Wired Intelligent Edge


Aggregate Ethernet on Palo Alto to 8320 CX Series

  • 1.  Aggregate Ethernet on Palo Alto to 8320 CX Series

    Posted May 22, 2024 09:27 PM

    I have been working on this one for the last few days. I saw a post from some time ago where someone did it with a Comware/HPE device and I tried to mimic it, with no luck.

    I have a Palo Alto that I have an aggregate ethernet set up on. On the switch it connects to, I have my VLAN, the interface VLAN, and the port configured as a trunk with just the interfaces; then I tried it with a LAG. What I see is that the Palo Alto says it is up, but my switch says it is down and I cannot ping the IP I am using on the AE on the Palo Alto. This is what I have done on the switch side:

    vlan 2
        description Palo Alto AE

    interface vlan 2
        description Palo Alto AE
        ip address 10.2.2.2/24
        ip ospf 1 10.2.2.2

    interface 1/1/1
        description Palo Alto AE
        vlan trunk native 1
        vlan trunk allowed 1,2

    This showed up on the switch for a little bit until I started trying to ping it. When it didn't ping I rolled the fiber, then tried and still got nothing, and then rolled it back and the port showed down, so I tried it as a LAG:

    interface lag 2
        description Palo Alto AE
        vlan trunk native 1
        vlan trunk allowed 1,2
        lacp mode active

    I still was unable to ping the IP of the AE on the Palo Alto. I am not sure whether I need a LAG or whether just using the interfaces would be OK, or maybe I am going about this the wrong way?



  • 2.  RE: Aggregate Ethernet on Palo Alto to 8320 CX Series

    Posted May 23, 2024 02:30 AM
    Hi! A LAG is a logical interface made of two (or more) physical interfaces sharing some characteristics and thus acting as LAG member interfaces. The LAG then acts like a physical interface with regard to (but not limited to) VLAN membership.

    This is true on Aruba CX switch side and on Palo Alto firewall side.

    So the question: are you able to check that you correctly configured a LAG on each side and that those LAGs were built using physical interfaces sharing the same characteristics (say, all 1G optical or all 10G optical, as an example)?

    This will let you verify that Layers 1 and 2 are OK, and then you can focus on Layer 3, eventually.





  • 3.  RE: Aggregate Ethernet on Palo Alto to 8320 CX Series

    Posted May 23, 2024 04:07 AM

    Hi, just to confirm the CX config, here is a working example of a LAG that connects to a PA firewall.

    interface lag 3
        no shutdown
        no routing
        vlan trunk native 390
        vlan trunk allowed 390
        lacp mode active
        exit

    An "ae" or aggregate ethernet interface on the PA is a LACP setup. Two physicals, one logical.

    I see you don't have a "no shut" in your example. Worth checking with the config above.

    If that still doesn't work, this is most likely because of a config issue on the PA side. I recall the config wasn't straightforward/logical. See what happens with the above config and paste the interface, LAG and "show interface lag" output.

    Don't think about L3 until the LAG shows up.
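
    Pulling the three posts together, here is a complete configuration for both ends of the bundle. It is an added example, not configuration from any of the posters: the member ports 1/1/1 and 1/1/2, the second member and the firewall address 10.2.2.1 are assumed, and the PAN-OS lines are written from memory of the PAN-OS CLI and should be checked against your release. Two things differ from the first post on purpose: the physical ports carry a "lag 2" line (without it the LAG has no members and stays down), and the trunk's native VLAN is 2 rather than 1, because an untagged Layer 3 AE on the firewall lands in whatever VLAN is native on the switch trunk, and the SVI with 10.2.2.2 lives in VLAN 2.

```text
! AOS-CX 8320 side (added example; interface numbers are assumed)
vlan 2
    description Palo Alto AE
!
! The LAG carries the VLAN. On CX a LAG is a routed port by default, so
! "no routing" must come before any "vlan trunk" line, and "no shutdown"
! is not the default.
interface lag 2
    no shutdown
    description Palo Alto AE
    no routing
    vlan trunk native 2
    vlan trunk allowed 2
    lacp mode active
!
! Physical members: the "lag 2" line is what binds the port to the LAG.
interface 1/1/1
    no shutdown
    description Palo Alto AE member
    lag 2
interface 1/1/2
    no shutdown
    description Palo Alto AE member
    lag 2
!
interface vlan 2
    description Palo Alto AE
    ip address 10.2.2.2/24
!
! PAN-OS side (from memory of the PAN-OS CLI; verify on your release).
! ae1 is an untagged Layer 3 interface, so the switch trunk's native
! VLAN must be VLAN 2, the VLAN the SVI is in.
set network interface aggregate-ethernet ae1 layer3 lacp enable yes
set network interface aggregate-ethernet ae1 layer3 lacp mode active
set network interface aggregate-ethernet ae1 layer3 ip 10.2.2.1/24
set network interface ethernet ethernet1/1 aggregate-group ae1
set network interface ethernet ethernet1/2 aggregate-group ae1
set network virtual-router default interface ae1
!
! Verify the bundle on the switch before touching Layer 3:
!   show lacp interfaces    - each member should list a partner system
!                             ID and be in a bundled state, not defaulted
!   show lag 2              - LAG up with both members
!   show interface vlan 2   - SVI up once the LAG forwards VLAN 2
```

    If the firewall's AE has to stay untagged and the switch's native VLAN has to stay 1, the equivalent fix is a tagged subinterface on the firewall (ae1.2 with tag 2) rather than an address on ae1 itself; either way, the VLAN the firewall's frames arrive in must be the VLAN the SVI sits in, or the ping to 10.2.2.1 can never be answered even with LACP fully up. Only the VLANs the firewall actually needs should be allowed on that trunk; leaving VLAN 1 on it just to carry a native VLAN widens what the firewall port can reach.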