Wired Intelligent Edge

I have been working on this one for the last few days. I saw a post from some time ago when someone did it with Comware/ HPE device and I tried to mimic it with no luck.

I have a Palo Alto that I have an aggregate ethernet set up on. On my switch it connects to, I have my VLAN, the interface VLAN, and the port configured as a trunk with just the interfaces then I tried it with a LAG. What I see is that the Palo Alto says it is up, but my switch says it is down and I cannot ping the IP I am using on the AE on the Palo Alto. This is what I have done on the switch side:

VLAN 2

description Palo Alto AE

interface vlan 2

description Palo Alto AE

ip address 10.2.2.2/24

ip ospf 1 10.2.2.2

interface 1/1/1

description Palo Alto AE

vlan trunk native 1

vlan trunk allowed 1,2

This showed up on the switch for a little bit until I started trying to ping it. When it didn't ping I rolled the fiber then tried and still got nothing and then rolled it back and the port showed down so I tried as a LAG:

interface lag 2

description Palo Alo AE

vlan trunk native 1

vlan trunk allowed 1,2

lacp mode active.

I still was unable to ping the IP of the AE on the Palo Alto. I am not sure whether I need a LAG or a just using the interfaces would be ok or maybe I am going about this the wrong way?

I have been working on this one for the last few days. I saw a post from some time ago when someone did it with Comware/ HPE device and I tried to mimic it with no luck.

I have a Palo Alto that I have an aggregate ethernet set up on. On my switch it connects to, I have my VLAN, the interface VLAN, and the port configured as a trunk with just the interfaces then I tried it with a LAG. What I see is that the Palo Alto says it is up, but my switch says it is down and I cannot ping the IP I am using on the AE on the Palo Alto. This is what I have done on the switch side:

VLAN 2

description Palo Alto AE

interface vlan 2

description Palo Alto AE

ip address 10.2.2.2/24

ip ospf 1 10.2.2.2

interface 1/1/1

description Palo Alto AE

vlan trunk native 1

vlan trunk allowed 1,2

This showed up on the switch for a little bit until I started trying to ping it. When it didn't ping I rolled the fiber then tried and still got nothing and then rolled it back and the port showed down so I tried as a LAG:

interface lag 2

description Palo Alo AE

vlan trunk native 1

vlan trunk allowed 1,2

lacp mode active.

I still was unable to ping the IP of the AE on the Palo Alto. I am not sure whether I need a LAG or a just using the interfaces would be ok or maybe I am going about this the wrong way?

Hi, just to confirm the CX config, here is a working example of a LAG that connects to a PA firewall.

interface lag 3
    no shutdown
    no routing
    vlan trunk native 390
    vlan trunk allowed 390
    lacp mode active
    exit

An "ae" or aggregate ethernet interface on the PA is a LACP setup. Two physicals, one logical.

I see you don't have a no shut on your example. Worth checking with the config above.

If that still doesn't work this is most likely because of a config issue on the PA side. I recall the config wasn't straight forward/logical. See what happens with the above config and paste the interface, lag and show-interface-lag output.

Don't think about L3 until the LAG shows up.

I have been working on this one for the last few days. I saw a post from some time ago when someone did it with Comware/ HPE device and I tried to mimic it with no luck.

I have a Palo Alto that I have an aggregate ethernet set up on. On my switch it connects to, I have my VLAN, the interface VLAN, and the port configured as a trunk with just the interfaces then I tried it with a LAG. What I see is that the Palo Alto says it is up, but my switch says it is down and I cannot ping the IP I am using on the AE on the Palo Alto. This is what I have done on the switch side:

VLAN 2

description Palo Alto AE

interface vlan 2

description Palo Alto AE

ip address 10.2.2.2/24

ip ospf 1 10.2.2.2

interface 1/1/1

description Palo Alto AE

vlan trunk native 1

vlan trunk allowed 1,2

This showed up on the switch for a little bit until I started trying to ping it. When it didn't ping I rolled the fiber then tried and still got nothing and then rolled it back and the port showed down so I tried as a LAG:

interface lag 2

description Palo Alo AE

vlan trunk native 1

vlan trunk allowed 1,2

lacp mode active.

I still was unable to ping the IP of the AE on the Palo Alto. I am not sure whether I need a LAG or a just using the interfaces would be ok or maybe I am going about this the wrong way?

