How to configure a Cisco 3560 switch etherchannel or port channel

Recently I was asked to configure a switch to be used by our help desk staff for imaging new PC’s via PXE boot in preparation for a desktop roll out. Despite passing a CCNA and having some hands-on experience as a 2-and-a-half-line engineer, getting hands on with something is far more valuable than book theory.

This post aims to give you some best practice tips, links and help you avoid all the pitfalls I met whilst configuring a port channel/etherchannel on a new switch.

The below covers how to create a layer 2 VLAN extension using an etherchannel on a new switch. The etherchannel will link to a ‘main’ switch or incumbent switch, the purpose of doing this was to create a build area for PC’s to PXE boot for imaging in isolation from our production switch.

The encapsulation protocol is LCAP and it also contains some tips for troubleshooting if your etherchannel fails to reach an UP/UP state at both ends.

Part 1 – Switches are just a big text file

The prereqs were as follows –

  • Reset the local password (aka password recovery in IOS) and clear the old config.
  •  Create a Layer 2 Etherchannel (or port-channel, both terms mean the same thing in IOS lingo – thanks Cisco).
  • Test it, then light a cigar!

Getting Started/High level steps:

  1. Plug the switch in. Have a laptop with Z-Term or Putty installed. You’ll also need  a console to USB cable because  switches are so cool, they don’t use USB or the kind of connection you’d like them to 🙂
  2. Plug your Console to USB into the Console port on the back of the switch.
  3. Set your connection settings to 9600/8/1 and press return (if using z-term) if using Putty, select your Serial connection and repeat.
  4. Once your connected, follow the below blog on how to reset the password. Cisco 3560 Password Reset
  5. I assume you know a bit of IOS here, if you don’t, just lift it from the attached config at the bottom of the post. The basic steps are:
    1. Wipe VLAN.dat file – this will clear all stored VLAN information on switch and reload the switch.
    2. Set the hostname, domain name, and turn off DNSlookup.
    3. Configure a couple of local user accounts – make sure these match your organizations standardised user accounts.
    4. Configure the virtual-terminal lines i.e. how the connection behaves when you remote connect via Putty/Z-term connect to the switch.
    5. Configure the etherchannel, encapsulation protocol, and bundle in the interfaces that will be used in the channel.
    6. Test!

The config for setting up an etherchannel on a new switch is pasted at the bottom of this page.

Troubleshooting a Layer 2 Etherchannel

Here’s the annoying stuff that’s going to stop your etherchannel from showing UP/UP at both ends of the link. The attached config bundles 2 interfaces into a port channel using LACP protocol to negotiate the channel. Here’s the pitfalls that caused my Etherchannel to fail:

  • Pruning – I only wanted VLAN 100 traffic to be sent along the port channel. By adding pruning via command: switchport trunk allowed vlan 100 I actually caused myself more problems. Try omitting this if your channel fails and instead, allow all VLAN traffic to traverse the link.
  • Encapsulation mismatch – When adding an interface into a port-channel, it  should inherit the settings of the channel (i.e. it’s access mode will change to trunking and it’s encapsulation method to dot1q). Sometimes this doesn’t work and you need to explicitly set either the interfaces bundled in the port-channel, or the port channel itself to trunk. Also, check the encapsulation method on the port-channel, it should be dot1q.  Use the show log command to see encapsulation mis-match errors on interfaces.
  • Protocol mismatch – decide between LACP or PAGP and make sure your port-channel is using the agreed protocol at both ends. A mismatch between the encapsulation modes active/passive/on/desirable/auto = fail to trunk.
  • The port channel won’t negotiate or LACP fails –  Try doing a no shut on the port channel first. Then, no shut  against the interfaces that are bundled into the port-channel in unison example: interface range gi01-2 to select your channel member interfaces, then shut , no shut. 99% of the time this put the channel into an UP/UP state.


