RE: Changing Etherchannel configurations the safe way

From: Ryan West <rwest_at_zyedge.com>
Date: Sat, 15 Aug 2009 09:11:59 -0400

Persio,

I would change the remote side first in one terminal window on the port channel and let it get pushed to the members, while making the same change to the local end a second or two later. The document you provided _I think_ is referring to making changes to a particular member after bringing up the port channel. As you've already found out, you do run a risk of ports going into err-disable / shutdown or losing the entire port-channel. To prevent the channel from going down and staying down, you might consider using an EEM script to watch for syslog port-channel / port down messages, trigger your allowed-list on the ports and do a shut / no shut on them. The EEM, combined with a 'rel in 5', should keep you out of any real danger in accessing the switch again.

I would lab up the EEM though and see if it can keep you out of trouble.

event manager applet port-channel
 ! fire once on the syslog message logged when a member cannot join the bundle
 event syslog occurs 1 pattern "%EC-5-CANNOT_BUNDLE2"
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "interface range f0/19-20 , po1"
 ! re-apply the allowed VLAN list, then bounce the ports
 action 4.0 cli command "switchport trunk allowed vlan 3-8,11"
 action 5.0 cli command "shut"
 action 6.0 cli command "no shut"
 action 7.0 syslog msg "port-channel reconfigured"

If you want more thorough examples of EEM, check out Ivan's blog: http://blog.ioshints.info or http://wiki.nil.com/Category:EEM

You'll want to test this, of course, to make sure nothing blows up. In my own internal testing and real-world experience, I have the most luck making the change at the port-channel. Making range changes and using TACACS+ authorization can cause some sequencing errors that get your EC killed before all the commands take.

-ryan

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Persio Pucci
Sent: Saturday, August 15, 2009 12:10 AM
To: Cisco certification
Subject: OT: Changing Etherchannel configurations the safe way

Hi guys,

need your thoughts on this:

I am going to change the "allowed vlan" list on several PortChannel
interfaces. Would like to hear your thoughts on the best/safest way of doing
that.

One problem is that some of the switches are only reachable via the
portchannel (and therefore via the member interfaces), so if anything goes
wrong (for instance, a configuration mismatch on each end) the portchannel
will go down.

I read on one Cisco pdf
(link: http://www.cisco.com/en/US/docs/switches/blades/3120/software/release/12.2_40_ex/configuration/guide/swethchl.pdf,
page 11) that the allowed vlan list should actually be changed on the member
interfaces also (changing on the Po only will not do it).

One of my thoughts was to do the changes on the startup config and then
merge it to the running config, so they are all applied at once at the
remote side. Will try my best to do it in synchrony to the local side, but
if timing is not good enough, at least I still have connection to the side
that also needs to be configured.

We've tried pushing the configs using SNMP and it worked in some cases, but
in another case it did not go so well and impacted a whole site.

Tks.

Received on Sat Aug 15 2009 - 09:11:59 ART
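
A pre-change check for the member / port-channel mismatch discussed in this thread, added here as an example (not code from either poster): it parses a saved running-config and lists channel members whose allowed VLAN list differs from their port-channel. The sample config, the function names and the 1-4094 default for an unconfigured trunk are assumptions.

```python
import re
ALL_VLANS = frozenset(range(1, 4095))  # assumption: no allowed list configured = 1-4094

# Constructed running-config fragment (not from the thread); Fa0/20 has drifted.
SAMPLE_CONFIG = """\
interface Port-channel1
 switchport trunk allowed vlan 3-8,11
!
interface FastEthernet0/19
 switchport trunk allowed vlan 3-8,11
 channel-group 1 mode active
!
interface FastEthernet0/20
 switchport trunk allowed vlan 3-8
 switchport trunk allowed vlan add 12
 channel-group 1 mode active
"""

def expand(spec):
    """Turn '3-8,11' (or 'none') into a set of VLAN IDs."""
    vlans = set()
    for part in ([] if spec == "none" else spec.split(",")):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_interfaces(config):
    """Return {interface name: {'vlans': set of VLAN IDs, 'group': int or None}}."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            cur = ifaces.setdefault(m.group(1), {"vlans": ALL_VLANS, "group": None})
        elif not line.startswith(" "):
            cur = None                      # '!' or any global command ends the block
        elif cur and (m := re.match(r" switchport trunk allowed vlan (add )?(\S+)$", line)):
            new = expand(m.group(2))        # 'add' lines continue a long list
            cur["vlans"] = cur["vlans"] | new if m.group(1) else new
        elif cur and (m := re.match(r" channel-group (\d+) ", line)):
            cur["group"] = int(m.group(1))
    return ifaces

def mismatches(config):
    """Return [(member, port-channel, only_on_member, only_on_po)] for drifted members."""
    ifaces, out = parse_interfaces(config), []
    for name, data in ifaces.items():
        po = f"Port-channel{data['group']}"
        mine, theirs = data["vlans"], ifaces.get(po, {"vlans": ALL_VLANS})["vlans"]
        if data["group"] is not None and mine != theirs:
            out.append((name, po, sorted(mine - theirs), sorted(theirs - mine)))
    return out
```

Run it against the config saved from each end before and after the change; an empty list means every member matches its port-channel.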