This is all my configurations on the switch side of things:

VLAN 2

description Agg to PAN

interface VLAN 2

no shutdown

no routing

description Agg to PAN

ip address 10.2.2.2/24

ip ospf 1 10.2.2.2

interface lag 2

description Agg to PAN

no shutdown

no routing

vlan trunk native 2

vlan trunk allowed 2

lacp mode active

exit

int 1/1/1

description Agg to PAN

no shutdown

speed 1000-full

lag 2

exit

interface 1/1/2

description Agg to PAN

speed 1000-full

lag 2

exit

This is the output of the show interface lag 2:

Hi, just to confirm the CX config, here is a working example of a LAG that connects to a PA firewall.

interface lag 3
    no shutdown
    no routing
    vlan trunk native 390
    vlan trunk allowed 390
    lacp mode active
    exit

An "ae" or aggregate ethernet interface on the PA is a LACP setup. Two physicals, one logical.

I see you don't have a no shut on your example. Worth checking with the config above.

If that still doesn't work this is most likely because of a config issue on the PA side. I recall the config wasn't straight forward/logical. See what happens with the above config and paste the interface, lag and show-interface-lag output.

Don't think about L3 until the LAG shows up.

I have been working on this one for the last few days. I saw a post from some time ago when someone did it with Comware/ HPE device and I tried to mimic it with no luck.

I have a Palo Alto that I have an aggregate ethernet set up on. On my switch it connects to, I have my VLAN, the interface VLAN, and the port configured as a trunk with just the interfaces then I tried it with a LAG. What I see is that the Palo Alto says it is up, but my switch says it is down and I cannot ping the IP I am using on the AE on the Palo Alto. This is what I have done on the switch side:

VLAN 2

description Palo Alto AE

interface vlan 2

description Palo Alto AE

ip address 10.2.2.2/24

ip ospf 1 10.2.2.2

interface 1/1/1

description Palo Alto AE

vlan trunk native 1

vlan trunk allowed 1,2

This showed up on the switch for a little bit until I started trying to ping it. When it didn't ping I rolled the fiber then tried and still got nothing and then rolled it back and the port showed down so I tried as a LAG:

interface lag 2

description Palo Alo AE

vlan trunk native 1

vlan trunk allowed 1,2

lacp mode active.

I still was unable to ping the IP of the AE on the Palo Alto. I am not sure whether I need a LAG or a just using the interfaces would be ok or maybe I am going about this the wrong way?

the config on the switch  look good, have got two 8325 configure as VSX with  interface lag  multi-chassis configure and connect to two FortiGate 3300E with no issue

am not familiar with Palo Alto it's best to check with the supplier.

This is all my configurations on the switch side of things:

VLAN 2

description Agg to PAN

interface VLAN 2

no shutdown

no routing

description Agg to PAN

ip address 10.2.2.2/24

ip ospf 1 10.2.2.2

interface lag 2

description Agg to PAN

no shutdown

no routing

vlan trunk native 2

vlan trunk allowed 2

lacp mode active

exit

int 1/1/1

description Agg to PAN

no shutdown

speed 1000-full

lag 2

exit

interface 1/1/2

description Agg to PAN

speed 1000-full

lag 2

exit

This is the output of the show interface lag 2:

Hi, just to confirm the CX config, here is a working example of a LAG that connects to a PA firewall.

interface lag 3
    no shutdown
    no routing
    vlan trunk native 390
    vlan trunk allowed 390
    lacp mode active
    exit

An "ae" or aggregate ethernet interface on the PA is a LACP setup. Two physicals, one logical.

I see you don't have a no shut on your example. Worth checking with the config above.

If that still doesn't work this is most likely because of a config issue on the PA side. I recall the config wasn't straight forward/logical. See what happens with the above config and paste the interface, lag and show-interface-lag output.

Don't think about L3 until the LAG shows up.

I have been working on this one for the last few days. I saw a post from some time ago when someone did it with Comware/ HPE device and I tried to mimic it with no luck.

