LearnNetwork
EtherChannel, port security, DHCP snooping


Three short topics that every CCNA candidate needs and every working network has.

EtherChannel — bundle links for capacity and resilience

Two switches connected by a single 1 Gbps link give you 1 Gbps and a single point of failure. EtherChannel (a Cisco term; the IEEE standard is LAG — Link Aggregation Group) bundles 2–8 physical links into one logical interface. The bundle:

  • Has aggregate bandwidth of the sum of its members (up to a point — single-flow hashing limits per-flow throughput to one member).
  • Survives the loss of any member without a topology change at L3 or STP.
  • Appears as one interface to STP, so doesn't trigger blocking.

Two negotiation protocols:

| Protocol | Standard | Who |
|---|---|---|
| LACP | 802.3ad / 802.1AX | Multi-vendor — use this |
| PAgP | Cisco proprietary | Cisco-only — avoid |

Configure on Cisco:

Cisco IOS: LACP EtherChannel

Mode rules: for LACP, active ↔ active works, active ↔ passive works, passive ↔ passive does not. For PAgP: desirable ↔ desirable or desirable ↔ auto. on ↔ on is a hard-coded bundle with no negotiation — risky but sometimes used.

Port security — lock a port to known MACs

The MAC address table can be poisoned. Port security lets you cap how many distinct source MACs a port accepts and what happens on violation.

Cisco IOS: Port security on an access port

| Setting | Effect |
|---|---|
| maximum N | Allow at most N MACs |
| mac-address sticky | Auto-learn and add the first N MACs to running-config |
| violation protect | Silently drop frames from extra MACs |
| violation restrict | Drop + log + counter |
| violation shutdown (default) | Err-disable the port — needs admin to bring back up |

A maximum of 2 is common for desks with an IP phone: phone + PC = 2 MACs.

DHCP snooping — stop the rogue DHCP server

A rogue DHCP server on the LAN can hand out wrong gateways and DNS, intercepting all traffic from victims. DHCP snooping designates which ports are allowed to respond to DHCP — typically just the uplinks toward the real DHCP server. Replies from anywhere else are dropped.

Cisco IOS: DHCP snooping on a switch

DHCP snooping also builds a binding table — MAC, IP, port, VLAN, lease time — which feeds two other useful features:

  • Dynamic ARP Inspection (DAI) — only accepts ARP replies that match the snooping binding. Stops ARP spoofing dead.
  • IP Source Guard — only accepts IP traffic from sources matching the binding. Stops IP spoofing on the access edge.

These three (DHCP snooping → DAI → IP Source Guard) together form the standard L2 anti-spoof stack on a modern access switch.
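The whole stack on one access switch, as an added example (not one of this page's own listings): VLAN 10 as the access VLAN, Gi0/1 as the uplink toward the DHCP server and Gi0/2–24 as access ports are assumed, and the binding-database filename and the static host entry are constructed placeholders.

```cisco
! --- DHCP snooping: global, scoped to the access VLAN ---
ip dhcp snooping
ip dhcp snooping vlan 10
! Keep the binding table across reloads; without it, DAI and IP Source
! Guard drop traffic from hosts that leased before the reboot until
! they renew. (Filename is an assumption.)
ip dhcp snooping database flash:/dhcp-snoop.db
! Only insert option 82 if your relay or server is set up to accept it
no ip dhcp snooping information option
!
! --- Dynamic ARP Inspection: ARP on VLAN 10 must match a binding ---
ip arp inspection vlan 10
! Also check that the Ethernet MACs agree with the addresses in the ARP body
ip arp inspection validate src-mac dst-mac ip
!
! --- Uplink toward the real DHCP server: trusted for both features ---
interface GigabitEthernet0/1
 description uplink to distribution / DHCP server
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- Access ports: untrusted (the default), rate-limited, source-guarded ---
interface range GigabitEthernet0/2 - 24
 switchport mode access
 switchport access vlan 10
 ! cap DHCP and ARP packets per second so a flood cannot starve the CPU
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 ! IP Source Guard: forward only IP packets whose source matches a binding
 ip verify source
!
! Hosts with static addresses never lease, so they have no binding; add
! them by hand or DAI and IP Source Guard will drop them (constructed values)
ip source binding 0011.2233.4455 vlan 10 192.0.2.50 interface GigabitEthernet0/10
```

Check the result with `show ip dhcp snooping binding` and `show ip arp inspection statistics vlan 10`; a port that exceeds its rate limit goes err-disabled, so watch `show interfaces status err-disabled` after rollout.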

What to remember

  • EtherChannel / LAG bundles links — use LACP for multi-vendor compatibility.
  • Port security caps MACs per port; pair it with sticky learning and the restrict violation mode.
  • DHCP snooping trusts only specific uplinks for DHCP replies, builds a binding table that feeds DAI and IP Source Guard.