Confusing config

Need your help understanding this config, my fellow techies. This is on one of our core routers (Cat 4500), and I just don't get it. Check out this port-channel config:

interface Port-channel4
description *** Server Farm #4 (ThinClient) ***
switchport
switchport access vlan 1200
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan 2-8,15,16,18-49,53-74,76-199,201-214,217-1199
switchport trunk allowed vlan add 1201-4094
switchport mode dynamic desirable
end

Can you believe I working on my NP and I can't figure this out... where's that "banging your head against a wall" emoticon? I need it.

This etherchannel is set up as a trunk, and sure enough it's trunking... but I understood that the "switchport" and "switchport access vlan 1200" commands would rule out the possibility of a trunk, and make the channel a member of one vlan... in this case, 1200.

What am I missing?

By the way, port-channel 4 is made up of two ports, and their config's confirm they're in trunk mode... for example:

TCI-C2#sh int g5/13 trunk

Port Mode Encapsulation Status Native vlan
Gi5/13 desirable 802.1q trunk-inbndl (Po4) 999

Port Vlans allowed on trunk
Gi5/13 2-8,15-16,18-49,53-74,76-199,201-214,217-1199,1201-4094

Thanks,
Mike

Find more posts tagged with

SAVE $250 on Your CISCO Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CISCO Boot Camps

Comments

gojericho0

in the show in whats the administrative mode and operational mode?

is it auto-negotiating?

*Edit* from the output above it looks like it did negotiate the trunk with the other switch. If it would stop negotiating and the trunk is broken it should resort back to the access port you have configed

dtlokee

"switchport" command will make it a L2 interface instead of L3 interface, and the "switchport access vlan 1200" says *if* the interface is an access port then it will be in vlan 1200, the command does not make it an access port. If you added the command "switchport mode access" then it will be an access port in vlan 1200, not a trunk. Also if you disabled negoitation with the "switchport nonegotiate" or changed the DTP mode to an incompatible mode it will become and access port in vlan 1200.

mikearama

Ah, got it. I forgot about "mode access". Thanks for the explanations.

joshgibson82

Looks to me like someone didn't clean up an old config. There's no point in having that command in there if it isn't an access port.

dtlokee

joshgibson82 wrote:

Looks to me like someone didn't clean up an old config. There's no point in having that command in there if it isn't an access port.

Perhaps, but what if somone plugged in a device that does not support DTP? Then it will become an access port in the default VLAN (1) which may not be what you wanted. In this case it will drop the device into VLAN 1200 which may be less of a security issue.