<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/">
  <channel>
    <title>Ccnp on 0x2142 | Networking Nonsense</title>
    <link>https://0x2142.com/tags/ccnp/</link>
    <description>Recent content in Ccnp on 0x2142 | Networking Nonsense</description>
    <image>
      <title>0x2142 | Networking Nonsense</title>
      <url>https://0x2142.com/logo.jpg</url>
      <link>https://0x2142.com/logo.jpg</link>
    </image>
    <generator>Hugo -- 0.143.1</generator>
    <language>en-us</language>
    <lastBuildDate>Tue, 30 Jan 2018 10:00:46 +0000</lastBuildDate>
    <atom:link href="https://0x2142.com/tags/ccnp/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>L2 Basics: Configuring an EtherChannel</title>
      <link>https://0x2142.com/l2-basics-configuring-an-etherchannel/</link>
      <pubDate>Tue, 30 Jan 2018 10:00:46 +0000</pubDate>
      <guid>https://0x2142.com/l2-basics-configuring-an-etherchannel/</guid>
      <description>How to configure a basic etherchannel on Cisco devices</description>
      <content:encoded><![CDATA[<p>Today we&rsquo;re going to take a look at how to configure an etherchannel between two Cisco Switches.</p>
<p>What is an etherchannel? It&rsquo;s a way of taking multiple independent links and bundling them together, so that they appear as one logical connection between two devices. Etherchannels are commonly used between two switches, or between a switch and a host - which allows for both additional bandwidth and fault tolerance/redundancy. In the example today, we&rsquo;ll be using an etherchannel protocol called Link Aggregation Control Protocol (LACP). LACP is an IEEE standard (802.3ad).</p>
<p>You might be thinking &ldquo;Wait, wouldn&rsquo;t multiple links cause a loop? Or trigger <a href="/l2-basics-spanning-tree-protocol/">Spanning-tree</a> to block ports?&rdquo;. Not in this case! Etherchannel technologies work around those problems by creating a single logical interface for spanning-tree to worry about. The etherchannel protocol itself worries about loop prevention in between the two devices, so we get multiple ports of non-blocking bandwidth.</p>
<p>For everything we cover in this example, we&rsquo;ll be using the following topology:</p>
<p><img alt="image" loading="lazy" src="/content/images/2018/01/lacp.png#center"></p>
<p>So we have two switches, which are connected together via Eth0/0 and Eth0/1. Each switch has three VLANs configured - 10, 20, and 30.</p>
<h2 id="configuring-an-etherchannel">Configuring an Etherchannel</h2>
<p>I&rsquo;ll only be showing the configuration from the perspective of 0x2142-SW1 - but all configuration is replicated on 0x2142-SW2.</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">! We&#39;ll use the interface range command to apply the etherchannel configuration to
</span></span><span class="line"><span class="cl">! both Eth0/0 and Eth0/1 at the same time:
</span></span><span class="line"><span class="cl">0x2142-SW1(config)#int range Eth0/0 - 1
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl">! We specify which etherchannel protocol to use by configuring &#39;channel-protocol&#39;
</span></span><span class="line"><span class="cl">! PAgP is a Cisco Proprietary protocol, but we&#39;ll be using LACP for this example:
</span></span><span class="line"><span class="cl">0x2142-SW1(config-if-range)#channel-protocol ?
</span></span><span class="line"><span class="cl">  lacp  Prepare interface for LACP protocol
</span></span><span class="line"><span class="cl">  pagp  Prepare interface for PAgP protocol
</span></span><span class="line"><span class="cl">0x2142-SW1(config-if-range)#channel-protocol lacp
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl">! Next we need to specify a channel-group and mode:
</span></span><span class="line"><span class="cl">0x2142-SW1(config-if-range)#channel-group 1 mode ?
