Etherchannel and Dot1x

dtlokee Member Posts: 2,381
In the 3560 configuration guide it states:
If EtherChannels are configured on switch interfaces, remove the EtherChannel configuration from the interfaces before globally enabling IEEE 802.1x on a switch by using the dot1x system-auth-control global configuration command.

I understand an interface in an EtherChannel group can't be configured for dot1x authentication, and the default state of the interface is force authorized. This seems to imply the system-auth-control command will remove the EtherChannel configurations, but that's not the case. It also implies you can't have EtherChannels on a switch that is configured for dot1x. I can't seem to find the case where this applies. Does anyone have an idea what case it's referencing here?
The only easy day was yesterday!

Comments

  • Turgon Banned Posts: 6,313
    Have you labbed it up?

    From my understanding the global command dot1x system-auth-control enables IEEE 802.1x authentication on the switch. One interpretation is that it shouldn't affect your etherchannels at all.

    You must remove the etherchannels before you enable 802.1x globally.
    You can't configure etherchannel for dot1x authentication.

    So see if you are able to create etherchannels on a switch after you have enabled 802.1x auth globally.
  • dtlokee Member Posts: 2,381
    Yeah, I have labbed it up and you can create and remove EtherChannels while dot1x is globally enabled. You can globally enable dot1x after you have created EtherChannels and it has no effect on the EtherChannels. That is why the statement makes no sense to me; I can't find what it applies to. The only thing that you cannot do is use the "dot1x port-control auto" command on the EtherChannels, or any dot1x command on the EtherChannels for that matter, which is what I would expect.
    The only easy day was yesterday!
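
The behaviour discussed in this thread matters when auditing a switch: EtherChannel member ports cannot carry `dot1x port-control auto`, so they stay outside 802.1X enforcement even when `dot1x system-auth-control` is set. The following is an added example, not part of the thread or of Cisco's documentation; the running-config excerpt is constructed, and the function names and status labels are hypothetical.

```python
import re

# Constructed running-config excerpt for illustration (not from the thread).
SAMPLE_CONFIG = """\
dot1x system-auth-control
!
interface FastEthernet0/1
 dot1x port-control auto
!
interface FastEthernet0/2
 switchport mode access
!
interface GigabitEthernet0/1
 channel-group 1 mode active
!
interface GigabitEthernet0/2
 channel-group 1 mode active
!
interface Port-channel1
 switchport mode trunk
"""

def parse_interfaces(config):
    """Return (global_dot1x_enabled, {interface name: [sub-commands]})."""
    global_dot1x, interfaces, current = False, {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:  # "!" separators and global commands end the interface block
            current = None
            global_dot1x = global_dot1x or line.strip() == "dot1x system-auth-control"
    return global_dot1x, interfaces

def audit(config):
    """Label each physical port by whether 802.1X is actually enforced on it."""
    global_dot1x, interfaces = parse_interfaces(config)
    report = {}
    for name, cmds in interfaces.items():
        if name.lower().startswith("port-channel"):
            continue  # logical bundle interface, not a physical port
        bundled = any(re.match(r"channel-group \d+ mode ", c) for c in cmds)
        auto = "dot1x port-control auto" in cmds
        # Bundled ports cannot take dot1x commands; others need global + per-port.
        report[name] = ("etherchannel-member" if bundled else
                        "dot1x-enforced" if auto and global_dot1x else
                        "not-enforced")
    return report
```

Ports reported as `etherchannel-member` or `not-enforced` are the ones to review for physical access and for what is cabled to the far end.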