EtherChannel (LACP) Configuration

When you need more bandwidth between two switches than a single link provides, the natural instinct is to add a second cable. But Spanning Tree Protocol (STP) will block all but one of those links to prevent loops — leaving extra bandwidth unused. EtherChannel solves this by bundling multiple physical links into a single logical channel that STP sees as one interface. All bundled links carry traffic simultaneously, and if one fails the others continue without STP reconvergence.

LACP (Link Aggregation Control Protocol) — defined in IEEE 802.3ad — is the open standard negotiation protocol for EtherChannel. It is the recommended protocol for all modern networks and the one tested on the CCNA 200-301 exam. This lab covers LACP configuration end-to-end, including trunk EtherChannel, verification, and troubleshooting. For a conceptual overview see EtherChannel Overview, PAgP vs LACP, and EtherChannel Load Balancing.

Before starting, complete Trunk Port Configuration (802.1Q) and Spanning Tree Protocol — Root Bridge Election.

1. EtherChannel — Key Concepts

Benefits of EtherChannel

Benefit	Explanation
Increased bandwidth	Multiple links carry traffic simultaneously — 2× GigabitEthernet = 2 Gbps logical link
Redundancy	If one physical link fails, traffic shifts to remaining links instantly — no STP reconvergence delay
STP treats it as one link	STP sees the port-channel as a single interface — no links are blocked
Simplified management	Configuration applied to the logical port-channel interface applies to all member ports
Load balancing	Traffic is distributed across member links based on a configurable hashing algorithm (src-dst MAC, IP, port)

EtherChannel Protocols — LACP vs PAgP vs Static

Protocol	Standard	Modes	Use Case
LACP	IEEE 802.3ad (open standard)	`active` / `passive`	✅ Recommended — works between any vendor's switches
PAgP	Cisco proprietary	`desirable` / `auto`	⚠️ Cisco-only environments — not on CCNA exam focus
Static (On)	No negotiation	`on`	⚠️ No negotiation — both ends must match exactly. No fault detection.

LACP Modes

Mode	Behavior	Forms EtherChannel With
`active`	Actively sends LACP negotiation frames — initiates the bundle	`active` or `passive`
`passive`	Waits for the other side to initiate LACP negotiation	`active` only

Two passive ports facing each other will NOT form an EtherChannel — both are waiting for the other to initiate. At least one side must be active. This mirrors the DTP dynamic auto vs dynamic auto scenario in trunk configuration.

EtherChannel Requirements — Must Match on Both Ends

Parameter	Must Match?	Notes
Speed and duplex	✅ Yes	All member ports must run at the same speed
Duplex	✅ Yes	Must all be full duplex
VLAN configuration	✅ Yes	Access VLAN or trunk allowed VLANs must match
Trunking mode	✅ Yes	All ports must be access or all must be trunk
Native VLAN	✅ Yes (for trunks)	Native VLAN must match across both switches
Port-channel number	❌ No	SW1 can use port-channel 1 and SW2 can use port-channel 2 — they do not need to match

2. Lab Scenario & Topology

NetsTuts_SW1 and NetsTuts_SW2 are connected with two GigabitEthernet links. Both links will be bundled into a single EtherChannel trunk using LACP, creating a 2 Gbps logical trunk link.

  ┌─────────────────┐                        ┌─────────────────┐
  │  NetsTuts_SW1   │                        │  NetsTuts_SW2   │
  │                 │  Gi0/1 ══════ Gi0/1    │                 │
  │  Port-Channel 1 │  Gi0/2 ══════ Gi0/2    │  Port-Channel 1 │
  │  (Trunk)        │                        │  (Trunk)        │
  └─────────────────┘                        └─────────────────┘

  Logical result: Port-Channel 1 ←→ Port-Channel 1 (2 Gbps trunk)
  EtherChannel Protocol: LACP
  SW1 mode: active    SW2 mode: passive
  Trunk: 802.1Q, Native VLAN 999, Allowed VLANs: 10,20,30

