Skip to content
MikroTik RouterOS Docs

RouterOS Bonding and Link Aggregation

RouterOS Bonding and Link Aggregation

Section titled “RouterOS Bonding and Link Aggregation”

RouterOS bonding combines two or more Ethernet interfaces into a single logical interface. Depending on mode, bonding provides redundancy, increased aggregate throughput across flows, or both.

Choosing a Mode

Section titled “Choosing a Mode”
ModeUse caseSwitch requirement
802.3adBandwidth aggregation with dynamic negotiationLACP on peer
active-backupFailover redundancy with no switch coordinationNone
balance-rrRound-robin throughput (accepts reordering)Static LAG on peer

The key distinction: active-backup uses only one link at a time — backup links carry no traffic until failover. 802.3ad distributes flows across all member links simultaneously using LACP. balance-rr sends packets sequentially across members without flow awareness.

Prerequisites

Section titled “Prerequisites”

Slave interfaces must be clean before adding them to a bond:

  • No IP addresses assigned
  • Not members of a bridge
  • Not configured as VLAN parents
# Remove IPs from future slave interfaces
/ip address remove [find interface=ether1]
/ip address remove [find interface=ether2]


# Remove from bridge if currently a bridge port
/interface bridge port remove [find interface=ether1]
/interface bridge port remove [find interface=ether2]

Once added as bond slaves, do not configure IP addresses or bridge membership on the slave interfaces directly — use the bond interface instead.

802.3ad (LACP) Mode

Section titled “802.3ad (LACP) Mode”

How It Works

Section titled “How It Works”

802.3ad uses the Link Aggregation Control Protocol (LACP) to dynamically negotiate a Link Aggregation Group (LAG) with the peer. Both sides exchange Link Aggregation Control Protocol Data Units (LACPDUs) to agree on which ports are active members. Traffic is distributed across active ports using a hash of flow identifiers.

LACP requires the peer switch to also run LACP. If either side is misconfigured, ports fall back to individual (single-link) operation.

RouterOS Configuration

Section titled “RouterOS Configuration”
/interface bonding
add name=bond-lacp \
    mode=802.3ad \
    slaves=ether1,ether2 \
    lacp-rate=1sec \
    transmit-hash-policy=layer-2-and-3 \
    link-monitoring=mii \
    mii-interval=100ms

Assign the IP to the bond interface, not the slaves:

/ip address add address=10.0.0.1/24 interface=bond-lacp

LACP Parameters

Section titled “LACP Parameters”

lacp-rate — how often LACPDUs are exchanged:

ValueIntervalUse when
1secEvery 1 secondFaster failure detection (recommended)
30secsEvery 30 secondsPeer switch requires slow rate

lacp-mode — negotiation role (RouterOS 7.x):

ValueBehavior
activeInitiates LACP negotiation (default, recommended)
passiveResponds only — both ends passive will not form a LAG

lacp-user-key — an administrative key (0–65535) to partition which ports can aggregate together. Ports with different keys will not form a LAG even if physically connected.

Transmit Hash Policy

Section titled “Transmit Hash Policy”

The hash policy determines which member link carries a given flow. Because RouterOS can only control outbound hashing, inbound distribution depends on the peer switch’s own configuration.

PolicyFields hashedBest for
layer-2Source + destination MACSimple L2 switching environments
layer-2-and-3MAC + IP addressesMixed L2/L3 traffic (default)
layer-3-and-4IP + TCP/UDP port numbersHigh-flow-count environments

Single-flow limit: A single TCP or UDP connection always travels on one member link. Aggregate throughput gains appear only across multiple simultaneous flows to different destinations.

# Switch to layer-3-and-4 for better distribution on a routing device
/interface bonding set bond-lacp transmit-hash-policy=layer-3-and-4

Partner Switch Configuration

Section titled “Partner Switch Configuration”

Cisco IOS / IOS-XE

Section titled “Cisco IOS / IOS-XE”
interface GigabitEthernet0/1
 channel-group 1 mode active
 no shutdown


interface GigabitEthernet0/2
 channel-group 1 mode active
 no shutdown


interface Port-channel1
 switchport mode trunk
 switchport trunk allowed vlan all

Both member ports must have identical VLAN configuration, MTU, speed, and duplex. Mixed-speed ports will not aggregate.

Cisco NX-OS

Section titled “Cisco NX-OS”
feature lacp


interface Ethernet1/1-2
  channel-group 1 mode active
  no shutdown


interface port-channel1
  switchport mode trunk

Juniper

Section titled “Juniper”
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 aggregated-ether-options lacp periodic fast
set interfaces ge-0/0/0 ether-options 802.3ad ae0
set interfaces ge-0/0/1 ether-options 802.3ad ae0

Generic Requirements

Section titled “Generic Requirements”

Regardless of vendor, the partner switch must meet these requirements:

RequirementDetail
LAG protocolLACP dynamic (not static)
LACP modeAt least one end must be active; passive/passive will not form
Member port settingsIdentical speed, duplex, MTU on all member ports
VLAN/trunk configAll member ports must have identical VLAN membership
LACP rateMust be compatible with lacp-rate configured in RouterOS

Active-Backup Mode

Section titled “Active-Backup Mode”

How It Works

Section titled “How It Works”

Active-backup keeps one slave forwarding traffic while the others remain in standby. The bond interface presents a single MAC address to the network. On link failure, RouterOS promotes the next available slave — no switch-side coordination is required.

