Policy maps on port-channel sub-interfaces

Similar Messages

• Policy-map on tunnel or physical interface?

  Hi all,
  I have a 3800 headend router which has a number of ipsec tunnels to remote office sites. Our current QoS design applies a policy-map to each tunnel interface to prioritise and shape outbound traffic.
  My question is how does the physical egress interface queue and transmit traffic from tunnel interfaces with this design? For example, if a mixture of large data packets and voice packets from different tunnel interfaces hit the physical interface around the same time what will happen to the voice packets?
  Furthermore, would it be a better to apply the policy-map to the physical interface instead of the tunnel interfaces? What advantages if any would this bring?
  Many thanks.

  If you're shaping each tunnel to the outbound physical bandwidth, yes it would be better to just have the policy, without any shaping, on the physical interface. Again, you'll will either need to depend on a copied ToS value in the outbound packet or use qos pre-classify. (A single physical policy would be much like your QUEUE_DATA if using qos pre-classify.)
  e.g.
  !assumes qos-preclassify
  interface Ethernet0
  service-policy output QUEUE_DATA
  What I thought you might be doing, and you could also do, was shape each tunnel to the far side's ingress bandwidth. This would require a distinct policy, if the shaper values change, for every tunnel interface, or a policy on the physical interface that has a class per tunnel (matches against tunnel destination address).
  e.g.
  !assume local outbound interface not oversubscribed
  policy-map NESTED_QOS_512K
  class class-default
  shape average 512000
  service-policy QUEUE_DATA
  policy-map NESTED_QOS_768K
  class class-default
  shape average 768000
  service-policy QUEUE_DATA
  policy-map NESTED_QOS_1500K
  class class-default
  shape average 1500000
  service-policy QUEUE_DATA
  interface Tunnel1
  service-policy output NESTED_QOS_786K
  interface Tunnel2
  service-policy output NESTED_QOS_512K
  interface Tunnel3
  service-policy output NESTED_QOS_1500K
  interface Tunnel4
  service-policy output NESTED_QOS_512K
  e.g.
  !assume local outbound interface not oversubscribed
  class-map match-all Tunnel1
  match group (ACL that matches tunnel1 destination address)
  class-map match-all Tunnel2
  match group (ACL that matches tunnel2 destination address)
  policy-map outbound_tunnels
  class Tunnel1
  shape average 768000
  service-policy output QUEUE_DATA
  class Tunnel2
  shape average 512000
  service-policy output QUEUE_DATA
  Interface Ethernet 0
  service-policy outbound outbound_tunnels
  If all the far side bandwidths exceed your local outbound physical bandwidth, then you should have both tunnel policies, that shape each tunnel, and a physical interface policy.
  e.g.
  !assume local outbound interface is oversubscribed
  policy-map NESTED_QOS_512K
  class class-default
  shape average 512000
  service-policy QUEUE_DATA
  policy-map NESTED_QOS_768K
  class class-default
  shape average 768000
  service-policy QUEUE_DATA
  policy-map NESTED_QOS_1500K
  class class-default
  shape average 1500000
  service-policy QUEUE_DATA
  interface Tunnel1
  service-policy output NESTED_QOS_786K
  interface Tunnel2
  service-policy output NESTED_QOS_512K
  interface Tunnel3
  service-policy output NESTED_QOS_1500K
  interface Tunnel4
  service-policy output NESTED_QOS_512K
  !assumes qos-preclassify
  interface Ethernet0
  service-policy output QUEUE_DATA

• ACE - Policy map bound to multiple interface

  Hello,
  I have a policy map bound to multiple VLAN interfaces. The policy is pretty standard, any traffic hitting the VIP is load balanced.
  Now, is it ok to assign the same policy map / VIP to to multiple VLAN interfaces on a virtual context?
  I addition, I should add that one of the clients hitting the vip are the servers configured in the serverfarm of the context.
  Basically the requirement here is that the rservers are client and server at the same time.
  The problem I have is that when one of the servers send an HTTP request to the VIP, the ACE module reset the connection. I can see the dropped conns counter increasing as i generate requests to the ACE.
  Rdgs,
  Thibault.

  Thibault,
  the RESET is probably comming from the server.
  If the server sends a SYN to the VIP, the packet is nated and forwarded to another server which sees a packet coming from a neighbor server (not ACE) and sends the SYN/ACK directly to the client(rserver).
  This one is expecting a packet from the VIP and not the server itself and sends a RST.
  You need to enable client nat for server opening connections to the vip.
  Gilles.

• Fabric Interconnect Uplink port channeling...

  Hi,
  We setup port channel of two 10G uplink interfaces on each Fabric Interconnect. Everything is running as expected.
  However we noticed that under 'Port-Channel # (Fabric #)' setting on LAN tap, 'Admin Speed' was set to '10Gbps'.
  Should we leave this configuration as is or match to the maximum bandwidth of port Channel we set up (20Gbps)?
  I only see four options on each port channel configuration, 1 Gbps, 10Gbps, 20Gbps and 40Gbps so I'm not sure if we should change this setting.
  Thank you                   

  Hello,
  You do not need to change the speed ( admin ). 20 Gbps configuration is applicable for certain server models.
  --------  NXOS output -----------------
  FI-A(nxos)# sh run int port-channel 1
  interface port-channel1
    description U: Uplink
    switchport mode trunk
    speed 10000
  FI-A(nxos)# show int port-channel 1
  port-channel1 is up
    Hardware: Port-Channel, address: 547f.ee67.e0fb (bia 547f.ee67.e0fb)
    Description: U: Uplink
    MTU 1500 bytes, BW 20000000 Kbit, DLY 10 usec,
       reliability 255/255, txload 1/255, rxload 1/255
    Encapsulation ARPA
    Port mode is trunk
    full-duplex, 10 Gb/s
  FI-A(nxos)# sh int bri
  Port-channel VLAN  Type Mode   Status  Reason                    Speed  Protocol
  Interface                                                               
  Po1          1     eth  trunk  up      none                       a-10G(D)  lacp
  There is cosmetic defect where we list the operational speed as 10 Gbps instead of 20Gbps
  FI-A /eth-uplink/fabric # show port-channel detail
  Port Channel:
      Port Channel Id: 1
      Name: FIA
      Admin State: Enabled
      Oper State: Up
     Speed: 10 Gbps
      Oper Speed: 10 Gbps
      State Reason:
      flow control policy: default
  HTH
  Padma

• Config port channel across different type of media

  Please help with the question if we could config port channel across different media type such as Gigabit and Ethernet 10/100 ports ? thanks in advance.

  Hello,
  no, that is not possible.
  When assigning interfaces to a specific port channel, the interfaces must be all Fast
  Ethernet or all Gigabit Ethernet. You cannot mix interface types within a single port
  channel.
  Check the following link:
  Configuring the EtherChannel
  http://www.cisco.com/univercd/cc/td/doc/product/l3sw/4840g/ios_12/config/4840ec.pdf
  HTH,
  GP

• How to troubleshooting port channel in N7K

   i find N5K
  http://www.cisco.com/c/en/us/support/docs/switches/nexus-5000-series-switches/116199-technote-stp-00.html
  i notice distribution switch has root  guard block log
  does it mean that looping has occured yesterday?
  i use command below do not have yesterday record
  show spanning-tree internal event-history tree 1 brief | in "2015:03:15 10"
  first core is root switch
  now port channel shutdown in first core and use port channel in second core. How can i see which problem has occurred in port channel ?
  how to know which port has problem ?
  how to know which vlan caused the problem ?
  we notice one of access switch has lost config, will it affect the distribution layer switch?
  i remember that yesterday i just get log with filezilla after configure notebook same vlan and same network with the testing access switch

  Not sure if youre after the portchannel bandwidth or port-channel speed... If you really want to get an insight on the bandwidth usage, get SNMP on both sides, actively monitor the port channel and interfaces (real time by frequent polling)
  And you could get two endpoints @ 10 gb nics that are bundled, then 'thrash' the link, end to end. I use iperf, you could use big ftp transfers to test and see what performance is. You'll get the rate / speed in which the links are operating 'end to end'
  It may mean that the ports are @10gb full duplex, but the overall bandwidth is 20gb
  Sent from Cisco Technical Support iPhone App

• 6880X VSS Port-Channel

  Hi
  I was trying to configure two 6800x switches as a VSS pair, Ive done this on 4500x switches before and worked a treat. when setting up a L2 port-channel, for some reason it puts the ports into routed mode and does not allow me to build a L2 port-channel.
  So I add the following config for the port-channel
  Interface port-channel 10
  Description VSL_Link
  switchport
  switch virtual link 2
  no shut
  Interface range Tengig 1/1 – 1/2
  Description VSL_Link
  switchport mode trunk
  channel-group 10 mode on
  Now as soon as I type the channel-group 10 mode on, it gives an error
  "Command rejected  (Port-channel10): Either port is L2 and port-channel is L3, or vice-versa"
  I managed to create a L2 port-channel on a 4500x, will the 6800x only allow me to create a l3 port channel. 

  Hi 
  I tried this config on the 4500x and it worked, now I have also added the switchport mode trunk command to both the port-channel and interface and still getting the same error. 
  When I do sh int status, the ports are showing as routed
  I cleared the config and first set both interface as trunks, then when I do the channel-group 10 mode on command, it accepts the command an automatically creates the port-channel, but the interfaces show as routed.
  This is my first time using a 6880x, when i logged into it, the default hostname is set to Router. I was expecting it to be named Switch, not that the hostname affects the config but makes me wonder, is the config different for the 6880x as opposed to other L3 switches

• MDS9513 Add ISL to Port Channel problem.

  Hi Experts,
  I have a problem when add a new ISL to an existing Port Channel config.
  The ISL port is up state and correctly configured like another ports in port channel.
  Looks bellow the error:
  MDS1300M6A# show port-channel summary
  Interface                 Total Ports        Oper Ports        First Oper Port
  port-channel 1                 4                 4                  fc12/48
  port-channel 2                 2                 2                  fc6/47
  MDS1300M6A# show port-channel database
  port-channel 1
      Administrative channel mode is active
      Operational channel mode is active
      Last membership update failed: port not compatible [Resources Unavailable]
      First operational port is fc12/48
      4 ports in total, 4 ports up
      Ports:   fc12/48  [up] *
               fc10/48  [up]
               fc11/48  [up]
               fc9/48   [up]
  Anyone seen this?
  Tks
  Wellington

  That did the trick - specifically setting the port channel to rate-mode shared.  Certainly solved the problem as far as getting all the deisred ports up in the channel, but where I still have a knowledge gap is the operational difference between dedicated and shared.  Are there any Cisco docs (beyond the command reference guide to toggle the feature) that explains why you'd choose one versus the other, and what it means from a design perspective?
  On a different note, while I'm no expert, here's some background to consider for others who may encounter the same issue (whether on UCS or a Nexus 5K).  I  (and our network team) come from an IOS background, so while the IOS "parts" of NX-OS are pretty familiar, the SAN "parts" of NX-OS are a little new.  We're also more CLI oriented, and while not impossible to configure via CLI, in our environment, the GUI for UCS seems to be more popular across the board - and we're still learning that piece as well.
  Our storage team is very familiar with SAN-OS, so they're very comfortable with the SAN "parts" of NX-OS.  But, they're very used to configuring the MDS switches via the GUI, which is what got us off track a bit.  In our scenario, creating a SAN port channel on the MDS via the GUI didn't give us the option for setting "switchport rate-mode shared"  Not saying it's not there in the GUI, but we certainly couldn't find it.
  Long story short, if the configuration of the SAN port channel on the MDS is in question, check it via the CLI and make any necessary changes there as a quick workaroud.

• 2960x port channel bandwidth command workaround

  Folks:
  I am looking for a work around - Currently I have a four member 2960x switch stack - I have Ten 1/0/1 and Ten 3/0/1 in a port-channel; however, when I try to set the 'bandwidth' on PO1 interface to 20000000 I receive an error, which corresponds being out of range, due to the links being 10Gbps.
  Is there a work around so my PO1 interface reflects the correct bandwidth?
  Switch I am using and version of software
  Switch Ports Model              SW Version            SW Image
  *    1 52    WS-C2960X-48TD-L   15.0(2)EX5            C2960X-UNIVERSALK9-M
  Thank you
  JJ

  The tx-/rxload is probably the least of your problems. Assuming we're talking about a L2 port-channel the interface BW is base for spanning tree cost calculation. With a BW 10000000 kbit/s STP would consider the port-channel equal to a single 10GE link and could possibly decide to block your port-channel for a less favorable link.
  That being said, the port-channel is supposed to have the correct BW corresponding to the number of bundled links without any need for manual user configuration.
  I suppose it is either a software bug or there is an interface not bundled correctly. 
  Post the result of 'show etherc sum' here to check.
  Regards

• ASR 1006 shaping\policing on port-channel interfaces

  Hello
  I encountered a problem - ASR 1006 ignores shaping\policing configuration on a port-channel interfaces.
  If I configure:
  policy-map Shaping
   class class-default
    shape average 100000
  interface TenGigabitEthernet0/0/0
   no ip address
   channel-group 1 mode active
  interface Port-channel1.10
   encapsulation dot1Q 10
   ip address 1.0.0.1 255.255.255.0
   service-policy output Shaping
  With such configuration shaping doesn't work. But it works on ordinary tenGigabit interfaces...
  I've tried several ios xe versions.. no changes
  Are there any ristrictions with shaping on Port-channel interfaces?

