11-02-2018 05:58 AM
We have an ASR 1002 and a CAT 9500 switch connected via a port channel with two physical interfaces. We issued the "cts manual" command on the interfaces; it caused the port channel to flap unless the port-channel mode is set to "on". Does anyone have it configured and working with LACP?
12-18-2018 01:24 PM - edited 12-18-2018 01:27 PM
I've come across this specific issue and that particular error message before. What I noticed was that for an LACP port-channel, you cannot have one member port configured for CTS and another port configured without it. Here are the steps I had to perform to configure CTS on port-channels that were already in production:
1 - Disable port <a> on 9500
2 - Disable port <a> on router (ours was an isr4431, but same procedure applies)
3 - Remove both ports from their respective port-channels
4 - Configure CTS manual on both ports
5 - Configure new IP in a different subnet; also configure anything else needed for routing to converge over the individual ports
6 - Enable port <a> on 9500 and port <a> on router
7 - Wait for routing to converge
8 - Disable port <b> on 9500
9 - Disable port <b> on router
10 - Remove 9500 port <b> from port-channel, configure with CTS manual, and then re-add to port-channel
11 - Configure CTS manual on the router port <b> (didn't have to remove and re-add from port-channel)
12 - Enable 9500 port <b> and router port <b>
13 - Wait for routing to reconverge on the port-channel with CTS enabled on their member ports
14 - Disable port <a> on 9500 and port <a> on router
15 - Remove IP address (and any routing config) from 9500 port <a>, configure CTS manual, and configure for port-channel
16 - Remove IP address (and any routing config) from router port <a>, configure CTS manual, and configure for port-channel
17 - Enable 9500 port <a> and router port <a>
18 - At this point all ports should be members of their respective port-channels and have CTS enabled
Needless to say, this was not a very fun endeavor, but it worked successfully for me at one of our new sites. BTW, we used this same process with layer 2 port-channels down to our access switches, without the need to configure IPs and routing on the <a> ports while running in individual mode, and let RSTP sort out which ports were used during the switchover.
11-02-2018 07:47 AM
In production, CTS manual could be enabled by removing one link from the port-channel, adding the cts configuration, and putting it back into the port-channel, then repeating the same for the next link. This should work. Give it a try.
11-02-2018 07:58 AM
Let me draft an SOP:
1) remove #1 physical interface from port-channel
2) add cts manual command on #2 physical interface
3) re-add #1 physical interface back to port-channel
4) remove #2 physical interface from port-channel
5) add cts manual to #1 physical interface
6) add #2 physical interface back to port-channel
Is this correct?
11-02-2018 08:00 AM
Yes, that is correct.
11-02-2018 09:45 AM
We got the following when we added the interface back to the port channel:
switch (config-if)#cts manual
switch (config-if-cts-manual)#propagate sgt
switch (config-if-cts-manual)#policy static sgt 10 trusted
switch (config-if-cts-manual)#exit
switch (config-if)#channel-group 1 mode active
Command rejected: conflicts with CTS incompatibility detected on interface
switch (config-if)#
11-02-2018 10:57 AM
That seems odd. I think the issue is with ASR there but not the 9500. Are you using sub-interfaces on the ASR?
11-02-2018 11:02 AM
No.
11-02-2018 12:36 PM
No. The ASR took the CTS manual command and joined the port channel group without any issue.
11-02-2018 12:44 PM
The issue here is negotiating with the ASR. Anyway, I believe this to be a defect. Can you please open a TAC case or, if internal, a CDETS?
11-02-2018 01:33 PM
Yes, I will open a TAC case this coming Monday. Thank you.
11-02-2018 11:28 AM
Do you want to share the full interface config with us? I would also try it without the propagate sgt. I threw cts manual on a dev 9300 I have here, and it doesn't appear to be required.
interface TenGigabitEthernet1/1/7
cts manual
policy static sgt 2 trusted
end
DEV9300SW001#sh cts int te1/1/7
Global Dot1x feature is Disabled
Interface TenGigabitEthernet1/1/7:
CTS is enabled, mode: MANUAL
IFC state: INIT
Authentication Status: NOT APPLICABLE
Peer identity: "unknown"
Peer's advertised capabilities: ""
Authorization Status: INCOMPLETE
Peer SGT: 2:TrustSec_Devices
Peer SGT assignment: Trusted
SAP Status: NOT APPLICABLE
Propagate SGT: Enabled
Cache Info:
Expiration : N/A
Cache applied to link : NONE
11-02-2018 12:33 PM
The interface only has "no ip address". And I tried "no propagate sgt" as well. Have you tried to add that interface to a port channel group to see if you get the error message? That problem showed up when I did that. It would not let the interface be in the port channel group.
11-02-2018 12:44 PM - edited 11-02-2018 12:44 PM
I just gave it a try, and the commands take for me on 16.6.4.
Are you trying to add the interface back into the port channel while the second interface is still part of Po1? I tried to replicate your error by adding the first interface back to the PO while the second was still there and yet to be configured with cts manual, and it gave me the error you saw. It worked when both were removed from the PO.
DEV9300SW001(config-if)#channel-group 1 mode ac
Command rejected: conflicts with CTS incompatibility detected on interface
The process we use when adding cts manual to production POs is to first take both links out of the PO, then temporarily shut one down. Apply cts manual to all, add them back into the PO, and bring up the second link. We have seen cases where engineers applied cts manual to one of 4 ports on two links and caused a spanning-tree loop.
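Both the step-by-step procedure above (12-18-2018) and this post come down to the same rule: every member of an LACP port-channel must agree on whether `cts manual` is configured, or the next `channel-group` is rejected and a half-configured bundle can leave a spanning-tree loop. The following script is an added example, not from the thread or from Cisco: it parses running-config text (a constructed sample is embedded) and flags any port-channel whose members disagree, so the check can be run before re-adding links.

```python
import re
from collections import defaultdict

# Constructed sample running-config (not from the thread): Te1/0/1 already
# carries cts manual while Te1/0/2, its LACP peer in Po1, does not yet.
SAMPLE_CONFIG = """\
interface TenGigabitEthernet1/0/1
 cts manual
  policy static sgt 10 trusted
 channel-group 1 mode active
interface TenGigabitEthernet1/0/2
 channel-group 1 mode active
interface TenGigabitEthernet1/0/3
 cts manual
 channel-group 2 mode active
interface TenGigabitEthernet1/0/4
 cts manual
 channel-group 2 mode active
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented config lines (stripped)."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a non-interface section ends the stanza
    return interfaces

def cts_consistency(config):
    """Per port-channel: which members have 'cts manual' and whether all agree."""
    groups = defaultdict(dict)
    for name, lines in parse_interfaces(config).items():
        has_cts = "cts manual" in lines
        for line in lines:
            m = re.match(r"channel-group (\d+)", line)
            if m:
                groups["Port-channel" + m.group(1)][name] = has_cts
    return {po: {"members": members, "consistent": len(set(members.values())) == 1}
            for po, members in groups.items()}

if __name__ == "__main__":
    for po, info in cts_consistency(SAMPLE_CONFIG).items():
        state = "OK" if info["consistent"] else "MISMATCH (fix before re-adding members)"
        print(po, state, info["members"])
```

Feed it the output of `show running-config` saved to a file; a `MISMATCH` line names the exact members that still differ.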
11-02-2018 01:35 PM
I will try that again: remove both interfaces from the PO first, configure both with the CTS commands, and add both back to the PO. I will do it this coming Monday. Thank you.
11-26-2018 07:40 AM
I have tested successfully with mode on. As we know, mode on may cause a lot of network problems or issues. That's why we have LACP and PAgP. Is it a matter of the sequence of steps to implement cts manual on a port-channel with LACP? Or would TrustSec cts manual not work on a port channel using LACP (IEEE standard) at all?
I appreciate all your help. I just want to get it going; hopefully I do not have to change from mode active back to mode on.