LACP and LLDP Pre-Negotiation for Active/Passive HA

If a firewall uses LACP or LLDP, negotiation of those protocols upon failover prevents sub-second failover. However, you can enable an interface on a passive firewall to negotiate LACP and LLDP prior to failover. Thus, a firewall in Passive or Non-functional HA state can communicate with neighboring devices using LACP or LLDP. Such pre-negotiation speeds up failover.
All firewall models except VM-Series firewalls support a pre-negotiation configuration, which depends on whether the Ethernet or AE interface is in a Layer 2, Layer 3, or virtual wire deployment. An HA passive firewall handles LACP and LLDP packets in one of two ways:
  • Active
    —The firewall has LACP or LLDP configured on the interface and actively participates in LACP or LLDP pre-negotiation, respectively.
  • Passive
    —LACP or LLDP is not configured on the interface and the firewall does not participate in the protocol, but allows the peers on either side of the firewall to pre-negotiate LACP or LLDP, respectively.
The following table displays which deployments are supported on Aggregate Ethernet (AE) and Ethernet interfaces.
Interface Deployment
AE Interface
Ethernet Interface
LACP in Layer 2
Active
Not supported
LACP in Layer 3
Active
Not supported
LACP in Virtual Wire
Not supported
Passive
LLDP in Layer 2
Active
Active
LLDP in Layer 3
Active
Active
LLDP in Virtual Wire
Active
  • Active if LLDP itself is configured.
  • Passive if LLDP itself is not configured.
Pre-negotiation is not supported on subinterfaces or tunnel interfaces.

Recommended For You