06-22-2009 06:08 PM - edited 03-01-2019 04:17 PM
Core issue
As per the port security guidelines and restrictions, you cannot enable port security on EtherChannels, and a secure port cannot belong to an EtherChannel port-channel interface. The issue is that you are nevertheless able to configure the maximum number of secure MAC addresses on a port-channel interface.
In this sample configuration, you can set the aging time and maximum MACs:
interface port-channel 11
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan none
switchport mode trunk
switchport nonegotiate
switchport port-security maximum 3068
switchport port-security aging time 23
spanning-tree portfast trunk
spanning-tree bpdufilter enable
Conversely, an EtherChannel does not form with ports on which the port security feature is enabled.
Resolution
Cisco IOS allows you to configure the port security options, such as aging time and maximum MACs, but port security is not actually enabled on this port. Hence, the switch simply ignores these settings.
In order to enable port security, you need the command switchport port-security by itself. If you try it on a port that is part of an EtherChannel, the switch does not accept the command and displays an error, as this example output shows:
interface Port-channel 10
switchport trunk encapsulation dot1q
switchport trunk allowed vlan none
switchport mode trunk
switchport nonegotiate
switchport port-security maximum 3068
end
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#interface po10
Switch(config-if)#switch port-security aging time 23
Switch(config-if)#switch port-security
Command rejected: Port-channel10 is channelling.
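As an added example (not part of the original post or of Cisco's own tooling), the following Python script audits a saved running-config for exactly this trap: port-security sub-options on a port-channel, which the switch ignores, and interfaces where options are set without the bare enabling command. The sample config is constructed for the demonstration.

```python
import re

# Constructed sample running-config (not from the post): one port-channel carrying
# port-security sub-options, one access port correctly enabled, one not enabled.
SAMPLE_CONFIG = """\
interface Port-channel11
 switchport mode trunk
 switchport port-security maximum 3068
 switchport port-security aging time 23
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport port-security maximum 2
!
"""

def parse_interfaces(config):
    """Return {interface name: [sub-command lines]} from a running-config."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any other top-level line ends the block
    return interfaces

def audit_port_security(config):
    """Return (interface, reason) pairs for port-security config that does nothing."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        options = [c for c in cmds if c.startswith("switchport port-security ")]
        enabled = "switchport port-security" in cmds  # the bare enabling command
        if re.match(r"(?i)port-channel\d+", name) and (options or enabled):
            # Secure ports cannot belong to an EtherChannel, so these lines are ignored.
            findings.append((name, "port-security settings on a port-channel are ignored"))
        elif options and not enabled:
            findings.append((name, "port-security options set but feature not enabled"))
    return findings

if __name__ == "__main__":
    for iface, reason in audit_port_security(SAMPLE_CONFIG):
        print(f"{iface}: {reason}")
```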
Hello,
But how can a port-channel's port be secured if a malicious user unplugs the cable connecting to both ports (let's presume that we have an EtherChannel with 2 ports) and plugs his cable into those disconnected ones, becoming a rogue point for the network?
How could this be prevented?
If port-security cannot be configured, can we do something else, for example, in case the link goes down, the port puts itself into the down state?