1.1.d EtherChannel

I’m going to focus on two specific tasks with EtherChannel.

  • Two trunk ports on a switch connecting to two ports on a router, which will be configured as sub-interfaces.
  • Enable TrustSec on those ports. This will come into play when we get to the Border/Control Plane node on SDA and we want to connect it to the WAN Edge router (possibly our SD-WAN Edge).
1.1.d i LACP, static

Notice there’s no PAGP on the list, since it’s not supported on most devices anymore. Just one less thing to worry about. For starters we’ll just work with SW2 and R26.

The only real trick is that the order of operations is a little different on the router than on the switch.

R26
conf t
!We have to define the port channel interface first.
interface port-channel 1
!And enable TrustSec on the port channel. Unlike the switch, you only apply it to port-channel config. It won’t take the cts commands on the individual channel-group members.
cts manual
policy static sgt 2 trusted
exit
!Now we can add our interfaces gig 0/0/4 and gig 0/0/5 to the channel-group.
interface range gig 0/0/4-5
channel-group 1 mode active
exit
!And since we’re laying the groundwork for SDA, let’s add the VRFs.
vrf definition 1024
rd 1:1024
vrf definition 1025
rd 1:1025
vrf definition 1026
rd 1:1026
!Last bit, we’ll create the sub-interfaces under the port-channel. The tricky part: we have to enable cts manual on every sub-interface.
interface port-channel 1.1024
encapsulation dot1q 1024
vrf forwarding 1024
ip address 4.14.24.1 255.255.255.0
cts manual
policy static sgt 2 trusted
!Rinse and repeat for each sub-interface.
interface port-channel 1.1025
encapsulation dot1q 1025
vrf forwarding 1025
ip address 4.14.25.1 255.255.255.0
cts manual
policy static sgt 2 trusted
!1026
interface port-channel 1.1026
encapsulation dot1q 1026
vrf forwarding 1026
ip address 4.14.26.1 255.255.255.0
cts manual
policy static sgt 2 trusted

It’s good practice to shut down these interfaces while applying the TrustSec config. Another thing I’ve seen on some older ASR code is that applying the cts manual command breaks LACP. So if you’re hitting that particular bug, you either have to set the channel-group to mode on or upgrade the IOS code.

SW2
!Let’s default the interfaces first.
conf t
default interface gig 1/0/8
default interface gig 1/0/9
interface range gig 1/0/8-9
switchport mode trunk
!We have to apply the cts commands first. If we do the channel-group command first, the interfaces won’t take the cts commands.
cts manual
policy static sgt 2 trusted
!The channel-group command has to go on the physical interfaces too, so stay in interface range mode for it.
channel-group 1 mode active
exit
!Note, I noticed that on a Cat9300 with current code, PAGP is still an option. It’s not available on the ASR I’m testing with, the only options are LACP and ON.
interface port-channel 1
switchport mode trunk
switchport trunk allowed vlan 1024-1026
!Also note that, unlike the router, you don’t apply the cts commands on the port-channel interface. You only apply it on the physical interfaces.
!Also note that it makes me nuts that sometimes it’s a port-channel, sometimes it’s a channel-group, and sometimes it’s an etherchannel.

Published by Gregory Leeson (CCIE Security, #60398). A Cisco networking nut.