EtherChannel Configuration – Complete Guide

1. EtherChannel Overview and Configuration Roadmap

EtherChannel bundles multiple physical Ethernet links into a single logical Port-Channel interface. All member links carry traffic simultaneously, STP treats the bundle as one link (no ports blocked), and if any member link fails the Port-Channel stays up with traffic automatically redistributed.

  Physical reality:               Logical view (STP, routing, VLANs):
  SW-A  Gi0/1 ──────── Gi0/1 SW-B    SW-A ══════════ SW-B
        Gi0/2 ──────── Gi0/2              Port-Channel1
        Gi0/3 ──────── Gi0/3              3 × 1 Gbps = 3 Gbps
        Gi0/4 ──────── Gi0/4              One MAC, one STP port cost

Configuration Checklist — Steps in Order

Step	Action	Command
1	Verify all member ports have identical speed, duplex, mode, and VLAN config	`show interfaces Gi0/1` / `show run int Gi0/1`
2	Select channel-group number (1–6 or 1–48 depending on platform) and protocol mode	`channel-group 1 mode active`
3	Configure the Port-Channel logical interface (switchport/IP settings)	`interface port-channel 1`
4	Set the load-balancing hash method globally	`port-channel load-balance src-dst-ip`
5	Verify formation and member status	`show etherchannel summary`

2. Member Port Requirements — What Must Match

Before adding ports to an EtherChannel, every physical member port must have an identical configuration in all of the following parameters. A single mismatch causes the port to show as suspended (s) or stand-alone (I) and prevents it from joining the bundle.

Parameter	Must Match Across All Members?	Notes
Speed	Yes	All members must negotiate or be hardcoded to the same speed (e.g., 1 Gbps)
Duplex	Yes	All must be full-duplex; half-duplex ports cannot join an EtherChannel
Switchport mode	Yes	All must be access mode OR all must be trunk mode — cannot mix
Access VLAN (access mode)	Yes	All access ports must be in the same VLAN
Trunk encapsulation	Yes	All trunk ports must use the same encapsulation (dot1q)
Allowed VLANs (trunk mode)	Yes	Allowed VLAN list must be identical across all trunk members
Native VLAN (trunk mode)	Yes	Native VLAN must match on all trunk members
STP settings	Yes	PortFast, BPDU Guard, and path cost should match across members

Best practice — configure the Port-Channel interface first. Configure all switchport/IP settings on interface port-channel N and those settings propagate automatically to member ports when they join. Configuring individual member ports directly risks inconsistency and is harder to maintain.

3. Layer 2 EtherChannel — Trunk Mode (Switch-to-Switch Uplink)

The most common EtherChannel use case: bundling uplinks between access and distribution switches, or between distribution and core switches, carrying multiple VLANs on a trunk.

Complete LACP Trunk EtherChannel — Both Switches

! ════════════════════════════════════════════════════════
! SWITCH A — LACP Active Trunk EtherChannel
! ════════════════════════════════════════════════════════

Switch-A(config)# interface range GigabitEthernet0/1 - 4

! Step 1: Set trunk encapsulation BEFORE setting mode on some platforms
Switch-A(config-if-range)# switchport trunk encapsulation dot1q

! Step 2: Set port to trunk mode
Switch-A(config-if-range)# switchport mode trunk

! Step 3: Define allowed VLANs on the trunk
Switch-A(config-if-range)# switchport trunk allowed vlan 10,20,30,40

! Step 4: Set native VLAN (must match other side)
Switch-A(config-if-range)# switchport trunk native vlan 999

! Step 5: Add to channel-group with LACP active mode
Switch-A(config-if-range)# channel-group 1 mode active
Switch-A(config-if-range)# exit

! Step 6: Configure the Port-Channel logical interface
Switch-A(config)# interface port-channel 1
Switch-A(config-if)# switchport trunk encapsulation dot1q
Switch-A(config-if)# switchport mode trunk
Switch-A(config-if)# switchport trunk allowed vlan 10,20,30,40
Switch-A(config-if)# switchport trunk native vlan 999
Switch-A(config-if)# exit

! Step 7: Set load-balance method (global — applies to all EtherChannels)
Switch-A(config)# port-channel load-balance src-dst-ip


! ════════════════════════════════════════════════════════
! SWITCH B — must mirror Switch A's configuration
! ════════════════════════════════════════════════════════

Switch-B(config)# interface range GigabitEthernet0/1 - 4
Switch-B(config-if-range)# switchport trunk encapsulation dot1q
Switch-B(config-if-range)# switchport mode trunk
Switch-B(config-if-range)# switchport trunk allowed vlan 10,20,30,40
Switch-B(config-if-range)# switchport trunk native vlan 999
Switch-B(config-if-range)# channel-group 1 mode active    ! or passive
Switch-B(config-if-range)# exit

Switch-B(config)# interface port-channel 1
Switch-B(config-if)# switchport trunk encapsulation dot1q
Switch-B(config-if)# switchport mode trunk
Switch-B(config-if)# switchport trunk allowed vlan 10,20,30,40
Switch-B(config-if)# switchport trunk native vlan 999
Switch-B(config-if)# exit

Switch-B(config)# port-channel load-balance src-dst-ip

4. Layer 2 EtherChannel — Access Mode (Server Connection)

When bundling links from a switch to a server (NIC bonding / 802.3ad), the ports run in access mode on a single VLAN. This is common for high-bandwidth server uplinks in data centres.