</span></span><span class="line"><span class="cl">  active     Enable LACP unconditionally
</span></span><span class="line"><span class="cl">  auto       Enable PAgP only if a PAgP device is detected
</span></span><span class="line"><span class="cl">  desirable  Enable PAgP unconditionally
</span></span><span class="line"><span class="cl">  on         Enable Etherchannel only
</span></span><span class="line"><span class="cl">  passive    Enable LACP only if a LACP device is detected
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl">0x2142-SW1(config-if-range)#channel-group 1 mode active
</span></span><span class="line"><span class="cl">Creating a port-channel interface Port-channel 1
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl">0x2142-SW1(config-if-range)#
</span></span><span class="line"><span class="cl">*Jan 26 01:03:04.532: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel1, changed state to up
</span></span></code></pre></div><p>Let&rsquo;s talk through a few notes about the above configuration. In order to enable etherchannel, we only need to configure two commands: <code>channel-protocol</code> and <code>channel-group</code>. The <code>channel-protocol</code> command tells the switch which etherchannel protocol to use for negotiation (LACP in this case). The <code>channel-group</code> command provides two necessary components: the group number and mode. The group number is just a device-local identifier for which group to add these ports to. When we specified group 1, the switch adds both Eth0/0 and Eth0/1 into the new logical interface Port-Channel 1.</p>
<p>The etherchannel mode is also important. The two primary options we want to look at for LACP are active and passive. Active tells the switch to preemptively send out LACP negotiation packets. In this case, the switch really wants the ports to become a bundle and will ask its partner device for an etherchannel to be formed. Passive mode tells our switch to only negotiate if another device wants to. In this mode, our switch won&rsquo;t send out any etherchannel negotiation packets unless its partner device does so first.</p>
<p>Generally speaking, the most common configuration is to set the mode on both devices to active. This ensures that both devices actively participate in trying to establish an etherchannel. Placing one device in active and one in passive will work as well. However, if both devices are placed into passive mode, an etherchannel will never form.</p>
<h2 id="validation">Validation</h2>
<p>So how do we validate that the etherchannel has formed correctly? One way is using the <code>show etherchannel summary</code> command:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">0x2142-SW1#show etherchannel summary
</span></span><span class="line"><span class="cl">Flags:  D - down        P - bundled in port-channel
</span></span><span class="line"><span class="cl">        I - stand-alone s - suspended
</span></span><span class="line"><span class="cl">        H - Hot-standby (LACP only)
</span></span><span class="line"><span class="cl">        R - Layer3      S - Layer2
</span></span><span class="line"><span class="cl">        U - in use      N - not in use, no aggregation
</span></span><span class="line"><span class="cl">        f - failed to allocate aggregator
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl">        M - not in use, minimum links not met
</span></span><span class="line"><span class="cl">        m - not in use, port not aggregated due to minimum links not met
</span></span><span class="line"><span class="cl">        u - unsuitable for bundling
</span></span><span class="line"><span class="cl">        w - waiting to be aggregated
</span></span><span class="line"><span class="cl">        d - default port
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl">        A - formed by Auto LAG
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl">Number of channel-groups in use: 1
</span></span><span class="line"><span class="cl">Number of aggregators:           1
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl">Group  Port-channel  Protocol    Ports
</span></span><span class="line"><span class="cl">------+-------------+-----------+-----------------------------------------------
</span></span><span class="line"><span class="cl">1      Po1(SU)         LACP      Et0/0(P)    Et0/1(P)
</span></span></code></pre></div><p>From the output above, we see that there is one group configured with the group ID of 1. It shows that both Eth0/0 and Eth0/1 have been added into the Port-channel 1 interface. The (SU) next to the Port-channel interface indicates that the etherchannel is up (U) and configured for layer 2 (S).
I mentioned earlier that spanning-tree only worries about the port-channel interface, not the individual member ports. We can also check that out by using the <code>show spanning-tree</code> command:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">0x2142-SW1#sh spanning-tree vlan 20
</span></span><span class="line"><span class="cl">VLAN0020
</span></span><span class="line"><span class="cl">  Spanning tree enabled protocol rstp
</span></span><span class="line"><span class="cl">  Root ID    Priority    32788
</span></span><span class="line"><span class="cl">             Address     aabb.cc00.1000
</span></span><span class="line"><span class="cl">             This bridge is the root
</span></span><span class="line"><span class="cl">             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl">  Bridge ID  Priority    32788  (priority 32768 sys-id-ext 20)
</span></span><span class="line"><span class="cl">             Address     aabb.cc00.1000
</span></span><span class="line"><span class="cl">             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
</span></span><span class="line"><span class="cl">             Aging Time  300 sec
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl">Interface           Role Sts Cost      Prio.Nbr Type
</span></span><span class="line"><span class="cl">------------------- ---- --- --------- -------- --------------------------------
</span></span><span class="line"><span class="cl">Et0/2               Desg FWD 100       128.3    Shr
</span></span><span class="line"><span class="cl">Et0/3               Desg FWD 100       128.4    Shr
</span></span><span class="line"><span class="cl">&lt;-- Output omitted --&gt;
</span></span><span class="line"><span class="cl">Po1                 Desg FWD 56        128.65   Shr
</span></span></code></pre></div><h2 id="making-configuration-changes-to-an-etherchannel">Making Configuration Changes to an Etherchannel</h2>
<p>Now that we have a working etherchannel, we have a few things that need special attention. The individual port configurations, Eth0/0 and Eth0/1 in this case, need to match at all times! Port configuration mismatches are an easy way to inadvertently bring down the port-channel. The good thing is that we now have a convenient Port-Channel interface which we can use for configuration. This logical port will replicate any configuration changes to all member ports.</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">! Let&#39;s jump into our Port-Channel 1 interface and configure a trunk for VLAN 20
</span></span><span class="line"><span class="cl">0x2142-SW1(config)#int po1
</span></span><span class="line"><span class="cl">0x2142-SW1(config-if)#switchport mode trunk
</span></span><span class="line"><span class="cl">0x2142-SW1(config-if)#switchport trunk allowed vlan 20
</span></span><span class="line"><span class="cl">! Now we can check the individual port configs:
</span></span><span class="line"><span class="cl">0x2142-SW1(config-if)#do sh run int e0/0
</span></span><span class="line"><span class="cl">Building configuration...
