🔗 LACP in Palo Alto HA Active/Passive Configurations

📘 Overview

Link Aggregation Control Protocol (LACP) allows multiple physical interfaces to be combined into a single logical interface, known as an Aggregate Ethernet (AE) interface. In Palo Alto Networks' High Availability (HA) Active/Passive configurations, LACP enhances failover performance by enabling the passive firewall to pre-negotiate LACP sessions with connected devices, ensuring a seamless transition during failover events.

For detailed information, refer to the official documentation: LACP and LLDP Pre-Negotiation for Active/Passive HA .

🛡️ Benefits of LACP Pre-Negotiation in HA

• Faster Failover: Pre-negotiation allows the passive firewall to establish LACP sessions before failover, reducing downtime.
• Maintained Network Stability: By keeping link-layer protocols active, network topology remains stable during failover.
• Improved Redundancy: Ensures that the passive firewall is ready to take over immediately, enhancing overall network resilience.

⚠️ Caveats and Considerations

• Supported Modes: LACP pre-negotiation is supported in Layer 2 and Layer 3 deployments on AE interfaces. It is not supported in Virtual Wire mode.
• Interface Support: Pre-negotiation is not supported on subinterfaces or tunnel interfaces.
• HA Mode Requirement: Pre-negotiation is only supported in Active/Passive HA mode.

🔧 Configuration Steps

1. Set Passive Link State to Auto:
   • Navigate to Device > High Availability > General > Active/Passive Settings .
   • Change Passive Link State from Shutdown to Auto .
2. Enable LACP Pre-Negotiation on AE Interfaces:
   • Navigate to Network > Interfaces > Aggregate Ethernet .
   • Select the AE interface (e.g., ae1) and go to the LACP tab.
   • Check Enable in HA Passive State .
3. Commit the Configuration:
   • After making the above changes, commit the configuration to apply settings.

📊 Mermaid Diagram