Chapter 9 – Configuring Switch Interfaces

Author
  • Chapter explains how to change operation of switch interfaces, how to change speed, duplex, or disable interface, or how to add a security feature (port security) which monitors incoming frames and source MAC address and decides what to do with them 

Configuring Switch Interfaces

  • interface = port 
  • lets begin with port speed, duplex and text description 

Configuring Speed Duplex and Description: 

  • Switch interfaces will auto-negotiate what speed to use by default.  
  • However, we can configure speed and duplex settings with duplex (auto, full, half) and speed (auto, 10, 100, 1000) subcommands. 
Example 9-1 Configuring speed, duplex, and description on Switch Emma Emma# configure terminal Enter conf iguration commands, one per line . Emma (config) # interface FastEthernet 0/1 Emma (config-if) # duplex full Emma (config-if) # speed 100 End with CNTL/Z. Emma (config-if) # description Printer on 3rd floor, here Emma (config-if) # exit Preset to 100/ full Is connected Emma (config) # #iterface range FastEthernet 0/11 29 Emma (config-if-range) # description end-users connect here Emma (config-if-range) # AZ Emma #

IMPORTANCE OF SHOW INTERFACES STATUS COMMAND 

Example 9-2 Displaying Interface Status Emma# show interfaces status Port Fa0/2 FaO/3 Fao/q FaO/5 FaO/6 FaO/7 FaO/8 FaO/9 FaO/10 Fao/O FaO/12 FaO/13 FaO/14 FaO/15 FaO/16 FaO/17 FaO/18 Name Status Printer on 3rd f164 notconnect end -users end -users end -users end-users end-users end-users end-users end -users connect connect connect connect connect connect connect connect notconnect notconnect connected notconnect connect ed notconnect notconnect notconnect notconnect notconnect notconnect notconnect notconnect notconnect notconnect notconnect notconnect VI an 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 Dupl ex Oil auto auto -full auto a-full auto auto auto auto auto auto auto auto auto auto auto auto Speed 100 auto auto a-100 auto a-100 auto auto auto auto auto auto auto auto auto auto auto auto Type 10/100BaseTX 10/100BaseTX 10/100BaseTX 10/100BaseTX 10/100BaseTX 10/100BaseTX 10/100BaseTX 10/100BaseTX 10/100BaseTX 10/100BaseTX 10/100BaseTX 10/100BaseTX 10/100BaseTX 10/100BaseTX 10/100BaseTX 10/100BaseTX 10/100BaseTX 10/100BaseTX
  • Auto means that port auto negotiated, 
  • Not connect – it’s not connected 
  • a-full and a-100 – auto negotiated settings that switch collected 

Configuring multiple interfaces with the interface range command: 

  • interface range FastEthernet 0/11 – 20 (selects range of interfaces and waits for input to configure them) 

Administratively controlling interface state with shutdown: 

  • # shutdown (to disable) (shut) 
  • # no shutdown (to enable) (no shut) 
  • # show interfaces status (outputs table of interfaces) 
  • # show interfaces (outputs more info about each interface) 

USE NO COMMAND TO REVERT THE COMMAND AND LEAVE IT AS DEFAULT 

Auto negotiation: 

  • Cisco switches default to a setting of duplex auto and speed auto 
  • As a result, interfaces try to automatically determine the speed and duplex. 
  • Using auto-negotiation = leave interface on speed and duplex default settings 

Auto negotiation under working conditions: 

  • End devices must use the same standard or they cant correctly send data 
  • If a PC transmits at 100Base T and switch receives on 1000BaseT, it would not work 
  • IEEE auto-negotiation protocol helps LAN to support multiple speeds. 
  • IEEE 802.3u defines the protocol that lets two UTP Ethernet nodes on a link negotiate so that they each choose to use the same speed and duplex settings.  
  • Each node will pick up best settings and fastest speed 
Autonegotiation Enabled 10 Result: 10 Full 1 0/100/1000 10/100 Result: 100 Full 10/100/1000 10/100/1000 Result: 1000 Full 1 0/100/1000 Autonegotiation Enabled, 10/100/1000 Ports