I have a Palo Alto that I have an aggregate ethernet set up on. On my switch it connects to, I have my VLAN, the interface VLAN, and the port configured as a trunk with just the interfaces then I tried it with a LAG. What I see is that the Palo Alto says it is up, but my switch says it is down and I cannot ping the IP I am using on the AE on the Palo Alto. This is what I have done on the switch side:

VLAN 2

description Palo Alto AE

interface vlan 2

description Palo Alto AE

ip address 10.2.2.2/24

ip ospf 1 10.2.2.2

interface 1/1/1

description Palo Alto AE

vlan trunk native 1

vlan trunk allowed 1,2

This showed up on the switch for a little bit until I started trying to ping it. When it didn't ping I rolled the fiber then tried and still got nothing and then rolled it back and the port showed down so I tried as a LAG:

interface lag 2

description Palo Alo AE

vlan trunk native 1

vlan trunk allowed 1,2

lacp mode active.

I still was unable to ping the IP of the AE on the Palo Alto. I am not sure whether I need a LAG or a just using the interfaces would be ok or maybe I am going about this the wrong way?

So this part of a VSX Cluster. I was only going to use one of the switches at first since I needed to free up some of the ethernet ports on the firewall, but this weekend I attempted to set it up on the VSX cluster.

This is how I have it configured with VSX going. I still see the same result though. I am using single mode patch cables, LV transceivers which should work with the single mode, On the PAN in the tab with the settings I have link speed, link duplex and link state all set to auto. I changed the speed on the switch to auto like Parnassus had mentioned as well. I was reading the documentation for PAN and it does look like it is set up correectly. The one thing I noticed was that the LACP was not enable on the PAN side, I did try that and still was not able to ping the IP of the agg interface. It very well could be on the PAN side, like I said, I am not very familiar with them...

the config on the switch  look good, have got two 8325 configure as VSX with  interface lag  multi-chassis configure and connect to two FortiGate 3300E with no issue

am not familiar with Palo Alto it's best to check with the supplier.

This is all my configurations on the switch side of things:

VLAN 2

description Agg to PAN

interface VLAN 2

no shutdown

no routing

description Agg to PAN

ip address 10.2.2.2/24

ip ospf 1 10.2.2.2

interface lag 2

description Agg to PAN

no shutdown

no routing

vlan trunk native 2

vlan trunk allowed 2

lacp mode active

exit

int 1/1/1

description Agg to PAN

no shutdown

speed 1000-full

lag 2

exit

interface 1/1/2

description Agg to PAN

speed 1000-full

lag 2

exit

This is the output of the show interface lag 2:

Hi, just to confirm the CX config, here is a working example of a LAG that connects to a PA firewall.

interface lag 3
    no shutdown
    no routing
    vlan trunk native 390
    vlan trunk allowed 390
    lacp mode active
    exit

An "ae" or aggregate ethernet interface on the PA is a LACP setup. Two physicals, one logical.

I see you don't have a no shut on your example. Worth checking with the config above.

If that still doesn't work this is most likely because of a config issue on the PA side. I recall the config wasn't straight forward/logical. See what happens with the above config and paste the interface, lag and show-interface-lag output.

Don't think about L3 until the LAG shows up.

I have been working on this one for the last few days. I saw a post from some time ago when someone did it with Comware/ HPE device and I tried to mimic it with no luck.

I have a Palo Alto that I have an aggregate ethernet set up on. On my switch it connects to, I have my VLAN, the interface VLAN, and the port configured as a trunk with just the interfaces then I tried it with a LAG. What I see is that the Palo Alto says it is up, but my switch says it is down and I cannot ping the IP I am using on the AE on the Palo Alto. This is what I have done on the switch side:

VLAN 2

description Palo Alto AE

interface vlan 2

description Palo Alto AE

ip address 10.2.2.2/24

ip ospf 1 10.2.2.2

interface 1/1/1

description Palo Alto AE

vlan trunk native 1

vlan trunk allowed 1,2

This showed up on the switch for a little bit until I started trying to ping it. When it didn't ping I rolled the fiber then tried and still got nothing and then rolled it back and the port showed down so I tried as a LAG:

interface lag 2

description Palo Alo AE

vlan trunk native 1

vlan trunk allowed 1,2

lacp mode active.

I still was unable to ping the IP of the AE on the Palo Alto. I am not sure whether I need a LAG or a just using the interfaces would be ok or maybe I am going about this the wrong way?

Hi, It is important that you don't use ping as the test to know if you have any success. This is especially true when using a firewall which simply may be not responding even though the network layer is 100%.

Check for the interfaces being up first (layer 1)

Check for MAC addresses being present on "show mac-add" type commands (layer 2)

As you have changed some aspects it would help others to diagnose if you send the output to the following:

show int lag 2

show mac-address vlan 2

show arp | i lag2

Note that LACP is not enabled by default on aggregate interfaces on the Palo Alto. Here is an example of a working link between a PA and a CX switch. The PA is passive, the CX has lacp mode active as per your example.

