Palo Alto / Arista LAG HOWTO

This is a quick guide on configuring a LAG (802.3ad LACP) between a PAN-5060 firewall and an Arista switch. *

*Pre-requisite: PANOS 6.1 or above

PAN FW / Arista LAG Topology

PAN CLI config:

set network interface aggregate-ethernet ae1 layer2 lacp enable yes
set network interface ethernet ethernet1/3 aggregate-group ae1
set network interface ethernet ethernet1/4 aggregate-group ae1
set network interface aggregate-ethernet ae1 layer2 units ae1.100 tag 100
set address 192.168.1.1 ip-netmask 192.168.1.1/24
set network profiles interface-management-profile Trust https yes
set network profiles interface-management-profile Trust ssh yes
set network profiles interface-management-profile Trust snmp yes
set network profiles interface-management-profile Trust ping yes
set network interface vlan units vlan.100 ip 192.168.1.1
set network interface vlan units vlan.100 interface-management-profile Trust
set zone Trust-L3 network layer3 vlan.100
set network virtual-router default interface vlan.100
set network vlan vlan100 virtual-interface interface vlan.100
set network vlan vlan100 interface ae1.100
set import network interface [ ae1 ae1.100 vlan.100 ]
commit
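
The Trust management profile above turns on https, ssh, snmp and ping with no permitted-ip entry, so vlan.100 answers those services from any source address that can reach it. The following check is an added example, not part of the original config or any Palo Alto tool: it scans set commands for such profiles. The function name and the hardening line (which uses the Arista SVI address from this page) are assumptions.

```python
# Added example: audit PAN-OS "set" commands for management profiles
# that enable services without a permitted-ip allow list.

# Profile-related lines copied from the PAN CLI config on this page.
PAGE_CONFIG = """\
set network profiles interface-management-profile Trust https yes
set network profiles interface-management-profile Trust ssh yes
set network profiles interface-management-profile Trust snmp yes
set network profiles interface-management-profile Trust ping yes
set network interface vlan units vlan.100 ip 192.168.1.1
set network interface vlan units vlan.100 interface-management-profile Trust
"""

# Assumption: restrict the profile to the Arista SVI address used on this page.
HARDENING_LINE = ("set network profiles interface-management-profile "
                  "Trust permitted-ip 192.168.1.2\n")

PROFILE = ["set", "network", "profiles", "interface-management-profile"]


def audit_mgmt_profiles(config):
    """Return one finding per profile with services enabled and no permitted-ip."""
    services, permitted, bound = {}, {}, {}
    for line in config.splitlines():
        tok = line.split()
        if tok[:4] == PROFILE and len(tok) == 7:
            name, key, value = tok[4:]
            if key == "permitted-ip":
                permitted.setdefault(name, set()).add(value)
            elif value == "yes":
                services.setdefault(name, set()).add(key)
        elif tok[:3] == ["set", "network", "interface"] and PROFILE[3] in tok[:-1]:
            # "<interface> interface-management-profile <profile>" binding
            i = tok.index(PROFILE[3])
            bound.setdefault(tok[i + 1], set()).add(tok[i - 1])
    return [
        {"profile": name,
         "services": sorted(svcs),
         "interfaces": sorted(bound.get(name, ()))}
        for name, svcs in sorted(services.items())
        if not permitted.get(name)
    ]


if __name__ == "__main__":
    for f in audit_mgmt_profiles(PAGE_CONFIG):
        print("{profile}: {services} open to any source on {interfaces}".format(**f))
    print("after hardening:", audit_mgmt_profiles(PAGE_CONFIG + HARDENING_LINE))
```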

Arista config:

!
vlan 100
name PAN-Test
!
interface Port-Channel1
description LACP to PAN FW
switchport trunk allowed vlan 100
switchport mode trunk
spanning-tree portfast
!
interface Ethernet3
description to PAN Eth1/3
channel-group 1 mode active
!
interface Ethernet4
description to PAN Eth1/4
channel-group 1 mode active
!
interface Vlan100
ip address 192.168.1.2/24
!

Make sure it works:

arista#show interfaces port-Channel 1 status
Port      Name                          Status          Vlan     Duplex    Speed     Type
Po1       LACP to PAN FW     connected   trunk    full          2G            N/A

arista#
arista#ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 72(100) bytes of data.
80 bytes from 192.168.1.1: icmp_req=1 ttl=64 time=3.13 ms
80 bytes from 192.168.1.1: icmp_req=2 ttl=64 time=0.436 ms
80 bytes from 192.168.1.1: icmp_req=3 ttl=64 time=0.412 ms
80 bytes from 192.168.1.1: icmp_req=4 ttl=64 time=0.397 ms
80 bytes from 192.168.1.1: icmp_req=5 ttl=64 time=0.372 ms

--- 192.168.1.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 11ms
rtt min/avg/max/mdev = 0.372/0.951/3.138/1.093 ms, ipg/ewma 2.843/2.005 ms
arista#
arista#show arp
Address           Age (min)  Hardware Addr      Interface
192.168.1.1     0                   001b.17a2.5a01      Vlan100, Port-Channel1
arista#

admin@PA-5060> show arp all

maximum of entries supported : 20480
default timeout: 1800 seconds
total ARP entries in table : 1
total ARP entries shown : 1
status: s - static, c - complete, e - expiring, i - incomplete

interface       ip address      hw address               port          status    ttl
--------------------------------------------------------------------------------
vlan.100       192.168.1.2     00:1c:73:0c:19:0c   ae1.100    c             581

admin@PA-5060>