! ════════════════════════════════════════════════════════
! ACCESS MODE EtherChannel — server uplink in VLAN 100
! ════════════════════════════════════════════════════════

Switch(config)# interface range GigabitEthernet0/5 - 8
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 100
Switch(config-if-range)# channel-group 2 mode active
Switch(config-if-range)# spanning-tree portfast        ! Server port — safe to use portfast
Switch(config-if-range)# exit

Switch(config)# interface port-channel 2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 100
Switch(config-if)# spanning-tree portfast
Switch(config-if)# exit

Switch(config)# port-channel load-balance src-dst-ip

Server NIC teaming / bonding: For the server side, configure NIC bonding in IEEE 802.3ad (LACP) mode in the OS: Linux uses bonding driver with mode=4 (802.3ad) or mode=2 (balance-xor); Windows uses NIC Teaming with "Switch Independent" or "LACP" mode. The switch must be configured for LACP active to match.

5. PAgP EtherChannel Configuration

PAgP is Cisco-proprietary. Use it only in legacy all-Cisco environments or when explicitly required. Configuration is identical to LACP except for the mode keywords (desirable / auto).

! ════════════════════════════════════════════════════════
! PAgP EtherChannel — Switch A (Desirable)
! ════════════════════════════════════════════════════════

Switch-A(config)# interface range FastEthernet0/1 - 4
Switch-A(config-if-range)# switchport mode trunk
Switch-A(config-if-range)# switchport trunk encapsulation dot1q
Switch-A(config-if-range)# switchport trunk allowed vlan 1-100
Switch-A(config-if-range)# channel-group 1 mode desirable    ! PAgP active
Switch-A(config-if-range)# exit

Switch-A(config)# interface port-channel 1
Switch-A(config-if)# switchport mode trunk
Switch-A(config-if)# switchport trunk encapsulation dot1q
Switch-A(config-if)# switchport trunk allowed vlan 1-100
Switch-A(config-if)# exit

! ════════════════════════════════════════════════════════
! Switch B — Desirable or Auto (either works with Desirable)
! ════════════════════════════════════════════════════════

Switch-B(config)# interface range FastEthernet0/1 - 4
Switch-B(config-if-range)# switchport mode trunk
Switch-B(config-if-range)# switchport trunk encapsulation dot1q
Switch-B(config-if-range)# switchport trunk allowed vlan 1-100
Switch-B(config-if-range)# channel-group 1 mode desirable    ! or: mode auto
Switch-B(config-if-range)# exit

Switch-B(config)# interface port-channel 1
Switch-B(config-if)# switchport mode trunk
Switch-B(config-if)# switchport trunk encapsulation dot1q
Switch-B(config-if)# switchport trunk allowed vlan 1-100
Switch-B(config-if)# exit

6. Static EtherChannel — Mode On

Static EtherChannel forces the bundle without any negotiation protocol. Both sides must be configured as mode on — mixing on with LACP or PAgP modes on the other side will prevent the channel from forming.

! ════════════════════════════════════════════════════════
! Static EtherChannel — both sides MUST be "mode on"
! Use when connecting to non-Cisco devices that don't
! support PAgP or LACP, or when protocol overhead is unwanted
! ════════════════════════════════════════════════════════

Switch-A(config)# interface range GigabitEthernet0/1 - 2
Switch-A(config-if-range)# switchport mode trunk
Switch-A(config-if-range)# switchport trunk encapsulation dot1q
Switch-A(config-if-range)# channel-group 1 mode on              ! No negotiation
Switch-A(config-if-range)# exit

Switch-A(config)# interface port-channel 1
Switch-A(config-if)# switchport mode trunk
Switch-A(config-if)# switchport trunk encapsulation dot1q

! ─────── Other side ─────────────────────────────────────
Switch-B(config)# interface range GigabitEthernet0/1 - 2
Switch-B(config-if-range)# switchport mode trunk
Switch-B(config-if-range)# switchport trunk encapsulation dot1q
Switch-B(config-if-range)# channel-group 1 mode on              ! Must also be "on"
Switch-B(config-if-range)# exit

Static mode risk: Without negotiation, misconfiguration goes undetected. If one side loses its EtherChannel config (e.g., after a reload), the other side continues sending on all member ports as a bundle while the far side sees individual links — potentially creating a bridging loop. Prefer LACP for all new deployments.

7. Layer 3 EtherChannel — Routed Port-Channel

A Layer 3 EtherChannel assigns an IP address directly to the Port-Channel interface, making it a routed link rather than a switched trunk. This is used between distribution and core layer devices in a routed campus design, or in data-centre spine-leaf fabrics.

! ════════════════════════════════════════════════════════
! LAYER 3 EtherChannel — routed Port-Channel with IP
! ════════════════════════════════════════════════════════

! Switch A
Switch-A(config)# interface range GigabitEthernet0/1 - 2

! Convert to routed (Layer 3) port — removes switchport config
Switch-A(config-if-range)# no switchport
Switch-A(config-if-range)# channel-group 1 mode active          ! LACP
Switch-A(config-if-range)# exit

! Configure IP on the Port-Channel logical interface
Switch-A(config)# interface port-channel 1
Switch-A(config-if)# no switchport                              ! Ensure routed mode
Switch-A(config-if)# ip address 10.1.1.1 255.255.255.252        ! /30 point-to-point
Switch-A(config-if)# no shutdown
Switch-A(config-if)# exit

! ─────── Switch B ────────────────────────────────────────
Switch-B(config)# interface range GigabitEthernet0/1 - 2
Switch-B(config-if-range)# no switchport
Switch-B(config-if-range)# channel-group 1 mode active
Switch-B(config-if-range)# exit

Switch-B(config)# interface port-channel 1
Switch-B(config-if)# no switchport
Switch-B(config-if)# ip address 10.1.1.2 255.255.255.252
Switch-B(config-if)# no shutdown
Switch-B(config-if)# exit


! ════════════════════════════════════════════════════════
! Verification — Layer 3 EtherChannel
! ════════════════════════════════════════════════════════

Switch-A# show etherchannel summary
! Port-Channel shows "RU" = Layer 3 (R), in use (U)
! Group  Port-channel  Protocol    Ports
! 1      Po1(RU)         LACP      Gi0/1(P) Gi0/2(P)

Switch-A# show ip route
! C  10.1.1.0/30 is directly connected, Port-channel1

Switch-A# ping 10.1.1.2     ! Verify connectivity across routed EtherChannel

Layer 3 EtherChannel and STP: Routed Port-Channels (marked "R") do not participate in STP — they are Layer 3 interfaces, not switched ports. There is no STP port cost, no blocked ports, and no risk of STP topology changes from Layer 3 Port-Channels. The "R" vs "S" flag in show etherchannel summary distinguishes Layer 3 from Layer 2.

8. Advanced EtherChannel Options

min-links — Minimum Active Members to Keep Port-Channel Up

! If fewer than N member links are active, bring the Port-Channel down entirely.
! Prevents a degraded channel from being used when most links have failed.
! Useful when connected to load balancers or firewalls that need consistent bandwidth.

Switch(config)# interface port-channel 1
Switch(config-if)# port-channel min-links 2
! Port-Channel1 goes down if fewer than 2 members are active

max-bundle — Limit Active LACP Members

! LACP allows up to 16 configured ports but only 8 active.
! max-bundle limits how many ports are active at once.
! Remaining ports stay in LACP hot-standby (H flag).

Switch(config)# interface port-channel 1
Switch(config-if)# lacp max-bundle 4
! Only 4 of the configured LACP ports will be active; rest are standby

LACP Fast Timer

! LACP default: PDUs every 30 seconds (slow mode)
! Fast mode: PDUs every 1 second — faster failure detection

Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# lacp rate fast      ! Send LACPDUs every 1 second

! Note: both sides should use the same rate for predictable behaviour

EtherChannel Guard

! Protects against misconfiguration loops — err-disables port if
! one side has EtherChannel and the other does not

Switch(config)# spanning-tree etherchannel guard misconfig    ! Recommended on all switches

! Auto-recovery after misconfiguration is fixed:
Switch(config)# errdisable recovery cause etherchannel-misconfig
Switch(config)# errdisable recovery interval 300

9. Load Balancing Configuration

The load-balancing hash method determines how traffic is distributed across member links. Set globally — applies to all EtherChannels on the switch.

! View current method
Switch# show etherchannel load-balance
EtherChannel Load-Balancing Configuration:
        src-dst-ip

! Change the method
Switch(config)# port-channel load-balance src-dst-ip          ! Best for L3 traffic
Switch(config)# port-channel load-balance src-dst-mac         ! Best for pure L2 traffic
Switch(config)# port-channel load-balance src-dst-ip          ! (recommended general purpose)

! Available methods on most Cisco IOS platforms:
!   src-mac           — Source MAC
!   dst-mac           — Destination MAC
!   src-dst-mac       — XOR of source and destination MAC
!   src-ip            — Source IP
!   dst-ip            — Destination IP
!   src-dst-ip        — XOR of source and destination IP (recommended)
!   src-port          — Source TCP/UDP port
!   dst-port          — Destination TCP/UDP port
!   src-dst-ip-l4port — IP + Layer 4 ports (most granular; data centre)

! Test which physical port a specific flow would use
Switch# test etherchannel load-balance interface port-channel 1 ip 192.168.1.10 10.0.0.5
Would select Gi0/2 of Po1

10. Verification — Annotated show Commands

show etherchannel summary — Primary Verification Command

Switch# show etherchannel summary

Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        M - not in use, minimum links not met

Number of channel-groups in use: 2
Number of aggregators:           2

Group  Port-channel  Protocol    Ports
------+-------------+-----------+------------------------------------------
1      Po1(SU)         LACP      Gi0/1(P)  Gi0/2(P)  Gi0/3(P)  Gi0/4(P)
2      Po2(RU)         LACP      Gi0/5(P)  Gi0/6(P)

! Interpreting the flags:
!  Po1(SU) — Port-Channel 1: S=Layer 2 switched, U=in use (channel is up and active)
!  Po2(RU) — Port-Channel 2: R=Layer 3 routed,   U=in use
!  Gi0/1(P) — GigabitEthernet0/1: P=bundled and active member of port-channel
!  (I)      — stand-alone: port has channel-group config but NOT in channel
!  (s)      — suspended: port config inconsistent with Port-Channel (speed/VLAN mismatch)
!  (H)      — Hot-standby: LACP standby port, ready to activate on member failure
!  (D)      — down: port is physically down or administratively shut

show etherchannel detail — Deep Inspection

Switch# show etherchannel 1 detail

Channel-group listing:
-----------------------
Group: 1
----------
Group state = L2
Ports: 4   Maxports = 16
Port-channels: 1 Max Port-channels = 16
Protocol:   LACP
Minimum Links: 0

