Palo Alto Networks: How to configure Link Aggregation

1. The purpose of the article

Techbast will show how to configure a LAG (Link Aggregation) port on a Palo Alto firewall.

Before going into the configuration, we need to know what a LAG port is and what it is used for.

2. What is a LAG port and what is it for?

  • A LAG (Link Aggregation) port is a method of grouping two or more network ports into a single connection, to consolidate bandwidth (trunking) or to provide fault tolerance.
  • A LAG port with trunking increases the connection speed beyond that of a single cable or individual network port.
  • The improved transmission performance matters most in a server environment, where many connections are made from workstations.
  • Redundancy also gives higher availability and helps to avoid disruptions in network transmission.

3. Diagram

Details:

  • We have a Palo Alto PA-220 firewall connected to the internet through port ethernet1/1 using the PPPoE protocol, with IP 14.169.x.x.
  • Inside the LAN, the two ports ethernet1/7 and ethernet1/8 will be configured as Link Aggregation ports and connected to ports Gi0/1 and Gi0/2 of a Cisco 2960 switch.
  • Finally, PC 1 is connected to port 1 of the switch.

3. Scenario

We will aggregate the two ports ethernet1/7 and ethernet1/8 into the LAG port ae1 and connect them to ports Gi0/1 and Gi0/2 of the Cisco switch.

Then we will create a DHCP server on the LAG port ae1 and connect a PC to the switch to check whether the machine receives an allocated IP.

4. What to do

  • Create Aggregation Group.
  • Assign ports ethernet1/7 and ethernet1/8 to Aggregation Group.
  • Create Virtual Routers
  • Create DHCP pool for Aggregation Group.
  • Result.

5. Configuration

5.1 Create Aggregation Group

Go to Network > Interfaces.

Click Add Aggregation Group and configure the following parameters:

Tab Config:

  • Interface Name: ae1.
  • Interface Type: Layer 3.
  • Security Zone: LAN.

Tab IPv4:

  • Type: select Static.
  • Click Add and enter the IP 10.140.40.1/24.

Tab LACP:

  • Check the Enable LACP box.
  • Mode: select Passive (usually the firewall runs Passive, while attached devices such as switches run Active).
  • Transmission Rate: select Fast (this is the rate at which LACP queries are sent: with Slow the query is sent every 30 seconds, with Fast every second).
  • Fast Failover: Check (select Fast Failover if you want failover to a standby port in less than a second. By default this option is disabled and the firewall uses the IEEE 802.1AX standard to handle failover, which takes at least three seconds).
  • System Priority: 32768
  • Maximum Interfaces: enter 2 (this is the maximum number of ports that can be active in the group. If the number of ports you assign to the group exceeds the maximum, the remaining ports will be on standby. The firewall uses the LACP Port Priority of each port you assign to determine which interfaces are initially active and in which order the standby interfaces become active during failover).
  • Click OK.

Click Commit and OK to save configuration changes.
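The LACP settings above can be reasoned about with a small model. This is an added example, not code from Techbast or Palo Alto Networks: it is a simplified model of LACP mode pairing and of active/standby selection under Maximum Interfaces, and the per-port priority of 32768, the third port ethernet1/6 and its priority of 40000 are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Member:
    name: str
    port_priority: int = 32768  # assumed value; the lower number is preferred
    link_up: bool = True

def lacp_negotiates(local_mode, peer_mode):
    """A passive end only answers LACP queries, so one end must be active."""
    modes = {local_mode.lower(), peer_mode.lower()}
    if not modes <= {"active", "passive"}:
        raise ValueError(f"unknown LACP mode: {sorted(modes)}")
    return "active" in modes

def _port_key(m):
    # Order by priority, then numerically by slot/port so 1/10 sorts after 1/8.
    return (m.port_priority, tuple(int(n) for n in re.findall(r"\d+", m.name)))

def select_ports(members, max_interfaces):
    """Return (active, standby) port names among members whose link is up."""
    if max_interfaces < 1:
        raise ValueError("max_interfaces must be at least 1")
    healthy = sorted((m for m in members if m.link_up), key=_port_key)
    names = [m.name for m in healthy]
    return names[:max_interfaces], names[max_interfaces:]

def fail_port(members, failed_name):
    """Copy of members with one port's link marked down."""
    return [replace(m, link_up=False) if m.name == failed_name else m
            for m in members]

# The two members come from the article; the spare port is constructed.
PAGE_MEMBERS = [Member("ethernet1/7"), Member("ethernet1/8")]
WITH_SPARE = PAGE_MEMBERS + [Member("ethernet1/6", port_priority=40000)]

if __name__ == "__main__":
    print(lacp_negotiates("passive", "active"))   # firewall passive, switch active
    print(lacp_negotiates("passive", "passive"))  # neither side initiates
    print(select_ports(PAGE_MEMBERS, 2))          # the article's setup
    print(select_ports(WITH_SPARE, 2))            # third port goes to standby
    print(select_ports(fail_port(WITH_SPARE, "ethernet1/7"), 2))
```

With the article's values both ports are active and there is no standby port, so losing one link halves the bandwidth rather than triggering a failover to a spare.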

5.2. Assign ports ethernet1/7 and ethernet1/8 to Aggregation Group

Assign the ports by going to Network > Interfaces.

Click the name of port ethernet1/7 and select the following:

  • Interface Type: Aggregate Ethernet.
  • Aggregate Group: select the ae1 group just created.
  • Click OK.

Similarly, click the name of port ethernet1/8 and select the following:

  • Interface Type: Aggregate Ethernet.
  • Aggregate Group: select ae1.
  • Click OK.

Click Commit and OK to save configuration changes.

5.3. Create Virtual Routers

Go to Network > Virtual Routers, click Add and configure the following parameters:

On the tab Router Settings > General, click Add and add the 2 interfaces ae1 and ethernet1/1.

Click OK.

Note: If you do not create a Virtual Router, you will not be able to create DHCP.

5.4. Create DHCP Pool for Aggregation Group

Go to Network > DHCP, click Add and configure the following information:

Tab Lease:

  • Interface: select ae1
  • Mode: select enabled
  • Lease: select Unlimited
  • IP Pools: click Add and enter the IP range 10.140.40.2-10.140.40.100

Tab Options:

  • Gateway: 10.140.40.1
  • Subnet Mask: 255.255.255.0
  • Primary DNS: 8.8.8.8
  • Secondary DNS: 8.8.4.4
  • Click OK.

Click Commit and OK to save configuration changes.

5.5. Result

We connect the two ports ethernet1/7 and ethernet1/8 to the two switch ports Gi0/1 and Gi0/2.

We then connect PC 1 to the switch to check whether it receives an address from DHCP.

As a result, the machine received the IP.
