Understanding network link aggregation
When link aggregation is used, traffic from multiple network ports is combined. The combined traffic can be forwarded to monitoring tools as a single stream of traffic.
 
Link aggregation combines traffic from multiple network ports into a single stream. The combined traffic can be forwarded to a tool port. Link aggregation brings traffic together from separate sources or locations (for instance, from several devices) and forwards the traffic as one stream to a single monitoring tool. Link aggregation can be enhanced further by using traffic replication, which allows the same traffic stream—aggregated traffic in this case—to be sent to more than one monitoring tool.
Tip! Aggregation occurs any time multiple network ports are connected to the same instance of a rule.
 
 
Use link aggregation for visibility of both sides of a link over a single interface. Consider this example scenario: your organization has placed a network TAP at the network edge, in front of the firewall. Behind the firewall is a switch with a SPAN port. Connect both the TAP analyzer link(s) and the SPAN port link of the switch to the Matrix. Finally, assign the links as network ports in the Matrix and connect them to the same layout rule. Visibility from both sides of a network link is achieved (in front of and behind the firewall) over one interface—a single tool port.
 
 
Avoid aggregating links whose combined utilization would oversubscribe the tool port. Aggregating multiple 1 Gb links and forwarding the traffic out a 1 Gb tool port could, in some cases, oversubscribe the tool port and cause packets to drop. In these cases, you might have to enforce packet trimming or filtering to lower the utilization enough that packets do not drop. Another strategy is to aggregate fewer network links if possible. The best strategy is to ensure any tool port forwarding the aggregate traffic of multiple 1 Gb network ports is a 10 Gb link.
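The oversubscription check described above can be run against per-port counters before links are attached to the same rule. The following is an added example, not part of the original documentation or the Matrix software; the function names, port labels, and sample counters are constructed, and it assumes each port reports packets per second and average frame size over aligned intervals.

```python
# Added example: capacity check for an aggregated tool port.
# All names and sample values below are constructed for illustration.

WIRE_OVERHEAD = 20  # bytes per frame on the wire: preamble 7 + SFD 1 + inter-frame gap 12

def wire_bps(pps, avg_frame_bytes, trim_to=None):
    """Wire-level bits/s for one port in one interval.

    With trimming, min(average, trim_to) is an upper bound on the mean
    trimmed frame size, so the estimate errs on the safe side.
    """
    size = avg_frame_bytes if trim_to is None else min(avg_frame_bytes, trim_to)
    return pps * (size + WIRE_OVERHEAD) * 8

def check_tool_port(samples, tool_bps, trim_to=None):
    """samples maps port -> [(pps, avg_frame_bytes), ...], one tuple per interval.

    Returns (peak aggregate bits/s, indexes of intervals exceeding tool_bps).
    """
    totals = [
        sum(wire_bps(pps, size, trim_to) for pps, size in interval)
        for interval in zip(*samples.values())
    ]
    over = [i for i, total in enumerate(totals) if total > tool_bps]
    return max(totals), over

# Constructed counters for three 1 Gb network ports joined to one rule:
# both directions of an edge TAP plus the SPAN port behind the firewall.
SAMPLES = {
    "tap_a": [(50_000, 800), (90_000, 1000), (100_000, 1200), (40_000, 600)],
    "tap_b": [(30_000, 400), (60_000, 500), (80_000, 300), (20_000, 200)],
    "span":  [(20_000, 900), (40_000, 1100), (50_000, 1000), (10_000, 700)],
}

if __name__ == "__main__":
    cases = (
        ("1 Gb tool port", 1_000_000_000, None),
        ("1 Gb tool port, trim to 128 B", 1_000_000_000, 128),
        ("10 Gb tool port", 10_000_000_000, None),
    )
    for label, capacity, trim in cases:
        peak, over = check_tool_port(SAMPLES, capacity, trim)
        status = f"oversubscribed in intervals {over}" if over else "fits"
        print(f"{label}: peak {peak / 1e6:.1f} Mb/s, {status}")
```

Interval averages hide short bursts, so a passing result shows the tool port is not oversubscribed on average, not that it can never drop packets.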
 
 
Link aggregation does not create more bandwidth. On the Matrix, link aggregation refers only to combining traffic into a single interface. The links being aggregated do not experience increased throughput or bandwidth capacity.
 
 
Link aggregation does not automatically create link redundancy. Although link aggregation may have a role in a link redundancy strategy using the Matrix, aggregating network links does not provide any type of redundancy or high availability. However, if using the Matrix for this purpose, combining link aggregation with traffic replication can help you forward redundant traffic streams to identical tools in case one tool malfunctions.
 
 
Link aggregation can affect how efficiently connected tools operate. When monitoring tools need broad network visibility to perform efficiently, consolidating the traffic from many locations and sources is valuable to those tools. In addition, by combining link aggregation with traffic replication, copies of the same combined traffic can be forwarded to different analysis tools.