Login
- Table of Contents
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 02-Ethernet link aggregation configuration | 342.75 KB |
Contents
Configuring Ethernet link aggregation
About Ethernet link aggregation
Ethernet link aggregation application scenario
Aggregate interface, aggregation group, and member port
How static link aggregation works
How dynamic link aggregation works
Load sharing modes for link aggregation groups
Restrictions and guidelines: Mixed use of manual and automatic link aggregation configuration
Ethernet link aggregation tasks at a glance
Configuring a manual link aggregation
Restrictions and guidelines for aggregation group configuration
Configuring a Layer 2 aggregation group
Configuring a Layer 3 aggregation group
Configuring a Blade aggregation group
Configuring an aggregate interface
Setting the minimum and maximum numbers of Selected ports for an aggregation group
Configuring the description of an aggregate interface
Setting the MAC address for an aggregate interface
Configuring jumbo frame support
Specifying ignored VLANs for a Layer 2 aggregate interface
Setting the MTU of a Layer 3 aggregate interface
Specifying a Blade type for a Blade aggregate interface
Setting the expected bandwidth for an aggregate interface
Configuring an edge aggregate interface
Configuring physical state change suppression on an aggregate interface
Shutting down an aggregate interface
Restoring the default settings for an aggregate interface
Configuring load sharing for link aggregation groups
Setting load sharing modes for link aggregation groups
Enabling local-first load sharing for link aggregation
Enabling link-aggregation traffic redirection
About link-aggregation traffic redirection
Restrictions and guidelines for link-aggregation traffic redirection
Enabling link-aggregation traffic redirection globally
Display and maintenance commands for Ethernet link aggregation
Ethernet link aggregation configuration examples
Example: Configuring a Layer 2 static aggregation group
Example: Configuring a Layer 2 dynamic aggregation group
Example: Configuring Layer 2 aggregation load sharing
Example: Configuring a Layer 3 static aggregation group
Configuring Ethernet link aggregation
About Ethernet link aggregation
Ethernet link aggregation bundles multiple physical Ethernet links into one logical link (called an aggregate link). Link aggregation provides the following benefits:
· Increased bandwidth beyond the limits of a single individual link. In an aggregate link, traffic is distributed across the member ports.
· Improved link reliability. The member ports dynamically back up one another. When a member port fails, its traffic is automatically switched to other member ports.
Ethernet link aggregation application scenario
As shown in Figure 1, Device A and Device B are connected by three physical Ethernet links. These physical Ethernet links are combined into an aggregate link called link aggregation 1. The bandwidth of this aggregate link can reach up to the total bandwidth of the three physical Ethernet links. At the same time, the three Ethernet links back up one another. When a physical Ethernet link fails, the traffic transmitted on the failed link is switched to the other two links.
On a firewall device, you can use Ethernet link aggregation to aggregate Blade interfaces on security engines to increase link bandwidth. For more information about security engine groups, see the context feature in Virtual Technologies Configuration Guide.
Figure 1 Ethernet link aggregation diagram
Aggregate interface, aggregation group, and member port
Each link aggregation is represented by a logical aggregate interface. Each aggregate interface has an automatically created aggregation group, which contains member ports to be used for aggregation. The type and number of an aggregation group are the same as its aggregate interface.
Supported aggregate interface types
An aggregate interface can be one of the following types:
· Layer 2—A Layer 2 aggregate interface is created manually. The member ports in a Layer 2 aggregation group can only be Layer 2 Ethernet interfaces.
· Layer 3—A Layer 3 aggregate interface is created manually. The member ports in its Layer 3 aggregation group can only be Layer 3 Ethernet interfaces.
On a Layer 3 aggregate interface, you can create subinterfaces. A Layer 3 aggregate subinterface processes traffic only for the VLAN numbered with the same ID as the subinterface number.
· Blade—A Blade aggregate interface is created automatically when you create a security engine group. The member ports in a Blade aggregation group can only be Blade interfaces.
The port rate of an aggregate interface equals the total rate of its Selected member ports. Its duplex mode is the same as that of the Selected member ports. For more information about Selected member ports, see "Aggregation states of member ports in an aggregation group."
Aggregation states of member ports in an aggregation group
A member port in an aggregation group can be in any of the following aggregation states:
· Selected—A Selected port can forward traffic.
· Unselected—An Unselected port cannot forward traffic.
· Individual—An Individual port can forward traffic as a normal physical port. This state is peculiar to the member ports of edge aggregate interfaces. A member port is placed in Individual state if it has not received LACPDUs before the first expiration of the LACP timeout timer after either of the following event occurs:
¡ The aggregate interface is configured as an edge aggregate interface.
¡ The member port goes down and then comes up after it is placed in Unselected or Selected state.
For more information about edge aggregate interfaces, see "Edge aggregate interface."
Operational key
When aggregating ports, the system automatically assigns each port an operational key based on port information, such as port rate and duplex mode. Any change to this information triggers a recalculation of the operational key.
In an aggregation group, all Selected ports have the same operational key.
Configuration types
Port configuration includes the attribute configuration and protocol configuration. Attribute configuration affects the aggregation state of the port but the protocol configuration does not.
Attribute configuration
To become a Selected port, a member port must have the same attribute configuration as the aggregate interface. Table 1 describes the attribute configuration.
Table 1 Attribute configuration
|
Feature |
Attribute configuration |
|
VLAN |
VLAN attribute settings: · Permitted VLAN IDs. · PVID. · Link type (trunk, hybrid, or access). · PVLAN port type (promiscuous, trunk promiscuous, host, or trunk secondary). · IP subnet-based VLAN configuration. · Protocol-based VLAN configuration. · VLAN tagging mode. For information about VLANs, see "Configuring VLANs." |
Protocol configuration
Protocol configuration of a member port does not affect the aggregation state of the member port. MAC address learning and spanning tree settings are examples of the protocol configuration.
Link aggregation modes
An aggregation group operates in one of the following modes:
· Static—Static aggregation is stable. An aggregation group in static mode is called a static aggregation group. The aggregation states of the member ports in a static aggregation group are not affected by the peer ports.
· Dynamic—An aggregation group in dynamic mode is called a dynamic aggregation group. Dynamic aggregation is implemented through IEEE 802.3ad Link Aggregation Control Protocol (LACP). The local system and the peer system automatically maintain the aggregation states of the member ports. Dynamic link aggregation reduces the administrators' workload.
How static link aggregation works
Reference port selection process
When setting the aggregation states of the ports in an aggregation group, the system automatically chooses a member port as the reference port. A Selected port must have the same operational key and attribute configurations as the reference port.
The system chooses a reference port from the member ports in up state.
The candidate reference ports are organized into different priority levels following these rules:
1. In descending order of port priority.
2. Full duplex.
3. In descending order of speed.
4. Half duplex.
5. In descending order of speed.
From the candidate ports with the same attribute configurations as the aggregate interface, the one with the highest priority level is chosen as the reference port.
· If multiple ports have the same priority level, the port that has been Selected (if any) is chosen. If multiple ports with the same priority level have been Selected, the one with the smallest port number is chosen.
· If multiple ports have the same priority level and none of them has been Selected, the port with the smallest port number is chosen.
Setting the aggregation state of each member port
After the reference port is chosen, the system sets the aggregation state of each member port in the static aggregation group.
Figure 2 Setting the aggregation state of a member port in a static aggregation group
After the limit on Selected ports is reached, the aggregation state of a new member port varies by following conditions:
· The port is placed in Unselected state if the port and the Selected ports have the same port priority. This mechanism prevents traffic interruption on the existing Selected ports. A device reboot can cause the device to recalculate the aggregation states of member ports.
· The port is placed in Selected state when the following conditions are met:
¡ The port and the Selected ports have different port priorities, and the port has a higher port priority than a minimum of one Selected port.
¡ The port has the same attribute configurations as the aggregate interface.
Any operational key or attribute configuration change might affect the aggregation states of link aggregation member ports.
Dynamic link aggregation
About this task
Dynamic aggregation is implemented through IEEE 802.3ad Link Aggregation Control Protocol (LACP).
LACP uses LACPDUs to exchange aggregation information between LACP-enabled devices. Each member port in a dynamic aggregation group can exchange information with its peer. When a member port receives an LACPDU, it compares the received information with information received on the other member ports. In this way, the two systems reach an agreement on which ports are placed in Selected state.
LACP functions
LACP offers basic LACP functions and extended LACP functions, as described in Table 2.
|
Category |
Description |
|
Basic LACP functions |
Implemented through the basic LACPDU fields, including the system LACP priority, system MAC address, port priority, port number, and operational key. |
|
Extended LACP functions |
Implemented by extending the LACPDU with new TLV fields. Extended LACP can implement LACP MAD for the IRF feature. For more information about IRF and the LACP MAD mechanism, see Virtual Technologies Configuration Guide. |
LACP operating modes
LACP can operate in active or passive mode.