                Ports in the group:
                -------------------
Port: Gi0/1
------------
Port state    = Up Mstr Assoc In-Bndl          ! Up, in bundle
Channel group = 1           Mode = Active       ! LACP active mode
Port-channel  = Po1         GC   = -    Pseudo port-channel = Po1
Port index    = 0           Load = 0x00
Flags:  S - Device is sending Slow LACPDUs     F - Device is sending fast LACPDUs
        A - Device is in active mode.           P - Device is in passive mode.

Timers: CURRENT_WHILE_TIMER not running
Flags:  SA
LACP port     Admin    Oper    Admin    Oper
State         Priority Priority Key      Key
Desg/Nbr 32768   32768    0x1     0x1

LACP port     Admin    Oper    Admin    Oper
State         Priority Priority Key      Key
Partner 32768   32768    0x1     0x1     ! Partner priority must match for active selection

show etherchannel load-balance and test

! Show configured load-balance method
Switch# show etherchannel load-balance

! Show per-member traffic counters (key for diagnosing hash imbalance)
Switch# show interfaces port-channel 1 etherchannel

! Test hash result for a specific IP pair
Switch# test etherchannel load-balance interface port-channel 1 ip 10.0.1.5 10.0.2.10
Would select Gi0/3 of Po1

show lacp neighbor — Verify LACP Peer Information

Switch# show lacp neighbor

Flags:  S - Device is requesting Slow LACPDUs
        F - Device is requesting Fast LACPDUs
        A - Device is in Active mode       P - Device is in Passive mode

Channel group 1 neighbors

Partner's information:
                  LACP port    Admin   Oper    Port    Port
Port      Flags   Priority     Key     Key     Number  State
Gi0/1     SA      32768        0x1     0x1     0x102   0x3D
Gi0/2     SA      32768        0x1     0x1     0x103   0x3D
Gi0/3     SA      32768        0x1     0x1     0x104   0x3D
Gi0/4     SA      32768        0x1     0x1     0x105   0x3D

Full Verification Command Reference

show etherchannel summary              ! Overview — all channels, protocol, port status flags
show etherchannel 1 detail             ! Full detail for group 1: ports, LACP state, timers
show etherchannel 1 port-channel       ! Port-Channel logical interface details
show etherchannel load-balance         ! Current hash method
show interfaces port-channel 1         ! Port-Channel interface counters (in/out/errors)
show interfaces port-channel 1 etherchannel  ! Per-member traffic counters
show interfaces GigabitEthernet0/1 etherchannel  ! Per-port EtherChannel membership detail
show lacp neighbor                     ! Remote LACP system/port info for all channels
show lacp internal                     ! Local LACP port states, priorities, key values
show pagp neighbor                     ! Remote PAgP system/port info
show pagp internal                     ! Local PAgP state
show run interface port-channel 1      ! Running config of Port-Channel interface
show run interface GigabitEthernet0/1  ! Running config of a member port

11. EtherChannel and Spanning Tree

EtherChannel's interaction with STP is one of its most important operational characteristics. Understanding it prevents loops and optimises the campus network.

Aspect	Behaviour
STP topology view	STP treats the entire Port-Channel as a single logical link — one port, one port cost. No member ports are blocked by STP.
Port cost	STP port cost is based on the Port-Channel's aggregate bandwidth. A 4 × 1 Gbps Port-Channel has a cost equivalent to a 4 Gbps link.
Member link failure	If one member link fails, the Port-Channel stays up. STP sees no topology change. Traffic redistributes across remaining members transparently.
Port-Channel failure	If all member links fail (Port-Channel goes down), STP detects a topology change and reconverges — same as a single link failure.
Misconfiguration risk	If one side bundles ports into EtherChannel but the other side does not, a bridging loop can form. Enable EtherChannel Guard (`spanning-tree etherchannel guard misconfig`) to prevent this.

  STP root election and path cost with EtherChannel:

  Root ══════════════ SW-A      (Port-Channel, STP cost = 4 Gbps aggregate)
       ─────────────  SW-B      (Single link, STP cost = 1 Gbps)

  SW-A's path to root via Port-Channel has lower STP cost → preferred path
  SW-B's single link has higher cost → blocked or used as backup

