Chapter 9 – Configuring Switch Interfaces

  • This chapter explains how to change the operation of switch interfaces: how to set speed and duplex, how to disable an interface, and how to add a security feature (port security) that watches the source MAC address of incoming frames and decides what to do with them 

Configuring Switch Interfaces

  • interface = port 
  • let's begin with port speed, duplex and the text description 

Configuring Speed Duplex and Description: 

  • Switch interfaces will auto-negotiate what speed to use by default.  
  • However, we can configure speed and duplex settings with duplex (auto, full, half) and speed (auto, 10, 100, 1000) subcommands. 
Example 9-1 Configuring speed, duplex, and description on Switch Emma 
Emma# configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z. 
Emma(config)# interface FastEthernet 0/1 
Emma(config-if)# duplex full 
Emma(config-if)# speed 100 
Emma(config-if)# description Printer on 3rd floor, preset to 100/full 
Emma(config-if)# exit 
Emma(config)# interface range FastEthernet 0/11 - 20 
Emma(config-if-range)# description end-users connect here 
Emma(config-if-range)# ^Z 
Emma#

IMPORTANCE OF SHOW INTERFACES STATUS COMMAND 

Example 9-2 Displaying Interface Status 
Emma# show interfaces status 
Port      Name               Status       Vlan       Duplex  Speed Type 
Fa0/1     Printer on 3rd fl  notconnect   1          full    100   10/100BaseTX 
Fa0/2                        notconnect   1          auto    auto  10/100BaseTX 
Fa0/3                        notconnect   1          auto    auto  10/100BaseTX 
Fa0/4                        connected    1          a-full  a-100 10/100BaseTX 
Fa0/5                        notconnect   1          auto    auto  10/100BaseTX 
Fa0/6                        connected    1          a-full  a-100 10/100BaseTX 
Fa0/7                        notconnect   1          auto    auto  10/100BaseTX 
Fa0/8                        notconnect   1          auto    auto  10/100BaseTX 
Fa0/9                        notconnect   1          auto    auto  10/100BaseTX 
Fa0/10                       notconnect   1          auto    auto  10/100BaseTX 
Fa0/11    end-users connect  notconnect   1          auto    auto  10/100BaseTX 
Fa0/12    end-users connect  notconnect   1          auto    auto  10/100BaseTX 
Fa0/13    end-users connect  notconnect   1          auto    auto  10/100BaseTX 
Fa0/14    end-users connect  notconnect   1          auto    auto  10/100BaseTX 
Fa0/15    end-users connect  notconnect   1          auto    auto  10/100BaseTX 
Fa0/16    end-users connect  notconnect   1          auto    auto  10/100BaseTX 
Fa0/17    end-users connect  notconnect   1          auto    auto  10/100BaseTX 
Fa0/18    end-users connect  notconnect   1          auto    auto  10/100BaseTX
  • auto – the port is configured to auto-negotiate; no negotiated result is shown because the port is not connected 
  • notconnect – nothing is connected to the port 
  • a-full and a-100 – the duplex and speed values the switch settled on through auto-negotiation 

Configuring multiple interfaces with the interface range command: 

  • interface range FastEthernet 0/11 - 20 (selects that range of interfaces; the subcommands that follow apply to all of them) 

Administratively controlling interface state with shutdown: 

  • # shutdown (disables the interface; abbreviation: shut) 
  • # no shutdown (enables the interface; abbreviation: no shut) 
  • # show interfaces status (outputs a one-line table entry per interface) 
  • # show interfaces (outputs detailed info about each interface) 

USE NO COMMAND TO REVERT THE COMMAND AND LEAVE IT AS DEFAULT 

Auto negotiation: 

  • Cisco switches default to a setting of duplex auto and speed auto 
  • As a result, interfaces try to automatically determine the speed and duplex. 
  • Using auto-negotiation = leave interface on speed and duplex default settings 

Auto negotiation under working conditions: 

  • The two end devices on a link must use the same Ethernet standard, or they can't correctly send data to each other 
  • If a PC transmits at 100BASE-T and the switch receives with 1000BASE-T, it would not work 
  • The IEEE auto-negotiation protocol lets a LAN support multiple speeds. 
  • IEEE 802.3u defines the protocol that lets two UTP Ethernet nodes on a link negotiate so that they each choose to use the same speed and duplex settings.  
  • Each node picks the best settings both sides support: the fastest common speed and full duplex 
Figure: Autonegotiation Enabled, 10/100/1000 Ports (all switch ports are 10/100/1000 and both ends auto-negotiate) 
  PC NIC 10 only         -> Result: 10 Full 
  PC NIC 10/100          -> Result: 100 Full 
  PC NIC 10/100/1000     -> Result: 1000 Full

Auto-negotiation results when only one node uses auto-negotiation: 

KEY TOPIC: 

  • Speed: sense the speed electrically (without auto-negotiation), but if that fails, use the IEEE default (the slowest supported speed, often 10 Mbps) 
  • Duplex: use the IEEE defaults. If the speed is 10 or 100, use half duplex; otherwise use full duplex
Figure: Manual Settings, Autonegotiation Disabled on the PCs; switch ports are 10/100/1000 with autonegotiation enabled 
  F0/1: PC NIC 10/100, set to 100 Full        -> switch result: 100 Half 
  F0/2: PC NIC 10/100/1000, set to 1000 Full  -> switch result: 1000 Full 
  F0/3: PC NIC 10/100, set to 10 Half         -> switch result: 10 Half

PC1 shows a classic and unfortunately common end result: a duplex mismatch. The two nodes (PC1 and SW1's port F0/1) both use 100 Mbps, so they can send data.  

However, PC1, using full duplex, does not attempt to use carrier sense multiple access with collision detection (CSMA/CD) logic and sends frames at any time.  

Switch port F0/1, with half duplex, does use CSMA/CD. As a result, switch port F0/1 will believe collisions occur on the link, even if none physically occur.  

The switch port will stop transmitting, back off, resend frames, and so on. As a result, the link is up, but it performs poorly.  
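The auto-negotiation rules above, modelled in Python as an added example (not code from the book or from Cisco IOS): it reproduces the results of the two figures and flags the F0/1 duplex-mismatch case. Function names, the speed tuples and the assumption that the switch port is always left at speed auto / duplex auto are mine.

```python
"""Model of the IEEE autonegotiation rules described above.

Added example, not from the book or Cisco IOS: it reproduces the results
of the two figures (both sides auto, and only the switch auto) so that a
duplex mismatch can be predicted before the link is cabled.
"""

IEEE_DEFAULT_SPEED = 10  # slowest speed most ports support


def ieee_default_duplex(speed):
    """IEEE default when duplex cannot be negotiated: half at 10/100, full otherwise."""
    return "half" if speed in (10, 100) else "full"


def negotiate(switch_caps, pc_caps, pc_manual=None):
    """Return (switch_speed, switch_duplex, pc_speed, pc_duplex).

    switch_caps / pc_caps: speeds each NIC supports, e.g. (10, 100, 1000).
    pc_manual: None when the PC autonegotiates; otherwise the (speed, duplex)
    the PC is hard-set to, with autonegotiation disabled on its side.
    The switch port is assumed to be left at speed auto / duplex auto.
    """
    if pc_manual is None:
        # Both nodes negotiate: fastest speed both support, full duplex.
        speed = max(set(switch_caps) & set(pc_caps))
        return speed, "full", speed, "full"
    pc_speed, pc_duplex = pc_manual
    # Only the switch negotiates: it can sense the speed electrically but
    # learns nothing about duplex, so it applies the IEEE defaults.
    sensed = pc_speed if pc_speed in switch_caps else IEEE_DEFAULT_SPEED
    return sensed, ieee_default_duplex(sensed), pc_speed, pc_duplex


def duplex_mismatch(result):
    """True when both ends agree on speed but not duplex: link up, poor performance."""
    sw_speed, sw_duplex, pc_speed, pc_duplex = result
    return sw_speed == pc_speed and sw_duplex != pc_duplex


if __name__ == "__main__":
    # Constructed cases matching the figures: switch ports are 10/100/1000.
    sw = (10, 100, 1000)
    print(negotiate(sw, (10, 100)))                            # (100, 'full', 100, 'full')
    print(negotiate(sw, (10, 100), pc_manual=(100, "full")))   # (100, 'half', 100, 'full')
    print(duplex_mismatch(negotiate(sw, (10, 100), pc_manual=(100, "full"))))  # True
```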

Port security

  • Port security identifies devices based on the source MAC address of the frames they send.  
  • Port security allows other options as well, including letting you configure the specific MAC addresses allowed to send frames into an interface.  
The following list summarizes the ideas common to all variations of port security: 
  • Define a maximum number of source MAC addresses allowed for all frames coming in the interface. 
  • Watch all incoming frames, and keep a list of all source MAC addresses, plus a counter of the number of different source MAC addresses. 
  • When adding a new source MAC address to the list, if the number of MAC addresses pushes past the configured maximum, a port security violation has occurred. The switch takes action (the default action is to shut down the interface).

Sticky secure MAC addresses

  • Port security provides an easy way to discover the MAC addresses used off each port, using a feature called sticky secure MAC addresses.  
  • With this feature, the switch learns the MAC addresses off each port and stores them in the port security configuration (in the running-config file). 
  • This feature removes most of the effort of finding out the MAC address of each device by hand 

Configuring port security

  • Port security configuration involves several steps: 
  • First, disable the port's mode negotiation by making it statically an access port or a trunk port 

1) make switch interface either a static access or trunk interface  

# switchport mode access 
# switchport mode trunk 

2) Enable port security  

# switchport port-security 

3) The default maximum number of allowed MAC addresses per port is 1; the next command overrides it. (What the switch does on a violation is chosen in step 4; the default is to shut the port down.)

# switchport port-security maximum <number> 

4) Choose what to do when a security violation occurs. The default is shutdown; the alternatives are protect and restrict 

# switchport port-security violation protect 
# switchport port-security violation restrict 
# switchport port-security violation shutdown 

5) Define the allowed source MAC address for that interface. The command can be repeated to add more MAC addresses 

# switchport port-security mac-address MAC_ADDRESS 

6) Tell the switch to sticky-learn: dynamically learned MAC addresses are added to the interface's port security configuration 

# switchport port-security mac-address sticky 

Verifying port security

# show port-security interface fastEthernet 0/1 
  • in this command's output, a port status of secure-shutdown means the port has been disabled because of a port security violation 

Port Security violation actions

As said above, the switch can be configured to use one of three actions when a violation occurs. 

All three cause the switch to discard the offending frame; some add further actions. 

The additional actions are sending log messages to the console, sending SNMP trap messages to a network management station, and disabling the interface. 

# switchport port-security violation protect 
# switchport port-security violation restrict 
# switchport port-security violation shutdown 
Table 9-2 Actions When Port Security Violation Occurs 

Option on the switchport port-security violation command   Protect   Restrict   Shutdown* 
Discards offending traffic                                  Yes       Yes        Yes 
Sends log and SNMP messages                                 No        Yes        Yes 
Increments the violation counter for each violating 
  incoming frame                                            No        Yes        Yes 
Disables the interface by putting it in an err-disabled 
  state, discarding all traffic                             No        No         Yes 

*shutdown is the default setting.
  • IOS puts the interface in an error-disabled (err-disabled) state, which makes the switch stop all incoming and outgoing frames on it. 
  • To recover from this state, someone must manually issue the shutdown command and then the no shutdown command on the interface 
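The port security logic summarized above (the MAC list, the maximum, sticky learning, and the protect / restrict / shutdown actions of Table 9-2), traced in Python as an added example that is not Cisco IOS code or code from the book. The class and its attribute names are mine; the MAC addresses in the usage block are constructed.

```python
"""Simulation of the port-security rules summarized above.

Added example, not Cisco IOS code: it models one interface's secure MAC
list, the configured maximum, sticky learning, and the protect / restrict /
shutdown violation actions of Table 9-2 so the behaviour can be traced.
"""


class SecurePort:
    def __init__(self, maximum=1, violation="shutdown", sticky=False, static=()):
        self.maximum = maximum            # switchport port-security maximum
        self.violation = violation        # protect | restrict | shutdown (default)
        self.sticky = sticky              # mac-address sticky configured?
        self.secure_macs = set(static)    # statically configured allowed MACs
        self.learned = []                 # dynamically learned secure MACs
        self.violation_count = 0
        self.state = "secure-up"          # "secure-shutdown" once err-disabled
        self.log = []                     # stands in for console/syslog/SNMP messages

    def allowed(self):
        return self.secure_macs | set(self.learned)

    def receive(self, src_mac):
        """Process one incoming frame; True if forwarded, False if discarded."""
        if self.state == "secure-shutdown":
            return False                  # err-disabled: all traffic is dropped
        if src_mac in self.allowed():
            return True
        if len(self.allowed()) < self.maximum:
            self.learned.append(src_mac)  # still under the maximum: learn it
            if self.sticky:
                self.log.append(f"sticky-learned {src_mac} written to running-config")
            return True
        # A new source MAC would push the count past the maximum: violation.
        if self.violation == "protect":
            return False                  # discard only, no log, no counter
        self.violation_count += 1         # restrict and shutdown both count and log
        self.log.append(f"violation: frame from {src_mac} discarded")
        if self.violation == "shutdown":
            self.state = "secure-shutdown"
            self.log.append("interface placed in err-disabled state")
        return False

    def recover(self):
        """Operator issues shutdown then no shutdown to clear err-disabled."""
        self.state = "secure-up"


if __name__ == "__main__":
    port = SecurePort()                   # defaults: maximum 1, violation shutdown
    for mac in ("0200.1111.1111", "0200.1111.1111", "0200.2222.2222"):  # constructed
        print(mac, port.receive(mac), port.state)
```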

Port security MAC addresses as static and secure, but not dynamic

Once port security is enabled on a port, the show mac address-table dynamic command no longer lists that port's addresses (the example below shows it returning nothing for the port) 

Instead, use the following: 

# show mac address-table secure - lists MAC addresses associated with ports that use port security 
# show mac address-table static - lists MAC addresses associated with ports that use port security, as well as any other statically defined MAC addresses 
Example 9-9 Using the secure Keyword to See MAC Table Entries When Using Port Security 
SW1# show mac address-table secure interface F0/2 
          Mac Address Table 
------------------------------------------- 
Vlan    Mac Address       Type        Ports 
----    -----------       --------    ----- 
   1    0200.2222.2222    STATIC      Fa0/2 
Total Mac Addresses for this criterion: 1 
SW1# show mac address-table dynamic interface F0/2 
          Mac Address Table 
------------------------------------------- 
Vlan    Mac Address       Type        Ports 
----    -----------       --------    ----- 
SW1#
Table 9-5 Switch Interface Configuration 

Command / Mode/Purpose/Description 

interface type port-number 
    Changes context to interface mode. The type is typically Fast Ethernet or Gigabit Ethernet. The possible port numbers vary depending on the model of switch, for example Fa0/1, Fa0/2, and so on. 
interface range type port-number - end-port-number 
    Changes the context to interface mode for a range of consecutively numbered interfaces. The subcommands that follow then apply to all interfaces in the range. 
shutdown | no shutdown 
    Interface mode. Disables or enables the interface, respectively. 
speed {10 | 100 | 1000 | auto} 
    Interface mode. Manually sets the speed to the listed speed or, with the auto setting, automatically negotiates the speed. 
duplex {auto | full | half} 
    Interface mode. Manually sets the duplex to half or full, or to autonegotiate the duplex setting. 
description text 
    Interface mode. Lists any information text that the engineer wants to track for the interface, such as the expected device on the other end of the cable. 
no duplex / no speed / no description 
    Reverts to the default setting for each interface subcommand: speed auto, duplex auto, and the absence of a description command.
Table 9-6 Port Security Configuration 

Command / Mode/Purpose/Description 

switchport mode {access | trunk} 
    Interface configuration mode command that tells the switch to always be an access port, or always be a trunk port 
switchport port-security mac-address mac-address 
    Interface configuration mode command that statically adds a specific MAC address as an allowed MAC address on the interface 
switchport port-security mac-address sticky 
    Interface subcommand that tells the switch to learn MAC addresses on the interface and add them to the configuration for the interface as secure MAC addresses 
switchport port-security maximum value 
    Interface subcommand that sets the maximum number of static secure MAC addresses that can be assigned to a single interface 
switchport port-security violation {protect | restrict | shutdown} 
    Interface subcommand that tells the switch what to do if an inappropriate MAC address tries to access the network through a secure switch port
Table 9-7 Chapter 9 EXEC Command Reference 

Command / Purpose 

show running-config 
    Lists the currently used configuration 
show running-config | interface type number 
    Displays the running-configuration excerpt of the listed interface and its subcommands only 
show mac address-table dynamic [interface type number] 
    Lists the dynamically learned entries in the switch's address (forwarding) table 
show mac address-table secure [interface type number] 
    Lists MAC addresses defined or learned on ports configured with port security 
show mac address-table static [interface type number] 
    Lists static MAC addresses and MAC addresses learned or defined with port security 
show interfaces [interface type number] status 
    Lists one output line per interface (or for only the listed interface if included), noting the description, operating state, and settings for duplex and speed on each interface 
show interfaces [interface type number] 
    Lists detailed status and statistical information about all interfaces (or the listed interface only) 
show port-security interface type number 
    Lists an interface's port security configuration settings and security operational status 
show port-security 
    Lists one line per interface that summarizes the port security settings for any interface on which it is enabled
