Wired Intelligent Edge

Aggregate Ethernet on Palo Alto to 8320 CX Series

  • 1.  Aggregate Ethernet on Palo Alto to 8320 CX Series

    Posted May 22, 2024 09:27 PM

    I have been working on this one for the last few days. I saw a post from some time ago where someone did it with a Comware/HPE device and I tried to mimic it, with no luck.

    I have a Palo Alto that I have an aggregate ethernet set up on. On the switch it connects to, I have my VLAN, the interface VLAN, and the port configured as a trunk with just the physical interfaces; then I tried it with a LAG. What I see is that the Palo Alto says it is up, but my switch says it is down and I cannot ping the IP I am using on the AE on the Palo Alto. This is what I have done on the switch side:

    vlan 2
        description Palo Alto AE
    interface vlan 2
        description Palo Alto AE
        ip address 10.2.2.2/24
        ip ospf 1 10.2.2.2
    interface 1/1/1
        description Palo Alto AE
        vlan trunk native 1
        vlan trunk allowed 1,2

    This showed up on the switch for a little bit until I started trying to ping it. When it didn't ping I rolled the fiber then tried and still got nothing and then rolled it back and the port showed down so I tried as a LAG:

    interface lag 2
        description Palo Alto AE
        vlan trunk native 1
        vlan trunk allowed 1,2
        lacp mode active

    I still was unable to ping the IP of the AE on the Palo Alto. I am not sure whether I need a LAG, or whether just using the physical interfaces would be ok, or maybe I am going about this the wrong way?



  • 2.  RE: Aggregate Ethernet on Palo Alto to 8320 CX Series

    Posted May 23, 2024 02:30 AM
    Hi! A LAG is a logical interface made of two (or more) physical interfaces sharing some characteristics and thus acting as LAG member interfaces. The LAG then acts like a physical interface with regard to (but not limited to) VLAN membership.

    This is true on Aruba CX switch side and on Palo Alto firewall side.

    So the question: are you able to check that you correctly configured a LAG on each side, and that those LAGs were built using physical interfaces sharing the same characteristics (say, all 1G optical or all 10G optical, as an example)?

    This will let you verify that Layers 1 and 2 are OK, and then you can focus on Layer 3, eventually.





  • 3.  RE: Aggregate Ethernet on Palo Alto to 8320 CX Series

    Posted May 23, 2024 04:07 AM

    Hi, just to confirm the CX config, here is a working example of a LAG that connects to a PA firewall.

    interface lag 3
        no shutdown
        no routing
        vlan trunk native 390
        vlan trunk allowed 390
        lacp mode active
        exit

    An "ae" or aggregate ethernet interface on the PA is a LACP setup. Two physicals, one logical.

    I see you don't have a no shut on your example. Worth checking with the config above.

    If that still doesn't work, this is most likely because of a config issue on the PA side. I recall the config wasn't straightforward/logical. See what happens with the above config and paste the interface, lag and show interface lag output.

    Don't think about L3 until the LAG shows up.




  • 4.  RE: Aggregate Ethernet on Palo Alto to 8320 CX Series

    Posted May 24, 2024 01:42 AM

    This is all my configurations on the switch side of things:

    vlan 2
        description Agg to PAN
    interface vlan 2
        no shutdown
        no routing
        description Agg to PAN
        ip address 10.2.2.2/24
        ip ospf 1 10.2.2.2
    interface lag 2
        description Agg to PAN
        no shutdown
        no routing
        vlan trunk native 2
        vlan trunk allowed 2
        lacp mode active
        exit
    interface 1/1/1
        description Agg to PAN
        no shutdown
        speed 1000-full
        lag 2
        exit
    interface 1/1/2
        description Agg to PAN
        speed 1000-full
        lag 2
        exit

    This is the output of the show interface lag 2:

    Aggregate lag2 is down
     Admin state is up
     State information : Disabled by LACP or LAG
     Description : Agg to PAN
     MAC Address                 : 88:3a:30:5e:96:38
     Aggregated-interfaces       : 1/1/911/1/2
     Aggregation-key             : 2
     Aggregate mode              : active
     Speed                       : 0 Mb/s
     qos trust dscp
     VLAN Mode: native-untagged
     Native VLAN: 2
     Allowed VLAN List: 2
     L3 Counters: Rx Disabled, Tx Disabled
     Statistic                          RX                   TX                Total
     ---------------- -------------------- -------------------- --------------------
     Packets                             0                20089                20089
       Unicast                           0                   10                   10
       Multicast                         0                18626                18626
       Broadcast                         0                 1453                 1453
     Bytes                               0              2199543              2199543
     Jumbos                              0                    0                    0
     Dropped                             0                    0                    0
     Filtered                            0                    0                    0
     Pause Frames                        0                    0                    0
     Errors                              0                    0                    0
       CRC/FCS                           0                  n/a                    0
       Collision                       n/a                    0                    0
       Runts                             0                  n/a                    0
       Giants                            0                  n/a                    0
    I was still not able to ping the IP address I am using for the Agg interface on the PAN, though. I did change it from vlan trunk native 2 / vlan trunk allowed 2 to vlan access 2, and it shows as up on the switch and on the PAN, but I still wasn't able to ping the IP on that Agg interface on the PAN. I think it is something on the PAN. I am not very familiar with them, but when I was looking at it, there is a tab for LACP and it was not enabled.
    Going back to Parnassus: I set the speed to that on the interfaces because on the PAN that is what they were set to as well.



  • 5.  RE: Aggregate Ethernet on Palo Alto to 8320 CX Series

    Posted May 24, 2024 02:13 AM

    The config on the switch looks good. I have two 8325s configured as VSX, with an interface lag multi-chassis configured and connected to two FortiGate 3300E, with no issue.

    I am not familiar with Palo Alto; it's best to check with the supplier.




  • 6.  RE: Aggregate Ethernet on Palo Alto to 8320 CX Series

    Posted May 27, 2024 11:23 PM

    So this is part of a VSX cluster. I was only going to use one of the switches at first, since I needed to free up some of the ethernet ports on the firewall, but this weekend I attempted to set it up on the VSX cluster.

    This is how I have it configured with VSX going. I still see the same result, though. I am using single mode patch cables and LV transceivers, which should work with the single mode. On the PAN, in the tab with the settings, I have link speed, link duplex and link state all set to auto. I changed the speed on the switch to auto, like Parnassus had mentioned, as well. I was reading the documentation for PAN and it does look like it is set up correctly. The one thing I noticed was that LACP was not enabled on the PAN side; I did try that and still was not able to ping the IP of the agg interface. It very well could be on the PAN side, like I said, I am not very familiar with them...

    vlan 2
        vsx-sync
        description Agg to PAN
    interface vlan 2
        description Agg to PAN
        vsx-sync active-gateways
        ip address 10.2.0.1/24
        active-gateway ip mac 12:02:00:00:01:01
        active-gateway ip 10.2.0.1
        ip ospf 1 area 0.0.0.0
        no ip ospf passive
        exit
    interface lag 2
        description Agg to PAN
        no shutdown
        no routing
        vlan trunk native 1
        vlan trunk allowed 1,2
        lacp mode active
        exit
    interface 1/1/9
        description Agg to PAN
        no shutdown
        lag 2
        exit
    interface 1/1/10
        description Agg to PAN
        no shutdown
        lag 2
        exit

    Port       Native  Mode   Type           Enabled Status  Reason                  Mtu     Description
               VLAN
    1/1/9          1       trunk  1G-LX          yes     down    Waiting for link        --      Agg to PAN
    1/1/10         1       trunk  --             yes     down    No XCVR installed       --      Agg to PAN
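The outputs pasted in this thread already contain the answer in the order a practitioner reads them: member links first, then LACP, then anything at layer 2/3. As an added example (not from the thread, not an HPE or Palo Alto tool), the script below parses a `show interface lag` block and the member rows of `show interface brief` and reports the lowest failing layer. The sample text is constructed by trimming the two outputs pasted above; the column split assumes the two-or-more-space gaps of the CX `show interface brief` table, and the LACP inference (multicast TX with zero RX means the switch is sending LACPDUs and the peer is not answering) is my interpretation, not something the switch states.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: trimmed from the `show interface lag 2` output pasted in the thread.
LAG_OUTPUT = """\
Aggregate lag2 is down
 Admin state is up
 State information : Disabled by LACP or LAG
 Description : Agg to PAN
 Aggregate mode              : active
 Speed                       : 0 Mb/s
 Statistic                          RX                   TX                Total
 ---------------- -------------------- -------------------- --------------------
 Packets                             0                20089                20089
   Unicast                           0                   10                   10
   Multicast                         0                18626                18626
   Broadcast                         0                 1453                 1453
"""

# Constructed sample: the two member-port rows of `show interface brief` pasted in the thread.
BRIEF_OUTPUT = """\
1/1/9          1       trunk  1G-LX          yes     down    Waiting for link        --      Agg to PAN
1/1/10         1       trunk  --             yes     down    No XCVR installed       --      Agg to PAN
"""


@dataclass
class LagStatus:
    name: str
    link: str          # "up" / "down" (operational)
    admin: str         # "up" / "down" (configured)
    state_info: str    # e.g. "Disabled by LACP or LAG"
    mode: str          # lacp mode: active / passive
    rx_packets: int
    tx_multicast: int  # LACPDUs are multicast, so this is the only TX counter that moves on a dead LAG


@dataclass
class MemberPort:
    port: str
    xcvr: str
    status: str
    reason: str


@dataclass
class Finding:
    layer: int         # 0 = admin, 1 = physical, 2 = LACP / L2
    message: str


def parse_lag(text: str) -> LagStatus:
    """Pull the fields that matter for triage out of `show interface lag N`."""
    head = re.search(r"^Aggregate (lag\d+) is (\w+)", text, re.M)
    if not head:
        raise ValueError("not a `show interface lag` output")
    counters = {}
    for row in re.finditer(r"^\s*(Packets|Unicast|Multicast|Broadcast)\s+(\d+)\s+(\d+)\s+(\d+)\s*$", text, re.M):
        counters[row.group(1)] = (int(row.group(2)), int(row.group(3)))  # (RX, TX)
    return LagStatus(
        name=head.group(1), link=head.group(2),
        admin=re.search(r"Admin state is (\w+)", text).group(1),
        state_info=re.search(r"State information\s*:\s*(.+)", text).group(1).strip(),
        mode=re.search(r"Aggregate mode\s*:\s*(\w+)", text).group(1),
        rx_packets=counters.get("Packets", (0, 0))[0],
        tx_multicast=counters.get("Multicast", (0, 0))[1],
    )


def parse_brief(text: str) -> list[MemberPort]:
    """Split `show interface brief` rows on runs of 2+ spaces (columns: port, native VLAN,
    mode, type, enabled, status, reason, MTU, description)."""
    ports = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) < 7:
            raise ValueError(f"unexpected row: {line!r}")
        ports.append(MemberPort(port=cols[0], xcvr=cols[3], status=cols[5], reason=cols[6]))
    return ports


def triage(lag_text: str, brief_text: str) -> list[Finding]:
    """Report problems bottom-up: admin state, member links, then LACP negotiation."""
    lag, members = parse_lag(lag_text), parse_brief(brief_text)
    findings: list[Finding] = []
    if lag.admin != "up":
        findings.append(Finding(0, f"{lag.name} is administratively down: add `no shutdown`"))
    for p in members:  # layer 1: no transceiver or no light means LACP never starts on that member
        if p.status != "up":
            findings.append(Finding(1, f"member {p.port} is {p.status} ({p.reason}); transceiver: {p.xcvr}"))
    if lag.link == "up":
        findings.append(Finding(2, f"{lag.name} is up: verify with `show mac-address-table vlan <id>` before testing L3"))
        return findings
    # Switch in active mode, LACPDUs going out (multicast TX) and nothing coming back (RX 0):
    # the peer is not negotiating LACP, or its links are not up. Interpretation, not a switch message.
    if "LACP" in lag.state_info and lag.mode == "active" and lag.tx_multicast > 0 and lag.rx_packets == 0:
        live = [p.port for p in members if p.status == "up"]
        if live:
            findings.append(Finding(2, f"{lag.name} sends LACPDUs on {', '.join(live)} but receives nothing: enable LACP on the peer aggregate interface"))
        else:
            findings.append(Finding(2, f"{lag.name} sends LACPDUs but receives nothing: fix the member links first, then check LACP on the peer"))
    return findings


if __name__ == "__main__":
    for f in triage(LAG_OUTPUT, BRIEF_OUTPUT):
        print(f"L{f.layer}: {f.message}")
```

On the sample above the script reports both members down (one waiting for link, one with no transceiver) before it says anything about LACP, which is the order the earlier replies recommend: until a member port is up there is nothing for LACP to negotiate over, and until the LAG is up there is no point in pinging.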



  • 7.  RE: Aggregate Ethernet on Palo Alto to 8320 CX Series

    Posted May 28, 2024 04:21 AM

    Hi. It is important that you don't use ping as the test to know whether you have had any success. This is especially true when using a firewall, which may simply not be responding even though the network layer is 100%.

    Check for the interfaces being up first (layer 1)
    Check for MAC addresses being present on "show mac-add" type commands (layer 2)

    As you have changed some aspects it would help others to diagnose if you send the output to the following:

    show int lag 2
    show mac-address vlan 2
    show arp | i lag2



    Note that LACP is not enabled by default on aggregate interfaces on the Palo Alto. Here is an example of a working link between a PA and a CX switch. The PA is passive, the CX has lacp mode active as per your example.

    [screenshot attached: image.png]
    In this working example all interfaces on all devices have duplex & speed set to auto.
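As an added example (not from this thread, and not vendor documentation), this is the pair of configurations I would expect for the bundle the thread describes: the PAN-OS side, where LACP is off by default on an aggregate-ethernet interface and has to be enabled explicitly, here in passive mode, and the AOS-CX side as a multi-chassis LAG on the VSX pair in active mode. The interface names (ae1, ethernet1/3 and ethernet1/4), the zone name, the 10.2.0.10 address and the allow-ping profile name are assumptions; verify the exact set-command syntax against your PAN-OS release. It also carries the two checks this thread circles around: an untagged ae1 must land in the VLAN that holds the switch SVI, and a PA data-plane interface only answers ping if an interface management profile permits it.

```text
# --- PAN-OS (CLI, configure mode). Assumed names: ae1, ethernet1/3, ethernet1/4, zone "inside".
configure
set network interface aggregate-ethernet ae1 layer3 ip 10.2.0.10/24
set network interface aggregate-ethernet ae1 layer3 lacp enable yes
set network interface aggregate-ethernet ae1 layer3 lacp mode passive
set network interface aggregate-ethernet ae1 layer3 lacp transmission-rate slow
set network interface ethernet ethernet1/3 aggregate-group ae1
set network interface ethernet ethernet1/4 aggregate-group ae1
set network virtual-router default interface ae1
set zone inside network layer3 ae1
# Ping is not answered on a data-plane interface without a management profile that allows it.
# Only enable ping (not https/ssh) here; this is a data-plane interface, not management.
set network profiles interface-management-profile allow-ping ping yes
set network interface aggregate-ethernet ae1 layer3 interface-management-profile allow-ping
commit

# --- AOS-CX, on both VSX members (same lag number, same settings, one member port per switch).
# ae1 is untagged (no subinterface), so the PA's frames must arrive in VLAN 2, the VLAN of the SVI.
# With "vlan trunk native 1 / allowed 1,2" they land in VLAN 1 and never reach 10.2.0.1.
vlan 2
    vsx-sync
    description Agg to PAN
interface lag 2 multi-chassis
    description Agg to PAN
    no shutdown
    no routing
    vlan access 2
    lacp mode active
interface 1/1/9
    description Agg to PAN
    no shutdown
    lag 2

# --- Verify bottom-up before any L3 test (command names as I know them; confirm on your release)
# CX:  show interface brief              member ports must be up, with a transceiver listed
#      show lacp interfaces              partner system ID should be the PA's MAC, state "up"
#      show interface lag 2              "Aggregate lag2 is up"
#      show mac-address-table vlan 2     PA's MAC learned on lag2
# PA:  show lacp aggregate-ethernet ae1
#      show interface ae1
```

Two design notes. The VSX pair shares one LACP system ID for a multi-chassis LAG, so the firewall sees a single LACP partner even though its two members terminate on different switches; a plain `interface lag 2` on each VSX member instead presents two partners and the firewall will only bundle one. And active on the switch with passive on the firewall is enough, since LACP needs only one active end, but active/active is equally valid and removes the dependency on which side starts talking first.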