Parameter	NetsTuts_SW1	NetsTuts_SW2
Physical ports	Gi0/1, Gi0/2	Gi0/1, Gi0/2
Port-channel number	1	1
LACP mode	active	passive
Link type	Trunk (802.1Q)	Trunk (802.1Q)
Native VLAN	999	999
Allowed VLANs	10, 20, 30	10, 20, 30

3. Step 1 — Configure EtherChannel on NetsTuts_SW1

The correct sequence is critical: configure the physical member ports first (group them into the channel and set LACP mode), then configure the logical port-channel interface for trunk settings. Never configure trunk settings on physical ports that will be part of an EtherChannel — always configure them on the port-channel interface.

NetsTuts_SW1>en
NetsTuts_SW1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.

! ── Step 1: Group physical ports into EtherChannel ───────
NetsTuts_SW1(config)#interface range GigabitEthernet0/1 - 2
NetsTuts_SW1(config-if-range)#description EtherChannel-to-SW2
NetsTuts_SW1(config-if-range)#channel-group 1 mode active
NetsTuts_SW1(config-if-range)#exit

! Creating a port-channel interface Port-channel1
! ── Step 2: Configure the port-channel interface ─────────
NetsTuts_SW1(config)#interface port-channel 1
NetsTuts_SW1(config-if)#description EtherChannel-Trunk-to-SW2
NetsTuts_SW1(config-if)#switchport trunk encapsulation dot1q
NetsTuts_SW1(config-if)#switchport mode trunk
NetsTuts_SW1(config-if)#switchport nonegotiate
NetsTuts_SW1(config-if)#switchport trunk allowed vlan 10,20,30
NetsTuts_SW1(config-if)#switchport trunk native vlan 999
NetsTuts_SW1(config-if)#end
NetsTuts_SW1#wr
Building configuration...
[OK]
NetsTuts_SW1#

IOS automatically creates the port-channel 1 interface when channel-group 1 is applied to the physical ports. Trunk configuration is applied to the port-channel, which pushes it down to all member physical interfaces.

channel-group Command Breakdown

Command Element	Meaning
`channel-group 1`	Assigns this port to EtherChannel bundle number 1. Creates `port-channel 1` automatically if it does not exist.
`mode active`	LACP mode — actively sends LACP frames to negotiate the bundle. Recommended — ensures EtherChannel forms even if remote side is passive.
`mode passive`	LACP mode — waits for the remote side to initiate. Will only form if the other end is `active`.
`mode on`	Static EtherChannel — no negotiation protocol. Both sides must be `on`. Not recommended.

4. Step 2 — Configure EtherChannel on NetsTuts_SW2

NetsTuts_SW2>en
NetsTuts_SW2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.

! ── Step 1: Group physical ports into EtherChannel ───────
NetsTuts_SW2(config)#interface range GigabitEthernet0/1 - 2
NetsTuts_SW2(config-if-range)#description EtherChannel-to-SW1
NetsTuts_SW2(config-if-range)#channel-group 1 mode passive
NetsTuts_SW2(config-if-range)#exit

! Creating a port-channel interface Port-channel1
! ── Step 2: Configure the port-channel interface ─────────
NetsTuts_SW2(config)#interface port-channel 1
NetsTuts_SW2(config-if)#description EtherChannel-Trunk-to-SW1
NetsTuts_SW2(config-if)#switchport trunk encapsulation dot1q
NetsTuts_SW2(config-if)#switchport mode trunk
NetsTuts_SW2(config-if)#switchport nonegotiate
NetsTuts_SW2(config-if)#switchport trunk allowed vlan 10,20,30
NetsTuts_SW2(config-if)#switchport trunk native vlan 999
NetsTuts_SW2(config-if)#end
NetsTuts_SW2#wr
Building configuration...
[OK]
NetsTuts_SW2#

SW2 is configured with LACP passive mode — it waits for SW1 (which is active) to initiate. All trunk parameters are identical on both switches — native VLAN 999, allowed VLANs 10, 20, 30.