In this working example all interfaces on all devices have duplex & speed set to auto.

So this part of a VSX Cluster. I was only going to use one of the switches at first since I needed to free up some of the ethernet ports on the firewall, but this weekend I attempted to set it up on the VSX cluster.

This is how I have it configured with VSX going. I still see the same result though. I am using single mode patch cables, LV transceivers which should work with the single mode, On the PAN in the tab with the settings I have link speed, link duplex and link state all set to auto. I changed the speed on the switch to auto like Parnassus had mentioned as well. I was reading the documentation for PAN and it does look like it is set up correectly. The one thing I noticed was that the LACP was not enable on the PAN side, I did try that and still was not able to ping the IP of the agg interface. It very well could be on the PAN side, like I said, I am not very familiar with them...

the config on the switch  look good, have got two 8325 configure as VSX with  interface lag  multi-chassis configure and connect to two FortiGate 3300E with no issue

am not familiar with Palo Alto it's best to check with the supplier.

This is all my configurations on the switch side of things:

VLAN 2

description Agg to PAN

interface VLAN 2

no shutdown

no routing

description Agg to PAN

ip address 10.2.2.2/24

ip ospf 1 10.2.2.2

interface lag 2

description Agg to PAN

no shutdown

no routing

vlan trunk native 2

vlan trunk allowed 2

lacp mode active

exit

int 1/1/1

description Agg to PAN

no shutdown

speed 1000-full

lag 2

exit

interface 1/1/2

description Agg to PAN

speed 1000-full

lag 2

exit

This is the output of the show interface lag 2:

Hi, just to confirm the CX config, here is a working example of a LAG that connects to a PA firewall.

interface lag 3
    no shutdown
    no routing
    vlan trunk native 390
    vlan trunk allowed 390
    lacp mode active
    exit

An "ae" or aggregate ethernet interface on the PA is a LACP setup. Two physicals, one logical.

I see you don't have a no shut on your example. Worth checking with the config above.

If that still doesn't work this is most likely because of a config issue on the PA side. I recall the config wasn't straight forward/logical. See what happens with the above config and paste the interface, lag and show-interface-lag output.

Don't think about L3 until the LAG shows up.

I have been working on this one for the last few days. I saw a post from some time ago when someone did it with Comware/ HPE device and I tried to mimic it with no luck.

I have a Palo Alto that I have an aggregate ethernet set up on. On my switch it connects to, I have my VLAN, the interface VLAN, and the port configured as a trunk with just the interfaces then I tried it with a LAG. What I see is that the Palo Alto says it is up, but my switch says it is down and I cannot ping the IP I am using on the AE on the Palo Alto. This is what I have done on the switch side:

VLAN 2

description Palo Alto AE

interface vlan 2

description Palo Alto AE

ip address 10.2.2.2/24

ip ospf 1 10.2.2.2

interface 1/1/1

description Palo Alto AE

vlan trunk native 1

vlan trunk allowed 1,2

This showed up on the switch for a little bit until I started trying to ping it. When it didn't ping I rolled the fiber then tried and still got nothing and then rolled it back and the port showed down so I tried as a LAG:

interface lag 2

description Palo Alo AE

vlan trunk native 1

vlan trunk allowed 1,2

lacp mode active.

I still was unable to ping the IP of the AE on the Palo Alto. I am not sure whether I need a LAG or a just using the interfaces would be ok or maybe I am going about this the wrong way?

vlan 2
    name Agg from PAN
    vsx-sync

interface vlan 2
    description Agg from PAN
    vsx-sync active-gateways
    ip address 10.2.0.1/24
    active-gateway ip mac 12:02:00:00:01:01
    active-gateway ip 10.2.0.1
    ip helper-address 10.2.0.22
    ip ospf 1 area 0.0.0.0
    no ip ospf passive

On my bottom switch in my cluster connected to the PAN:
interface vlan 2
    description Agg from PAN
    vsx-sync active-gateways
    ip address 10.2.0.3/24
    active-gateway ip mac 12:02:00:00:01:01
    active-gateway ip 10.2.0.1
    ip helper-address 10.2.0.22
    ip ospf 1 area 0.0.0.0

interface lag 2
    no shutdown
    no routing
    vlan trunk native 2
    vlan trunk allowed 2
    lacp mode active

interface 1/1/9
    description Agg from PAN
    lag 2
    exit
interface 1/1/10
    description Agg from PAN
    lag 2
    exit

