Go L@CP Yourself!
Be warned, this is a silly post!
Some other folks and I have been mulling over how to shoehorn an IPS into some network gear. At one point we half-jokingly said “well, let's just port-channel through the IPS to ourselves!” I won’t go into the details, but effectively there is a requirement to ensure that an IPS lives between every tier in a data center. So how would one do that? Well… firstly you would probably have some very small subnets/VLANs – /25s or /26s per tier or app. The SVIs for these subnets would have to live in something like a VDC or in a separate VRF; you could then put the IPS between the VDCs/VRFs, thereby forcing everything to traverse it. In a VDC this is pretty simple and we’ve been doing stuff like this for years, but what if a VDC isn’t an option? How could you do that? Well, if you had a bunch of switches, you could trunk between switches and stuff your IPS in between them… but what if you hypothetically had a single switch? Chaos ensues, of course!
So basically we ran into this hypothetical scenario and said we could just port-channel to ourselves through the IPS. We talked about this and thought it would never work – the LACP system ID would be the same on both ends of the port-channel, which, you would think, would break the port-channel… turns out it actually works though! I tested this on my 3560CX at home just for giggles and got the following results:
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
5      Po5(SU)         LACP      Gi0/7(P)
6      Po6(SU)         LACP      Gi0/8(P)
Carls_3560CX#sh cdp nei
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
Carls_3560CX.home.com
                 Gig 0/7           171             S I       WS-C3560C Gig 0/8
Carls_3560CX.home.com
                 Gig 0/8           171             S I       WS-C3560C Gig 0/7
interface GigabitEthernet0/7
 switchport trunk allowed vlan 666
 switchport mode trunk
 channel-group 5 mode active
end
Carls_3560CX#sh run int po5
Building configuration...

Current configuration : 89 bytes
!
interface Port-channel5
 switchport trunk allowed vlan 666
 switchport mode trunk
end
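If you ever wanted to catch this kind of self-loop in an audit rather than discover it by accident, the two outputs above are enough: a port-channel member whose CDP neighbor is the local switch itself. The script below is an added example (not from the original post or the switch vendor); it parses constructed samples modelled on the output above, including the wrapped two-line CDP entries IOS prints for long device IDs, and reports the port-channels that neighbor themselves. The hostname, sample text and function names are my own assumptions.

```python
import re
# Constructed sample output modelled on the post (not the author's exact capture).
SHOW_CDP = """\
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
Carls_3560CX.home.com
                 Gig 0/7           171             S I       WS-C3560C Gig 0/8
Carls_3560CX.home.com
                 Gig 0/8           171             S I       WS-C3560C Gig 0/7
"""
SHOW_ETHERCHANNEL = """\
Group  Port-channel  Protocol    Ports
5      Po5(SU)         LACP      Gi0/7(P)
6      Po6(SU)         LACP      Gi0/8(P)
"""

def norm_if(name):
    """'Gig 0/7' or 'GigabitEthernet0/7' -> 'Gi0/7'."""
    prefix, rest = re.match(r"([A-Za-z-]+)\s*(\d\S*)", name.strip()).groups()
    return prefix[:2] + rest

def parse_cdp(text):
    """{local_intf: (device_id, remote_port)}; handles wrapped two-line entries."""
    lines = text.splitlines()
    body = lines[next(i for i, l in enumerate(lines) if l.startswith("Device ID")) + 1:]
    neighbors, pending = {}, None
    for line in body:
        tokens = line.split()
        if len(tokens) == 1:                 # device ID alone, details on next line
            pending = tokens[0]
        elif tokens:
            if not line[0].isspace():        # single-line entry, device ID first
                pending, tokens = tokens[0], tokens[1:]
            neighbors[norm_if(" ".join(tokens[:2]))] = (pending, norm_if(" ".join(tokens[-2:])))
            pending = None
    return neighbors

def parse_etherchannel(text):
    """{'Po5': ['Gi0/7', ...]} from 'show etherchannel summary'."""
    return {m.group(1): re.findall(r"([A-Za-z]+\d\S*?)\(", m.group(2))
            for m in re.finditer(r"^\s*\d+\s+(Po\d+)\S*\s+\S+\s+(.*)$", text, re.M)}

def self_neighbor_channels(hostname, cdp_text, etherchannel_text):
    """Port-channels whose members see this very switch as their CDP neighbor."""
    nbrs, found = parse_cdp(cdp_text), {}
    for po, members in parse_etherchannel(etherchannel_text).items():
        for port in members:
            dev, remote = nbrs.get(port, (None, None))
            if dev and dev.split(".")[0].lower() == hostname.lower():
                found.setdefault(po, []).append((port, remote))
    return found
```

Against the samples it reports Po5 (Gi0/7 looking at Gi0/8) and Po6 (Gi0/8 looking at Gi0/7); an empty result means no port-channel is looped back to the local switch.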
Again, silly post, obviously not recommending you do this! I did think it was funny enough to share though :) I kind of want to go test it out on the ACI lab now out of morbid curiosity! A packet capture on that link might be interesting too… I still feel like this shouldn’t work, but I guess it does!