Troubleshooting Static and Dynamic EtherChannels for CCNP 350-401 ENCOR
1. Why EtherChannel Troubleshooting Matters for ENCOR
EtherChannel feels straightforward right up until the outage bridge starts humming. For CCNP ENCOR, Cisco wants more than a memory dump of commands. You need to spot why a bundle formed, why it didn’t, why only one member is actually doing the work, why the port-channel says “up” while users are still grumbling, and whether you’re looking at protocol formation, Layer 2 forwarding, Layer 3 adjacency, or just a bad cable in the wrong place.
That’s not academic. In enterprise networks, EtherChannel is everywhere: access uplinks, distribution interconnects, server links, firewall handoffs, wireless controller uplinks, routed core links. And when a bundle breaks, it rarely does the polite thing. Capacity disappears, a VLAN vanishes, a routing neighbor goes missing, or—my favorite nightmare—a static bundle quietly creates a loop. The exam loves this kind of mess.
2. EtherChannel Refresher and Mode Compatibility
EtherChannel lumps several physical links into one logical interface for redundancy and bandwidth, while STP sees only the logical port-channel instead of individually blocking parallel links. LACP was standardized in 802.3ad and now lives under IEEE 802.1AX. PAgP is Cisco-only. Static EtherChannel? No negotiation. None. Zero conversation.
For Layer 2 bundles, the port-channel carries access or trunk traffic. For Layer 3 bundles, both the physical members and the logical Port-channel interface need no switchport, and the IP address belongs on the port-channel only—not on the members. That part trips people up more than it should.
| Side A | Side B | Result | Exam-safe interpretation |
|---|---|---|---|
| on | on | Works | Only if other parameters match. |
| active | active | Works | LACP forms normally. |
| active | passive | Works | Active initiates, passive responds. |
| passive | passive | Fails | No LACP initiator. |
| desirable | desirable | Works | PAgP forms normally. |
| desirable | auto | Works | Desirable initiates. |
| auto | auto | Fails | No PAgP initiator. |
| LACP | PAgP | Fails | Different protocols. |
| on | LACP active/passive | Mismatch | Treat as failure for ENCOR. |
| on | PAgP desirable/auto | Platform-dependent / not recommended | For ENCOR, treat static/dynamic mixing as a mismatch. |
The exam-safe rule is painfully simple: make the methods match on both sides. In real life, LACP is usually the safer bet than mode on because it checks the peer and cuts down on accidental misbundling.
3. How to Verify EtherChannel Quickly
Start with show etherchannel summary. It’s the fastest way to tell “bundle formed” from “bundle is doing interpretive dance.” Common flags vary by platform, but these are the ones worth knowing:
- P = bundled in port-channel
- I = stand-alone
- s = suspended
- H = hot-standby, typically LACP
- D = down
- U = in use
- R = Layer 3
- S = Layer 2
- M = minimum links not met
- w = waiting to be aggregated
Switch# show etherchannel summary Group Port-channel Protocol Ports 1 Po1(SU) LACP Gi1/0/1(P) Gi1/0/2(P) 3 Po3(SU) PAgP Gi1/0/5(P) Gi1/0/6(I)
That second bundle is limping. The logical interface is still up, but only one member is really in the game. Whether a degraded bundle stays up depends on the platform and whether port-channel min-links is in play.
Then split the problem apart:
- No port-channel or no bundled members: check mode compatibility, protocol state, and interface consistency.
- Port-channel up but member missing: check mismatches, LACP key issues, feature incompatibility, or physical errors.
- Port-channel up but traffic broken: check trunk/access parameters, STP state on the logical interface, or Layer 3/routing issues.
4. Core Troubleshooting Workflow
Use this order—roughly, anyway:
- Confirm intended type: static, LACP, or PAgP.
- Check
show etherchannel summaryandshow etherchannel detail. - First, pin down what kind of problem you’re really chasing: is it a Layer 2 issue, a Layer 3 issue, or just a plain old physical problem on one of the links? Honestly, that distinction saves a lot of time.
- Compare member and port-channel configuration on both ends.
- Check protocol-specific outputs:
show lacp neighbor,show lacp internal, orshow pagp neighbor. - Validate trunks, VLANs, and STP on the
Port-channel, not just the members. - Check logs, counters, UDLD, and errdisable conditions.
- If it’s Layer 3, verify routing adjacency only after the bundle itself is healthy.
The big mental shift is this: formation first, forwarding second. Ask, “Did the bundle form correctly?” Then, only then, “Is traffic behaving the way it should?”
5. Interface Consistency, Inheritance, and Fatal Mismatches
Most bundle-level settings belong on the logical port-channel, while member links should stay clean and consistent. But inheritance is not a magical law of the universe—features and platforms vary—so check the running config instead of assuming.