When LACP is operating in passive mode on a local member port and its peer port, both ports cannot send LACPDUs. When LACP is operating in active mode on either end of a link, both ports can send LACPDUs.
LACP priorities
LACP priorities include system LACP priority and port priority, as described in Table 3. The smaller the priority value, the higher the priority.
|
Type |
Description |
|
System LACP priority |
Used by two peer devices (or systems) to determine which one is superior in link aggregation. In dynamic link aggregation, the system that has higher system LACP priority sets the Selected state of member ports on its side. The system that has lower priority sets the aggregation state of local member ports the same as their respective peer ports. |
|
Port priority |
Determines the likelihood of a member port to be a Selected port on a system. A port with a higher port priority is more likely to become Selected. |
LACP timeout interval
The LACP timeout interval specifies how long a member port waits to receive LACPDUs from the peer port. If a local member port has not received LACPDUs from the peer within the LACP timeout interval plus 3 seconds, the member port considers the peer as failed.
The LACP timeout interval also determines the LACPDU sending rate of the peer. LACP timeout intervals include the following types:
· Short timeout interval—3 seconds. If you use the short timeout interval, the peer sends one LACPDU per second.
· Long timeout interval—90 seconds. If you use the long timeout interval, the peer sends one LACPDU every 30 seconds.
Methods to assign interfaces to a dynamic link aggregation group
You can manually assign interfaces to a dynamic link aggregation group. Alternatively, you can use automatic link aggregation for two devices to automatically create a dynamic link aggregation between them by using LLDP.
How dynamic link aggregation works
Choosing a reference port
The system chooses a reference port from the member ports in up state. A Selected port must have the same operational key and attribute configurations as the reference port.
The local system (the actor) and the peer system (the partner) negotiate a reference port by using the following workflow:
1. The two systems determine the system with the smaller system ID.
A system ID contains the system LACP priority and the system MAC address.
a. The two systems compare their LACP priority values.
The lower the LACP priority, the smaller the system ID. If the LACP priority values are the same, the two systems proceed to step b.
b. The two systems compare their MAC addresses.
The lower the MAC address, the smaller the system ID.
2. The system with the smaller system ID chooses the port with the smallest port ID as the reference port.
A port ID contains a port priority and a port number. The lower the port priority, the smaller the port ID.
a. The system chooses the port with the lowest priority value as the reference port.
If the ports have the same priority, the system proceeds to step b.
b. The system compares their port numbers.
The smaller the port number, the smaller the port ID.
The port with the smallest port number and the same attribute configurations as the aggregate interface is chosen as the reference port.
Setting the aggregation state of each member port
After the reference port is chosen, the system with the smaller system ID sets the state of each member port on its side.
Figure 3 Setting the state of a member port in a dynamic aggregation group
The system with the greater system ID can detect the aggregation state changes on the peer system. The system with the greater system ID sets the aggregation state of local member ports the same as their peer ports.
When you aggregate interfaces in dynamic mode, follow these guidelines:
· A dynamic link aggregation group chooses only full-duplex ports as the Selected ports.
· For stable aggregation and service continuity, do not change the operational key or attribute configurations on any member port.
· When a member port changes to the Selected or Unselected state, its peer port changes to the same aggregation state.
· After the Selected port limit is reached, a newly joining port becomes a Selected port if it is more eligible than a current Selected port.
Edge aggregate interface
Dynamic link aggregation fails on a server-facing aggregate interface if dynamic link aggregation is configured only on the device. The device forwards traffic by using only one of the physical ports that are connected to the server.
To improve link reliability, configure the aggregate interface as an edge aggregate interface. This feature enables all member ports of the aggregation group to forward traffic. When a member port fails, its traffic is automatically switched to other member ports.
After dynamic link aggregation is configured on the server, the device can receive LACPDUs from the server. Then, link aggregation between the device and the server operates correctly.
An edge aggregate interface takes effect only when it is configured on an aggregate interface corresponding to a dynamic aggregation group.
Load sharing modes for link aggregation groups
In a link aggregation group, traffic can be load shared across the Selected ports based on any of the following modes:
· Per-flow load sharing—Distributes traffic on a per-flow basis. The load sharing mode classifies packets into flows and forwards packets of the same flow on the same link. This mode can be one of or a combination of the following traffic classification criteria:
¡ Source or destination IP.
¡ Source or destination MAC.
¡ Source or destination port number.
¡ MPLS label.
¡ Protocol number.
· Bandwidth usage-based load sharing—Distributes a data flow to the Selected port that had the lowest bandwidth usage when the first packet of that data flow arrived. In this mode, each flow is identified by an IP five-tuple (source and destination IP addresses, source and destination ports, and protocol). For packets that do not contain the IP five-tuple, the default load sharing mode applies.
· Per-packet load sharing—Distributes traffic on a per-packet basis. Traffic is distributed across the Selected member ports in proportion to their expected bandwidth, which is configurable with the bandwidth command.
· Automatic load sharing—Automatically selects a load sharing mode depending on the packet type. For example, the load sharing mode differs between IPv4 packets and Layer 2 packets.
Restrictions and guidelines: Mixed use of manual and automatic link aggregation configuration
To avoid unexpected aggregation issues, do not use manual assignment and automatic link aggregation together. If you use these features together, an automatically assigned member port might move between aggregation groups or undesirably change from Selected to Unselected in some situations.
Ethernet link aggregation tasks at a glance
To configure Ethernet link aggregation, perform the following tasks:
1. Configuring link aggregations
¡ Configuring a manual link aggregation
2. (Optional.) Configuring an aggregate interface
¡ Setting the minimum and maximum numbers of Selected ports for an aggregation group
¡ Configuring the description of an aggregate interface
¡ Setting the MAC address for an aggregate interface
¡ Configuring jumbo frame support
¡ Specifying ignored VLANs for a Layer 2 aggregate interface
To have the system ignore the permit state and tagging mode of a VLAN when it decides Selected ports, perform this task.
¡ Setting the MTU of a Layer 3 aggregate interface
¡ Specifying a Blade type for a Blade aggregate interface
¡ Setting the expected bandwidth for an aggregate interface
¡ Configuring an edge aggregate interface
An edge aggregate interface uses all member ports to forward traffic when the aggregation peer is not enabled with dynamic link aggregation.
¡ Configuring physical state change suppression on an aggregate interface
¡ Shutting down an aggregate interface
¡ Restoring the default settings for an aggregate interface
3. (Optional.) Configuring load sharing for link aggregation groups
¡ Setting load sharing modes for link aggregation groups
¡ Enabling local-first load sharing for link aggregation
4. (Optional.) Enabling link-aggregation traffic redirection
This feature redirects traffic on an unavailable Selected port to the remaining available Selected ports of an aggregation group to avoid traffic interruption.
Configuring a manual link aggregation
Restrictions and guidelines for aggregation group configuration
Layer 2 aggregation group restrictions
You cannot assign an interface to a Layer 2 aggregation group if the redundancy group node feature or MAC authentication is configured on that interface. For more information about redundancy groups, see Virtual Technologies Configuration Guide. For more information about MAC authentication, see Security Configuration Guide.
Layer 3 aggregation group restrictions
You cannot assign an interface to a Layer 3 aggregation group if any features in Table 4 are configured on that interface.
Table 4 Features incompatible with Layer 3 aggregation member interfaces
|
Feature on the interface |
Reference |
|
Reth interface |
Reth interfaces in Virtual Technologies Configuration Guide |
|
Redundancy group node |
Redundancy groups in Virtual Technologies Configuration Guide |
Aggregation member port restrictions
Deleting an aggregate interface also deletes its aggregation group and causes all member ports to leave the aggregation group.
By default, the following restrictions exist:
· You cannot assign both Ethernet interfaces and Ethernet subinterfaces to an aggregation group.
· You cannot create subinterfaces on an Ethernet interface that is in an aggregation group.
· You cannot assign an Ethernet interface that has subinterfaces to an aggregation group.
You cannot create aggregate subinterfaces on an aggregate interface if its aggregation group contains Ethernet subinterfaces. You cannot assign Ethernet subinterfaces to an aggregation group if its aggregate interface has aggregate subinterfaces.
Before you assign an Ethernet subinterface to an aggregation group, verify that the following requirements are met:
· VLAN termination has been configured on the Ethernet subinterface. You cannot modify VLAN termination configuration on the Ethernet subinterfaces in an aggregation group. To configure VLAN termination, use the following commands:
¡ vlan-type dot1q default.
¡ vlan-type dot1q untagged.
¡ vlan-type dot1q vid.
· By default, the Ethernet subinterfaces to be assigned to an aggregation group terminate the same VLAN.