Config to create an etherchannel on the new switch:

#erase current config#

wr erase or erase startup-config

#erase vlan data#

delete flash:vlan.dat

#set STP priority to low (highest number) so the switch doesn’t become spanning-tree master for the VLAN instance you’re extending set mode to rapid-pvst. enable portfast (this will force ports to forward as soon as they’re up)#

spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 100 priority 61440
spanning-tree portfast default

#set hostname and domain name, disable DNS lookup#

no ip domain-lookup
ip domain-name YOURDOMAIN.COM
vtp mode transparent

#set ip default gateway – *this is the Default gateway on your management VLAN*#

ip default-gateway XX.XX.XX.XX

#Configure the connection lines e.g. virtual terminal (vty), console, set the timeout, turn off the on-screen logging (logging synchronous) and optionally, set the privilege level for the line. 15=admin, 0=read only 1=user exec#

line con 0
logging synchronous
line vty 0 4
exec-timeout 600 0
privilege level 15
logging synchronous
length 0
transport input all
line vty 5 15
login authentication cisco

#create the desired VLAN the etherchannel will extend, this VLAN should be present on the switch your port channel links to#

vlan 100
desc VDI

#create a new etherchannel 10, (number is unique) set encapsulation and set mode to trunk#

conf t
interface Port-channel10
switchport trunk encapsulation dot1q
switchport mode trunk

#assign 2xports to port-channel 10, add descriptions and use LACP protocol for the channel (the active statement defines this)#

conf t
interface range GigabitEthernet0/23-24
description **Uplink to Adjoining Switch**
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 10 mode active

#verify etherchannel status, if they show (P) they are bundled into a channel=success,#

show etherchannel summary

#create local user accounts#

conf t
username AdminUser privilege 15 secret PasswordHere

#assign the spare ports on your build switch to the VLAN you are creating, set mode to access ports#

int gi1/0/1-22
switchport mode access
switchport access vlan 100

#ensure all the access ports have PortFast enabled explicitly on the port (as well as in the aforementioned spanning tree instance). The below may not be accurate#

int range g0/1-22
spanning-tree portfast enable

#write to config#

wr mem

VDI Gold Image Maintenance – Adding Microsoft Office Add-Ins And Managing Load Behavior

I’ve spent a couple of years learning from scratch (with no prior knowledge of VDI environments) how to package applications, common stumbling blocks, best practices and picked up some very handy tricks along the way, which I’ll share below.

This post gives a newbies understanding of what non-persistent VDI is, what application layer is/does, and how to add Microsoft Office Add-Ins into your gold image.

What  are non-persistent VDI desktops?

Non-persistent desktops mean when you log off, the desktop is destroyed and rebuilt from a template. A persistent desktop means you can log back into the same machine (be it virtual or physical).

A primer on persistent vs non-persistent desktops

What is a master image or ‘Gold image’?

The master image or ‘Gold Image’ is a template that will be cloned to produce your virtual desktop. It contains the chosen OS (typically Windows or Linux), core applications  that are required by everyone in the business (typically MS office, plug-ins, anti-virus and any bespoke business apps that cannot be controlled or added at a later stage). To create a gold image there’s a number of best practices to follow. Read about How To Optimize A Gold Image

What is application layering?

Layering is the technical name for adding another application to a desktop without manually installing it. Common technologies in the marketplace that perform layering (in one way or another) are Microsoft App-V, VMWare Appvolumes, ProfileUnity FlexApp , Citrix XenApp – these tools can visualise an application for streaming/mounting/layering into a desktop that is cloned from your master image. This allows you to provide staff the software they need, when they need and retain control of the licencing, patching, updating and versioning of the software your company uses.

Liquidware’s Application Layering (FlexApp)

Microsoft App-V Overview

VMWare App Volumes

Why use layering? I like installing it!

Over time it’s easy for a typical desktop computer to become a graveyard of applications. A typical small company might have an IT estate of 20-50+ physical computers, each with different software installed on them based on ad-hoc requests from staff. This represents all kinds of challenges (licencing, maintenance, patching levels, vulnerabilities) and, what if someone decides to hot desk without taking their PC with them? Moving your IT to a non-persistent, virtual desktop model lets you work from anywhere,  from (just about) any device.

