About Link Aggregation in WatchGuard Cloud
Applies To: Cloud-managed Fireboxes
A link aggregation group (LAG) is a group of physical interfaces that you configure to work together as a single, logical interface. You can use a LAG interface to increase the cumulative throughput beyond the capacity of a single physical interface and to provide redundancy if there is a physical link failure.
In WatchGuard Cloud, you can configure a LAG interface as an external, internal, or guest interface, or as a member of a VLAN or bridge interface. You can use a LAG interface in most of the same ways that you use a physical interface. For more information, go to Configure Link Aggregation in WatchGuard Cloud.
Requirements and Limitations
- Link aggregation is supported only on a cloud-managed Firebox configured in mixed routing mode.
- LAG interfaces do not support Traffic Management, QoS, or certain other advanced interface settings.
- FireboxV, Firebox T10, Firebox T15, and Firebox NV5 devices do not support link aggregation.
- Physical interfaces that are members of a LAG must support the same link speed. For example, on Firebox M590 and M690 models, interfaces 8 and 9 support only 10 Gbps full duplex (FD). If you use eth8 or eth9 as a member of a LAG interface on these models, you must set the Link Speed to 10000 Mbps, full duplex (10 Gbps full duplex) in the LAG interface configuration and on the connected network switches.
- If you use link aggregation with a FireCluster, failover is triggered if all LAG member interfaces fail. FireCluster failover is not triggered if only some LAG member interfaces fail.
- When you configure link aggregation for a FireCluster, you must configure a separate LAG for each switch for the switch ports that connect to each cluster member. For more information, go to Configure Link Aggregation for a FireCluster in WatchGuard Cloud.
Link Aggregation Modes
You can configure a LAG interface in one of three modes. In all modes, a member interface can be active only when its link status is up; whether an up member is actually active also depends on the link aggregation mode.
Dynamic (802.3ad)
All physical interfaces that are members of the LAG interface can be active. The Firebox and the peer device use Link Aggregation Control Protocol (LACP) to negotiate which member links are aggregated; LACP is the protocol used when the LAG runs in 802.3ad mode and refers to the negotiation and interaction process between LAG peers. The member link used for traffic between a given source and destination is then selected by the transmit hash policy, not by LACP itself. The peer device must also support LACP. For more information, go to the Link Aggregation Control Protocol (LACP) section in this topic.
Static
All physical interfaces that are members of the LAG interface can be active. The same physical interface is always used for traffic between a given source and destination, selected by a hash of the source/destination MAC addresses and, depending on the interface type, the source/destination IP addresses. This mode provides load balancing and fault tolerance.
Active-backup
In this mode, only one member interface in the LAG is active at a time. Another member interface becomes active only if the active interface fails. This mode provides fault tolerance for connections to network switches that do not support link aggregation.
To use dynamic or static link aggregation, you must also configure link aggregation on the connected switch. For Active-backup mode, you do not have to enable link aggregation on your switches.
Link Aggregation Control Protocol (LACP)
You can use LACP to combine multiple interfaces into a single interface. The transmit hash policy that the LAG uses depends on the interface type, and the same policy applies in both Dynamic (802.3ad) and Static (balance-xor) modes. For more information about LACP, go to IEEE 802.3ad (external link).
For interfaces in external, internal, or guest zones:
- Bonding Mode — Specify Dynamic (802.3ad) or Static (balance-xor) in the LAG settings on the cloud-managed Firebox.
- Transmit Hash Policy — Layer 2+3. Transmits packets based on a hash of the packet src/dst MAC addresses and src/dst IP addresses.
For interfaces in Bridge and VLAN zones (interfaces that are members of a bridge or VLAN):
- Bonding Mode — Specify Dynamic (802.3ad) or Static (balance-xor) in the LAG settings on the cloud-managed Firebox.
- Transmit Hash Policy — Layer 2. Transmits packets based on a hash of the packet src/dst MAC addresses. IP addresses are not considered.
The hash policy determines which member link a given flow uses. If the LAG interface is a member of a VLAN or bridge, only the Layer 2 policy is available, so all traffic between the same pair of MAC addresses hashes to the same link. In particular, the return traffic from the external interface goes through a single link and is not distributed across links, because the src/dst MAC addresses of that traffic do not change.
The Firebox does not support the Layer 3+4 hash policy.
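The single-link effect described above, as an added worked example that is not part of this WatchGuard page: a Python model of the two transmit hash policies. The arithmetic follows the Linux kernel bonding documentation for xmit_hash_policy layer2 and layer2+3 (balance-xor and 802.3ad are the Linux bonding mode names that the page uses); it is an assumption that the Firebox computes the same values, since the page states only which fields are hashed. All MAC and IP addresses below are constructed sample values.

```python
"""Model of the Linux bonding transmit hash policies "layer2" and "layer2+3".

Added example, not WatchGuard code. Formulas follow the Linux kernel's
Documentation/networking/bonding.rst; assumption: the Firebox's "Layer 2" and
"Layer 2+3" policies produce the same link selection. Addresses are constructed.
"""
import ipaddress
from collections import Counter
from typing import Dict, List, NamedTuple

ETH_P_IP = 0x0800  # IPv4 EtherType, mixed into both hashes as the "packet type"
MASK32 = 0xFFFFFFFF


class Flow(NamedTuple):
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


def _last_octet(mac: str) -> int:
    """Only the last MAC octet enters the bonding hash."""
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))[5]


def hash_layer2(flow: Flow, eth_type: int = ETH_P_IP) -> int:
    """layer2: src MAC[5] XOR dst MAC[5] XOR EtherType. IP addresses are ignored."""
    return (_last_octet(flow.src_mac) ^ _last_octet(flow.dst_mac) ^ eth_type) & MASK32


def hash_layer2_3(flow: Flow, eth_type: int = ETH_P_IP) -> int:
    """layer2+3: the layer2 value XOR (src IP XOR dst IP), then folded down."""
    src = int(ipaddress.IPv4Address(flow.src_ip))
    dst = int(ipaddress.IPv4Address(flow.dst_ip))
    h = (hash_layer2(flow, eth_type) ^ src ^ dst) & MASK32
    h ^= h >> 16
    h ^= h >> 8
    return h & MASK32


POLICIES = {"layer2": hash_layer2, "layer2+3": hash_layer2_3}


def select_member(flow: Flow, policy: str, member_count: int) -> int:
    """Index of the active member link that carries this flow (hash mod member count)."""
    if member_count < 1:
        raise ValueError("a LAG needs at least one active member link")
    return POLICIES[policy](flow) % member_count


def link_usage(flows: List[Flow], policy: str, member_count: int) -> Dict[int, int]:
    """Number of flows that land on each member link under the given policy."""
    counts = Counter(select_member(f, policy, member_count) for f in flows)
    return {i: counts.get(i, 0) for i in range(member_count)}


# Constructed sample: a bridge LAG with two members. Every flow runs between the
# Firebox bridge MAC and the same neighbour MAC, so the MAC pair never changes;
# only the IP endpoints differ (hypothetical addresses).
FIREBOX_MAC = "02:00:00:00:00:0a"
NEIGHBOUR_MAC = "02:00:00:00:00:0b"
SAMPLE_FLOWS = [
    Flow(FIREBOX_MAC, NEIGHBOUR_MAC, f"10.0.1.{host}", "203.0.113.5")
    for host in (10, 11, 12, 13)
]

if __name__ == "__main__":
    for policy in POLICIES:
        print(policy, link_usage(SAMPLE_FLOWS, policy, member_count=2))
```

With the Layer 2 policy (the only one available to a bridge or VLAN LAG) all four flows hash to the same member link; with Layer 2+3 the same flows are spread across both links. The practical check: if a bridged LAG shows all traffic on one member, that is the hash policy working as designed, not a failed link. Even under Layer 2+3, a single flow never exceeds the capacity of one member link, and a small number of distinct endpoints can still leave the distribution uneven.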