Maybe I've missed it, but (to me) it's unclear which physical interfaces belonging to your entire VSX cluster you're aggregating together (please consider that a VSX LAG = multi-chassis LAG).
Are you aggregating interfaces 1/1/9 and 1/1/10 belonging to the VSX primary (say switch vsx-1) with the corresponding interfaces 1/1/9 and 1/1/10 belonging to the VSX secondary (say switch vsx-2) in order to form a VSX LAG (that is, a LAG spanning the multi-chassis represented by the entire VSX), made of 1/1/9 (vsx-1) + 1/1/10 (vsx-1) + 1/1/9 (vsx-2) + 1/1/10 (vsx-2)?
If so, such a VSX LAG, as seen by the peering standalone PAN firewall, requires on the PAN firewall the corresponding presence of a well-formed, non-multi-chassis LAG (so a quite "standard" LAG) made of four interfaces (this grants, with all interfaces correctly working and peering to the VSX, normal non-degraded operation).
Or are you trying something else?
Original Message:
Sent: 5/29/2024 11:58:00 PM
From: Rford2798
Subject: RE: Aggregate Ethernet on Palo Alto to 8320 CX Series
vlan 2
name Agg from PAN
vsx-sync
interface vlan 2
description Agg from PAN
vsx-sync active-gateways
ip address 10.2.0.1/24
active-gateway ip mac 12:02:00:00:01:01
active-gateway ip 10.2.0.1
ip helper-address 10.2.0.22
ip ospf 1 area 0.0.0.0
no ip ospf passive
On my bottom switch in my cluster connected to the PAN:
interface vlan 2
description Agg from PAN
vsx-sync active-gateways
ip address 10.2.0.3/24
active-gateway ip mac 12:02:00:00:01:01
active-gateway ip 10.2.0.1
ip helper-address 10.2.0.22
ip ospf 1 area 0.0.0.0
interface lag 2
no shutdown
no routing
vlan trunk native 2
vlan trunk allowed 2
lacp mode active
interface 1/1/9
description Agg from PAN
lag 2
exit
interface 1/1/10
description Agg from PAN
lag 2
exit
VSX-LOWER-SWITCH# sho int lag 2
Aggregate lag2 is down
Admin state is up
State information : Disabled by aggregation
Description :
MAC Address : 88:3a:30:5e:96:38
Aggregated-interfaces : 1/1/9 1/1/10
Aggregation-key : 2
Aggregate mode : active
Speed : 0 Mb/s
qos trust dscp
VLAN Mode: native-untagged
Native VLAN: 2
Allowed VLAN List: 2
L3 Counters: Rx Disabled, Tx Disabled
Statistic RX TX Total
---------------- -------------------- -------------------- --------------------
Packets 0 946 946
Unicast 0 0 0
Multicast 0 946 946
Broadcast 0 0 0
Bytes 0 165356 165356
Jumbos 0 0 0
Dropped 0 0 0
Filtered 0 0 0
Pause Frames 0 0 0
Errors 0 0 0
CRC/FCS 0 n/a 0
Collision n/a 0 0
Runts 0 n/a 0
Giants 0 n/a 0
VSX-LOWER-SWITCH# sho mac-add vlan 2
MAC age-time : 300 seconds
Number of MAC addresses : 12
MAC Address VLAN Type Port
--------------------------------------------------------------
ec:2a:72:00:36:30 200 dynamic lag256
e4:3d:1a:ab:42:db 200 dynamic lag1
e4:3d:1a:a0:e2:23 200 dynamic lag256
d0:67:26:e2:1f:f2 200 dynamic lag256
00:0a:f7:e2:84:a9 200 dynamic lag256
00:0a:f7:8d:f6:99 200 dynamic lag1
08:30:6b:b1:92:11 200 dynamic lag256
14:18:77:35:f8:e5 200 dynamic 1/1/11
18:66:da:66:3c:72 200 dynamic lag1
44:a8:42:14:26:2f 200 dynamic 1/1/11
58:8a:5a:f6:50:e6 200 dynamic lag1
b0:7b:25:fe:4b:e8 200 dynamic lag1
sho arp | i lag 2 - command not supported...version is TL.10.13.1010
Original Message:
Sent: May 28, 2024 04:20 AM
From: IanNightingale
Subject: Aggregate Ethernet on Palo Alto to 8320 CX Series
Hi. It is important that you don't use ping as the test to know whether you have had any success. This is especially true when using a firewall, which may simply not be responding even though the network layer is 100%.
Check for the interfaces being up first (layer 1)
Check for MAC addresses being present on "show mac-add" type commands (layer 2)
As you have changed some aspects, it would help others to diagnose if you send the output of the following:
show int lag 2
show mac-address vlan 2
show arp | i lag2
Note that LACP is not enabled by default on aggregate interfaces on the Palo Alto. Here is an example of a working link between a PA and a CX switch. The PA is passive, the CX has lacp mode active as per your example.
In this working example all interfaces on all devices have duplex & speed set to auto.
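To make the checklist above (layer 1 up, MAC addresses learned on the port, then LACP) repeatable, here is an added Python script; it is not from this thread, from Aruba or from Palo Alto. It parses "show interface lag N" and "show mac-address" text in the same layout as pasted earlier in the thread and reports which step is failing. The two LAG samples and the MAC table embedded in it are constructed (modelled on the pasted output), and the field names it matches are only those visible in that paste.

```python
import re

# Constructed sample, modelled on the "show int lag 2" output pasted in the thread:
# a LAG whose members transmit (LACPDUs are multicast) but never receive anything.
LAG_DOWN = """\
Aggregate lag2 is down
Admin state is up
State information : Disabled by aggregation
Aggregated-interfaces : 1/1/9 1/1/10
Aggregate mode : active
Speed : 0 Mb/s
Statistic RX TX Total
---------------- -------------------- -------------------- --------------------
Packets 0 946 946
Multicast 0 946 946
Bytes 0 165356 165356
"""

# Constructed healthy counterpart: the partner answered and both 1G members joined.
LAG_UP = """\
Aggregate lag3 is up
Admin state is up
State information : Up
Aggregated-interfaces : 1/1/9 1/1/10
Aggregate mode : active
Speed : 2000 Mb/s
Statistic RX TX Total
Packets 5120 4870 9990
Multicast 120 70 190
"""

# Constructed "show mac-address" lines: nothing learned on lag2, one host on lag3.
MAC_TABLE = """\
MAC Address VLAN Type Port
--------------------------------------------------------------
e4:3d:1a:ab:42:db 200 dynamic lag1
14:18:77:35:f8:e5 200 dynamic 1/1/11
02:00:00:00:00:01 2 dynamic lag3
"""

COUNTER_RE = re.compile(
    r"^(Packets|Unicast|Multicast|Broadcast|Bytes)\s+(\d+|n/a)\s+(\d+|n/a)\s+(\d+|n/a)\s*$")
MAC_RE = re.compile(
    r"^([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\d+)\s+(\w+)\s+(\S+)\s*$", re.IGNORECASE)


def _field(pattern, text):
    """First capture group of pattern in text (one line per match), or None."""
    m = re.search(pattern, text, re.MULTILINE)
    return m.group(1).strip() if m else None


def _num(token):
    return None if token == "n/a" else int(token)


def parse_show_int_lag(text):
    """Pick the state lines and the RX/TX counter table out of 'show interface lag N'."""
    info = {
        "name": _field(r"^Aggregate (lag\d+) is \w+", text),
        "oper": _field(r"^Aggregate lag\d+ is (\w+)", text),
        "admin": _field(r"^Admin state is (\w+)", text),
        "state_info": _field(r"^State information\s*:\s*(.*)$", text),
        "members": (_field(r"^Aggregated-interfaces\s*:\s*(.*)$", text) or "").split(),
        "lacp_mode": _field(r"^Aggregate mode\s*:\s*(\w+)", text),
        "speed_mbps": int(_field(r"^Speed\s*:\s*(\d+)", text) or 0),
        "counters": {},
    }
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:  # header and dashed separator lines do not match and are skipped
            info["counters"][m.group(1)] = {
                "rx": _num(m.group(2)), "tx": _num(m.group(3)), "total": _num(m.group(4))}
    return info


def parse_show_mac(text):
    """Turn the 'show mac-address' table into a list of dicts, skipping header lines."""
    entries = []
    for line in text.splitlines():
        m = MAC_RE.match(line)
        if m:
            entries.append({"mac": m.group(1).lower(), "vlan": int(m.group(2)),
                            "type": m.group(3), "port": m.group(4)})
    return entries


def diagnose(lag, macs):
    """Apply the layer-1 / layer-2 / LACP checklist and return the findings in order."""
    findings = []
    name = lag["name"]
    if lag["admin"] != "up":
        findings.append(f"{name} is admin down: 'no shutdown' is missing on the LAG")
    if lag["oper"] != "up":
        findings.append(f"{name} is operationally down ({lag['state_info']})")
        pk = lag["counters"].get("Packets", {})
        if (pk.get("tx") or 0) > 0 and (pk.get("rx") or 0) == 0:
            findings.append("frames leave the LAG but none come back: the peer is not "
                            "answering LACP (LACP disabled or passive on both ends, "
                            "wrong members, or a layer-1 fault)")
        if lag["speed_mbps"] == 0:
            findings.append("no member has negotiated a speed: check layer 1 first")
    learned = {e["port"] for e in macs}
    if name not in learned:
        findings.append(f"no MAC address learned on {name}: layer 2 is not forwarding yet")
    return findings


if __name__ == "__main__":
    for sample in (LAG_DOWN, LAG_UP):
        lag = parse_show_int_lag(sample)
        print(lag["name"], "->", diagnose(lag, parse_show_mac(MAC_TABLE)) or ["looks healthy"])
```

Paste the real output of the two show commands in place of the constructed strings; the RX-zero / TX-positive test is the quick tell that the switch is sending LACPDUs into a link whose far end is not participating, which is exactly the state the "Aggregate lag2 is down / Admin state is up" paste shows.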
Original Message:
Sent: 5/27/2024 11:23:00 PM
From: Rford2798
Subject: RE: Aggregate Ethernet on Palo Alto to 8320 CX Series
So this is part of a VSX cluster. I was only going to use one of the switches at first since I needed to free up some of the Ethernet ports on the firewall, but this weekend I attempted to set it up on the VSX cluster.
This is how I have it configured with VSX going. I still see the same result though. I am using single-mode patch cables and LV transceivers, which should work with the single mode. On the PAN, in the tab with the settings, I have link speed, link duplex and link state all set to auto. I changed the speed on the switch to auto like Parnassus had mentioned as well. I was reading the documentation for PAN and it does look like it is set up correctly. The one thing I noticed was that LACP was not enabled on the PAN side; I did try that and still was not able to ping the IP of the agg interface. It very well could be on the PAN side; like I said, I am not very familiar with them...
vlan 2
vsx-sync
description Agg to PAN
interface vlan 2
description Agg to PAN
vsx-sync active-gateways
active-gateway ip mac 12:02:00:00:01:01
active-gateway ip 10.2.0.1
ip ospf 1 area 0.0.0.0
no ip ospf passive
exit
interface lag 2
description Agg to PAN
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1,2
lacp mode active
exit
interface 1/1/9
description Agg to PAN
no shutdown
lag 2
exit
interface 1/1/10
description Agg to PAN
no shutdown
lag 2
exit
1/1/9 1 trunk 1G-LX yes down Waiting for link -- Agg to PAN
1/1/10 1 trunk -- yes down No XCVR installed -- Agg to PAN
Original Message:
Sent: May 24, 2024 02:13 AM
From: lw25
Subject: Aggregate Ethernet on Palo Alto to 8320 CX Series
The config on the switch looks good. I have two 8325s configured as VSX with interface lag multi-chassis configured and connected to two FortiGate 3300E with no issue.
I am not familiar with Palo Alto; it's best to check with the supplier.
Original Message:
Sent: May 24, 2024 01:41 AM
From: Rford2798
Subject: Aggregate Ethernet on Palo Alto to 8320 CX Series
This is all my configurations on the switch side of things:
VLAN 2
description Agg to PAN
interface VLAN 2
no shutdown
no routing
description Agg to PAN
ip address 10.2.2.2/24
ip ospf 1 10.2.2.2
interface lag 2
description Agg to PAN
no shutdown
no routing
vlan trunk native 2
vlan trunk allowed 2
lacp mode active
exit
int 1/1/1
description Agg to PAN
no shutdown
speed 1000-full
lag 2
exit
interface 1/1/2
description Agg to PAN
speed 1000-full
lag 2
exit
This is the output of the show interface lag 2:
Aggregate lag2 is down
Admin state is up
State information : Disabled by LACP or LAG
Description : Agg to PAN
MAC Address : 88:3a:30:5e:96:38
Aggregated-interfaces : 1/1/911/1/2
Aggregation-key : 2
Aggregate mode : active
Speed : 0 Mb/s
qos trust dscp
VLAN Mode: native-untagged
Native VLAN: 2
Allowed VLAN List: 2
L3 Counters: Rx Disabled, Tx Disabled
Statistic RX TX Total
---------------- -------------------- -------------------- --------------------
Packets 0 20089 20089
Unicast 0 10 10
Multicast 0 18626 18626
Broadcast 0 1453 1453
Bytes 0 2199543 2199543
Jumbos 0 0 0
Dropped 0 0 0
Filtered 0 0 0
Pause Frames 0 0 0
Errors 0 0 0
CRC/FCS 0 n/a 0
Collision n/a 0 0
Runts 0 n/a 0
Giants 0 n/a 0
I was still not able to ping the IP address I am using for the agg interface on the PAN though. I did change it from vlan trunk native 2 / vlan trunk allowed 2 to vlan access 2, and it shows as up on the switch and on the PAN, but I still wasn't able to ping the IP on that agg interface on the PAN. I think it is something on the PAN. I am not very familiar with them, but when I was looking at it, there is a tab for LACP and it was not enabled.
Going back to Parnassus, I set the speed to that on the interfaces because on the PAN that is what they were set to as well.
Original Message:
Sent: May 23, 2024 04:07 AM
From: IanNightingale
Subject: Aggregate Ethernet on Palo Alto to 8320 CX Series
Hi, just to confirm the CX config, here is a working example of a LAG that connects to a PA firewall.
interface lag 3
no shutdown
no routing
vlan trunk native 390
vlan trunk allowed 390
lacp mode active
exit
An "ae" or aggregate ethernet interface on the PA is a LACP setup. Two physicals, one logical.
I see you don't have a no shut on your example. Worth checking with the config above.
If that still doesn't work, this is most likely because of a config issue on the PA side. I recall the config wasn't straightforward/logical. See what happens with the above config and paste the interface, lag and show-interface-lag output.
Don't think about L3 until the LAG shows up.
Original Message:
Sent: May 22, 2024 09:27 PM
From: Rford2798
Subject: Aggregate Ethernet on Palo Alto to 8320 CX Series
I have been working on this one for the last few days. I saw a post from some time ago when someone did it with Comware/ HPE device and I tried to mimic it with no luck.
I have a Palo Alto that I have an aggregate ethernet set up on. On my switch it connects to, I have my VLAN, the interface VLAN, and the port configured as a trunk with just the interfaces then I tried it with a LAG. What I see is that the Palo Alto says it is up, but my switch says it is down and I cannot ping the IP I am using on the AE on the Palo Alto. This is what I have done on the switch side:
VLAN 2
description Palo Alto AE
interface vlan 2
description Palo Alto AE
ip address 10.2.2.2/24
ip ospf 1 10.2.2.2
interface 1/1/1
description Palo Alto AE
vlan trunk native 1
vlan trunk allowed 1,2
This showed up on the switch for a little bit until I started trying to ping it. When it didn't ping I rolled the fiber then tried and still got nothing and then rolled it back and the port showed down so I tried as a LAG:
interface lag 2
description Palo Alto AE
vlan trunk native 1
vlan trunk allowed 1,2
lacp mode active
I still was unable to ping the IP of the AE on the Palo Alto. I am not sure whether I need a LAG, or whether just using the interfaces would be OK, or maybe I am going about this the wrong way?