Configure Inline Network Link Aggregation Group (LAG)
Refer to the following sections for details about the inline network LAG, its limitations, and instructions on how to configure it:
About Inline Network LAG
Inline Network LAG—Rules and Notes
Configure Inline Network LAG
About Inline Network LAG
A Link Aggregation Group (LAG) combines a number of physical ports into a single high-bandwidth data path, so that the traffic load is shared among the member ports in the group and the reliability of the connection is improved. If a LAG in your network must be inspected inline, the Flexible Inline Network LAG feature lets you group the inline networks as one logical entity instead of creating a separate inline network for each link in the LAG. You can then configure a flexible inline map with the inline network LAG as the source.
Traffic from the inline network LAG is grouped and sent to the inline tools with the same VLAN ID. The return traffic from the inline tools is hashed to the other side of the inline network LAG, so the incoming and the outgoing inline networks can be different.
Each inline network in an inline network LAG has its own forwarding state and traffic path settings. When one member link in the LAG goes down, the traffic is sent over the remaining member links.
Inline Network LAG—Rules and Notes
Keep in mind the following when working with inline network LAG:
You cannot combine protected and unprotected inline networks, or inline networks with different speeds, in an inline network LAG.
Inline TLS/SSL Decryption is not supported using Inline Network LAG. Use an Inline Network Bundle instead.
Note: It is highly recommended that the first flexible inline map bypasses the LACP/PAgP protocols between the inline network peers.
Refer to the example below:
# Flex Bypass Map configuration for Inbound and Outbound TLS/SSL Decryption:
--------------------------------------------------------------------------------
Flex-iN-MAP-L0-BYPASS-High-Priority-L2-L3-Network-Service-Traffic-Between-iN-NET-A-and-iN-NET-B-peers
rule add pass macdst 01:80:c2:00:00:00 ff:ff:ff:ff:ff:ff comment STP RST
rule add pass macdst 01:00:0c:cc:cc:cd ff:ff:ff:ff:ff:ff comment PVST+ RPVST+
rule add pass ethertype 8809 macdst 01:80:c2:00:00:02 ff:ff:ff:ff:ff:ff comment LACP
rule add pass macdst 01:00:0c:cc:cc:cc ff:ff:ff:ff:ff:ff comment CDP_DTP_PAgP_UDLD_VTP
rule add pass macdst 01:80:c2:00:00:0e ff:ff:ff:ff:ff:ff comment LLDP
rule add pass ipdst 224.0.0.2 255.255.255.255 portdst 1985 bidir comment HSRP
rule add pass ipdst 224.0.0.102 255.255.255.255 portdst 1985 bidir comment HSRPv2
rule add pass protocol 70 ipdst 224.0.0.18 255.255.255.255 comment VRRP-hex-70=decimal-112
rule add pass protocol 59 comment OSPF-hex-59=decimal-89
rule add pass protocol 58 comment EIGRP-hex-58=decimal-88
rule add pass protocol tcp portdst 179 bidir comment BGP
rule add pass protocol udp portdst 520 bidir comment RIPv1
rule add pass protocol udp portdst 521 bidir comment RIPv2
--------------------------------------------------------------------------------
# Other Flex Inline Maps for Inbound and Outbound TLS/SSL Decryption:
--------------------------------------------------------------------------------
Flex-iN-Map-L1-DROP-QUIC-Traffic-protocol-udp-portdst-80+443
rule add drop protocol udp portdst 80 bidir
rule add drop protocol udp portdst 443 bidir
Flex-iN-Map-L1-PASS-INBOUND-Decrypt-SSL-Traffic-protocol-tcp+ip+portdst-80+443-bidir-to-Inline+OoB-Tools
rule add pass protocol tcp ipdst 192.0.2.100 255.255.255.255 portdst 80 bidir comment "Support StartTLS for HTTP (RFC 2817) midstream SSL/TLS decryption"
rule add pass protocol tcp ipdst 192.0.2.100 255.255.255.255 portdst 443 bidir
# Important Note:
# PATH: FM: Traffic > Orchestration > Inline Flow > Flexible Inline Canvas > Inline SSL App >
# Inline SSL App Name: Flex-INBOUND-SSL-Policy > starttls add l4port 80 (see flex-image-1 below)
Flex-iN-Map-L1-PASS-OUTBOUND-Decrypt-SSL-Traffic-protocol-tcp-to-Inline+OoB-Tools
rule add pass protocol tcp comment "Gigamon does not support QUIC UDP 443 + UDP 80 protocol decryption; QUIC should be dropped to force TLS/SSL traffic onto the TCP protocol"
Flex-iN-Map-L2-PASS-IPv4-NON-SSL-Traffic-to-Inline+OoB-Tools
rule add pass ipver 4
Flex-iN-Map-Collector-BYPASS-ALL-Remaining-Traffic-Between-iN-NET-A-and-iN-NET-B-peers
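The value of ordering the maps this way is easiest to see by tracing individual frames through them: control-plane traffic between the inline network peers must hit the L0 bypass map before any map that could send it to an inline tool, QUIC must be dropped before the decrypt maps see it, and anything unmatched must fall to the bypass collector. The following Python model is an added example, not Gigamon code or CLI output: it encodes the maps listed above as data (with shortened map names), assumes that maps are evaluated in the listed order with the first matching rule winning, that the rules inside one map are OR'd, and that `bidir` also tries a rule's destination criteria against the packet's source fields. Protocol numbers are written in decimal here because the listing above gives them in hex (70 = 112 VRRP, 59 = 89 OSPF, 58 = 88 EIGRP). The sample frames are constructed for the demonstration.

```python
# Added example: a model of the ordered flexible inline maps above (not Gigamon code).
# Assumptions: first matching map wins in listed order; rules within a map are OR'd;
# "bidir" also matches a rule's destination criteria against the packet's source fields.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


@dataclass
class Pkt:
    """Constructed header fields of one frame (only the fields the rules inspect)."""
    macdst: str = "00:11:22:33:44:55"
    ethertype: int = 0x0800
    ipver: Optional[int] = 4
    protocol: Optional[int] = None      # IP protocol number, decimal
    ipsrc: str = "0.0.0.0"
    ipdst: str = "0.0.0.0"
    portsrc: int = 0
    portdst: int = 0


def _mac(m: str) -> int:
    return int(m.replace(":", "").replace("-", ""), 16)


@dataclass
class Rule:
    action: str                                   # "pass" or "drop"
    macdst: Optional[tuple[str, str]] = None      # (value, mask), as in "macdst <mac> <mask>"
    ethertype: Optional[int] = None
    ipver: Optional[int] = None
    protocol: Optional[int] = None
    ipdst: Optional[tuple[str, str]] = None       # (addr, mask), as in "ipdst <ip> <mask>"
    portdst: Optional[int] = None
    bidir: bool = False
    comment: str = ""

    def _one_way(self, p: Pkt, ip: str, port: int) -> bool:
        """Check the rule with (ip, port) standing in for the destination fields."""
        if self.macdst:
            want, mask = _mac(self.macdst[0]), _mac(self.macdst[1])
            if (_mac(p.macdst) & mask) != (want & mask):
                return False
        if self.ethertype is not None and p.ethertype != self.ethertype:
            return False
        if self.ipver is not None and p.ipver != self.ipver:
            return False
        if self.protocol is not None and p.protocol != self.protocol:
            return False
        if self.ipdst:
            mask = int(IPv4Address(self.ipdst[1]))
            if (int(IPv4Address(ip)) & mask) != (int(IPv4Address(self.ipdst[0])) & mask):
                return False
        if self.portdst is not None and port != self.portdst:
            return False
        return True

    def matches(self, p: Pkt) -> bool:
        if self._one_way(p, p.ipdst, p.portdst):
            return True
        return self.bidir and self._one_way(p, p.ipsrc, p.portsrc)


ALL, HOST = "ff:ff:ff:ff:ff:ff", "255.255.255.255"
# (map name, where matched "pass" traffic goes, rules) in the order shown on the page
MAPS = [
    ("Flex-iN-MAP-L0-BYPASS", "bypass", [
        Rule("pass", macdst=("01:80:c2:00:00:00", ALL), comment="STP RST"),
        Rule("pass", macdst=("01:00:0c:cc:cc:cd", ALL), comment="PVST+ RPVST+"),
        Rule("pass", ethertype=0x8809, macdst=("01:80:c2:00:00:02", ALL), comment="LACP"),
        Rule("pass", macdst=("01:00:0c:cc:cc:cc", ALL), comment="CDP DTP PAgP UDLD VTP"),
        Rule("pass", macdst=("01:80:c2:00:00:0e", ALL), comment="LLDP"),
        Rule("pass", ipdst=("224.0.0.2", HOST), portdst=1985, bidir=True, comment="HSRP"),
        Rule("pass", ipdst=("224.0.0.102", HOST), portdst=1985, bidir=True, comment="HSRPv2"),
        Rule("pass", protocol=112, ipdst=("224.0.0.18", HOST), comment="VRRP (hex 70)"),
        Rule("pass", protocol=89, comment="OSPF (hex 59)"),
        Rule("pass", protocol=88, comment="EIGRP (hex 58)"),
        Rule("pass", protocol=6, portdst=179, bidir=True, comment="BGP"),
        Rule("pass", protocol=17, portdst=520, bidir=True, comment="RIPv1"),
        Rule("pass", protocol=17, portdst=521, bidir=True, comment="RIPv2"),
    ]),
    ("Flex-iN-Map-L1-DROP-QUIC", "drop", [
        Rule("drop", protocol=17, portdst=80, bidir=True),
        Rule("drop", protocol=17, portdst=443, bidir=True),
    ]),
    ("Flex-iN-Map-L1-PASS-INBOUND-Decrypt", "inline-ssl-inbound", [
        Rule("pass", protocol=6, ipdst=("192.0.2.100", HOST), portdst=80, bidir=True),
        Rule("pass", protocol=6, ipdst=("192.0.2.100", HOST), portdst=443, bidir=True),
    ]),
    ("Flex-iN-Map-L1-PASS-OUTBOUND-Decrypt", "inline-ssl-outbound", [Rule("pass", protocol=6)]),
    ("Flex-iN-Map-L2-PASS-IPv4-NON-SSL", "inline-tools", [Rule("pass", ipver=4)]),
]
COLLECTOR = ("Flex-iN-Map-Collector-BYPASS", "bypass")


def classify(p: Pkt) -> tuple[str, str]:
    """Return (map name, disposition) for the first map with a matching rule."""
    for name, target, rules in MAPS:
        for r in rules:
            if r.matches(p):
                return name, ("drop" if r.action == "drop" else target)
    return COLLECTOR


# Constructed sample frames (documentation addresses, not real hosts).
SAMPLES = {
    "lacp": Pkt(macdst="01:80:c2:00:00:02", ethertype=0x8809, ipver=None),
    "bgp_reply": Pkt(protocol=6, ipsrc="192.0.2.1", ipdst="192.0.2.2", portsrc=179, portdst=50000),
    "quic": Pkt(protocol=17, ipdst="198.51.100.9", portdst=443),
    "inbound_https": Pkt(protocol=6, ipdst="192.0.2.100", portdst=443),
    "outbound_https": Pkt(protocol=6, ipdst="198.51.100.9", portdst=443),
    "dns": Pkt(protocol=17, ipdst="198.51.100.53", portdst=53),
    "arp": Pkt(macdst="ff:ff:ff:ff:ff:ff", ethertype=0x0806, ipver=None),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:15s} -> {classify(pkt)}")
```

Running the model shows the LACP frame and the BGP reply (matched through `bidir` on its source port) landing in the L0 bypass map, QUIC being dropped before any decrypt map, HTTPS to 192.0.2.100 going to the inbound decrypt map while other TCP goes to the outbound one, DNS reaching the plain inline tools, and ARP falling through to the bypass collector. Moving the L0 map below the decrypt maps in the `MAPS` list is an easy way to see how LACP would otherwise be steered into the tool path.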
Configure Inline Network LAG
Before you configure an inline network LAG, ensure that you configure the required inline network ports and inline networks. Refer to Configure Inline Network Ports and Inline Network.
To configure an inline network LAG:
1. On the left navigation pane, go to Physical > Orchestrated Flows > Inline Flows, and then click Configuration Canvas to create a new Flexible Inline Canvas.
2. In the Flexible Inline Canvas that is displayed, select the device for which you want to configure the inline network LAG.
3. Click the ‘+’ icon next to the Inline Network LAG option to create a new inline network LAG.
4. In the Properties pane that appears on the right, enter the name and description of the inline network LAG in the Alias and Description fields.
5. From the Inline Networks drop-down list, select the inline networks that are to be part of the inline network LAG.
6. From the Traffic Path drop-down list, select one of the following options:
   Bypass—All traffic arriving at Port A of the inline network is directly forwarded to Port B of the inline network. Similarly, all traffic arriving at Port B of the inline network is directly forwarded to Port A of the inline network.
   Drop—Traffic is not exchanged between the inline network ports (all traffic coming to these ports is dropped).
   Bypass with Monitoring—All traffic is forwarded as in a forced bypass, and a copy of the traffic is also forwarded to the inline tools. A traffic map must first be configured between the inline network and the inline tool so that traffic is forwarded to the tools while no traffic is taken back from them.
   To Inline Tool—Traffic is forwarded to the sequence of inline tools.
7. Select the Link Failure Propagation check box if you want a port to be brought down when its pair goes down.
8. Select the Physical Bypass check box if you want the traffic to flow directly between Port A and Port B of the inline network pair when a device or a module is powered down.
9. If a group of links is part of a port channel that uses LACP, select the Bypass Link Aggregation Control Protocol and Link Layer Discovery Protocol check box to maintain the port channel functionality on the links that are connected to the inline network LAG ports.
Note: Inline Network LAG needs a bypass map to handle LACP bypass.
Note: When the Bypass LACP and LLDP check box is enabled, all protocol packets with MAC destination 01-80-C2-XX-XX-XX are bypassed.
10. If a group of links is part of a port channel that supports CDP, select the Bypass Cisco Discovery Protocol check box to maintain the CDP discovery functionality on the links that are connected to the inline network LAG ports.
Note: Inline Network LAG needs a bypass map to handle CDP bypass.
Note: When CDP/LLDP bypass is enabled, the CDP/LLDP neighborship discovery is not established on the respective inline networks.
11. Click OK to save the configuration.
12. Drag the Inline Network LAG object to the canvas.
13. Configure the required flexible inline maps and then click Deploy.