5. EtherChannel Load Balancing

EtherChannel does not round-robin packets across member links — it uses a hashing algorithm to assign each flow to a specific link. The same flow always travels over the same physical link, ensuring packets arrive in order. The hash input can be configured:

NetsTuts_SW1(config)#port-channel load-balance src-dst-mac

Load-Balance Method	Hash Input	Best For
`src-mac`	Source MAC address only	Many source devices, few destinations
`dst-mac`	Destination MAC address only	Many destination devices
`src-dst-mac`	Source + destination MAC (XOR)	✅ Default on most platforms — good general balance
`src-ip`	Source IP address	Routed traffic from many source IPs
`dst-ip`	Destination IP address	Routed traffic to many destinations
`src-dst-ip`	Source + destination IP (XOR)	✅ Best for routed environments with diverse traffic

Verify current load-balance method:

NetsTuts_SW1#show etherchannel load-balance
EtherChannel Load-Balancing Configuration:
        src-dst-mac

EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Source XOR Destination MAC address
  IPv4: Source XOR Destination MAC address

6. Verification

show etherchannel summary

The most important EtherChannel verification command — shows all port-channels, their protocol, member ports, and operational state:

NetsTuts_SW1#show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      N - not in use, no aggregation
        f - failed to allocate aggregator

        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

        A - formed by Auto LAG


Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         LACP      Gi0/1(P)    Gi0/2(P)

Reading the flags: SU = Layer2 (S) and in Use (U) — the port-channel is operational. P on each member port = bundled in port-channel (actively carrying traffic). Protocol shows LACP.

show etherchannel summary — Flag Reference

Flag	Meaning	Good or Bad?
P	Port is bundled and actively in the port-channel	✅ Good — port is working
U	Port-channel interface is in use	✅ Good — EtherChannel is operational
S	Layer 2 EtherChannel	✅ Expected for switch trunks
D	Port is down	❌ Problem — physical link failure
I	Stand-alone — port is not bundled, acting as individual port	❌ Problem — EtherChannel not forming on this port
s	Suspended — port is in EtherChannel but not forwarding (parameter mismatch)	❌ Problem — configuration mismatch between member ports
w	Waiting to be aggregated — LACP negotiation in progress	⚠️ Transitional — should resolve to P

show etherchannel 1 port-channel

NetsTuts_SW1#show etherchannel 1 port-channel
                Channel-group listing:
                ----------------------

Group: 1
----------
                Port-channels in the group:
                ---------------------------

Port-channel: Po1    (Primary Aggregator)

                Age of the Port-channel   = 0d:00h:05m:22s
Port channel flap count = 0
Ports in the Port-channel:

Index   Load   Port     EC state        No of bits
------+------+------+------------+-----------
  0     00     Gi0/1    Active          0
  1     00     Gi0/2    Active          0

Time since last port bundled:    0d:00h:05m:21s    Gi0/2

Both Gi0/1 and Gi0/2 show EC state "Active" — both LACP members are negotiating and actively participating in the bundle.

show interfaces port-channel 1

NetsTuts_SW1#show interfaces port-channel 1
Port-channel1 is up, line protocol is up (connected)
  Hardware is EtherChannel, address is 0012.3456.0001
  Description: EtherChannel-Trunk-to-SW2
  MTU 1500 bytes, BW 2000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  ...

BW 2000000 Kbit/sec (2 Gbps) — confirms two 1 Gbps links have been successfully bundled. The bandwidth displayed is the sum of all active member ports.

show interfaces trunk — EtherChannel as Trunk

NetsTuts_SW1#show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Po1         on           802.1q         trunking      999

Port        Vlans allowed on trunk
Po1         10,20,30

Port        Vlans allowed and active in the management domain
Po1         10,20,30

Port        Vlans in spanning tree forwarding state and not pruned
Po1         10,20,30

STP sees only Po1 — the logical port-channel interface. It has no knowledge of the two individual Gi0/1 and Gi0/2 links inside it. This is how EtherChannel prevents STP from blocking one of the links.

show spanning-tree vlan 10 — EtherChannel in STP

NetsTuts_SW1#show spanning-tree vlan 10

VLAN0010
  ...
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- ----
Po1                 Desg FWD 3         128.65   P2p

STP shows Po1 as a single designated port — not two separate Gi interfaces. Cost of 3 reflects the combined 2 Gbps bandwidth of the bundle (lower cost than a single 1 Gbps link at cost 4).