· If you execute the vlan-type dot1q vid vlan-id-list [ loose ] command on an Ethernet subinterface to be assigned to a dynamic aggregation group, specify only one VLAN ID.
Do not assign a reflector port for port mirroring to an aggregation group. For more information about reflector ports, see Network Management and Monitoring Configuration Guide.
Attribute and protocol configuration restrictions
For a link aggregation, attribute configuration changes on the aggregate interface are automatically synchronized to all member ports. If an attribute setting on the aggregate interface fails to be synchronized to a Selected member port, the port might change to the Unselected state. To have the port become Selected again, you can change the attribute configurations on the aggregate interface or the member port. The configurations that have been synchronized from the aggregate interface are retained on the member ports even after the aggregate interface is deleted.
Any attribute configuration change on a member port might affect the aggregation states and running services of the member ports. The system displays a warning message every time you try to change an attribute configuration setting on a member port.
The protocol configurations for an aggregate interface take effect only on the current aggregate interface. The protocol configurations for a member port take effect only when the port leaves its aggregation group.
Configuration consistency requirements
You must configure the same aggregation mode at the two ends of an aggregate link.
· For a successful static aggregation, make sure the ports at both ends of each link are in the same aggregation state.
· For a successful dynamic aggregation, make sure the ports at both ends of a link are assigned to the correct aggregation group. The two ends can automatically negotiate the aggregation state of each member port.
Configuring a Layer 2 aggregation group
Configuring a Layer 2 static aggregation group
1. Enter system view.
system-view
2. Create a Layer 2 aggregate interface and enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
When you create a Layer 2 aggregate interface, the system automatically creates a Layer 2 static aggregation group numbered the same as that interface.
3. Return to system view.
quit
4. Assign an interface to the Layer 2 aggregation group:
a. Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
b. Assign the interface to the Layer 2 aggregation group.
port link-aggregation group group-id
Repeat the substeps to assign more interfaces to the aggregation group.
5. (Optional.) Set the port priority of the interface.
link-aggregation port-priority priority
The default port priority of an interface is 32768.
Configuring a Layer 2 dynamic aggregation group
1. Enter system view.
system-view
2. Set the system LACP priority.
lacp system-priority priority
By default, the system LACP priority is 32768.
Changing the system LACP priority might affect the aggregation states of the ports in a dynamic aggregation group.
3. Create a Layer 2 aggregate interface and enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
When you create a Layer 2 aggregate interface, the system automatically creates a Layer 2 static aggregation group numbered the same as that interface.
4. Configure the aggregation group to operate in dynamic mode.
link-aggregation mode dynamic
By default, an aggregation group operates in static mode.
5. Return to system view.
quit
6. Assign an interface to the Layer 2 aggregation group:
a. Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
b. Assign the interface to the Layer 2 aggregation group.
port link-aggregation group group-id
Repeat these substeps to assign more Layer 2 Ethernet interfaces to the aggregation group.
7. Set the LACP operating mode for the interface.
¡ Set the LACP operating mode to passive.
lacp mode passive
¡ Set the LACP operating mode to active.
undo lacp mode
By default, LACP is operating in active mode.
8. (Optional.) Set the port priority for the interface.
link-aggregation port-priority priority
The default setting is 32768.
9. (Optional.) Set the short LACP timeout interval (3 seconds) for the interface.
lacp period short
By default, the long LACP timeout interval (90 seconds) is used by the interface.
To avoid traffic interruption during an ISSU, do not set the short LACP timeout interval before performing the ISSU. For more information about ISSU, see Fundamentals Configuration Guide.
Configuring a Layer 3 aggregation group
Configuring a Layer 3 static aggregation group
1. Enter system view.
system-view
2. Create a Layer 3 aggregate interface and enter Layer 3 aggregate interface view.
interface route-aggregation interface-number
When you create a Layer 3 aggregate interface, the system automatically creates a Layer 3 static aggregation group numbered the same as that interface.
3. Return to system view.
quit
4. Assign an interface to the Layer 3 aggregation group:
a. Enter Layer 3 Ethernet interface view.
interface interface-type interface-number
b. Assign the interface to the Layer 3 aggregation group.
port link-aggregation group group-id
Repeat the substeps to assign more interfaces to the aggregation group.
5. (Optional.) Set the port priority of the interface.
link-aggregation port-priority priority
The default port priority of an interface is 32768.
Configuring a Layer 3 dynamic aggregation group
1. Enter system view.
system-view
2. Set the system LACP priority.
lacp system-priority priority
By default, the system LACP priority is 32768.
Changing the system LACP priority might affect the aggregation states of the ports in the dynamic aggregation group.
3. Create a Layer 3 aggregate interface and enter Layer 3 aggregate interface view.
interface route-aggregation interface-number
When you create a Layer 3 aggregate interface, the system automatically creates a Layer 3 static aggregation group numbered the same as that interface.
4. Configure the aggregation group to operate in dynamic mode.
link-aggregation mode dynamic
By default, an aggregation group operates in static mode.
5. Return to system view.
quit
6. Assign an interface to the Layer 3 aggregation group:
a. Enter Layer 3 Ethernet interface view.
interface interface-type interface-number
b. Assign the interface to the Layer 3 aggregation group.
port link-aggregation group group-id
Repeat these two substeps to assign more Layer 3 Ethernet interfaces to the aggregation group.
7. Set the LACP operating mode for the interface.
¡ Set the LACP operating mode to passive.
lacp mode passive
¡ Set the LACP operating mode to active.
undo lacp mode
By default, LACP is operating in active mode.
8. (Optional.) Set the port priority of the interface.
link-aggregation port-priority priority
The default setting is 32768.
9. (Optional.) Set the short LACP timeout interval (3 seconds) for the interface.
lacp period short
By default, the long LACP timeout interval (90 seconds) is used by the interface.
To avoid traffic interruption during an ISSU, do not set the short LACP timeout interval before performing the ISSU. For more information about ISSU, see Fundamentals Configuration Guide.
Configuring a Blade aggregation group
About this task
A Blade aggregation group is automatically created when you create a security engine group, which is automatically assigned the lowest available ID. The Blade aggregation group has the same number as the security engine group. By default, a device has Blade aggregation group 1.
After the Blade aggregation group is created, you must add security engines to the security engine group. Then the device automatically assigns the Blade interfaces on the security engines to the aggregation group.
When you delete a security engine group, its Blade aggregation group is automatically deleted.
For more information about security engine groups, see Virtual Technologies Configuration Guide.
Restrictions and guidelines
A Blade aggregation group can operate only in static mode.
You cannot delete the default Blade aggregate interface (Blade-Aggregation 1), because the default security engine group 1 cannot be deleted.
Procedure
1. Enter system view.
system-view
2. Create a security engine group and enter security engine group view.
blade-controller-team blade-controller-team-name [ id blade-controller-team-id ]
By default, a security engine group exists with a name of Default and an ID of 1. Its Blade aggregation group is numbered 1.
A Blade aggregation group with the same ID is automatically created when you create a security engine group.
For more information about this command, see context commands in Virtual Technologies Command Reference.
3. Add a security engine to the security engine group.
In standalone mode:
location blade-controller slot slot-number cpu cpu-number
In IRF mode:
location blade-controller chassis chassis-number slot slot-number cpu cpu-number
By default, all security engines belong to the default security engine group. A user-configured security engine group do not contain any security engines.
After a security engine is added to a user-configured security engine group, the system automatically assigns the Blade interface on the security engine to the corresponding Blade aggregation group.
Configuring an aggregate interface
Most settings that can be made on Layer 2 or Layer 3 Ethernet interfaces can also be made on Layer 2 or Layer 3 aggregate interfaces.
Setting the minimum and maximum numbers of Selected ports for an aggregation group
About this task
The bandwidth of an aggregate link increases as the number of Selected member ports increases. To avoid congestion, you can set the minimum number of Selected ports required for bringing up an aggregate interface.
This minimum threshold setting affects the aggregation states of aggregation member ports and the state of the aggregate interface.
· When the number of member ports eligible to be Selected ports is smaller than the minimum threshold, the following events occur:
¡ The eligible member ports are placed in Unselected state.
¡ The link layer state of the aggregate interface becomes down.
· When the number of member ports eligible to be Selected ports reaches or exceeds the minimum threshold, the following events occur:
¡ The eligible member ports are placed in Selected state.
¡ The link layer state of the aggregate interface becomes up.
The maximum number of Selected ports allowed in an aggregation group is limited by either manual configuration or hardware limitation, whichever value is smaller.
You can implement backup between two ports by performing the following tasks:
· Assigning two ports to an aggregation group.
· Setting the maximum number of Selected ports to 1 for the aggregation group.
Then, only one Selected port is allowed in the aggregation group, and the Unselected port acts as a backup port.
