ISE CTS Manual Commands on Port Channel with LACP Issue.

dyuen001
Level 1

We have an ASR 1002 and a CAT 9500 switch connected via a port channel with two physical interfaces. We issued the "cts manual" command on the interfaces; it caused the port channel to flap unless the port channel mode is set to "on". Does anyone have it configured and working with LACP?

2 Accepted Solutions

I just gave it a try, and the commands take for me on 16.6.4.

Are you trying to add the interface back into the port channel while the second interface is still part of Po1? I tried to replicate your error by adding the first interface back to the PO while the second was still there and yet to be configured with cts manual, and it gave me the error you saw. It worked when both are removed from the PO.

DEV9300SW001(config-if)#channel-group 1 mode ac
Command rejected: conflicts with CTS incompatibility detected on interface

The process we use when adding cts manual to production POs is to first take both links out of the PO, then temporarily shut one down. Apply cts manual to all, add them back into the PO, then bring up the second link. We have seen cases where engineers applied cts manual to one of 4 ports on two links and caused a spanning tree loop.

I've come across this specific issue and that particular error message before. What I noticed was that for an LACP port-channel, you cannot have one member port configured for CTS and another port configured without it. Here are the steps I had to perform to configure CTS on port-channels that were already in production:

1 - Disable port <a> on 9500

2 - Disable port <a> on router (ours was an isr4431, but same procedure applies)

3 - Remove both ports from their respective port-channels

4 - Configure CTS manual on both ports

5 - Configure new IP in a different subnet; also configure anything else needed for routing to converge over the individual ports

6 - Enable port <a> on 9500 and port <a> on router

7 - Wait for routing to converge

8 - Disable port <b> on 9500

9 - Disable port <b> on router

10 - Remove 9500 port <b> from port-channel, configure with CTS manual, and then re-add to port-channel

11 - Configure CTS manual on the router port <b> (didn't have to remove and re-add from port-channel)

12 - Enable 9500 port <b> and router port <b>

13 - Wait for routing to reconverge on the port-channel with CTS enabled on their member ports

14 - Disable port <a> on 9500 and port <a> on router

15 - Remove IP address (and any routing config) from 9500 port <a>, configure CTS manual, and configure for port-channel

16 - Remove IP address (and any routing config) from router port <a>, configure CTS manual, and configure for port-channel

17 - Enable 9500 port <a> and router port <a>

18 - At this point all ports should be members of their respective port-channels and have CTS enabled

Needless to say, this was not a very fun endeavor but worked successfully for me at one of our new sites. BTW, we used this same process with layer 2 port-channels down to our access switches without the need for configuring IPs and routing on the <a> ports while running in individual mode and let RSTP sort out which ports were used while doing the switchover.

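Both accepted solutions converge on the same rule: an LACP bundle rejects a joining member whose CTS state differs from the members already in it, so the safe order is to pull every member out, keep one link up, apply cts manual to all, re-add them, and only then bring the shut links back. The script below is an added example written for this thread, not code from Cisco or from either poster. It parses an IOS-style running config (the embedded sample, interface names included, is constructed), flags port-channels whose members are in a mixed cts manual state, and prints that change sequence, generalised from two links to any number of members. The SGT value is a parameter; the `policy static sgt ... trusted` and `channel-group ... mode active` commands are the ones shown in the thread, and the `exit` after the policy line returns from the cts-manual submode exactly as the poster's transcript does.

```python
"""Pre-check and change plan for enabling 'cts manual' on LACP port-channel members.

The thread's observation: IOS-XE rejects 'channel-group N mode active' on an
interface whose CTS state differs from a member already in the bundle
("Command rejected: conflicts with CTS incompatibility detected on interface").
This example (not Cisco's or the posters' code) parses an IOS-style config,
reports bundles with a mixed CTS state, and prints the safe migration order.
"""
import re
from collections import defaultdict

# Constructed sample running-config for the example: Te1/0/2 already has cts manual,
# Te1/0/1 (same bundle) does not; Po2 members are consistent.
SAMPLE_CONFIG = """\
interface TenGigabitEthernet1/0/1
 no ip address
 channel-group 1 mode active
!
interface TenGigabitEthernet1/0/2
 no ip address
 cts manual
  policy static sgt 2 trusted
 channel-group 1 mode active
!
interface TenGigabitEthernet1/0/3
 cts manual
  policy static sgt 2 trusted
 channel-group 2 mode active
!
interface TenGigabitEthernet1/0/4
 cts manual
  policy static sgt 2 trusted
 channel-group 2 mode active
!
"""


def parse_interfaces(config):
    """Return {interface: {'cts_manual': bool, 'channel_group': int|None, 'mode': str|None}}."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = {"cts_manual": False, "channel_group": None, "mode": None}
            continue
        if not line.startswith(" "):      # '!' or any top-level line ends the interface block
            current = None
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped == "cts manual":
            interfaces[current]["cts_manual"] = True
        m = re.match(r"channel-group (\d+) mode (\S+)", stripped)
        if m:
            interfaces[current]["channel_group"] = int(m.group(1))
            interfaces[current]["mode"] = m.group(2)
    return interfaces


def mixed_cts_bundles(interfaces):
    """Return {channel_group: {'with_cts': [...], 'without_cts': [...]}} for every bundle
    whose members disagree on cts manual; these are the bundles that will hit the rejection."""
    groups = defaultdict(lambda: {"with_cts": [], "without_cts": []})
    for name, attrs in interfaces.items():
        cg = attrs["channel_group"]
        if cg is None:
            continue
        groups[cg]["with_cts" if attrs["cts_manual"] else "without_cts"].append(name)
    return {cg: g for cg, g in groups.items() if g["with_cts"] and g["without_cts"]}


def migration_plan(channel_group, members, sgt, mode="active"):
    """Config lines in the order the first accepted solution uses: remove every member from
    the bundle, shut all but one link, apply cts manual to all, re-add all, unshut the rest."""
    members = sorted(members)
    keep_up, shut_down = members[0], members[1:]   # first member (sorted) stays up
    steps = []
    for m in members:
        steps += [f"interface {m}", f" no channel-group {channel_group}"]
    for m in shut_down:
        steps += [f"interface {m}", " shutdown"]
    for m in members:
        steps += [f"interface {m}", " cts manual", f"  policy static sgt {sgt} trusted",
                  " exit", f" channel-group {channel_group} mode {mode}"]
    for m in shut_down:
        steps += [f"interface {m}", " no shutdown"]
    return steps


if __name__ == "__main__":
    ifs = parse_interfaces(SAMPLE_CONFIG)
    for cg, g in mixed_cts_bundles(ifs).items():
        print(f"Port-channel{cg}: mixed CTS state; with={g['with_cts']} without={g['without_cts']}")
        print("\n".join(migration_plan(cg, g["with_cts"] + g["without_cts"], sgt=2)))
```

Run against a saved `show running-config` instead of the sample to find bundles that would fail mid-change, and review the printed plan before pasting it: the first member in sorted order is the link that stays up, so swap the order if the other link is the one you would rather keep forwarding.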
16 Replies

kthumula
Cisco Employee

In production, CTS manual can be enabled by removing one link from the port-channel, adding the cts configuration, putting it back into the port-channel, and then repeating the same for the next link. This should work. Give it a try.

Let me draft an SOP:

1) remove #1 physical interface from port-channel

2) add cts manual command on #2 physical interface 

3) re-add #1 physical interface back to port-channel

4) remove #2 physical interface from port-channel

5) add cts manual to #1 physical interface

6) add #2 physical interface back to port-channel

Is this correct?

Yes, that is correct.

We got the following when we added the interface back to the port channel:

switch (config-if)#cts manual
switch (config-if-cts-manual)#propagate sgt
switch (config-if-cts-manual)#policy static sgt 10 trusted
switch (config-if-cts-manual)#exit
switch (config-if)#channel-group 1 mode active
Command rejected: conflicts with CTS incompatibility detected on interface
switch (config-if)#

That seems odd. I think the issue is with the ASR there, not the 9500. Are you using sub-interfaces on the ASR?

No.

No. The ASR took the CTS manual command and joined the port channel group without any issue.

The issue here is negotiating with the ASR. Anyway, I believe this to be a defect. Can you please open a TAC case or, if internal, a CDETS?

Yes, I will open a TAC case this coming Monday. Thank you.

Do you want to share the full interface config with us? I would also try it without the propagate sgt. I threw cts manual on a dev 9300 I have here and it doesn't appear to be required.

interface TenGigabitEthernet1/1/7
cts manual
policy static sgt 2 trusted
end

DEV9300SW001#sh cts int te1/1/7
Global Dot1x feature is Disabled
Interface TenGigabitEthernet1/1/7:
CTS is enabled, mode: MANUAL
IFC state: INIT
Authentication Status: NOT APPLICABLE
Peer identity: "unknown"
Peer's advertised capabilities: ""
Authorization Status: INCOMPLETE
Peer SGT: 2:TrustSec_Devices
Peer SGT assignment: Trusted
SAP Status: NOT APPLICABLE
Propagate SGT: Enabled
Cache Info:
Expiration : N/A
Cache applied to link : NONE

The interface only has "no ip address", and I tried "no propagate SGT" as well. Have you tried adding that interface to a port channel group to see if you get the error message? That problem showed up when I did that. It would not let the interface be in the port channel group.


I will try that again, removing the 2 interfaces from the PO first, configuring both with the CTS commands, and adding both back to the PO. I will do it this coming Monday. Thank you.

I have tested successfully with Mode On. As we know, Mode On may cause a lot of network problems or issues. That's why we have LACP and PAgP. Is it a matter of the sequence of steps to implement cts manual on a port-channel with LACP? Or would TrustSec cts manual not work on a port channel using LACP (IEEE standard) at all?

I appreciate all your help. I just want to get it going. Hopefully I do not have to change from Mode Active back to Mode On.