Cisco Link Aggregation Traffic Through a PaloAlto Firewall

Created On 09/25/18 17:39 PM - Last Modified 06/08/23 02:48 AM


Resolution


In Virtual Wire mode, the Palo Alto Networks firewall can pass Cisco Link Aggregation Control Protocol (LACP) traffic only when the links are not aggregated on the firewall itself: each physical link between the two switches gets its own vwire, so an LACP PDU that enters one firewall port always leaves on that port's vwire partner, which is the far end of the same link. If the vwire is instead built between Aggregate Ethernet (AE) groups, the firewall chooses the egress member of the AE group and may forward the PDU out a different member port than the one at the far end of that link. The switches then do not see each other's LACP PDUs on the expected ports, and the port-channel does not come up between the peers.

 

 

Topology example

(topology diagram; image not reproduced)

Switch 1 Configuration

port-channel load-balance dst-ip
!
interface Port-channel5
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet0/1
 switchport access vlan 10
 switchport mode access
 channel-group 5 mode active
!
interface GigabitEthernet0/2
 switchport access vlan 10
 switchport mode access
 channel-group 5 mode active
!
interface GigabitEthernet0/3
 switchport access vlan 10
 switchport mode access
!

Switch 2 Configuration

port-channel load-balance dst-ip
!
interface Port-channel10
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet0/13
 switchport access vlan 10
 switchport mode access
 channel-group 10 mode active
!
interface GigabitEthernet0/14
 switchport access vlan 10
 switchport mode access
 channel-group 10 mode active
!
interface GigabitEthernet0/15
 switchport access vlan 10
 switchport mode access
!

 

Firewall configuration

(screenshot of the firewall's Virtual Wire interface configuration; image not reproduced)

This is the expected behavior in PAN-OS 7.1.x and 8.0.x.
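
The following Python model is added here as an illustration; it is not part of this knowledge base article and not PAN-OS code. It shows why the two vwire designs behave differently for LACP: with one vwire per physical link the egress port is fixed by the ingress port, while with a vwire between two AE groups the egress member is chosen by a load-balance hash that ignores where the frame came in. The switch ports and channel groups are those of the topology above; the firewall port names ethernet1/1 to ethernet1/4, the MAC addresses, and the hash used for the AE group (low bit of the source MAC) are assumptions made for the example.

```python
"""Toy forwarding model of a Palo Alto vwire carrying LACP between two Cisco
switches (added example, not PAN-OS code). Switch ports and channel groups come
from the article; firewall port names, MAC addresses and the AE hash are
assumptions made for illustration.
"""
from dataclasses import dataclass

# IEEE 802.3 Slow Protocols multicast address; every LACP PDU is sent to it.
LACP_DST_MAC = "01:80:c2:00:00:02"

# Assumed cabling: each switch port is connected to one firewall port.
# MAC addresses are constructed for the example.
SWITCH_PORT_MAC = {
    "Sw1 Gi0/1": "00:11:22:33:44:01",
    "Sw1 Gi0/2": "00:11:22:33:44:03",
    "Sw2 Gi0/13": "00:aa:bb:cc:dd:0d",
    "Sw2 Gi0/14": "00:aa:bb:cc:dd:0f",
}
SWITCH_TO_FW = {
    "Sw1 Gi0/1": "ethernet1/1",
    "Sw1 Gi0/2": "ethernet1/2",
    "Sw2 Gi0/13": "ethernet1/3",
    "Sw2 Gi0/14": "ethernet1/4",
}
FW_TO_SWITCH = {fw: sw for sw, fw in SWITCH_TO_FW.items()}


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    actor_port: str  # LACP PDU field: the switch port that sent the PDU


class VwirePairs:
    """One vwire per physical link: a frame always leaves on the ingress port's partner."""

    def __init__(self, pairs):
        self.partner = {}
        for a, b in pairs:
            self.partner[a] = b
            self.partner[b] = a

    def egress(self, ingress, frame):
        return self.partner[ingress]


class VwireOverAE:
    """One vwire between two AE groups: the egress member is picked by a
    load-balance hash, so it no longer depends on the ingress member.
    The hash itself (low bit of the source MAC) is a modelling assumption."""

    def __init__(self, ae1, ae2):
        self.ae1, self.ae2 = list(ae1), list(ae2)

    def egress(self, ingress, frame):
        out_group = self.ae2 if ingress in self.ae1 else self.ae1
        idx = int(frame.src_mac.replace(":", ""), 16) % len(out_group)
        return out_group[idx]


def lacp_partner_view(fabric):
    """Send one LACP PDU from every switch port through the firewall and record
    which actor ports each switch port hears."""
    heard = {port: [] for port in SWITCH_PORT_MAC}
    for port, mac in SWITCH_PORT_MAC.items():
        pdu = Frame(src_mac=mac, dst_mac=LACP_DST_MAC, actor_port=port)
        fw_out = fabric.egress(SWITCH_TO_FW[port], pdu)
        heard[FW_TO_SWITCH[fw_out]].append(pdu.actor_port)
    return heard


def bundled_ports(fabric):
    """A port bundles only if it hears exactly one partner and that partner hears it back."""
    heard = lacp_partner_view(fabric)
    bundled = []
    for port, partners in heard.items():
        if len(partners) == 1 and heard[partners[0]] == [port]:
            bundled.append(port)
    return sorted(bundled)


if __name__ == "__main__":
    separate = VwirePairs([("ethernet1/1", "ethernet1/3"), ("ethernet1/2", "ethernet1/4")])
    aggregated = VwireOverAE(["ethernet1/1", "ethernet1/2"], ["ethernet1/3", "ethernet1/4"])
    print("vwire per link  :", bundled_ports(separate))
    print("vwire over AE   :", bundled_ports(aggregated))
    print("AE partner view :", lacp_partner_view(aggregated))
```

With one vwire per link, all four switch ports hear exactly one partner and both port-channels bundle. With the vwire over AE groups, the assumed hash sends both of Switch 1's PDUs to Gi0/14 and both of Switch 2's to Gi0/2, so Gi0/1 and Gi0/13 hear nothing and no port bundles; a different hash would distribute the PDUs differently, but in no case is the egress tied to the link the PDU arrived on, which is what LACP needs. On the real switches, show etherchannel summary should list the member ports with the bundled (P) flag once the firewall is in the per-link vwire configuration.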

 

 

More information on IEEE 802.3ad link aggregation can be found on Wikipedia's Link aggregation page.

owner: mchandrase



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHTCA0&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail