Port channel as a layer 3 interface
I have just inherited a very complex network and noticed in the config, for a cat-6513 with layer 3, the following:
interface Port-channel34
ip address 10.20.4.10 255.255.255.252
What would be a rationale for making a port-channel a layer 3 port?
thanks.
In the case of a port-channel as an L3 entity, it allows for the added capacity/redundancy of the link as well as provides the layer 3 topology either wanted or, in some instances, required, such as when you need to make a multilink connection to a router from your switch.
Or perhaps you have a routed core infrastructure created in your L3 environment and you wish to increase the capacity of the links between devices without using VTP/trunking.
Similar Messages
-
Port-Channel binding on vfc interface
Hi there,
I am currently setting up a CNA / Nexus test configuration in a Blade Server chassis.
I am using a Fujitsu CEE switch in the chassis in between CNA and Nexus.
The FJ switch is connected to the Nexus via a port-channel with 8 member ports.
And here comes my problem. I normally bind physical interfaces to my vfcs.
When I now try to bind the logical port-channel interface to my vfc, it says this is only possible if the channel contains not more than one member port.
If this worked, all my CNA WWPNs would be mapped to a single vfc interface.
What now?
I have 18 blades, each equipped with one CNA. That means on both of my Nexus fabrics I have to configure 18 vfcs and bind the 36 WWPNs manually to them.
This is really kind of annoying.
Does anybody know if this will be fixed with a future firmware release or if there is any workaround available that makes life easier?
Thanks a lot in advance!
You will need to bind the MAC address of the servers to the vFC, since you cannot bind the same physical interface to multiple vFCs. I am not aware of any alternate upcoming solutions for this. I have seen many, many customers do this with Nexus 4000s in IBM BladeCenters which house the servers.
-
Interfaces in port-channel keep err-disabling because of keepalives
Below is the current port-channel that I am having problems with. The interfaces on Switch A keep going into an error-disabled state because they receive their own loopback. Cisco says to disable keepalives and that it will fix the problem, but I do not like the idea of disabling keepalives. Has anyone found a solution other than disabling keepalives? Notice that the IOS versions are different, but I am not convinced that this is the issue. Also, one is PoE and the other isn't. Lastly, I found this article: "Keepalives are sent on all interfaces by default in Cisco IOS Software Release 12.1EA-based software. In Cisco IOS Software Release 12.2SE-based software and later, keepalives are not sent by default on fiber and uplink interfaces". I would think trunked interfaces in a port-channel would be uplink interfaces, and if this is true, it should be sending out keepalives anyway since I am running the 12.2SE-based IOS. Thanks for whatever input you may have.
Switch A
C3750E Boot Loader (C3750X-HBOOT-M) Version 12.2(53r)SE2, RELEASE SOFTWARE (fc1)
System image file is "flash:/c3750e-universalk9-mz.122-55.SE3/c3750e-universalk9-mz.122-55.SE3.bin"
cisco WS-C3750X-48P
Port-channels in the group:
Port-channel: Po52
Age of the Port-channel = 219d:04h:32m:49s
Logical slot/port = 10/39 Number of ports = 4
GC = 0x00000000 HotStandBy port = null
Port state = Port-channel Ag-Inuse
Protocol = -
Port security = Disabled
Ports in the Port-channel:
Index Load Port EC state No of bits
------+------+------+------------------+-----------
0 00 Gi1/0/35 On 0
0 00 Gi1/0/36 On 0
0 00 Gi2/0/45 On 0
0 00 Gi2/0/46 On 0
%ETHCNTR-3-LOOP_BACK_DETECTED: Loop-back detected on GigabitEthernet1/0/35.
%PM-4-ERR_DISABLE: loopback error detected on Gi1/0/35, putting Gi1/0/35 in err-disable state
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/35, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel39, changed state to down
%LINK-3-UPDOWN: Interface Port-channel39, changed state to down
Switch B
C3750E Boot Loader (C3750X-HBOOT-M) Version 12.2(53r)SE2, RELEASE SOFTWARE (fc1)
System image file is "flash:/c3750e-universalk9-mz.122-58.SE2/c3750e-universalk9-mz.122-58.SE2.bin"
cisco WS-C3750X-48
Port-channels in the group:
Port-channel: Po52
Age of the Port-channel = 443d:18h:43m:06s
Logical slot/port = 10/39 Number of ports = 4
GC = 0x00000000 HotStandBy port = null
Port state = Port-channel Ag-Inuse
Protocol = -
Port security = Disabled
Ports in the Port-channel:
Index Load Port EC state No of bits
------+------+------+------------------+-----------
0 00 Gi1/0/35 On 0
0 00 Gi1/0/36 On 0
0 00 Gi1/0/45 On 0
0 00 Gi1/0/46 On 0
PER CISCO
Symptom:
An interface on a Catalyst switch is errordisabled after detecting a loopback.
Mar 7 03:20:40: %ETHCNTR-3-LOOP_BACK_DETECTED: Loop-back detected on
GigabitEthernet0/2. The port is forced to linkdown.
Mar 7 03:20:42: %LINK-5-CHANGED: Interface GigabitEthernet0/2, changed state
to administratively down
Mar 7 03:20:43: %LINEPROTO-5-UPDOWN: Line protocol on Interface
GigabitEthernet0/2, changed state to down
Conditions:
This might be seen on a Catalyst 2940, 2950, 2950-LRE, 2955, 2970, 3550, 3560
or 3750 switch running 12.1EA or 12.2SE based code.
Workaround:
Disable keepalives by using the no keepalive interface command. This
will prevent the port from being errdisabled, but it does not resolve the root
cause of the problem. Please see section below for more information.
Additional Information:
The problem occurs because the keepalive packet is looped back to the port that
sent the keepalive. There is a loop in the network. Although disabling the
keepalive will prevent the interface from being errdisabled, it will not remove
the loop.
The problem is aggravated if there are a large number of Topology Change
Notifications on the network. When a switch receives a BPDU with the Topology
Change bit set, the switch will fast age the MAC Address table. When this
happens, the number of flooded packets increases because the MAC Address table
is empty.
-
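The err-disable thread above asks for an alternative to `no keepalive`. From a monitoring standpoint the loop-back messages are the useful signal rather than the nuisance: a port that is err-disabled again for the same cause after errdisable recovery re-enabled it tells you the loop is still in place, and a port-channel losing line protocol tells you the blast radius. The following Python script is an added example, not code from the thread or from Cisco, that parses the IOS message formats quoted above, normalises long and short interface spellings (GigabitEthernet1/0/35 and Gi1/0/35 are the same port), and reports loopback detections, err-disable counts, recoveries, affected port-channels and ports that keep flapping. The sample log is constructed for the example, modelled on the quoted messages, with timestamps added and one `%PM-4-ERR_RECOVER` line standing for the recovery timer.

```python
"""Correlate Catalyst loop-back / err-disable syslog messages per interface.

Added example: parses the IOS message formats quoted in the thread above and
reports repeat offenders instead of silencing them with 'no keepalive'.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterator

# Constructed sample log, modelled on the messages quoted in the post. Timestamps
# and the %PM-4-ERR_RECOVER line (errdisable recovery re-enabling the port) are
# added for the example; interface names are the ones from the post.
SAMPLE_LOG = """\
Mar  7 03:20:40: %ETHCNTR-3-LOOP_BACK_DETECTED: Loop-back detected on GigabitEthernet1/0/35.
Mar  7 03:20:40: %PM-4-ERR_DISABLE: loopback error detected on Gi1/0/35, putting Gi1/0/35 in err-disable state
Mar  7 03:20:42: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/35, changed state to down
Mar  7 03:20:42: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel39, changed state to down
Mar  7 03:20:42: %LINK-3-UPDOWN: Interface Port-channel39, changed state to down
Mar  7 03:25:41: %PM-4-ERR_RECOVER: Attempting to recover from loopback err-disable state on Gi1/0/35
Mar  7 03:25:43: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/35, changed state to up
Mar  7 03:25:50: %ETHCNTR-3-LOOP_BACK_DETECTED: Loop-back detected on GigabitEthernet1/0/35.
Mar  7 03:25:50: %PM-4-ERR_DISABLE: loopback error detected on Gi1/0/35, putting Gi1/0/35 in err-disable state
Mar  7 03:30:12: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/45, changed state to down
"""

# "%FACILITY-SEVERITY-MNEMONIC: body", with whatever timestamp prefix the logging config adds.
_SYSLOG_RE = re.compile(r"^(?P<ts>.*?)%(?P<fac>[A-Z_]+)-(?P<sev>\d)-(?P<mnem>[A-Z_]+):\s*(?P<body>.*)$")
# An IOS interface name inside the body: GigabitEthernet1/0/35, Gi1/0/35, Port-channel39, Po1.10 ...
_IFACE_RE = re.compile(r"[A-Za-z-]+\d+(?:/\d+)*(?:\.\d+)?")
_ABBREV = {"GigabitEthernet": "Gi", "TenGigabitEthernet": "Te", "FastEthernet": "Fa", "Port-channel": "Po"}


@dataclass(frozen=True)
class Event:
    timestamp: str
    mnemonic: str
    interface: str  # normalised short form, e.g. Gi1/0/35
    body: str


def short_name(name: str) -> str:
    """GigabitEthernet1/0/35 -> Gi1/0/35 so the long and short spellings correlate."""
    m = re.match(r"([A-Za-z-]+)(\d.*)", name)
    if not m:
        return name
    prefix, rest = m.groups()
    return _ABBREV.get(prefix, prefix) + rest


def parse_events(text: str) -> Iterator[Event]:
    """Yield one Event per syslog line that names an interface; other lines are skipped."""
    for line in text.splitlines():
        m = _SYSLOG_RE.match(line)
        if not m:
            continue
        iface = _IFACE_RE.search(m["body"])  # search the body only: "%PM-4" would otherwise match
        if not iface:
            continue
        yield Event(m["ts"].strip().rstrip(":"), m["mnem"], short_name(iface.group()), m["body"])


def summarize(text: str) -> dict:
    """Per-interface counts plus the port-channels that lost line protocol as a consequence."""
    loopbacks, err_disabled, recovered = Counter(), Counter(), Counter()
    po_down = []
    for ev in parse_events(text):
        if ev.mnemonic == "LOOP_BACK_DETECTED":
            loopbacks[ev.interface] += 1
        elif ev.mnemonic == "ERR_DISABLE":
            err_disabled[ev.interface] += 1
        elif ev.mnemonic == "ERR_RECOVER":
            recovered[ev.interface] += 1
        elif ev.mnemonic == "UPDOWN" and ev.interface.startswith("Po") and ev.body.endswith("to down"):
            if ev.interface not in po_down:
                po_down.append(ev.interface)
    return {
        "loopbacks": dict(loopbacks),
        "err_disabled": dict(err_disabled),
        "recovered": dict(recovered),
        "port_channels_down": po_down,
        # Err-disabled again after recovery: the keepalive is still being looped back.
        "flapping": sorted(i for i, n in err_disabled.items() if n > 1),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a syslog export, the `flapping` list is the set of ports where disabling keepalives would only hide a loop that still exists; the `port_channels_down` list shows which aggregates a single looped member took down with it.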
My port channel is not coming up can you review my port channel configuration.
SWITCH#
interface Port-channel12
switchport access vlan 513
switchport mode access
end
Hello,
How are your participating interfaces configured? They should look like this (assuming you use interfaces FastEthernet0/1 and FastEthernet0/2 for your channel on both devices):
3550-1#
interface FastEthernet0/1
switchport access vlan 513
switchport mode access
channel-group 12 mode on
interface FastEthernet0/2
switchport access vlan 513
switchport mode access
channel-group 12 mode on
interface Port-channel12
switchport access vlan 513
switchport mode access
3550-2#
interface FastEthernet0/1
switchport access vlan 513
switchport mode access
channel-group 12 mode on
interface FastEthernet0/2
switchport access vlan 513
switchport mode access
channel-group 12 mode on
interface Port-channel12
switchport access vlan 513
switchport mode access
Do you have physical connectivity at all?
Regards,
GP
-
Nexus 1010v interfaces, port-channel, Catalyst 6500E VSS
I'm installing a pair of 1010v-X appliances using flexible network option 5 on version 4.2(1)SP1(5.1).
I have all interfaces grouped into a single port channel 6. All interfaces uplink to a pair of Catalyst 6506Es in a VSS (Sup2T).
My question relates to the VSS configuration.
For example, do I set up one port-channel on the VSS and put all 12 interfaces in it? Or, do I set up two port-channels on the VSS and put the active 1010v-X in one port-channel and the standby into another port-channel?
Do I set dot1q trunking up on the port-channel(s) on the VSS?
Thanks.
Hi,
What version of IOS are you running on the ASAs?
see table-12-3 in this link:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/interface_start.html
Also, since the 4500x are in VSS mode, you need to bundle one link from each switch and use LACP.
HTH
-
I want to create a port-channel with 2 10Gbs interfaces on 2 ASA 5585 firewalls, and set them up in a failover pair.
In order to do this, do I simply put two 10Gbs interfaces into a channel and then configure the IP addressing and failover address on the logical port-channel interface? (aka interface po1).
Any limitations with this?
Yes, that is exactly what you do.
Create portchannel on switch and ASA
Trunk the vlan on switch side
Create logical interfaces on ASA
-
Design help related to ACE to Switch connectivity using Port-Channel
Hi,
I have a Cisco ACE 4710 configured in One-Arm mode. This ACE is connected to 2 3750 switches. These 2 3750 switches are connected in trunk mode.
ACE is connected to these 3750 switches using Port-channel.
ACE Config:
================================
interface gigabitEthernet 1/1
description One-arm mode port to DMZ Switch 1 port 20
channel-group 1
no shutdown
interface gigabitEthernet 1/2
description One-arm mode port to DMZ Switch 2 port 20
channel-group 1
no shutdown
interface port-channel 1
switchport access vlan 51
port-channel load-balance src-dst-ip
no shutdown
interface vlan 51
ip address 10.40.56.131 255.255.255.128
access-group input everyone
access-group output everyone
nat-pool 1 10.40.56.215 10.40.56.215 netmask 255.255.255.255 pat
service-policy input LB
service-policy input remote-access
no shutdown
===========================================================
The problem is that the 3750 switches are not stacked.
The application is working fine, but I am getting a lot of MAC flapping messages.
Kindly suggest whether this design is OK or something needs to be done to rectify it.
Attached a small diagram.
Hello acharyr123,
I don't think this design is OK, and it would cause MAC flapping since the two independent 3750 switches will learn the ACE MAC addresses off of two different interfaces. The 3750s would have to be stacked so that they would act as one switch; then this should work correctly.
Thanks
Joel Lamousnery
TAC CSE
-
Hi
I want to configure a port-channel with a downstream 2960X switch. The 6880 does not let me configure an L2 port-channel. On the 6880, when I configure the port-channel first and then the interfaces, during the interface configuration the error states that either the switchport is L2 or the port-channel is, or vice versa.
I have managed this easily on other switches. Is there any special command on the 6880 to configure an L2 port-channel?
Attempted the following configs
2960x
Interface port-channel 1
switchport mode trunk
interface gig 1/0/28
switchport mode trunk
udld port aggressive
channel-protocol lacp
channel-group 1 mode Active
mls qos trust dscp
interface gig 2/0/28
switchport mode trunk
udld port aggressive
channel-protocol lacp
channel-group 1 mode Active
mls qos trust dscp
6880x
interface Tengig 1/5/2
switchport mode trunk
channel-group 11 mode Active
******At this stage, when I try to add the switchport mode trunk command as below under the interface, the error states command rejected, either the switchport is in L3 mode and the port-channel L2 or vice versa.
interface Tengig 2/5/2
switchport mode trunk
channel-group 11 mode Active
interface port-channel11
switchport
switchport mode trunk
Hi,
After adding "channel-group 11 mode Active" to both ports 1/5/2 and 2/5/2, go to the port-channel interface and add the "switchport mode trunk" there:
int po 11
switchport mode trunk
no sh
now "switchport mode trunk" should propagate to both physical interfaces.
HTH
-
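Three configuration threads on this page (the L3 Port-channel34 at the top, the Port-channel12 access channel that would not come up, and the 6880 "switchport is in L3 mode and the port-channel L2 or vice versa" rejection just above) come down to one rule: every member interface must agree with its Port-channel interface on L2 versus L3 mode and on its switchport settings, and L3 addressing lives on the port-channel, never on a member. The Python script below is an added example, not code from any of the posts or from Cisco, that parses an IOS-style running configuration into interface blocks and reports the inconsistencies before IOS rejects them or the bundle silently fails to form. The sample configuration is constructed for the example, reusing interface names and addresses from the threads; Port-channel11 is shown with an explicit `no switchport` to stand for the routed default the 6880 applied, and Port-channel34 is given a member that wrongly carries the channel's address itself.

```python
"""Consistency check for port-channel members in an IOS-style config (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample reusing interface names and addresses from the threads above:
# Po34 routed, but its member Gi1/2 wrongly carries the address itself; Po12 a consistent
# L2 access channel; Po11 routed (explicit 'no switchport' standing for the 6880 default)
# with a trunk member.
SAMPLE_CONFIG = """\
interface Port-channel34
 no switchport
 ip address 10.20.4.10 255.255.255.252
!
interface GigabitEthernet1/2
 no switchport
 ip address 10.20.4.10 255.255.255.252
 channel-group 34 mode active
!
interface Port-channel12
 switchport access vlan 513
 switchport mode access
!
interface FastEthernet0/1
 switchport access vlan 513
 switchport mode access
 channel-group 12 mode on
!
interface Port-channel11
 no switchport
!
interface TenGigabitEthernet1/5/2
 switchport mode trunk
 channel-group 11 mode active
!
"""


@dataclass
class Iface:
    name: str                                 # as written in the config
    cmds: list = field(default_factory=list)  # indented commands, stripped


def _key(name: str) -> str:
    # 'Port-channel 11', 'port-channel11' and 'Port-Channel11' name the same interface
    return re.sub(r"\s+", "", name).lower()


def parse_interfaces(config: str) -> dict:
    """Map normalised name -> Iface for every top-level 'interface X' block."""
    ifaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"interface\s+(\S.*)$", line)
        if m and not raw.startswith(" "):
            current = Iface(m.group(1).strip())
            ifaces[_key(current.name)] = current
        elif current is not None and raw.startswith(" ") and line.strip():
            current.cmds.append(line.strip())
        else:
            current = None  # '!' separator, blank line or another top-level command
    return ifaces


def layer(iface: Iface) -> str:
    """'L3' if routed ('no switchport' or an address), 'L2' if any switchport command,
    else 'default' (the platform decides: L2 on a 3750, routed on a 6500/6880)."""
    if any(c == "no switchport" or c.startswith("ip address ") for c in iface.cmds):
        return "L3"
    if any(c.split()[0] == "switchport" for c in iface.cmds):
        return "L2"
    return "default"


def switchport_settings(iface: Iface) -> set:
    return {c for c in iface.cmds if c.startswith("switchport ")}


def check_port_channels(config: str) -> list:
    """Return human-readable findings; an empty list means every channel is consistent."""
    ifaces = parse_interfaces(config)
    members = {}
    for iface in ifaces.values():
        for c in iface.cmds:
            m = re.match(r"channel-group (\d+)", c)
            if m:
                members.setdefault(int(m.group(1)), []).append(iface)
    findings = []
    for group, ports in sorted(members.items()):
        po = ifaces.get(f"port-channel{group}")
        if po is None:
            findings.append(f"Port-channel{group}: referenced by channel-group but not defined")
            continue
        for p in ports:
            p_layer, po_layer = layer(p), layer(po)
            if "default" not in (p_layer, po_layer) and p_layer != po_layer:
                findings.append(f"{p.name}: {p_layer} member of {po_layer} {po.name}; IOS rejects this mix")
                continue
            if any(c.startswith("ip address ") for c in p.cmds):
                findings.append(f"{p.name}: ip address on a member of {po.name}; addressing belongs on the channel")
            diff = switchport_settings(p) ^ switchport_settings(po)
            if diff:
                findings.append(f"{p.name}: switchport settings differ from {po.name}: {sorted(diff)}")
    return findings
```

The `default` layer exists because a port with no `switchport` or `no switchport` line inherits the platform default, which is exactly the ambiguity behind the 6880 rejection: on that platform the freshly created Port-channel11 was routed, so a trunk member could not join it until `switchport` was applied to the channel first.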
So everything I've read on Cisco's documentation here: http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.html#wp1329030 says that I can create a port-channel on two physical interfaces that will uplink to a VSS pair. However, the command is not recognized. What am I missing? I've tried executing "channel-group #" on the physical interface and tried creating the port-channel first, and neither command exists. I haven't seen it listed anywhere whether it is only available after a specific piece of ASA software. If it is the software, would someone know what version at a minimum I need to upgrade to? Below is the output from a show version.
Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(3)
Compiled on Thu 07-Aug-08 20:53 by builders
System image file is "disk0:/asa804-k8.bin"
Config file at boot was "startup-config"
########### up 43 days 23 hours
Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
Hi,
You need software 8.4(1) at least to be able to configure Port Channel / EtherChannel.
Here is the section from the command reference which states this
http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/i3.html#wp1932200
Naturally in your case if you were to upgrade the ASA to 8.4(x) software it would mean that NAT configuration format would be totally different compared to your software version of 8.0.
- Jouni
-
IPS Inline Interface Mode - Can you use a port-channel?
Hi,
I'm trying to determine if you can have a 2-gig Layer-3 Port-channel going thru an IPS 4260 appliance. See attached diagram. Is this possible?
The client I'm working with would prefer not to break this Port-channel into equal-cost 1-gig links (I don't think there will be any performance difference...) However I'm thinking if they want the appliance inline like the diagram shows - they will need to break the port-channel. Is that a correct assumption?
Thanks,
Brad
Yes, this is possible.
It will require 2 InLine Interface Pairs on the sensor and both pairs should be added into the same Virtual Sensor.
The 4260 will not be aware that etherchannels are used on both sides, and does not need to be aware.
This may, however, require manual enablement of the etherchannels.
Also keep in mind that the performance in this setup will be limited to what the IPS-4260 is able to perform with that traffic.
If the IPS is only able to monitor 1 Gbps (which is its rating for Transactional traffic tests), then having the 2 InLine Interface Pairs will not give them any more performance than a single pair would.
If the IPS is able to monitor more than 1Gbps of their traffic (it is rated at 2Gbps for Media Rich tests), then the additional pair will allow the sensor to get to the above 1 Gbps monitoring.
If the 4260 is not able to keep up with the traffic, then an upgrade to a 4270 using the same deployment setup may be necessary.
NOTE: This also assumes that only the left or right path is actively passing traffic at any one time. If both paths are passing traffic, then asymmetric traffic patterns can result. If asymmetric traffic is seen, then another deployment should be considered, or special configuration be placed on the sensors.
NOTE: This setup only works when a single sensor is used within the etherchannel. (1 sensor on each etherchannel, 2 sensors in your diagram because you have 2 etherchannels).
You can not place 2 sensors in the same etherchannel (would mean 4 sensors in your diagram).
This is because the balancing being done from the lower switch can not be guaranteed to match that being done from the top switch. A mismatch in balancing could lead to asymmetric patterns.
With a single sensor, the same virtual sensor sees all traffic regardless of which interface the packet comes in on, so a single sensor is fine. But with 2 sensors, the client traffic might get sent to a different sensor than the server traffic.
-
Maximum number of interfaces in Port Channel on Nexus 5596
Let me preface this by saying I am not a network expert....
I noticed that our customer had configured a port channel on their Nexus 5596 comprised of 16 interfaces. I thought the maximum number of interfaces in a port channel was 8 interfaces? I see in the Nexus 7000 documentation that if you configure 16 interfaces, the remaining 8 will be in "hot standby." Is this the same behavior on the Nexus 5000 series?
Thank you.
Same behavior on the 5500 series and other Cisco switches like the 3750, 3850, etc.
HTH
-
Hi all,
I was wondering if you may be able to help me, hopefully I will provide enough information.
The background to my problem is this. Every Tuesday morning around 10AM we were experiencing network slowdowns, after many weeks fault finding I have narrowed it down to two backup jobs and two vlans. These are quite substantial backup jobs each 100GB in size.
The servers that are being backed-up are behind an ISA server which is controlling the routing for the subnets that these servers use. The ISA servers are load balanced using Microsoft NLB. It is thought by our security expert that this is the best way to secure these servers.
On our core switch (6513) we have a static route pointing to these subnets and the vlans are defined. Here is the basic config of one of the vlans:-
interface Vlan121
description DB vlan
no ip address
ip flow ingress
ip flow egress
end
ip route 192.168.221.0 255.255.255.0 192.168.219.10
I have managed to stop the flooding going to the user switches by denying the 121 vlan on the port-channels. The issue is still apparent however on our top of rack switches (server switches). The reason for this is, there are servers that require vlan 121 on nearly every top of rack switch.
If anyone can recommend a solution to this problem other than limiting vlans, I would greatly appreciate it.
If you require any further information, please let me know.
Kind regards,
Jamie.
Hi Jon, let me see if I can answer your questions.
There are four VLANs that reside behind the ISA: VLANs 121, 122, 123 and 124. Any traffic that requires access to these VLANs has to pass through the ISA because the ISA controls all the routing for the subnets associated with these VLANs.
The server that we are backing up lives on a VLAN 124 and the actual backup server lives on a VLAN outside of the protected VLANs. For the sake of argument lets say that the backup server is shown as the PC on VLAN 156.
When the 90GB backup is initiated, the traffic propagates to all trunk ports throughout the network. I see traffic running at 500Mbps and it can last for up to 20 hours.
I have managed to stop the flood to all the user switches by denying the VLANs stated above. The problem is, I can't deny those VLANs to other top-of-rack switches because there is at least one server in each switch that requires one of the VLANs.
In a nutshell, when large amounts of traffic pass through VLAN 666 (ISA) we see it flood to all trunk ports. We think this could be due to the nature of NLB forming a virtual MAC address. The core doesn't know about the MAC address so it sends a unicast flood to find out where it is.
If you have any ideas please let me know.
J.
-
ASA5550 port channel configuration ERROR: nameif not allowed on empty etherchannel interface
Hi All,
I am having a problem when configuring a port channel on an ASA5550.
IOS ver asa914-k8.bin; also in ver 9.02 and 8.47.
Please let me know how can I solve this problem.
UK-LON-FW(config)# int port-channel 3
UK-LON-FW(config-if)# vlan 245
^
ERROR: % Invalid input detected at '^' marker.
UK-LON-FW(config-if)# nameif secure
ERROR: nameif not allowed on empty etherchannel interface.
UK-LON-FW(config-if)#
here is my interfaces configuration:
interface GigabitEthernet0/0
description fw1:G0/0 to uk-lon-gw1:e1/8 fw2:G0/0 to uk-lon-gw2:e1/9 outside zone
channel-group 1 mode on
no nameif
no security-level
no ip address
interface GigabitEthernet0/1
description fw1:G0/1 to uk-lon-gw2:e1/8 fw2:G0/1 to uk-lon-gw1:e1/9 outside zone
channel-group 1 mode on
no nameif
no security-level
no ip address
interface GigabitEthernet0/2
description fw1:G0/2 to uk-lon-sw1a:1 fw2:G0/2 to uk-lon-sw1a:2 dmz
channel-group 2 mode on
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
description fw1:G0/3 to uk-lon-sw1b: fw2:G0/3 to uk-lon-sw1b:2 dmz
channel-group 2 mode on
no nameif
no security-level
no ip address
interface Management0/0
management-only
nameif management
security-level 0
ip address 10.10.51.18 255.255.254.0
interface GigabitEthernet1/0
description fw1:G1/0 to uk-lon-sw1a:3 fw2:G1/0 to uk-lon-sw1a:4 secure zone
no nameif
no security-level
no ip address
interface GigabitEthernet1/1
description fw1:G1/1 to uk-lon-sw1b:3 fw2:G1/1 to uk-lon-sw1b:4 secure zone
no nameif
no security-level
no ip address
interface GigabitEthernet1/2
description LAN Failover Interface
no nameif
no security-level
no ip address
interface GigabitEthernet1/3
description STATE Failover Interface
no nameif
no security-level
no ip address
interface Port-channel1
description outside zone
no nameif
no security-level
no ip address
interface Port-channel1.5
description outside zone Bundle FW:G0/0-G0/1 connect to GW1:e1/8-GW2:e1/8
vlan 5
nameif outside
security-level 0
ip address 216.239.105.5 255.255.255.128 standby 216.239.105.6
interface Port-channel2
description dmz Bunlde uk-lon-fw:G0/2-3 to sw1a:1-2 sw1b:1-2
no nameif
no security-level
no ip address
interface Port-channel2.105
description dmz
vlan 105
nameif dmz
security-level 50
ip address 216.239.105.193 255.255.255.192 standby 216.239.105.194
interface Port-channel3
description secure zone Bunlde uk-lon-fw:G1/0-1 to sw1a:3-3 sw1b:3-4
no nameif
security-level 100
ip address 10.254.105.1 255.255.255.0 standby 10.254.105.2
UK-LON-FW(config-if)#
Hi Marvin,
Thank you for your answer. I did everything but it did not work. It turns out it is a bug: version 8.45 will let you create the logical sub-interface, but actually it does not work right. Version 9.x doesn't let you create more than 2 port-channels (a limitation of the ASA5550 hardware).
https://tools.cisco.com/bugsearch/bug/CSCtq62715/?reffering_site=dumpcr
Also, you can see in the 8.4 release notes where it says it is not supported:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/release/notes/asarn84.html#pgfId-522232
Interface Features
EtherChannel support (ASA 5510 and higher)
You can configure up to 48 802.3ad EtherChannels of eight active interfaces each.
Note You cannot use interfaces on the 4GE SSM, including the integrated 4GE SSM in slot 1 on the ASA 5550, as part of an EtherChannel.
We introduced the following commands: channel-group, lacp port-priority, interface port-channel, lacp max-bundle, port-channel min-bundle, port-channel load-balance, lacp system-priority, clear lacp counters, show lacp, show port-channel.
-
ASR 1006 shaping\policing on port-channel interfaces
Hello
I encountered a problem: the ASR 1006 ignores shaping\policing configuration on port-channel interfaces.
If I configure:
policy-map Shaping
class class-default
shape average 100000
interface TenGigabitEthernet0/0/0
no ip address
channel-group 1 mode active
interface Port-channel1.10
encapsulation dot1Q 10
ip address 1.0.0.1 255.255.255.0
service-policy output Shaping
With such configuration shaping doesn't work. But it works on ordinary tenGigabit interfaces...
I've tried several ios xe versions.. no changes
Are there any restrictions with shaping on Port-channel interfaces?
Hi,
Traditional QoS will not work for etherchannels. Please read the following to find a suitable config for your case.
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_mqc/configuration/xe-3s/qos-mqc-xe-3s-book/qos-eth-int.html#GUID-6137A7B8-B2D1-4024-8AC9-E7EBEDD868C6
-
Storm Control on Port-Channel Interfaces (6500 platform)
Hello.
I cannot find it anywhere in the documentation for the Cisco 6500 platform (IOS). The question is this: When calculating the percentage of broadcast passing through a Port-Channel interface, which total bandwidth figure is used by the switch? For example:
a. If we have a bundle of 4 Gig interfaces in a PortChannel with Storm-Control applied, the threshold will be calculated over 4Gb/s or 1Gb/s?
b. If the same PortChannel for some reason loses 2 of the uplinks in the Bundle, will the calculation be made over 4Gb/s, 2Gb/s or 1Gb/s?
Thanks!
Hi Leo,
I can't find any reference to this at the moment, but my thoughts are that it will be based on a single member port of the port-channel.
Remember that a port-channel is logically a single link and so a broadcast is only sent on one of the links of the port-channel and not all of them. The decision as to which link is used will be the same as for any other frame i.e., the broadcast address is used within the hashing calculation to choose the physical port.
If the storm-control values are determined based upon the aggregate bandwidth, and change as links are added/removed from the aggregate, then the suppression threshold values for the link carrying the broadcasts are never going to be correct.
Regards