Auto-negotiation results when only one node uses auto-negotiation: 

KEY TOPIC: 

  • Speed: sense the speed (without auto-negotiation) but if that fails, use the IEEE default (slowest supported speed, often 10Mbps) 
  • Duplex: use the IEEE defaults. If speed = 10 or 100 then use half-duplex, otherwise use full-duplex
Manual Settings, Autonegotiation Disabled 10/100 FO/I Settings: 100 Full Result: 100 Half 10/100/1000 Settings: 1000 Full Result: FO/2 1000 Full 10/100 Settings: 10 Half Result: FO/3 10 Half Autonegotiation Enabled, 10/100/1000 Ports

PC1 shows a classic and unfortunately common end result: a  duplex mismatch. The two nodes (PC1 and SW1’s port F0/1) both use 100 Mbps, so they can send data.  

However, PC1, using full duplex, does not attempt to use carrier sense multiple access with collision detection (CSMA/CD) logic and sends frames at any time.  

Switch port F0/1, with half duplex, does use CSMA/CD. As a result, switch port F0/1 will believe collisions occur on the link, even if none physically occur.  

The switch port will stop transmitting, back off, resend frames, and so on. As a result, the link is up, but it performs poorly.  

Port security

  • Port security identifies devices based on their MAC address of the frames that they send.  
  • Port security allows other options as well, including letting you configure the specific MAC addresses allowed to send frames in an interface.  
The following list summarizes these ideas common to all variations of port security: Define a maximum number of source MAC addresses allowed for all frames coming in the interface. Watch all incoming frames, and keep a list of all source MAC addresses, plus a counter of the number of different source MAC addresses. When adding a new source MAC address to the list, if the number of MAC addresses pushes past the configured maximum, a port security violation has occurred. The switch takes action (the default action is to shut down the interface).

Sticky secure MAC addresses

  • Port security provides an easy way to discover the MAC addresses used off each port using a feature called sticky secure mac addresses.  
  • With this feature, port learns the MAC addresses off each port and stores them in the port security configuration (in the running-config file). 
  • This feature helps reduce the big effort of finding out the MAC address of each device 

Configuring port security

  • Port security configuration involves several steps: 
  • Disable negotiation (access or trunk port) 

1) make switch interface either a static access or trunk interface  

# switchport mode access 
# switchport mode trunk 

2) Enable port security  

# switchport port-security 

3) Default maximum number of allowed MAC addresses per port is 1. By using the next command, we can overwrite that. When violation occurs, as default, port will be shutdown (step 4, choose what to do when violation occurs)

# switchport port-security maximum <number> 

4) Choose what to do when security violation occurs. As default, it is shutdown, but others are protect or restrict 

# switchport port-security violation protect 
# switchport port-security violation restrict 
# switchport port-security violation shutdown 

5) Define allowed source MAC address for that interface. We can use this command multiple times to add more MAC addresses 

# switchport port-security mac-address MAC_ADDRESS 

6) Tell switch to sticky learn dynamically learned MAC addresses 

# switchport port-security mac-address sticky 

Verifying port security

# show port-security interface fastEthernet 0/1 
  • inside this command, in output, if we see secure-shutdown state, means that the port has been disabled because of port security violation 

Port Security violation actions

as we said, switch can be configured to use one of three actions when a violation occurs. 

all three cause switch to discard frame, and some have additional options 

actions include sending log messages to console, sending SNMP trap messages to network management station , disabling interface. 