  Hi,
  Traditional QoS will not work for etherchannels. Please read to find suitable config for your case.
  http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_mqc/configuration/xe-3s/qos-mqc-xe-3s-book/qos-eth-int.html#GUID-6137A7B8-B2D1-4024-8AC9-E7EBEDD868C6

• 1 policy-map for more than 1 physical interface

  Hi,
  the situation I want to achieve is, that 2 physical interfaces (here 2 TP GigbitEthernet Ports of a 3750) are limited together from one 'service-policy'/'policy-map'.
  In the example below I have 2 Ports on one switch and the traffic coming in on both ports in total (traffic port #1 + traffic port #2) should be limited to the 'policy-map 5MBits'.
  Right now I have configured a 3750 with:
  class-map match-all EveryMAC
  match access-group name everythingL2
  policy-map 5MBits
  class EveryMAC
  police 5000000 32768 exceed-action drop
  policy-map TEST
  class EveryMAC
  set dscp default
  mac access-list extended everythingL2
  permit any any
  interface GigabitEthernet1/0/1
  description port #1
  switchport access vlan 123
  switchport mode access
  speed 10
  duplex auto
  interface GigabitEthernet1/0/2
  description port #2
  switchport access vlan 123
  switchport mode access
  speed 10
  duplex auto
  interface Vlan123
  service-policy input TEST
  And at the 'other side' a 2950 works with the following config:
  class-map match-all EveryMAC
  match access-group name everythingL2
  policy-map 5MBits
  class EveryMAC
  police 5000000 32768 exceed-action drop
  mac access-list extended everythingL2
  permit any any
  interface FastEthernet0/1
  description port #A
  switchport access vlan 123
  switchport mode access
  speed 10
  duplex auto
  As far as I can see this seems to work. But it would be nice if someone can confirm this or provide an other suggestion.
  thanks in advance
  Mark

  Only thing i can think of is instead of using a MAC ACL , u cud jus use the default class
  Policy Map Test
  class class-default
  police 56000 8000 exceed-action drop
  Class Map match-any class-default (id 0)
  Match any
  You would be saving a MAC-ACL ;-).

• ASA5550 port channel configuration ERROR: nameif not allowed on empty etherchannel interface

  Hi All,
  I am having problem when configure port channel on asa5550 
  IOS ver asa914-k8.bin also in ver 9.02   and 8.47.
  Please let me know how can I solve this problem.
  UK-LON-FW(config)# int port-channel 3
  UK-LON-FW(config-if)# vlan 245
                         ^
  ERROR: % Invalid input detected at '^' marker.
  UK-LON-FW(config-if)# nameif secure
  ERROR: nameif not allowed on empty etherchannel interface.
  UK-LON-FW(config-if)#
  here is my interfaces configuration:
  interface GigabitEthernet0/0
  description fw1:G0/0 to uk-lon-gw1:e1/8 fw2:G0/0 to uk-lon-gw2:e1/9 outside zone
  channel-group 1 mode on
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/1
  description fw1:G0/1 to uk-lon-gw2:e1/8 fw2:G0/1 to uk-lon-gw1:e1/9 outside zone
  channel-group 1 mode on
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/2
  description fw1:G0/2 to uk-lon-sw1a:1 fw2:G0/2 to uk-lon-sw1a:2 dmz
  channel-group 2 mode on
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/3
  description fw1:G0/3 to uk-lon-sw1b: fw2:G0/3 to uk-lon-sw1b:2 dmz
  channel-group 2 mode on
  no nameif   
  no security-level
  no ip address
  interface Management0/0
  management-only
  nameif management
  security-level 0
  ip address 10.10.51.18 255.255.254.0
  interface GigabitEthernet1/0
  description fw1:G1/0 to uk-lon-sw1a:3 fw2:G1/0 to uk-lon-sw1a:4 secure zone
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet1/1
  description fw1:G1/1 to uk-lon-sw1b:3 fw2:G1/1 to uk-lon-sw1b:4 secure zone
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet1/2
  description LAN Failover Interface
  no nameif   
  no security-level
  no ip address
  interface GigabitEthernet1/3
  description STATE Failover Interface
  no nameif
  no security-level
  no ip address
  interface Port-channel1
  description outside zone
  no nameif
  no security-level
  no ip address
  interface Port-channel1.5
  description outside zone Bundle FW:G0/0-G0/1 connect to GW1:e1/8-GW2:e1/8
  vlan 5
  nameif outside
  security-level 0
  ip address 216.239.105.5 255.255.255.128 standby 216.239.105.6
  interface Port-channel2
  description dmz Bunlde uk-lon-fw:G0/2-3 to sw1a:1-2 sw1b:1-2
  no nameif
  no security-level
  no ip address
  interface Port-channel2.105
  description dmz
  vlan 105
  nameif dmz
  security-level 50
  ip address 216.239.105.193 255.255.255.192 standby 216.239.105.194
  interface Port-channel3
  description secure zone Bunlde uk-lon-fw:G1/0-1 to sw1a:3-3 sw1b:3-4
  no nameif
  security-level 100
  ip address 10.254.105.1 255.255.255.0 standby 10.254.105.2
  UK-LON-FW(config-if)# 

