I have 2 x Palo Alto 3020 FW's. In Active / Standby.
Need to create an Aggregate group and add 2 x GB interfaces to the Aggregate Group. on the inside.
I then connect the 2 GB interfaces from FW01 and 2 GB from FW02 down to a cisco switch in VSS cluster.
Does the channel group need to be the same on the Cisco side?
I would try this but dont have a spare FW, these are in production. Anyone done this?
We're currently using two PAN-5060 units in Active/Active and they're directly connected to two Cisco 4500-X units in VSS.
On the Palo Alto side, we have an aggregate group with the vlans all set up as tagged sub-interfaces.
On the Cisco side, I believe the port-channels are just normal port-channels and the interfaces they are applied are are set to "mode active" on the channel-group. We're trunking Layer 3 vlans across so the port-channels are set up as switchports with "switchport mode trunk" and then we allow the vlans across that will have matching sub-interfaces on the Palo's aggregate group.
The creation of the Aggregate on the Palo Alto is relatively easy as long as you configure at least one port to continue to pass traffic. If you are not to terribly worried about port count I would configure one port as a 'backup' so to speak that you don't put in an aggregate. Create your aggregate with the two ports and verify that it comes up correctly, then you simply remove the port used as the 'backup' and let the aggregate do it's thing.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!