Verification Command Summary

Command	What It Confirms
`show etherchannel summary`	All port-channels, protocol, member ports, and operational flags (P/U/S/D/I/s)
`show etherchannel [num] port-channel`	Detailed port-channel info including LACP state of each member port
`show interfaces port-channel [num]`	Logical interface status and combined bandwidth of the bundle
`show etherchannel load-balance`	Current load-balancing method configured on the switch
`show interfaces trunk`	Confirms port-channel appears as a trunk (Po1) with correct VLANs and native VLAN
`show spanning-tree vlan [id]`	Confirms STP sees Po1 as a single interface — no individual member ports visible
`show lacp neighbor`	LACP neighbor details — confirms remote switch identity and port states

7. Troubleshooting EtherChannel

Problem	Symptom in show etherchannel summary	Cause	Fix
EtherChannel not forming	Ports show I (stand-alone) instead of P	Both sides set to LACP `passive` — neither initiates, or mismatched protocols (one side LACP, other PAgP or static)	Set at least one side to LACP `active`. Verify both sides use the same protocol
Port suspended	Member port shows s (suspended)	Configuration mismatch — speed, duplex, VLAN, or trunk mode differs between member ports	Check all member ports on both sides — they must all have identical speed, duplex, and VLAN settings. Check with `show running-config interface [int]`
Port-channel down	Port-channel shows D (down)	All physical member links are down	Check physical cables and interface status with `show interfaces GigabitEthernet0/1`
Only one link bundled	One port shows P, other shows I	Second port has a different configuration — different VLAN or speed settings prevent it from joining the bundle	Ensure all member ports have identical switchport and speed configurations before assigning to the channel-group
Trunk VLANs not passing	EtherChannel is up but certain VLANs not working	Trunk configuration applied to physical ports instead of port-channel interface, or allowed VLAN list mismatch	Remove trunk config from physical ports — apply all trunk settings to `interface port-channel [num]` only
Static mode mismatch	Port-channel not forming — no protocol shown	One side is `mode on` (static) and the other uses LACP or PAgP	Both sides must use the same mode. For static: both `on`. For LACP: one `active` + one `passive` or both `active`

Common configuration mistake: Configuring trunk settings (VLAN allowed list, native VLAN, encapsulation) on the physical member interfaces instead of the port-channel interface. Always configure trunk parameters on interface port-channel [num] — the settings propagate to member ports automatically. Conflicting settings on physical ports will prevent the EtherChannel from forming or keep ports in suspended state.

Key Points & Exam Tips

EtherChannel bundles multiple physical links into one logical port-channel interface — STP sees it as a single link, so no links are blocked.
LACP (IEEE 802.3ad) is the open-standard protocol for EtherChannel negotiation — recommended for all environments. PAgP is Cisco-proprietary. Static (on) uses no negotiation. See also PortFast & BPDU Guard for access-port STP optimisations that complement EtherChannel on trunk links.
LACP modes: active initiates negotiation; passive waits. Two passive ports will never form an EtherChannel — at least one side must be active.
All member ports in an EtherChannel must have identical speed, duplex, VLAN, trunking mode, and native VLAN settings — any mismatch suspends the port or prevents the bundle from forming.
Always configure trunk settings (VLAN allowed list, native VLAN, encapsulation) on the port-channel interface, not on the individual physical ports.
The port-channel number does not need to match between switches — SW1 can use port-channel 1 and SW2 can use port-channel 2 and they will still form a bundle.
In show etherchannel summary: P = bundled and active, U = port-channel in use, I = stand-alone (not bundled), s = suspended (mismatch).
EtherChannel distributes traffic using a hash algorithm (not round-robin) — the same flow always travels the same physical link, ensuring in-order delivery.
The logical port-channel bandwidth equals the sum of all active member links — two 1 Gbps links = 2 Gbps port-channel bandwidth.
If one member link fails, traffic automatically shifts to remaining links without STP reconvergence — this is the key redundancy advantage over standalone links.

