What is the difference between LACP and PAgP?

LACP (Link Aggregation Control Protocol) is an IEEE 802.3ad/802.1AX standard supported by virtually all vendors. PAgP (Port Aggregation Protocol) is Cisco-proprietary. LACP uses active/passive modes while PAgP uses desirable/auto. LACP is recommended for all new deployments, especially in multi-vendor environments.

How many links can a Cisco EtherChannel support?

A Cisco EtherChannel supports up to 8 active member links. With LACP, you can configure up to 16 physical links — 8 active and 8 hot-standby. PAgP and static mode support a maximum of 8 links with no standby capability.

Why are my EtherChannel member ports showing as suspended?

Suspended ports indicate a configuration mismatch. Check that all member ports and the port-channel interface have identical settings: switchport mode, allowed VLANs, native VLAN, speed, duplex, and MTU. Use 'show running-config interface' on both the port-channel and member interfaces to compare.

Can I mix LACP and PAgP modes across a link?

No. Both sides of an EtherChannel must use the same protocol. LACP active/passive cannot negotiate with PAgP desirable/auto. Similarly, mode 'on' (static) cannot be mixed with any negotiation protocol. A protocol mismatch will prevent the channel from forming.

What is the best EtherChannel load-balancing algorithm?

The best algorithm depends on your traffic profile. For most environments, 'src-dst-ip' provides good distribution. On Catalyst 9000 with IOS-XE 17.x, 'src-dst-mixed-ip-port' adds Layer 4 port information for the finest granularity. Use 'test etherchannel load-balance' to simulate and verify flow distribution.

How do I change the load-balancing method on a Cisco switch?

The load-balancing algorithm is a global switch configuration. Use the command 'port-channel load-balance ' in global config mode. For example: 'port-channel load-balance src-dst-ip'. The change takes effect immediately without disrupting existing port-channels, but existing flows may be rehashed to different member links.

Can I configure a Layer 3 EtherChannel on a Catalyst switch?

Yes. Create the port-channel interface with 'no switchport' and assign an IP address. Then configure the physical member interfaces with 'no switchport' and 'channel-group X mode active'. This creates a routed port-channel, shown as 'RU' in the etherchannel summary output.

What does LACP fast rate do and when should I use it?

LACP fast rate sends LACPDUs every 1 second instead of the default 30 seconds. A link failure is detected after 3 missed PDUs (approximately 3 seconds vs 90 seconds). Use LACP fast rate on critical inter-switch links where rapid failover is required. Configure with 'lacp rate fast' on the member interfaces — both sides must match.

How do I add or remove a member from an existing EtherChannel without downtime?

To add a member, configure the new interface with identical switchport/trunk settings as the port-channel, then apply 'channel-group X mode active'. LACP negotiation bundles it non-disruptively. To remove, use 'no channel-group X' on the member interface. Traffic redistributes automatically across the remaining active members.

Should I configure the port-channel interface before or after the member interfaces?

Always configure the port-channel interface first with the desired switchport mode, VLAN, and trunk settings. Then configure member interfaces to match and assign them to the channel-group. This ensures configuration consistency and prevents members from being suspended due to mismatches during the provisioning process.

How does Spanning Tree Protocol interact with EtherChannel?

STP treats an EtherChannel as a single logical link. Only the port-channel interface participates in STP — individual member ports do not send BPDUs. This reduces STP complexity and prevents individual links from being blocked. If the entire port-channel goes down, STP reconverges on the logical interface. Never enable PortFast on port-channel member interfaces connected to switches.

What is LACP system priority and port priority used for?

When more than 8 links are configured in an LACP channel-group, the switch with the lower LACP system-priority decides which 8 ports are active and which are hot-standby. Among those ports, lower LACP port-priority values are preferred as active. Default system-priority and port-priority are both 32768. Set the decision-making switch to a lower system-priority (e.g., 4096) and assign lower port-priorities to your preferred active links.

Cisco EtherChannel Configuration: LACP, PAgP, and Static

Introduction

EtherChannel (also called a port-channel or link aggregation group) bundles multiple physical Ethernet links into a single logical link, providing increased bandwidth, redundancy, and simplified STP topology. Cisco supports three negotiation methods: LACP (IEEE 802.3ad / 802.1AX), PAgP (Cisco proprietary), and Static (on). This run book walks through every step — from planning to verification — on Catalyst switches running IOS 15.x and IOS-XE 16.x/17.x.

