Lab 10 – Spanning Tree Protocol
"Adventures in the show spanning-tree command."

[Default STP Behavior | Advanced PVST+ Configuration | Implementing MST | Per-VLAN Spanning-Tree Load Balancing | Port Level Tuning to Control STP Behavior | Configuring Fast EtherChannel]

Remember to work as a team for these labs.  Most of them use only one DS, so you should at least be able to split into two teams and still be able to have all the switches you need.  If you have more teams, share the access to the distribution layer switches and set up your links.

For the first part of this lab, you will need to use two access layer switches, and share one distribution layer switch with other teams.  The setup for this lab is to use the links that connect from the AL-switches to the DL-switches.  Depending on what DL-Switch you use, the access layer ports on the AL-switches will be 11 and 12, or 13 and 14.  Use the diagrams to figure out which ports to configure.  Any time the lab wants you to set up ports for access mode, and configure VLANS for those ports, you should use the ports 2 and 3 that connect to the routers of your pod. 

Part 1: Default STP Behavior
[http://www.cs.rpi.edu/~kotfid/switching/ch3/3_10_1/index.html]

The logical layout we will use for Part 1 is as follows, with two access layer switches, and a central distribution layer switch:

Note that in our labs, the switching fabric contains many extra connections aside from the logical connections shown above. To get accurate results, you must ensure that all extra switchports are manually SHUT DOWN in the configuration. Leaving ports up that are not part of your configuration often creates unexpected results when you test your configs. The following graphic shows how the above logical network can be applied to our switch layout.

Your first step in all these labs should be to erase any previous configuration on the switches. Be sure to first shut down all ports, then erase the vlan.dat file to reset the vlan databases. Sample commands for this are here.

Once you've reset the configuration, begin by doing the basic switch configuration, including hostname and line configuration (password/timeout/etc).

Now, bring up the ports connecting your two access switches to your DS switch. No configuration is necessary yet, just no shut them. Spanning-tree will run automatically as soon as the ports are activated. Verify this using the show spanning-tree command on your switches:








Note: If you're seeing weird VLANs in your spanning-tree, chances are you did not shut down your ports properly and clear the VLAN and VTP status. Shut down all your ports, and clear the vlan database as described above. If you've done so properly, the show vlan command will only display numbered VLAN 1. If you still cannot get rid of the old VLANs, ask a TA for assistance.

Take a minute to examine the various fields in the output. Notice how one of the switches has been elected the root of the spanning tree. Also, notice how one port is set to blocking mode (BLK) between each of the two switches to prevent loops. These settings can be affected by changing spanning priorities, but that is beyond the scope of this section. Make sure you check out the link above and your text book reading to understand what factors cause the selection of the root bridge and blocking ports, as it may appear on the exam.

[Sample Configs]
Part 2: Advanced PVST+ Configuration
 [http://www.cs.rpi.edu/~kotfid/switching/ch3/3_10_3/index.html]

This section builds upon the switch configurations used in the previous section, so it is not necessary to reset your switches.

Excerpt from the Cisco PDF (above):
The switch with the lower Bridge ID (BID) is used to determine the root bridge priority. The BID consists of the root bridge priority and the MAC address assigned to the switch. The BID is not a real number. The root bridge priority is expressed in decimal form and the MAC address is expressed in HEX. The default bridge priority has a value of 32768. The current Root Bridge in the above sample output is ALSwitch2 because it has a lower MAC address. The root bridge priority is at the beginning of the BID. The bridge priority is a very large number. The root bridge priority will always determine the length of the BID because the MAC address is a fixed length. Newer Cisco switches default to PVST. VLAN 1 will be used for this configuration. The available priority value range is 0 to 61440 in increments of 4096. The default value is 32768. The lower the number, the more likely the switch will be chosen as the root switch. Valid priority values are 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, and 61440. All other values are rejected. For Catalyst 3550 switches with the extended system ID release 12.1(8)EA1 and later, the spanning-tree vlan 1 root primary command can be used to set the switch priority to 24576. If all other switches in the VLAN have the default priority, this switch will become the root bridge for VLAN 1.

Now, use the command spanning-tree vlan 1 root primary on your distribution switch to set it as the root bridge:



Use the show spanning-tree command again, and verify the changes that occur:



The switch should now be acting as the root. Also notice that the priority of the distribution switch changed as a result of the configuration. Also, notice that none of the distributions switch's ports are blocking now. All ports on the root bridge are designated and will always be forwarding. Issue a show spanning-tree on your access switches as well, and note all changes from the initial configuration.

