Be warned, this is a silly post!
Some other folks and I have been mulling over how to shoehorn some IPS into some network gear. At one point we half-jokingly said, “well, let’s just port-channel through the IPS to ourselves!” I won’t go into the details, but effectively there is a requirement to ensure that an IPS lives between every tier in a data center. So how would one do that? Well… firstly, you would probably have some very small subnets/VLANs, /25s or /26s per tier or app. The SVIs for these subnets would have to live in something like a VDC or in a separate VRF; you could then put the IPS in between the VDCs/VRFs, thereby forcing everything to traverse them. With VDCs this is pretty simple and we’ve been doing stuff like this for years, but what if a VDC isn’t an option? How could you do that? Well, if you had a bunch of switches, you could trunk between switches and stuff your IPS in between them… but what if you hypothetically had a single switch? Chaos ensues, of course!
So basically we ran into this hypothetical scenario and said we could just port-channel to ourselves through the IPS. We talked about this and thought it would never work: the LACP system ID would be the same on both ends of the port-channel which, you would think, would break the port-channel… turns out it actually works though! I tested this on my 3560CX at home just for giggles and got the following results:
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
5      Po5(SU)         LACP      Gi0/7(P)
6      Po6(SU)         LACP      Gi0/8(P)

Carls_3560CX#sh cdp nei
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
Carls_3560CX.home.com
                 Gig 0/7           171             S I    WS-C3560C Gig 0/8
Carls_3560CX.home.com
                 Gig 0/8           171             S I    WS-C3560C Gig 0/7

interface GigabitEthernet0/7
 switchport trunk allowed vlan 666
 switchport mode trunk
 channel-group 5 mode active
end

Carls_3560CX#sh run int po5
Building configuration...

Current configuration : 89 bytes
!
interface Port-channel5
 switchport trunk allowed vlan 666
 switchport mode trunk
end
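The tell-tale sign in that output is the switch listing itself as its own CDP neighbor on both member ports. If a loop like this ever shows up somewhere it was not meant to (a mis-patched cable rather than a deliberate hairpin through an inspection device), it is worth catching in a config audit. The script below is an added example, not code from the original post: it parses the `sh cdp nei` table as IOS prints it (device ID wrapped onto its own line when it is long, or on one line when it is short), takes the local hostname from the prompt, and reports every neighbor entry whose device ID is the switch itself. The sample output embedded in it is constructed, with one extra neighbor added so the filter has something to ignore.

```python
import re

# Constructed sample: the CDP table from a switch whose Gi0/7 and Gi0/8 are
# cabled back to itself, plus one ordinary neighbor for contrast.
SAMPLE_CDP = """\
Carls_3560CX#sh cdp nei
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
Carls_3560CX.home.com
                 Gig 0/7           171             S I    WS-C3560C Gig 0/8
Carls_3560CX.home.com
                 Gig 0/8           171             S I    WS-C3560C Gig 0/7
Other_SW.home.com
                 Gig 0/1           155             S I    WS-C2960  Gig 0/24
"""

# Detail line that follows a wrapped device ID: "<local intf> <hold> <caps> <platform> <port id>"
DETAIL_RE = re.compile(
    r"^\s*(?P<local>\S+ \S+)\s+(?P<hold>\d+)\s+(?P<caps>.+?)\s+"
    r"(?P<platform>\S+)\s+(?P<remote>\S+ \S+)\s*$"
)
# Same fields, but with a short device ID on the same line.
ONE_LINE_RE = re.compile(
    r"^(?P<device>\S+)\s+(?P<local>\S+ \S+)\s+(?P<hold>\d+)\s+(?P<caps>.+?)\s+"
    r"(?P<platform>\S+)\s+(?P<remote>\S+ \S+)\s*$"
)


def local_hostname(text):
    """Hostname of the switch that produced the output, taken from its exec prompt."""
    m = re.search(r"^(\S+)#", text, re.MULTILINE)
    return m.group(1) if m else None


def parse_cdp_neighbors(text):
    """Return one dict per neighbor row; handles both wrapped and single-line rows."""
    entries = []
    pending_device = None
    in_table = False
    for line in text.splitlines():
        if line.startswith("Device ID"):
            in_table = True  # column header: everything after it is table rows
            continue
        if not in_table or not line.strip():
            continue
        m = ONE_LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
            pending_device = None
            continue
        m = DETAIL_RE.match(line)
        if m and pending_device:
            row = m.groupdict()
            row["device"] = pending_device
            entries.append(row)
            pending_device = None
            continue
        if not line[0].isspace():
            pending_device = line.strip()  # long device ID wrapped onto its own line
    return entries


def find_self_loops(text):
    """(local port, remote port) pairs where the CDP neighbor is this very switch."""
    host = local_hostname(text)
    loops = []
    for e in parse_cdp_neighbors(text):
        # CDP advertises the FQDN; compare the short name against the prompt hostname.
        if host and e["device"].split(".")[0] == host:
            loops.append((e["local"], e["remote"]))
    return loops


if __name__ == "__main__":
    for local, remote in find_self_loops(SAMPLE_CDP):
        print(f"self-loop: {local} is cabled to our own {remote}")
```

Feed it the saved output of `sh cdp nei` from a real box instead of `SAMPLE_CDP` and it will flag each member of a hairpinned port-channel; an empty result means no port sees the switch itself as a neighbor.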
Again, silly post, obviously not recommending you do this! I did think it was funny enough to share though 🙂 I kind of want to go test it out on the ACI lab now out of morbid curiosity! A packet capture on that link may be interesting too… I still feel like this shouldn’t work, but I guess it does!