1. EtherChannel Fundamentals

1.1 Why EtherChannel?

Bandwidth aggregation — Up to 8 active member links (e.g., 8 × 1 Gbps = 8 Gbps logical link).
Redundancy — If one member fails, traffic redistributes across remaining members without STP reconvergence.
Single STP instance — STP sees only the port-channel interface, reducing BPDUs and potential loops.
Simplified management — Configuration applied to the port-channel propagates to all members.

1.2 Negotiation Protocols at a Glance

Feature	LACP (802.3ad)	PAgP (Cisco)	Static (on)
Standard	IEEE 802.1AX	Cisco Proprietary	None
Modes	active / passive	desirable / auto	on / on
Max Active Links	8 (+ 8 standby)	8	8
Multi-vendor	Yes	No	Yes (risky)
Recommended	Yes	Legacy only	Lab / specific cases

1.3 Member Port Requirements

All member interfaces must share identical:

Speed and duplex
Switchport mode (access or trunk) and allowed VLANs
Native VLAN (if trunk)
STP cost / priority per VLAN
MTU (especially important on Nexus / IOS-XE platforms)
No SPAN destination, port-security, or 802.1X on member ports (unless specifically supported)

Golden Rule: Configure the port-channel interface first, then assign members. This ensures consistent propagation and avoids mismatches that suspend the bundle.

2. Lab Topology

Throughout this run book we use two Catalyst 9300 switches:

         SW1 (C9300-48P)                    SW2 (C9300-48P)
    Gi1/0/1  ─────────────────────  Gi1/0/1
    Gi1/0/2  ─────────────────────  Gi1/0/2
    Gi1/0/3  ─────────────────────  Gi1/0/3
    Gi1/0/4  ─────────────────────  Gi1/0/4
              Po1  ◄──────────►  Po1

Objective: 4 × 1 GbE LACP trunk carrying VLANs 10, 20, 30, and management VLAN 1.

3. Layer 2 EtherChannel with LACP

3.1 Configure SW1 (LACP Active)

SW1# configure terminal

! Step 1 — Create the port-channel interface
SW1(config)# interface Port-channel1
SW1(config-if)# description LACP-Trunk-to-SW2
SW1(config-if)# switchport mode trunk
SW1(config-if)# switchport trunk allowed vlan 1,10,20,30
SW1(config-if)# switchport trunk native vlan 1
SW1(config-if)# no shutdown
SW1(config-if)# exit

! Step 2 — Assign physical members
SW1(config)# interface range GigabitEthernet1/0/1 - 4
SW1(config-if-range)# description Po1-Member-to-SW2
SW1(config-if-range)# switchport mode trunk
SW1(config-if-range)# switchport trunk allowed vlan 1,10,20,30
SW1(config-if-range)# switchport trunk native vlan 1
SW1(config-if-range)# channel-group 1 mode active
SW1(config-if-range)# no shutdown
SW1(config-if-range)# end
SW1# write memory

3.2 Configure SW2 (LACP Active)

SW2# configure terminal

SW2(config)# interface Port-channel1
SW2(config-if)# description LACP-Trunk-to-SW1
SW2(config-if)# switchport mode trunk
SW2(config-if)# switchport trunk allowed vlan 1,10,20,30
SW2(config-if)# switchport trunk native vlan 1
SW2(config-if)# no shutdown
SW2(config-if)# exit

SW2(config)# interface range GigabitEthernet1/0/1 - 4
SW2(config-if-range)# description Po1-Member-to-SW1
SW2(config-if-range)# switchport mode trunk
SW2(config-if-range)# switchport trunk allowed vlan 1,10,20,30
SW2(config-if-range)# switchport trunk native vlan 1
SW2(config-if-range)# channel-group 1 mode active
SW2(config-if-range)# no shutdown
SW2(config-if-range)# end
SW2# write memory

Tip: Using
active
on both sides is the best practice. One side
active
+ the other
passive
also works, but both
passive
will never form a channel.

4. Layer 2 EtherChannel with PAgP

PAgP is Cisco-proprietary. Use it only when both sides are Cisco and there is a specific requirement.

! SW1 — PAgP Desirable
SW1(config)# interface Port-channel2
SW1(config-if)# switchport mode trunk
SW1(config-if)# switchport trunk allowed vlan 40,50
SW1(config-if)# exit

SW1(config)# interface range Gi1/0/5 - 6
SW1(config-if-range)# switchport mode trunk
SW1(config-if-range)# switchport trunk allowed vlan 40,50
SW1(config-if-range)# channel-group 2 mode desirable
SW1(config-if-range)# end

! SW2 — PAgP Desirable (or auto)
SW2(config)# interface Port-channel2
SW2(config-if)# switchport mode trunk
SW2(config-if)# switchport trunk allowed vlan 40,50
SW2(config-if)# exit

SW2(config)# interface range Gi1/0/5 - 6
SW2(config-if-range)# switchport mode trunk
SW2(config-if-range)# switchport trunk allowed vlan 40,50
SW2(config-if-range)# channel-group 2 mode desirable
SW2(config-if-range)# end

PAgP mode compatibility:

desirable
+
desirable
→ Channel forms
desirable
+
auto
→ Channel forms
auto
+
auto
→ Channel does NOT form

5. Static EtherChannel (mode on)

No negotiation protocol — both sides must be set to

on

. Use with caution; there is no detection of misconfigurations.

SW1(config)# interface Port-channel3
SW1(config-if)# switchport mode access
SW1(config-if)# switchport access vlan 99
SW1(config-if)# exit

SW1(config)# interface range Gi1/0/7 - 8
SW1(config-if-range)# switchport mode access
SW1(config-if-range)# switchport access vlan 99
SW1(config-if-range)# channel-group 3 mode on
SW1(config-if-range)# end

! Mirror config on SW2 with channel-group 3 mode on

Warning:
mode on
cannot be mixed with LACP or PAgP modes. It sends no negotiation frames, so a cabling mistake can cause a loop.

6. Layer 3 EtherChannel (Routed Port-Channel)

Useful for switch-to-switch or switch-to-router routed links (no switchport).

SW1(config)# interface Port-channel10
SW1(config-if)# no switchport
SW1(config-if)# ip address 10.0.0.1 255.255.255.252
SW1(config-if)# no shutdown
SW1(config-if)# exit

SW1(config)# interface range Gi1/0/9 - 10
SW1(config-if-range)# no switchport
SW1(config-if-range)# no ip address
SW1(config-if-range)# channel-group 10 mode active
SW1(config-if-range)# no shutdown
SW1(config-if-range)# end

! SW2
SW2(config)# interface Port-channel10
SW2(config-if)# no switchport
SW2(config-if)# ip address 10.0.0.2 255.255.255.252
SW2(config-if)# no shutdown
SW2(config-if)# exit

SW2(config)# interface range Gi1/0/9 - 10
SW2(config-if-range)# no switchport
SW2(config-if-range)# no ip address
SW2(config-if-range)# channel-group 10 mode active
SW2(config-if-range)# no shutdown
SW2(config-if-range)# end

Verify with:

SW1# ping 10.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5)

7. LACP System Priority and Port Priority

LACP supports up to 16 member links — 8 active and 8 hot-standby. The switch with the lower system priority decides which ports are active.

7.1 Set LACP System Priority

! Make SW1 the LACP decision-maker (lower = better, default 32768)
SW1(config)# lacp system-priority 4096

7.2 Set LACP Port Priority

! Prefer Gi1/0/1 and Gi1/0/2 as active; Gi1/0/3-4 standby
SW1(config)# interface range Gi1/0/1 - 2
SW1(config-if-range)# lacp port-priority 100

SW1(config)# interface range Gi1/0/3 - 4
SW1(config-if-range)# lacp port-priority 200

Lower port-priority = preferred as active member. Default is 32768.

7.3 LACP Fast Rate

! Send LACPDUs every 1 second instead of 30 seconds
SW1(config)# interface range Gi1/0/1 - 4
SW1(config-if-range)# lacp rate fast

This accelerates link-failure detection to approximately 3 seconds (3 missed PDUs).

8. Load-Balancing Algorithm

EtherChannel distributes traffic across member links using a hash. The algorithm is configured globally on the switch (not per port-channel).

