About tuckert

As I recall MLT in Avaya is an LACP based aggregation.  So I believe this will work across v-wire similar to how a Cisco LAG is connected. Assuming a two port LAG you would create two v-wire using the same two zones on each v-wire Then you connect switch stack A/B ports to the "trust" side of v-wire 1 & v-wire 2 Then connect switch stack C/D ports to the "untrust side of v-wire 1 & v-wire 2 The switches will behave as if they are directly connected not seeing the PA. the traffic will be visible to the PA on the v-wire interfaces and you can create your rules as in any other v-wire deploy. You could also add more v-wire and ports as needed up to the traffic capacity of the Palo Alto. This document describes the similar situation with Cisco switches. Cisco Link Aggregation Traffic Through a PAN Device ... View more

In addition to what karthik said below doc explains Why is a Proxy-ID Required for VPNs between PAN and Firewalls that Support Policy Based VPNs? https://live.paloaltonetworks.com/docs/DOC-3073 Hope this helps you resolve the issue. Thanks Numan ... View more