LACP and LLDP Pre-Negotiation for Active/Passive
If a firewall uses LACP or LLDP, negotiation of those
protocols upon failover prevents sub-second failover. However, you
can enable an interface on a passive firewall to negotiate LACP
and LLDP prior to failover. Thus, a firewall in Passive or Non-functional HA
state can communicate with neighboring devices using LACP or LLDP.
Such pre-negotiation speeds up failover.
All firewall models except VM-Series firewalls support a pre-negotiation
configuration, which depends on whether the Ethernet or AE interface
is in a Layer 2, Layer 3, or virtual wire deployment. An HA passive
firewall handles LACP and LLDP packets in one of two ways:
—The firewall has LACP or LLDP configured
on the interface and actively participates in LACP or LLDP pre-negotiation, respectively.
—LACP or LLDP is not configured on the interface
and the firewall does not participate in the protocol, but allows
the peers on either side of the firewall to pre-negotiate LACP or
The following table displays which deployments are supported
on Aggregate Ethernet (AE) and Ethernet interfaces.
LACP in Layer 2
LACP in Layer 3
LACP in Virtual Wire
LLDP in Layer 2
LLDP in Layer 3
LLDP in Virtual Wire
Active if LLDP itself is configured.
Passive if LLDP itself is not configured.
Pre-negotiation is not supported on subinterfaces or tunnel interfaces.