Link Aggregation was standardized by the IEEE as 802.3ad and later moved into IEEE 802.1AX. Common implementations and negotiation protocols are Cisco EtherChannel, Link Aggregation Control Protocol (LACP), Port Aggregation Protocol (PAgP), etc. This article describes how Sourcefire appliances handle link aggregated traffic.
Cisco recommends that you have knowledge of Sourcefire FirePOWER device models, virtual device models, Link Aggregation Control Protocol (LACP), EtherChannel, and Port Aggregation Protocol (PAgP).
Support of Link Aggregation
A Sourcefire appliance works with any standard link aggregation implementation, because link aggregation does not add any data to the frames it carries: each member link transports ordinary Ethernet frames, and the negotiation traffic (LACP or PAgP) travels as separate control frames between the switches. Apart from the LACP fast-mode issue noted at the end of this article, there are no known issues between Sourcefire appliances and any Link Aggregation protocol.
Things to Consider
Consider the following points when you deploy a Sourcefire appliance on link aggregated traffic:
- If the Sourcefire appliance is deployed passively and all of the member links of the EtherChannel are monitored by the same detection engine, then the Link Aggregation load-balancing configuration does not matter: the engine sees every frame of every flow regardless of which link carried it.
- If a single detection engine monitors only some of the member links, or the device is deployed inline, then configure the Link Aggregation to hash on both source and destination MAC addresses. A hash that includes both addresses puts the request and the reply of a connection on the same member link, which avoids the problems caused by asymmetric routing, where a detection engine sees only one direction of a connection.
- Snort processes link aggregated traffic without problems. However, Snort does not decode the link aggregation control packets (LACP or PAgP frames) exchanged between the switches.
- EtherChannel load balancing works per flow, not per frame or packet: every frame with the same hashed header values lands on the same member link, so flows are what gets distributed. Hashing on "Source IP and Destination IP" may therefore give an uneven distribution across Sourcefire Snort instances when the traffic contains only a small set of distinct source and destination IP address pairs, because the hash then has few distinct inputs and uses only a few of the member links. Hashing on "Source MAC and Destination MAC" may improve the distribution in that situation.
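The following Python model shows the two properties the list above depends on: a flow-based hash keeps both directions of a conversation on one member link only if both addresses feed the hash, and the number of member links actually used is bounded by the number of distinct address pairs in the traffic. This is an added example, not Cisco or Sourcefire code. The hash itself (XOR of the low byte of the selected fields, modulo the link count) is an assumed simplification of the XOR-style algorithms documented for Catalyst switches; the `Frame`, `pick_link`, `is_symmetric` and `links_used` names and all sample addresses are constructed for the example.

```python
"""Flow-based EtherChannel hashing, modelled in Python.

Added example, not Cisco/Sourcefire code. The real per-platform hash is vendor
specific; this model picks a member link from the XOR of the low byte of the
selected header fields, modulo the number of links, which is an assumed
simplification of the XOR-style algorithms documented for Catalyst switches.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    """The header fields a load-balancing hash may look at (constructed data)."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


def _mac_low_byte(mac: str) -> int:
    return int(mac.split(":")[-1], 16)


def _ip_low_byte(ip: str) -> int:
    return int(ip.split(".")[-1])


def pick_link(frame: Frame, method: str, n_links: int) -> int:
    """Return the member-link index (0..n_links-1) chosen for this frame.

    Every frame of a flow carries the same field values, so the whole flow
    lands on one link: the hash balances flows, never individual packets.
    """
    if method == "src-mac":
        h = _mac_low_byte(frame.src_mac)
    elif method == "src-dst-mac":
        h = _mac_low_byte(frame.src_mac) ^ _mac_low_byte(frame.dst_mac)
    elif method == "src-dst-ip":
        h = _ip_low_byte(frame.src_ip) ^ _ip_low_byte(frame.dst_ip)
    else:
        raise ValueError(f"unknown load-balance method: {method}")
    return h % n_links


def reverse(frame: Frame) -> Frame:
    """The reply direction of the same conversation."""
    return Frame(frame.dst_mac, frame.src_mac, frame.dst_ip, frame.src_ip)


def is_symmetric(frame: Frame, method: str, n_links: int) -> bool:
    """True when request and reply hash to the same member link.

    An inline sensor, or one that monitors only some member links, needs
    this; otherwise a detection engine sees only one side of a connection.
    """
    return pick_link(frame, method, n_links) == pick_link(reverse(frame), method, n_links)


def links_used(frames, method: str, n_links: int) -> Counter:
    """Number of flows that land on each member link under a method."""
    return Counter(pick_link(f, method, n_links) for f in frames)


# Constructed sample data (not captured traffic).
CLIENT_TO_SERVER = Frame("00:11:22:33:44:01", "00:11:22:33:44:02", "10.0.0.1", "10.0.0.2")

# Twenty connections between just two proxy addresses and one server address:
# a limited set of IP pairs, so the IP hash has only two distinct inputs.
FEW_IPS = [
    Frame("00:11:22:33:44:0a", "00:11:22:33:44:01", "10.1.1.10", "10.2.2.20")
    for _ in range(10)
] + [
    Frame("00:11:22:33:44:0b", "00:11:22:33:44:01", "10.1.1.11", "10.2.2.20")
    for _ in range(10)
]

# Sixteen distinct clients talking to the same server.
MANY_IPS = [
    Frame(f"00:11:22:33:44:{i:02x}", "00:11:22:33:44:ff", f"10.0.0.{i}", "10.0.1.1")
    for i in range(1, 17)
]

if __name__ == "__main__":
    for method in ("src-mac", "src-dst-mac", "src-dst-ip"):
        print(f"{method:12} symmetric over 2 links: {is_symmetric(CLIENT_TO_SERVER, method, 2)}")
    for name, frames in (("few IPs", FEW_IPS), ("many IPs", MANY_IPS)):
        print(f"{name:9} src-dst-ip over 4 links -> {dict(links_used(frames, 'src-dst-ip', 4))}")
```

Running the block shows that a source-MAC-only hash sends the client's frames and the server's replies to different links, while the two-address methods keep them together, and that the twenty flows between two IP pairs occupy only two of four links however many connections are opened. On Catalyst IOS platforms the method is selected globally with `port-channel load-balance src-dst-mac`; check the platform documentation for the exact keywords and hash fields your switch supports, since they vary by model.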
The following known issue with LACP is reported on all versions up to and including 18.104.22.168:
In some cases, applying changes to your access control policy, intrusion policy, network discovery policy, or device configuration, or installing an intrusion rule update or an update of the vulnerability database (VDB), causes the system to experience a disruption of traffic that uses Link Aggregation Control Protocol (LACP) in fast mode. As a workaround, configure the LACP links in slow mode. (112070)