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl">Current configuration : 176 bytes
</span></span><span class="line"><span class="cl">!
</span></span><span class="line"><span class="cl">interface Ethernet0/0
</span></span><span class="line"><span class="cl"> switchport trunk allowed vlan 20
</span></span><span class="line"><span class="cl"> switchport mode trunk
</span></span><span class="line"><span class="cl"> channel-protocol lacp
</span></span><span class="line"><span class="cl"> channel-group 1 mode active
</span></span><span class="line"><span class="cl">end
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl">0x2142-SW1(config-if)#do sh run int e0/1
</span></span><span class="line"><span class="cl">Building configuration...
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl">Current configuration : 176 bytes
</span></span><span class="line"><span class="cl">!
</span></span><span class="line"><span class="cl">interface Ethernet0/1
</span></span><span class="line"><span class="cl"> switchport trunk allowed vlan 20
</span></span><span class="line"><span class="cl"> switchport mode trunk
</span></span><span class="line"><span class="cl"> channel-protocol lacp
</span></span><span class="line"><span class="cl"> channel-group 1 mode active
</span></span><span class="line"><span class="cl">end
</span></span></code></pre></div><p>Easy enough, right? The configuration changes for the trunk are now on both Eth0/0 and Eth0/1.</p>
<h2 id="troubleshooting-etherchannels">Troubleshooting Etherchannels</h2>
<p>There is always a possibility that something goes wrong - so let&rsquo;s take a quick look at some common problems and how to fix them.</p>
<p>Remember how I said that the member port configurations had to match? Here&rsquo;s what happens if we make a configuration change on only one of the two member ports:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">0x2142-SW1(config)#int eth0/1
</span></span><span class="line"><span class="cl">0x2142-SW1(config-if)#switchport trunk allowed vlan 30
</span></span><span class="line"><span class="cl">0x2142-SW1(config-if)#
</span></span><span class="line"><span class="cl">*Jan 28 20:43:55.458: %EC-5-CANNOT_BUNDLE2: Et0/1 is not compatible with Et0/0 and will be suspended (vlan mask is different)
</span></span></code></pre></div><p>Eth0/1 immediately gets put into a suspended state, and is no longer active in the port-channel interface. In this case the switch gives us a good hint as to what&rsquo;s wrong - vlan mask is different. Error messages will vary slightly, but a suspended port is easy to fix by comparing individual port configurations and fixing the mismatch.</p>
<p>Here&rsquo;s another one:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">*Jan 28 21:06:07.346: %EC-5-L3DONTBNDL2: Et0/0 suspended: LACP currently not enabled on the remote port.
</span></span><span class="line"><span class="cl">*Jan 28 21:06:08.009: %EC-5-L3DONTBNDL2: Et0/1 suspended: LACP currently not enabled on the remote port.