Restrictions and guidelines
The minimum and maximum numbers of Selected ports must be the same between the local and peer aggregation groups.
For an aggregation group, the maximum number of Selected ports must be equal to or higher than the minimum number of Selected ports.
Procedure
1. Enter system view.
system-view
2. Enter aggregate interface view.
¡ Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
¡ Enter Layer 3 aggregate interface view.
interface route-aggregation interface-number
3. Set the minimum number of Selected ports for the aggregation group.
link-aggregation selected-port minimum min-number
By default, the minimum number of Selected ports is not specified for an aggregation group.
4. Set the maximum number of Selected ports for the aggregation group.
link-aggregation selected-port maximum max-number
By default, the maximum number of Selected ports for an aggregation group is 16.
Configuring the description of an aggregate interface
About this task
You can configure the description of an aggregate interface for administration purposes, for example, describing the purpose of the interface.
Procedure
1. Enter system view.
system-view
2. Enter aggregate interface view.
¡ Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
¡ Enter Layer 3 aggregate interface view.
interface route-aggregation interface-number
¡ Enter Layer 3 aggregate subinterface view.
interface route-aggregation interface-number.subnumber }
3. Configure the interface description.
description text
By default, the description of an interface is interface-name Interface.
Setting the MAC address for an aggregate interface
About this task
Typically, all aggregate interfaces on a device use the same MAC address, and aggregate interfaces on different devices use different MAC addresses. However, you must set different MAC addresses for aggregate interfaces on a device in some situations.
A Layer 3 aggregate interface and its subinterfaces use the same MAC address. When you modify the MAC address of the aggregate interface, the MAC addresses of its subinterfaces are also modified.
For example, in a spanning tree network, the BPDUs sent by Layer 2 aggregate interfaces on a device have the same source MAC address. A third-party device might handle these BPDUs as attack packets and drop them. To resolve this issue, set different MAC addresses for the Layer 2 aggregate interfaces.
Procedure
1. Enter system view.
system-view
2. Enter aggregate interface view.
¡ Enter Layer 3 aggregate interface view.
interface route-aggregation interface-number
¡ Enter Layer 3 aggregate subinterface view.
interface route-aggregation interface-number.subnumber
3. Assign a MAC address to the aggregate interface.
mac-address mac-address
By default, all aggregate interfaces on the device use the same MAC address. The default MAC address of an aggregate interface varies by device.
Configuring jumbo frame support
About this task
An aggregate interface might receive frames larger than the maximum frame size allowed by an interface during high-throughput data exchanges, such as file transfers. These frames are called jumbo frames.
How an aggregate interface processes jumbo frames depends on whether jumbo frame support is enabled on the interface.
· If configured to deny jumbo frames, the aggregate interface discards jumbo frames.
· If enabled with jumbo frame support, the aggregate interface performs the following operations:
¡ Processes jumbo frames within the allowed length.
¡ Discards jumbo frames that exceed the allowed length.
Procedure
1. Enter system view.
system-view
2. Enter aggregate interface view.
¡ Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
¡ Enter Layer 3 aggregate interface view.
interface route-aggregation interface-number
3. Allow jumbo frames.
jumboframe enable [ size ]
By default, an aggregate interface allows jumbo frames within 9216 bytes to pass through.
If you execute this command multiple times, the most recent configuration takes effect.
Disabling the default action of selecting a Selected port for dynamic aggregation groups that have not received LACPDUs
About this task
The default port selection action applies to dynamic aggregation groups.
This action automatically chooses the port with the lowest ID from among all up member ports as a Selected port if none of them has received LACPDUs before the LACP timeout interval expires.
After this action is disabled, a dynamic aggregation group will not have any Selected ports to forward traffic if it has not received LACPDUs before the LACP timeout interval expires.
Procedure
1. Enter system view.
system-view
2. Disable the default port selection action.
lacp default-selected-port disable
By default, the default port selection action is enabled for dynamic aggregation groups.
Specifying ignored VLANs for a Layer 2 aggregate interface
About this task
By default, to become Selected, the member ports must have the same VLAN permit state and tagging mode as the corresponding Layer 2 aggregate interface. To have the system ignore the permit state and tagging mode of a VLAN when choosing Selected ports, specify the VLAN as an ignored VLAN.
Restrictions and guidelines
This feature takes effect only when the link type of a Layer 2 aggregate interface is hybrid or trunk.
Procedure
1. Enter system view.
system-view
2. Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
3. Specify ignored VLANs.
link-aggregation ignore vlan vlan-id-list
By default, a Layer 2 aggregate interface does not ignore any VLANs.
Setting the MTU of a Layer 3 aggregate interface
About this task
The MTU of an interface affects IP packets fragmentation and reassembly on the interface.
Procedure
1. Enter system view.
system-view
2. Enter Layer 3 aggregate interface or subinterface view.
interface route-aggregation { interface-number | interface-number.subnumber }
3. Set the MTU.
mtu size
The default setting is 1500 bytes.
Specifying a Blade type for a Blade aggregate interface
About this task
A Blade aggregation group with a number in the range of 1 to 255 cannot forward traffic correctly if the corresponding security engine group contains multiple types of security engines. To ensure correct traffic forwarding, you must specify a Blade type for the Blade aggregate interface. After you perform this task, only Blade interfaces that match the specified Blade type can join the Blade aggregation group. Blade interfaces that do not match the Blade type are automatically removed from the Blade aggregation group.
Procedure
1. Enter system view.
system-view
2. Enter Blade aggregate interface view.
interface blade-aggregation interface-number
3. Specify a Blade type for the Blade aggregate interface.
link-aggregation blade blade-type
|
|
CAUTION: When you specify a Blade type for the Blade aggregate interface, make sure the type matches that of each Blade interface in the Blade aggregation group. A mismatch might cause network interruption. |
Setting the expected bandwidth for an aggregate interface
About this task
Expected bandwidth is an informational parameter used only by higher-layer protocols for calculation. You cannot adjust the actual bandwidth of an interface by performing this task.
Procedure
1. Enter system view.
system-view
2. Enter aggregate interface view.
¡ Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
¡ Enter Layer 3 aggregate interface view.
interface route-aggregation interface-number
¡ Enter Layer 3 aggregate subinterface view.
interface route-aggregation interface-number.subnumber }
3. Set the expected bandwidth for the interface.
bandwidth bandwidth-value
By default, the expected bandwidth (in kbps) is the interface baud rate divided by 1000.
Configuring an edge aggregate interface
Restrictions and guidelines
This configuration takes effect only on aggregate interface in dynamic mode.
Link-aggregation traffic redirection cannot operate correctly on an edge aggregate interface. For more information about link-aggregation traffic redirection, see "Enabling link-aggregation traffic redirection."
Procedure
1. Enter system view.
system-view
2. Enter aggregate interface view.
¡ Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
¡ Enter Layer 3 aggregate interface view.
interface route-aggregation interface-number
3. Configure the aggregate interface as an edge aggregate interface.
lacp edge-port
By default, an aggregate interface does not operate as an edge aggregate interface.
Configuring physical state change suppression on an aggregate interface
About this task
The physical link state of an aggregate interface is either up or down. Each time the physical link of an interface comes up or goes down, the system immediately reports the change to the CPU. The CPU then performs the following operations:
· Notifies the upper-layer protocol modules (such as routing and forwarding modules) of the change for guiding packet forwarding.
· Automatically generates traps and logs to inform users to take the correct actions.
To prevent frequent physical link flapping from affecting system performance, configure physical state change suppression. You can configure this feature to suppress link-down events, link-up events, or both. If an event of the specified type persists when the suppression interval expires, the system reports the event to the CPU.
Restrictions and guidelines
On an interface, you can configure different suppression intervals for link-up and link-down events. If you execute the link-delay command multiple times for an event type, the most recent configuration takes effect on that event type.
Procedure
1. Enter system view.
system-view
2. Enter aggregate interface view.
¡ Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
¡ Enter Layer 3 aggregate interface view.
interface route-aggregation interface-number
3. Configure physical state change suppression.
link-delay [ msec ] delay-time [ mode { up | updown } ]
By default, each time the physical link of an aggregate interface goes up or comes down, the system immediately reports the change to the CPU.
To suppress only link-down events, do not specify the mode keyword. To suppress only link-up events, specify the mode up keywords. To suppress both link-down and link-up events, specify the mode updown keywords.
Shutting down an aggregate interface
Restrictions and guidelines
Shutting down or bringing up an aggregate interface affects the aggregation states and link states of member ports in the corresponding aggregation group as follows:
· When an aggregate interface is shut down, all its Selected ports become Unselected and all member ports go down.
· When an aggregate interface is brought up, the aggregation states of all its member ports are recalculated.
