- This chapter explains how to change the operation of switch interfaces: changing speed and duplex, disabling an interface, and adding a security feature (port security) that inspects the source MAC address of incoming frames and decides what to do with them.
Configuring Switch Interfaces
- interface = port
- Let's begin with port speed, duplex, and the text description.
Configuring Speed, Duplex, and Description:
- Switch interfaces auto-negotiate speed and duplex by default.
- However, we can set them explicitly with the duplex (auto, full, half) and speed (auto, 10, 100, 1000) interface subcommands.

IMPORTANCE OF SHOW INTERFACES STATUS COMMAND

- auto – the port is set to auto-negotiate (and, while nothing is connected, has no negotiated value to show)
- notconnect – the port is not connected
- a-full and a-100 – the settings the switch auto-negotiated (the a- prefix marks a negotiated value rather than a configured one)
Configuring multiple interfaces with the interface range command:
- # interface range FastEthernet 0/11 - 20 (selects a range of interfaces; the subcommands that follow apply to all of them)
Administratively controlling interface state with shutdown:
- # shutdown (to disable) (shut)
- # no shutdown (to enable) (no shut)
- # show interfaces status (outputs table of interfaces)
- # show interfaces (outputs more info about each interface)
USE THE no FORM OF A COMMAND TO REVERT IT AND RETURN TO THE DEFAULT
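Reading show interfaces status by eye works on one switch; on many, a script is faster. The following Python parser is an added example (not part of the original notes or of any Cisco tool): it parses a constructed sample of show interfaces status output, separates the a- (auto-negotiated) prefix from the duplex and speed values, and flags the conditions the notes care about: err-disabled ports, ports running half duplex, and ports whose speed or duplex were set manually. The sample output, the column regex and the audit rules are all assumptions made for the example.

```python
import re

# Constructed sample of `show interfaces status` output (not captured from a real switch).
SAMPLE_STATUS = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/1                        connected    1          a-full  a-100 10/100BaseTX
Fa0/2     PC2 uplink         connected    1            full    100 10/100BaseTX
Fa0/3                        notconnect   1            auto   auto 10/100BaseTX
Fa0/4     Old printer        connected    10         a-half   a-10 10/100BaseTX
Fa0/5     Lab PC             err-disabled 1            auto   auto 10/100BaseTX
Gi0/1     Uplink             connected    trunk      a-full a-1000 10/100/1000BaseTX
"""

# One data line: port, optional free-text name, status, VLAN, duplex, speed, type.
# An "a-" prefix on duplex/speed marks a value the switch auto-negotiated.
STATUS_LINE = re.compile(
    r"^(?P<port>\S+)\s+(?P<name>.*?)\s*"
    r"(?P<status>connected|notconnect|disabled|err-disabled)\s+"
    r"(?P<vlan>\S+)\s+"
    r"(?P<duplex>a-full|a-half|full|half|auto)\s+"
    r"(?P<speed>a-\d+|\d+|auto)\s+"
    r"(?P<type>.+)$"
)


def parse_status(output):
    """Return one dict per interface; header, blank and prompt lines are skipped."""
    ports = []
    for line in output.splitlines():
        m = STATUS_LINE.match(line.strip())
        if not m:
            continue
        p = m.groupdict()
        p["duplex_negotiated"] = p["duplex"].startswith("a-")
        p["speed_negotiated"] = p["speed"].startswith("a-")
        p["duplex_value"] = p["duplex"].removeprefix("a-")
        p["speed_value"] = p["speed"].removeprefix("a-")
        ports.append(p)
    return ports


def audit(ports):
    """Flag what the notes call out: err-disabled ports, half duplex, manual speed/duplex."""
    findings = []
    for p in ports:
        if p["status"] == "err-disabled":
            findings.append((p["port"], "err-disabled: check for a port security violation"))
            continue
        if p["status"] != "connected":
            continue  # notconnect ports have nothing to negotiate yet
        if p["duplex_value"] == "half":
            findings.append((p["port"], "half duplex: likely duplex mismatch with a hard-coded peer"))
        if not (p["duplex_negotiated"] and p["speed_negotiated"]):
            findings.append((p["port"], "speed/duplex set manually; the peer must match exactly"))
    return findings


if __name__ == "__main__":
    for port, msg in audit(parse_status(SAMPLE_STATUS)):
        print(f"{port}: {msg}")
```

Run against the sample, the audit reports Fa0/2 (manual settings), Fa0/4 (half duplex) and Fa0/5 (err-disabled); the notconnect port Fa0/3 is skipped because its auto values are not results yet. The regex reads the name column lazily, so ports with an empty description and descriptions containing spaces both parse.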
Auto negotiation:
- Cisco switches default to a setting of duplex auto and speed auto
- As a result, interfaces try to automatically determine the speed and duplex.
- To use auto-negotiation, leave the interface at its default speed and duplex settings.
Auto negotiation under working conditions:
- Both devices on a link must use the same standard or they can't correctly send data to each other.
- If a PC transmits at 100BASE-T and the switch receives at 1000BASE-T, it would not work.
- The IEEE auto-negotiation protocol lets a LAN support multiple speeds.
- IEEE 802.3u defines the protocol that lets two UTP Ethernet nodes on a link negotiate so that they each choose to use the same speed and duplex settings.
- Each node picks the best settings they have in common, preferring the fastest speed.

Auto-negotiation results when only one node uses auto-negotiation:
KEY TOPIC:
- Speed: sense the speed used by the other node (without auto-negotiation); if that fails, use the IEEE default, the slowest supported speed (often 10 Mbps)
- Duplex: use the IEEE defaults. If the speed is 10 or 100 Mbps, use half duplex; otherwise use full duplex

PC1 shows a classic and unfortunately common end result: a duplex mismatch. The two nodes (PC1 and SW1’s port F0/1) both use 100 Mbps, so they can send data.
However, PC1, using full duplex, does not attempt to use carrier sense multiple access with collision detection (CSMA/CD) logic and sends frames at any time.
Switch port F0/1, with half duplex, does use CSMA/CD. As a result, switch port F0/1 will believe collisions occur on the link, even if none physically occur.
The switch port will stop transmitting, back off, resend frames, and so on. As a result, the link is up, but it performs poorly.
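The KEY TOPIC rules and the PC1 scenario are a small decision procedure, so they are easy to check in code. The block below is an added example written for these notes (not from the book or from Cisco): it models two link ends, applies the IEEE rules when the peer does not negotiate (sense the speed, fall back to the slowest supported speed, then the default duplex for that speed), and reports whether the result is a working link, a speed failure, or the duplex mismatch PC1 ends up with. The Node and LinkSettings types and the assumption that two negotiating nodes always agree on full duplex are constructions for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    """One end of a UTP Ethernet link. Constructed model, not IOS code."""
    name: str
    speeds: tuple          # speeds the NIC supports, in Mbps
    autoneg: bool = True   # IEEE auto-negotiation on (switch default: speed auto / duplex auto)
    speed: int = 0         # hard-coded values, used only when autoneg is False
    duplex: str = ""


@dataclass(frozen=True)
class LinkSettings:
    speed: int
    duplex: str


def ieee_default_duplex(speed):
    """IEEE default when duplex cannot be negotiated: half at 10/100 Mbps, full above that."""
    return "half" if speed in (10, 100) else "full"


def negotiate(local, peer):
    """Settings `local` (which auto-negotiates) ends up with against `peer`."""
    if peer.autoneg:
        common = set(local.speeds) & set(peer.speeds)
        if not common:
            raise ValueError(f"{local.name} and {peer.name} share no speed")
        # Both sides negotiate: fastest common speed; assumes both NICs support full duplex.
        return LinkSettings(max(common), "full")
    # Peer is hard-coded: sense its speed, else fall back to the slowest supported speed,
    # then apply the IEEE default duplex for that speed (the KEY TOPIC rules).
    speed = peer.speed if peer.speed in local.speeds else min(local.speeds)
    return LinkSettings(speed, ieee_default_duplex(speed))


def link_result(a, b):
    """Settings each side actually uses, whether speeds agree, and whether duplex mismatches."""
    a_set = negotiate(a, b) if a.autoneg else LinkSettings(a.speed, a.duplex)
    b_set = negotiate(b, a) if b.autoneg else LinkSettings(b.speed, b.duplex)
    speed_ok = a_set.speed == b_set.speed
    return {
        a.name: a_set,
        b.name: b_set,
        "speed_ok": speed_ok,
        # A mismatch only matters once both sides agree on speed; otherwise the link is down.
        "duplex_mismatch": speed_ok and a_set.duplex != b_set.duplex,
    }


if __name__ == "__main__":
    sw1_f0_1 = Node("SW1 F0/1", (10, 100, 1000))
    pc1 = Node("PC1", (10, 100, 1000), autoneg=False, speed=100, duplex="full")
    print(link_result(sw1_f0_1, pc1))
```

With PC1 hard-coded to 100/full and SW1 F0/1 left at auto, the switch senses 100 Mbps, applies the 10/100 default of half duplex, and the function reports duplex_mismatch=True: exactly the poorly performing link described above. Hard-coding a peer to a speed the port cannot sense produces the other failure, the 10 Mbps half-duplex fallback with speed_ok=False.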
Port security
- Port security identifies devices by the source MAC address of the frames they send.
- Port security allows other options as well, including letting you configure the specific MAC addresses allowed to send frames into an interface.

Sticky secure MAC addresses
- Port security provides an easy way to discover the MAC addresses used off each port, using a feature called sticky secure MAC addresses.
- With this feature, the switch learns the MAC addresses off each port and stores them in the port security configuration (in the running-config file).
- This feature removes most of the effort of finding out the MAC address of each device by hand.
Configuring port security
- Port security configuration involves several steps:
- First, the port must not negotiate its mode: make it a static access or trunk port.
1) Make the switch interface either a static access or a static trunk interface
# switchport mode access
# switchport mode trunk
2) Enable port security
# switchport port-security
3) The default maximum number of allowed MAC addresses per port is 1; the next command overrides it. When more source MAC addresses than the maximum appear on the port, a violation occurs, and by default the port is shut down (see step 4)
# switchport port-security maximum <number>
4) Choose what to do when a security violation occurs. The default is shutdown; the others are protect and restrict
# switchport port-security violation protect
# switchport port-security violation restrict
# switchport port-security violation shutdown
5) Define an allowed source MAC address for that interface. The command can be repeated to add more MAC addresses
# switchport port-security mac-address MAC_ADDRESS
6) Tell the switch to sticky-learn: dynamically learned MAC addresses are added to the running-config as secure MAC addresses
# switchport port-security mac-address sticky
Verifying port security
# show port-security interface fastEthernet 0/1
- In this command's output, a port status of secure-shutdown means the port has been disabled because of a port security violation
Port Security violation actions
As we said, the switch can be configured to use one of three actions when a violation occurs.
All three cause the switch to discard the offending frame; some add further actions.
Those further actions are sending log messages to the console, sending SNMP trap messages to the network management station, and disabling the interface.
# switchport port-security violation protect
# switchport port-security violation restrict
# switchport port-security violation shutdown

- In shutdown mode, IOS puts the interface in an error-disabled (err-disabled) state, which makes the switch stop all incoming and outgoing frames on it.
- To recover from this state, someone must manually disable the interface with the shutdown command and then re-enable it with no shutdown
Port security MAC addresses as static and secure, but not dynamic
Once port security is enabled on a port, its MAC addresses no longer appear under show mac address-table dynamic; they are treated as static and secure
Instead, use the following:
# show mac address-table secure - lists MAC addresses associated with ports that use port security
# show mac address-table static - lists MAC addresses associated with ports that use port security, as well as any other statically defined MAC addresses
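To see how the six configuration steps, the three violation modes, the secure-shutdown state and the secure/static/dynamic address tables fit together, here is an added simulation written for these notes (not IOS code and not from the book). It models a switch port whose fields follow the port-security subcommands, feeds it frames by source MAC address, and returns the action the notes describe for each mode; the port names, MAC addresses and event strings are constructed for the example, and the running_config method only reproduces the lines the notes discuss.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """One switch port with the port-security settings from the notes (constructed model)."""
    name: str
    mode: str = "access"          # switchport mode access | trunk (static, no negotiation)
    port_security: bool = False   # switchport port-security
    maximum: int = 1              # switchport port-security maximum N
    violation: str = "shutdown"   # switchport port-security violation protect|restrict|shutdown
    sticky: bool = False          # switchport port-security mac-address sticky
    macs: dict = field(default_factory=dict)    # mac -> "static" | "sticky" | "dynamic"
    violation_count: int = 0
    err_disabled: bool = False
    admin_down: bool = False
    events: list = field(default_factory=list)  # stand-in for syslog / SNMP trap output

    def add_static_mac(self, mac):
        """switchport port-security mac-address MAC (repeatable)."""
        self.macs[mac] = "static"

    def receive(self, src_mac):
        """Apply port security to one incoming frame; returns the action taken."""
        if self.err_disabled or self.admin_down:
            return "dropped (port down)"
        if not self.port_security:
            self.macs.setdefault(src_mac, "dynamic")      # ordinary MAC learning
            return "forwarded"
        if src_mac in self.macs:
            return "forwarded"
        if len(self.macs) < self.maximum:
            self.macs[src_mac] = "sticky" if self.sticky else "dynamic"
            return "forwarded"
        # More source MACs than the maximum: a violation. Every mode discards the frame.
        if self.violation == "protect":
            return "dropped"                               # silently, no counter, no log
        self.violation_count += 1
        self.events.append(f"violation on {self.name} by {src_mac}")  # log message + SNMP trap
        if self.violation == "restrict":
            return "dropped, logged"
        self.err_disabled = True                           # shutdown mode: err-disabled
        return "dropped, port err-disabled"

    def status(self):
        """Port Status as reported by show port-security interface."""
        if self.err_disabled:
            return "secure-shutdown"
        if self.admin_down:
            return "secure-down"
        return "secure-up"

    def shutdown(self):
        """shutdown: takes the port down and clears err-disabled; dynamic entries are lost."""
        self.admin_down, self.err_disabled = True, False
        self.macs = {m: how for m, how in self.macs.items() if how != "dynamic"}

    def no_shutdown(self):
        self.admin_down = False

    def running_config(self):
        """Interface lines in the running-config: sticky MACs are saved, dynamic ones are not."""
        lines = [f"interface {self.name}", f" switchport mode {self.mode}"]
        if self.port_security:
            lines += [" switchport port-security",
                      f" switchport port-security maximum {self.maximum}",
                      f" switchport port-security violation {self.violation}"]
            if self.sticky:
                lines.append(" switchport port-security mac-address sticky")
            for mac, how in self.macs.items():
                if how == "static":
                    lines.append(f" switchport port-security mac-address {mac}")
                elif how == "sticky":
                    lines.append(f" switchport port-security mac-address sticky {mac}")
        return lines


def mac_address_table(ports, kind):
    """Rows of show mac address-table dynamic | secure | static, following the notes."""
    rows = []
    for p in ports:
        for mac, how in p.macs.items():
            if kind == "dynamic" and not p.port_security:
                rows.append((mac, p.name))
            elif kind == "secure" and p.port_security:
                rows.append((mac, p.name))
            elif kind == "static" and (p.port_security or how == "static"):
                rows.append((mac, p.name))
    return rows


def demo():
    """Walk through steps 1-6 on Fa0/1, the defaults on Fa0/2, and no port security on Fa0/3."""
    fa1 = SecurePort("FastEthernet0/1", port_security=True, maximum=2, violation="restrict", sticky=True)
    fa1.add_static_mac("0200.1111.1111")
    fa2 = SecurePort("FastEthernet0/2", port_security=True)   # maximum 1, violation shutdown
    fa3 = SecurePort("FastEthernet0/3")
    results = {
        "fa1": [fa1.receive(m) for m in ("0200.1111.1111", "0200.2222.2222", "0200.3333.3333")],
        "fa2": [fa2.receive(m) for m in ("0200.4444.4444", "0200.5555.5555", "0200.4444.4444")],
        "fa3": [fa3.receive("0200.6666.6666")],
    }
    return fa1, fa2, fa3, results
```

In demo(), Fa0/1 forwards its static MAC, sticky-learns a second one (which then shows up in running_config as a sticky secure address) and logs the third as a restrict violation while staying secure-up. Fa0/2, with the defaults, goes err-disabled on its second MAC address and afterwards drops even the legitimate first one until shutdown / no shutdown brings it back to secure-up. The mac_address_table helper shows why the notes say to use the secure or static keyword: the port-security addresses never appear in the dynamic listing.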

Table 9-7 Chapter 9 EXEC Command Reference

| Command | Purpose |
|---|---|
| show running-config | Lists the currently used configuration |
| show running-config \| interface type number | Displays the running-configuration excerpt of the listed interface and its subcommands only |
| show mac address-table dynamic [interface type number] | Lists the dynamically learned entries in the switch's address (forwarding) table |
| show mac address-table secure [interface type number] | Lists MAC addresses defined or learned on ports configured with port security |
| show mac address-table static [interface type number] | Lists static MAC addresses and MAC addresses learned or defined with port security |

![Table 9-7, part 1](https://linuxwheel.com/wp-content/uploads/2020/06/image-61.png)
| Command | Purpose |
|---|---|
| show interfaces [interface type number] status | Lists one output line per interface (or for only the listed interface if included), noting the description, operating state, and settings for duplex and speed on each interface |
| show interfaces [interface type number] | Lists detailed status and statistical information about all interfaces (or the listed interface only) |
| show port-security interface type number | Lists an interface's port security configuration settings and security operational status |
| show port-security | Lists one line per interface that summarizes the port security settings for any interface on which it is enabled |

![Table 9-7, part 2](https://linuxwheel.com/wp-content/uploads/2020/06/image-62.png)