisco switch, LACP and LLDP as well:
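
To check the Cisco side of the bundle from a script, this added example (not part of the original post) parses `show etherchannel summary` output and reports any expected member that is not bundled by LACP. The sample rows are constructed, and the names `parse_summary` and `audit` are assumptions of this example.

```python
import re

# Constructed `show etherchannel summary` rows (not captured from the lab in the post).
SAMPLE = """\
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         LACP      Gi1/0/1(P)  Gi1/0/2(I)
2      Po2(SD)         LACP      Gi1/0/5(D)  Gi1/0/6(D)
3      Po3(SU)          -        Gi1/0/9(P)
"""

ROW = re.compile(r"^(\d+)\s+(Po\d+)\((\w+)\)\s+(\S+)\s*(.*)$")
PORT = re.compile(r"(\S+?)\((\w+)\)")
PORT_FLAGS = {"I": "stand-alone", "s": "suspended", "D": "down"}  # from the IOS legend

def parse_summary(text):
    """Return {port-channel: {"flags", "protocol", "ports": {port: flag}}}."""
    channels, current = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            current = {"flags": m[3], "protocol": m[4], "ports": dict(PORT.findall(m[5]))}
            channels[m[2]] = current
        elif current and line[:1].isspace():
            current["ports"].update(PORT.findall(line))  # tolerate a wrapped port list
    return channels

def audit(channels, expected):
    """expected maps a port-channel to the member ports it should bundle."""
    issues = []
    for po, members in expected.items():
        ch = channels.get(po)
        if ch is None:
            issues.append(f"{po}: not configured")
            continue
        if ch["protocol"] != "LACP":
            issues.append(f"{po}: protocol is {ch['protocol']}, not LACP")
        if "D" in ch["flags"]:
            issues.append(f"{po}: port-channel is down")
        for port in sorted(members):
            flag = ch["ports"].get(port)
            if flag is None:
                issues.append(f"{po}: {port} is not a member")
            elif flag != "P":  # only P means bundled in the port-channel
                issues.append(f"{po}: {port} is {PORT_FLAGS.get(flag, flag)}, not bundled")
    return issues

if __name__ == "__main__":
    print(audit(parse_summary(SAMPLE), {"Po1": {"Gi1/0/1", "Gi1/0/2"}}))
```
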



Featured image: “Langzeitbelichtung Autobahn” by Pette Photography is licensed under CC BY-NC-ND 2.0.

2 thoughts on “Palo Alto Aggregate Interface w/ LACP”

  1. Was working on this today with a Cisco 3750X stack running software 15.0(2)SE10a. You are correct that it only supports slow LACP timers, however upgrading to 15.2(4) apparently does support fast ones. Anyway I got different failover times depending on who was active vs. passive:

    Cisco Passive, Palo Alto Active: 25-30 seconds
    Cisco Active, Palo Alto Passive: 12-15 seconds

    Also worth noting that since the Palo Alto disables interfaces when the device is standby, it helps immensely to have the Port-Channel in Spanning-Tree Edge mode aka Portfast, since going through the blocking and learning states will add another 25 seconds.

    1. Hi John,

      thanks for your comment. Have you tested to change the “Palo Alto disables interfaces when the device is standby” option? Have a look at the HA settings on both devices. The “Passive Link State: shutdown” is default, but you can set it to “auto” which leaves them up. This should accelerate your HA times.