Next Steps: With EtherChannel providing resilient high-bandwidth inter-switch links, continue to Port Security & Sticky MAC to control which end devices are allowed to connect to access ports. For rapid convergence when a link fails, review RSTP — Rapid Spanning Tree. For routing between VLANs carried on this trunk, see Inter-VLAN Routing — Layer 3 Switch. For voice-specific port configuration, see Voice VLAN Configuration.

TEST WHAT YOU LEARNED

1. SW1 has two links to SW2. Without EtherChannel, what will STP do with these links and what is the result?

A. STP will use both links simultaneously for load balancing B. STP will negotiate the bandwidth and combine both links automatically C. STP will block one link to prevent a loop — only one link carries traffic and the other sits idle in blocking state D. STP will shut down both links and generate an err-disabled error

Correct answer is C. STP prevents loops by blocking redundant paths. With two physical links between two switches, STP sees a loop and places one link in blocking state. Only one link carries traffic — the second link provides redundancy but no bandwidth benefit. EtherChannel solves this by presenting both links to STP as a single logical interface, so STP never blocks either physical link.

2. Both switches are configured with LACP `passive` mode on their EtherChannel ports. What will happen?

A. The EtherChannel forms after a 30-second negotiation timeout B. No EtherChannel forms — both sides are waiting for the other to initiate LACP negotiation C. The ports fall back to PAgP automatically D. The EtherChannel forms as a static bundle without LACP

Correct answer is B. LACP passive mode waits for the remote side to send LACP frames before responding. If both sides are passive, neither sends LACP frames, and no negotiation takes place — the EtherChannel never forms. At least one side must be set to active to initiate the LACP handshake.

3. `show etherchannel summary` shows Gi0/2 with flag I (stand-alone) while Gi0/1 shows P (bundled). What does this indicate?

A. Gi0/2 is a backup port — it only activates if Gi0/1 fails B. Gi0/2 is operating in passive LACP mode C. Gi0/2 is waiting for LACP negotiation to complete D. Gi0/2 has a configuration mismatch preventing it from joining the bundle — it is operating as a standalone independent port, not part of the EtherChannel

Correct answer is D. The I flag means the port is in stand-alone mode — it was assigned to the channel-group but failed to join the bundle due to a parameter mismatch (different speed, VLAN, or trunking configuration). The port is now operating as a completely independent access port, which can cause STP to see it as a separate link — potentially leading to one being blocked. Verify the port's configuration matches all other member ports.

4. An engineer configures trunk settings (allowed VLANs, native VLAN) on the physical member interfaces Gi0/1 and Gi0/2 instead of the port-channel interface. What is the likely result?

A. The EtherChannel may fail to form or member ports may be suspended — trunk parameters must be configured on the port-channel interface, not on the physical member ports B. The configuration is accepted and works correctly — either location is valid C. The physical interface config is copied to the port-channel automatically D. IOS rejects the configuration on physical member ports

Correct answer is A. When ports are assigned to a channel-group, their Layer 2 parameters should be configured on the port-channel interface — which then pushes the settings to all member ports. If you configure trunk settings directly on individual physical member ports before assigning them, conflicts can arise when the port-channel interface is created, causing ports to be suspended or the bundle to fail to form. Always: (1) assign to channel-group, (2) configure on port-channel.

5. What does the combined bandwidth shown in `show interfaces port-channel 1` represent when two 1 Gbps links are bundled?

