Inspection of Link Aggregated Traffic by Sourcefire FirePOWER and Virtual Appliances

Available Languages

Updated:July 9, 2014
Document ID:117897

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Introduction

Link Aggregation has been standardized by IEEE on 802.3ad 802.3ax. Common implementations of Link Aggregation are EtherChannel, Link Aggregation Control Protocol (LACP), Port Aggregation Protocol (PAgP), etc. This article describes how Sourcefire appliances handle link aggregated traffic.

Prerequisites

Requirements

Cisco recommends that you have knowledge on Sourcefire FirePOWER device models, virtual device models, Link Aggregation Control Protocol (LACP), EtherChannel, and Port Aggregation Protocol (PAgP).

Support of Link Aggregation

A Sourcefire appliance is able to work with any standard link aggregation implementations, because a link aggregation protocol does not add any additional data to the packet itself. There are no known issues between the implementation of Sourcefire appliances and any Link Aggregation protocols.

Things to Consider

The following points need to be considered when you deploy a Sourcefire appliance in link aggregated deployment:

  1. If a Sourcefire appliance is in passive mode and all of the links of EtherChannel are being monitored by the same detection engine, then the Link Aggregation configuration does not matter.
  2. If a single detection engine will only be monitoring some of the links or the device is being deployed as an inline device, then it is recommended that the Link Aggregation is configured to use both source and destination MAC addresses. This will avoid the performance problems related to asynchronous routing.
  3. Snort is capable of processing link aggregated traffic with no problem.  However, Snort will not be able to decode the link aggregation control packets sent between the switches.
  4. Load balancing methods in EtherChannel are based on each traffic flow and not on each frame or packet, so the flows are what gets load balanced. The configuration of "Source IP and Destination IP" in EtherChannel may affect load balancing across Sourcefire snort instances. This is only if hashing performed results in a more limited set of IPs to choose from. The usage of "Source MAC and Destination MAC" may help with load distribution.

Known Issue

The following known issue on LACP is reported on all versions prior to and including 5.3.1.1:

In some cases, applying changes to your access control policy, intrusion policy, network discovery policy, or device configuration, or installing an intrusion rule update or update of the vulnerability database (VDB) causes the system to experience a disruption in traffic that uses Link Aggregation Control Protocol (LACP) in fast mode. As a workaround, configure LACP links in slow mode. (112070)

Related Document

Revision History

Revision Publish Date Comments
1.0
09-Jul-2014
Initial Release
TAC Authored

Contributed by Cisco Engineers

  • Nazmul Rajib
    Cisco TAC Engineer.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products