What is Port Aggregation?
Port aggregation is a process in which multiple ports of a network device, such as a firewall, a LAN switch or a server, are combined to work as a single logical LAN port. The benefit of configuring port aggregation on a network device is that the device can carry more total traffic across the bundle, and it keeps forwarding (at reduced capacity) if one of the member links fails.
For example, if two 1 GbE ports on a network device are configured for port aggregation, the aggregate throughput of the bundle would be up to 2 Gbit/s. Note that this is the combined capacity: traffic is spread across the member links flow by flow, so a single flow is still limited to the 1 Gbit/s of the link it is placed on.
Port Aggregation in Network Firewalls
Most organizations prefer installing a dedicated, external-facing firewall device at the network perimeter. Such a device typically also has multiple internal-facing LAN ports. In order to increase the total data throughput toward the internal network, administrators can configure these LAN ports for port aggregation.
Physical Setup for Port Aggregation in a Dedicated Firewall
Port aggregation requires several LAN ports to be configured so that they work as a single virtual LAN port, so configuring it on a dedicated firewall device requires a specific physical layout that administrators must set up before the logical configuration can succeed. When setting up the physical infrastructure for port aggregation, security administrators should follow the points below:
- The very first step is to confirm that the firewall device supports port aggregation, and which protocol it supports (typically LACP).
- Confirm that the dedicated hardware firewall device has enough internal-facing LAN ports for the bundle and that these ports are in working condition. Member ports should run at the same speed and duplex.
- Once the assessment and verification is done, connect each participating internal-facing LAN port of the firewall device with its own LAN cable.
- Connect the other end of every cable to ports of the same LAN switch (or to a switch pair that is configured to act as a single LACP partner), because a LAG can only form with one partner system.
Configuring the Firewall Device for Port Aggregation
Once all the physical hardware nodes are in place and properly cabled, administrators can start the port aggregation configuration on the firewall device. Below are the points that administrators should consider while doing so:
- Verify which protocol the device supports. Most firewalls support only the standards-based Link Aggregation Control Protocol (LACP); the Cisco proprietary Port Aggregation Protocol (PAgP) is found on Cisco switches. Both ends of the bundle must run the same protocol.
- Create a Link Aggregation Group (LAG) on the firewall. (Port aggregation is also referred to as link aggregation; vendors call the group a bond, lagg, port-channel or EtherChannel.)
- Add the desired LAN ports to the LAG of the firewall, and configure the matching group on the switch with the ports at its end of the same cables. With LACP, at least one side must be set to active mode so that the negotiation starts.
- Assign an IP address to the LAG interface (or to VLAN sub-interfaces on top of it). The LAG works as a single LAN interface that transmits and receives traffic; the member ports themselves should no longer carry their own IP configuration.
Port Aggregation Protocol (PAgP) versus Link Aggregation Control Protocol (LACP)
Port Aggregation Protocol (PAgP) is a Cisco proprietary port aggregation protocol; it works only between Cisco devices.
Link Aggregation Control Protocol (LACP), on the other hand, was standardized by the IEEE as 802.3ad (since moved into IEEE 802.1AX). LACP is not vendor specific and can be used to negotiate port aggregation between any two devices that support it, including dedicated hardware firewall devices. In practice, a firewall and a switch from different vendors will use LACP.
How Port Aggregation Works
After the physical infrastructure is set up according to the guidelines above and the LAG is configured, the device distributes outgoing frames among the participating LAN ports of the LAG. This is normally not done one frame at a time in round-robin fashion: most implementations compute a hash over frame header fields (source and destination MAC address, IP address and, on many devices, TCP/UDP port) and use it to pick a member link, so that all frames of one flow leave through the same port and arrive in order. Round-robin distribution exists in a few implementations (for example Linux bonding mode 0, balance-rr), but it can reorder packets within a flow and is not what an LACP bundle uses.
For example, if the LAN ports L1, L2 and L3 on a dedicated firewall are added to a LAG, a TCP connection from client A to a web server is hashed to, say, L2, and every packet of that connection is sent through L2. A connection from client B may hash to L1, and one from client C to L3. With many concurrent flows the load evens out across all three ports; with a single large flow only one port is used, and the throughput of that flow is limited to the speed of that port. The switch at the other end applies its own hash to traffic flowing back toward the firewall.
Below are the steps explaining how port aggregation works for a request leaving the internal network:
- A client computer sends a request destined for a server that may be anywhere outside the internal network. The packet's next hop is the IP address assigned to the LAG of the firewall, so the frame is addressed to the MAC address of the LAG.
- The intermediary device, such as a LAN switch S1, has its own side of the bundle configured. It hashes the frame's header fields and sends the frame over one of its member ports toward the firewall.
- The firewall receives the frame on whichever member port it arrives on and hands it to the LAG interface; on the receive side it does not matter which physical port was used.
- The firewall routes the packet and, when it transmits toward the appropriate server or next hop, its own hash selects the member port of whichever LAG faces that direction.
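To make the distribution behaviour concrete, here is a small simulation, added as an example and not code from the original page. It models the two transmit policies over constructed traffic (one long-lived bulk flow plus thirty short client flows) on the three member ports L1, L2 and L3 named above; the flow hash is a simplified stand-in for a layer3+4 policy, not a copy of any vendor's or kernel's exact algorithm.

```python
"""Simulated frame distribution across the member ports of a LAG.

Constructed example: compares a flow hash (what LACP bundles normally use)
with round-robin over made-up flows. The hash is a simplified model of a
layer3+4 policy, not the algorithm of any particular kernel or vendor.
"""
import ipaddress
from collections import Counter

MEMBERS = ["L1", "L2", "L3"]  # member ports of the firewall's LAG, as in the text


def layer34_hash(src_ip, dst_ip, src_port, dst_port, proto=6):
    """Deterministic hash over the flow 5-tuple (simplified layer3+4 policy)."""
    s = int(ipaddress.ip_address(src_ip))
    d = int(ipaddress.ip_address(dst_ip))
    h = (s ^ d ^ ((src_port << 16) | dst_port) ^ proto) & 0xFFFFFFFF
    h ^= h >> 16  # fold high bits down so small port differences still spread
    h ^= h >> 8
    return h


def member_by_hash(flow, members=MEMBERS):
    """Pick the member port for a flow: the same flow always gets the same port."""
    return members[layer34_hash(*flow) % len(members)]


class RoundRobin:
    """Round-robin transmit policy: each frame goes to the next port in turn."""

    def __init__(self, members=MEMBERS):
        self.members = members
        self.next = 0

    def pick(self, _flow):
        m = self.members[self.next]
        self.next = (self.next + 1) % len(self.members)
        return m


def distribute(frames, policy):
    """Return per-port frame counts and the set of ports each flow was sent on."""
    per_port = Counter()
    ports_per_flow = {}
    for flow in frames:
        port = policy(flow)
        per_port[port] += 1
        ports_per_flow.setdefault(flow, set()).add(port)
    return per_port, ports_per_flow


# Constructed traffic: one bulk flow (60 frames) plus 30 short client flows.
BULK = ("10.0.0.5", "203.0.113.10", 50000, 443)
SHORT = [("10.0.0.%d" % i, "203.0.113.20", 40000 + i, 443) for i in range(1, 31)]
FRAMES = [BULK] * 60 + SHORT


def hash_summary():
    return distribute(FRAMES, member_by_hash)


def rr_summary():
    return distribute(FRAMES, RoundRobin().pick)


if __name__ == "__main__":
    for name, (per_port, ports_per_flow) in (("hash", hash_summary()),
                                             ("round-robin", rr_summary())):
        print(name, dict(per_port), "bulk flow used:", sorted(ports_per_flow[BULK]))
```

Under the hash policy all 60 frames of the bulk flow land on one port, so that port carries most of the load while the short flows spread over the others; under round-robin the counts are perfectly even, but the bulk flow is sprayed across all three ports, which is exactly the case in which frames of one connection can overtake each other.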
Considerations While Configuring Port Aggregation
- The other ends of all the cables connected to the participating LAN ports of a LAG of a firewall device must be connected to the same intermediary device. For example, if three cables are connected to the ports L1, L2 and L3, the other ends of all the cables must go to a common switch, say S1. A member that is cabled to a different switch negotiates with a different LACP partner and ends up in a separate aggregator instead of adding capacity; the bond status output on the firewall shows this as members with differing aggregator IDs or partner MAC addresses.
- To avoid IP conflicts, administrators must ensure that the IP address assigned to the LAG of the firewall has not already been assigned to any other device or node in the network.
- Choose the hash policy to match the traffic. A hash over MAC addresses only puts all traffic between the firewall and one next-hop router on a single link, because that pair of MAC addresses never changes; a hash that includes IP addresses and ports spreads such traffic across the members.
- Not every device supports LAGs, and those that do use different names and configuration steps (bond on Linux, lagg on FreeBSD-based firewalls, port-channel or EtherChannel on Cisco switches), so check the vendor documentation before relying on a given feature.
- LACP has no authentication: a port with LACP enabled will form a bundle with whatever partner answers on the wire. Enable aggregation only on ports cabled to the intended switch, and leave it disabled on ports that face untrusted segments.
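The configuration steps above and the same-switch consideration both come down to one check after the LAG is brought up: did every member actually join the one active aggregator with the same partner? On a Linux-based firewall that state is readable under /proc/net/bonding/<bond>. The script below is an added example, not code from the original page or from any vendor: it parses that text and flags a member that landed in a different aggregator, members that see different LACP partners, a member whose link is down, a non-LACP mode, and a MAC-only hash policy. The sample status text is constructed (the interface names, MAC addresses and values are made up; the field names follow the kernel's layout).

```python
"""Health checks on a Linux bonding status file for an LACP (802.3ad) LAG.

Added example, not from the page: parses the text the kernel exposes under
/proc/net/bonding/<bond> and flags the failure modes discussed above. The
sample below is constructed; field names follow the kernel's layout but the
interface names, MACs and values are made up.
"""
import re

SAMPLE = """\
Bonding Mode: IEEE 802.3ad Dynamic link aggregation
Transmit Hash Policy: layer3+4 (1)
MII Status: up

802.3ad info
LACP rate: fast
Active Aggregator Info:
\tAggregator ID: 1
\tNumber of ports: 2
\tPartner Mac Address: 02:00:00:00:00:aa

Slave Interface: eth1
MII Status: up
Speed: 1000 Mbps
Aggregator ID: 1
details partner lacp pdu:
    system mac address: 02:00:00:00:00:aa

Slave Interface: eth2
MII Status: up
Speed: 1000 Mbps
Aggregator ID: 1
details partner lacp pdu:
    system mac address: 02:00:00:00:00:aa

Slave Interface: eth3
MII Status: up
Speed: 1000 Mbps
Aggregator ID: 2
details partner lacp pdu:
    system mac address: 02:00:00:00:00:bb
"""
# Same bond with the miscabled eth3 removed (constructed healthy case).
HEALTHY = SAMPLE.split("Slave Interface: eth3")[0]


def _field(block, name):
    """Value of the first 'name: value' line in block (case-insensitive), or None."""
    m = re.search(r"^\s*%s:\s*(.+?)\s*$" % re.escape(name), block, re.M | re.I)
    return m.group(1) if m else None


def parse_bond(text):
    """Split the status file into bond-level fields and one dict per member."""
    head, *slaves = re.split(r"^Slave Interface:\s*", text, flags=re.M)
    bond = {"mode": _field(head, "Bonding Mode"),
            "hash_policy": _field(head, "Transmit Hash Policy"),
            "active_aggregator": _field(head, "Aggregator ID"),
            "members": []}
    for blk in slaves:
        name, _, rest = blk.partition("\n")
        partner = rest.partition("details partner lacp pdu:")[2]
        bond["members"].append({
            "name": name.strip(),
            "up": _field(rest, "MII Status") == "up",
            "speed": _field(rest, "Speed"),
            "aggregator": _field(rest, "Aggregator ID"),
            "partner_mac": _field(partner, "system mac address")})
    return bond


def check_lag(bond):
    """Return a list of problems; an empty list means the LAG looks healthy."""
    problems = []
    if "802.3ad" not in (bond["mode"] or ""):
        problems.append("bond is not in 802.3ad (LACP) mode: %r" % bond["mode"])
    if (bond["hash_policy"] or "").startswith("layer2 "):
        problems.append("layer2 hash: all traffic between one MAC pair "
                        "(e.g. firewall and next-hop router) uses a single link")
    for m in bond["members"]:
        if not m["up"]:
            problems.append("%s: link down, LAG is running degraded" % m["name"])
        elif m["aggregator"] != bond["active_aggregator"]:
            problems.append("%s: in aggregator %s, not the active one (%s)"
                            % (m["name"], m["aggregator"], bond["active_aggregator"]))
    up = [m for m in bond["members"] if m["up"]]
    partners = {m["partner_mac"] for m in up}
    if len(partners) > 1:  # members negotiated with different switches
        problems.append("members see different LACP partners %s: cables go to "
                        "different switches" % sorted(map(str, partners)))
    if len({m["speed"] for m in up}) > 1:
        problems.append("mixed link speeds among up members")
    return problems


if __name__ == "__main__":
    for line in check_lag(parse_bond(SAMPLE)) or ["LAG healthy"]:
        print(line)
```

Run against the constructed sample it reports that eth3 sits in aggregator 2 while the active aggregator is 1, and that the members see two different partner MAC addresses, which is what a cable plugged into the wrong switch looks like from the firewall. On a real device, read the file for the bond in question and feed its contents to parse_bond; the same checks apply to the switch side, where the equivalent is the port-channel or lagg status command of that vendor.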