Implementing Access Control System (ACS)

Access Control System (ACS)

ACS servers exist to centrally manage the users and control what those users are authorized to do. It can use an external database that already exist and contains usernames and passwords (ie.: Microsoft Active Directory).

The ACS server can be installed to multiple platforms ie.: Windoes server, dedicated physical Cisco appliance, VMWare ESXi server etc..

Identity Services Engine (ISE)

This is an identity and access control policy platform that can validate that a computer meets the requirements of a company’s policy related to virus definition files, service pack levels and so on before allowing the device on the network.

ACS and ISE can be used together.

Protocols between ACS and the router

  • TACACS – Cisco proprietary
    Encrypts the whole communication between the router and the ACS server.
  • RADIUS – open standard
    Encrypts only the password between ACS and the router.


Configuring Routers to Interoperate with an ACS


# aaa new model
# aaa authentication login AUTHEN_via_TACACS group tacacs+ local
# aaa authorization exec Author-Exec_via_TACACS group tacacs+ local
# username admin privilege 15 secret cisco
# tacacs-server host 192.1681.252 key cisco123
# line vty 0 4
(line)# authorization exec Author-Exec_via_TACACS
(line)# login authentication AUTHEN_via_TACACS



aaa new model

This is required on every device.

# aaa authentication login AUTHEN_via_TACACS group tacacs+ local
# username admin privilege 15 secret cisco
# tacacs-server host 192.1681.252 key cisco123
# line vty 0 4
(line)# login authentication AUTHEN_via_TACACS

When a user tries to login to the device the 192.1681.252 TACACS server is going to check the credentials and reply with a pass or fail message. The “group tacacs+ local” part means that the primary login mechanism is the tacacs+ and when it’s not reachable the local authentication will take its place (admin/cisco).

# aaa authorization exec Author-Exec_via_TACACS group tacacs+ local
# line vty 0 4
(line)# authorization exec Author-Exec_via_TACACS

The AAA server will verify whether the router is authorized to gain access to the CLI and on what privilege level is the user placed into. Similarly to authentication if the tacacs+ server is unreachable, it will check locally whether the user is authorized to execute a command.


CCP (Cisco Configuration Professional)

Configure > Router > AAA > AAA Servers and Groups > Servers > Add


Configure > Router > AAA > Authentication Policies > Login > click Add



Configure > Router > AAA > Authorization Policies > EXEC Command Mode > click Add





Add local user
Configure > Router > Router Access > User Accounts/View > click Add




Convergence of routing tables

All convergence depends on the network design and the used technologies!

Routing protocols




Neighbor timers:

Hello: 3 sec
Hold: 15 sec


The best route for EIGRP is called Successor and the second best path is the Feasible Successor.

  • When the Successor fails and there is no Feasible Successor, EIGRP will query it’s neighbors for a route.
  • When the Successor fails and there is a Feasible Successor, EIGRP will switch to the backup path immediately.

Detecting failure

  • Graceful Shutdown / Restart: When the router is reloaded or the interface is administratively shut down the local router will notify it’s direct EIGRP neighbors before shutting down the interface. This way the neighbor can converge the affected routes almost instantly (~1 packet drop).



High availability




Adobe Premier Shortcuts

  • S Snap
  • Space Lejátszás
  • L – Felgyorsítja a videólejátszást (könyebb átnézni a teljes videót)
  • C –  Razer – Fel lehet szeletelni a videóklippet és így különböző sávokként lehet őket kezelni.
  • Sequence/Add edit – A Razer-hez hasonló funckió, de itt az aktuális lejátszási ponthoz teszi a vágást (jó ötlet hotkey-t rendelni hozzá).
  • VMove – Mozgatni tudjuk a sávokat
  • Ripple Delete – Ha van egy üres rész a sávok között, bele tudunk kattintani az üres részbe és Riplle Delete-el össze tudjuk rántani az üres rész utáni tartalmat az előtte lévővel:

Default Timers


Hello timer: 5 seconds
Hold timer: 15 seconds

Modification: This can be modified on interface.

ip hello-interval eigrp <as number> <seconds>


Hello timer: 10 seconds
Hold timer: 40 seconds

Modification: This can be modified on interface.

ip ospf hello-interval <seconds>
ip ospf dead-interval <seconds>


eBGP keepalive: 60 seconds
eBGP hold timer: 180 seconds
eBGP time between advertisement: 30 seconds
iBGP time between advertisement: 0 (triggered)

Modification: The timers can be modified per neighbor:

neighbor <ip> timers <keepalive sec> <hold timer sec>


Update: 30 seconds (how often send route update)
Invalid: 180 seconds (if no update from a route until 180 second it goes invalid and hold timer starts to count)
Hold Down: 180 seconds (the route cannot be active again (if new update comes) until hold timer counts down (except new update with better metrics))
Flush: 240 seconds (until removes completely the route)

GRE Tunnels

Keepalive: 10 seconds
Retries: 3 times

Modification: This can be modified on the tunnel interface.

keepalive <seconds> <retries>



Chapter 14 – Managing Switches with SNMP

  • What is the purpose of SNMP?
    • Simple Network Management Protocol shares information about the host router and its activities.
  • What 2 parts do SNMP have?
    • SNMP manager: This is a network management system that polls information from the SNMP agent. This is usually runs on a central location.
    • SNMP agent: The process that runs on the network device being monitored.
  • Where does the switch gather data for SNMP?
    • From the Management Information Base (MIB). Data contained in memory and updated in real time.
  • How does the SNMP manager communicate with the SNMP agent? What is the 4 request type?
    • The communication uses UDP port 161
    • get request: the value of one specific MIB is needed
    • get next request: the next or subsequent value following an initial get request is needed
    • get bulk request: whole table or list of values in a MIB is needed
    • set request: a specific MIB variable needs to be set to a value
  • How can the SNMP agent notify the manager? What communications types exist?
    • The communication uses UDP port 162
    • SNMP trap: News of some event is sent without any acknowledgement that the trap has been received
    • Inform request: News of some event is sent, but the SNMP manager need to acknowledge
  • What are the differences between SNMP versions?
    • SNMPv1:
      • Get/Set requests plus SNMP traps
      • 32 bit variable counters
      • Authentication with clear text community string
    • SNMPv2C:
      • 64 bit variable counters
      • Get/Set requests, SNMP traps + Bulk requests
      • Authentication still with clear text community strings
    • SNMPv3:
      • Authentication through usernames
      • “views” can be used to limit what MIB variables can an SNMP manager read/write
  • What security levels are available in SNMPv3?
    • noAuthNoPriv: SNMP packets are neither authenticated nor encrypted
    • authNoPriv: SNMP packets are authenticated but not encrypted
    • authPriv: SNMP packets are authenticated and encrypted


  • How do you configure SNMPv1?
    • (global)# snmp-server community COMMUNITY [ro|rw] [ACL]
      (global)# snmp-server host HOST COMMUNITY [TRAP-TYPE]
  • How do you configure SNMPv2?
    • (global)# snmp-server community COMMUNITY [ro|rw] [ACL]
      (global)# snmp-server host HOST [informs] version 2c COMMUNITY 
    • The config is almost the same as with SNMPv1, but if you would like to use informs instead of traps, you must use the informs keyword.
  • How do you configure SNMPv3?
    • snmp-server view: You can specify a view for the users, so they can only access a certain part of the MIB.
      (global)# snmp-server view VIEW-NAME OID-TREE
    •  snmp-server-group:
      (global)# snmp-erver group GROUP-NAME v3 { noauth | auth | priv } [read READ-VIEW]  [ write WRITE-VIEW] [notify NOTIFY-VIEW] [access ACL]

      • noauth, auth = Authentication
      • priv = Encryption
    • snmp-server user:
      (global)# snmp-server user USER-NAME  GROUP-NAME v3 auth {md5 | sha} AUTH-PASSWORD priv { des | 3des | aes {128|192|256}} PRIV-PASS [ACL]
    • snmp-server host:
      (global)# snmp-server host HOST-IP [informs] version 3 {noauth | auth | priv} USERNAME [trap-type] 

Chapter 13 – Logging Switch Activity

Syslog Messages

  • What is the format of a Syslog message?
    • Timestamp
    • Facility code: This is an identifier that specifies the switch function or module that has generated the message.
    • Severity: A number to 0 – 7
    • Mnemonic: A category within the facility code
    • Message Text: Description of the event.
    • syslog
  • What does each severity level mean?
    • message loggging
  • How can you modify the severity level of logging (into internal buffer)?
    • Default: 6 = Informational
    • (global)# logging buffered SEVERITY-LEVEL
  • How can you change the log size of the internal buffer?
    • Same command but the number start from 4096
    • (global)# logging buffered SIZE
  • How can you modify the severity level for the console port? What is the default value?
    • Default: 7 = Debugging
    • (global)# logging console SEVERITY
  • What port and what protocol do syslog use?
    • Port 514
    • Protocol: UDP
  • Why do the syslog server need to send acknowledge messages?
    • Because the communication is using UDP and the switch cannot know whether the log message arrived to the server.
  • How do you configure remote syslog?
    • (global)# logging host IP
      (global)# logging trap SEVERITY
  • What is the problem with interface state changes and remote syslog (on an access layer switch)? 
    • Every time when host devices start/stop the switch will send syslog messages to the server.
    • no logging event link-status


Adding Time Stamps to Syslog Messages

  • How do you configure time zone on a switch?
    • (global)# clock timezone  NAME OFFSET-HOURS
  • How do you configure summer time?
    • (global)# clock summer-time NAME recurring
  • How do you configure time?
    • clock set HH:MM:SS
  • What is a stratum value?
    • Stratum number indicates the number of NTP “hops” needed to reach the top.
    • Range: 0-15
  • What are the 4 modes that NTP can propagate time?
    • Server (or NTP master): Can be configured using
      (global)#ntp master STRATUM  
    • Client: Synchronizes its time with the NTP server.
      (global)#ntp server IP
    • Peers: This is called symmetric mode. Peers exchange time synchronization information with each other.
      This is often used between two or more servers operating as mutually redundant group.
      (global)#ntp peer IP
    • Broadcast/multicast: The NTP server pushes time information out to any listening device.
      (interface) ntp broadcast client
  • What is the difference between ntp version 3 and 4? Which one is default?
    • Version 3 is default
    • Version 4 give IPv6 capabilities
  • If you specify more than 1 ntp server, how can you decide which should be the primary?
    • (global)# ntp server IP prefer [version 3|4]
  • How can you verify NTP functionality?
    • show ntp status
    • show ntp associations


  • How can you secure NTP?
    • (global)# ntp authentication-key KEY-NUMBER md5 KEY-STRING
      (global)# ntp authenticate
      (global)# ntp trusted-key KEY-NUMBER
      (global)# ntp server IP-ADDRESS key KEY-NUMBER
  • What else security method are you aware of? How can you configure it?
    • Using ACLs
    • (global)# access-list ACL-NUM permit IP MASK
      (global)# ntp access-group {serve-only | serve | peer | query-only } ACL-NUM
    • serve-only: Only synchronization request permitted
    • serve:  Synchronization and control requests are permitted. The device is not permitted to synchronize its own time clock.
    • peer: Synchronization and control requests are permitted. The device can synchronize its own time clock.
    • query-only: Only control queries permitted.
  • What is SNTP?
    • Simplified Network Time Protocol
    • When a device is configured as SNTP, it operates as an NTP client only. Other devices cannot synchronize with its clock.
  • How can you configure SNTP?
    • The same way as NTP, but with the keyword “sntp” instead of “ntp”.


  • How can you add timestamps to the log?
    • (global)# service timestamps log datetime [localtime] [show-timezone] [msec] [year]
    • The “localtime” parameter will use the locally configured timezone.
      By default UTC is set.

Chapter 12 – Configuring DHCP

Using DHCP with a Multilayer Switch

  • How does DHCP negotiation work? What steps do it have?
    • DHCP discovery (client): Without any valid source IP the client sends a broadcast message to find a working DHCP server.
    • DHCP offer (server): The server sends a reply destined to the client’s MAC address offering:
      • IP address
      • subnet mask
      • default gateway
      • some additional parameters
        The server sends a broadcast since the client do not have an IP yet, only the MAC.
    • DHCP request (client): The client makes an official request for the proposed IP/subnet/gateway.. This is still a broadcast.
    • DHCP ACK (server): The server sends an acknowledgement, so the client can start using the IP.
  • How do you configure a DHCP server?
    • (global)# ip dhcp excluded-address STAR-IP END-IP
      (global)# ip dhcp pool POOL-NAME
      (dhcp)# network IP SUBNET-MASK
      (dhcp)# default-router IP [IP2] [IP3] ...
      (dhcp)# lease {infinite | days { hours { minutes }}}
  • How can you verify DHCP activites?
    • show ip dhcp binding


  • What is Manual Address Binding?
    • This way the DHCP server will give the same IP address for a specific host.
  • How do you configure manual address binding?
    • (global)# ip dhcp pool POOL-NAME
      (dhcp)# host IP  MASK
      (dhcp)# client-identifier ID
      (dhcp)# hardware-address MAC
  • What is a DHCP option?
    • In some cases the clients need more information than simple IP, mask, gateway… You can specify these information with DHCP options:
      (dhcp)# option OPTION-NUMBER
  • What is DHCP relay?
    • In case the DHCP server is located outside of the LAN, you have the chance to forward the DHCP broadcast messages as unicast packets to the DHCP server.
  • How do you configure it?
    • (interface)# ip helper-address IP


Configuring DHCP to Support IPv6

  • How does Statless Autoconfiguration work (IPv6)?
    • The client will receive a globally unique address (advertised from the router) and fill the rest 64bits with EUI-64.
      EUI-64:  First half of the MAC address (24 bits) + FFFE (16 bits) + second half of the MAC (24 bits)
    • The router periodically send the advertisements but the client can request also.
  • How do you configure Stateless Autoconfiguration?
    • You don’t really have to. Just configure a L3 interface with IPv6 address on the switch and the rest is automated.


  • Why do we need DHCPv6 if we already have Stateless Autoconfiguration?
    • Because the client might need additional information, but Stateless Autoconfiguration can provide the basic information (ie.: DNS server address)
  • How do you configure a DHCPv6?
    • (global)# ipv6 dhcp pool POOL-NAME
      (dhcpv6)# address prefix IPV6-PREFIX
      (dhcpv6)# dns-server DNS-ADDRESS
      (dhcpv6)# domain-name NAME
      (global)# interface INTERFACE-NAME
      (interface)# ipv6 address IP
      (interface)# ipv6 dhcp server POOL-NAME
      (interface)# no shut
  • What is DHCPv6 Lite? 
    • It combines Stateless Autoconfiguration with DHCPv6.
      The clients use Stateless Autoconfig to get their IP, but will receive other information from the server.
  • How do you configure DHCPv6 Lite?
    • The interface command “ipv6 nd other-config-flag” will notify the clients that they should receive their IP from Stateless Autoconfiguration and not DHCPv6.
    • (global)# ipv6 dhcp pool NAME
      (dhcp)# dns-server DNS-ADDRESS
      (dhcp)# domain-name DOMAIN
      (global)# interface INTERFACE-NAME
      (interface)# ipv6 address IP
      (interface)# ipv6 dhcp server POOL-NAME
      (interface)# ipv6 nd other-config-flag
      (interface)# no shut
  • How do you configure DHCPv6 Relay ?
    • (interface)# ipv6 dhcp relay destination IPV6
  • How do you verify IPv6 DHCP?
    • show ipv6 dhcp pool


Chapter 11 – Multilayer Switching

  • What is Inter-VLAN routing?
    • When a device transports packets between VLANs that is called Inter-VLAN routing.
  • How do you configure L2 or L3 port operation mode?
    • L2: (interface)# switchport
    • L3: (interface)# no switchport
  • How can you verify it?
    • Layer 2 mode
      Switch1#sho int gi0/2 switchport
      Name: Gi0/2
      Switchport: Enabled
      Administrative Mode: dynamic desirable
      Operational Mode: static access
      Administrative Trunking Encapsulation: negotiate
      Operational Trunking Encapsulation: native
      Negotiation of Trunking: On
      Access Mode VLAN: 1 (default)
      Trunking Native Mode VLAN: 1 (default)
      Administrative Native VLAN tagging: enabled
      Voice VLAN: none
      Administrative private-vlan host-association: none
      Administrative private-vlan mapping: none
      Administrative private-vlan trunk native VLAN: none
      Administrative private-vlan trunk Native VLAN tagging: enabled
      Administrative private-vlan trunk encapsulation: dot1q
      Administrative private-vlan trunk normal VLANs: none
      Administrative private-vlan trunk associations: none
      Administrative private-vlan trunk mappings: none
      Operational private-vlan: none
      Trunking VLANs Enabled: ALL
      Pruning VLANs Enabled: 2-1001
      Capture Mode Disabled
      Capture VLANs Allowed: ALL
      Protected: false
      Appliance trust: none
    • Layer 3 mode:
      Switch1#sho int gi0/2 switchport
      Name: Gi0/2
      Switchport: Disabled
  • How can you create VLAN interface 100 on a brand new Multilayer Switch?
    • First create the vlan:
      (global)# vlan 100
      (vlan)#  exit
    • Then create the VLAN interface:
      (global)# interface vlan 100
      (interface)# ip address
      (interface)# no shut
    • Creating a VLAN interface will NOT create the VLAN itself.
  • When does an SVI become active?
    • When at least 1 L2 port, which is assigned to the same VLAN, becomes active and STP has converged.
  • What is SVI autostate?
    • None of the switching or routing fuctions can use the SVI interface until the SVI becomes active.
  • How can you disable SVI autostate, so it become active even if L2 ports are down?
    • (interface)# switchport autostate exclude
  • What is FIB?
    • Forwarding Information Base
    • The calculations of the routing table are inserted into the FIB, so when the switch receives a packet it can easily examine the destination and find the longest match in the FIB.
    • When the L3 engines sees changes in the routing topology it sends an update to the FIB.
    • If a next-hop address is changed / aged out of the ARP table, it send update to the FIB
  • How can you find a prefix in the CEF?
    • sho ip cef IP-ADDRESS MASK
    • or you can do a wider “search”
      show ip cef IP-ADDRESS MASK longer-prefixes
  • What happens when a packet cannot be switched in hardware according to the FIB?
    • Those packets are marked as: CEF punt
    • They are sent to the L3 engine for further processing
  • What can cause such situation (CEF punt)? 
    • entry cannot be located in FIB
    • FIB is full
    • TTL has expired
    • MTU exceeded, packet must be fragmented
    • ICMP redirect is involved
    • encapsulation type not supported
    • packets are tunneled
    • ACL with log option triggered
    • NAT needed
  • What types of CEF do you know of? How do they work?
    • aCEF (Accelerated CEF): Only a portion of the FIB is downloaded to them at any time because they are not capable of storing the entire FIB.
      This way the CEF is accelerated on the line cards, but not necessarily at sustained wire-speed rate.
    • dCEF (Distributed CEF):  FIB is replicated across multiple independent L3 forwarding engines.  A central L3 engine maintains the routing table and generates the FIB, which is then dynamically downloaded in full to each of the line cards.

Adjacency Table

  • What is adjacency table?
    • FIB contains the L3 next-hop address for each entry.
    • Adjacency table contains the L2 information for every FIB next-hop.
  • How can you verify it?
    • SW1#show  adjacency 
      Protocol Interface                 Address
      IP       GigabitEthernet0/1/6
      IP       GigabitEthernet0/1/6
      IP       GigabitEthernet0/1/7
      IP       GigabitEthernet0/1/7 (incomplete)
      IP       GigabitEthernet0/1/7


  • What does “CEF glean” mean?
    • When an ARP entry does not exists, the FIB entry is marked as CEF glean. So the packet is sent to L3 forwarding engine to generate an ARP request and receive an ARP reply.
  • What type of entries are in the Adjacency table?
    • Null adjacency: Switch packets for the null interface. No response sent to sender.
    • Glean adjacency: Packets sent to L3 engine to generate ARP request
    • Drop adjacency:  Switch packets that cannot be forwarded normally. (checksum error, unresolved address, encapsulation failure etc..).
      Send response back to sender.
      show cef drop
    • Discard adjacency: Packets are discarded because of an ACL or other policy.
      Response sent sometimes (depends on policy)
    • Punt adjacency: Packets are sent to L3 engine for further processing.
      show cef not-cef-switched
  • What is the packet rewrite engine? What does it do?
    • When the next-hop address is decided, the L2 and L3 headers are need to be rewritten. The precomputed entries in the Adjacency table will make this process fast.
      • L2 destination MAC: Changed to the next-hop MAC
      • L2 source MAC: Changed to the outbound L3 switch interface’s MAC
      • L3 IP TTL: Decremented by one
      • L3 IP checksum: Recalculated to include changes in the IP header
      • L2 frame checksum: Recalculated to include L2 and L3 header


Verifying Multilayer Switching

  • How can you check the configured VLANs?
    • sho-vlan.PNG


Chapter 10 – Aggregating Switch Links

Switch Port Aggregation with EtherChannel

  • Why cant we simple use multiple links for redundancy in L2?
    • Simply putting redundant links between 2 devices would not work because STP would Block the redundant ports.
  • How many links can participate in an EtherChannel?
    • 2 – 8
  • How does STP reacts when ports are bundled into an EtherChannel?
    • It switches the port state from Blocking into Forwarding.
  • What happens when a link fails within an EtherChannel?
    • The traffic is automatically moved to an adjacent link. The failover happens in less than a few milliseconds.
  • How can you increase the effectiveness of redundancy when using EtherChannels (beside using multiple links)?
    • Use multiple switches at each end of the EtherChannel (stackable Catalyst).
    • This is called Multichassis EtherChannel (MEC)
  • 2 switch have 5-5 Gigabit interfaces bundled into an EtherChannel. When PC-1 is transferring 10Gbyte of traffic to PC-2 what is the maximal speed it can achieve? Why?
    • 1 Gbps
    • The connections are balanced between the 5 lines but one connection can use 1 line at a time.
  • What are the general configuration requirement of the bundling ports? (!!)

    • the ports must belong to the same VLAN
    • if used as trunk, all ports must be in trunking mode having the same native VLAN and VLAN set
    • the ports must have the same duplex and speed settings
    • the ports must be configured with the identical STP settings
  • How does EtherChannel distributes traffic?
    • EtherChannel not always balances traffic equally
    • The frame distribution can be selected by:
      • source/destination IP address
      • source/destination MAC address
      • TCP/UDP port numbers
  • How does the EtherChannel selects which link should use for a specific connection?
    • It is using a hash algorithm which selects the link:load-distribution-etherchannel.PNG
    • XOR reminder:
    • Conversations between 2 devices always sent on the same link.
    • Useful article
  • What type of EtherChannel Load-Balancing methods do you know of?
    • Method Value Hash Input Hash Operation
      src-ip Source IP address Bits
      dst-ip Destination IP Bits
      src-dst-ip Source and destination IPs XOR
      src-mac Source MAC Bits
      dst-mac Destination MAC Bits
      src-dst-mac Source and destination MACs XOR
      src-port Source port Bits
      dst-port Destination port Bits
      src-dst-port Source and destination ports XOR
  • How can you configure the load balancing method?
    • (global)# port-channel load-balance METHOD
    • By default: src-mac, but it depends on the switch model
  • How can you verify the load balancing method?
    • show etherchannel load-balance
  • What happens if you configure src-ip as balancing method, but the switch receives a non-IP frame (ie.: SNA)?
    • The switch will automatically fall back to the “next-lowest” method (ie.:MAC).
  • Why broadcast/multicast messages do not cause bridging loops?
    • Because broadcast/multicast messages are being balanced the same way as unicast messages.
      A broadcast messages will become part of the hashing calculation to choose an outbound channel link.
  • What are the 2 types of EtherChannel negotiation protocols +1 that is not a protocol?
    • Port Aggregation Protocol (PAgP)
      Cisco propriatary
    • Link Aggregation Control Protocol (LACP)
    • Link Aggregation (LAG) (Cisco calls this EtherChannel) – This is the manual type of link aggregation.
  • How can these protocols operate? What modes do they have?
    • PAgP LACP Negotiation packets sent Characteristics
      On On No All port channeling
      Auto (default) Passive Yes Waits to channel until asked
      Desireable Active Yes Actively asks to form a channel
    • Mnemonic: LACP => LACtiveP,   Active <=> Passive
  • How does PAgP reacts if you modify the VLAN/duplex/speed value of a port which is a member of the EtherChannel?
    • It will reconfigure that parameter for all ports in the bundle
  • How do you configure PAgP?
    • (interface)# channel-protocol pagp
      (interface)# channel-group NUMBER mode { on | auto | desirable } [non-silent]
  • What happens in PAgP silent mode?
    • PAgP will allow ports to be added to the EtherChannel, even if no PAgP packets received from the far end (silent).
    • By default PAgP operates in silent mode.
  • What is the point of silent mode?
    • This allows a switch to form EtherChannel with another device that do not participate in PAgP (ie.: fileserver, network analyzer etc.)
  • How long does the switch waits until it considers the far end device silent?
    • 15 sec
  • When should you use non-silent mode?
    • When you expect a PAgP capable device on the far end.
    • This will require each port to receive PAgP packets before adding them to a channel.
  • What if PAgP is in non-silent mode, but no PAgP packets received?
    • The port will remain in up state but PAgP will report it to STP that the port is down.
  • How can you verify EtherChannel functionality?
    • Switch5#sho etherchannel summary
      Flags:  D - down        P - bundled in port-channel
              I - stand-alone s - suspended
              H - Hot-standby (LACP only)
              R - Layer3      S - Layer2
              U - in use      f - failed to allocate aggregator
              M - not in use, minimum links not met
              u - unsuitable for bundling
              w - waiting to be aggregated
              d - default port
      Number of channel-groups in use: 1
      Number of aggregators:           1
      Group  Port-channel  Protocol    Ports
      1      Po1(SU)         PAgP      Gi0/1(P)    Gi0/2(P)