12. Troubleshooting EtherChannel

Symptom / Output	Likely Cause	Diagnostic & Fix
Ports show `(I)` — stand-alone	LACP passive–passive or PAgP auto–auto (neither side initiates); protocol mismatch (PAgP vs LACP); or mixing `on` with a negotiation mode	`show etherchannel summary` — confirm protocol. `show run int Gi0/1` — check channel-group mode on both sides. Ensure at least one side is `active` (LACP) or `desirable` (PAgP).
Ports show `(s)` — suspended	Physical port config mismatch — speed, duplex, VLAN, trunk encapsulation, or allowed VLANs differ between member ports or vs Port-Channel	`show etherchannel 1 detail` — look for "Incompatible" flags. Compare `show run int Gi0/1` vs `show run int Gi0/2` and vs Port-Channel config. Ensure all match exactly.
Port-Channel is up but only one member carries traffic	Hash imbalance — few unique source/destination IP pairs causing all flows to map to one link	`show interfaces port-channel 1 etherchannel` — compare per-member counters. Use `test etherchannel load-balance` with representative flows. Switch to `src-dst-ip-l4port` for more entropy.
Port err-disabled with `etherchannel-misconfig`	EtherChannel Guard triggered — one side has EtherChannel configured, the other does not (or different group numbers)	Fix the remote switch configuration to match. Then re-enable the port: `interface Gi0/1 → shutdown → no shutdown`. Or use `errdisable recovery cause etherchannel-misconfig` for auto-recovery.
Port-Channel shows `(M)` — minimum links not met	`port-channel min-links N` is configured but fewer than N member links are active	Check `show etherchannel summary` — count active (P) members. Fix failed physical links or lower `min-links` threshold.
EtherChannel flapping repeatedly	Unstable physical cable, LACP PDU timeout, port config being changed while channel is active, or STP topology change loop	`show log` — look for link-up/down and LACP/PAgP events. Check cable quality. Avoid changing member port config while bundle is active. Use `debug lacp all` in lab to trace PDU exchange.

Step-by-Step Troubleshooting Flow

  EtherChannel not forming?
  │
  ├─ Are the physical links up?
  │   → show interfaces Gi0/1 | include line
  │   Fix: check cables, SFPs, remote port config
  │
  ├─ Do both sides have channel-group configured?
  │   → show run interface Gi0/1
  │   Fix: add channel-group N mode active
  │
  ├─ Same channel-group number on both sides?
  │   → compare show run on both switches
  │   Fix: ensure same group number (e.g., both use channel-group 1)
  │
  ├─ Same protocol? (LACP vs LACP, PAgP vs PAgP, On vs On)
  │   → show etherchannel summary
  │   Fix: match protocols — never mix PAgP with LACP
  │
  ├─ Compatible modes? (at least one active/desirable)
  │   → show run interface Gi0/1
  │   Fix: change passive→active or auto→desirable on one side
  │
  ├─ Ports show (s) suspended after forming?
  │   → show etherchannel 1 detail → look for "Incompatible"
  │   Fix: match all port parameters (speed/duplex/VLAN/trunk) exactly
  │
  └─ Channel up but traffic problems?
      → show interfaces port-channel 1 etherchannel (per-member counters)
      → test etherchannel load-balance interface port-channel 1 ip src dst
      Fix: adjust port-channel load-balance method

13. Common Configuration Mistakes

Configuring member ports individually instead of via Port-Channel.
Changes made directly to a member port (e.g., adding a VLAN to Gi0/1's trunk but not Gi0/2 or the Port-Channel) create inconsistency and can suspend ports. Always make configuration changes on the Port-Channel interface and let them propagate to members.
Forgetting no switchport for Layer 3 EtherChannel.
If you configure an IP address on a Port-Channel without first running no switchport on both the member ports and the Port-Channel interface, the interface remains in Layer 2 mode and rejects the IP address. Always verify with show interfaces port-channel 1 — it should show "Internet address" not "Switchport: Enabled."
Using mode on on one side and active on the other.
Static (on) ignores all LACP PDUs. LACP active sends PDUs but receives no response (the other side never replies). No EtherChannel forms. on–on and active/passive–active/passive must be internally consistent.
Mismatched VLAN allowed lists on trunk member ports.
After adding VLANs to some member ports (via switchport trunk allowed vlan add) but not others, ports become suspended. The most common trigger: using switchport trunk allowed vlan 10,20 on Gi0/1 but switchport trunk allowed vlan 10,20,30 on Gi0/2. Fix by re-applying the allowed VLAN list uniformly on the Port-Channel interface.
Forgetting to configure the Port-Channel interface itself.
Adding channel-group 1 mode active to physical ports creates the Port-Channel, but the logical Port-Channel interface has no configuration until you explicitly enter interface port-channel 1 and configure it. An unconfigured Port-Channel may default to access mode VLAN 1 regardless of member port settings on some platforms.

14. Key Points & Exam Tips

EtherChannel = multiple physical links → one logical Port-Channel. STP sees one link; all members carry traffic simultaneously.
All member ports must have identical: speed, duplex, switchport mode, VLAN(s), native VLAN, trunk encapsulation.
LACP modes: active (initiates) and passive (responds). At least one side must be active — passive–passive = no channel.
PAgP modes: desirable (initiates) and auto (responds). At least one side must be desirable — auto–auto = no channel.
mode on = static, no negotiation. Both sides must be on. Mixing on with active/passive = no channel.
Configure trunk/access/IP settings on Port-Channel interface, not individual member ports.
Load balance method: port-channel load-balance src-dst-ip is best general purpose. Verify: show etherchannel load-balance. Test: test etherchannel load-balance interface port-channel 1 ip src dst.
Layer 3 EtherChannel: requires no switchport on both members and Port-Channel. Shows as "R" in show etherchannel summary. Does not participate in STP.
min-links: port-channel min-links N — Port-Channel goes down if fewer than N members active. Shows as "(M)" in summary.
max-bundle: lacp max-bundle N — limits active LACP members; rest become hot-standby "(H)".
EtherChannel Guard: spanning-tree etherchannel guard misconfig — err-disables port when misconfiguration detected (one side bundled, other not).
Summary flags: P=bundled (active), I=stand-alone (not in channel), s=suspended (config mismatch), H=hot-standby, D=down, S=Layer 2, R=Layer 3, U=in use.