It's possible to control which ports are placed in blocking and forwarding mode by configuring a cost on each link. After setting the DS as root, there will be one blocking port on each access switch. The switches have chosen the higher port numbers to block on each switch. The default port costs on our links are all set to 19. Now we'll force the higher numbered ports into the forwarding state by changing the port costs. To do so, use the spanning-tree cost interface command on each access switch interface. Set the lowered number port to cost 100 and the higher numbered port to 1. Now, show spanning-tree again, and observe the effects:



It is good practice to adjust the link costs in the distribution layer switch to match those on the access switches.

Excerpt from the Cisco PDF (above):
PVST+ is automatically enabled on 802.1Q trunks. No user configuration is required. The external spanning-tree behavior on access ports and Inter-Switch Link (ISL) trunks is not affected by PVST+. Cisco IOS supports a maximum of 128 spanning-tree instances.

Let's add a couple more VLANs to our distribution switch. Enter the vlan database and add two new VLANs, vlan 10 named "Accounting" and vlan 20 named "Marketing".



Then, do yet another show spanning-tree.



As the name implies, there is now a different spanning tree per each VLAN configured. Notice that since port costs apply to the interface and not the VLAN, they're uniform across all VLANs. Other settings, such as root bridge, are set per VLAN, and therefore they may be different between the different spanning tree instances on a switch.

Excerpt from the Cisco PDF (above):
The STP hello timers can be adjusted to decrease the convergence time. Use the diameter keyword to specify the Layer 2 network diameter. The diameter is the maximum number of switch hops between any two end stations in the Layer 2 network. When the network diameter is specified, the switch automatically sets an optimal hello time, forward-delay time, and maximum-age time for the network. This can significantly reduce STP convergence time. Use the hello keyword to override the automatically calculated hello time. Use the show spanning-tree vlan 1 bridge command to check the current STP timers.

Use the show spanning-tree vlan 1 bridge command on your DS switch, and make note of the max age and delay. Enter the spanning-tree vlan 1 root primary diameter 2 on the DS, and use the show command again. What values changed, and by how much?
Excerpt from the Cisco PDF (above):
Only the forward delay and the max aging times were changed. The root command with the diameter option should be used to change the STP timers. Default STP timers should not be changed without careful consideration, and if changed, they should be changed only from the Root Bridge.
The following commands can be used to change the STP timers:
• spanning-tree vlan vlan-id hello-time seconds
• spanning-tree vlan vlan-id forward-time seconds
• spanning-tree vlan vlan-id max-age seconds

[Sample Configs]

Part 3: Implementing MST
 [http://www.cs.rpi.edu/~kotfid/switching/ch3/3_10_4/index.html]

This section uses a different topology from the previous sections. Since this configuration requires two distribution switches, you will need to cooperate with other teams to complete it.

You should begin by erasing all previous configurations. As always, this involves shutting down all ports and erasing the vlan configuration. This section will use a special VTP configuration as follows:

Switch VTP Domain VTP Mode
DS1 lab10 Server
DS2 lab10 Client
P1S1 lab10 Client
P2S1 lab10 Client

Excerpt from the Cisco PDF (above):
PVST is the default STP behavior. However, it has two disadvantages. First, PVST is a Cisco proprietary protocol so it cannot work with other vendor products. Second, PVST creates spanning-tree instances for every VLAN. This can be very processor intensive. MST will be implemented to reduce the processor utilization and load balancing will be provided over the distribution layer switches.

Configure all four links as trunk links using 802.1q encapsulation. The access switches do not support setting the encapsulation type, so it is only necessary to set 802.1q on the distribution switches. All links should be set to mode trunk.

Now, configure five VLANs on your VTP server switch (DS1):

VLAN
Name
10
Accounting
20
Marketing
30
Engineering
40
HumanResource
50
GraphicDesign

Verify your configuration using show vlan on all the switches. The clients should configure themselves automatically. The VLANs should not yet have any ports assigned to them. If your VLANs aren't transferring properly, use show vtp status and show vtp counter to make sure the configuration matches the table above. If it does not, you probably did not reset the switch configurations properly at the beginning. This script can help.