8.1 View Current Algorithm

SW1# show etherchannel load-balance
EtherChannel Load-Balancing Configuration:
        src-dst-ip

EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Source XOR Destination MAC address
  IPv4: Source XOR Destination IP address
  IPv6: Source XOR Destination IP address

8.2 Change the Algorithm

! Common options on Catalyst IOS / IOS-XE:
!   src-mac           — Source MAC
!   dst-mac           — Destination MAC
!   src-dst-mac       — Source XOR Destination MAC
!   src-ip            — Source IP
!   dst-ip            — Destination IP
!   src-dst-ip        — Source XOR Destination IP  (recommended)
!   src-port          — Source L4 port
!   dst-port          — Destination L4 port
!   src-dst-port      — Source XOR Destination L4 port
!   src-dst-mixed-ip-port — Source XOR Dest IP + L4 port (IOS-XE 16.x+)

SW1(config)# port-channel load-balance src-dst-mixed-ip-port

Best Practice: Use the most granular hash your platform supports.
src-dst-mixed-ip-port
on IOS-XE Catalyst 9000 provides the best distribution for environments with a mix of many TCP/UDP flows.

8.3 Test Which Link a Flow Uses

SW1# test etherchannel load-balance interface Port-channel1 ip 192.168.10.5 192.168.20.10
Would select Gi1/0/3 of Port-channel1

9. Verification Commands

9.1 EtherChannel Summary

SW1# show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use

Group  Port-channel  Protocol    Ports
------+-------------+-----------+------------------------------------------
1      Po1(SU)         LACP      Gi1/0/1(P)  Gi1/0/2(P)  Gi1/0/3(P)  Gi1/0/4(P)
2      Po2(SU)         PAgP      Gi1/0/5(P)  Gi1/0/6(P)
10     Po10(RU)        LACP      Gi1/0/9(P)  Gi1/0/10(P)

SU

= Layer 2, in Use.

RU

= Layer 3 (Routed), in Use.

P

= bundled (active member).

9.2 Detailed LACP Neighbor

SW1# show lacp neighbor
Flags:  S - Device is requesting Slow LACPDUs
        F - Device is requesting Fast LACPDUs
        A - Device is in Active mode       P - Device is in Passive mode

Channel group 1 neighbors

Partner's information:
          Partner               Partner
Port      Sys ID                Port Number   Age    Flags
Gi1/0/1   32768,bc67.1c2a.ab00 0x103         3s     FA
Gi1/0/2   32768,bc67.1c2a.ab00 0x104         2s     FA
Gi1/0/3   32768,bc67.1c2a.ab00 0x105         3s     FA
Gi1/0/4   32768,bc67.1c2a.ab00 0x106         2s     FA

9.3 Port-Channel Detail

SW1# show etherchannel 1 detail

9.4 Interface Status

SW1# show interfaces Port-channel1 status
SW1# show interfaces Port-channel1 trunk
SW1# show interfaces Port-channel1 | include BW
  MTU 1500 bytes, BW 4000000 Kbit/sec, DLY 10 usec,

BW = 4000000 Kbit (4 Gbps for 4 × 1 GbE members).

9.5 STP Verification

SW1# show spanning-tree interface Port-channel1
Vlan             Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
VLAN0001         Desg FWD 3         128.65   P2p
VLAN0010         Desg FWD 3         128.65   P2p
VLAN0020         Desg FWD 3         128.65   P2p
VLAN0030         Desg FWD 3         128.65   P2p

10. Troubleshooting Common Issues

10.1 Members Suspended (s flag)

Cause: configuration mismatch between port-channel interface and member, or between the two sides.

SW1# show etherchannel summary
1      Po1(SD)         LACP      Gi1/0/1(s)  Gi1/0/2(s)  Gi1/0/3(s)  Gi1/0/4(s)

Fix — Compare configurations:

SW1# show running-config interface Gi1/0/1
SW1# show running-config interface Port-channel1

! Ensure VLAN list, native VLAN, mode, speed all match.
! On IOS-XE, also check:
SW1# show interfaces Gi1/0/1 etherchannel

10.2 Stand-alone (I flag)

The port fell out of the bundle. Check physical layer (cable, SFP), or the remote side has no matching channel-group config.