15. EtherChannel Configuration Quiz

1. A network engineer configures four GigabitEthernet ports on Switch A with `channel-group 1 mode active` and the Port-Channel as a trunk. On Switch B, the same four ports are configured with `channel-group 1 mode passive` and the Port-Channel as a trunk. Three ports show `(P)` in `show etherchannel summary` but one port shows `(I)`. What is the most likely cause for the stand-alone port?

A. LACP passive–active does not form — both sides must be active for LACP to work B. The Port-Channel interface was not created on Switch B, causing one port to remain stand-alone C. That specific port has a configuration inconsistency (different speed, duplex, or VLAN setting) preventing LACP negotiation from completing on that port, while the other three ports with matching config bundled successfully D. The channel-group number must be different on each switch — both using group 1 causes a conflict

Correct answer is C. Active–Passive is a valid LACP combination — three ports forming successfully confirms the protocol and modes are compatible. The fourth port showing (I) stand-alone indicates an issue specific to that port. The most common cause: a physical configuration difference on that one port — different speed auto-negotiated, a VLAN setting that differs from the other members, or the port's trunk allowed list was individually modified. Use show etherchannel 1 detail to see the specific reason and show run interface Gi0/4 to compare its config against the working ports. Fix the mismatch and the port will join the bundle automatically.

2. An engineer runs `show etherchannel summary` and sees: `Po1(SU) LACP Gi0/1(P) Gi0/2(P) Gi0/3(s) Gi0/4(P)` A few minutes earlier, the engineer added VLAN 50 to Gi0/3's trunk using `switchport trunk allowed vlan add 50` directly on Gi0/3. What caused Gi0/3 to become suspended, and what is the correct fix?

A. Adding a VLAN to a trunk port forces a re-negotiation of LACP — wait 30 seconds and Gi0/3 will rejoin B. VLAN 50 does not exist in the VLAN database — create VLAN 50 with vlan 50 and the port will rejoin C. Gi0/3 was configured with a different native VLAN during the VLAN add operation D. Gi0/3's allowed VLAN list now differs from the Port-Channel interface (which still allows the original list). The fix: apply the VLAN change on the Port-Channel interface — interface port-channel 1 → switchport trunk allowed vlan add 50 — which propagates uniformly to all members

Correct answer is D. When you modify a member port's VLAN allowed list directly (instead of on the Port-Channel), you create an inconsistency between that port and the Port-Channel interface. The switch detects the mismatch and suspends the port (shows "s"). The correct procedure is always to make VLAN and trunk changes on the Port-Channel logical interface: interface port-channel 1 → switchport trunk allowed vlan add 50. This ensures the change applies identically to the Port-Channel and all member ports simultaneously. If you've already modified an individual member, the quickest fix is to re-apply the complete allowed VLAN list on the Port-Channel, which will re-sync all members.

3. A network administrator configures a Layer 3 EtherChannel between two distribution switches for a routed uplink to the core. After configuration, `show etherchannel summary` shows `Po1(SU)` instead of the expected `Po1(RU)`. The IP address configured on `interface port-channel 1` is missing. What step was forgotten?

A. The channel-group number must match the VLAN number for routed port-channels to work B. no switchport was not configured on the member ports and/or the Port-Channel interface — without it, they remain in Layer 2 mode (S flag) and reject IP address configuration C. LACP must be set to passive mode for Layer 3 EtherChannels to work D. The ip routing command was not enabled globally on the switch

Correct answer is B. Cisco IOS switch interfaces default to Layer 2 (switchport) mode. The "S" flag in show etherchannel summary confirms the Port-Channel is still in Layer 2 switched mode. To convert to a Layer 3 routed interface, you must run no switchport on both the physical member ports AND the Port-Channel logical interface. Without this, the interface remains a switchport and the IOS rejects any IP address configuration with an error. After adding no switchport to the Port-Channel, the flag changes from "S" to "R" and you can assign an IP address. Verify with show interfaces port-channel 1 — it should say "Internet address" once correctly configured.

4. An operations team configures a 6-port LACP EtherChannel between two core switches to provide high availability. They want exactly 4 ports active at any time, with 2 in hot-standby ready to activate instantly if any active link fails. Which commands achieve this?

A. lacp max-bundle 4 under interface port-channel 1, and set lower lacp port-priority values on the 4 preferred ports — LACP selects the 4 highest-priority ports as active; the other 2 become hot-standby (H) B. port-channel min-links 4 limits the active members to 4 and puts the other 2 in standby automatically C. Configure only 4 ports with mode active and leave the other 2 as mode passive — passive ports become standby automatically D. Use PAgP instead of LACP — PAgP supports standby configuration with the pagp standby command

Correct answer is A. LACP hot-standby links are configured using two mechanisms together: (1) lacp max-bundle 4 on the Port-Channel interface limits the maximum number of simultaneously active members to 4. (2) lacp port-priority on individual ports determines which 4 are selected as active — the 4 ports with the lowest port-priority values (highest priority) become active members; the remaining 2 ports with default (higher) priority values become hot-standby, shown as "(H)" in show etherchannel summary. PAgP (option D) does not support standby links — this is exclusively a LACP feature. min-links (option B) brings down the channel below a threshold, not the same as standby.