The settings that usually have to line up are things like switchport versus routed mode, the access VLAN, the trunk native VLAN, the allowed VLAN list, MTU, and, where the platform still cares about it, speed and duplex. In practice, these are the details that trip people up the most. Legacy stuff like switchport trunk encapsulation only matters on older platforms; many modern IOS XE Catalyst switches support only 802.1Q and won’t even offer the command.
Some mismatches don’t just cause weird behavior — they stop the bundle from forming at all. The big ones are Layer 2 versus Layer 3 mode, protocol mismatch, an LACP key mismatch, or one side being set for trunk while the other side is still behaving like an access port. Others let the bundle come up but still mangle traffic, like an end-to-end allowed VLAN mismatch. DTP is only adjacent to the story—it negotiates trunking, not EtherChannel. It can make member interfaces inconsistent as trunks, sure, but it is not a channel protocol.
6. Static EtherChannel Troubleshooting
Static EtherChannel with mode on has no negotiation safety net. That’s the danger. If links are miswired, split across the wrong devices, or configured inconsistently, the switch won’t have LACP-style partner validation to save you. Best case, things merely break. Worst case, you get loops, blackholing, or weird asymmetric forwarding that makes everyone stare at the graphing tool in silence.
! Correct Layer 2 static example interface range Gi1/0/1 - 2 switchport switchport mode trunk channel-group 1 mode on interface Port-channel1 switchport mode trunk
Typical static failures: trunk/access mismatch, native VLAN mismatch, Layer 2/Layer 3 mismatch, wrong peer cabling. If a static bundle is acting haunted, check show cdp neighbors detail or show lldp neighbors detail to prove both members land where you think they do. In production, if the static bundle is causing a loop, the safest move is often to shut one member, calm the network down, verify cabling, then bring links back one by one. Slow. Annoying. Effective.
7. LACP Internals for Troubleshooting
LACP is usually the best default because it exchanges LACPDUs and checks the partner. Beyond active and passive, ENCOR candidates should know system ID, system priority, port priority, and key. Ports bundle only when operational parameters line up closely enough, including the LACP key. A mismatch there often leaves a port unselected or suspended.
LACP also has timer behavior. lacp rate fast speeds detection by using faster LACPDU exchange on supported platforms. Some platforms also support active-versus-standby behavior, where only a certain number of links forward and extra links sit in hot-standby.
Switch# show lacp internal Channel group 10 Port Flags Priority Admin Key Oper Key State Gi1/0/1 SA 32768 0xA 0xA selected Gi1/0/2 SP 32768 0xB 0xB standby
This output says Gi1/0/1 is selected and Gi1/0/2 is not forwarding because of operational selection behavior—not because the cable is necessarily broken. Important distinction. A healthy link can be standby because of platform limits, priority, or bundle policy.
If LACP won’t form, look for passive/passive, partner not seen, mismatched keys, one-way control traffic, or physical errors. Useful commands: show lacp neighbor, show lacp internal, and debug lacp events—but only in a controlled lab or maintenance window. Please, not on a live core at 2 p.m.
8. PAgP Troubleshooting
PAgP is Cisco proprietary and increasingly old-school in modern enterprise design, but ENCOR still cares. The logic is simple enough: desirable/desirable works, desirable/auto works, and auto/auto fails. If you see PAgP in an interop or mixed-vendor scenario, that should raise an eyebrow immediately.
Use show pagp neighbor to confirm the peer is learned. If the bundle doesn’t form, check for auto/auto, PAgP versus LACP mismatch, static versus PAgP mismatch, or ordinary Layer 2 inconsistencies like trunk mode and VLAN settings.
9. Layer 2, STP, and Protection Features
STP runs on the logical port-channel, so verify STP on Port-channelX. Still, member state matters operationally. If a member is suspended, it does not forward, and the bundle loses bandwidth even though STP still sees one logical link.
For trunk bundles, check show interfaces trunk and confirm native VLAN and allowed VLAN lists match end-to-end. This is one of those partial-failure situations that’s easy to miss: the port-channel can be up and looking fine, but one VLAN just vanishes because it isn’t allowed consistently across the whole path. For access bundles, make sure the access VLAN matches on all members and on the port-channel. No drift. No “close enough.”
Also keep an eye on protection features. BPDU Guard, Root Guard, Loop Guard, storm-control, port-security, and errdisable conditions can all affect member behavior. If a link is mysteriously dead, use show interfaces status err-disabled, show errdisable recovery, and show logging. For fiber links, add show udld interface; UDLD is a very useful clue when things smell unidirectional.