SW1# show interfaces Gi1/0/1 status
SW1# show lacp counters

10.3 Incompatible Mode

SW1	SW2	Result
active	active	✅ Forms
active	passive	✅ Forms
passive	passive	❌ No channel
desirable	active	❌ Protocol mismatch
on	active	❌ Protocol mismatch
on	on	✅ Forms (no negotiation)

10.4 Debug Commands

SW1# debug lacp all
SW1# debug etherchannel all
SW1# debug pagp all

! Always disable when done:
SW1# undebug all

10.5 Flapping Members

If members keep bouncing, check:

Physical layer (bad cable, dirty SFP, CRC errors via
show interfaces Gi1/0/x
)
LACP rate mismatch (one side fast, the other slow)
Spanning-tree
PortFast
accidentally enabled on the member port
Unidirectional link — enable UDLD:
udld enable
on member interfaces

11. Security and Hardening

11.1 Limit Channel-Group Misuse

! Prevent unused ports from accidentally joining an EtherChannel
SW1(config)# interface range Gi1/0/20 - 48
SW1(config-if-range)# switchport mode access
SW1(config-if-range)# switchport access vlan 999
SW1(config-if-range)# shutdown

11.2 LACP Guard (IOS-XE 17.x)

! Err-disable a port if it receives unexpected LACPDUs
SW1(config)# interface Gi1/0/20
SW1(config-if)# spanning-tree bpduguard enable
SW1(config-if)# lacp max-bundle 4

11.3 Storm Control on Port-Channel

SW1(config)# interface Port-channel1
SW1(config-if)# storm-control broadcast level 1.00
SW1(config-if)# storm-control multicast level 1.00
SW1(config-if)# storm-control action shutdown

11.4 Enable UDLD

SW1(config)# udld aggressive

! Or per-interface:
SW1(config)# interface range Gi1/0/1 - 4
SW1(config-if-range)# udld port aggressive

12. Modifying an Existing EtherChannel

12.1 Adding a Member

SW1(config)# interface Gi1/0/11
SW1(config-if)# switchport mode trunk
SW1(config-if)# switchport trunk allowed vlan 1,10,20,30
SW1(config-if)# switchport trunk native vlan 1
SW1(config-if)# channel-group 1 mode active
SW1(config-if)# no shutdown

The port negotiates LACP and joins the bundle non-disruptively.

12.2 Removing a Member

SW1(config)# interface Gi1/0/4
SW1(config-if)# no channel-group 1

Traffic redistributes to remaining active members immediately.

12.3 Shutting Down the Entire Channel

SW1(config)# interface Port-channel1
SW1(config-if)# shutdown
! This brings down ALL member links simultaneously.

13. Platform-Specific Notes

13.1 Catalyst 9000 (IOS-XE 17.x)

Supports
src-dst-mixed-ip-port
load balancing for best flow distribution.
LACP extended (802.1AX-2014) with fast-rate default support.
Graceful LACP convergence on ISSU upgrade.

13.2 Catalyst 3850/3650 (IOS-XE 16.x)

Max 8 port-channels with 8 members each in some stacking modes.
Use
show platform etherchannel
for ASIC-level verification.

13.3 Catalyst 2960-X/XR (IOS 15.2)

Max 6 EtherChannels.
Load-balance options limited to
src-mac
,
dst-mac
,
src-dst-mac
,
src-ip
,
dst-ip
,
src-dst-ip
.
No
src-dst-mixed-ip-port
.

14. Quick-Reference Cheat Sheet

! ──── LACP Layer 2 Trunk ────
interface Port-channel1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
interface range Gi1/0/1 - 4
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 channel-group 1 mode active

! ──── PAgP Layer 2 Access ────
interface Port-channel2
 switchport mode access
 switchport access vlan 50
!
interface range Gi1/0/5 - 6
 switchport mode access
 switchport access vlan 50
 channel-group 2 mode desirable

! ──── LACP Layer 3 Routed ────
interface Port-channel10
 no switchport
 ip address 10.0.0.1 255.255.255.252
!
interface range Gi1/0/9 - 10
 no switchport
 channel-group 10 mode active

! ──── Global Settings ────
lacp system-priority 4096
port-channel load-balance src-dst-mixed-ip-port
udld aggressive