VSX-LOWER-SWITCH# sho int lag 2

Aggregate lag2 is down
 Admin state is up
 State information : Disabled by aggregation
 Description :
 MAC Address                 : 88:3a:30:5e:96:38
 Aggregated-interfaces       : 1/1/9 1/1/10
 Aggregation-key             : 2
 Aggregate mode              : active
 Speed                       : 0 Mb/s
 qos trust dscp
 VLAN Mode: native-untagged
 Native VLAN: 2
 Allowed VLAN List: 2
 L3 Counters: Rx Disabled, Tx Disabled

 Statistic                          RX                   TX                Total
 ---------------- -------------------- -------------------- --------------------
 Packets                             0                  946                  946
   Unicast                           0                    0                    0
   Multicast                         0                  946                  946
   Broadcast                         0                    0                    0
 Bytes                               0               165356               165356
 Jumbos                              0                    0                    0
 Dropped                             0                    0                    0
 Filtered                            0                    0                    0
 Pause Frames                        0                    0                    0
 Errors                              0                    0                    0
   CRC/FCS                           0                  n/a                    0
   Collision                       n/a                    0                    0
   Runts                             0                  n/a                    0
   Giants                            0                  n/a                    0

VSX-LOWER-SWITCH# sho mac-add vlan 2
MAC age-time            : 300 seconds
Number of MAC addresses : 12

MAC Address          VLAN     Type                      Port
--------------------------------------------------------------
ec:2a:72:00:36:30    200      dynamic                   lag256
e4:3d:1a:ab:42:db    200      dynamic                   lag1
e4:3d:1a:a0:e2:23    200      dynamic                   lag256
d0:67:26:e2:1f:f2    200      dynamic                   lag256
00:0a:f7:e2:84:a9    200      dynamic                   lag256
00:0a:f7:8d:f6:99    200      dynamic                   lag1
08:30:6b:b1:92:11    200      dynamic                   lag256
14:18:77:35:f8:e5    200      dynamic                   1/1/11
18:66:da:66:3c:72    200      dynamic                   lag1
44:a8:42:14:26:2f    200      dynamic                   1/1/11
58:8a:5a:f6:50:e6    200      dynamic                   lag1
b0:7b:25:fe:4b:e8    200      dynamic                   lag1

sho arp | i lag 2 - command not supported...version is TL.10.13.1010

Hi, It is important that you don't use ping as the test to know if you have any success. This is especially true when using a firewall which simply may be not responding even though the network layer is 100%.

Check for the interfaces being up first (layer 1)

Check for MAC addresses being present on "show mac-add" type commands (layer 2)

As you have changed some aspects it would help others to diagnose if you send the output to the following:

show int lag 2

show mac-address vlan 2

show arp | i lag2

Note that LACP is not enabled by default on aggregate interfaces on the Palo Alto. Here is an example of a working link between a PA and a CX switch. The PA is passive, the CX has lacp mode active as per your example.

In this working example all interfaces on all devices have duplex & speed set to auto.

So this part of a VSX Cluster. I was only going to use one of the switches at first since I needed to free up some of the ethernet ports on the firewall, but this weekend I attempted to set it up on the VSX cluster.

This is how I have it configured with VSX going. I still see the same result though. I am using single mode patch cables, LV transceivers which should work with the single mode, On the PAN in the tab with the settings I have link speed, link duplex and link state all set to auto. I changed the speed on the switch to auto like Parnassus had mentioned as well. I was reading the documentation for PAN and it does look like it is set up correectly. The one thing I noticed was that the LACP was not enable on the PAN side, I did try that and still was not able to ping the IP of the agg interface. It very well could be on the PAN side, like I said, I am not very familiar with them...

the config on the switch  look good, have got two 8325 configure as VSX with  interface lag  multi-chassis configure and connect to two FortiGate 3300E with no issue

am not familiar with Palo Alto it's best to check with the supplier.

