Step 1
Choose .

Step 2
Click Edit next to the device where you want to configure the routed LAG interface.
In a multidomain deployment, if you are not in a leaf domain, the system prompts you to switch.

Step 3
Choose Add Aggregate Interface from the Add drop-down menu.

Step 4
Click Routed to display the routed LAG interface options.

Step 5
If you want to apply a security zone, do one of the following:

Step 6
Specify a virtual router:
- Choose an existing virtual router from the Virtual Router drop-down list.
- Choose New to add a new virtual router; see Adding Virtual Routers.

Step 7
Check the Enabled check box to allow the routed LAG interface to handle traffic.
If you clear the check box, the interface becomes disabled so that users cannot access it for security purposes.

Step 8
From the Mode drop-down list, choose an option to designate the link mode, or choose Autonegotiation to specify that the LAG interface is configured to auto negotiate speed and duplex settings.
Mode settings are available only for copper interfaces.
Interfaces on 8000 Series appliances do not support half-duplex options. When links auto negotiate speed, all active links are selected for the LAG based on the same speed setting.

Step 9
Choose an option from the MDI/MDIX drop-down list to designate whether the interface is configured for MDI (medium dependent interface), MDIX (medium dependent interface crossover), or Auto-MDIX.
MDI/MDIX settings are available only for copper interfaces.
By default, MDI/MDIX is set to Auto-MDIX, which automatically handles switching between MDI and MDIX to attain link.

Step 10
Enter a maximum transmission unit (MTU) in the MTU field.
The range of MTU values can vary depending on the model of the managed device and the interface type.
Caution: Changing the highest MTU value among all non-management interfaces on the device restarts the Snort process when you deploy configuration changes, temporarily interrupting traffic inspection. Inspection is interrupted on all non-management interfaces, not just the interface you modified. Whether this interruption drops traffic or passes it without further inspection depends on the model of the managed device and the interface type. See Snort® Restart Traffic Behavior for more information.

Step 11
If you want to allow the LAG interface to respond to ICMP traffic such as pings and traceroute, check the Enable Responses check box next to ICMP.

Step 12
If you want to enable the LAG interface to broadcast router advertisements, check the Enable Router Advertisement check box next to IPv6 NDP.

Step 13
Click Add to add an IP address.

Step 14
In the Address field, enter the routed LAG interface’s IP address and subnet mask using CIDR notation.
Note the following:
- You cannot add network and broadcast addresses, or the static MAC addresses 00:00:00:00:00:00 and FF:FF:FF:FF:FF:FF.
- You cannot add identical IP addresses, regardless of subnet mask, to interfaces in virtual routers.

Step 15
If your organization uses IPv6 addresses and you want to set the IP address of the LAG interface automatically, check the Address Autoconfiguration check box next to the IPv6 field.

Step 16
For Type, choose either Normal or SFRP.

Step 17
If you chose SFRP for Type, set options as described in SFRP.

Step 18
Click OK.
Note: When adding an IP address to a routed interface of a 7000 or 8000 Series device in a high-availability pair, you must add a corresponding IP address to the routed interface on the high-availability peer.

Step 19
Click Add to add a static ARP entry.

Step 20
Enter an IP address in the IP Address field.

Step 21
Enter a MAC address to associate with the IP address in the MAC Address field. Use the standard format (for example, 01:23:45:67:89:AB).

Step 22
Click OK.

Step 23
Under Link Aggregation, choose one or more physical interfaces from Available Interfaces to add to the LAG bundle.
Tip: To remove physical interfaces from the LAG bundle, choose one or more physical interfaces and click the Remove Selected icon. To remove all physical interfaces from the LAG bundle, click the Remove All icon. Deleting the LAG interface from the Interfaces tab also removes the interfaces.

Step 24
Choose a Load-Balancing Algorithm from the drop-down list.

Step 25
Choose a Link Selection Policy from the drop-down list.
Tip: Choose LACP Priority if you are configuring an aggregate interface between a Firepower System device and a third-party network device.

Step 26
If you chose LACP Priority as the Link Selection Policy, assign a value for System Priority and click the Configure Interface Priority link to assign a priority value for each interface in the LAG.

Step 27
Choose either Inner or Outer from the Tunnel Level drop-down list.
Note: The tunnel level only applies to IPv4 traffic when Layer 3 load balancing is configured. The outer tunnel is always used for Layer 2 and IPv6 traffic. If the Tunnel Level is not explicitly set, the default is Outer.

Step 28
Under LACP, check the Enabled check box to allow the routed LAG interface to handle traffic using the Link Aggregation Control Protocol.
If you clear the check box, the LAG interface becomes a static configuration and the Firepower System will use all of the physical interfaces for the aggregation.

Step 29
Click a Rate radio button to set the frequency that determines how often LACP control messages are received from the partner device.
- Click Slow to receive packets every 30 seconds.
- Click Fast to receive packets every 1 second.

Step 30
Click a Mode radio button to establish the listening mode of the device.
- Click Active to initiate negotiations with remote links by sending LACP packets to the partner device.
- Click Passive to respond to LACP packets received.

Step 31
Click Save.
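
The address rules in Step 14, the static ARP format in Steps 20 and 21, and the MTU caution in Step 10 can be checked against a planned configuration before it is entered and deployed. The following is an added example, not Cisco code or part of the original procedure; the function names, the interface names and the sample plan are constructed, and applying the forbidden-MAC rule to static ARP entries and the network/broadcast rule only to IPv4 prefixes shorter than /31 are assumptions.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")
FORBIDDEN_MACS = {"00:00:00:00:00:00", "FF:FF:FF:FF:FF:FF"}  # from the Step 14 note

def check_addresses(planned, existing=()):
    """Problems in CIDR strings planned for the LAG; `existing` = addresses already in virtual routers."""
    problems, seen = [], {ipaddress.ip_interface(e).ip for e in existing}
    for text in planned:
        try:
            if "/" not in text:
                raise ValueError("no prefix length")
            iface = ipaddress.ip_interface(text)
        except ValueError:
            problems.append(f"{text}: not valid CIDR notation")
            continue
        net = iface.network
        # Assumption: the network/broadcast rule is applied to IPv4 prefixes shorter than /31.
        if iface.version == 4 and net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"{text}: network or broadcast address")
        if iface.ip in seen:  # identical IP, regardless of subnet mask
            problems.append(f"{text}: IP already used in a virtual router")
        seen.add(iface.ip)
    return problems

def check_static_arp(entries):
    """Problems in (ip, mac) pairs planned as static ARP entries."""
    problems = []
    for ip_text, mac in entries:
        try:
            ipaddress.ip_address(ip_text)
        except ValueError:
            problems.append(f"{ip_text}: not an IP address")
        if not MAC_RE.match(mac):
            problems.append(f"{mac}: not in 01:23:45:67:89:AB format")
        elif mac.upper() in FORBIDDEN_MACS:
            problems.append(f"{mac}: all-zero or broadcast MAC")
    return problems

def mtu_change_restarts_snort(current_mtus, iface, new_mtu):
    """True if setting `iface` to `new_mtu` changes the highest non-management MTU (Step 10 caution)."""
    after = {**current_mtus, iface: new_mtu}
    return max(after.values()) != max(current_mtus.values(), default=None)

if __name__ == "__main__":
    # Constructed sample plan, not taken from a real device.
    print(check_addresses(["192.0.2.0/24", "192.0.2.10/24", "198.51.100.7/25"], existing=["198.51.100.7/24"]))
    print(check_static_arp([("192.0.2.20", "01:23:45:67:89:AB"), ("192.0.2.21", "ff:ff:ff:ff:ff:ff")]))
    print(mtu_change_restarts_snort({"s1p1": 1500, "s1p2": 1500}, "lag0", 9000))
```

A True result from the MTU check means the deployment falls under the caution in Step 10, so it belongs in a window where an inspection interruption on all non-management interfaces is acceptable.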