Configuring the Ethernet Management Port and EtherChannel on the Supervisor Card

First Published: March 18, 2013

Last Updated: August 26, 2015

Ethernet Management Port

The Ethernet management port, also referred to as the "Fa1" or "fastethernet1" port, is a Layer 3 host port to which a personal computer (PC) or laptop can be connected. It supports speeds of 10/100 Mbps in auto-negotiation mode.


Note The Cisco RF Gateway 10 cannot route packets from the Fa1 port to a network port, and back to the Fa1 port.


The Fa1 port does not support routing. However, routing protocols should be enabled on the Fa1 port when the PC is multiple hops away from the Cisco RF Gateway 10.


Warning The FastEthernet port is not intended for heavy traffic load since it is not connected to the switching fabric on the supervisor. It is a simple NIC-style interface to which the CPU has software-level access. The “fa1” port is directly connected to the CPU. This implies that traffic on “fa1” port adversely affects the CPU performance. You should not use this port for data traffic under any circumstance. Moreover, the CPU is an easy target for Denial-of-Service attacks through the “fa1” port. You need to build your network topology such that the “fa1” port is restricted to management traffic only.


Ethernet Management Interface and Management VRF

The Cisco RF Gateway 10 automatically places the Fa1 interface on a separate routing domain (or the VRF domain), called the Management VRF. The Fa1 interface cannot be configured on any other routing domain. Also, no other interface can be configured on the Management VRF.

On bootup the Fa1 port assumes the following default configuration:

ip vrf Mgmt-vrf
!
interface FastEthernet1
ip vrf forwarding Mgmt-vrf
speed auto
duplex auto
 

Caution The Ethernet management port is intended for out-of-band access only. Like the console port, the Ethernet management port has direct access to critical resources on the Cisco RF Gateway 10. Connecting this port to an in-band network might cause performance degradation and vulnerability to a denial-of-service attack.

How to Use the Ethernet Management Port

Use the Ethernet management port instead of the Cisco RF Gateway 10 console port for network management. When managing a Cisco RF Gateway 10, connect the PC to the Ethernet management port on the Cisco RF Gateway 10 Supervisor Engine.


Note When connecting a PC to the Ethernet management port, you must assign an IP address.


Because the management port is placed in the Management VRF, you should be aware of the VRF-related commands required for the following tasks:


Note Commands specific to the Management VRF are mentioned below. All additional configuration necessary to make the feature work should be performed.


Ping

If you want to ping an IP address that is reachable through an fa1 port, enter the following command:

RFGW10# ping vrf mgmtVrf ip address

 

For example:

RFGW10# ping vrf mgmtVrf 20.20.20.1

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 20.20.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

TraceRoute

RFGW10# traceroute vrf mgmtVrf ip address
 

For example:

RFGW10# traceroute vrf mgmtVrf 20.20.20.1
 

Type escape sequence to abort.

Tracing the route to 20.20.20.1
1 20.20.20.1 0 msec 0 msec *

Telnet

If you want to Telnet to a remote Cisco RF Gateway 10 through the Fa1 port, enter the following command:

RFGW10# telnet word /vrf mgmtVrf

word—IP address or hostname of a remote system

Following is an example illustrating how to use this command:

RFGW10# telnet 20.20.20.1 /vrf mgmtVrf
Trying 20.20.20.1... Open
User Access Verification
Password:
RFGW10> en
Password:
RFGW10#

TFTP

If you want to use the Fa1 port for TFTP operation, configure the Fa1 port as the source interface for TFTP as follows:

RFGW10(config)# ip tftp source-interface fastEthernet1

FTP

If you want to use an Fa1 port for an FTP operation, configure the Fa1 port as the source interface for FTP as follows:

RFGW10(config)# ip ftp source-interface fastEthernet1

SSH

If you want to initiate SSH from the Cisco RF Gateway 10 through the Fa1 port, enter the following command:

RFGW10# ssh -l login name -vrf mgmtVrf ip address

 

For example:

RFGW10# ssh -l xyz -vrf mgmtVrf 20.20.20.1

SSO Model

On a redundant chassis, management port behavior differs from that of a standard Ethernet port in that each supervisor engine possesses a management port, and only the port on the active supervisor engine is enabled. The management port on the standby supervisor engine is always disabled; it cannot switch any kind of traffic.

When a switchover occurs, the management port of the standby supervisor engine (now, active) is enabled and can be used to switch traffic, while the management port on the "old" active supervisor engine is disabled.


Note The Cisco IOS configuration for the management port is synchronized between the two supervisor engines. Under Cisco IOS, they possess the same IP address. To avoid address overlapping during a switchover on a redundant chassis, you should assign a different IP address on the management port from the one you assigned to the same port in the ROMMON configuration.


Restrictions for the Ethernet Management Port

Do not point the route to the Ethernet Management VRF interface. Instead, use the management VRF to add routes for the interface.

Use the following command to add routes:

ip route vrf vrf-name prefix mask [ next-hop-address ] [ interface interface-number ] [ global ] [ distance ]

Router# ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 172.27.140.1
 
Router# ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 GigabitEthernet0/0 172.25.140.1

Supported Features on the Ethernet Management Port

The Ethernet management port supports these features:

  • Telnet with passwords
  • TFTP
  • Secure Shell (SSH)
  • DHCP-based autoconfiguration
  • SNMP (only the ENTITY-MIB and the IF-MIB)
  • IP ping
  • Interface features
      - Speed: autonegotiation
      - Duplex mode: autonegotiation

  • Cisco Discovery Protocol (CDP)
  • IPv4 access control lists (ACLs)
  • Routing protocols (RIP, OSPF)

Caution Before enabling a feature on the Ethernet management port, ensure that the feature is supported. If you try to configure an unsupported feature on an Ethernet management port, the feature might not work properly, and the Cisco RF Gateway 10 might crash.


Note Effective with Cisco IOS-XE Release 3.2.2SQ, all features that use Fa1 now need to be VRF-aware.


Configuring the Ethernet Management Port

To specify the Ethernet management port, enter fastethernet1.

To disable the port, use the shutdown interface configuration command. To enable the port, use the no shutdown interface configuration command.

To determine the link status to the PC, you can monitor the LED for the Ethernet management port:

  • The LED is green (on) when the link is active.
  • The LED is off when the link is down.
  • The LED is amber when there is a POST failure.

To display the link status, use the show interfaces fastethernet 1 privileged EXEC command.

Using SNMP to Configure the Ethernet Management Port

The following is an example to show configuration of the Ethernet Management port with the source interface pointing to the management interface:

RFGW10# configure terminal
RFGW10(config)# snmp-server source-interface traps fastEthernet 1
RFGW10(config)# snmp-server host 10.78.179.150 vrf Mgmt-vrf version 2c public
RFGW10(config)# snmp-server host 10.78.179.150 vrf Mgmt-vrf version 2c public udp-port 8999
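
The management-port rules above (routes added through the management VRF rather than pointed at the interface, VRF-aware features, management traffic only) can be checked offline against a saved running-config. The following Python audit is an added example, not Cisco code: the sample configuration is constructed, the inbound-ACL and "public" community checks are hardening assumptions of this example, and it assumes every SNMP host is reached through Fa1.

```python
import re

MGMT_IF, MGMT_VRF = "FastEthernet1", "Mgmt-vrf"   # names from the page's default config

# Constructed running-config excerpt for illustration (not captured from a device).
SAMPLE_CONFIG = """\
ip vrf Mgmt-vrf
!
interface FastEthernet1
 ip vrf forwarding Mgmt-vrf
 ip address 10.78.179.180 255.255.255.192
!
ip route 0.0.0.0 0.0.0.0 FastEthernet1 10.78.179.129
ip route vrf Mgmt-vrf 10.0.0.0 255.0.0.0 10.78.179.129
snmp-server source-interface traps FastEthernet1
snmp-server host 10.78.179.150 version 2c public
snmp-server host 10.78.179.151 vrf Mgmt-vrf version 2c mgmt-ro
"""

def interface_body(config, name):
    """Return the stripped sub-commands of 'interface <name>', or None if absent."""
    m = re.search(rf"^interface {re.escape(name)}[ \t]*\n((?:[ \t]+\S.*\n?)*)", config, re.M)
    return None if m is None else [line.strip() for line in m.group(1).splitlines()]

def audit_mgmt_port(config):
    """Return a list of findings; an empty list means every check passed."""
    body = interface_body(config, MGMT_IF)
    if body is None:
        return [f"{MGMT_IF}: interface stanza not found"]
    findings = []
    if f"ip vrf forwarding {MGMT_VRF}" not in body:
        findings.append(f"{MGMT_IF}: not in {MGMT_VRF}")
    if not any(re.fullmatch(r"ip access-group \S+ in", cmd) for cmd in body):
        findings.append(f"{MGMT_IF}: no inbound IPv4 ACL limiting who can reach the CPU")
    for line in config.splitlines():
        words = line.split()
        if words[:2] == ["ip", "route"] and words[2:3] != ["vrf"] and MGMT_IF in words:
            findings.append(f"global route points at {MGMT_IF}: {line}")
        if words[:2] == ["snmp-server", "host"]:
            if words[3:5] != ["vrf", MGMT_VRF]:
                findings.append(f"SNMP host is not VRF-aware: {line}")
            if "public" in words[3:]:
                findings.append(f"SNMP host uses well-known community 'public': {line}")
    return findings

if __name__ == "__main__":
    for finding in audit_mgmt_port(SAMPLE_CONFIG):
        print(finding)
```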

Configuration Examples for the Ethernet Management Port

This example shows how to display ARP entries related to Management VRF:

RB1-RFGW# show ip arp vrf Mgmt-vrf
 
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.78.179.180 - 44d3.ca6e.9de7 ARPA FastEthernet1
Internet 10.78.179.166 125 f0f7.55b2.d190 ARPA FastEthernet1
 

This example shows how to display the Cisco Discovery Protocol (CDP) status for the Ethernet Management Interface:

RB1-RFGW# show cdp interface fastEthernet 1
 
FastEthernet1 is up, line protocol is up
Encapsulation ARPA
Sending CDP packets every 60 seconds
Holdtime is 180 seconds
RB1-RFGW#
 

This example shows a sample route entry for the Management VRF:

RB1-RFGW# show ip route vrf Mgmt-vrf 10.78.179.150
 
Routing entry for 10.78.179.128/26
Known via "connected", distance 0, metric 0 (connected, via interface)
Routing Descriptor Blocks:
* directly connected, via FastEthernet1
Route metric is 0, traffic share count is 1

About EtherChannel

EtherChannel provides automatic recovery for the loss of a link by redistributing the load across the remaining links. If a link fails, EtherChannel redirects traffic from the failed link to the remaining links in the channel without intervention. EtherChannel bundles up to eight individual Ethernet links into a single link that provides an aggregate bandwidth.

EtherChannel can be configured in three ways.

  • Manual EtherChannel Configuration:

A manually configured EtherChannel forms only when you configure all ports compatibly in the EtherChannel.

  • Port Aggregation Control Protocol (PAgP):

PAgP supports the automatic creation of EtherChannels by exchanging PAgP packets between LAN ports using auto and desirable modes.

  • Link Aggregation Control Protocol (LACP):

LACP supports the automatic creation of EtherChannels by exchanging LACP packets between LAN ports using passive and active modes.

Restrictions for EtherChannel

If improperly configured, some EtherChannel interfaces are disabled automatically to avoid network loops and other problems. Follow these guidelines and restrictions to avoid configuration problems:

  • All Ethernet interfaces on all modules support EtherChannel (maximum of eight interfaces) with no requirement that interfaces be physically contiguous or on the same module.
  • Configure all interfaces in an EtherChannel to operate at the same speed and duplex mode.
  • Enable all interfaces in an EtherChannel. Disabling an interface in an EtherChannel is treated as a link failure, and its traffic is transferred to one of the remaining interfaces in the EtherChannel.
  • An EtherChannel does not form if one of the interfaces is a Switched Port Analyzer (SPAN) destination port.

Note Effective with Cisco IOS-XE Release 3.2.2SQ, only limited EtherChannel functionality using Layer 2 EtherChannel is supported on the Cisco RF Gateway 10.


  • For Layer 2 EtherChannels:

Assign all interfaces in the EtherChannel to the same VLAN, or configure them as trunks.

If you configure an EtherChannel from trunk interfaces, verify that the trunking mode and the native VLAN are the same on all the trunks. Interfaces in an EtherChannel with different trunk modes or different native VLANs can have unexpected results.

An EtherChannel supports the same allowed range of VLANs on all the interfaces in a trunking Layer 2 EtherChannel. If the allowed ranges differ for the selected interfaces, they do not form an EtherChannel.

Interfaces with different Spanning Tree Protocol (STP) port path costs can form an EtherChannel as long as they are otherwise compatibly configured. Setting different STP port path costs does not make interfaces incompatible for the formation of an EtherChannel.

  • After you configure an EtherChannel, any configuration that you apply to the port channel interface affects the EtherChannel; any configuration that you apply to the physical interfaces affects only the interface you configure.
  • Storm Control is an exception to this rule. For example, you cannot configure Storm Control on some of the members of an EtherChannel; Storm Control must be configured on all or none of the ports. If you configure Storm Control on only some of the ports, those ports are dropped from the EtherChannel interface (put in suspended state). You should configure Storm Control at the port channel interface level, and not at the physical interface level.
  • A physical interface with port security enabled can join a Layer 2 EtherChannel only if port security is also enabled on the EtherChannel; otherwise the command is rejected.
  • You cannot configure an 802.1X port in an EtherChannel.
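
Several of these restrictions can be verified before a change is pushed by comparing the member interfaces of each channel group in a saved running-config. The following Python check is an added example, not Cisco code; the sample configuration is constructed, and the check covers only the member count, channel mode, speed/duplex, VLAN/trunk settings and Storm Control rules listed above.

```python
import re

PAGP, LACP = {"auto", "desirable"}, {"active", "passive"}
# Settings the page requires to be identical on every Layer 2 member.
MUST_MATCH = ("speed", "duplex", "switchport mode", "switchport access vlan",
              "switchport trunk native vlan", "switchport trunk allowed vlan")
# Constructed running-config excerpt for illustration (not from a device).
SAMPLE_CONFIG = """\
interface TenGigabitEthernet9/9
 switchport trunk allowed vlan 80-88
 switchport mode trunk
 storm-control broadcast level 50.00
 channel-group 1 mode on
!
interface TenGigabitEthernet10/9
 switchport trunk allowed vlan 80-90
 switchport mode trunk
 channel-group 1 mode active
"""

def parse_interfaces(config):
    """Map each interface name to its list of stripped sub-commands."""
    stanza = re.compile(r"^interface (\S+)[ \t]*\n((?:[ \t]+\S.*\n?)*)", re.M)
    return {n: [c.strip() for c in b.splitlines()] for n, b in stanza.findall(config)}

def setting(cmds, prefix):
    """Value following `prefix` in the first matching sub-command, else None."""
    return next((c[len(prefix):].strip() for c in cmds if c.startswith(prefix + " ")), None)

def audit_etherchannels(config):
    """Return findings for channel groups that break the restrictions above."""
    groups, findings = {}, []
    for name, cmds in parse_interfaces(config).items():
        if (group := setting(cmds, "channel-group")):      # e.g. "1 mode on"
            groups.setdefault(group.split()[0], {})[name] = cmds
    for num, members in sorted(groups.items()):
        if len(members) > 8:
            findings.append(f"Po{num}: {len(members)} members, maximum is eight")
        modes = {setting(c, "channel-group").split()[-1] for c in members.values()}
        if not (modes == {"on"} or modes <= PAGP or modes <= LACP):
            findings.append(f"Po{num}: mixed channel modes {sorted(modes)}")
        for prefix in MUST_MATCH:
            if len({setting(c, prefix) for c in members.values()}) > 1:
                findings.append(f"Po{num}: '{prefix}' differs across members")
        storm = sorted(n for n, c in members.items() if setting(c, "storm-control"))
        if 0 < len(storm) < len(members):
            findings.append(f"Po{num}: storm-control only on {storm}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_etherchannels(SAMPLE_CONFIG)))
```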

Configuring EtherChannels on Cisco RF Gateway 10

These sections describe the configuration of the EtherChannel on the Cisco RF Gateway 10:

Configuring the Cisco RF Gateway 10 EtherChannels

To configure Layer 2 EtherChannels, configure the Ethernet interfaces with the channel-group command. This operation creates the port channel logical interface.


Note Cisco IOS software creates port channel interfaces for Layer 2 EtherChannels when you configure Layer 2 Ethernet interfaces with the channel-group command.


To configure Layer 2 Ethernet interfaces as Layer 2 EtherChannels, perform this task for each interface:

 

Step 1
Command: RFGW10(config)# interface { fastethernet | gigabitethernet | tengigabitethernet } slot / port
Purpose: Selects a physical interface to configure.

Step 2
Command: RFGW10(config-if)# channel-group port_channel_number mode {active | on | auto | passive | desirable }
Purpose: Configures the interface in a port channel and specifies the PAgP or LACP mode. If you use PAgP, enter the keywords auto or desirable. If you use LACP, enter the keywords active or passive.

Step 3
Command: RFGW10(config-if)# end
Purpose: Exits configuration mode.

Step 4
Command: RFGW10# show running-config interface { fastethernet | gigabitethernet } slot / port
Command: RFGW10# show interface { fastethernet | gigabitethernet | tengigabitethernet } slot / port etherchannel
Purpose: Verifies the configuration.

This example shows how to configure a TenGigabit Ethernet interface into port channel 1 with mode on:

RFGW10# configure terminal
RFGW10(config)# interface tengigabitethernet 9/9
RFGW10(config-if)# channel-group 1 mode on
RFGW10(config-if)# end
 
 
RFGW10# show running-config interface tengigabit 9/9
 
Building configuration...
 
Current configuration : 178 bytes
!
interface TenGigabitEthernet9/9
switchport trunk allowed vlan 80-88
switchport mode trunk
load-interval 30
channel-group 1 mode on
end
 

This example shows how to verify the configuration of port channel interface 1:

RFGW10# show running-config interface port-channel 1
 
Building configuration...
 
Current configuration : 127 bytes
!
interface Port-channel1
switchport
switchport trunk allowed vlan 80-88
switchport mode trunk
flowcontrol receive on
end
 

These two examples show how to verify the configuration of TenGigabit Ethernet:

RFGW10# show interfaces tenGigabitEthernet 9/9 etherchannel
 
Port state = Up Mstr In-Bndl
Channel group = 1 Mode = On Gcchange = -
Port-channel = Po1 GC = - Pseudo port-channel = Po1
Port index = 0 Load = 0x00 Protocol = -
 
Age of the port in the current state: 0d:02h:47m:58s
 

This example shows how to verify the configuration of port channel interface 2 after the interfaces have been configured:

RFGW10# show etherchannel 1 port-channel
 
Port-channels in the group:
---------------------------
 
Port-channel: Po1
------------
 
Age of the Port-channel = 1d:07h:15m:35s
Logical slot/port = 15/1 Number of ports = 2
GC = 0x00000000
Port state = Port-channel Ag-Inuse
Protocol = -
Port security = Disabled
 
Ports in the Port-channel:
 
Index Load Port EC state No of bits
------+------+------+------------------+-----------
0 00 Te9/9 On 0
1 00 Te10/9 On 0
 
Time since last port bundled: 0d:02h:48m:38s Te10/9
Time since last port Un-bundled: 0d:02h:50m:37s Te10/9

Removing the TenGigabit Interface

 

Step 1
Command: RFGW10(config)# interface { fastethernet | gigabitethernet | tengigabitethernet } slot / port
Purpose: Selects a physical interface to configure.

Step 2
Command: RFGW10(config-if)# no channel-group
Purpose: Removes the interface from the port channel interface.

Step 3
Command: RFGW10(config-if)# end
Purpose: Exits configuration mode.

Step 4
Command: RFGW10# show running-config interface { fastethernet | gigabitethernet | tengigabitethernet } slot / port
Command: RFGW10# show interface { fastethernet | gigabitethernet | tengigabitethernet } slot / port etherchannel
Purpose: Verifies the configuration.

This example shows how to remove TenGigabit interfaces from port channel 1:

RFGW10# configure terminal
RFGW10(config)# interface tengigabitethernet 9/9
RFGW10(config-if)# no channel-group 1
RFGW10(config-if)# end

Removing an EtherChannel


Note If you remove an EtherChannel, the member ports are shut down and removed from the channel group.


 

Step 1
Command: RFGW10(config)# no interface port-channel port_channel_number
Purpose: Removes the port channel interface.

Step 2
Command: RFGW10(config)# end
Purpose: Exits configuration mode.

Step 3
Command: RFGW10# show etherchannel summary
Purpose: Verifies the configuration.

This example shows how to remove port channel 1:

RFGW10# configure terminal
RFGW10(config)# no interface port-channel 1
RFGW10(config)# end