5. A switch log shows:
`%PM-4-ERR_DISABLE: etherchannel-misconfig error detected on Po1, putting Gi0/1 in err-disable state`
The network team recently replaced Switch B. What is the most likely root cause, and what is the recovery procedure?

A. Switch B's replacement hardware uses a different LACP version — upgrade IOS to fix the compatibility issue B. The VLAN database on Switch B needs to be re-synchronised with Switch A before the EtherChannel can re-form C. The replacement Switch B was not configured with EtherChannel — it sees individual links while Switch A still sends as a bundle, creating a loop detected by EtherChannel Guard. Fix: configure EtherChannel on Switch B, then re-enable the err-disabled port on Switch A D. EtherChannel Guard incorrectly triggered — disable it with no spanning-tree etherchannel guard misconfig to restore connectivity

Correct answer is C. EtherChannel Guard triggers when it detects that the local switch has a bundled Port-Channel but the remote switch treats the same physical links as individual ports. This is exactly what happens after replacing a switch without restoring its EtherChannel configuration — the new Switch B operates each port independently, while Switch A sends all traffic as a bundle across what it thinks is one logical link. The resulting topology mismatch can cause frames to duplicate and STP to detect a loop, hence the err-disable. Recovery steps: (1) Configure EtherChannel on the replacement Switch B to match Switch A. (2) Re-enable the err-disabled port: interface Gi0/1 → shutdown → no shutdown. Never disable EtherChannel Guard (option D) — it protects against real bridging loops.

6. Which command correctly configures the load-balance method for EtherChannel on a Cisco IOS switch, and at which configuration level is it applied?

A. ip load-sharing per-flow under interface port-channel 1 B. port-channel load-balance src-dst-ip in global configuration — this applies globally to all EtherChannels on the switch, not per-channel C. channel-group 1 load-balance src-dst-ip under each member interface D. lacp load-balance src-dst-ip in global configuration

Correct answer is B. The EtherChannel load-balance method is configured globally on Cisco IOS switches with port-channel load-balance <method> in global configuration mode (not under interface or channel-group). This setting applies to all EtherChannel groups on the switch — there is no per-channel load-balance configuration on standard IOS platforms. The method you choose determines which header fields are hashed to select which member link a given frame uses. Verify with show etherchannel load-balance. Test a specific flow's assignment with test etherchannel load-balance interface port-channel 1 ip src dst.

7. An engineer is configuring a 4-port EtherChannel trunk and accidentally runs `switchport trunk allowed vlan 10,20` on the Port-Channel interface, but earlier had configured `switchport trunk allowed vlan 10,20,30,40` on each individual member port. What effect does this have on the member ports?

A. No effect — Port-Channel configuration and member port configuration are managed independently B. The member ports override the Port-Channel — the trunk still allows VLANs 10, 20, 30, 40 C. The Port-Channel config and member port configs are merged — the trunk allows the union of both lists (10, 20, 30, 40) D. The Port-Channel configuration propagates to all member ports, overwriting their individual allowed VLAN lists to match the Port-Channel — the trunk now allows only VLANs 10, 20 on all members

Correct answer is D. On Cisco IOS, the Port-Channel logical interface is the authoritative configuration source for the bundle. When you configure the Port-Channel interface, those settings propagate to and override the individual member port configurations. In this scenario, running switchport trunk allowed vlan 10,20 on

interface
                  port-channel 1

will update all four member ports (Gi0/1–Gi0/4) to allow only VLANs 10 and 20, removing VLANs 30 and 40 from their allowed lists. This propagation behaviour is both a feature (consistent config) and a risk (unintended changes). Always verify the Port-Channel config before applying to avoid unintentionally removing VLANs from production trunks.

8. A network engineer needs to ensure that if more than 2 member links fail in a 4-link EtherChannel to a critical firewall, the Port-Channel goes down completely rather than continuing to operate with only 1 or 2 links (which the firewall cannot handle at reduced bandwidth). Which command achieves this?

A. port-channel min-links 3 under interface port-channel 1 — if fewer than 3 links are active, the Port-Channel is brought down entirely B. lacp max-bundle 2 — limits the channel to 2 active links and brings it down if exceeded C. channel-group 1 min-links 3 under each member interface D. spanning-tree port-channel min-active 3 in global configuration

Correct answer is A. The port-channel min-links N command, configured under the Port-Channel interface, specifies the minimum number of active member links required for the Port-Channel to remain up. If the number of active members drops below N, the Port-Channel interface is brought down (shown as "(M)" in show etherchannel summary) — which triggers routing/STP convergence to a backup path. In this scenario, port-channel min-links 3 means: 4 links = normal operation, 3 links = still up (one failure tolerated), 2 links = Port-Channel goes down and traffic fails over. This protects the firewall from receiving reduced-bandwidth traffic that could overload it. lacp max-bundle (option B) limits maximum active links, not minimum — it does not bring down the channel.

9. Which statement correctly describes the relationship between an EtherChannel and Spanning Tree Protocol in a properly functioning Layer 2 network?