Because the bond’s MAC stays constant (by default equal to the first slave’s MAC), failover is invisible to the upstream switch. The switch MAC table does not need to update.

RouterOS Configuration

Section titled “RouterOS Configuration”
/interface bonding
add name=bond-ab \
    mode=active-backup \
    slaves=ether3,ether4 \
    primary=ether3 \
    link-monitoring=mii \
    mii-interval=100ms

primary sets the preferred active slave. RouterOS returns to this interface when it recovers (default primary-reselect behavior is always).

Failover Behavior

Section titled “Failover Behavior”

When the active slave loses link:

  1. MII or ARP monitoring detects the failure within one mii-interval or arp-interval cycle.
  2. RouterOS selects the next available slave in the slaves list (or the one marked primary if it is available).
  3. Traffic resumes on the new active slave within milliseconds.
  4. An unsolicited ARP is sent from the bond interface to update switches and remote hosts.

MAC address handling:

By default (fail-over-mac=none), all slaves share the bond’s MAC address. This prevents upstream switch port-security violations when the active port changes. Optionally:

fail-over-macBehavior
noneBond MAC assigned to all slaves (default, recommended)
activeActive slave uses its own MAC; bond MAC changes on failover
followAll slaves follow the active slave’s MAC

Warning: Some switches flag MAC address changes on a port as a security violation (port-security). If using fail-over-mac=active, verify the upstream switch permits MAC changes.

Section titled “Requiring Multiple Links Up”
# Bond goes down unless at least 2 slaves are active
/interface bonding set bond-ab min-links=2

This is useful for active-backup bonds where you want the entire bond to fail (triggering a routing failover) rather than limp along on a degraded single link.

Switch-Side Requirements

Section titled “Switch-Side Requirements”

Active-backup requires no LAG configuration on the switch. Each slave connects to the switch as an independent access or trunk port. The switch sees two normal ports — only one carries traffic at any given time.

Balance-RR Mode

Section titled “Balance-RR Mode”

How It Works

Section titled “How It Works”

Balance round-robin (balance-rr) distributes outbound packets across slaves sequentially — first packet on ether1, second on ether2, third on ether1, and so on. This can increase aggregate throughput but causes out-of-order packet delivery, which TCP handles through reordering but with some performance cost.

RouterOS Configuration

Section titled “RouterOS Configuration”
/interface bonding
add name=bond-rr \
    mode=balance-rr \
    slaves=ether5,ether6 \
    link-monitoring=mii \
    mii-interval=100ms

Switch-Side Requirements

Section titled “Switch-Side Requirements”

Critical: balance-rr does not use LACP. The peer switch must use static port aggregation with no LACP.

VendorStatic aggregation
Ciscochannel-group X mode on (no LACP)
JuniperUse force-up on ae interface instead of LACP
GenericDisable LACP; enable static trunk/LAG

If the switch has LACP enabled while RouterOS uses balance-rr, the switch will reject or drop packets because the out-of-order delivery pattern conflicts with LACP’s flow expectations, causing instability or packet loss.

Limitations

Section titled “Limitations”
  • Out-of-order delivery may degrade TCP throughput for latency-sensitive connections.
  • Per-flow throughput remains limited to one member link’s bandwidth — balance-rr helps only across many simultaneous flows or with UDP workloads.
  • No hardware offload on CRS switch-chip platforms.
Section titled “Link Monitoring”

Link monitoring detects when a slave interface has failed. Without it, RouterOS cannot trigger failover.

Section titled “MII Monitoring (Recommended)”

MII monitoring reads the physical link state directly from the NIC driver. It detects a cable unplug or switch port shutdown within one interval.

# In the bonding configuration
link-monitoring=mii
mii-interval=100ms    # Check every 100ms (default)

MII is the recommended method because it is deterministic, low-overhead, and works for all bonding modes.

ARP Monitoring

Section titled “ARP Monitoring”

ARP monitoring sends ARP requests to one or more target IP addresses. The slave is considered up only if ARP replies arrive. This detects failures beyond the physical link (e.g., a misconfigured upstream device that has link but cannot route).

link-monitoring=arp
arp-interval=200ms
arp-ip-targets=10.0.0.254

Multiple targets can be specified (comma-separated). The slave is considered up if any target responds.

Note: ARP monitoring does not work reliably with 802.3ad mode. Use MII for LACP bonds.

Combining MII and ARP

Section titled “Combining MII and ARP”

RouterOS allows both:

link-monitoring=arp+mii
arp-interval=200ms
arp-ip-targets=10.0.0.254
mii-interval=100ms

A slave is considered down only if both conditions indicate failure. Useful for active-backup WAN uplinks where you want to detect routing failures, not just physical link drops.