A bit about virtualizing your apps…

Citrix Application Layering Explained

Given what we’ve learned  so far, app layering sounds like the golden bullet for desktop delivery but it’s not quite the case. Lots of applications designed for Windows call upon files and frameworks that sit within the operating system (C++ libraries, .NET frameworks, Windows patching/OS files and .dll’s…you name it) – although a layered application can still read these files in the OS, you’ll often find apps that require Windows features like .NET Framework or a specific Microsoft KB update patch, and typically these cannot be virtualized using layer and must be installed into your image.

It’s important to try to discover what is installed in your current desktop estate per-use case. Each business will have dozens of use-cases, before you can move to a virtual platform you need to understand what your base image should contain.

 I recently discovered we could not package Microsoft Dynamics CRM Outlook 2011 plugin using FlexApp because it relies on Windows Foundation Identity service amongst other bizarre Microsoft prerequisites. 

We were forced to add the plug-in into the company’s master image, and find a method for toggling it on/off for those who required it…

Installing a Microsoft Office add-in on your Master Image and controlling load behaviour

  1. Find out how to control the load behavior – the best way to do this is to use the registry. All applications write to the machine registry when they’re installed.
  2. Open run > regedit
  3. In this example we’ll look at a Microsoft Office Add-in. Browse to HKEY_Local_Machine\Software\Microsoft\Office\Excel\AddIns (the other suite apps will have their own keys within the \Office\ Root. This location is also valid under HKEY_Current_User. Some vendors use locations like HKLM\Software\VendorName
  4. Search the registry for ‘LoadBehaviour’ or ‘Behavior’ or the plug-in name – we want to first find the key that controls it, then test if it works.
    1. Typically the registry data value of 0 is ‘Disabled’ – the plugin will not load when MS Office is opened. If LoadBehavior=1 this is enabled.  Other values such as 3 are common – vendor documentation can inform you on what the values are and how that affects the plugin. Here’s an example
    2. Now you understand load behaviour, you can configure group policy to set the value in the registry (as a machine or user policy) based on which users you want the plugin to be enabled for.
      1. Example: Create a new GPO that uses User > Preferences > Registry that includes Enable and Disable load behaviours based on a user group membership.  If the user is a member of PowerPivotExcel then set the registry value under HKEY_Local_Machine\Software\Microsoft\Office\Excel\AddIns\LoadBahavior to 1 (enable). Create another policy preference to default  the load behaviour for all users to 0 – remmeber, we always want this plugin to be disabled unless somebody needs  it, so you must configure a default rule.
        1. Alternatively, you can set the load behaviour to 0 in HKLM settings when you first install the plugin. In a linked clone environment, your master image will be cloned with this default behaviour in place.

Application troubleshooting tools

if you have trouble finding which registry keys are changed during an installation these tools can help –

  1. RegShot allows you to take a before-and-after snapshot of your registry and see a historical view of file system changes.
  2. ProcMon provides a real-time log of all system internal processes.
    1. Ctrl+x to clear the log
    2. Ctrl+E to enable logging
    3. Then use the Filter option to sort the output by Operation >  ‘RegKeyAddValue’ or similar events. This can be used extensively for any other kind of troubleshooting, not just registry related.
  3. WhatChanged is similar to RegShot.

Removing Start Menu Short Cuts in Windows 10

You don’t want all of your users  to see you’ve installed an app that they don’t use.

Removing Start Menu Shortcuts

Another location to check is %appdata%\Roaming\Microsoft\Windows\Start Menu

Best Practice Before You Deploy!

  • Check the vendors administrative guide for any command line switches that can be used during the installation to minimise this. Remember, most software developers like to receive as much data about how their product is being used which causes bloat and unwanted features to be included in a ‘default’ installation i.e. diagnostics being sent over your network. Always check the vendor’s installation guide for command line switches or tricks for disabling unwanted features. Be weary!
  • Is the default load behaviour set?
  • Does your method for enabling the plugin work?
  • Is the plugin the desired version, or can it be updated? Microsoft plugins can be patched and updated by running windows update.