</span></span></code></pre></div><p>This error message can mean a few things - the common one being exactly what it states! Check both sides of the connection, and ensure that LACP is configured on each device. This error message can also occur on certain mismatches - like if one side is running as a Layer 2 etherchannel, but the other side is running as Layer 3.</p>
<p>One more:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">Jan 28 20:83:55.458 %ETHPORT-5-IF_DOWN_PORT_CHANNEL_MEMBERS_DOWN: Interface port-channel1 is down (No operational members)
</span></span></code></pre></div><p>The above message is also somewhat self-explanatory. In this case, the switch is unable to bring up the port-channel interface, because none of the underlying member ports are coming online. Troubleshoot what might be wrong with those ports first, then the port-channel should come up.</p>
<hr>
<p>Hope this was useful! In a later post, we&rsquo;ll dig into more configuration and considerations - like packet hashing, layer 3 etherchannels, and how packets are weighted between interfaces.</p>
<p>Questions? Drop them in the comments below!</p>
]]></content:encoded>
    </item>
    <item>
      <title>L2 Basics: Spanning-Tree Protocol</title>
      <link>https://0x2142.com/l2-basics-spanning-tree-protocol/</link>
      <pubDate>Tue, 14 Nov 2017 08:00:22 +0000</pubDate>
      <guid>https://0x2142.com/l2-basics-spanning-tree-protocol/</guid>
      <description>The fundamentals of how Spanning-Tree Protocol works</description>
      <content:encoded><![CDATA[<p>Spanning-tree protocol (STP) is one of those network technologies that is easy to forget about. It exists in the background of almost every network, and for the most part it does its job without any issues. However, there is still a huge benefit to understanding what STP does and how it works - because its default behaviors might not be the best for every network.</p>
<p>I&rsquo;ve been making progress going through my CCIE books, and the earlier sections are focusing on layer 1 and layer 2 technologies. A lot of this is review from CCNP studies, but with STP the book starts to get into additional detail on the inner workings of the protocol - which I&rsquo;m finding to be quite fascinating. It seems like in many of the companies that I&rsquo;ve worked I&rsquo;ve found that a majority of the IT staff (whether sysadmins or network admins) don&rsquo;t really have a good handle on how STP works and why it needs to be tuned. So this post is meant to cover spanning-tree at a very high level, and I&rsquo;ll include some examples from issues I&rsquo;ve seen in the past.</p>
<h2 id="so-what-is-spanning-tree-protocol-anyways">So what is spanning-tree protocol anyways?</h2>
<p>At its very basic level, STP is a communications protocol used between switches to allow them to identify redundant paths in the network. The goal of STP is to figure out what is the most efficient L2 path through the network, then block all other paths to prevent loops. The best way I&rsquo;ve heard STP explained is that it&rsquo;s essentially a routing protocol for layer 2. Rather than routers communicating and exchanging routes to determine the best path through a network, all of the switches will talk to determine the best (loop-free) layer 2 path.</p>
<h2 id="stp-determines-the-best-layer-2-path---but-the-best-path-to-what">STP determines the best layer 2 path - but the best path to what?</h2>
<p>When configuring a standard routing protocol (like EIGRP or OSPF), you might have a node that advertises a route for 10.10.10.0/24. All other routers in the network are going to select a best path to the router who originates this advertisement - but how does something like this work when we&rsquo;re talking about layer 2?</p>
<p>Spanning-tree relies on the concept of having a single root bridge of each network. At the beginning of a spanning-tree process, all switches will hold a quick election to determine who the root bridge is - then each switch will figure out what its own best path is to that device. The switch that ultimately becomes the root bridge will be based on the priority set by the administrator - but by default all switches are pre-configured with the same priority. In a tie, the switch with the lowest MAC address will win and become the root bridge.</p>
<p>What does that actually mean? More or less, one switch gets put in charge of defining the best path through the network. All other switches examine all of their redundant paths to the primary switch, then figure out which of those paths are more preferable than the others. An important note here is that the &ldquo;best path&rdquo; selected is all from the specific viewpoint of whichever switch takes charge.</p>
<p>For an example, let&rsquo;s use the following topology:</p>
<p><img alt="image" loading="lazy" src="/content/images/2017/11/1-default.png#center"></p>
<p>In this example, we have five switches and a firewall - which are used to provide connectivity to two network segments (NET1 and NET2). For each of the two network segments, there are a number of different paths that traffic could take to reach the firewall. Without spanning tree, NET1 might send traffic to SW4, which in turn would forward it to both SW2 and SW3. This sounds like a good thing, since we would use all available paths to try and reach the firewall - but in reality this can cause other problems like the firewall receiving packets out of order.</p>