Procedure
1. Enter system view.
system-view
2. Enter aggregate interface view.
¡ Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
¡ Enter Layer 3 aggregate interface view.
interface route-aggregation interface-number
¡ Enter Layer 3 aggregate subinterface view.
interface route-aggregation interface-number.subnumber }
3. Shut down the interface.
shutdown
By default, an interface is not manually shut down.
Restoring the default settings for an aggregate interface
Restrictions and guidelines
|
|
CAUTION: The default command might interrupt ongoing network services. Make sure you are fully aware of the impacts of this command when you execute it on a live network. |
The default command might fail to restore the default settings for some commands for reasons such as command dependencies and system restrictions.
To resolve this issue:
1. Use the display this command in interface view to identify these commands.
2. Use their undo forms or follow the command reference to restore their default settings.
3. If the restoration attempt still fails, follow the error message instructions to resolve the issue.
Procedure
1. Enter system view.
system-view
2. Enter aggregate interface view.
¡ Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
¡ Enter Layer 3 aggregate interface view.
interface route-aggregation interface-number
¡ Enter Layer 3 aggregate subinterface view.
interface route-aggregation interface-number.subnumber }
3. Restore the default settings for the aggregate interface.
default
Configuring load sharing for link aggregation groups
Setting load sharing modes for link aggregation groups
About this task
You can set the global or group-specific load sharing mode. A link aggregation group preferentially uses the group-specific load sharing mode. If the group-specific load sharing mode is not available, the group uses the global load sharing mode.
Setting the global link-aggregation load sharing mode
1. Enter system view.
system-view
2. Set the global link-aggregation load sharing mode.
link-aggregation global load-sharing mode { destination-ip | source-ip } *
By default, link aggregation groups distribute Layer 2 traffic based on source and destination MAC addresses and distribute Layer 3 and Layer 4 traffic based on source and destination IP addresses.
Setting the group-specific load sharing mode
1. Enter system view.
system-view
2. Enter aggregate interface view.
¡ Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
¡ Enter Layer 3 aggregate interface view.
interface route-aggregation interface-number
¡ Enter Blade aggregate interface view.
interface blade-aggregation interface-number
3. Set the load sharing mode for the aggregation group.
link-aggregation load-sharing mode { { destination-ip | destination-mac | destination-port | ip-protocol | source-ip | source-mac | source-port } * | per-packet }
By default, an aggregation group uses the global link-aggregation load sharing mode.
Enabling local-first load sharing for link aggregation
About this task
Use local-first load sharing in a multidevice link aggregation scenario to distribute traffic preferentially across member ports on the ingress slot.
When you aggregate ports on different member devices in an IRF fabric, you can use local-first load sharing to reduce traffic on IRF links, as shown in Figure 4. For more information about IRF, see Virtual Technologies Configuration Guide.
Figure 4 Load sharing for multidevice link aggregation in an IRF fabric
Procedure
1. Enter system view.
system-view
2. Enable local-first load sharing for link aggregation globally.
link-aggregation load-sharing mode local-first
By default, local-first load sharing is enabled globally.
Enabling link-aggregation traffic redirection
About link-aggregation traffic redirection
This feature operates on dynamic link aggregation groups. It redirects traffic on a Selected port to the remaining available Selected ports of an aggregation group if the port is shut down by using the shutdown command or the slot that hosts the port reboots.
|
|
NOTE: The device does not redirect traffic to member ports that become Selected during the traffic redirection process. |
This feature ensures zero packet loss for known unicast traffic, but does not protect unknown unicast traffic.
Restrictions and guidelines for link-aggregation traffic redirection
Link-aggregation traffic redirection applies only to dynamic link aggregation groups.
To prevent traffic interruption, enable link-aggregation traffic redirection at both ends of the aggregate link.
To prevent packet loss that might occur at a reboot, do not enable the spanning tree feature together with link-aggregation traffic redirection.
Link-aggregation traffic redirection does not operate correctly on an edge aggregate interface.
Enabling link-aggregation traffic redirection globally
1. Enter system view.
system-view
2. Enable link-aggregation traffic redirection globally.
link-aggregation lacp traffic-redirect-notification enable
By default, link-aggregation traffic redirection is disabled globally.
Display and maintenance commands for Ethernet link aggregation
Execute display commands in any view and reset commands in user view.
|
Task |
Command |
|
Display information about aggregate interfaces. |
display interface [ { blade-aggregation | bridge-aggregation | route-aggregation } [ interface-number ] ] [ brief [ description | down ] ] |
|
Display the local system ID. |
display lacp system-id |
|
Display the global or group-specific link-aggregation load sharing modes. |
display link-aggregation load-sharing mode [ interface [ { blade-aggregation | bridge-aggregation | route-aggregation } interface-number ] ] |
|
Display forwarding information for the specified traffic flow. |
In standalone mode: display link-aggregation load-sharing path interface { bridge-aggregation | route-aggregation } interface-number ingress-port interface-type interface-number [ route ] { { destination-ip ip-address | destination-ipv6 ipv6-address } | { source-ip ip-address | source-ipv6 ipv6-address } | destination-mac mac-address | destination-port port-id | ethernet-type type-number | ip-protocol protocol-id | source-mac mac-address | source-port port-id | vlan vlan-id } * slot slot-number [ cpu cpu-number ] In IRF mode: display link-aggregation load-sharing path interface { bridge-aggregation | route-aggregation } interface-number ingress-port interface-type interface-number [ route ] { { destination-ip ip-address | destination-ipv6 ipv6-address } | { source-ip ip-address | source-ipv6 ipv6-address } | destination-mac mac-address | destination-port port-id | ethernet-type type-number | ip-protocol protocol-id | source-mac mac-address | source-port port-id | vlan vlan-id } * chassis chassis-number slot slot-number [ cpu cpu-number ] |
|
Display detailed link aggregation information about link aggregation member ports. |
display link-aggregation member-port [ interface-list | auto ] |
|
Display summary information about all aggregation groups. |
display link-aggregation summary |
|
Display detailed information about the specified aggregation groups. |
display link-aggregation verbose [ { blade-aggregation | bridge-aggregation | route-aggregation } [ interface-number ] ] |
|
Clear statistics about the specified aggregate interfaces. |
reset counters interface [ { blade-aggregation | bridge-aggregation | route-aggregation } [ interface-number ] ] |
|
Clear LACP statistics about the specified link aggregation member ports. |
reset lacp statistics [ interface interface-list ] |
Ethernet link aggregation configuration examples
Example: Configuring a Layer 2 static aggregation group
Network configuration
As shown in Figure 5, configure a Layer 2 static aggregation group on both Device A and Device B to aggregate the links between them.
Procedure
1. Configure interfaces GigabitEthernet 1/0/1 through GigabitEthernet 1/0/4 to operate in Layer 2 mode.
<DeviceA> system-view
[DeviceA] interface range gigabitethernet 1/0/1 to gigabitethernet 1/0/4
[DeviceA-if-range] port link-mode bridge
[DeviceA-if-range] quit
2. Create VLAN 10, and assign interface GigabitEthernet 1/0/4 to VLAN 10.
[DeviceA] vlan 10
[DeviceA-vlan10] port gigabitethernet 1/0/4
[DeviceA-vlan10] quit
3. Configure a Layer 2 static aggregation group:
# Configure Layer 2 aggregate interface Bridge-Aggregation 1 as a trunk port and assign it to VLANs 1 and 10.
[DeviceA] interface bridge-aggregation 1
[DeviceA-Bridge-Aggregation1] port link-type trunk
[DeviceA-Bridge-Aggregation1] port trunk permit vlan 1 10
[DeviceA-Bridge-Aggregation1] quit
# Assign interfaces GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to link aggregation group 1.
[DeviceA] interface range gigabitethernet 1/0/1 to gigabitethernet 1/0/3
[DeviceA-if-range] port link-aggregation group 1
[DeviceA-if-range] quit
4. Configure interfaces GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 as trunk ports and assign them to VLANs 1 and 10.
[DeviceA] interface range gigabitethernet 1/0/1 to gigabitethernet 1/0/3
[DeviceA-if-range] port link-type trunk
[DeviceA-if-range] port trunk permit vlan 1 10
[DeviceA-if-range] quit
5. Add interfaces to security zones.
[DeviceA] security-zone name trust
[Device-security-zone-Trust] import interface gigabitethernet 1/0/4 vlan 10
[Device-security-zone-Trust] quit
[DeviceA] security-zone name untrust
[Device-security-zone-Untrust] import interface bridge-aggregation 1 vlan 1 10
[Device-security-zone-Untrust] quit
6. Configure a security policy:
Configure rules to permit traffic between the Trust and Untrust security zones, so the devices can communicate with each other:
# Configure a rule named trust-untrust to permit the packets sent from the Trust security zone to the Untrust security zone.
