802.1X on Etherchannels

We are deploying ISE and everything seems to be working just fine.
We have a series of servers accessing the network using etherchannels.
We are completely aware that 802.1X is not recommended for Servers but we would like to activate it for a proof of concept.
Is there a way (or work around) to activate 802.1X in a port-channel?
Thanks for your help!

Hello vbuendia, I wonder if we know each other?
802.1x is not supported on port-channels. You can potentially look into SGA for securing servers in your environment.
Here is a snippet from the 15.x configuration guide:
The 802.1x protocol is supported on Layer 2 static-access ports, voice VLAN ports, and Layer 3
routed ports, but it is not supported on these port types:
– Trunk port—If you try to enable 802.1x authentication on a trunk port, an error message
appears, and 802.1x authentication is not enabled. If you try to change the mode of an
802.1x-enabled port to trunk, an error message appears, and the port mode is not changed.
– Dynamic ports—A port in dynamic mode can negotiate with its neighbor to become a trunk
port. If you try to enable 802.1x authentication on a dynamic port, an error message appears,
and 802.1x authentication is not enabled. If you try to change the mode of an 802.1x-enabled
port to dynamic, an error message appears, and the port mode is not changed.
– Dynamic-access ports—If you try to enable 802.1x authentication on a dynamic-access (VLAN
Query Protocol [VQP]) port, an error message appears, and 802.1x authentication is not
enabled. If you try to change an 802.1x-enabled port to dynamic VLAN assignment, an error
message appears, and the VLAN configuration is not changed.
– EtherChannel port—Do not configure a port that is an active or a not-yet-active member of an
EtherChannel as an 802.1x port. If you try to enable 802.1x authentication on an EtherChannel
port, an error message appears, and 802.1x authentication is not enabled.
– Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) destination ports—You can
enable 802.1x authentication on a port that is a SPAN or RSPAN destination port. However,
802.1x authentication is disabled until the port is removed as a SPAN or RSPAN destination
port. You can enable 802.1x authentication on a SPAN or RSPAN source port.
Thank you for rating!
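
The port-type restrictions quoted in the answer above can be checked against a candidate switch configuration before an 802.1X rollout. The following is an added example, not part of the original thread or of any Cisco tool: it classifies each interface by whether 802.1X is enforced, would be rejected, is inactive, or cannot be enabled at all. The sample configuration, the status names and the function names are assumptions made for illustration.

```python
import re

# Constructed sample configuration (not from the thread); names are illustrative.
SAMPLE_CONFIG = """\
monitor session 1 destination interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 switchport mode access
 channel-group 10 mode active
 authentication port-control auto
!
interface GigabitEthernet1/0/3
 switchport mode trunk
 dot1x port-control auto
!
interface GigabitEthernet1/0/4
 switchport mode dynamic desirable
 authentication port-control auto
!
interface GigabitEthernet1/0/5
 switchport mode access
 authentication port-control auto
!
interface GigabitEthernet1/0/6
 switchport access vlan dynamic
 dot1x port-control auto
!
interface GigabitEthernet1/0/7
 switchport mode access
 channel-group 10 mode active
!
interface Port-channel10
 switchport mode access
"""

# Port types the quoted guide lists as refusing 802.1X, keyed by the stanza
# line that identifies them.
BLOCKERS = [
    (r"channel-group \d+ mode \S+", "EtherChannel member"),
    (r"switchport mode trunk", "trunk port"),
    (r"switchport mode dynamic (auto|desirable)", "dynamic (DTP) port"),
    (r"switchport access vlan dynamic", "dynamic-access (VQP) port"),
]
DOT1X_ON = r"(authentication|dot1x) port-control auto"


def short_name(name):
    """Normalise names so GigabitEthernet1/0/5 and Gi1/0/5 compare equal."""
    return re.sub(r"^([A-Za-z]{2})[A-Za-z-]*", r"\1", name).lower()


def dot1x_coverage(config):
    """Return {interface: (status, reason)} for every interface stanza.

    enforced   - 802.1X enabled on a supported port type
    rejected   - 802.1X requested on a type the guide says returns an error
    inactive   - 802.1X configured but held off while the port is a SPAN destination
    ineligible - no 802.1X, and the port type cannot take it
    open       - no 802.1X on a port type that could take it
    """
    span_dst = {short_name(n) for n in re.findall(
        r"(?m)^monitor session \d+ destination interface (\S+)", config)}
    report = {}
    stanzas = re.findall(r"(?m)^interface (\S+)\n((?: .*\n)*)", config + "\n")
    for name, body in stanzas:
        lines = [line.strip() for line in body.splitlines()]
        wants = any(re.fullmatch(DOT1X_ON, line) for line in lines)
        reason = next((why for pattern, why in BLOCKERS
                       if any(re.fullmatch(pattern, line) for line in lines)), None)
        if name.lower().startswith("port-channel"):
            reason = "port-channel interface"
        if wants and reason:
            status = "rejected"
        elif wants and short_name(name) in span_dst:
            status, reason = "inactive", "SPAN/RSPAN destination"
        elif wants:
            status = "enforced"
        elif reason:
            status = "ineligible"
        else:
            status = "open"
        report[name] = (status, reason)
    return report


def uncovered(report):
    """Interfaces where 802.1X is not actually enforcing access."""
    return sorted(n for n, (status, _) in report.items() if status != "enforced")


if __name__ == "__main__":
    for iface, (status, reason) in dot1x_coverage(SAMPLE_CONFIG).items():
        print(f"{iface:24} {status:10} {reason or ''}")
```

Ports reported as ineligible, such as the server-facing EtherChannel members in the question, are the ones that need a different control.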

Similar Messages

  • FWSM Default port channel?

    I'm doing some L2 cleanups across multiple 6509E environments and I've found something consistent that I can't find in documentation.
    On all my pairs of 6509s where I have FWSMs bundled (6509-A has FWSM-1 in Slot 1 and 6509-B has FWSM-2 in Slot 1) I also have a port channel 305. Obviously when I do a "show run" or "show int desc" I don't see anything in slot one. It's a service module. But the port channel is referencing ports 1/1-6. And it's all in service/up. I was about to delete this as I thought it was some leftover config (TEST 6509s) until I went and saw the same things on our PROD 6509s. Can anyone explain this or provide some documentation on it? Is it cosmetic? Necessary? Can I delete it as part of my audit cleanup? Don't want to mess with it even in TEST without some information. Nothing on google that's clear and I can't find anything on CCO.
    6509-1#sho etherch 305 summ
    Flags:  D - down        P - bundled in port-channel
            I - stand-alone s - suspended
            H - Hot-standby (LACP only)
            R - Layer3      S - Layer2
            U - in use      N - not in use, no aggregation
            f - failed to allocate aggregator
            M - not in use, no aggregation due to minimum links not met
            m - not in use, port not aggregated due to minimum links not met
            u - unsuitable for bundling
            d - default port
            w - waiting to be aggregated
    Number of channel-groups in use: 11
    Number of aggregators:           11
    Group  Port-channel  Protocol    Ports
    ------+-------------+-----------+-----------------------------------------------
    305    Po305(SU)        -        Gi1/1(P)       Gi1/2(P)       Gi1/3(P)      
                                     Gi1/4(P)       Gi1/5(P)       Gi1/6(P)      
    Last applied Hash Distribution Algorithm:   -
    6509-1#sho etherch 305 det 
    Group state = L2
    Ports: 6   Maxports = 8
    Port-channels: 1 Max Port-channels = 1
    Protocol:    -
    Minimum Links: 0
                    Ports in the group:
    Port: Gi1/1
    Port state    = Up Mstr In-Bndl
    Channel group = 305         Mode = On      Gcchange = -
    Port-channel  = Po305       GC   =   -         Pseudo port-channel = Po305
    Port index    = 0           Load = 0x41        Protocol =    -
    Age of the port in the current state: 46d:06h:53m:39s
    Port: Gi1/2
    Port state    = Up Mstr In-Bndl
    Channel group = 305         Mode = On      Gcchange = -
    Port-channel  = Po305       GC   =   -         Pseudo port-channel = Po305
    Port index    = 1           Load = 0x02        Protocol =    -
    Age of the port in the current state: 46d:06h:53m:39s
    Port: Gi1/3
    Port state    = Up Mstr In-Bndl
    Channel group = 305         Mode = On      Gcchange = -
    Port-channel  = Po305       GC   =   -         Pseudo port-channel = Po305
    Port index    = 2           Load = 0x04        Protocol =    -
    Age of the port in the current state: 46d:06h:53m:41s
    Port: Gi1/4
    Port state    = Up Mstr In-Bndl
    Channel group = 305         Mode = On      Gcchange = -
    Port-channel  = Po305       GC   =   -         Pseudo port-channel = Po305
    Port index    = 3           Load = 0x88        Protocol =    -
    Age of the port in the current state: 46d:06h:53m:41s
    Port: Gi1/5
    Port state    = Up Mstr In-Bndl
    Channel group = 305         Mode = On      Gcchange = -
    Port-channel  = Po305       GC   =   -         Pseudo port-channel = Po305
    Port index    = 4           Load = 0x10        Protocol =    -
    Age of the port in the current state: 46d:06h:53m:41s
    Port: Gi1/6
    Port state    = Up Mstr In-Bndl
    Channel group = 305         Mode = On      Gcchange = -
    Port-channel  = Po305       GC   =   -         Pseudo port-channel = Po305
    Port index    = 5           Load = 0x20        Protocol =    -
    Age of the port in the current state: 46d:06h:53m:41s
                    Port-channels in the group:
    Port-channel: Po305
    Age of the Port-channel   = 46d:06h:55m:56s
    Logical slot/port   = 14/11          Number of ports = 6
    GC                  = 0x00000000      HotStandBy port = null
    Port state          = Port-channel Ag-Inuse
    Protocol            =    -
    Fast-switchover     = disabled
    Load share deferral = disabled  
    Ports in the Port-channel:
    Index   Load   Port     EC state        No of bits
    ------+------+------+------------------+-----------
      0     41     Gi1/1    On    2
      1     02     Gi1/2    On    1
      2     04     Gi1/3    On    1
      3     88     Gi1/4    On    2
      4     10     Gi1/5    On    1
      5     20     Gi1/6    On    1
    Time since last port bundled:    46d:06h:53m:41s    Gi1/6
    Last applied Hash Distribution Algorithm:   -
    NOC-SW-ITEST-AGG1#

    The connection between the FWSM and the switch is a 6-GB 802.1Q trunking EtherChannel. This EtherChannel is automatically created when you install the FWSM.
    http://cisconetwork.org.ua/1587051893/ch04lev1sec1.html
    http://www.cisco.com/en/US/docs/security/fwsm/fwsm23/configuration/guide/switch.pdf
    Thanks
    Ajay

  • Cat6509 Etherchannel to AIX

    Due to the following log messages last Friday night and discovering our AIX connections are Link Aggregated, I am attempting to connect 4 ports to AIX VIO servers using etherchannel. Have not had any success as of yet.
    sh log | i %MAC_MOVE-SP-4-NOTIF
    Jan 25 16:13:06: %MAC_MOVE-SP-4-NOTIF: Host 0a5d.3c1e.8002 in vlan 1 is flapping between port Gi2/19 and port Gi2/20 - 172.25.3.44
    Jan 25 16:13:06: %MAC_MOVE-SP-4-NOTIF: Host 0a5d.3e72.4902 in vlan 1 is flapping between port Gi2/19 and port Gi2/20 - 172.25.3.31
    Jan 25 16:13:06: %MAC_MOVE-SP-4-NOTIF: Host 0a5d.3ade.7902 in vlan 1 is flapping between port Gi2/19 and port Gi2/20 - 172.25.3.41
    Anyone have knowledge or experience with this? Thank you ahead for any assistance.
    Configuration: Cat6509
    int port-channel 23
    switchport
    switchport mode access
    no sh
    int Gi2/22
    switchport
    switchport mode access
    switchport access vlan 1
    spanning-tree portfast
    channel-group 23 mode active
    int Gi2/24
    switchport
    switchport mode access
    switchport access vlan 1
    spanning-tree portfast
    channel-group 23 mode active
    Configuration: AIX
    EtherChannel / Link Aggregation: ent5
    Status: Available
    Attributes:
    adapter_names   ent0,ent1      EtherChannel Adapters
    alt_addr  0x000000000000       Alternate EtherChannel Address
    auto_recovery   yes                 Enable automatic recovery after failover
    backup_adapter  NONE           Adapter used when whole channel fails
    hash_mode       default            Determines how outgoing adapter is chosen
    interval        long                     Determines interval value for IEEE 802.3ad mode
    mode            standard             EtherChannel mode of operation
    netaddr         0                        Address to ping
    noloss_failover yes                  Enable lossless failover after ping failure
    num_retries     3                     Times to retry ping before failing
    retry_time      1                      Wait time (in seconds) between pings
    use_alt_addr    no                   Enable Alternate EtherChannel Address
    use_jumbo_frame no               Enable Gigabit Ethernet Jumbo Frames

    Hi,
    The configuration you've applied to the switches is to enable a standards based Cisco EtherChannel i.e., IEEE 802.3ad (now IEEE 802.1ax) using the Link Aggregation Control Protocol (LACP).
    From reading the IBM AIX Configuring an EtherChannel documentation, the way I understand the AIX configuration you've pasted above, it's not running IEEE 802.3ad Link Aggregation with LACP. I believe mode is the important setting here, and the aforementioned document states the following:
    Mode: You can choose from the following modes:
    standard: In this mode the EtherChannel uses an algorithm to choose which adapter it will send the packets out on. The algorithm consists of taking a data value, dividing it by the number of adapters in the EtherChannel, and using the remainder (using the modulus operator) to identify the outgoing link. The Hash Mode value determines which data value is fed into this algorithm (see the Hash Mode attribute for an explanation of the different hash modes). For example, if the Hash Mode is standard, it will use the packet's destination IP address. If this is 10.10.10.11 and there are 2 adapters in the EtherChannel, (1 / 2) = 0 with remainder 1, so the second adapter is used (the adapters are numbered starting from 0). The adapters are numbered in the order they are listed in the SMIT menu. This is the default operation mode.
    round_robin: In this mode the EtherChannel will rotate through the adapters, giving each adapter one packet before repeating. The packets may be sent out in a slightly different order than they were given to the EtherChannel, but it will make the best use of its bandwidth. It is an invalid combination to select this mode with a Hash Mode other than default. If you choose the round-robin mode, leave the Hash Mode value as default.
    netif_backup: To enable Network Interface Backup Mode, you can configure multiple adapters in the primary EtherChannel and a backup adapter. For more information, see Configuring Network Interface Backup.
    8023ad: This option enables the use of the IEEE 802.3ad Link Aggregation Control Protocol (LACP) for automatic link aggregation. For more details about this feature, see IEEE 802.3ad Link Aggregation configuration.
    You may want to check with the server team again and confirm that they have the same understanding of an aggregate link as you have. With the setup you've shown applied to the Catalyst switch I think they should be running the AIX server with the mode configured as 802.3ad.
    Regards

  • Split Etherchannel Clusters

    I am looking for documentation on how to set up a series of "split Etherchannel" connections. I believe that this can be done with 802.3ad (LACP), but I need some specific documentation on the subject.
    In a split LACP environment, an Etherchannel group is divided between two core switches and those core switches coordinate L2 communication via an Inter-Switch Trunk. I need to be able to "layer" this configuration to create a "cluster of clusters".
    See the attached diagram.
    I need to understand the proper Cisco terminology for this structure, and I need a reference to documentation on how to set it up using 6500 switches as the "core".
    Thanks.

    LACP is the IEEE, standardized, version of PAgP (Cisco's proprietary portAggregationProtocol).
    As with PAgP, LACP cannot be configured to create an etherChannel bundle of links divided across multiple switches.
    A LACP channel must be comprised of ports with the same parameters, within a single chassis. You cannot create an etherChannel with 2 ports from SwitchA bundled with 2 ports from SwitchB to another endpoint (switch3).
    see this link for more info on etherChannel configuration:
    http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007e6d3.html

  • ASA5550 port channel configuration ERROR: nameif not allowed on empty etherchannel interface

    Hi All,
    I am having a problem when configuring a port channel on asa5550
    IOS ver asa914-k8.bin also in ver 9.02   and 8.47.
    Please let me know how can I solve this problem.
    UK-LON-FW(config)# int port-channel 3
    UK-LON-FW(config-if)# vlan 245
                           ^
    ERROR: % Invalid input detected at '^' marker.
    UK-LON-FW(config-if)# nameif secure
    ERROR: nameif not allowed on empty etherchannel interface.
    UK-LON-FW(config-if)#
    here is my interfaces configuration:
    interface GigabitEthernet0/0
    description fw1:G0/0 to uk-lon-gw1:e1/8 fw2:G0/0 to uk-lon-gw2:e1/9 outside zone
    channel-group 1 mode on
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/1
    description fw1:G0/1 to uk-lon-gw2:e1/8 fw2:G0/1 to uk-lon-gw1:e1/9 outside zone
    channel-group 1 mode on
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/2
    description fw1:G0/2 to uk-lon-sw1a:1 fw2:G0/2 to uk-lon-sw1a:2 dmz
    channel-group 2 mode on
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/3
    description fw1:G0/3 to uk-lon-sw1b: fw2:G0/3 to uk-lon-sw1b:2 dmz
    channel-group 2 mode on
    no nameif   
    no security-level
    no ip address
    interface Management0/0
    management-only
    nameif management
    security-level 0
    ip address 10.10.51.18 255.255.254.0
    interface GigabitEthernet1/0
    description fw1:G1/0 to uk-lon-sw1a:3 fw2:G1/0 to uk-lon-sw1a:4 secure zone
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet1/1
    description fw1:G1/1 to uk-lon-sw1b:3 fw2:G1/1 to uk-lon-sw1b:4 secure zone
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet1/2
    description LAN Failover Interface
    no nameif   
    no security-level
    no ip address
    interface GigabitEthernet1/3
    description STATE Failover Interface
    no nameif
    no security-level
    no ip address
    interface Port-channel1
    description outside zone
    no nameif
    no security-level
    no ip address
    interface Port-channel1.5
    description outside zone Bundle FW:G0/0-G0/1 connect to GW1:e1/8-GW2:e1/8
    vlan 5
    nameif outside
    security-level 0
    ip address 216.239.105.5 255.255.255.128 standby 216.239.105.6
    interface Port-channel2
    description dmz Bunlde uk-lon-fw:G0/2-3 to sw1a:1-2 sw1b:1-2
    no nameif
    no security-level
    no ip address
    interface Port-channel2.105
    description dmz
    vlan 105
    nameif dmz
    security-level 50
    ip address 216.239.105.193 255.255.255.192 standby 216.239.105.194
    interface Port-channel3
    description secure zone Bunlde uk-lon-fw:G1/0-1 to sw1a:3-3 sw1b:3-4
    no nameif
    security-level 100
    ip address 10.254.105.1 255.255.255.0 standby 10.254.105.2
    UK-LON-FW(config-if)# 

    Hi Marvin,
    Thank you for your answer. I did everything but it did not work. Turns out it is a bug: ver 8.45 will let you create the sub logical interface but actually it did not work right. Version 9.x doesn't let you create more than 2 port channels (limitation of ASA5550 hardware).
    https://tools.cisco.com/bugsearch/bug/CSCtq62715/?reffering_site=dumpcr 
    Also, you can see the 8.4 release notes where you can see that it is not supported:
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/release/notes/asarn84.html#pgfId-522232
    Interface Features
    EtherChannel support (ASA 5510 and higher)
    You can configure up to 48 802.3ad EtherChannels of eight active interfaces each.
    Note You cannot use interfaces on the 4GE SSM, including the integrated 4GE SSM in slot 1 on the ASA 5550, as part of an EtherChannel.
    We introduced the following commands: channel-group , lacp port-priority , interface port-channel , lacp max-bundle , port-channel min-bundle , port-channel load-balance , lacp system-priority , clear lacp counters , show lacp , show port-channel .

  • Etherchannel support for ASA 5585X

    Hi there , Just trying to find out which all versions of ASA 5585X can support etherchannel features .
    Thanks
    Prabs

    Hi,
    To my understanding any ASA (except ASA5505) from 8.4(1) onwards can use EthernetChannel
    Quote from Cisco document
    Interface Features
    EtherChannel support (ASA 5510 and higher)
    You can configure up to 48 802.3ad EtherChannels of eight active interfaces each.
    Note You cannot use interfaces on the 4GE SSM, including the integrated 4GE SSM in slot 1 on the ASA 5550, as part of an EtherChannel.
    We introduced the following commands: channel-group, lacp port-priority, interface port-channel, lacp max-bundle, port-channel min-bundle, port-channel load-balance, lacp system-priority, clear lacp counters, show lacp, show port-channel.
    We introduced or modified the following screens:
    Configuration > Device Setup > Interfaces
    Configuration > Device Setup > Interfaces > Add/Edit EtherChannel Interface
    Configuration > Device Setup > Interfaces > Add/Edit Interface
    Configuration > Device Setup > EtherChannel
    Source:
    http://www.cisco.com/en/US/docs/security/asa/roadmap/asa_new_features.html#wp43273
    Here is also a link to the "interface" command for Etherchannel
    http://www.cisco.com/en/US/docs/security/asa/command-reference/i3.html#wp1932200
    Hope this helps
    - Jouni

  • Dot 1q trunk on gigabit etherchannel

    I will appreciate any help about the below subject.
    there are two catalyst 2960 switches with two fixed 1000 Base T uplink ports.
    - Both switches have 3 VLANs: VLAN 1, VLAN 2 and VLAN 3 (VLAN 1 is only for management purposes).
    - I will bundle two fixed gigabit uplink ports and get an ether channel with two gigabit bandwidth.
    Can I configure this ether channel as 802.1q trunk port? So computers on same VLANs on different switches can communicate each other? (ether channel and trunk at the same time)
    Before buying the equipment, I feel myself more comfortable if you guys confirm it works.
    Thank you very much in advance.

    HI Friend,
    Yes you can of course do it. You can configure the 2 interfaces first with trunk config and then you configure the 2 interfaces for etherchannel config.
    Check this link it will help you to configure dot1q trunk and etherchannel together on ports.
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2960/12225sed/scg1/swethchl.htm#wp1154336
    HTH, if yes please rate the post.
    Ankur

  • Etherchannel and link aggregation

    Hi!
    I'm a bit confused now, Sun Trunking supports Cisco Etherchannel, but link aggregation doesn't (if I understand correctly, a with the results of my quick tests).
    Sun Trunking seems to be supporting a certain set of drivers and link aggregation another set.
    Right now I've got a T2000 with 4 X e1000g and 4 X nxge, does anyone knows, if I can use these interfaces with Cisco Etherchannel, or do I absolutely need to use LACP with link aggregation??? The problem is that the network guys don't want us to use LACP (for whatever reason they have)...
    Thank you very much.
    Martin

    I don't know any cisco term referring to "pure" etherchannel, so I don't know how to answer that. Both LACP and PAgP are link management protocols that cisco can use. I'm supposing that you're asking if the cards will work with PAgP management, but I'm not sure.
    This FAQ:
    http://www.sun.com/products/networking/ethernet/suntrunking/faq.xml
    suggests that I've been incorrect about 802.3ad being a "new" thing and that SunTrunking 1.3 also uses it.
    The SunTrunking 1.3 docs here:
    http://docs.sun.com/source/817-3374-11/index.html
    in chapter 1 (Overview) list six cards. I don't think yours are any of them, so SunTrunking is out.
    Because LACP "only" manages the link configuration rather than driving the data, it seems to me that both the link-aggregation and cisco sides could work without LACP being present, but the management of the links might be wonky.
    So without LACP, the links have to be configured manually, but I don't yet see anything that states that the two sides will not communicate if that is done.
    Further, the 'dladm' man page says that one valid lacp mode on the Solaris is "off", so it must have some functionality without LACP. I would imagine that will require some sort of manual link configuration on the cisco side. (The solaris side is not going to do PAgP).
    See also:
    http://www.kabewm.com/2007/02/22/solaris-10-lacp-trunking-w-cisco-6509/
    When the www.opensolaris.org boards come back up, I would recommend posting this question in the "networking" discussion group.
    Darren

  • 3com and cisco switches (802.1q)vlan integration problem - broadcast storm?

    Hi forum,
    we are using 3com switches, the 3com switches implement open vlans, which mean if an ieee 802.1q packet is received at a port and the port is not a member of that vlan, the switch does not perform vlan filtering. if the address is previously learned, it will be forwarded correctly, but if it is not, it will be flooded to all ports within that VLAN.
    my questions:
    1) if another cisco switch connected with the 3com switch are placed in the same vlan, and the 3com switch received a 802.1q packet from a rogue device, it will be flooded to all the ports(including the cisco ports) within that VLANs, will it cause a broadcast storm?
    2) how do i configure the cisco switch to filter off unknown tagged packet on a port? by using vlan pruning?
    3) how do i block the broadcast from the 3com switches? using broadcast suppression?
    4) is there a way on the design side to effectively counter this problem?
    Kind regards,
    paul

    It sounds like setup of your 3com switch is not quite up to your requirements. If a port is declared as tagged, it's ok to receive tagged frames for VLAN's that were not previously known on this port. However if your policy requires that only specific VLAN's are permitted on given tagged port, then you need to add some extra command on your 3com switch. Check with documentation and possibly with your 3com support partner.
    As for cisco routers, tagged ports in Cisco-speak are trunks (this might be confusing for you as 3com calls trunks what in Cisco world is known as either Etherchannel or port aggregation). By default a trunk (tagged) port allows any VLAN. If your policy requires so, you can explicitly specify which VLAN's are allowed on given trunk (tagged) port. If a frame arrives with a tag that is not on the allowed list, the frame will be discarded. So you don't need any fancy broadcast suppression to block traffic from disallowed vlans coming from your 3com switch to cisco.
    P.S.: Make sure that you don't mistake 'member of VLAN' with 'native VLAN'. Some parts of your message suggest that you do.
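
The allowed-VLAN behaviour described in the answer above can be audited from a saved switch configuration. The following is an added example, not part of the original thread: it works out which VLAN tags each trunk will accept and lists trunks still on the allow-everything default. The sample configuration, interface names, VLAN numbers and function names are assumptions made for illustration.

```python
import re

# Constructed sample configuration (not from the thread); values are illustrative.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description uplink to 3Com switch
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk allowed vlan 10,20-22
 switchport trunk allowed vlan add 30
!
interface GigabitEthernet0/3
 switchport mode trunk
 switchport trunk allowed vlan none
!
interface GigabitEthernet0/4
 switchport mode access
 switchport access vlan 10
"""

ALL_VLANS = frozenset(range(1, 4095))  # valid 802.1Q VLAN IDs, 1-4094


def expand(vlan_list):
    """Turn an IOS VLAN list such as '10,20-22' into {10, 20, 21, 22}."""
    vlans = set()
    for part in vlan_list.split(","):
        low, _, high = part.partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def trunk_allowed_vlans(config):
    """Return {trunk interface: set of VLAN IDs whose tagged frames it accepts}."""
    trunks = {}
    stanzas = re.findall(r"(?m)^interface (\S+)\n((?: .*\n)*)", config + "\n")
    for name, body in stanzas:
        lines = [line.strip() for line in body.splitlines()]
        if "switchport mode trunk" not in lines:
            continue
        allowed = set(ALL_VLANS)  # with no allowed list, a trunk allows any VLAN
        for line in lines:
            m = re.fullmatch(r"switchport trunk allowed vlan (?:(add) )?(\S+)", line)
            if not m:
                continue
            keyword, arg = m.groups()
            if arg == "none":
                allowed = set()
            elif arg == "all":
                allowed = set(ALL_VLANS)
            elif keyword == "add":      # continuation line of a long list
                allowed |= expand(arg)
            else:
                allowed = expand(arg)
        trunks[name] = allowed
    return trunks


def accepts_tag(trunks, interface, vlan_id):
    """True if a frame tagged with vlan_id is on the trunk's allowed list."""
    return vlan_id in trunks[interface]


def unrestricted(trunks):
    """Trunks with no explicit allowed list, i.e. every VLAN tag is accepted."""
    return sorted(n for n, vlans in trunks.items() if vlans == ALL_VLANS)


if __name__ == "__main__":
    result = trunk_allowed_vlans(SAMPLE_CONFIG)
    print("unrestricted trunks:", unrestricted(result))
    print("Gi0/2 accepts VLAN 40:", accepts_tag(result, "GigabitEthernet0/2", 40))
```

The check covers tagged frames only; untagged frames land in the trunk's native VLAN, which is the distinction the P.S. above draws.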

  • Switch ports did an up/down sequence after being placed in etherchannel with no cables connected, weird.

    Hi Everyone
    I created an etherchannel on two ports (2960 switch) and placed them into an etherchannel.  Did the same on the other switch Cisco 3020 blade chassis switch.  Without connecting any cables the 2960 had done an up/down sequence as though a cable had been connected and yet this had not been done.  Can someone try and help with what could be the technical explanation of this interesting phenomena.  the etherchannel was a trunk and the ports were sitting in vlan 200 and this vlan was also configured as the native vlan for the trunk.
    Please,  please help - any comment is appreciated.
    Sydney

    Hi Sydney,
    It can be possible that speed and duplex setting between the switches are not in sync. Configure all interfaces in an EtherChannel to operate at the same speeds and duplex modes. Enable all interfaces in an EtherChannel. If you shut down an interface in an EtherChannel, it is treated as a link failure, and its traffic is transferred to one of the remaining interfaces in the EtherChannel.
    For EtherChannels:
    –Assign all interfaces in the EtherChannel to the same VLAN, or configure them as trunks.
    –If you configure an EtherChannel from trunk interfaces, verify that the trunking mode (802.1Q) is the same on all the trunks. Inconsistent trunk modes on EtherChannel interfaces can have unexpected results.
    –An EtherChannel supports the same allowed range of VLANs on all the interfaces in a trunking Layer 2
    Hope to help
    If helpful do rate the post
    Ganesh.H

  • 802.3ad on ce-1000-4

    Is it possible to do 802.3ad on a ce-1000-4 card in a cisco 15454?  I have scoured the online information, and I can only find information on how to set up etherchannel or portchannel on catalyst switches and cisco routers.  As it is, our entire network from the first piece of equipment past the 15454 and out is all redundant using either vrrp, 802.3ad or some other redundancy (possibly vendor specific).  The only point of failure is this card in the cisco.  I have messed about a little in the java interface for the 15454 and I admit I'm not super familiar with it... but it didn't stick out.
    A bit more information, we recently upgraded from a 15454 that supported up to oc-3 to the 10G support model, and with this upgrade came the newest software to that date (about 8 months ago).  The port on the ce-1000-4 card is connected to my switch network, and internally using gfp (generic framing protocol) for ethernet over sonet to an oc12 card (I believe mrc) where we have hot standby oc-12 for redundancy.  At any rate, this is something I have been fighting with, and slightly worried about for several months, and cannot find the answer.  The fight is that the ad links are not only for fault tolerance, but for scalability.  We aren't in immediate need of more than 1gig aggregate throughput.... but the office is constantly mutating as we add equipment and acquire companies.  The ad links make me able to physically move equipment without downtime... locally, but I still have full "internet" downtime when I make the final move off the equipment.
    thanks in advance for any help/answers you are able to provide.
    eli

    If the equipment on each side of the 15454 network that is being connected through the 15454 CE card can run 802.3ad, then you could install a second CE-card in each 15454 and use 1 GE interface from the Ethergroup to CE-card #1 and one GE interface from the Ethergroup to CE-card #2 (tried to diagram below).
    Switch #1 -------- GE #1 Etherchannel Group 1 -------- CE card #1 / OC-n ------------- OC-n / CE card #1 ------------- Switch #2
    Switch #1 -------- GE #2 Etherchannel Group 1 -------- CE card #2 / OC-n ------------- OC-n / CE card #2 ------------- Switch #2
    The 15454 CE circuits would be oblivious to the fact that the network is running Etherchannel as it creates a dumb pipe for the Ethernet link.  Depending on your bandwidth requirements, the CE circuits could be carried over a single optical link, like an OC-48 or multiple OC-n circuits, using virtual concatenation (VCAT) supported by the CE card; with the option for protected or unprotected SONET circuits.
    The above network would provide protection against a single CE card failure.
    I hope this helps!
    Tom

  • Etherchannel or Aggregated ports between switch and AIX server

    I have a problem with the configuration of an etherchannel or port aggregation between an 4507 Catalyst switch and a server running AIX 5.2 maintenance level 4. The two ports on the switch are on the same blade.
    I tried configuring etherchannel with the command
    config-if# channel-group XX mode on
    and I tried configuring 802.3ad with the command
    config-if# channel-group XX mode activ
    but in both cases, as soon as I configured the second port, connection went down (I monitored with pings).
    On the AIX, I tried configuring modes "round-robin" and "802.3ad" with both switch configurations, but the result was the same.
    Does anyone have experience with this kind of configuration?
    thanks,
    Antoine

    Hi amaitre
    Could you setting  the etherchannel with the AIX Server?
    I configured in my switch 4510 with a AIX, but the 2 ports with channel-group keep in suspend. This is the configuration
    interface Port-channel2
    description ## LACP AIX ##
    switchport
    switchport access vlan 100
    load-interval 30
    interface GigabitEthernet4/20
    description  ## LACP AIX ##
    switchport access vlan 100
    channel-protocol lacp
    channel-group 2 mode active
    spanning-tree portfast
    interface GigabitEthernet4/21
    description ## LACP AIX ##
    switchport access vlan 100
    channel-protocol lacp
    channel-group 2 mode active
    spanning-tree portfast
    This configuration works with a server Dell with windows 2008.
    The schema is 1 switch 4510 with etherchannel to AIX.
    Thanks!

  • 4 wifi bridges vs EtherChannel on switches

    The environment:
    L2 SWITCH
    | |
    AP AP
    AP AP
    | |
    L2 SWITCH
    I've configured load-balancing src-mac on 1st side (pc lan) and dst-mac on the other side (router lan).
    "The default is to use the source MAC address. This default means that all packets that the switch receives on a non-Fast EtherChannel port with the same MAC source address that have a destination of the MAC addresses on the other side of the channel take the same link in the channel. Use source-based forwarding when many stations that are attached to the Catalyst 2900XL/3500XL send to a few stations, such as a single router, on the other side of the Fast EtherChannel"
    I need to know which EtherChannel L2 protocol (on Catalyst 2950 switches) to use to combine 4 54 Mbps wireless APs (AIR-BR1310G-E-K9) to increase wireless bandwidth, load sharing, load balancing and redundancy.
    I know that with an EtherChannel solution I can't manage the bridges, but if I use EtherChannel on the switches and only 1 bridge goes down (maybe only the radio), is the etherchannel "aware of that L2 failure" (does the port-channel check the other side)?
    Is it better to use "Link Aggregation Control Protocol (LACP) / 802.3ad" or "Port Aggregation Protocol (PAgP)"?
    Regards
    Roberto Taccon

    Hello
    I have a couple of uc520s
    2 - esw - 520-24p
    2 - esw - 520-48p
    1 - 3560x switch
    The 3560x is our core switch. My uplinks are between the core and the 4 esw. I was able to get the etherchannels configured and "working"; however, given the fact that vlan 1 on the esw is the native vlan, I changed the native vlan to be vlan 20 and I'm really struggling with this.
    I have 5 vlans configured on the 4 esw switches: data, voice, management, servers, guest. I can't get the intervlan routing to work properly on the esw. If I configure any vlan on the 3560 I have access to the management vlan; however, if I connect my PC to any port on the esw switches I don't have access to the management vlan at all. For some reason intervlan routing isn't working properly. If I want to have access to the management vlan on the esw switches I need to assign a port on the esw to be on the management vlan. If I use the common scenario, all the ports being voice + data, I can't manage any of the switches at all.
    What else should I do to get this fixed? Is it something on the etherchannels or am I missing something else?
    Thanks
    Hi,
    Can you put up your network in a diagrammatic representation view, so that it will be helpful for more understanding.
    Ganesh.H

  • Catalyst 3850 Cross-Stack EtherChannel

    In the 3850 configuration guide, I came across a statement that PAgP desirable mode is not supported in the switch stack (cross-stack EtherChannel).
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/layer2/configuration_guide/b_lay2_3se_3850_cg/b_lay2_3se_3850_cg_chapter_0101.html
    But the Q&A document mentions that the 3850 supports PAgP.
    Q.    What cross-stack EtherChannel link bundling protocols are supported?
    A.     The Cisco Catalyst 3850 supports Cisco Port Aggregation Protocol (PAgP) and industry-standard IEEE 802.3ad Link Aggregation Control Protocol (LACP). Other 3750 Series Switches support only LACP for cross-stack EtherChannel.
    It seems like the two statements contradict each other.
    Can someone shed some light on this?
    Thank you.

    Hi, adimakmur
    Cisco Catalyst 3850 Cross-Stack EtherChannel can be PAgP+ and can be used for VSS dual-active detection.
    In our last deployment of the 3850 we used Cross-Stack EtherChannel and used it as trusted for VSS dual-active detection.
    c6500-V#sh switch virtual dual-active pagp
    PAgP dual-active detection enabled: Yes
    PAgP dual-active version: 1.1
    ----skiped----
    Channel group 106 dual-active detect capability w/nbrs
    Dual-Active trusted group: Yes
              Dual-Active     Partner              Partner   Partner
    Port      Detect Capable  Name                 Port      Version
    Te1/7/7   Yes             c3850-307            Te1/1/3   1.1
    Te2/7/7   Yes             c3850-307            Te2/1/3   1.1
    ---skiped----
    c6500-V#sh etherchannel 106  protocol 
    Protocol:  PAgP
    c3850-307#sh etherchannel port-channel 
                    Channel-group listing: 
    Group: 1 
                    Port-channels in the group: 
    Port-channel: Po1
    Age of the Port-channel   = 235d:20h:50m:10s
    Logical slot/port   = 12/1          Number of ports = 2
    GC                  = 0x00010001      HotStandBy port = null
    Port state          = Port-channel Ag-Inuse 
    Protocol            =   PAgP
    Port security       = Disabled
    Ports in the Port-channel: 
    Index   Load   Port     EC state        No of bits
    ------+------+------+------------------+-----------
      0     00     Te1/1/3  Desirable-Sl       0
      0     00     Te2/1/3  Desirable-Sl       0
    Time since last port bundled:    169d:04h:58m:49s    Te1/1/3
    Time since last port Un-bundled: 169d:05h:00m:47s    Te1/1/3

  • ISE 1.2 - WLC 5508 (7.5x) - Windows 7 802.1X

    Hi,
    We deployed ISE 1.2 (patch 3) with 5580 WLC to authenticate machines and users using 802.1x.
    We are experiencing a strange issue: randomly, some machines authenticate fine over wireless and we are able to see logs on ISE, and the next day the same machine stops authenticating itself and ISE doesn't generate any log. It seems like somehow no request is coming to ISE.
    We have checked all the settings, including wireless settings, services and 802.1x settings on the laptop, but are struggling to find a reason why a machine would randomly work and then not work.
    Whenever a machine works we see all the logs, but when a machine doesn't work no log is generated in ISE.
    Has anyone experienced a similar issue?
    Thanks

    Thanks, we have figured it out.
    The Machine Auth timer would expire after 12 hours, and ISE had another setting where it would blacklist the client and suppress logs for an hour if it sees more than a certain amount of failed authentication attempts.
    Thanks