  Hi Marvin,
  Thank you for your answer.  I did everything but it did not work. Turn out it is a bug ver 8.45 will let you created the sub logical interface but actually it did not work right.  Verson 9.x  doesn't let you create more than 2 port channel (limitation of ASA5550 hardware).
  https://tools.cisco.com/bugsearch/bug/CSCtq62715/?reffering_site=dumpcr 
  Also, you can see the 8.4 release notes were you can see that it is not supported:
  http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/release/notes/asarn84.html#pgfId-522232
  Interface Features
  EtherChannel support (ASA 5510 and higher)
  You can configure up to 48 802.3ad EtherChannels of eight active interfaces each.
  Note You cannot use interfaces on the 4GE SSM, including the integrated 4GE SSM in slot 1 on the ASA 5550, as part of an EtherChannel.
  We introduced the following commands: channel-group , lacp port-priority , interface port-channel , lacp max-bundle , port-channel min-bundle , port-channel load-balance , lacp system-priority , clear lacp counters , show lacp , show port-channel .

• Port-Channel binding on vfc interface

  Hi there,
  I am currently setting up a CNA / Nexus test configuration in a Blade Server chassis.
  I am using a Fujitsu CEE switch in the chassis in between CNA and Nexus.
  The FJ switch is connected to the Nexus via a port-channel with 8 member ports.
  And here comes my problem. I normally bind physical interfaces to my vfcs
  When I now try to bind the logical port-channel interface to my vfc it says this is only possible if the channel contains not more than one member port.
  If this would work all my CNA WWPNs would be mapped to a single vfc interface.
  What now?
  I have 18 blades each equipped with one CNA . Means on both of my Nexus fabrics I have to configure 18 vfcs and bind the 36 WWPNs manually to them.
  This is really kind of annoying.
  Does anybody now if this will be fixed with a future firmware release or if there is any workaround available that makes life easier?
  Thanks a lot in advance!

  You will need to bind the MAC address of the servers to vFC since you cannot bind the same physical interface to multiple vFCs. I am not aware of any alternate upcoming solutions for this. I have seen many many customers do this with Nexus 4000's in IBM bladecenters which houses the servers.

• Asa 5505 sub interface plus ports

  I have never used 5505 I gave used higher firewalls and all of them can do sub interfaces normally we make sub interfaces and vlans are assigned to them I m trying to config 5505 can someone tell me how I can create sub interfaces ? As I saw few config and it seems that you config vlans like switch ??? Secondly all interfaces have to b part of vlan ? Ie outside which is g0/0 ....can I config it as normall routed port ?