<p>So for the example above, let&rsquo;s assume that SW1 becomes our root bridge. SW1 is now in charge of determining what the best path through the network is. It does this by sending out messages on all ports connected to other switches, called Bridge Protocol Data Units (BPDU). In this message, SW1 asserts its role as the root bridge - and provides some information for other switches to use for path selection. Each switch will examine the message from SW1 to determine which of its uplinks is the most efficient path to SW1. Once each switch does this, it will forward on the message to downstream switches - this time adding in some of its own information (or path cost).</p>
<p>After all that is complete, we might be left with the following path below:</p>
<p><img alt="image" loading="lazy" src="/content/images/2017/11/2-ideal.png#center"></p>
<p>The green lines above show the final path that was selected. For NET1 to reach the firewall, it would use SW4, then SW2, then up to SW1. For NET2, it would use SW5 &gt; SW2 &gt; SW1. This leaves the orange links unused. In fact, spanning-tree will place these links into a blocking state. The switches might still listen on those links, just in case their neighbor starts advertising a better path - but they will not forward any data traffic on these connections. In the case of SW2 suddenly failing, SW4 and SW5 would still be aware of their connections through SW3 - and after a brief period would begin using those links to reach the firewall.</p>
<p>This is a very simplistic explanation, and there is a lot more in the background that actually happens during spanning-tree operation. There are a number of different STP standards that a switch can run, each with their own options for configuration and tuning. There are also methods of providing a loop-free path while still utilizing some redundant paths. I plan to cover some more detail on these topics in later posts.</p>
<h2 id="so-why-should-i-care-about-stp">So why should I care about STP?</h2>
<p>Remember that part earlier when I said that if STP priority is not configured, then the switch with the lowest MAC becomes the root bridge? Well as it turns out, MAC addresses are the hardware addresses configured by the manufacturer - and these addresses increment as they produce new devices. So the lower MAC addresses are typically going to be the oldest equipment in your network. Unfortunately, this can have a dramatic effect on your network traffic if you&rsquo;re not paying attention to STP.</p>
<p>From the earlier example, what would happen if SW4 became the root bridge? Maybe this was an old Cisco 2950 that someone forgot to replace and it&rsquo;s just been left in the network. If the STP configuration went unmodified, then this switch would likely become the root bridge of our network. Let&rsquo;s look at what that path might look like:</p>
<p><img alt="image" loading="lazy" src="/content/images/2017/11/3-bad.png"></p>
<p>So in this case, SW4&rsquo;s path to the firewall hasn&rsquo;t changed. However, its best path to SW5 and NET2 is through SW3 - which means any traffic from NET2 to the firewall has to follow the path of SW5 &gt; SW3 &gt; SW4 &gt; SW2 &gt; SW1. Not only does that add more layer 2 hops that NET2 has to pass through, but it also adds more (unnecessary) load onto SW4. What would happen if SW4 was so old that it still had 100M ports? It might get overwhelmed pretty quickly.</p>
<p>Now you might be thinking, &ldquo;How often does this really happen&rdquo;? Well, when I started at my last job they were experiencing a similar issue. The primary building had three floors, each with two Cisco 3548 switches to service users. Each of these switches linked back to a pair of Cisco 4500 core switches. All of the 3548 switches were purchased at the same time (far prior to the 4500s), and it turned out that one of them on the third floor had the lowest MAC address in the network. The entire layer 2 topology was then based on this switch as the central point of the network. This caused the interconnects between the core switches to be put into blocking mode - meaning that if a switch on the second floor needed to connect to the alternate core switch, then it would have to pass traffic through the third floor. A quick change to the spanning-tree priority (during a maintenance period) was all that was needed to put the core switches back in charge.</p>
<p>This doesn&rsquo;t immediately make spanning-tree a bad technology. As with just about anything in IT, it&rsquo;s something you need to understand and tune to fit your needs - otherwise you&rsquo;ll just get less-than-ideal results. At another employer, I actually found out that the previous network administrator had manually disabled all of the redundant paths in the network - because he didn&rsquo;t understand STP, and therefore thought that any redundant paths would cause a loop. Spanning-tree isn&rsquo;t something we need to be afraid of - it just needs a little attention.</p>
<p>So next time you&rsquo;re logged into one of the switches in your network, just run <em>show spanning-tree</em> and double-check that the switch you assume is your root bridge actually is.</p>
<hr>
<p>Well I hope that this was helpful. As I mentioned earlier, I meant this as a fairly basic overview - but I intend on diving a bit deeper in later posts. The most fascinating part of networking to me is all the details on how things like spanning-tree actually work behind the scenes.