# switchport port-security violation protect 
# switchport port-security violation restrict 
# switchport port-security violation shutdown 
Table 9-2 Actions When Port Security Violation Occurs Option on the switchport port-security violation Command Discards offending traffic Sends log and SNMP messages Increments the violation counter for each violating incoming frame Disables the interface by putting it in an err-disabled state, discarding all traffic *shutdown is the default setting. Protect Restrict Yes No No No Yes Yes Yes No Shutdown* Yes Yes Yes Yes
  • IOS puts the interface in an error-disabled (err-disabled) state, which makes the switch stop all incoming and outgoing frames. 
  • To recover from this state, someone must manually disable the interface with the shutdown and then no shutdown command 

Port security MAC addresses as static and secure, but not dynamic

Once port security is enabled, show mac address-table dynamic command is not available 

Instead, use following: 

# show mac address-table secure - lists MAC addresses associated with ports that use port security 
# show mac address-table static - lists MAC addresses associated with ports that use port security, as well as any other statically defined MAC addresses 
Example 9-9 Using the secure Keyword to See MAC Table Entries When Using Port Security SWI# show mac address-table secure interface FO/2 Mac Address Table VI an 1 Mac Address Type 0200.2222 .2222 STATIC Ports Fao/2 Total Mac Addresses for this criterion: 1 SWI# show mac address-table dynamic Interface fO/# Mac Address Table VI an SWI# Mac Address Type Ports
Table 9-5 Switch Interface Configuration Command interface type port-number interface range type port-number - end-port-number shutdown I no shutdown speed {10 1 100 1 1000 1 auto} duplex {auto I full I half) Mode/Purpose/Description Changes context to interface mode. The type is typically Fast Ethernet or Gigabit Ethernet. The possible port numbers vary depending on the model of switch—for example, Fa0/1, Fa0/2, and so on. Changes the context to interface mode for a range of consecutively numbered interfaces. The subcommands that follow then apply to all interfaces in the range. Interface mode. Disables or enables the interface, respectively. Interface mode. Manually sets the speed to the listed speed or, with the auto setting, automatically negotiates the speed. Interface mode. Manually sets the duplex to half or full, or to autonegotiate the duplex setting.
Command description text no duplex no speed no description Mode/Purpose/Description Interface mode. Lists any information text that the engineer wants to track for the interface, such as the expected device on the other end of the cable. Reverts to the default setting for each interface subcommand of speed auto, duplex auto, and the absence of a description command.
Table 9-6 Port Security Configuration Command switchport mode {access I trunk} switchport port-security mac-address mac-address switchport port-security mac-address sticky switchport port-security maximum value switchport port-security violation {protect I restrict I shutdown} Mode/Purpose/Description Interface configuration mode command that tells the switch to always be an access port, or always be a trunk port Interface configuration mode command that statically adds a specific MAC address as an allowed MAC address on the interface Interface subcommand that tells the switch to learn MAC addresses on the interface and add them to the configuration for the interface as secure MAC addresses Interface subcommand that sets the maximum number of static secure MAC addresses that can be assigned to a single interface Interface subcommand that tells the switch what to do if an inappropriate MAC address tries to access the network through a secure switch port
Table 9-7 Chapter 9 EXEC Command Reference Command show running-config show running-config I interface type number show mac address-table dynamic [interface type number] show mac address-table secure [interface type number] show mac address-table static [interface type number] Purpose Lists the currently used configuration Displays the running-configuration excerpt of the listed interface and its subcommands only Lists the dynamically learned entries in the switch's address (forwarding) table Lists MAC addresses defined or learned on ports configured with port security Lists static MAC addresses and MAC addresses learned or defined with port security
Command show interfaces [interface type number] status show interfaces [interface type number] show port-security interface type number show port-security Purpose Lists one output line per interface (or for only the listed interface if included), noting the description, operating state, and settings for duplex and speed on each interface Lists detailed status and statistical information about all interfaces (or the listed interface only) Lists an interface's port security configuration settings and security operational status Lists one line per interface that summarizes the port security settings for any interface on which it is enabled

Leave a Reply