LACP and LLDP Pre-Negotiation for Active/Passive HA
If a firewall uses LACP or LLDP, negotiation of those
protocols upon failover prevents sub-second failover. However, you
can enable an interface on a passive firewall to negotiate LACP
and LLDP prior to failover. Thus, a firewall in Passive or Non-functional
HA state can communicate with neighboring devices using LACP or LLDP.
Such pre-negotiation speeds up failover.
All firewall models except VM-Series firewalls support a pre-negotiation
configuration, which depends on whether the Ethernet or AE interface
is in a Layer 2, Layer 3, or virtual wire deployment. An HA passive
firewall handles LACP and LLDP packets in one of two ways:
- Active: The firewall has LACP or LLDP configured on the interface
  and actively participates in LACP or LLDP pre-negotiation,
  respectively.
- Passive: LACP or LLDP is not configured on the interface and the
  firewall does not participate in the protocol, but allows the peers
  on either side of the firewall to pre-negotiate LACP or LLDP,
  respectively.
The following table displays which deployments are supported
on Aggregate Ethernet (AE) and Ethernet interfaces.
Interface Deployment | AE Interface | Ethernet Interface |
LACP in Layer 2 | Active | Not supported |
LACP in Layer 3 | Active | Not supported |
LACP in Virtual Wire | Not supported | Passive |
LLDP in Layer 2 | Active | Active |
LLDP in Layer 3 | Active | Active |
LLDP in Virtual Wire | Active | Active if LLDP itself is configured; Passive if LLDP itself is not configured. |
Pre-negotiation is not supported on subinterfaces or tunnel interfaces.