This is all my configurations on the switch side of things:

VLAN 2

description Agg to PAN

interface VLAN 2

no shutdown

no routing

description Agg to PAN

ip address 10.2.2.2/24

ip ospf 1 10.2.2.2

interface lag 2

description Agg to PAN

no shutdown

no routing

vlan trunk native 2

vlan trunk allowed 2

lacp mode active

exit

int 1/1/1

description Agg to PAN

no shutdown

speed 1000-full

lag 2

exit

interface 1/1/2

description Agg to PAN

speed 1000-full

lag 2

exit

This is the output of the show interface lag 2:

Hi, just to confirm the CX config, here is a working example of a LAG that connects to a PA firewall.

interface lag 3
    no shutdown
    no routing
    vlan trunk native 390
    vlan trunk allowed 390
    lacp mode active
    exit

An "ae" or aggregate ethernet interface on the PA is a LACP setup. Two physicals, one logical.

I see you don't have a no shut on your example. Worth checking with the config above.

If that still doesn't work this is most likely because of a config issue on the PA side. I recall the config wasn't straight forward/logical. See what happens with the above config and paste the interface, lag and show-interface-lag output.

Don't think about L3 until the LAG shows up.

I have been working on this one for the last few days. I saw a post from some time ago when someone did it with Comware/ HPE device and I tried to mimic it with no luck.

I have a Palo Alto that I have an aggregate ethernet set up on. On my switch it connects to, I have my VLAN, the interface VLAN, and the port configured as a trunk with just the interfaces then I tried it with a LAG. What I see is that the Palo Alto says it is up, but my switch says it is down and I cannot ping the IP I am using on the AE on the Palo Alto. This is what I have done on the switch side:

VLAN 2

description Palo Alto AE

interface vlan 2

description Palo Alto AE

ip address 10.2.2.2/24

ip ospf 1 10.2.2.2

interface 1/1/1

description Palo Alto AE

vlan trunk native 1

vlan trunk allowed 1,2

This showed up on the switch for a little bit until I started trying to ping it. When it didn't ping I rolled the fiber then tried and still got nothing and then rolled it back and the port showed down so I tried as a LAG:

interface lag 2

description Palo Alo AE

vlan trunk native 1

vlan trunk allowed 1,2

lacp mode active.

I still was unable to ping the IP of the AE on the Palo Alto. I am not sure whether I need a LAG or a just using the interfaces would be ok or maybe I am going about this the wrong way?

vlan 2
    name Agg from PAN
    vsx-sync

interface vlan 2
    description Agg from PAN
    vsx-sync active-gateways
    ip address 10.2.0.1/24
    active-gateway ip mac 12:02:00:00:01:01
    active-gateway ip 10.2.0.1
    ip helper-address 10.2.0.22
    ip ospf 1 area 0.0.0.0
    no ip ospf passive

On my bottom switch in my cluster connected to the PAN:
interface vlan 2
    description Agg from PAN
    vsx-sync active-gateways
    ip address 10.2.0.3/24
    active-gateway ip mac 12:02:00:00:01:01
    active-gateway ip 10.2.0.1
    ip helper-address 10.2.0.22
    ip ospf 1 area 0.0.0.0

interface lag 2
    no shutdown
    no routing
    vlan trunk native 2
    vlan trunk allowed 2
    lacp mode active

interface 1/1/9
    description Agg from PAN
    lag 2
    exit
interface 1/1/10
    description Agg from PAN
    lag 2
    exit

VSX-LOWER-SWITCH# sho int lag 2

Aggregate lag2 is down
 Admin state is up
 State information : Disabled by aggregation
 Description :
 MAC Address                 : 88:3a:30:5e:96:38
 Aggregated-interfaces       : 1/1/9 1/1/10
 Aggregation-key             : 2
 Aggregate mode              : active
 Speed                       : 0 Mb/s
 qos trust dscp
 VLAN Mode: native-untagged
 Native VLAN: 2
 Allowed VLAN List: 2
 L3 Counters: Rx Disabled, Tx Disabled

 Statistic                          RX                   TX                Total
 ---------------- -------------------- -------------------- --------------------
 Packets                             0                  946                  946
   Unicast                           0                    0                    0
   Multicast                         0                  946                  946
   Broadcast                         0                    0                    0
 Bytes                               0               165356               165356
 Jumbos                              0                    0                    0
 Dropped                             0                    0                    0
 Filtered                            0                    0                    0
 Pause Frames                        0                    0                    0
 Errors                              0                    0                    0
   CRC/FCS                           0                  n/a                    0
   Collision                       n/a                    0                    0
   Runts                             0                  n/a                    0
   Giants                            0                  n/a                    0

