09-15-2020 12:36 AM
Dear Techs,
Hope you all are doing fine and safe.
Can some one give me an insight on how I can configure 'Aggregate Interface Group' so that I can maintain a high availability for Internet traffic with my core switch?
To make it more simple. The below is my current scenario. From a single cisco core switch, up-links goes to the firewall and then to the Internet.
This single core switch is now getting replaced by 2 Huawei core switches, both in active-active mode. We have tested the 1 up-link scenario to firewall and is working as expected.
To maintain the high network availability. Both up-links from Huawei core switch have to be added in the aggregate group in firewall.
I was following this doc https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/configure-interfaces/configure-... but is making me bit confused.
Let’s consider I have 2 ethernet interfaces (up links from Huawei) configured on the interfaces 2 and 9. Ideally both interface configuration should be same as well. While creating an aggregate group, how we will inform palo alto that I will be using interfaces 2 and 9 as up links and these ports should be in this group?
09-15-2020 01:07 AM
From switch side also, you need to create port aggregation/channel of the interfaces that are going to be terminated on the firewall. So on both end devices (switch and Palo Alto), you will have port channel/aggregation of the interfaces. This is the same the way we provide uplinks between two switches through port/ether channel.
09-15-2020 01:09 AM
Hi,
i will consider that both Huawei switches are as Stack otherwise that will not work:
all you need to do on Firewall is to configure both these interfaces as type "aggregated ethernet" and put them in same Aggregated group, (you can give the interfaces a LACP Priority), and then enable LACP on the new Aggregated Interface with crossponding Config (AE in same zone and VR....).
09-15-2020 03:21 AM
Dear Abdul,
Thanks for the update.
Both switches are in stack.
For my case can you please guide me through step by step for this configuration.
Currently port #1 is configured and is connected with Cisco core switch. This port interface type is L3.
Do i need to create a similar interface configuration on port 3 for the second switch? And then proceed to the 'Add Aggregate Group'?
09-15-2020 03:51 AM
Dear Abdul,
Am I mentioning the below in the configuration steps correctly? This is based on my idea so far. Please correct me if I am wrong.
STAGE 1
1. create agg grp
2. assign interface name (ae1)
3. interface type - Layer 3
4. config- virtual router > default
security zone > Internal Zone
5. IPv4 - assign the static IP for this group
6. enable LACP
7. maximum interfaces? keep it 2? as only 2 interfaces will be used for this purpose?
8. Advanced - Other info > Management Profile > Select the management profile
STAGE 2
1.Configure a new interface
2. Select aggregate group - ae1
3. leave the advanced settings to the default options
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