Monitoring and Verification

Section titled “Monitoring and Verification”

Bond Status Overview

Section titled “Bond Status Overview”
/interface bonding monitor bond-lacp

Key fields in the output:

FieldDescription
modeActive bonding mode
active-portsSlaves currently forwarding traffic
inactive-portsSlaves in standby or down
lacp-system-idNegotiated LACP system MAC (802.3ad only)
lacp-system-priorityLACP system priority (802.3ad only)

Live Monitoring

Section titled “Live Monitoring”
# Continuous monitoring (Ctrl+C to stop)
/interface bonding monitor bond-lacp


# Single snapshot
/interface bonding monitor bond-lacp once

Slave Status

Section titled “Slave Status”
# Show each slave's link state
/interface bonding monitor-slaves bond-lacp

LACP Negotiation Details

Section titled “LACP Negotiation Details”
# View actor and partner LACP state per port
/interface bonding lacp print detail

Fields to verify in LACP output:

FieldExpectedIssue if wrong
partner-system-idNon-zero MACLACP not reaching peer
distributingyesPort is not in LAG — check config mismatch
collectingyesPort not receiving — check physical/VLAN
defaultednoyes means peer LACP PDUs not received
expirednoyes means PDU timeout — check lacp-rate match

Traffic Statistics

Section titled “Traffic Statistics”
# Per-interface byte/packet counters
/interface print stats where name~"ether1|ether2"


# Bond-level statistics
/interface print stats where name=bond-lacp

Compare bytes-sent across slave interfaces to verify traffic distribution. Significant imbalance suggests a hash policy mismatch or that traffic is dominated by a small number of flows.

Troubleshooting

Section titled “Troubleshooting”

LACP Not Forming (No Active Ports)

Section titled “LACP Not Forming (No Active Ports)”

Symptoms: active-ports is empty; defaulted=yes in LACP detail.

Checklist:

  1. Both sides must run LACP — static aggregation on the switch will not pair with 802.3ad on RouterOS.
  2. At least one end must be in active mode — passive/passive will not initiate negotiation.
  3. Verify lacp-rate matches on both ends, or that the switch accepts the rate RouterOS sends.
  4. Check physical-layer: all member ports must have identical speed, duplex, and MTU.
  5. Check logs: /log print where message~"bond\|lacp\|link"

Only One Port Active in 802.3ad

Section titled “Only One Port Active in 802.3ad”

Symptoms: active-ports shows one port; others are inactive.

Causes:

  • The switch has the ports in different port-channel groups.
  • MTU or VLAN mismatch on one member port.
  • lacp-user-key differs between ports on the RouterOS side.

Fix: Verify all member ports on both sides share the same channel-group/aggregation ID, identical VLAN config, and matching MTU.

Low Throughput Despite Multiple Ports

Section titled “Low Throughput Despite Multiple Ports”

Symptoms: Bond has 2× 1G slaves but throughput is limited to ~1G.

Cause: Traffic is dominated by a single flow (single TCP session). One flow maps to one hash bucket and uses only one member link.

Fix: Adjust transmit-hash-policy=layer-3-and-4 for better distribution across more flows. Verify multiple simultaneous flows exist in the traffic pattern.

Active-Backup Not Failing Over

Section titled “Active-Backup Not Failing Over”

Symptoms: Active slave goes down; traffic stops instead of switching to backup.

Checklist:

  1. Verify link-monitoring=mii or link-monitoring=arp is configured — monitoring disabled means no failover detection.
  2. Ensure the backup slave is not carrying an IP address or bridge port assignment directly.
  3. Check that min-links is not set higher than the number of available slaves.
  4. Confirm the backup slave itself shows link up: /interface print where name=ether4

Switch Security Violation on Failover

Section titled “Switch Security Violation on Failover”

Symptoms: After active-backup failover, traffic stops; switch logs show port-security violation.

Cause: The switch saw a new MAC address appear on a port it had previously associated with a different MAC.

Fix: Use fail-over-mac=none (default) so the bond MAC does not change on failover. Or configure the switch to allow MAC address changes on the relevant ports.

Packet Loss with balance-rr

Section titled “Packet Loss with balance-rr”

Symptoms: Reachability drops intermittently; switch shows errors.

Cause: Switch has LACP enabled and is rejecting out-of-order packets from balance-rr.

Fix: Disable LACP on the switch side and configure static aggregation (mode on in Cisco terms).

Using the Bond Interface

Section titled “Using the Bond Interface”

Once the bond is configured, use it like any physical interface:

# Route with bond as uplink
/ip address add address=203.0.113.1/30 interface=bond-lacp


# Add bond to a bridge
/interface bridge port add bridge=br-main interface=bond-lacp


# VLAN on top of bond
/interface vlan add name=vlan100 vlan-id=100 interface=bond-lacp
Section titled “Related Documentation”