About Link Aggregation
A link aggregation (LA) interface is a group of physical interfaces that you configure to work together as a single, logical interface. You can use a link aggregation interface to increase the cumulative throughput beyond the capacity of a single physical interface, and to provide redundancy if there is a physical link failure. When you use link aggregation, you connect the link aggregation interfaces to a switch, and configure the connected switch to use the same link aggregation mode and link speed. Fireware supports link aggregation as specified in the IEEE 802.1ax and 802.3ad link aggregation specifications.
A link aggregation interface can be configured as an external, trusted, optional, or custom interface, or as a member of a VLAN or bridge interface. You can use a link aggregation interface in most of the same ways that you use a physical interface. For example, you can use it in the configuration of policies, multi-WAN, VPN, DHCP, and PPPoE. For detailed configuration information, go to Configure Link Aggregation.
Requirements and Limitations
- Link aggregation is supported only on a Firebox configured in mixed routing mode.
- Link aggregation interfaces do not support Traffic Management, QoS, and some other advanced interface settings.
- Active/Active FireClusters do not support link aggregation.
- FireboxV, Firebox T15, and Firebox NV5 devices do not support link aggregation.
- You cannot use a link aggregation interface as an endpoint of a managed branch office VPN tunnel.
FireCluster failover is triggered if all Link Aggregation member interfaces fail. FireCluster failover is not triggered if only some Link Aggregation member interfaces fail.
Link Aggregation Modes
You can configure a link aggregation interface in one of three modes. For all modes, a member interface can be active only when the member interface link status is up. Whether a member interface is active depends on both the link status of the physical interface and the link aggregation mode.
Dynamic (802.3ad)
All physical interfaces that are members of the link aggregation interface can be active. The physical interface used for traffic between any source and destination is determined through the use of Link Aggregation Control Protocol (LACP). LACP is the protocol used when the link aggregation group (LAG) runs in 802.3ad mode. LACP refers to the negotiation and interaction process between LAG peers. The peer device must also support LACP. For more information, go to the Link Aggregation Control Protocol (LACP) section in this topic.
Static
All physical interfaces that are members of the link aggregation interface can be active. The same physical interface is always used for traffic between a given source and destination based on source/destination MAC address and source/destination IP address. This mode provides load balancing and fault tolerance.
Active-backup
In this mode, at most only one member interface in the link aggregation group is active at a time. The other member interfaces in the link aggregation group become active only if the active interface fails. This mode provides fault tolerance for connections to network switches that do not support link aggregation.
To use dynamic or static link aggregation, you must also configure link aggregation on the connected switch. For Active-backup mode, you do not have to enable link aggregation on your switches.
Link Aggregation Control Protocol (LACP)
The default hash algorithm for LACP depends on the interface type.
For Interfaces in External, Trusted, Optional, or Custom zones:
- Bonding Mode — Specify Dynamic (802.3ad) or Static (balance-xor) in the Link Aggregation settings on the Firebox.
- Transmit Hash Policy — Layer 2+3. Transmits packets based on a hash of the packet's src/dst MAC addresses and src/dst IP addresses.
For interfaces in Bridge and VLAN zones (interfaces that are members of a bridge or VLAN):
- Bonding Mode — Specify Dynamic (802.3ad) or Static (balance-xor) in the Link Aggregation settings on the Firebox.
- Transmit Hash Policy — Layer 2. Transmits packets based on a hash of the packet's src/dst MAC addresses. IP addresses are not considered.
The hash algorithm determines which link a connection will use. If the LAG is in a VLAN or bridge, the return traffic from the External interface goes through a single link and is not distributed across links. This occurs because the src/dst MAC addresses do not change in this case.
For more information about LACP, see IEEE 802.3ad.
The Firebox does not support the Layer 3+4 hash policy.