Use the show spanning-tree command you know so well, and examine the output. Where are the root bridges located and why? The current setup uses the default PVST, which is inefficient since there are now separate spanning trees for each VLAN you created. We can fix this by using MST.
Excerpt from the Cisco PDF (above):
Multiple Spanning-Tree Protocol (MST) uses RSTP for rapid convergence. MST enables VLANs to be grouped into a spanning-tree instance. Each instance has a spanning-tree topology that is independent of the other spanning-tree instances. This architecture provides multiple forwarding paths for data traffic and enables load balancing. This also reduces the number of spanning-tree instances that are required to support a large number of VLANs. MST regions are used to partition the network. All switches in the same region must have the same VLAN-to-instance mapping, the same configuration revision number, and the same name. MST groups a few VLANs into one spanning-tree instance unlike PVST, which has a spanning-tree instance for every VLAN. This reduces the number spanning-tree processes required and enhances the switch performance. MST support 16 instances, numbered 1 through 15. MST is configured in the MST configuration mode. It is enabled in the global configuration mode.

Now let's apply MST to the first DS. You enter MST configuration mode with the spanning-tree mst configuration command. Each instance is mapped to a set of VLANs using instance [number] vlan [startnum]-[endnum]. Map instance 1 to vlans 1 through 50. Name the mst region "region1" with the name command. Finally, set the mst revision to 1 with the revision command. Like with the vlan database, the changes are applied when you exit. You may preview changes before you exit using the show pending command.

DS1(config)#spanning-tree mst configuration
DS1(config-mst)#instance 1 vlan 1-50
DS1(config-mst)#name region1
DS1(config-mst)#revision 1
DS1(config-mst)#show pending
...[output]...
DS1(config-mst)#exit

MST must be enabled on the switch in order to be used. This is accomplished using the spanning-tree mode mst command.

DS1(config)#spanning-tree mode mst

Back to show spanning-tree we go!



Note we now have two instances of MST. MST00 is created by default when MST was enabled. MST01 is the one we just configured (remember, instance 1). The DS should also be the root, because at this point no other switches are running MST...that comes next.

Now, repeat the above MST configuration on the remaining DS and the two access switches. Configuration is identical for all three. Now use show spanning-tree around the switches to understand the spanning tree topology. Take note of where the root is now, and why.

We can manually configure a switch to become the root bridge. We'll do so with DS1.

Excerpt from the Cisco PDF (above):
Configure the distribution layer switch as the root bridge to make the network more efficient. To configure a switch to become the root, use the spanning-tree mst instance-id root global configuration command. This will change the switch priority from the default value of 32768 to a significantly lower value. With the lowest root priority, this switch will become the root switch for the specified spanning-tree instance. When this command is entered, the switch will check the switch priorities of the root switches. The switch will set its own priority for the specified instance to 24576 because of the extended system ID support. If any root switch for the specified instance has a switch priority lower than 24576, the switch will set its own priority to 4096 less than the lowest switch priority.

DS1(config)#spanning-tree mst 1 root primary

Verify the change using show spanning-tree. To simplify, you can view an individual instance using the show spanning-tree mst [instance number] command.

DS1#show spanning-tree mst 1

Excerpt from the Cisco PDF (above):
The [DS1 switch] is now the root bridge with a priority of 24576. Use the spanning-tree mst 1 priority command to manually set the MST root priority. The spanning-tree mst 1 root primary command will dynamically configure the lowest priority.

We can also create secondary root bridges in the network. This adds fault tolerance. If the primary root fails, the secondary acts as a backup root bridge. Use the same command as above, changing primary to secondary:

DS1(config)#spanning-tree mst 1 root secondary

Do a show spanning-tree mst 1, and make note if the different priorities used by the primary and secondary switches. Now we can test our backup root. Kill the interfaces on DS1 with shut commands. Go back to DS2 and examine the spanning tree again. The switch should have become root:



MST is also able to provide load balancing. To enable this, group VLANs into different MST instances. A different root bridge will be selected for each instance. Enter mst configuration, and use the instance command to assign instance 2 to vlans 30 through 60.

DS1(config)#spanning-tree mst configuration
DS1(config-mst)#instance 2 vlan 30-60
DS1(config-mst)#exit

Configure instance 2 on all four switches. Since we're going to load balance, make DS2 the primary root for this instance:

DS2(config)#spanning-tree mst 2 root primary

Use show spanning-tree mst to verify that you now have DS1 as the root for MST01 and DS2 as the root for MST02. Load balancing is now enabled and Part 3 is complete!