Have any spanning-tree stories? Leave a comment below</p>
]]></content:encoded>
    </item>
    <item>
      <title>My 2018 Goal: CCIE R&amp;S</title>
      <link>https://0x2142.com/my-2018-goal-ccie-rs/</link>
      <pubDate>Tue, 10 Oct 2017 08:00:46 +0000</pubDate>
      <guid>https://0x2142.com/my-2018-goal-ccie-rs/</guid>
      <description>I&amp;rsquo;m finally starting to work toward one of my long-standing goals: The Cisco CCIE Certification</description>
      <content:encoded><![CDATA[<p><sup><em>Note: I may receive commissions for purchases made through links in this post. This is to help support my blog and does not have any impact on my recommendations.</em></sup></p>
<hr>
<p>I first completed my CCNA certification back in August of 2007. After that I started working on certifications pretty heavily, because I wanted to learn as much as I could about networking. I used the certifications as both motivation to learn and a measurable goal of my knowledge. Over the next few years I obtained a number of Cisco&rsquo;s associate-level certifications, and by April of 2011 I had finally obtained the CCNP.</p>
<p>Later in 2011 I had changed jobs to a company where certifications were not valued as much. Instead, they urged me to return to school and obtain a college degree. This obviously took up enough of my free time that I really couldn&rsquo;t spend as much time on studying certifications as I wanted to. In 2014 when I needed to re-certify my CCNP, I was just barely able to squeeze together enough time to study for the CCDP ARCH exam. This allowed me to re-certify what I already had, plus gain an additional certification.</p>
<p>Fast forward to early 2017 - I needed to re-certify again. I spent a bit of time trying to figure out what new tests I could study for. If I was going to re-certify then I would rather spend that time learning something new than just re-take a test for something I&rsquo;ve already done. Unfortunately, I was nearing the end of my college degree program, and I just couldn&rsquo;t find the time to dedicate to a new certification - so I ended up re-taking the CCNP TSHOOT exam to re-certify.</p>
<p>After I finished the degree program, I opted to finally take a break for a bit. Even just two months later, and I was <a href="/alright-now-what/">already considering</a> what to do next in terms of certification studies. I wanted to look at Juniper&rsquo;s certification line, since I&rsquo;m more heavily involved in their equipment now - but I also wanted to look at what&rsquo;s next in terms of Cisco certifications.</p>
<p>Well, I&rsquo;ve finally made up my mind, and purchased my first set of books to begin studying for the CCIE R&amp;S. I&rsquo;ve been itching for the past few months to start working on something, but I wasn&rsquo;t really having much luck  making a final decision. However, I was talking recently with our new manager at work about the potential of going to Cisco Live in 2018. This is something I&rsquo;ve inquired about multiple times before and had no luck in getting approval to go. Since we have a new manager, the answer has changed to a &ldquo;Sure, why not?&rdquo;. Since I found out that Cisco Live offers free certification testing (and the CCIE tests are quite expensive), I decided to use that as my motivation to begin studying.</p>
<p>So here goes nothing! My current goal date is June 10th of 2018. By that date I want to be 100% confident in my ability to take and pass the CCIE R&amp;S written exam. I half had the notion of trying to shoot for being prepared for the lab by then, but eight months might be a little too tight of a timeline - at least given what I&rsquo;ve read from other people&rsquo;s experiences. So I&rsquo;ll shoot for the written test by then, with the intent of scheduling the lab soon after.</p>
<p>My current plan is to read through the <a href="https://www.amazon.com/gp/product/1587144921/ref=as_li_tl?ie=UTF8&amp;camp=1789&amp;creative=9325&amp;creativeASIN=1587144921&amp;linkCode=as2&amp;tag=0x2142-20&amp;linkId=bf02add5a14b449046bd01dd3cb8d3ba">CCIE R&amp;S Official Cert Library</a> first, then use that as a gauge to see what I know I&rsquo;ll need a refresh on some of the content from that. I also know that IS-IS is included in the CCIE, which is something that was removed from the CCNP right before I started studying for it. However, it was actually still part of the CCNA content when I took that - so I have a very basic level of understanding. Outside of that - most of my current and recent jobs have focused heavily on switching technologies and less on routing. I&rsquo;ve been working quite substantially with BGP, but not much with internal routing protocols - so that&rsquo;s another point where I&rsquo;ll likely spend additional time.</p>
<p>I know I definitely have a lot to learn, and it&rsquo;s going to be a long several months of study. Obtaining the CCIE certification has been one of my goals since nearly the beginning of my networking career. I&rsquo;m really excited by actually getting the chance to work towards that goal. I&rsquo;m sure I&rsquo;ll be writing a bit here and there as I go through my studies, so look forward to that!</p>
<p>If you have any insight you wish to share, please leave a comment below.</p>
<p>Wish me luck!</p>
]]></content:encoded>
    </item>
    <item>
      <title>Ten years of Cisco Certification</title>
      <link>https://0x2142.com/ten-years-of-cisco-certification/</link>
      <pubDate>Tue, 29 Aug 2017 08:00:41 +0000</pubDate>
      <guid>https://0x2142.com/ten-years-of-cisco-certification/</guid>
      <description>It&amp;rsquo;s hard to believe I started my networking career ten years ago.. How quickly time flies!</description>
      <content:encoded><![CDATA[<p>It&rsquo;s August of 2017 - which means it&rsquo;s been a long ten years since I originally obtained my CCNA certification in 2007. I figured it might be a good time to take a minute and look at what that has meant for me, and how the last ten years of my career have gone.</p>