[DeviceA] security-policy ip
[DeviceA-security-policy-ip] rule name trust-untrust
[DeviceA-security-policy-ip-0-trust-untrust] action pass
[DeviceA-security-policy-ip-0-trust-untrust] source-zone trust
[DeviceA-security-policy-ip-0-trust-untrust] destination-zone untrust
[DeviceA-security-policy-ip-0-trust-untrust] quit
[DeviceA-security-policy-ip] quit
# Configure a rule named untrust-trust to permit the packets sent from the Untrust security zone to the Trust security zone.
[DeviceA] security-policy ip
[DeviceA-security-policy-ip] rule name untrust-trust
[DeviceA-security-policy-ip-1-untrust-trust] action pass
[DeviceA-security-policy-ip-1-untrust-trust] source-zone untrust
[DeviceA-security-policy-ip-1-untrust-trust] destination-zone trust
[DeviceA-security-policy-ip-1-untrust-trust] quit
[DeviceA-security-policy-ip] quit
7. Configure Device B in the same way Device A is configured. (Details not shown.)
Verifying the configuration
# Display detailed information about all aggregation groups on Device A.
[DeviceA] display link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected, I -- Individual
Port: A -- Auto port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired
Aggregate Interface: Bridge-Aggregation1
Aggregation Mode: Static
Loadsharing Type: Shar
Port Status Priority Oper-Key
--------------------------------------------------------------------------------
GE1/0/1 S 32768 1
GE1/0/2 S 32768 1
GE1/0/3 S 32768 1
The output shows that link aggregation group 1 is a Layer 2 static aggregation group that contains three Selected ports.
Example: Configuring a Layer 2 dynamic aggregation group
Network configuration
As shown in Figure 6, configure a Layer 2 dynamic aggregation group on both Device A and Device B to aggregate the links between them.
Procedure
1. Configure interfaces GigabitEthernet 1/0/1 through GigabitEthernet 1/0/4 to operate in Layer 2 mode.
<DeviceA> system-view
[DeviceA] interface range gigabitethernet 1/0/1 to gigabitethernet 1/0/4
[DeviceA-if-range] port link-mode bridge
[DeviceA-if-range] quit
2. Create VLAN 10, and assign interface GigabitEthernet 1/0/4 to VLAN 10.
[DeviceA] vlan 10
[DeviceA-vlan10] port gigabitethernet 1/0/4
[DeviceA-vlan10] quit
3. Configure a Layer 2 dynamic aggregation group:
# Configure Layer 2 aggregate interface Bridge-Aggregation 1 as a trunk port, assign it to VLANs 1 and 10, and set the link aggregation mode to dynamic.
[DeviceA] interface bridge-aggregation 1
[DeviceA-Bridge-Aggregation1] port link-type trunk
[DeviceA-Bridge-Aggregation1] port trunk permit vlan 1 10
[DeviceA-Bridge-Aggregation1] link-aggregation mode dynamic
[DeviceA-Bridge-Aggregation1] quit
# Assign interfaces GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to link aggregation group 1.
[DeviceA] interface range gigabitethernet 1/0/1 to gigabitethernet 1/0/3
[DeviceA-if-range] port link-aggregation group 1
[DeviceA-if-range] quit
4. Configure interfaces GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 as trunk ports and assign them to VLANs 1 and 10.
[DeviceA] interface range gigabitethernet 1/0/1 to gigabitethernet 1/0/3
[DeviceA-if-range] port link-type trunk
[DeviceA-if-range] port trunk permit vlan 1 10
[DeviceA-if-range] quit
5. Add interfaces to security zones.
[DeviceA] security-zone name trust
[Device-security-zone-Trust] import interface gigabitethernet 1/0/4 vlan 10
[Device-security-zone-Trust] quit
[DeviceA] security-zone name untrust
[Device-security-zone-Untrust] import interface bridge-aggregation 1 vlan 1 10
[Device-security-zone-Untrust] quit
6. Configure a security policy:
Configure rules to permit traffic between the Trust and Untrust security zones, so the devices can communicate with each other:
# Configure a rule named trust-untrust to permit the packets sent from the Trust security zone to the Untrust security zone.
[DeviceA] security-policy ip
[DeviceA-security-policy-ip] rule name trust-untrust
[DeviceA-security-policy-ip-0-trust-untrust] action pass
[DeviceA-security-policy-ip-0-trust-untrust] source-zone trust
[DeviceA-security-policy-ip-0-trust-untrust] destination-zone untrust
[DeviceA-security-policy-ip-0-trust-untrust] quit
[DeviceA-security-policy-ip] quit
# Configure a rule named untrust-trust to permit the packets sent from the Untrust security zone to the Trust security zone.
[DeviceA] security-policy ip
[DeviceA-security-policy-ip] rule name untrust-trust
[DeviceA-security-policy-ip-1-untrust-trust] action pass
[DeviceA-security-policy-ip-1-untrust-trust] source-zone untrust
[DeviceA-security-policy-ip-1-untrust-trust] destination-zone trust
[DeviceA-security-policy-ip-1-untrust-trust] quit
[DeviceA-security-policy-ip] quit
7. Configure Device B in the same way Device A is configured. (Details not shown.)
Verifying the configuration
# Display detailed information about all aggregation groups on Device A.
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected, I -- Individual
Port: A -- Auto port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired
Aggregate Interface: Bridge-Aggregation1
Creation Mode: Manual
Aggregation Mode: Dynamic
Loadsharing Type: Shar
System ID: 0x8000, 000f-e267-6c6a
Local:
Port Status Priority Oper-Key Flag
--------------------------------------------------------------------------------
GE1/0/1 S 32768 1 {ACDEF}
GE1/0/2 S 32768 1 {ACDEF}
GE1/0/3 S 32768 1 {ACDEF}
Remote:
Actor Partner Priority Oper-Key SystemID Flag
--------------------------------------------------------------------------------
GE1/0/1 1 32768 1 0x8000, 000f-e267-57ad {ACDEF}
GE1/0/2 2 32768 1 0x8000, 000f-e267-57ad {ACDEF}
GE1/0/3 3 32768 1 0x8000, 000f-e267-57ad {ACDEF}
The output shows that link aggregation group 1 is a Layer 2 dynamic aggregation group that contains three Selected ports.
Example: Configuring Layer 2 aggregation load sharing
Network configuration
As shown in Figure 7, perform the following tasks:
· Configure Layer 2 static aggregation groups 1 and 2 on Device A and Device B, respectively.
· Configure link aggregation groups 1 and 2 to load share traffic across aggregation group member ports.
¡ Configure link aggregation group 1 to load share packets based on source MAC addresses.
¡ Configure link aggregation group 2 to load share packets based on destination MAC addresses.
Procedure
1. Configure interfaces GigabitEthernet 1/0/1 through GigabitEthernet 1/0/5 to operate in Layer 2 mode.
<DeviceA> system-view
[DeviceA] interface range gigabitethernet 1/0/1 to gigabitethernet 1/0/5
[DeviceA-if-range] port link-mode bridge
[DeviceA-if-range] quit
2. Create VLAN 10, and assign interface GigabitEthernet 1/0/5 to VLAN 10.
[DeviceA] vlan 10
[DeviceA-vlan10] port gigabitethernet 1/0/5
[DeviceA-vlan10] quit
3. Configure Layer 2 aggregation groups:
# Configure Layer 2 aggregate interface Bridge-Aggregation 1 as a trunk port and assign it to VLANs 1 and 10, and configure it to load share packets based on source MAC addresses..
[DeviceA] interface bridge-aggregation 1
[DeviceA-Bridge-Aggregation1] port link-type trunk
[DeviceA-Bridge-Aggregation1] port trunk permit vlan 1 10
[DeviceA-Bridge-Aggregation1] link-aggregation load-sharing mode source-mac
[DeviceA-Bridge-Aggregation1] quit
# Assign interfaces GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to link aggregation group 1.
[DeviceA] interface range gigabitethernet 1/0/1 to gigabitethernet 1/0/2
[DeviceA-if-range] port link-aggregation group 1
[DeviceA-if-range] quit
# Configure Layer 2 aggregate interface Bridge-Aggregation 2 as a trunk port and assign it to VLANs 1 and 10, and configure it to load share packets based on destination MAC addresses..
[DeviceA] interface bridge-aggregation 2
[DeviceA-Bridge-Aggregation1] port link-type trunk
[DeviceA-Bridge-Aggregation1] port trunk permit vlan 1 10
[DeviceA-Bridge-Aggregation1] link-aggregation load-sharing mode destination-mac
[DeviceA-Bridge-Aggregation1] quit
# Assign interfaces GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 to link aggregation group 2.
[DeviceA] interface range gigabitethernet 1/0/3 to gigabitethernet 1/0/4
[DeviceA-if-range] port link-aggregation group 2
[DeviceA-if-range] quit
4. Configure interfaces GigabitEthernet 1/0/1 through GigabitEthernet 1/0/4 as trunk ports and assign them to VLANs 1 and 10.