VSX-LOWER-SWITCH# sho mac-add vlan 2
MAC age-time            : 300 seconds
Number of MAC addresses : 12

MAC Address          VLAN     Type                      Port
--------------------------------------------------------------
ec:2a:72:00:36:30    200      dynamic                   lag256
e4:3d:1a:ab:42:db    200      dynamic                   lag1
e4:3d:1a:a0:e2:23    200      dynamic                   lag256
d0:67:26:e2:1f:f2    200      dynamic                   lag256
00:0a:f7:e2:84:a9    200      dynamic                   lag256
00:0a:f7:8d:f6:99    200      dynamic                   lag1
08:30:6b:b1:92:11    200      dynamic                   lag256
14:18:77:35:f8:e5    200      dynamic                   1/1/11
18:66:da:66:3c:72    200      dynamic                   lag1
44:a8:42:14:26:2f    200      dynamic                   1/1/11
58:8a:5a:f6:50:e6    200      dynamic                   lag1
b0:7b:25:fe:4b:e8    200      dynamic                   lag1

sho arp | i lag 2 - command not supported...version is TL.10.13.1010

Hi, It is important that you don't use ping as the test to know if you have any success. This is especially true when using a firewall which simply may be not responding even though the network layer is 100%.

Check for the interfaces being up first (layer 1)

Check for MAC addresses being present on "show mac-add" type commands (layer 2)

As you have changed some aspects it would help others to diagnose if you send the output to the following:

show int lag 2

show mac-address vlan 2

show arp | i lag2

Note that LACP is not enabled by default on aggregate interfaces on the Palo Alto. Here is an example of a working link between a PA and a CX switch. The PA is passive, the CX has lacp mode active as per your example.

In this working example all interfaces on all devices have duplex & speed set to auto.

So this part of a VSX Cluster. I was only going to use one of the switches at first since I needed to free up some of the ethernet ports on the firewall, but this weekend I attempted to set it up on the VSX cluster.

This is how I have it configured with VSX going. I still see the same result though. I am using single mode patch cables, LV transceivers which should work with the single mode, On the PAN in the tab with the settings I have link speed, link duplex and link state all set to auto. I changed the speed on the switch to auto like Parnassus had mentioned as well. I was reading the documentation for PAN and it does look like it is set up correectly. The one thing I noticed was that the LACP was not enable on the PAN side, I did try that and still was not able to ping the IP of the agg interface. It very well could be on the PAN side, like I said, I am not very familiar with them...

the config on the switch  look good, have got two 8325 configure as VSX with  interface lag  multi-chassis configure and connect to two FortiGate 3300E with no issue

am not familiar with Palo Alto it's best to check with the supplier.

This is all my configurations on the switch side of things:

VLAN 2

description Agg to PAN

interface VLAN 2

no shutdown

no routing

description Agg to PAN

ip address 10.2.2.2/24

ip ospf 1 10.2.2.2

interface lag 2

description Agg to PAN

no shutdown

no routing

vlan trunk native 2

vlan trunk allowed 2

lacp mode active

exit

int 1/1/1

description Agg to PAN

no shutdown

speed 1000-full

lag 2

exit

interface 1/1/2

description Agg to PAN

speed 1000-full

lag 2

exit

This is the output of the show interface lag 2:

Hi, just to confirm the CX config, here is a working example of a LAG that connects to a PA firewall.

interface lag 3
    no shutdown
    no routing
    vlan trunk native 390
    vlan trunk allowed 390
    lacp mode active
    exit

An "ae" or aggregate ethernet interface on the PA is a LACP setup. Two physicals, one logical.

I see you don't have a no shut on your example. Worth checking with the config above.

If that still doesn't work this is most likely because of a config issue on the PA side. I recall the config wasn't straight forward/logical. See what happens with the above config and paste the interface, lag and show-interface-lag output.

Don't think about L3 until the LAG shows up.

I have been working on this one for the last few days. I saw a post from some time ago when someone did it with Comware/ HPE device and I tried to mimic it with no luck.