<p>When I got my CCNA certification, I was only two months out of high school. I had just finished two years of the Cisco Networking Academy coursework, and I had no idea what that would actually mean for me. I went and took the certification exam mostly because I felt like that was the only way to validate what I had learned during the two-year class. I failed it once or twice, which nearly discouraged me enough to not try again. However, I ended up passing the test and becoming Cisco certified on August 27th, 2007.</p>
<p>Obtaining that certification didn&rsquo;t immediately make me valuable to anyone. However, it definitely helped to get my resume in front of a number of people who probably wouldn&rsquo;t have taken a look otherwise. At the time, I had no college degree and absolutely no real-world networking experience. I owe that CCNA cert for helping me get my first job - but after that it was up to me to prove my worth.</p>
<p>It&rsquo;s amazing to sit back and realize that ten years have passed already. So much has happened, so much has changed. I spent the first three or four years of my career studying hard for additional Cisco certs, which I used as motivation to learn more about networking. Certifications can be great for validating what you know, but it&rsquo;s the real-world skill that really pays off in the end. Even with my original intent to become a network admin, I&rsquo;ve ended up wearing a lot of hats and picking up more of a variety of skills than I ever thought I would. It&rsquo;s definitely been a good thing though, since it has allowed me to get a better understanding of other systems - which in turn helps me to better support them as a network admin.</p>
<p>Even though today I don&rsquo;t really manage much in the way of Cisco equipment, the original skills that I learned in the Cisco Networking Academy program have given me a great base knowledge to work with. All of the fundamental networking skills I learned have translated quite well to other vendors and products. I&rsquo;ve spent the past few years working with Brocade, Juniper, Check Point, and a number of other vendors - and I feel like I have had a much easier time picking up the new skills than I might have had otherwise.</p>
<p>Today I still hold and maintain my Cisco certifications - and I plan to continue doing so for the foreseeable future. Someday I would like to achieve a CCIE/CCDE-level certification, but for now I am happy with what I have and what these certifications have helped me to achieve in my career.</p>
<p>Thanks for reading - here is to hoping for the next ten years to be just as good as the last.</p>
]]></content:encoded>
    </item>
    <item>
      <title>Alright - Now What?</title>
      <link>https://0x2142.com/alright-now-what/</link>
      <pubDate>Thu, 11 May 2017 09:13:08 +0000</pubDate>
      <guid>https://0x2142.com/alright-now-what/</guid>
      <description>I finally finished college, so what&amp;rsquo;s next for my professional goals?</description>
      <content:encoded><![CDATA[<p>So it&rsquo;s now been over two months since I finished college and obtained my magical piece of paper. It has been interesting to finally have some free time to do things that I want to do, and not having to constantly balance my time between school and work.</p>
<p>So now that I&rsquo;ve had a bit to sit back and take a break, I&rsquo;m starting to begin itching toward certification studies again. I really enjoy certifications because they give me a goal to work towards, and I can study the materials at my own pace.</p>
<p>For reference, I currently hold the following active certifications:</p>
<p><strong>Cisco:</strong> CCNA, CCNA Security, CCNA Voice (retired), CCDA, CCNP, CCDP</p>
<p>I&rsquo;ve been looking a bit at the Cisco Cloud and Data Center certification tracks, since I&rsquo;m dealing a lot more with the Nexus switching line and data center technologies overall - but after reviewing the cert syllabus, I&rsquo;m not really feeling very strongly toward those. I&rsquo;m also hesitant because it would mean starting back over at the CCNA-level for the new tracks and working my way back up to the CCNP-level. I&rsquo;ve also previously considered getting my CCNP Security, but I&rsquo;m not actively working in Cisco ASA firewalls much any more.</p>
<p>The only next choice in the Cisco world would be going for the CCIE R&amp;S or the CCDE. I&rsquo;ve been considering for a long time that I would eventually like to get there, but those certifications also require a significant investment of time and money. I definitely think the information and skills I would learn along the way would be worth it, and I&rsquo;m beginning to really consider this an option in the near future. I&rsquo;ve spent a bit of time reviewing the exam topics listed on Cisco&rsquo;s site, and debating which of the two would be a better first choice.</p>
<p>My other option is pursuing the Juniper side of things. Most of the data centers I manage now are shifting toward Cisco for switching and Juniper for firewalls - so it would certainly benefit me to educate myself further on the Juniper equipment. Until this point, I&rsquo;ve been just learning on the job by buying Juniper SRX firewalls and figuring it out as I go. My only real hesitation on this would be maintaining two separate lines of certifications. Both Juniper and Cisco enforce a 3-year expiration on their certifications, so I would need to keep on top of both - which isn&rsquo;t necessarily a bad thing.</p>
<p>So at this point, I really don&rsquo;t have a clear idea of what I want to do. Those are my current thoughts and options, but I&rsquo;m having a hard time settling on what would be the best option for me at this time. I definitely want to start studying for something (and potentially take the exam) before the end of this year though, so I would like to figure it out rather soon.</p>