[Sample Configs]

Part 4: Per-VLAN Spanning-Tree Load Balancing
[http://www.cs.rpi.edu/~kotfid/switching/ch3/3_10_6/index.html]

This section uses the same topology as the previous section. You should erase your configs to remove all MST configuration, but you may wish to save and recycle your basic port configuration.
Start off by configuring the switches with VTP and VLANS as follows:

Switch VTP Domain VTP Mode
DS1 lab10 Server
DS2 lab10 Client
P1S1 lab10 Client
P2S1 lab10 Client

VLAN
Name
10
Accounting
20
Marketing

Configure 802.1q trunks between DS1 and the two access switches, and between DS2 and the two access switches, as in the previous section. Add ethernet port 0/01 to VLAN 10 and port 0/02 to VLAN 20 on each access switch.

Use show spanning-tree to examine the current spanning tree. What type of STP is currently running? Which switch is root? Is the same switch root for all VLANs?

Excerpt from the Cisco PDF (above):
Set a distribution layer switch as the root bridge to increase network efficiency. To further increase efficiency, split the load between the two distribution layer switches. DLSwitch1 will become the root bridge for VLAN 10 and DLSwitch2 will become the root bridge for VLAN 20. Cisco switches use per-VLAN spanning tree (PVST) by default. The range for the priority value is 0 to 61440 in increments of 4096. The default value is 32768. The lower the number, the more likely the switch will be chosen as the root bridge. Valid priority values are 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, and 61440. All other values are rejected.

You can set spanning tree priorities with the spanning-tree vlan [vlan number] priority [priority value] command. Use this command to make DS1 the root for VLAN 10 and DS2 the root for VLAN 20. Use a priority of 4096.

DS1(config)#spanning-tree vlan 10 priority 4096
DS2(config)#spanning-tree vlan 20 priority 4096

Use show spanning-tree to verify the changes.

Keep in mind that when purposefully setting a bridge as the root bridge, it's best to use the spanning-tree vlan [vlan number] root primary command. This command will automatically determine the lowest priority on the network and apply it to the given switch. Try changing the priority value on a switch to a low value, then apply the root command to the same VLAN on a different switch. It should automatically apply the next lowest priority value.

[Sample Configs]

Part 5: Port Level Tuning to Control STP Behavior
[http://www.cs.rpi.edu/~kotfid/switching/ch3/3_10_7/index.html]

This section uses the same topology as the previous section. You should erase your configs to remove all STP configuration, but you may wish to save and recycle your basic port configuration.

Excerpt from the Cisco PDF (above):
The purpose of this lab is to use PortFast, UplinkFast, BPDU guard, root guard, and UDLD to control STP behavior on a port.

Scenario:
A new redundant switched network has just been implemented. The default behavior of Spanning-Tree Protocol (STP) has created some undesirable results. The ports take up to 50 seconds to reach forwarding state. This prevents DHCP clients from receiving an IP address during normal boot-up.
PortFast will be used to prevent this problem in the future.

Enabling PortFast can create a security risk in a switched network. A port configured with PortFast will go into blocking state if it receives a Bridge Protocol Data Unit (BPDU). An unauthorized device can send BPDUs into the PortFast interface and set a port to blocking. When the port is in blocking state it will accept all BPDUs. This could lead to false STP information that enters the switched network and causes unexpected STP behavior. Bridge Guard Data Unit (BGDU) will be used to prevent unauthorized BPDUs from entering the switched network through PortFast enabled ports.

When the active uplink between the two switches is broken, it takes the redundant link 30 seconds to complete the spanning-tree process before bringing up the backup, or blocked, link. This results in a temporary network outage for users. UplinkFast will be used to reduce STP convergence time.

ALSwitch2 is connected with a slower and more unreliable connection. The network administrator wants to prevent the ALSwitch2 from becoming the root bridge or from being in the path to the root bridge. ALSwitch2 should be avoided as much as possible. Root guard will be used to prevent ALSwitch2 from becoming the root bridge.

ALSwitch1 is connected to the distribution layer with Gigabit Ethernet links. If the transmit or receive link in a fiber cable is disconnected or cut, then it could lead to a unidirectional link. Unidirectional links can transmit or receive data, but not both. Unidirectional links have an adverse effect on the network. Use UniDirectional Link Detection (UDLD) protocol to prevent unidirectional links from occurring.

Use the same VTP and VLAN configuration as we used in Part 4. Scroll up if you didn't save your configs. Use 802.1q trunking to create the same inter-switch topology.

Make DS1 the root bridge for all three VLANs with a priority of 4096.