A. 1 Gbps — bandwidth is not increased, only redundancy is added B. 1 Gbps — the switch uses only one link at a time and switches on failure C. 2 Gbps — the logical port-channel bandwidth equals the sum of all active member link speeds D. 4 Gbps — full-duplex doubles the effective bandwidth of each link

Correct answer is C. When member links are bundled, IOS adds their speeds together for the logical port-channel bandwidth. Two 1 Gbps (1000 Mbps) GigabitEthernet links produce a 2 Gbps (2,000,000 Kbps) port-channel. This combined bandwidth is reflected in show interfaces port-channel 1 as "BW 2000000 Kbit/sec". STP also uses this combined bandwidth to calculate a lower port cost, making the EtherChannel preferred over individual lower-bandwidth links.

6. Why does EtherChannel use a hash algorithm for load balancing instead of round-robin distribution?

A. Round-robin is not supported on Cisco switches B. Hashing ensures all packets in the same flow travel the same physical link — preventing out-of-order delivery that would degrade TCP performance C. Round-robin would overload the primary link while keeping secondary links idle D. Hash-based distribution uses less CPU than round-robin

Correct answer is B. If packets from the same TCP session arrived via different physical links with different latencies, they could arrive out of order at the destination. TCP treats out-of-order segments as potential packet loss and triggers retransmission and congestion control, severely degrading performance. By using a consistent hash on source/destination MAC or IP, all packets in the same flow always use the same physical link — guaranteeing in-order delivery.

7. What happens to EtherChannel traffic if one of the two member physical links fails?

A. The entire port-channel goes down and STP reconvergence begins B. The port-channel goes down briefly then recovers after STP recalculates C. Traffic is lost for 30 seconds while LACP renegotiates D. Traffic automatically shifts to the remaining active link instantly — the port-channel stays up with reduced bandwidth and STP reconvergence is not triggered

Correct answer is D. EtherChannel provides link-level redundancy within the bundle. When one member link fails, the port-channel interface remains up and traffic is redistributed across the remaining active links immediately — no STP reconvergence is needed because STP still sees a single port-channel interface (which is still up). The bandwidth drops from 2 Gbps to 1 Gbps but connectivity is maintained without interruption.

8. SW1 is configured with `channel-group 1 mode on` and SW2 is configured with `channel-group 1 mode active` (LACP). Will the EtherChannel form?

A. No — static mode (on) and LACP (active) are incompatible. Both sides must use the same protocol or static mode. B. Yes — mode on accepts any negotiation protocol from the other side C. Yes — LACP active negotiates with static mode automatically D. Partially — SW1's physical ports bundle but SW2's ports show stand-alone

Correct answer is A. EtherChannel protocols are not compatible with each other. mode on means static — no protocol frames are sent or expected. If SW2 is sending LACP frames while SW1 expects no protocol frames, the bundle cannot form. For EtherChannel to work: both sides must either be LACP (active/passive combination), both PAgP (desirable/auto combination), or both static (on/on). Mixing protocols results in stand-alone ports.

9. The port-channel number does not need to match between SW1 and SW2. Which statement correctly explains why?

A. The port-channel number is only used for local CLI identification and has no meaning in LACP frames B. LACP automatically synchronizes port-channel numbers between switches C. The port-channel number is a locally significant identifier only — LACP uses MAC addresses and port IDs to identify and match physical member ports between switches, not the channel-group number D. Port-channel numbers must always match — the lab topology requirement is incorrect

Correct answer is C. The channel-group number (which determines the port-channel interface number) is locally significant — it is just a way for the switch to group its own ports together. LACP identifies members across switches using MAC addresses and port IDs exchanged in LACP data units (LACPDUs). SW1's port-channel 1 and SW2's port-channel 2 can form a bundle without any conflict.

10. A network engineer needs to verify that the remote switch forming an LACP EtherChannel is the correct device. Which command shows the neighbor's system ID and port information?

A. show etherchannel summary B. show lacp neighbor C. show interfaces port-channel 1 D. show spanning-tree vlan 10

Correct answer is B. show lacp neighbor displays the LACP system ID (MAC address), port ID, and operational state of the remote switch participating in the LACP bundle. This is the command to verify you are forming the EtherChannel with the intended device — useful for confirming correct cabling and identifying unexpected neighbors.

Back to Home