<p>If you have any suggestions or thoughts on the certifications I&rsquo;ve mentioned, leave me a comment below!</p>
]]></content:encoded>
    </item>
    <item>
      <title>College vs Certification - Which is better?</title>
      <link>https://0x2142.com/college-vs-certification-which-is-better/</link>
      <pubDate>Tue, 28 Mar 2017 08:00:58 +0000</pubDate>
      <guid>https://0x2142.com/college-vs-certification-which-is-better/</guid>
      <description>My career path is the reverse of most people I&amp;rsquo;ve met - certifications first, then college much later. What impact has this had on my experiences?</description>
      <content:encoded><![CDATA[<p>As of the beginning of this month, I have officially completed my four years of trying to balance working full time and going back to school. I finished up my last college classes and now I can sit back and appreciate having some free time to myself again. I&rsquo;ve never been really into the concept of school, but ultimately I went back because I was being pushed to by my previous employer. So I figured that now is just as good a time as any to tackle the topic of which is better - certs or college degrees?</p>
<p>I talked about this briefly in my initial <a href="/first-a-bit-of-background/">background</a> <a href="/background-story-continued/">story</a> posts, but I went straight from Cisco Networking Academy in high school out to working a full time job at a local IT consulting company. By the time I finished high school, I had already passed the Cisco Certified Network Associate (CCNA) exams and become certified. Having that certification is what got me in the door for a number of interviews, and eventually got me the job at the consulting company. At that point, I really didn&rsquo;t have much else going for me - I didn&rsquo;t have a college education nor any real-world experience. In my time working at this company, I spent a significant amount of time doing self-study and labs for my certification goals. When I got my CCNP certification, I used it along with the experience I had gathered to get my next job. This new employer was heavily focused on their IT staff needing to have a college education - so they pressured me for a while to go back until I eventually gave in.</p>
<p>I spent a while reviewing many colleges in the area and online, trying to figure out what would meet my needs. I ended up picking out a four-year degree in network security, and opted to go the online-only route because it benefited my schedule better. I packed my classes up to a full-time schedule, because I didn&rsquo;t want a four-year degree to take any longer than four years. At this point, I also had the benefit that my employer was willing to reimburse 100% of the costs - which certainly helped convince me to go back.</p>
<p>Over the course of the past four years, I have taken many classes that include general IT, development, networking, and security (not including the normal required materials). I found that a significant portion of these classes didn&rsquo;t directly benefit me. A lot of the material was much more focused toward beginners who haven&rsquo;t already been working in the field for six years - which is completely understandable. The most I really got out of this was improving my abilities to push myself through work that I didn&rsquo;t want to do. I did have a few interesting classes, like an Android development course, which I found to be extremely fun even if I probably won&rsquo;t use the knowledge much.</p>
<p>Four years later and I&rsquo;m done - did I benefit from it? On some level yes, I think I did. At the time of my degree completion, I have now been Cisco certified for ten years and I&rsquo;ve been working in networking nearly the same amount of time. I&rsquo;m already further in my career than I thought I would be at this point, and I&rsquo;m happy with my position and pay (the degree isn&rsquo;t going to change either of these things). At this point in time, finishing the degree is not much more than an accomplishment that I can add to my resume. Sure, having the degree on my resume may get me past HR screening for new jobs and opportunities - but it likely won&rsquo;t actually play much into a company&rsquo;s decision to hire me.</p>
<p>In the end I think that both certifications and college education are useful - they can both be great indications to an employer that you&rsquo;ve been trained on certain technologies or fields. However, I think that the actual on-the-job experience is what really matters - and I experienced a direct benefit from getting in the field early and working while all of my friends were still in college. I would not be as far in my career as I am today if I had waited four more years to start working.  Unfortunately, I think that we place a little too much importance on completing a formalized degree program, when equivalent experience and certifications may benefit a company more.</p>
<p>I understand that I had a bit of a unique situation, but I figured it would be worth sharing my experiences and how they have affected my view of college education. I&rsquo;m still happy that I went through with it and completed the degree, but you won&rsquo;t see me throwing a big celebration - except that I&rsquo;m just super glad it&rsquo;s all finished. At this point, I will take a few months to relax and spend time on hobbies - but I do plan on going back to certification studies (Juniper stuff and likely begin working on a CCIE).</p>
<p>Any thoughts? Comment below with your experiences - I&rsquo;m interested to see if there are many people who have had similar experiences to me, or possibly even the complete opposite.</p>
]]></content:encoded>
    </item>
  </channel>
</rss>