DS1(config)#spanning-tree vlan 1 priority 4096
DS1(config)#spanning-tree vlan 10 priority 4096
DS1(config)#spanning-tree vlan 20 priority 4096

Verify that DS1 is the root with show spanning-tree.

Normally, STP causes delays on all ports as it goes through the various states of initialization. This can be a problem for access ports, where a delay of 30 to 50 seconds can occur before the switch can actually begin forwarding traffic for that port.

Connect to one of the routers attached to an access port on one of the access switches. On the access switch, enter the debug spanning-tree events command. Now bring up the ethernet interface on the router. Use the debug output on the access switch to determine how long it takes the port to enter the forwarding state.

To avoid this we use PortFast. Configure PortFast on your access ports with the spanning-tree portfast interface configuration command.



Now that PortFast is on, shut the router ethernet port again. Do a no shut, and again use the debug output to observe the time it takes the port to enter forwarding. What's the difference in time?

Next we'll configure UplinkFast between the access switches and the distribution switches. Again, use the debug spanning-tree events option to examine how long it takes the uplink ports to begin forwarding when you shut the current active port. Then enable uplinkfast. To do so, use the spanning-tree uplinkfast interface command. Shut and no shut an interface once again, and observe the change in forwarding delay.

The show spanning-tree summary total command offers lots of information about STP. Use it on the access switches to verify that UplinkFast is enabled. It will also tell you how many UplinkFast transitions have occurred...you should manually have triggered one or two with shut/no shut.

Excerpt from the Cisco PDF (above):
When the BPDU guard feature is enabled on the switch, STP shuts down PortFast enabled interfaces that receive BPDUs instead of putting them into a blocking state. PortFast-enabled interfaces do not receive BPDUs in a valid configuration. The receipt of a BPDU by a PortFast enabled interface indicates an invalid configuration such as the connection of an unauthorized device. The BPDU guard feature blocks BPDUs by placing the interface in the ErrDisable state. The BPDU guard feature provides a secure response to invalid configurations because the interface must be manually placed back in service.

To enable BPDU guard, use the spanning-tree portfast bpduguard configuration command. Enable it on your access switches. Now to test it, change the type of one of your uplink ports to mode access with portfast enabled. BPDU guard will kick in, and shut down the port.



To bring the port back up, manually shut it. Put back the trunk configuration, then no shut it.
Excerpt from the Cisco PDF (above):
Prevent ALSwitch2 from becoming the root or from being in the path to the root.

The Layer 2 network of a service provider (SP) can include many connections to switches that are not owned by the SP. STP can reconfigure itself in this type of topology and select a customer switch as the STP root switch. The root-guard feature can be configured on interfaces that connect to switches outside of the customer network. STP calculations can be used to identify an interface in the customer network as the root port. Root guard will place this interface in the root-inconsistent or blocked state to prevent the customer switch from becoming the root switch or from being in the path to the root.

Uplinkfast is incompatible with RootGuard, so you must disable it on your access switches. Use the no spanning-tree uplinkfast configuration command to do so.

p1s1(config)#no spanning-tree uplinkfast
p2s1(config)#no spanning-tree uplinkfast

Apply root guard to both DS switches on the links that connect to your second access switch with the spanning-tree guard root interface command.

DS1(config)#int fast 0/27
DS1(config-if)#spanning-tree guard root
DS2(config)#int fast 0/27
DS2(config-if)#spanning-tree guard root

Observe which switches are currently root with show spanning-tree. Now, give your second access switch a lower priority than the current root:

p2s1(config)#spanning-tree vlan 1 priority 0

Which switch is root now? Root Guard should have stopped the access switch from becoming root. Notice the blocking/forwarding states on the guarded links you just configured. How did root guard affect them?

Excerpt from the Cisco PDF (above):
A unidirectional link occurs when traffic sent by the local device is received by the neighbor but traffic from the neighbor is not received by the local device. This indicates that the transmit or receive part of the connection is broken. This can be caused by a cut or disconnected cable. UDLD is a Layer 2 protocol that enables devices connected through fiber-optic or twisted-pair Ethernet cables to monitor the physical configuration of the cables and detect a unidirectional link.
All connected devices must support UDLD for the protocol to identify and disable unidirectional links. When UDLD detects a unidirectional link, it shuts down the affected port and sends out an alert. Unidirectional links can cause a variety of problems such as spanning-tree topology loops.

To enable udld on an interface, use the udld enable interface command. We will not do a simulation of udld in this lab, but it's good to know for exams.

