EtherChannel, port security, DHCP snooping
Three short topics that every CCNA candidate needs and every working network has.
EtherChannel — bundle links for capacity and resilience
Two switches connected by a single 1 Gbps link give you 1 Gbps and a single point of failure. EtherChannel (a Cisco term; the IEEE standard is LAG — Link Aggregation Group) bundles 2–8 physical links into one logical interface. The bundle:
- Has aggregate bandwidth of the sum of its members (up to a point — single-flow hashing limits per-flow throughput to one member).
- Survives the loss of any member without a topology change at L3 or STP.
- Appears as a single interface to STP, so no member link is ever put into a blocking state as a redundant path.
Two negotiation protocols:
| Protocol | Standard | Who |
|---|---|---|
| LACP | 802.3ad / 802.1AX | Multi-vendor — use this |
| PAgP | Cisco proprietary | Cisco-only — avoid |
Configure on Cisco:
Mode rules:
- LACP: active ↔ active works; active ↔ passive works; passive ↔ passive does not.
- PAgP: desirable ↔ desirable or desirable ↔ auto.
- on ↔ on is a hard-coded bundle with no negotiation — risky but sometimes used.
Port security — lock a port to known MACs
The MAC address table can be poisoned. Port security lets you cap how many distinct source MACs a port accepts and what happens on violation.
| Setting | Effect |
|---|---|
| maximum N | Allow at most N MACs |
| mac-address sticky | Auto-learn and add the first N MACs to running-config |
| violation protect | Silently drop frames from extra MACs |
| violation restrict | Drop + log + counter |
| violation shutdown (default) | Err-disable the port — needs admin to bring back up |
A maximum of 2 is common for desks with an IP phone: phone + PC = 2 MACs.
DHCP snooping — stop the rogue DHCP server
A rogue DHCP server on the LAN can hand out wrong gateways and DNS, intercepting all traffic from victims. DHCP snooping designates which ports are allowed to respond to DHCP — typically just the uplinks toward the real DHCP server. Replies from anywhere else are dropped.
DHCP snooping also builds a binding table — MAC, IP, port, VLAN, lease time — which feeds two other useful features:
- Dynamic ARP Inspection (DAI) — only accepts ARP replies that match the snooping binding. Stops ARP spoofing dead.
- IP Source Guard — only accepts IP traffic from sources matching the binding. Stops IP spoofing on the access edge.
These three (DHCP snooping → DAI → IP Source Guard) together form the standard L2 anti-spoof stack on a modern access switch.
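The three features on one Catalyst access switch, written out in IOS syntax as an added example (not configuration from the original page). The interface names, VLAN 10, the channel-group number and the rate limit are assumptions:

```cisco
! --- DHCP snooping and DAI: enable globally, then per VLAN ---
ip dhcp snooping
ip dhcp snooping vlan 10
! option 82 insertion is on by default; disable it unless the DHCP server expects it
no ip dhcp snooping information option
ip arp inspection vlan 10
!
! --- EtherChannel: two uplinks to distribution, negotiated with LACP ---
interface range GigabitEthernet1/0/47 - 48
 description Uplink to distribution (LACP member)
 channel-group 1 mode active
!
interface Port-channel1
 switchport mode trunk
 ! the bundle (not its members) is the only trusted path for DHCP replies and ARP
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- Port security on a desk port: IP phone + PC, sticky-learned, logged on violation ---
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 ! untrusted for DHCP (the default); cap client DHCP requests per second
 ip dhcp snooping limit rate 10
 ! IP Source Guard: forward only sources present in the snooping binding table
 ip verify source
!
! --- Verification commands ---
! show etherchannel summary
! show port-security interface GigabitEthernet1/0/5
! show ip dhcp snooping binding
! show ip arp inspection vlan 10
```

Note that IP Source Guard on the access port only passes traffic from hosts that obtained their address via DHCP through this switch; a statically addressed host on that port needs a static binding or it will be dropped.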
What to remember
- EtherChannel / LAG bundles links — use LACP for multi-vendor compatibility.
- Port security caps MACs per port; pair with sticky learning and restrict violation.
- DHCP snooping trusts only specific uplinks for DHCP replies and builds a binding table that feeds DAI and IP Source Guard.