Markit Wall Street Office – Packaging, Deployment And Tricks You Should Know!

If you use WSO you’ll know it’s a strange creature depending on how you have  your environment configured.

Administrator won’t maximise!


Occasionally WSO Admin might refuse to maximise on a desktop and sit in the task bar waiting to be killed off. This is often caused by the users profile data in SQL becoming smelly. To cleanse this, run the following script in SQL Management Studio against your WSO FCSCommon database:





Wipe my profile in Wall Street  Office

A more comprehensive script for cleansing a user profile involves running the following. Note – log the user out of WSO before running this.



Packaging Bloomberg Professional for VDI using AppVolumes or Liquidware FlexApp


The following post runs through how to install and package Bloomberg Professional for a VDI environment. The below example uses Liquidware’s FlexApp to do this, but the ideas below are applicable to AppVolumes with VMware DEM to manage the post-deployment script.

Version: This is intended for users of Bloomberg Anywhere and covers how to package and deploy Bloomberg Professional (Full Terminal).

Bloomberg Professional contains Office Tools (MS Office Add-In) and a full standalone desktop client.

Install on your capture VM

  1. Download the Bloomberg Full Terminal Installation  

2. Run the installer on your provisioning VM selecting Private IP Network as the environment type.

3. Launch the software and click past the connection wizard until you reach the login screen – you don’t want your users to see/do this!

4. Bloomberg has minimum requirements of Read/Write to the following HKLM registry key and subkeys. If you have UAC enabled, you need to set permissions against these keys to allow users R/W access to:


These permissions can’t be captured using AppVolumes or FlexApp because they’re machine-level settings, so we need to use a post-deployment script to add the permissions to the registry after the app has mounted to the desktop at logon time.

There’s a few methods for doing this and at the time we

Configure a post-deployment script using subinacl

The following script should be saved as a .bat file.

1. Download SubinACL

2. Extract the subinacl.exe to a network folder that your users can access.

3. Create the post-deployment script and deploy it, there’s a few ways to do this:

For Liquidware FlexApp – add this script as a post-deployment script – see this guide: ‘App Package Scripts’ section

For AppVolumes –  ideally you should use DEM (formerly UEM) to run the script elevated, at logon or you may need to use Group Policy to run a logon script and scope it against the Bloomberg users.

Another (untested!) option, you could try editing the snapvol.cfg file within AppVolumes – if this works for you, please let me know!

The below can be copied into a .bat file to be executed after the application has been deployed to your VDI desktop(s).

\\\netlogon\AFolderShare\Scripts\subinacl.exe /subkeyreg “HKEY_LOCAL_MACHINE\Software\wow6432node\Bloomberg L.P.” /grant=Everyone=F


1. Ensure subinacl and the .bat script sit in the same folder, ideally your netlogon share. If storing elsewhere, ensure the logged on user has rights to read/execute from that location.

2. Typically Bloomberg allows you to perform an APOD creation – this installs a generic license key which then lets a Bloomberg Anywhere user log in. If you need to configure this follow these steps: once you’ve installed the app on your capture VM, type CONN in the Bloomberg window to see the connection wizard. Under the Connections tab, click Submit. This will create a generic key code and allow the user to login using their Anywhere login creds

Bloomberg Minimum Requirements and File Rights.

3. Your Bloomberg users might not want the Office Add-Ins – to disable these, for ideas on how to disable office add-ins and manage load behavior

3. If your placing a shortcut to Bloomberg on the desktop, create this in: C:\Users\Public\Public Desktop 

4. Bloomberg requires updating every 3 months, add this to your maintenance schedule!





Welcome to Desktop Surgery – The End User Computing Blog For Aspiring Techies

This blog is largely a dumping ground where I can validate the hours spent pouring over IT virtualization and EUC challenges, hopefully saving you time and effort whilst learning some new tricks.

It will also contain anything else that’s useful for EUC and desktop support technicians.