[Sample Configs]

Part 6: Configuring Fast EtherChannel
[http://www.cs.rpi.edu/~kotfid/switching/ch3/3_10_5/index.html]

This section of the lab involves configuring Fast EtherChannel links between switches (read: no more spanning-tree!). There is a different topology for this part, which requires two access switches but only one DS. Clear all configurations before beginning this section.


We will use Fast EtherChannel to combine the two 100mb ethernet links between an access layer and distribution layer switch into a single 200 mb full-duplex link, effectively doubling the bandwidth available between the switches. Remember that because of spanning tree, without EtherChannel enabled only one of the two parallel links would be active at a time to prevent routing loops. EtherChannel allows the switches to view the two physical connections as a single logical connection.

Configure VTP and VLANs as follows:
Switch VTP Domain VTP Mode
DS1 lab10 Server
P1S1 lab10 Client
P2S1 lab10 Client

VLAN
Name
10
Accounting
20
Marketing

Make the first couple ports on each access switch your access ports. Add a port that connects the access switch to router 1 to VLAN 10 and a port that connects the switch to router 2 to VLAN 20.

P1S1(config)#interface fast 0/01
P1S1(config-if)#switchport mode access
P1S1(config-if)#switchport access vlan 10
P1S1(config-if)#no shut
P1S1(config-if)#interface fast 0/02
P1S1(config-if)#switchport mode access
P1S1(config-if)#switchport access vlan 20
P1S1(config-if)#no shut

Do the same to access switch 2, adding a couple router-connected ports to the different VLANs as access ports. Configure all four inter-switch links as 802.1q trunk links. There should be two parallel links between your first access switch and the DS, and two more between the second access switch and the DS.

Excerpt from the Cisco PDF (above):
An EtherChannel is composed of individual Fast EtherChannel (FEC) or Gigabit EtherChannel (GEC) links, which are bundled into a single logical link, as shown in the graphic. GEC provides fullduplex bandwidth of up to 16 Gbps between a switch and another switch or host. FEC provides the ability to combine eight 100-Mbps full duplex links for a 1.6-Gbps full duplex link.

With the configuration as it is now, one link is active and one is blocked by STP. Now we'll enable EtherChannel to activate both parallel links simultaneously. Each group is configured using the channel-group [group number] mode desirable interface command. Add both links between your first access switch and the DS to channel group 1.

P1S1(config)#interface range fast 0/07 - 08
P1S1(config)#channel-group 1 mode desirable

P2S1(config)#interface range fast 0/07 - 08
P2S1(config)#channel-group 1 mode desirable

DS1(config)#interface range fast 0/25 - 26
DS1(config-if-range)#channel-group 1 mode desirable
Creating a port-channel interface Port-channel 1
DS1(config-if-range)#interface range fast 0/27 - 28
DS1(config-if-range)#channel-group 2 mode desirable
Creating a port-channel interface Port-channel 2

Use the show etherchannel summary and show etherchannel brief commands to verify your new etherchannels.
Excerpt from the Cisco PDF (above):
Verify the port aggregation protocol (PAgP) operation.

The PAgP facilitates the automatic creation of EtherChannels by exchanging packets between Ethernet interfaces. By using PAgP, the switch learns the identity of partners capable of supporting PAgP and learns the capabilities of each interface. It then dynamically groups similarly configured interfaces into a single logical link, channel, or aggregate port. These interfaces are grouped based on hardware, administrative, and port parameter constraints. For example, PAgP groups the interfaces with the same speed, duplex, native VLAN, VLAN range, trunking status, and trunking type. After grouping the links into an EtherChannel, PAgP adds the group to the spanning tree as a single switch port.

Use the show pagp neighbor command on the DS to verify PagP operation.
Excerpt from the Cisco PDF (above):
EtherChannel balances the traffic load across the links in a channel. This is accomplished by reducing part of the binary pattern formed from the addresses in the frame to a numerical value that selects one of the links in the channel. EtherChannel load balancing can use either source MAC or destination MAC address forwarding.

The load balancing decision is based on source MAC address by default.

You can use the show etherchannel load-balance command to view the type of load balancing enabled. Try it...

Finally, you can manually configure the type of load balancing used on the etherchannel. To do so, use the port-channel load-balance [type] configuration command. Try setting the load balancing to dst-mac. Use show etherchannel load-balance to view the new load balancing type.

That's it! :)

[Sample Configs]