topic Re: Aggregate interface state and routing in General Topics

Aggregate interface state and routing

jcostello — Tue, 18 Oct 2011 01:36:34 GMT

Two locations

Two pairs of 5050s

Have a configuration wtih two sets of aggregate ports

One set of VLANs that are local/native to the location the PAN assigned to the first set of aggregate ports - these are intended to be up at all times.

The other set of VLANs are assigned to the other data center but are stretched across the WAN backhaul to the other location - these interfaces will only be up when the other data center is down (either during a failure scenario or during a DR test)

Unfortunately when the physical interfaces are down (either through the Palo Alto configuration or through the Port Channel being turned down on the switch), the aggregate sub interfaces remain active and the routes to those subnets remain active on the local firewall.

If a single interface is configured with a subnet and virtual router and is down, then the routes do not appear in the routing table. In this configuration the routes remain in place even though the physical interfaces associated with the aggregate interface are down.

Is this functioning by design or is this an issue that we should open a case for?

If it is by design, is there a way to effectively down the aggreate interface (and sub interfaces) so that the routing goes into a disabled state?

Thanks

James

Re: Aggregate interface state and routing

ggarrison — Thu, 27 Oct 2011 15:41:26 GMT

If the virtual router assigned to any interface is down, then you will not see routes added to the table. Also, as the sub-interfaces are logically separated from the physical interface, the two can exist in an up or down state independent of one another. If the physical port to which the sub-interfaces are associated is brought down, then the sub-interfaces will effectively be brought down as well.

Re: Aggregate interface state and routing

jcostello — Wed, 02 Nov 2011 19:42:53 GMT

The problem we are running into is that all of the physical interfaces for an aggregate are down but the firewall does not see the aggregate subinterfaces as down and continues to have the routes for the IP ranges on those subinterface s in its routing table. If these were physical subinterfaces the IP ranges would no longer route and the traffic would follow the available routes (in this case to the remote data center)

Is there a way to automatically have the aggregate interfaces go down when all of their physical interfaces go down?

We are attempting to avoid having to have someone log in and bring these interfaces up manually by only having to bring up the aggregate/port channels on the switches.

Thanks

James

Re: Aggregate interface state and routing

ggutierrez — Wed, 09 Nov 2011 05:32:35 GMT

We were able to replicate this in our Support lab. There has been a bug opened with our Engineering group.