I have a Palo Alto that I have an aggregate ethernet set up on. On my switch it connects to, I have my VLAN, the interface VLAN, and the port configured as a trunk with just the interfaces then I tried it with a LAG. What I see is that the Palo Alto says it is up, but my switch says it is down and I cannot ping the IP I am using on the AE on the Palo Alto. This is what I have done on the switch side:

VLAN 2

description Palo Alto AE

interface vlan 2

description Palo Alto AE

ip address 10.2.2.2/24

ip ospf 1 10.2.2.2

interface 1/1/1

description Palo Alto AE

vlan trunk native 1

vlan trunk allowed 1,2

This showed up on the switch for a little bit until I started trying to ping it. When it didn't ping I rolled the fiber then tried and still got nothing and then rolled it back and the port showed down so I tried as a LAG:

interface lag 2

description Palo Alo AE

vlan trunk native 1

vlan trunk allowed 1,2

lacp mode active.

I still was unable to ping the IP of the AE on the Palo Alto. I am not sure whether I need a LAG or a just using the interfaces would be ok or maybe I am going about this the wrong way?

This is all my configurations on the switch side of things:

VLAN 2

description Agg to PAN

interface VLAN 2

no shutdown

no routing

description Agg to PAN

ip address 10.2.2.2/24

ip ospf 1 10.2.2.2

interface lag 2

description Agg to PAN

no shutdown

no routing

vlan trunk native 2

vlan trunk allowed 2

lacp mode active

exit

int 1/1/1

description Agg to PAN

no shutdown

speed 1000-full

lag 2

exit

interface 1/1/2

description Agg to PAN

speed 1000-full

lag 2

exit

This is the output of the show interface lag 2:

Hi, just to confirm the CX config, here is a working example of a LAG that connects to a PA firewall.

interface lag 3
    no shutdown
    no routing
    vlan trunk native 390
    vlan trunk allowed 390
    lacp mode active
    exit

An "ae" or aggregate ethernet interface on the PA is a LACP setup. Two physicals, one logical.

I see you don't have a no shut on your example. Worth checking with the config above.

If that still doesn't work this is most likely because of a config issue on the PA side. I recall the config wasn't straight forward/logical. See what happens with the above config and paste the interface, lag and show-interface-lag output.

Don't think about L3 until the LAG shows up.

I have been working on this one for the last few days. I saw a post from some time ago when someone did it with Comware/ HPE device and I tried to mimic it with no luck.

I have a Palo Alto that I have an aggregate ethernet set up on. On my switch it connects to, I have my VLAN, the interface VLAN, and the port configured as a trunk with just the interfaces then I tried it with a LAG. What I see is that the Palo Alto says it is up, but my switch says it is down and I cannot ping the IP I am using on the AE on the Palo Alto. This is what I have done on the switch side:

VLAN 2

description Palo Alto AE

interface vlan 2

description Palo Alto AE

ip address 10.2.2.2/24

ip ospf 1 10.2.2.2

interface 1/1/1

description Palo Alto AE

vlan trunk native 1

vlan trunk allowed 1,2

This showed up on the switch for a little bit until I started trying to ping it. When it didn't ping I rolled the fiber then tried and still got nothing and then rolled it back and the port showed down so I tried as a LAG:

interface lag 2

description Palo Alo AE

vlan trunk native 1

vlan trunk allowed 1,2

lacp mode active.

I still was unable to ping the IP of the AE on the Palo Alto. I am not sure whether I need a LAG or a just using the interfaces would be ok or maybe I am going about this the wrong way?

I have been working on this one for the last few days. I saw a post from some time ago when someone did it with Comware/ HPE device and I tried to mimic it with no luck.

I have a Palo Alto that I have an aggregate ethernet set up on. On my switch it connects to, I have my VLAN, the interface VLAN, and the port configured as a trunk with just the interfaces then I tried it with a LAG. What I see is that the Palo Alto says it is up, but my switch says it is down and I cannot ping the IP I am using on the AE on the Palo Alto. This is what I have done on the switch side:

VLAN 2

description Palo Alto AE

interface vlan 2

description Palo Alto AE

ip address 10.2.2.2/24

ip ospf 1 10.2.2.2

interface 1/1/1

description Palo Alto AE

vlan trunk native 1

vlan trunk allowed 1,2

This showed up on the switch for a little bit until I started trying to ping it. When it didn't ping I rolled the fiber then tried and still got nothing and then rolled it back and the port showed down so I tried as a LAG:

interface lag 2

description Palo Alo AE

vlan trunk native 1

vlan trunk allowed 1,2

lacp mode active.

I still was unable to ping the IP of the AE on the Palo Alto. I am not sure whether I need a LAG or a just using the interfaces would be ok or maybe I am going about this the wrong way?