Palo Alto Aggregate Interface w/ LACP

Since PAN-OS version 6.1 the Palo Alto Networks firewall supports LACP, the Link Aggregation Control Protocol which bundles physical links to a logical channel. Palo Alto calls it “Aggregate Interface Group” while Cisco calls it EtherChannel or Channel Group. I configured LACP for two ports connected from a Palo Alto firewall to a Cisco switch. Following are the configuration steps for both devices as well as some show commands.

Some pre-notes:

  • I am using LACP in conjunction with LLDP to detect the physical neighbors. This is NOT mandatory for LACP to work. I am using it for practicing and for seeing potential differences on the Palo and Cisco sides. (Refer to my last post in which I covered LLDP on the Palo in more detail.)
  • To see how LACP looks on the wire, download my big pcap file here and filter for it.
  • This lab consists of a Palo Alto PA-3020 cluster with PAN-OS 8.0.1 and two Cisco C3750 switches with IOS version 12.2(50)SE3.
  • I configured the channel in the following way (fiber ports):
    • Palo: ae1 = ethernet1/17 & ethernet1/18
    • Cisco: po1 = Gi1/0/1 & Gi1/0/2
  • Never forget that all physical interfaces MUST share the same parameters, such as speed & duplex, VLANs, etc.

Let’s go:

Configuration Palo & Cisco

The configuration for the Palo Alto firewall is done through the GUI as always. It consists of the following steps:

  1. Add an Aggregate Group and enable LACP. The mode decides whether the logical link is formed in an active or passive way. (If both sides are passive, it won’t work. At least one side must be active.) The transmission rate must be slow in order to match the one from the Cisco switch. (Only the bigger Cisco switches such as Nexus support the fast rate.) Tick the “Enable in HA Passive State” checkbox to get a faster convergence time in cluster environments.
  2. [Optional] Configure subinterfaces within the aggregate group.
  3. Edit the physical Ethernet interfaces to be an “Aggregate Ethernet” interface type and select the appropriate group.

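The active/passive mode and the slow/fast rate chosen in step 1 are carried in every LACPDU on the wire (subtype 1 of the slow-protocols EtherType 0x8809, which is what you see when filtering the pcap for LACP). The following decoder is an added example, not code from the original post or from PAN-OS/IOS; the sample frame inside it is constructed, not taken from the pcap, and its MAC addresses, keys and port numbers are made up.

```python
import struct

SLOW_PROTOCOLS_ETHERTYPE = 0x8809   # IEEE 802.3 slow protocols (LACP, marker)
LACP_SUBTYPE = 1
# LACP state octet, bit 0 first: bit0 = LACP_Activity, bit1 = LACP_Timeout
STATE_BITS = ["activity", "timeout", "aggregation", "synchronization",
              "collecting", "distributing", "defaulted", "expired"]

def decode_state(state):
    """Map the LACP state octet to its eight named bits."""
    return {name: bool((state >> i) & 1) for i, name in enumerate(STATE_BITS)}

def _parse_info_tlv(payload, off, tlv_type):
    """Parse an Actor (type 1) or Partner (type 2) information TLV (20 octets)."""
    if payload[off] != tlv_type or payload[off + 1] != 20:
        raise ValueError(f"unexpected TLV at payload offset {off}")
    prio, mac, key, pprio, port, state = struct.unpack("!H6sHHHB", payload[off + 2:off + 17])
    return {"system_priority": prio, "system_mac": mac.hex(":"), "key": key,
            "port_priority": pprio, "port": port, "state": decode_state(state)}

def parse_lacpdu(frame):
    """Decode an Ethernet frame carrying an LACPDU into actor and partner info."""
    if struct.unpack("!H", frame[12:14])[0] != SLOW_PROTOCOLS_ETHERTYPE:
        raise ValueError("not a slow-protocols frame")
    payload = frame[14:]
    if payload[0] != LACP_SUBTYPE:
        raise ValueError("slow-protocols frame, but not LACP")
    return {"version": payload[1],
            "actor": _parse_info_tlv(payload, 2, 1),
            "partner": _parse_info_tlv(payload, 22, 2)}

def mode_and_rate(info):
    """'active'/'passive' from LACP_Activity, 'fast'/'slow' from LACP_Timeout."""
    st = info["state"]
    return ("active" if st["activity"] else "passive", "fast" if st["timeout"] else "slow")

def lag_can_form(actor, partner):
    """Both ends must be aggregatable and at least one must be active (passive+passive never bonds)."""
    a, p = actor["state"], partner["state"]
    return a["aggregation"] and p["aggregation"] and (a["activity"] or p["activity"])

def _info_tlv(tlv_type, prio, mac, key, pprio, port, state):
    return struct.pack("!BBH6sHHHB3x", tlv_type, 20, prio, mac, key, pprio, port, state)

# Constructed sample (not from the post's pcap): a passive/slow actor whose partner is
# active/slow, i.e. the "Cisco active, Palo passive" pairing discussed in the comments.
SAMPLE_FRAME = (
    bytes.fromhex("0180c2000002") + bytes.fromhex("000000aaaa01") + b"\x88\x09"
    + bytes([LACP_SUBTYPE, 1])
    + _info_tlv(1, 32768, bytes.fromhex("000000aaaa01"), 1, 32768, 17, 0b00111100)  # passive, slow
    + _info_tlv(2, 32768, bytes.fromhex("000000bbbb01"), 1, 32768, 1, 0b00111101)   # active, slow
    + struct.pack("!BBH12x", 3, 16, 0) + b"\x00\x00" + bytes(50)                     # collector, terminator, reserved
)
```

Feeding real frames (e.g. exported from the pcap) through parse_lacpdu shows at a glance which side is active and which rate each end advertises.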
Here are the corresponding screenshots:

The configuration of the Cisco switch is quite simple. Just add the channel-group command on all relevant physical interfaces. However, don’t forget to have the same interface settings on all ports. Use the interface range <port-range> command to configure more than one interface at a time. These are the final settings I used for both physical ports as well as for the port-channel:


Let the Show begin

Following are the show commands from the Palo Alto firewall for LACP and LLDP. Note that for the latter the “ae1” interface simply lists both physical ports:

The status and peers of LLDP can also be viewed from the GUI. Note that I have three ports connected to the same switch, hence it appears three times as well:

And here are the show commands from the Cisco switch, LACP and LLDP as well:


One more screenshot from another Palo Alto firewall, in which one of two ports was down, hence the AE port turned yellow:

Links

Featured image: “Langzeitbelichtung Autobahn” by Pette Photography is licensed under CC BY-NC-ND 2.0.

9 thoughts on “Palo Alto Aggregate Interface w/ LACP”

  1. Was working on this today with a Cisco 3750X stack running software 15.0(2)SE10a. You are correct that it only supports slow LACP timers, however upgrading to 15.2(4) apparently does support fast ones. Anyway I got different failover times depending on who was active vs. passive:

    Cisco Passive, Palo Alto Active: 25-30 seconds
    Cisco Active, Palo Alto Passive: 12-15 seconds

    Also worth noting that since the Palo Alto disables interfaces when the device is standby, it helps immensely to have the Port-Channel in Spanning-Tree Edge mode aka Portfast, since going through the blocking and learning states will add another 25 seconds.

    1. Hi John,

      thanks for your comment. Have you tested to change the “Palo Alto disables interfaces when the device is standby” option? Have a look at the HA settings on both devices. The “Passive Link State: shutdown” is default, but you can set it to “auto” which leaves them up. This should accelerate your HA times.

  2. Hello!
    Thanks for this tutorial.
    Could you describe the settings for LLDP profile (named “send-all”) and Cisco side? (example: “lldp run”)
    Regards
    Sim

  3. Hi Johannes,

    today I spent time configuring HA of our new 5220 devices.
    During testing I came across a few issues. First of all I tested without “Enable in HA Passive State” and the failover took about 50 seconds to work. Of course this is unacceptable in particular if you compare this result with our current setup without LACP where the failover time is below 1 sec.
    After that there was still a delay of 20 seconds because of Spanning Tree. After configuring edge ports (spanning-tree portfast trunk) on Cisco side the failover took roughly 2 seconds. Still too much.

    Tomorrow I try to do more tests with different modes and transmission rates.
    Do you use mode active on both sides?

    Kind regards
    Tobias

  4. I could finally tweak the failover time under 1 second. The key was to set Palo Alto LACP mode on passive and on Cisco side on active. Moreover “lacp rate fast” on Cisco is necessary.

    1. Hi Tobi,

      thanks a lot for your input. To be honest: I have not tried failover times to under 1 second. Hence no advice from me here. ;(

      (And since I used it only with non-Nexus Cisco switches, “LACP fast rate” was not available anyway.)

  5. Hi johan,
    I configured my PA 5060 port 23 and 24 as a bundle, however port 24 is down. Tried on another firewall the same. How to verify this?