  The 5505 is configured nearly the same a a L3-switch. You configure the Vlan-interfaces and assign these to your switch-ports. The switch ports can be configured as access- or as trunk-ports (if you have a SecPlus license).
  You find more on this topic on the Config-Guide:
  http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/interface_start_5505.html

• Interfaces in port-channel keep err-disabling because of keepalives

  Below is the current portchannel that I am having problems with.  The interfaces on Switch A keep going into an error disabled state because they receive their own loopback.  Cisco says to disable keepalives and that it will fix the problem, but I do not like the idea of disabling keepalives.  Has anyone found a solution other than disabling keepalives?  Notice that ios's are different, but am not convinced that this is the issue.  Also one is PoE and the other isn't.  Lastly, i found this article "Keepalives are sent on all interfaces by default in Cisco IOS Software Release 12.1EA-based software. In Cisco IOS Software Release 12.2SE-based software and later, keepalives are not sent by default on fiber and uplink interfaces".  I would think trunked interfaces in a port-channel would be uplink interfaces and if this is true, it should be sending out keepalives anyway since i am running the 12.2SE based ios.  Thanks for whatever input you may have.
  Switch A
  C3750E Boot Loader (C3750X-HBOOT-M) Version 12.2(53r)SE2, RELEASE SOFTWARE (fc1)
  System image file is "flash:/c3750e-universalk9-mz.122-55.SE3/c3750e-universalk9-mz.122-55.SE3.bin"
  cisco WS-C3750X-48P
  Port-channels in the group:
  Port-channel: Po52
  Age of the Port-channel   = 219d:04h:32m:49s
  Logical slot/port   = 10/39          Number of ports = 4
  GC                  = 0x00000000      HotStandBy port = null
  Port state          = Port-channel Ag-Inuse
  Protocol            =    -
  Port security       = Disabled
  Ports in the Port-channel:
  Index   Load   Port     EC state        No of bits
  ------+------+------+------------------+-----------
    0     00     Gi1/0/35 On                 0
    0     00     Gi1/0/36 On                 0
    0     00     Gi2/0/45 On                 0
    0     00     Gi2/0/46 On                 0
  %ETHCNTR-3-LOOP_BACK_DETECTED: Loop-back detected on GigabitEthernet1/0/35.
  %PM-4-ERR_DISABLE: loopback error detected on Gi1/0/35, putting Gi1/0/35 in err-disable state
  %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/35, changed state to down
  %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel39, changed state to down
  %LINK-3-UPDOWN: Interface Port-channel39, changed state to down
  Switch B
  C3750E Boot Loader (C3750X-HBOOT-M) Version 12.2(53r)SE2, RELEASE SOFTWARE (fc1)
  System image file is "flash:/c3750e-universalk9-mz.122-58.SE2/c3750e-universalk9-mz.122-58.SE2.bin"
  cisco WS-C3750X-48
  Port-channels in the group:
  Port-channel: Po52
  Age of the Port-channel   = 443d:18h:43m:06s
  Logical slot/port   = 10/39          Number of ports = 4
  GC                  = 0x00000000      HotStandBy port = null
  Port state          = Port-channel Ag-Inuse
  Protocol            =    -
  Port security       = Disabled
  Ports in the Port-channel:
  Index   Load   Port     EC state        No of bits
  ------+------+------+------------------+-----------
    0     00     Gi1/0/35 On                 0
    0     00     Gi1/0/36 On                 0
    0     00     Gi1/0/45 On                 0
    0     00     Gi1/0/46 On                 0

  PER CISCO
  Symptom:
  An interface on a Catalyst switch is errordisabled after detecting a loopback.
  Mar 7 03:20:40: %ETHCNTR-3-LOOP_BACK_DETECTED: Loop-back detected on
  GigabitEthernet0/2. The port is forced to linkdown.
  Mar 7 03:20:42: %LINK-5-CHANGED: Interface GigabitEthernet0/2, changed state
  to administratively down
  Mar 7 03:20:43: %LINEPROTO-5-UPDOWN: Line protocol on Interface
  GigabitEthernet0/2, changed state to down
  Conditions:
  This might be seen on a Catalyst 2940, 2950, 2950-LRE, 2955, 2970, 3550, 3560
  or 3750 switch running 12.1EA or 12.2SE based code.
  Workaround:
  Disable keepalives by using the no keepalive interface command. This
  will prevent the port from being errdisabled, but it does not resolve the root
  cause of the problem. Please see section below for more information.
  Additional Information:
  The problem occurs because the keepalive packet is looped back to the port that
  sent the keepalive. There is a loop in the network. Although disabling the
  keepalive will prevent the interface from being errdisabled, it will not remove
  the loop.
  The problem is aggravated if there are a large number of Topology Change
  Notifications on the network. When a switch receives a BPDU with the Topology
  Change bit set, the switch will fast age the MAC Address table. When this
  happens, the number of flooded packets increases because the MAC Address table
  is empty.