Unable to configure the port security feature and user receives the "Command rejected: Port-channel is channelling port" message in Catalyst 6000/6500 Series Switches

Core issue

As stated in the port security guidelines and restrictions, you cannot enable port security on an EtherChannel, and a secure port cannot belong to an EtherChannel port-channel interface. The issue is that you are nevertheless able to configure the maximum number of secure MAC addresses on a port-channel interface.

In this sample configuration, the aging time and the maximum number of MAC addresses are accepted on a port-channel interface:

interface port-channel 11
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan none
switchport mode trunk
switchport nonegotiate
switchport port-security maximum 3068
switchport port-security aging time 23
spanning-tree portfast trunk
spanning-tree bpdufilter enable

Conversely, an EtherChannel does not form with ports on which the port security feature is enabled.

Resolution

Cisco IOS allows you to configure port security parameters, such as the aging time and the maximum number of MAC addresses, on a port-channel interface, but port security itself is never enabled on that port. The switch therefore ignores these settings.

Port security is only enabled by the bare command switchport port-security. If you enter that command on a port that is part of an EtherChannel, the switch rejects it and displays an error, as this example output shows:

interface Port-channel 10
switchport trunk encapsulation dot1q
switchport trunk allowed vlan none
switchport mode trunk
switchport nonegotiate
switchport port-security maximum 3068
end

Switch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#interface po10
Switch(config-if)#switch port-security aging time 23
Switch(config-if)#switch port-security
Command rejected: Port-channel10 is channelling.
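As an added example (not part of the original article), this Python script audits an IOS-style running-config for the silent misconfiguration described above: port-security parameters under a Port-channel that the switch accepts but never enforces, a member port with port security enabled that would keep the channel from forming, and a port whose parameters are set without the bare switchport port-security command. The sample configuration is constructed, not taken from a real device.

```python
# Constructed sample running-config excerpt (not from a real device). It mirrors
# the article's scenario: port-security parameters accepted under a Port-channel
# but never enforced, a member port with port security enabled, and an access
# port with parameters set but the feature itself never turned on.
SAMPLE_CONFIG = """\
interface Port-channel11
 switchport mode trunk
 switchport port-security maximum 3068
 switchport port-security aging time 23
!
interface GigabitEthernet1/2
 switchport mode trunk
 switchport port-security
 channel-group 11 mode on
!
interface GigabitEthernet1/3
 switchport mode access
 switchport port-security maximum 2
!
"""

def parse_interfaces(config):
    """Return {interface name: [subcommands]} from an IOS-style config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or another top-level line ends the block
    return interfaces

def audit_port_security(config):
    """Flag port-security settings the switch will not enforce as intended."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        ps = [c for c in cmds if c.startswith("switchport port-security")]
        if not ps:
            continue
        enabled = "switchport port-security" in ps  # bare command turns it on
        if name.lower().startswith("port-channel"):
            findings.append((name, "ignored: port security cannot run on a Port-channel"))
        elif enabled and any(c.startswith("channel-group") for c in cmds):
            findings.append((name, "member port with port security: EtherChannel will not form"))
        elif not enabled:
            findings.append((name, "parameters set but 'switchport port-security' missing"))
    return findings
```

Run it against a saved show running-config and treat every Port-channel finding as a gap: the configuration looks secured, but no MAC-address limit is in effect on that link.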

Comments

Hello,

But how can a port-channel's port be secured if a malicious user unplugs the cable connecting both ports (let's presume that we have an EtherChannel with 2 ports) and plugs his own cable into those disconnected ports, becoming a rogue point on the network?

How could this be prevented?

If port security cannot be configured, can we do something else, for example, if the link goes down, have the port put itself in a down state?