
ISG Firewall Extreme Switch Link Aggregation

In order to bundle multiple physical ports together, port aggregation can be used. This way the
bandwidth of multiple links can be combined into one virtual aggregate interface.
This aggregate interface can be used as if it is a physical interface, so it can for example be
assigned an IP address and sub-interfaces can be created for it.
This feature is available in ISG series and NetScreen-5000 series firewalls.

This virtual port is known as an aggregate interface. Only Secure Port Modules (SPMs) support
this feature, and you can only aggregate side-by-side ports that reside on the same module.
You must assign one of the following names to the aggregate interface: aggregate1, aggregate2,
aggregate3, or aggregate4.
Aggregation is not allowed across I/O modules.

We have implemented link aggregation on ISG-2000 firewalls connected to Extreme
Networks Black Diamond switches running EXOS 12.3.3.6.
Three Gigabit Ethernet ports have been grouped together to provide a combined capacity of 3
Gbps.

On the Black Diamond switches, multiple options and load-sharing mechanisms are available for
link aggregation, but the firewall supports only L3.
So on the switch end, L3 has to be selected for load sharing.

Example Configurations:
ISG Firewall:
set interface "aggregate1" zone "Trust"
set interface "aggregate2" zone "Trust"

set interface ethernet1/1 aggregate aggregate1
set interface ethernet1/3 aggregate aggregate1
set interface ethernet1/2 aggregate aggregate1

set interface ethernet2/1 aggregate aggregate2
set interface ethernet2/2 aggregate aggregate2
set interface ethernet2/3 aggregate aggregate2

set interface "aggregate1.1" tag 100 zone "test_A"
set interface "aggregate2.1" tag 1102 zone "test_B"
set interface aggregate1.1 ip 10.1.2.1/23
set interface aggregate1.1:1 ip 10.1.3.1/23

Extreme Networks EXOS switches:


enable sharing 1:48 grouping 1:48,3:47,10:23 algorithm address-based L3

Output from the Firewall:


> get int agg1
Interface aggregate1:
description Connected_to_SW01
number 45, if_info 1474200, if_index 0, mode nat
link up, phy-link up/full-duplex/auto
status change:3, last change:08/16/2011 13:09:36
Aggregate port has 3 members: ethernet1/1; ethernet1/2; ethernet1/3;
vsys Root, zone Trust, vr trust-vr, vsd 0
dhcp client disabled
*ip 0.0.0.0/0 mac 0026.8895.d02d
*manage ip 0.0.0.0, mac 0026.8895.d02d
aggregate bandwidth: physical 3000Mbps, configured 3000Mbps

SSG series firewalls and NetScreen series firewalls other than NetScreen-5000 series do not
have this possibility.
