LACP and Active-Backup Bonding
RouterOS bonding combines multiple physical Ethernet interfaces into one logical interface. Two modes dominate real-world deployments: active-backup for transparent failover and 802.3ad (LACP) for bandwidth aggregation. This guide covers both in depth, including switch-side configuration, LACP negotiation parameters, and monitoring.
For a reference of all seven bonding modes and all properties, see Bonding. For complete worked examples, see Bonding Examples.
Choosing a Mode
| Need | Recommended Mode |
|---|---|
| Failover with no switch coordination required | active-backup |
| Bandwidth aggregation with a managed switch | 802.3ad (LACP) |
| Static LAG without LACP protocol overhead | balance-xor |
| Highest throughput, packet reordering acceptable | balance-rr |
The most important distinction: active-backup uses only one link at a time — backup links carry no traffic until failover occurs. LACP uses all links simultaneously, distributing flows by hash.
Active-Backup
Active-backup activates exactly one slave at a time. When the active link fails, the bonding driver promotes a standby slave and traffic resumes. No switch configuration is needed — the connected switch sees a single MAC address at any moment.
Basic Setup
```
# Create the bond with ether1 as preferred primary
/interface bonding
add name=bond1 mode=active-backup slaves=ether1,ether2 primary=ether1 \
    link-monitoring=mii mii-interval=100ms

# Assign address to the bonded interface, not the physical ports
/ip address add address=10.0.1.1/24 interface=bond1
```

The primary parameter designates which slave is preferred when both links are up. When the primary recovers after a failure, it automatically reassumes active status.
MAC Failover Behavior
By default, the bond MAC address changes to match whichever slave becomes active. This causes a brief disruption as connected switches update their MAC tables. To maintain the primary interface MAC throughout failover:

```
/interface bonding set bond1 fail-over-mac=active
```

With fail-over-mac=active, the bond always presents the primary interface MAC. Connected switches see no MAC change on failover, producing more transparent behavior.
Requiring Multiple Links Up
The min-links parameter prevents the bond from coming up unless a minimum number of slaves are active. Use this to avoid operating on a degraded configuration:

```
# Bond stays down unless at least 1 slave is up (default: 0 = no minimum)
/interface bonding set bond1 min-links=1
```

Link Monitoring for Active-Backup
MII monitoring is recommended for active-backup on direct connections. It checks physical carrier state and detects failures within one mii-interval.
```
/interface bonding set bond1 link-monitoring=mii mii-interval=50ms
```

For upstream path validation (detecting failures beyond the immediate link), use ARP monitoring with a reachable target:

```
/interface bonding set bond1 link-monitoring=arp arp-interval=100ms \
    arp-ip-targets=10.0.1.254
```

ARP monitoring marks a slave active when it receives any packet (not only ARP replies), so any traffic from the target keeps the link alive.
802.3ad (LACP)
LACP (Link Aggregation Control Protocol) forms a Link Aggregation Group (LAG) dynamically by exchanging LACP PDUs with the connected switch. All member links carry traffic simultaneously, with flows distributed by a hash of packet headers.
A single TCP/UDP flow always maps to one physical member — LACP increases bandwidth across multiple concurrent flows, not the throughput of a single connection.
Basic Setup
```
/interface bonding
add name=bond-lacp mode=802.3ad slaves=ether1,ether2,ether3,ether4 \
    lacp-rate=1sec transmit-hash-policy=layer-2-and-3 \
    link-monitoring=mii mii-interval=100ms

/ip address add address=10.0.2.1/24 interface=bond-lacp
```

LACP Negotiation Parameters
lacp-rate
Controls how frequently LACP PDUs are exchanged with the peer.
| Value | PDU interval | Failover detection |
|---|---|---|
| 30secs | Every 30 s | ~90 s (default) |
| 1sec | Every 1 s | ~3 s |
Set lacp-rate=1sec whenever fast failover matters. Both sides must agree — if RouterOS sends fast PDUs and the switch expects slow, the LAG may not form or will cycle.
```
/interface bonding set bond-lacp lacp-rate=1sec
```

lacp-mode
Controls whether RouterOS actively initiates LACP negotiation or waits for the peer to initiate.
| Value | Behavior |
|---|---|
| active | Sends LACP PDUs unconditionally (default) |
| passive | Sends LACP PDUs only in response to peer PDUs |
Two passive endpoints will never form a LAG. If unsure of the switch configuration, leave RouterOS in active mode.
```
/interface bonding set bond-lacp lacp-mode=active
```

lacp-user-key
Available in RouterOS v7.3+. Sets the upper 10 bits of the LACP port key, allowing multiple LAGs to coexist on one device without key collision.
```
/interface bonding set bond-lacp lacp-user-key=1
```

Transmit Hash Policy
The hash policy determines which physical link carries each flow. A poor hash produces uneven distribution; a flow-aware hash spreads traffic better.
| Policy | Inputs | Best for |
|---|---|---|
| layer-2 | Src+dst MAC | L2 switching environments |
| layer-2-and-3 | MAC + IP | Mixed L2/L3 traffic (recommended default) |
| layer-3-and-4 | IP + port | Environments with many flows to same destinations |
| encap-2-and-3 | Inner MAC+IP for tunnels | VXLAN/GRE encapsulated traffic |
| encap-3-and-4 | Inner IP+port for tunnels | Encapsulated flows |
```
/interface bonding set bond-lacp transmit-hash-policy=layer-2-and-3
```

On devices with hardware offloading (CRS3xx, CRS5xx, CCR2116, CCR2216), the hash policy is fixed by the switch chip and cannot be changed manually.
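To see why the hash inputs matter, this added example (not RouterOS code) models two of the policies with simplified XOR formulas patterned on older Linux kernel bonding documentation, an assumption standing in for whatever RouterOS or a switch chip actually computes. The MAC and IP addresses are constructed: 1000 flows that all cross the same router pair.

```python
# Added illustration: the hash formulas are a stand-in, not RouterOS internals.
from collections import Counter
import ipaddress
import random

def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)

def hash_layer2(flow: dict, n_links: int) -> int:
    # layer-2: source MAC XOR destination MAC
    return (mac_to_int(flow["src_mac"]) ^ mac_to_int(flow["dst_mac"])) % n_links

def hash_layer3_4(flow: dict, n_links: int) -> int:
    # layer-3-and-4: (sport XOR dport) XOR low 16 bits of (src IP XOR dst IP)
    ip_xor = int(ipaddress.ip_address(flow["src_ip"])) ^ int(ipaddress.ip_address(flow["dst_ip"]))
    return ((flow["sport"] ^ flow["dport"]) ^ (ip_xor & 0xFFFF)) % n_links

def distribution(flows: list, policy, n_links: int) -> list:
    # Number of flows pinned to each member link
    counts = Counter(policy(f, n_links) for f in flows)
    return [counts.get(i, 0) for i in range(n_links)]

def routed_flows(count: int, seed: int = 1) -> list:
    # Constructed sample: routed traffic, so both MAC addresses never change
    rng = random.Random(seed)
    return [{
        "src_mac": "02:00:00:00:00:01", "dst_mac": "02:00:00:00:00:02",
        "src_ip": f"10.0.2.{rng.randint(2, 250)}", "dst_ip": "10.0.9.10",
        "sport": rng.randint(1024, 65535), "dport": 443,
    } for _ in range(count)]

if __name__ == "__main__":
    flows = routed_flows(1000)
    for name, policy in (("layer-2", hash_layer2), ("layer-3-and-4", hash_layer3_4)):
        print(f"{name:14} flows per link: {distribution(flows, policy, 4)}")
```

With MAC-only hashing every flow lands on one member, which is the symptom described under "LAG Forms But Only One Link Carries Traffic"; adding IP and port inputs spreads the same flows across all four links.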
Switch-Side Configuration
LACP requires matching configuration on the connected managed switch. The RouterOS bond will not aggregate until the switch forms the LAG.
Cisco IOS / IOS-XE (EtherChannel with LACP):
```
interface GigabitEthernet1/0/1
 channel-group 1 mode active
!
interface GigabitEthernet1/0/2
 channel-group 1 mode active
!
interface Port-channel1
 description RouterOS LACP bond
```

Both ends in active mode is valid and recommended. mode passive on the switch works only if RouterOS is active.

Cisco NX-OS (Port-channel with LACP):

```
feature lacp
!
interface Ethernet1/1
  channel-group 1 mode active
interface Ethernet1/2
  channel-group 1 mode active
!
interface port-channel1
  description RouterOS LACP bond
```

Juniper EX / QFX:

```
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 aggregated-ether-options lacp periodic fast
set interfaces ge-0/0/0 ether-options 802.3ad ae0
set interfaces ge-0/0/1 ether-options 802.3ad ae0
```

Use periodic fast to match RouterOS lacp-rate=1sec.
Generic / vendor-neutral checklist:
- All member ports must operate at the same speed and duplex
- Member ports must be in the same VLAN or trunk configuration
- Switch must have LACP enabled on the port-channel (not static/manual LAG)
- LACP rate (fast/slow) must match on both sides
- System priority and port priorities rarely need tuning outside multi-chassis scenarios
LACP on MikroTik-to-MikroTik Links
When bonding between two RouterOS devices directly, configure both sides identically:

```
# Both routers
/interface bonding
add name=bond-lacp mode=802.3ad slaves=ether1,ether2 \
    lacp-rate=1sec transmit-hash-policy=layer-2-and-3 \
    link-monitoring=mii mii-interval=100ms
```

One side may be lacp-mode=passive if desired, but active on both is fine.
Monitoring Bonded Links
Bond Status Overview

```
/interface bonding print detail
```

Shows configuration, active slaves, and whether the bond is running.
Live Monitoring
```
/interface bonding monitor bond1
```

Key fields in the output:
| Field | Meaning |
|---|---|
| active-ports | Currently carrying traffic |
| inactive-ports | Standby or failed members |
| lacp-partner-system-id | Partner switch system MAC (802.3ad only) |
| lacp-partner-key | Partner aggregation key (must match) |
For continuous monitoring:
```
/interface bonding monitor bond1 interval=1 count=30
```

Slave Status

```
/interface bonding monitor-slaves bond1
```

Shows per-slave state including link status and LACP negotiation state for each member port.
LACP Negotiation Details
```
/interface bonding lacp print detail
```

Shows actor and partner system IDs, keys, port priorities, and PDU counters per slave. Use this to verify the switch is responding and keys match.
If lacp-partner-system-id is all zeros, the peer is not sending LACP PDUs — check that LACP is enabled on the switch port-channel.
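The actor and partner values discussed above travel in the LACPDUs themselves. As an added example (not RouterOS code), this Python decoder reads the actor and partner blocks of an LACPDU as laid out in IEEE 802.3ad and flags an unlearned partner, a passive sender, and a timing mismatch. The sample frame, the MAC addresses and all function names are constructed for illustration.

```python
import struct

SLOW_PROTOCOLS = 0x8809  # EtherType carrying LACP (slow protocols, subtype 1)
FLAGS = ["activity", "timeout", "aggregation", "synchronization",
         "collecting", "distributing", "defaulted", "expired"]
INFO = "!BBH6sHHHB3x"    # type, length, sys priority, system MAC, key, port priority, port, state

def parse_info(tlv: bytes, expected_type: int) -> dict:
    tlv_type, length, _prio, mac, key, _pprio, port, state = struct.unpack(INFO, tlv)
    if (tlv_type, length) != (expected_type, 20):
        raise ValueError("actor/partner TLV not where expected")
    return {"system_id": mac.hex(":"), "key": key, "port": port,
            "flags": {name: bool(state >> bit & 1) for bit, name in enumerate(FLAGS)}}

def parse_lacpdu(frame: bytes) -> dict:
    if len(frame) < 56:
        raise ValueError("frame too short for an LACPDU")
    ethertype, subtype = struct.unpack("!HB", frame[12:15])
    if ethertype != SLOW_PROTOCOLS or subtype != 1:
        raise ValueError("not an LACPDU")
    return {"actor": parse_info(frame[16:36], 1), "partner": parse_info(frame[36:56], 2)}

def findings(pdu: dict, local_rate: str) -> list:
    # Checks mirror the troubleshooting points on this page, seen from the sender's PDU
    out = []
    if pdu["partner"]["system_id"] == "00:00:00:00:00:00":
        out.append("sender has learned no partner: it is not receiving our LACPDUs")
    if not pdu["actor"]["flags"]["activity"]:
        out.append("sender is passive: the local side must be lacp-mode=active")
    sender_rate = "1sec" if pdu["actor"]["flags"]["timeout"] else "30secs"
    if sender_rate != local_rate:
        out.append(f"sender timing is {sender_rate}, local lacp-rate is {local_rate}")
    return out

def sample_frame(actor_state: int, partner_mac: bytes) -> bytes:
    # Constructed frame (not a capture): switch 02:00:00:aa:00:01, key 1, port 1
    switch = bytes.fromhex("020000aa0001")
    eth = bytes.fromhex("0180c2000002") + switch + struct.pack("!H", SLOW_PROTOCOLS)
    actor = struct.pack(INFO, 1, 20, 32768, switch, 1, 32768, 1, actor_state)
    partner = struct.pack(INFO, 2, 20, 32768, partner_mac, 0, 0, 0, 0)
    collector = struct.pack("!BBH12x", 3, 16, 0)
    return eth + b"\x01\x01" + actor + partner + collector + bytes(52)

if __name__ == "__main__":
    stuck = parse_lacpdu(sample_frame(0x44, bytes(6)))  # passive, long timeout, defaulted
    for line in findings(stuck, local_rate="1sec"):
        print("-", line)
```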
Traffic Statistics
```
/interface bonding print stats
/interface print stats where name~"ether"
```

Compare rx/tx counters on individual member interfaces to assess distribution. Severely uneven distribution indicates a hash policy mismatch — adjust transmit-hash-policy or the switch hash algorithm.
Troubleshooting
LAG Forms But Only One Link Carries Traffic
The switch is likely using a hash policy that maps all flows from this source to one port. Try changing transmit-hash-policy to layer-3-and-4 and confirm the switch uses a similar algorithm. Some switches default to source-MAC only hashing.
LACP Not Forming (Bond Shows No Active LACP Ports)
- Verify switch has LACP enabled on the correct port-channel, not static LAG
- Confirm lacp-rate matches the switch fast/slow setting
- Check that all member ports are the same speed and duplex
- Run /interface bonding lacp print detail — zero partner system ID means no PDUs received from switch
- Verify member interfaces are physical ports, not VLANs or bridges
Active-Backup Not Failing Over
- Confirm link-monitoring is set: link-monitoring=mii or link-monitoring=arp
- With MII monitoring, verify the driver reports carrier state correctly using /interface ethernet print detail
- With ARP monitoring, confirm the target IP is reachable and responding
- Check mii-interval or arp-interval — intervals that are too long delay detection
Slaves Added as Wrong Interface Type
Bond slaves must be physical Ethernet interfaces. Adding VLAN interfaces, bridge ports, or wireless interfaces as bond slaves causes unpredictable behavior and monitoring failures.

```
# Verify slaves are physical Ethernet
/interface ethernet print where name~"ether"
# All bond slaves should appear here
```

Related Documentation
- Bonding — Complete property reference and all seven modes
- Bonding Examples — Full configuration scenarios
- Multi-Chassis Link Aggregation Group — MLAG for cross-switch LAGs
- VRRP — Gateway-level redundancy independent of bonding