[DeviceA] interface range gigabitethernet 1/0/1 to gigabitethernet 1/0/4
[DeviceA-if-range] port link-type trunk
[DeviceA-if-range] port trunk permit vlan 1 10
[DeviceA-if-range] quit
5. Add interfaces to security zones.
[DeviceA] security-zone name trust
[Device-security-zone-Trust] import interface gigabitethernet 1/0/5 vlan 10
[Device-security-zone-Trust] quit
[DeviceA] security-zone name untrust
[Device-security-zone-Untrust] import interface bridge-aggregation 1 vlan 1 10
[Device-security-zone-Untrust] import interface bridge-aggregation 2 vlan 1 10
[Device-security-zone-Untrust] quit
6. Configure a security policy:
Configure rules to permit traffic between the Trust and Untrust security zones, so the devices can communicate with each other:
# Configure a rule named trust-untrust to permit the packets sent from the Trust security zone to the Untrust security zone
[DeviceA] security-policy ip
[DeviceA-security-policy-ip] rule name trust-untrust
[DeviceA-security-policy-ip-0-trust-untrust] action pass
[DeviceA-security-policy-ip-0-trust-untrust] source-zone trust
[DeviceA-security-policy-ip-0-trust-untrust] destination-zone untrust
[DeviceA-security-policy-ip-0-trust-untrust] quit
[DeviceA-security-policy-ip] quit
# Configure a rule named untrust-trust to permit the packets sent from the Untrust security zone to the Trust security zone
[DeviceA] security-policy ip
[DeviceA-security-policy-ip] rule name untrust-trust
[DeviceA-security-policy-ip-1-untrust-trust] action pass
[DeviceA-security-policy-ip-1-untrust-trust] source-zone untrust
[DeviceA-security-policy-ip-1-untrust-trust] destination-zone trust
[DeviceA-security-policy-ip-1-untrust-trust] quit
[DeviceA-security-policy-ip] quit
7. Configure Device B in the same way Device A is configured. (Details not shown.)
Verifying the configuration
# Display detailed information about all aggregation groups on Device A.
[DeviceA] display link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected, I -- Individual
Port: A -- Auto port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired
Aggregate Interface: Bridge-Aggregation1
Aggregation Mode: Static
Loadsharing Type: Shar
Port Status Priority Oper-Key
--------------------------------------------------------------------------------
GE1/0/1 S 32768 1
GE1/0/2 S 32768 1
Aggregate Interface: Bridge-Aggregation2
Aggregation Mode: Static
Loadsharing Type: Shar
Port Status Priority Oper-Key
--------------------------------------------------------------------------------
GE1/0/3 S 32768 2
GE1/0/4 S 32768 2
The output shows that:
· Link aggregation groups 1 and 2 are both load-shared Layer 2 static aggregation groups.
· Each aggregation group contains two Selected ports.
# Display all the group-specific load sharing modes on Device A.
[DeviceA] display link-aggregation load-sharing mode interface
Bridge-Aggregation1 Load-Sharing Mode:
source-mac address
Bridge-Aggregation2 Load-Sharing Mode:
destination-mac address
The output shows that:
· Link aggregation group 1 distributes packets based on source MAC addresses.
· Link aggregation group 2 distributes packets based on destination MAC addresses.
Example: Configuring a Layer 3 static aggregation group
Network configuration
As shown in Figure 8, configure a Layer 3 static aggregation group on both Device A and Device B to aggregate the links between them.
Procedure
1. Configure a Layer 3 static aggregation group:
# Create Layer 3 aggregate interface Route-Aggregation 1, and assign an IP address to the aggregate interface.
<DeviceA> system-view
[DeviceA] interface route-aggregation 1
[DeviceA-Route-Aggregation1] ip address 192.168.2.1 24
[DeviceA-Route-Aggregation1] quit
# Assign Layer 3 Ethernet interfaces GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to aggregation group 1.
[DeviceA] interface range gigabitethernet 1/0/1 to gigabitethernet 1/0/3
[DeviceA-if-range] port link-aggregation group 1
[DeviceA-if-range] quit
2. Assign an IP address to interface GigabitEthernet 1/0/4.
[DeviceA] interface GigabitEthernet 1/0/4
[DeviceA-GigabitEthernet1/0/4] ip address 192.168.1.2 24
[DeviceA-GigabitEthernet1/0/4] quit
3. Configure settings for routing.
This example configure a static route for PC B, and the next hop is 192.168.2.2.
[DeviceA] ip route-static 192.168.3.1 24 192.168.2.2
4. Add interfaces to security zones.
[DeviceA] security-zone name trust
[Device-security-zone-Trust] import interface gigabitethernet 1/0/4
[Device-security-zone-Trust] quit
[DeviceA] security-zone name untrust
[Device-security-zone-Untrust] import interface route-aggregation 1
[Device-security-zone-Untrust] quit
5. Configure a security policy:
Configure rules to permit traffic between PC A and PC B:
# Configure a rule named trust-untrust to permit the packets sent from the Trust security zone to the Untrust security zone.
[DeviceA] security-policy ip
[DeviceA-security-policy-ip] rule name trust-untrust
[DeviceA-security-policy-ip-0-trust-untrust] action pass
[DeviceA-security-policy-ip-0-trust-untrust] source-zone trust
[DeviceA-security-policy-ip-0-trust-untrust] destination-zone untrust
[DeviceA-security-policy-ip-0-trust-untrust] source-ip-subnet 192.168.1.0 24
[DeviceA-security-policy-ip-0-trust-untrust] destination-ip-subnet 192.168.3.0 24
[DeviceA-security-policy-ip-0-trust-untrust] quit
[DeviceA-security-policy-ip] quit
# Configure a rule named untrust-trust to permit the packets sent from the Untrust security zone to the Trust security zone
[DeviceA] security-policy ip
[DeviceA-security-policy-ip] rule name untrust-trust
[DeviceA-security-policy-ip-1-untrust-trust] action pass
[DeviceA-security-policy-ip-1-untrust-trust] source-zone untrust
[DeviceA-security-policy-ip-1-untrust-trust] destination-zone trust
[DeviceA-security-policy-ip-1-untrust-trust] source-ip-subnet 192.168.3.0 24
[DeviceA-security-policy-ip-1-untrust-trust] destination-ip-subnet 192.168.1.0 24
[DeviceA-security-policy-ip-1-untrust-trust] quit
[DeviceA-security-policy-ip] quit
6. Configure Device B in the same way Device A is configured. (Details not shown.)
Verifying the configuration
# Display detailed information about all aggregation groups on Device A.
[DeviceA] display link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected, I -- Individual
Port: A -- Auto port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired
Aggregate Interface: Route-Aggregation1
Aggregation Mode: Static
Loadsharing Type: Shar
Port Status Priority Oper-Key
--------------------------------------------------------------------------------
GE1/0/1 S 32768 1
GE1/0/2 S 32768 1
GE1/0/3 S 32768 1
The output shows that link aggregation group 1 is a Layer 3 static aggregation group that contains three Selected ports.
Example: Configuring a Layer 3 dynamic aggregation group
Network configuration
As shown in Figure 9, configure a Layer 3 dynamic aggregation group on both Device A and Device B to aggregate the links between them.
Procedure
1. Configure a dynamic aggregation group:
# Create Layer 3 aggregate interface Route-Aggregation 1.
<DeviceA> system-view
[DeviceA] interface route-aggregation 1
# Assign an IP address to Route-Aggregation 1.
[DeviceA-Route-Aggregation1] ip address 192.168.2.1 24
# Set the link aggregation mode to dynamic.
[DeviceA-Route-Aggregation1] link-aggregation mode dynamic
[DeviceA-Route-Aggregation1] quit
# Assign Layer 3 Ethernet interfaces GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to aggregation group 1.
[DeviceA] interface range gigabitethernet 1/0/1 to gigabitethernet 1/0/3
[DeviceA-if-range] port link-aggregation group 1
[DeviceA-if-range] quit
2. Assign an IP address to interface GigabitEthernet 1/0/4.
[DeviceA] interface GigabitEthernet 1/0/4
[DeviceA-GigabitEthernet1/0/4] ip address 192.168.1.2 24
[DeviceA-GigabitEthernet1/0/4] quit
3. Configure settings for routing.
This example configure a static route for PC B, and the next hop in the routes is 192.168.2.2.
