PA 7k LACP over Multiple NPC

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

PA 7k LACP over Multiple NPC

L3 Networker

Hi,

 

I'm curious to know if it is possible to configure an AE Group of interfaces in a PA 7000 series appliances with interfaces accross multiple NPC's?

 

This just seems to me to be the most logical way to load share on the platform with multiple NPC's, assuming its supported.

 

Thanks

1 accepted solution

Accepted Solutions

L7 Applicator

Yes, you can create AE groups of interfaces on the PA-7000 series leveraging interfaces across multiple NPCs.  This works for both static AE as well as LACP.

 

An NPC doesn't necessarily have to have it's physical interfaces connected in order for it to contribute it's security processing capabilities to the chassis as a whole.  Let me explain:

 

The default session distribution policy "ingress-slot" assigns a security processor core to the NPC that received the first packet of a particular session.  So if you had multiple NPCs but only one had physical Ethernet connectivity, you'd end up only using the CPUs from that single slot.   

 

The other session distribution policies allow you to leverage the CPUs from all NPCs, regardless of physical Ethernet connectivity.  The hardware guide for the PA-7000 Series discusses the different session distribution policies on page 65:

- https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/technical-documentation/hardware-g...

 

Hope that helps.  

View solution in original post

3 REPLIES 3

L7 Applicator

Yes, you can create AE groups of interfaces on the PA-7000 series leveraging interfaces across multiple NPCs.  This works for both static AE as well as LACP.

 

An NPC doesn't necessarily have to have it's physical interfaces connected in order for it to contribute it's security processing capabilities to the chassis as a whole.  Let me explain:

 

The default session distribution policy "ingress-slot" assigns a security processor core to the NPC that received the first packet of a particular session.  So if you had multiple NPCs but only one had physical Ethernet connectivity, you'd end up only using the CPUs from that single slot.   

 

The other session distribution policies allow you to leverage the CPUs from all NPCs, regardless of physical Ethernet connectivity.  The hardware guide for the PA-7000 Series discusses the different session distribution policies on page 65:

- https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/technical-documentation/hardware-g...

 

Hope that helps.  

Perfect.

 

Thanks for the response.

Does LACP also works across Gen1 and Gen2 NPC's? I can't find it in the docs...

ACE8, PCNSE,PCNSC
PSE Platform Professional
PSE Endpoint Professional
  • 1 accepted solution
  • 4558 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!