11-01-2021 01:01 PM
I have two PA3050s Active/Active, where I already have E1/12 configured as type Layer 3, no sub interfaces. Is it as simple as doing the LACP configurations on the upstream switches and then converting physical interface E1/12 type to Aggregate, then add in E1/13 as a second member. The existing E1/12 has the following objects associated.
2 NAT objects (one assigned to device 0 and the other to device 1)
2 Floating IP addresses in HA active/active configuration.
For device specific configurations
1 IP address for router traffic
1 IP address for global protect gateway
Or would it be easier to just create a new aggregate with say E1/13 and E1/14. Then move those configurations to the new aggregate.
11-02-2021 05:22 PM
Either way your commits are actually going to look the same from the firewalls perspective, so either one really doesn't matter.
If you've already configured an aggregate interface previously so you know that your switch and PAN are actually going to play nice together how you configure them, then I wouldn't have any issue saying to go ahead and include Ethernet1/12 as an aggregate member in the new aggregate ethernet interface.
If you haven't previously configured an aggregate interface between these switches and your firewall I would have the aggregate use Ethernet1/13 and Ethernet1/14 as members instead and transition things to the new AE interface once you've verified the aggregate actually comes up on the firewall and switch well. This just helps verify that the switch and the firewall are actually going to play nice prior to migrating the services over to them.
11-02-2021 05:22 PM
Either way your commits are actually going to look the same from the firewalls perspective, so either one really doesn't matter.
If you've already configured an aggregate interface previously so you know that your switch and PAN are actually going to play nice together how you configure them, then I wouldn't have any issue saying to go ahead and include Ethernet1/12 as an aggregate member in the new aggregate ethernet interface.
If you haven't previously configured an aggregate interface between these switches and your firewall I would have the aggregate use Ethernet1/13 and Ethernet1/14 as members instead and transition things to the new AE interface once you've verified the aggregate actually comes up on the firewall and switch well. This just helps verify that the switch and the firewall are actually going to play nice prior to migrating the services over to them.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
