PA 7k LACP over Multiple NPC

Reply
L2 Linker

PA 7k LACP over Multiple NPC

Hi,

 

I'm curious to know if it is possible to configure an AE Group of interfaces in a PA 7000 series appliances with interfaces accross multiple NPC's?

 

This just seems to me to be the most logical way to load share on the platform with multiple NPC's, assuming its supported.

 

Thanks

Tags (3)

Accepted Solutions
Highlighted
L7 Applicator

Yes, you can create AE groups of interfaces on the PA-7000 series leveraging interfaces across multiple NPCs.  This works for both static AE as well as LACP.

 

An NPC doesn't necessarily have to have it's physical interfaces connected in order for it to contribute it's security processing capabilities to the chassis as a whole.  Let me explain:

 

The default session distribution policy "ingress-slot" assigns a security processor core to the NPC that received the first packet of a particular session.  So if you had multiple NPCs but only one had physical Ethernet connectivity, you'd end up only using the CPUs from that single slot.   

 

The other session distribution policies allow you to leverage the CPUs from all NPCs, regardless of physical Ethernet connectivity.  The hardware guide for the PA-7000 Series discusses the different session distribution policies on page 65:

- https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/technical-documentation/hardware-g...

 

Hope that helps.  

View solution in original post


All Replies
Highlighted
L7 Applicator

Yes, you can create AE groups of interfaces on the PA-7000 series leveraging interfaces across multiple NPCs.  This works for both static AE as well as LACP.

 

An NPC doesn't necessarily have to have it's physical interfaces connected in order for it to contribute it's security processing capabilities to the chassis as a whole.  Let me explain:

 

The default session distribution policy "ingress-slot" assigns a security processor core to the NPC that received the first packet of a particular session.  So if you had multiple NPCs but only one had physical Ethernet connectivity, you'd end up only using the CPUs from that single slot.   

 

The other session distribution policies allow you to leverage the CPUs from all NPCs, regardless of physical Ethernet connectivity.  The hardware guide for the PA-7000 Series discusses the different session distribution policies on page 65:

- https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/technical-documentation/hardware-g...

 

Hope that helps.  

View solution in original post

Highlighted
L2 Linker

Perfect.

 

Thanks for the response.

Highlighted
L2 Linker

Does LACP also works across Gen1 and Gen2 NPC's? I can't find it in the docs...

ACE8, PCNSE,PCNSC
PSE Platform Professional
PSE Endpoint Professional
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!