TCC_2
Level 10

Core issue

As per port security guidelines and restrictions, you cannot enable port security on EtherChannels, and a secure port cannot belong to an EtherChannel port-channel interface. But the issue is that you are able to configure the maximum number of secure MAC addresses on a port-channel interface.

In this sample configuration, you can set the aging time and maximum MACs:

interface port-channel 11
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan none
switchport mode trunk
switchport nonegotiate
switchport port-security maximum 3068
switchport port-security aging time 23
spanning-tree portfast trunk
spanning-tree bpdufilter enable

Conversely, an EtherChannel does not form with ports where the port security feature is enabled.

Resolution

Cisco IOS allows you to configure the port security features, such as aging time and maximum MACs, but port security is not actually enabled on this port. Hence, the switch basically ignores these configurations.

In order to enable port security, you need the command switchport port-security by itself. Also, if you try it on ports that are part of an EtherChannel, the switch does not accept the command and displays an error, as this example output shows:

interface Port-channel 10
switchport trunk encapsulation dot1q
switchport trunk allowed vlan none
switchport mode trunk
switchport nonegotiate
switchport port-security maximum 3068
end

Switch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#interface po10
Switch(config-if)#switch port-security aging time 23
Switch(config-if)#switch port-security
Command rejected: Port-channel10 is channelling.
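The practical consequence of the resolution above is that a running-config can carry port-security options that do nothing. The following audit script is an added example (not part of the original post and not a Cisco tool): it parses an IOS-style running-config, finds interfaces that have `switchport port-security <option>` lines without the bare `switchport port-security` enabling command, and flags port-channel interfaces separately, since the feature cannot be enabled there at all. The configuration text is constructed for the example; the interface names and the second Gigabit interface are assumptions.

```python
"""Audit an IOS-style running-config for port-security settings that the
switch silently ignores (added example; the sample config is constructed)."""

# Constructed sample: Port-channel10 mirrors the configuration shown above,
# GigabitEthernet1/0/1 has port security correctly enabled, and
# GigabitEthernet1/0/2 has only an option line (assumed interfaces).
SAMPLE_CONFIG = """\
!
interface Port-channel10
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan none
 switchport mode trunk
 switchport nonegotiate
 switchport port-security maximum 3068
 switchport port-security aging time 23
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport port-security maximum 2
!
"""

ENABLE_CMD = "switchport port-security"


def parse_interfaces(config):
    """Return {interface name: [sub-command lines]} from a running-config.

    Sub-commands are the indented lines following an 'interface' line; a
    non-indented line (such as '!') ends the interface section.
    """
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
    return interfaces


def port_security_state(lines):
    """Return (enabled, option_lines) for one interface's sub-commands.

    'enabled' is True only if the bare enabling command is present;
    option_lines are the 'switchport port-security <option>' commands.
    """
    enabled = any(line == ENABLE_CMD for line in lines)
    options = [line for line in lines if line.startswith(ENABLE_CMD + " ")]
    return enabled, options


def find_ignored_port_security(config):
    """List (interface, reason) for port-security settings the switch ignores."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        enabled, options = port_security_state(lines)
        if not enabled and not options:
            continue  # port security not referenced at all
        if name.lower().startswith("port-channel"):
            # Port security cannot be enabled on a port-channel interface,
            # so any option lines here are dead configuration.
            findings.append((name, "port-channel: port security cannot be enabled; options ignored"))
        elif options and not enabled:
            findings.append((name, "options present but '%s' missing; options ignored" % ENABLE_CMD))
    return findings


if __name__ == "__main__":
    for interface, reason in find_ignored_port_security(SAMPLE_CONFIG):
        print("%-24s %s" % (interface, reason))
```

Run against the constructed config, the script reports Port-channel10 and GigabitEthernet1/0/2 and stays silent on GigabitEthernet1/0/1. Feed it the output of `show running-config` to get the same audit for a real switch.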


Comments
mircea.costin1
Level 1

Hello,

But how can a port-channel's port be secured if a malicious user unplugs the cable connecting to both ports (let's presume that we have an EtherChannel with 2 ports) and plugs his cable into those disconnected ones, becoming a rogue point for the network?


How could this be prevented?

If port-security cannot be configured, can we do something else, like having the port put itself into a down state in case the link goes down?
