Palo Alto Networks: OSPF and L3 Link aggregation

The previous post on Cisco VSS covered the switch side of this setup; this post covers the Palo Alto firewall side that integrates with it.
PA-LAB2

Layer 3 link aggregation on PA firewall
Click on Network tab and select Interfaces from the menu on the left.
There is an “Add Aggregate Group” at the bottom of the page, it may seem quite unnoticeable.
The link aggregation supports several network types (Layer 2, Layer 3, virtual wire, and so on); here a Layer 3 aggregate group is used.

I used the default virtual router profile to create my own virtual router with OSPF enabled. I have also created trust-l3, which is a Layer 3 security zone.

Assign an IPv4 address to the logical Layer 3 aggregated link.

I added an interface management profile which allows ICMP echo requests on the PA firewall interface.

After the aggregated link is created, the physical interfaces are added into the aggregated group.

Simply choose Aggregate Ethernet as the interface type and select the created aggregate group.

The command line equivalent of the UI configuration is as follows:

admin@PA-5050> configure
Entering configuration mode
[edit]
admin@PA-5050# set network interface aggregate-ethernet ae1 layer3 interface-management-profile icmp-profile ip 192.168.50.1/30
[edit]
admin@PA-5050# set network interface ethernet ethernet1/11 aggregate-group ae1
[edit]
admin@PA-5050# set network interface ethernet ethernet1/12 aggregate-group ae1
[edit]
admin@PA-5050# commit

Create virtual router
The PA firewall has the ability to create multiple virtual routers: you simply assign the physical interfaces to a virtual router and then configure the routing protocol you wish to use. Each physical interface can only be assigned to one virtual router.

Click on Network tab and select Virtual Routers from the menu on the left.

Use the default virtual router which exists on the PA firewall. Add interfaces onto this router.

Select OSPF from the menu on the left and click Add.

Area ID 0.0.0.0 is the same as Cisco's Area 0.

Add the subnet or host range you want your virtual router to advertise with OSPF.

Select the Interface tab and click Add.

The interface settings for OSPF.

The completed OSPF configuration.

The other PA firewall has a similar configuration to this one, so the process will not be repeated here.

admin@PA-5050# set network virtual-router default interface [ ae1 loopback.1 ]

[edit]
admin@PA-5050# set network virtual-router default protocol ospf router-id 1.1.1.1 area 0.0.0.0 type normal

[edit]
admin@PA-5050# set network virtual-router default protocol ospf area 0.0.0.0 interface ae1 link-type p2p

[edit]
admin@PA-5050# set network virtual-router default protocol ospf area 0.0.0.0 interface loopback.1 link-type p2p passive yes

[edit]
admin@PA-5050# set network virtual-router default protocol ospf area 0.0.0.0 range 1.1.1.1/32

[edit]
admin@PA-5050# set network virtual-router default protocol ospf area 0.0.0.0 range 192.168.50.1/30

[edit]
admin@PA-5050# set network virtual-router default protocol ospf enable yes area 0.0.0.0 interface ae1 enable yes

[edit]
admin@PA-5050# set network virtual-router default protocol ospf enable yes area 0.0.0.0 interface loopback.1 enable yes

[edit]
admin@PA-5050# commit


....55%98%.....100%
Configuration committed successfully

[edit]
admin@PA-5050#

OSPF adjacency verification

admin@PA-5050> show routing protocol ospf neighbor

  Options: 0x80:reserved, O:Opaq-LSA capability, DC:demand circuits, EA:Ext-Attr
 LSA capability,
           N/P:NSSA option, MC:multicase, E:AS external LSA capability, T:TOS ca
pability
  ==========
  virtual router:                default
  neighbor address:              192.168.51.1
  local address binding:         0.0.0.0
  type:                          dynamic
  status:                        full
  neighbor router ID:            2.2.2.2
  area id:                       0.0.0.0
  neighbor priority:             1
  lifetime remain:               33
  messages pending:              0
  LSA request pending:           0
  options:                       0x42: O E
  hello suppressed:              no

admin@PA-5050>
Adjacency is full.
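To turn the verification above into a repeatable check, here is an added example (not part of the original post) that parses the neighbour output format shown above and flags any adjacency that is not full, is in the wrong area, or is missing. The sample text and the expected neighbour table are constructed for this lab.

```python
import re

# Constructed sample, modelled on the 'show routing protocol ospf neighbor'
# output format shown in the post (not a real capture).
SAMPLE_OUTPUT = """\
  Options: 0x80:reserved, O:Opaq-LSA capability, DC:demand circuits
  ==========
  virtual router:                default
  neighbor address:              192.168.51.1
  status:                        full
  neighbor router ID:            2.2.2.2
  area id:                       0.0.0.0
  options:                       0x42: O E
  hello suppressed:              no
"""

def parse_ospf_neighbors(text):
    """Split the output into one dict per neighbour; each block starts at '===='."""
    neighbors = []
    current = None
    for line in text.splitlines():
        if line.strip().startswith("====="):
            current = {}
            neighbors.append(current)
            continue
        if current is None:
            continue  # option legend printed before the first block
        m = re.match(r"\s*([A-Za-z][A-Za-z ]*?):\s+(.*)$", line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    return neighbors

def check_adjacencies(neighbors, expected):
    """expected maps router ID -> area id; returns problem strings (empty = healthy)."""
    problems = []
    seen = set()
    for n in neighbors:
        rid = n.get("neighbor router ID")
        seen.add(rid)
        if rid not in expected:
            problems.append(f"{rid}: unexpected neighbour")
            continue
        if n.get("status") != "full":
            problems.append(f"{rid}: status is {n.get('status')!r}, not full")
        if n.get("area id") != expected[rid]:
            problems.append(f"{rid}: area {n.get('area id')} != {expected[rid]}")
    for rid in expected:
        if rid not in seen:
            problems.append(f"{rid}: adjacency missing")
    return problems
```

Feed it the text captured from the CLI and treat a non-empty problem list as an alert.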


5 Responses to Palo Alto Networks: OSPF and L3 Link aggregation

  1. John Marler says:

    Great writeup, thanks for sharing. I assume this is PAN-OS 5.0?

    • cyruslab says:

      Hi John,

      This is PanOS 4.1.6. Btw have you done redistribution before with PanOS? I am familiar with Cisco IOS in regards to redistribution. I find the redistribution profile difficult to understand in PanOS, and there is no tech note on how this is done correctly. The admin guide serves no help at all, in terms of wide documentations and tech notes PAN still has room for improvements. If you have idea on how to do redistribution correctly I would appreciate if you can share with me 🙂 Thanks!

  2. Roman says:

    Hi John,
    Great write-up. Which mode of ether channel is deployed on cisco side (facing PA)?
    Is it “on” (manual etherchannel)?
    Thank You

  3. yertz says:

    Hi,
    Unfortunately I don't see any option to use LACP over the aggregated interface. For such a setup I believe this should be included by Palo Alto as well.

  4. Kazi says:

    LACP is supported from 6.1.X and onward on Palo Alto Next Generation Firewall.