[DeviceA] ip route-static 192.168.3.1 24 192.168.2.2
4. Add interfaces to security zones.
[DeviceA] security-zone name trust
[Device-security-zone-Trust] import interface gigabitethernet 1/0/4
[Device-security-zone-Trust] quit
[DeviceA] security-zone name untrust
[Device-security-zone-Untrust] import interface route-aggregation 1
[Device-security-zone-Untrust] quit
5. Configure a security policy:
Configure rules to permit traffic between PC A and PC B:
# Configure a rule named trust-untrust to permit the packets sent from the Trust security zone to the Untrust security zone.
[DeviceA] security-policy ip
[DeviceA-security-policy-ip] rule name trust-untrust
[DeviceA-security-policy-ip-0-trust-untrust] action pass
[DeviceA-security-policy-ip-0-trust-untrust] source-zone trust
[DeviceA-security-policy-ip-0-trust-untrust] destination-zone untrust
[DeviceA-security-policy-ip-0-trust-untrust] source-ip-subnet 192.168.1.0 24
[DeviceA-security-policy-ip-0-trust-untrust] destination-ip-subnet 192.168.3.0 24
[DeviceA-security-policy-ip-0-trust-untrust] quit
[DeviceA-security-policy-ip] quit
# Configure a rule named untrust-trust to permit the packets sent from the Untrust security zone to the Trust security zone
[DeviceA] security-policy ip
[DeviceA-security-policy-ip] rule name untrust-trust
[DeviceA-security-policy-ip-1-untrust-trust] action pass
[DeviceA-security-policy-ip-1-untrust-trust] source-zone untrust
[DeviceA-security-policy-ip-1-untrust-trust] destination-zone trust
[DeviceA-security-policy-ip-1-untrust-trust] source-ip-subnet 192.168.3.0 24
[DeviceA-security-policy-ip-1-untrust-trust] destination-ip-subnet 192.168.1.0 24
[DeviceA-security-policy-ip-1-untrust-trust] quit
[DeviceA-security-policy-ip] quit
6. Configure Device B in the same way Device A is configured. (Details not shown.)
Verifying the configuration
# Display detailed information about all aggregation groups on Device A.
[DeviceA] display link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected, I -- Individual
Port: A -- Auto port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired
Aggregate Interface: Route-Aggregation1
Creation Mode: Manual
Aggregation Mode: Dynamic
Loadsharing Type: Shar
System ID: 0x8000, 000f-e267-6c6a
Local:
Port Status Priority Oper-Key Flag
--------------------------------------------------------------------------------
GE1/0/1 S 32768 1 {ACDEF}
GE1/0/2 S 32768 1 {ACDEF}
GE1/0/3 S 32768 1 {ACDEF}
Remote:
Actor Partner Priority Oper-Key SystemID Flag
--------------------------------------------------------------------------------
GE1/0/1 1 32768 1 0x8000, 000f-e267-57ad {ACDEF}
GE1/0/2 2 32768 1 0x8000, 000f-e267-57ad {ACDEF}
GE1/0/3 3 32768 1 0x8000, 000f-e267-57ad {ACDEF}
The output shows that link aggregation group 1 is a Layer 3 dynamic aggregation group that contains three Selected ports.
Example: Configuring Layer 3 aggregation load sharing
Network configuration
As shown in Figure 10, perform the following tasks:
· Configure Layer 3 static aggregation groups 1 and 2 on Device A and Device B, respectively.
· Configure link aggregation groups 1 and 2 to load share traffic across aggregation group member ports.
¡ Configure link aggregation group 1 to load share packets based on source IP addresses.
¡ Configure link aggregation group 2 to load share packets based on destination IP addresses.
Procedure
1. Configure Layer 3 aggregation groups:
# Create Layer 3 aggregate interface Route-Aggregation 1.
<DeviceA> system-view
[DeviceA] interface route-aggregation 1
# Configure Layer 3 aggregation group 1 to load share packets based on source IP addresses.
[DeviceA-Route-Aggregation1] link-aggregation load-sharing mode source-ip
# Assign an IP address to Layer 3 aggregate interface Route-Aggregation 1.
[DeviceA-Route-Aggregation1] ip address 192.168.2.1 24
[DeviceA-Route-Aggregation1] quit
# Assign Layer 3 Ethernet interfaces GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to aggregation group 1.
[DeviceA] interface range gigabitethernet 1/0/1 to gigabitethernet 1/0/2
[DeviceA-if-range] port link-aggregation group 1
[DeviceA-if-range] quit
# Create Layer 3 aggregate interface Route-Aggregation 2.
[DeviceA] interface route-aggregation 2
# Configure Layer 3 aggregation group 2 to load share packets based on destination IP addresses.
[DeviceA-Route-Aggregation2] link-aggregation load-sharing mode destination-ip
# Assign an IP address to Layer 3 aggregate interface Route-Aggregation 2.
[DeviceA-Route-Aggregation2] ip address 192.168.3.1 24
[DeviceA-Route-Aggregation2] quit
# Assign Layer 3 Ethernet interfaces GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 to aggregation group 2.
[DeviceA] interface range gigabitethernet 1/0/3 to gigabitethernet 1/0/4
[DeviceA-if-range] port link-aggregation group 2
[DeviceA-if-range] quit
2. Assign an IP address to interface GigabitEthernet 1/0/5.
[DeviceA] interface gigabitethernet 1/0/5
[DeviceA-GigabitEthernet1/0/5] ip address 192.168.1.2 24
[DeviceA-GigabitEthernet1/0/5] quit
3. Configure settings for routing.
This example configure static routes for PC B, and the next hops in the routes are 192.168.2.2 and 192.168.3.2.
[DeviceA] ip route-static 192.168.4.1 24 192.168.2.2
[DeviceA] ip route-static 192.168.4.1 24 192.168.3.2
4. Add interfaces to security zones.
[DeviceA] security-zone name trust
[Device-security-zone-Trust] import interface gigabitethernet 1/0/5
[Device-security-zone-Trust] quit
[DeviceA] security-zone name untrust
[Device-security-zone-Untrust] import interface route-aggregation 1
[Device-security-zone-Untrust] import interface route-aggregation 2
[Device-security-zone-Untrust] quit
5. Configure a security policy:
Configure rules to permit traffic between PC A and PC B:
# Configure a rule named trust-untrust to permit the packets sent from the Trust security zone to the Untrust security zone.
[DeviceA] security-policy ip
[DeviceA-security-policy-ip] rule name trust-untrust
[DeviceA-security-policy-ip-0-trust-untrust] action pass
[DeviceA-security-policy-ip-0-trust-untrust] source-zone trust
[DeviceA-security-policy-ip-0-trust-untrust] destination-zone untrust
[DeviceA-security-policy-ip-0-trust-untrust] source-ip-subnet 192.168.1.0 24
[DeviceA-security-policy-ip-0-trust-untrust] destination-ip-subnet 192.168.4.0 24
[DeviceA-security-policy-ip-0-trust-untrust] quit
[DeviceA-security-policy-ip] quit
# Configure a rule named untrust-trust to permit the packets sent from the Untrust security zone to the Trust security zone.
[DeviceA] security-policy ip
[DeviceA-security-policy-ip] rule name untrust-trust
[DeviceA-security-policy-ip-1-untrust-trust] action pass
[DeviceA-security-policy-ip-1-untrust-trust] source-zone untrust
[DeviceA-security-policy-ip-1-untrust-trust] destination-zone trust
[DeviceA-security-policy-ip-1-untrust-trust] source-ip-subnet 192.168.4.0 24
[DeviceA-security-policy-ip-1-untrust-trust] destination-ip-subnet 192.168.1.0 24
[DeviceA-security-policy-ip-1-untrust-trust] quit
[DeviceA-security-policy-ip] quit
6. Configure Device B in the same way Device A is configured. (Details not shown.)
Verifying the configuration
# Display detailed information about all aggregation groups on Device A.
[DeviceA] display link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected, I -- Individual
Port: A -- Auto port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired
Aggregate Interface: Route-Aggregation1
Aggregation Mode: Static
Loadsharing Type: Shar
Port Status Priority Oper-Key
--------------------------------------------------------------------------------
GE1/0/1 S 32768 1
GE1/0/2 S 32768 1
Aggregate Interface: Route-Aggregation2
Aggregation Mode: Static
Loadsharing Type: Shar
Port Status Priority Oper-Key
--------------------------------------------------------------------------------
GE1/0/3 S 32768 2
GE1/0/4 S 32768 2
The output shows that:
· Link aggregation groups 1 and 2 are both load-shared Layer 3 static aggregation groups.
· Each aggregation group contains two Selected ports.
# Display all the group-specific load sharing modes on Device A.
[DeviceA] display link-aggregation load-sharing mode interface
Route-Aggregation1 Load-Sharing Mode:
source-ip address
Route-Aggregation2 Load-Sharing Mode:
destination-ip address
The output shows that:
· Link aggregation group 1 distributes packets based on source IP addresses.
· Link aggregation group 2 distributes packets based on destination IP addresses.