10. Layer 3 EtherChannel and Routing Troubleshooting
A routed EtherChannel requires both the member interfaces and the logical port-channel to be Layer 3:
ip address 10.10.30.1 255.255.255.252Do not put IP addresses on the physical members. If the bundle itself looks healthy but OSPF, EIGRP, or BGP still won’t come up, then it’s time to shift gears and look at routing problems instead. That usually means subnet mismatch, authentication mismatch, timer issues, passive-interface settings, ACL filtering, or MTU trouble. The routing adjacency forms on the logical port-channel interface, not on the individual physical members. And the load-balancing across those members is a totally separate forwarding decision, so don’t mix the two up.
When you’re testing MTU, check the interface MTU first, then use an extended ping with the DF bit set and larger packet sizes if you need to prove where the break is. That little test can save you a ton of guesswork. That catches cases where the port-channel is up but larger routed packets fail anyway. Sneaky, but common enough.
11. Min-Links, Standby Members, and Load Balancing
One reason EtherChannel gets weird is that a degraded bundle may stay up. Without port-channel min-links, a bundle can often remain operational with fewer active members than designed. With min-links configured, the logical port-channel may drop if too many members fail.
Likewise, some LACP deployments allow standby members or cap the number of actively forwarding links. So yes: a link can be healthy and still not forward. Always check whether the platform is using all members or keeping some in reserve.
On traffic distribution, EtherChannel does not normally split a single flow across multiple links—packet reordering would be a disaster. It chooses an egress member using a platform-specific hash based on configured fields. Uneven utilization is normal, especially with only a few big flows. Use show etherchannel load-balance and interface counters over time, not one lonely snapshot, before declaring a fault.
12. Common Failure Patterns and Best Verification Commands
| Symptom | Likely cause | Best command | Fix |
|---|---|---|---|
| No bundle forms | passive/passive or auto/auto | show etherchannel summary, protocol-specific neighbor command | Make one side active or desirable. |
One member is I or s | Mismatch, key issue, feature conflict, or physical fault | show etherchannel detail, show lacp internal, show logging | Align config or repair the link. |
| Port-channel up but one VLAN fails | Allowed/native VLAN mismatch | show interfaces trunk | Align trunk settings end-to-end. |
| Port-channel up but no routing neighbor | L3 mismatch or routing issue after bundle formation | show ip int brief, routing protocol commands | Fix no switchport, IP placement, MTU, auth, timers, or ACLs. |
| Traffic heavily favors one link | Normal hashing or degraded bundle | show etherchannel load-balance, interface counters | Validate active members and flow pattern before changing design. |
| Odd one-way behavior on fiber | Unidirectional fault | show udld interface, error counters, logs | Repair optics/fiber and revalidate. |
| Links land on two separate switches | Unsupported topology without multi-chassis support | show cdp neighbors detail or show lldp neighbors detail | Recable or use supported technology. |
13. Multi-Switch and Stack Awareness
Standard EtherChannel expects one logical peer. If member links are split across separate devices without supported multi-chassis aggregation, the result is failure—or unstable behavior, which is almost worse. For ENCOR, know the difference between unsupported dual-switch cabling and supported designs such as cross-stack EtherChannel on a switch stack, StackWise Virtual MEC, VSS MEC, or Nexus vPC depending on platform. Recognition is the point, not platform deep-dives.
14. Key Commands and Syslog Clues
Minimum command set:
show etherchannel summaryshow etherchannel detailshow run interface port-channel Xshow run interface GiX/Xshow interfaces trunkshow spanning-tree interface port-channel X detail
Deep-dive command set:
show lacp neighbor,show lacp internal,show pagp neighborshow interfaces counters errorsshow loggingshow cdp neighbors detailorshow lldp neighbors detailshow udld interface
Typical log clues include native VLAN mismatch warnings, EtherChannel suspension due to incompatible parameters, UDLD-driven shutdowns, and repeated link flaps. Logs often tell you why a port left the bundle faster than the summary output alone. Handy little truth-tellers.
15. ENCOR Exam Checklist
Memorize these high-yield points:
on/on,active/active,active/passive,desirable/desirable, anddesirable/autowork.passive/passiveandauto/autofail.- LACP is standards-based; PAgP is Cisco proprietary.
- For ENCOR, treat static/dynamic mixing as a mismatch.
- STP operates on the logical port-channel.
- A port-channel can be up while one or more members are not bundled.
- Both members and the logical interface must be Layer 3 for a routed EtherChannel.
- Uneven traffic is often normal hashing, not a fault.
port-channel min-linksexplains why some degraded bundles stay up and others drop.- LACP is usually safer than
mode onbecause it validates the peer.
16. Conclusion
Good EtherChannel troubleshooting is mostly discipline with a little stubbornness. Verify the protocol, read the flags, compare both ends, check the logical port-channel for STP and routing, and only then go hunting for physical faults. If you remember one habit for ENCOR and for production, make it this: separate bundle formation from forwarding behavior. That’s how you turn “the links are green” into an actual diagnosis.