A. STP blocks all but one member port in the EtherChannel to prevent loops — only one physical link carries traffic at a time B. EtherChannel disables STP on its member ports entirely — STP is not aware of EtherChannel links C. STP treats the Port-Channel as a single logical link — all physical members are active simultaneously with no ports blocked, and STP calculates path cost based on the aggregate Port-Channel bandwidth D. EtherChannel replaces STP — enabling EtherChannel between two switches removes the need to run Spanning Tree between them

Correct answer is C. This is the fundamental EtherChannel–STP relationship. STP operates on the Port-Channel logical interface, not on individual member ports. From STP's perspective, the four physical links look like one link — the Port-Channel. STP sends BPDUs on the Port-Channel interface and calculates port cost based on the aggregate bandwidth (a 4 × 1 Gbps EtherChannel has a lower STP cost than a single 1 Gbps link). All four physical member links carry traffic simultaneously — no STP blocking of individual members. STP still runs on the Port-Channel to prevent loops between switches at the topology level (option D is wrong). The key benefit: EtherChannel avoids STP from wasting links, not from disabling STP entirely.

10. An engineer verifies an EtherChannel with `show etherchannel summary` and sees all member ports showing `(P)` (bundled) but the switch has very uneven per-port traffic — one port carries 85% of total traffic and three ports carry 5% each. The traffic is HTTP/HTTPS from many clients to a single web server IP. What is the most likely cause, and what change would best improve distribution?

A. One physical port has a higher-speed interface than the others — replace it with a matching port B. The current hash method (likely src-dst-ip or dst-ip) produces only one unique hash value because all traffic has the same destination IP (one web server). Changing to src-dst-ip-l4port adds source port numbers to the hash, generating unique values per TCP session and spreading load across all four ports C. Increase the number of member ports from 4 to 8 to provide more paths for the traffic D. Configure LACP fast timers to detect and rebalance flows more frequently

Correct answer is B. This is a classic hash imbalance scenario. With a single destination IP (one web server), a pure dst-ip hash always produces the same result — all traffic hashes to the same member port. Even src-dst-ip produces limited entropy when one side (destination) is constant, because XOR with a fixed value still maps many source IPs to the same hash bucket. Adding Layer 4 port numbers via src-dst-ip-l4port (or the equivalent src-dst-mixed-ip-port) dramatically increases entropy: every unique TCP connection from a client has a different ephemeral source port (1024–65535), generating unique hash values even when source and destination IPs are the same. Verify the fix with test etherchannel load-balance using multiple src/dst port pairs.

← Back to Home

EtherChannel Configuration – Complete Guide

1. EtherChannel Overview and Configuration Roadmap

Configuration Checklist — Steps in Order

2. Member Port Requirements — What Must Match

3. Layer 2 EtherChannel — Trunk Mode (Switch-to-Switch Uplink)

Complete LACP Trunk EtherChannel — Both Switches

4. Layer 2 EtherChannel — Access Mode (Server Connection)

5. PAgP EtherChannel Configuration

6. Static EtherChannel — Mode On

7. Layer 3 EtherChannel — Routed Port-Channel

8. Advanced EtherChannel Options

min-links — Minimum Active Members to Keep Port-Channel Up

max-bundle — Limit Active LACP Members

LACP Fast Timer

EtherChannel Guard

9. Load Balancing Configuration

10. Verification — Annotated show Commands

show etherchannel summary — Primary Verification Command

show etherchannel detail — Deep Inspection

show etherchannel load-balance and test

show lacp neighbor — Verify LACP Peer Information

Full Verification Command Reference

11. EtherChannel and Spanning Tree

12. Troubleshooting EtherChannel

Step-by-Step Troubleshooting Flow

13. Common Configuration Mistakes

14. Key Points & Exam Tips

15. EtherChannel Configuration Quiz

4. An operations team configures a 6-port LACP EtherChannel between two core switches to provide high availability. They want exactly 4 ports active at any time, with 2 in hot-standby ready to activate instantly if any active link fails. Which commands achieve this?

5. A switch log shows: %PM-4-ERR_DISABLE: etherchannel-misconfig error detected on Po1, putting Gi0/1 in err-disable state The network team recently replaced Switch B. What is the most likely root cause, and what is the recovery procedure?

6. Which command correctly configures the load-balance method for EtherChannel on a Cisco IOS switch, and at which configuration level is it applied?

7. An engineer is configuring a 4-port EtherChannel trunk and accidentally runs switchport trunk allowed vlan 10,20 on the Port-Channel interface, but earlier had configured switchport trunk allowed vlan 10,20,30,40 on each individual member port. What effect does this have on the member ports?

9. Which statement correctly describes the relationship between an EtherChannel and Spanning Tree Protocol in a properly functioning Layer 2 network?

5. A switch log shows:
`%PM-4-ERR_DISABLE: etherchannel-misconfig error detected on Po1, putting Gi0/1 in err-disable state`
The network team recently replaced Switch B. What is the most likely root cause, and what is the recovery procedure?

7. An engineer is configuring a 4-port EtherChannel trunk and accidentally runs `switchport trunk allowed vlan 10,20` on the Port-Channel interface, but earlier had configured `switchport trunk allowed vlan 10,20,30,40` on each individual member port. What effect does this have on the member ports?