  • How do you configure LACP?
    • (global)# lacp system-priority PRIORITY
      (interface)# channel-protocol lacp
      (interface)# channel-group NUMBER mode { on | passive | active }
      (interface)# lacp port-priority PRIORITY
  • What if both switches have the same LACP priority?
    • The lower MAC address is going to be the tie breaker
  • What if you configure more than 8 interfaces in a single channel group?
    • The extra ports are going to be in standby mode. In case an active interface fails the standby will take it’s place.
  • How can you decide which port should be active and which standby?
    • Interfaces with lower port priority are going to be active while interfaces with higher port priority are going to be standby.
    • Default priority: 32768
  • What if no port priority configured?
    • In such case the port with the lower port number is going to be the active one.
  • What is the purpose of EtherChannel Guard?
    • If a misconfiguration is detected on an enabled interface the switch will automatically shut down (err-disabled) the port.
  • How can EtherChannel Guard detect a misconfiguration?
    • etherchannel-guard.PNG
    • It relies on STP
    • Left switch receives BPDUs on all 3 ports even if it’s an EtherChannel. However all 3 BPDUs must have the same “Sending port ID” values (PortchannelX).
      When the switch receives a BPDU on an interface which is a member of an EtherChannel group and the BPDU has other “Sending port ID” value then the BPDUs which were received on the rest of the EtherChannel member interfaces, then it knows there is a misconfiguration.
  • How do you configure and verify it?
    • It is enabled by default
    • (global)# spanning-tree etherchannel guard misconfig
    • show interfaces status err-disabled



  • How can you create a L3 EtherChannel?
    • By using the “no switchport” command on the EtherChannel and physical interfaces
  • What happens when the EtherChannel is configured L3 but the pyhsical interfaces are not?
    • The switch will reject the command!
    • Both of the physical interfaces and the PortChannel must be configured with “no switchport” command.


Troubleshooting an EtherChannel

  • EtherChannel on mode does not send or receive PAgP or LACP packets. Therefore, both ends should be set to on mode before the channel can form.
  • EtherChannel desirable (PAgP) or active (LACP) mode attempts to ask the far end to bring up a channel. Therefore, the other end must be set to either desirable or auto mode.
  • EtherChannel auto (PAgP) or passive (LACP) mode participates in the channel protocol, but only if the far end asks for participation. Therefore, two switches in the auto or passive mode will not form an EtherChannel.
  • PAgP desirable and auto modes default to the silent submode, in which no PAgP packets are expected from the far end. If ports are set to non-silent submode, PAgP packets must be received before a channel will form.


It’s good idea to shut down the future bundle ports before configuring EtherChannel to avoid bridging loop.


Useful commands:

  • show etherchannel summary
  • show etherchannel port
  • show etherchannel load-balance

Blog at

Up ↑