Port Labeling
Interfaces on a switch are mainly physical ports and VLANs (more precisely, the virtual interface for a VLAN, the Switch Virtual Interface, SVI). Besides these there are others, such as EtherChannel (port-channel), serial lines (serial), the console (console), asynchronous lines (TTY) and virtual terminal lines (VTY), which carry telnet (or SSH) sessions.
Physical ports of the switch are labeled (addressed) by type, mainly FastEthernet (abbreviated f or fa), GigabitEthernet (g or gi) and TenGigabitEthernet (t or te), followed by a port number. The port number is a string whose format depends on the switch type. The most common formats are {slot}/{port} and {stack}/{slot}/{port}. Standard (non-modular) switches are considered to be slot 0, so on a switch such as the Catalyst 2960 a port is addressed as f0/1, meaning FastEthernet (100 Mbit/s) port number 1. Stackable switches, such as the Catalyst 3750, are addressed for example as g1/0/1, meaning the GigabitEthernet (1 Gbit/s) port on the first switch in the stack (or the standalone switch), slot 0, port number 1.
Port Configuration
Selecting a Port
When we want to configure an interface/port, we enter interface configuration mode for that port from global configuration mode. For convenience we can configure several ports at once with the interface range command, using the usual IOS notation: a dash for a range (within the same stack/slot, followed only by the last port number) and a comma to list further ports (each given with its full designation). Some older IOS releases require a space on both sides of the dash (f0/1 - 5).
SWITCH(config)#interface f0/5 // switch to the configuration of port 5
SWITCH(config)#interface range f0/1-5,g0/1 // select ports 1 to 5 (FastEthernet) and port 1 (GigabitEthernet)
SWITCH(config-if)# // interface configuration mode (the prompt is config-if-range for a range)
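The range notation above is easy to get wrong by hand, so here is an added example in Python (not code from the original article) that expands an interface range argument such as f0/1-5,g0/1 into full interface names, resolving abbreviations the way IOS does (any unambiguous prefix of the type name) and accepting the spaced form f0/1 - 5 that some older IOS releases require. The list of type names and the parsing rules are this example's own assumptions, limited to the port types the text mentions.

```python
import re

# Full IOS interface type names; IOS accepts any unambiguous prefix (f, fa, Fa, ...).
# The list is this example's own, limited to the types discussed in the text.
PORT_TYPES = ["FastEthernet", "GigabitEthernet", "TenGigabitEthernet"]

# One comma-separated item: type letters, numeric path with slashes
# (slot/ or stack/slot/), first port number, optional "- last" range.
# Whitespace around the dash is tolerated because some older IOS releases
# require "f0/1 - 5" rather than "f0/1-5".
ITEM_RE = re.compile(r"^\s*([A-Za-z]+)\s*((?:\d+/)*)(\d+)\s*(?:-\s*(\d+))?\s*$")


def canonical_type(abbrev: str) -> str:
    """Resolve an abbreviation the way IOS does: a unique prefix match."""
    key = abbrev.lower()
    matches = [t for t in PORT_TYPES if t.lower().startswith(key)]
    if len(matches) != 1:
        raise ValueError(f"unknown or ambiguous interface type: {abbrev!r}")
    return matches[0]


def expand_range(spec: str) -> list[str]:
    """Expand an 'interface range' argument into full interface names,
    e.g. 'f0/1-5,g0/1' -> FastEthernet0/1 .. FastEthernet0/5, GigabitEthernet0/1."""
    names = []
    for item in spec.split(","):
        m = ITEM_RE.match(item)
        if not m:
            raise ValueError(f"cannot parse interface item: {item!r}")
        abbrev, path, first, last = m.groups()
        type_name = canonical_type(abbrev)
        lo = int(first)
        hi = int(last) if last is not None else lo
        if hi < lo:
            raise ValueError(f"range must be ascending: {item!r}")
        # the range continues within the same stack/slot, so only the port
        # number changes
        names.extend(f"{type_name}{path}{n}" for n in range(lo, hi + 1))
    return names


if __name__ == "__main__":
    for name in expand_range("f0/1-5,g0/1"):
        print(name)
```

Running the script prints the six expanded names; the function raises on a descending range or an unknown type abbreviation instead of silently producing a partial list.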
Port Status, Disabling
An interface can be in several states. We can look at the overall port status (mainly disabled, notconnect and connected, as shown by show interfaces status) or separately at the administrative status and the operational (line protocol) status of the port (up or down, as shown by show interfaces). The status is maintained internally and only converted into these forms for certain outputs. The administrative status is the one we control with commands (shutdown / no shutdown); the operational status is set automatically from the link state. If we set the administrative status to down, the operational status goes down as well. There are also special states such as err-disabled or testing. A summary of the most typical states:
- disabled - administratively down (down, down) - no communication through the port
- err-disabled - shut down by the switch after an error (down, down) - no communication; indicates a problem such as a port-security violation
- notconnect - enabled but not connected (up, down) - nothing is physically connected; communicates once a link comes up
- connected - enabled and connected (up, up) - functional and communicating
To switch between disabled and enabled, use the commands
SWITCH(config-if)#shutdown // disable the port
SWITCH(config-if)#no shutdown // enable the port
If the port is in the err-disabled state, which can be caused for example by a spanning-tree problem or a port-security violation, it must first be disabled with shutdown and then enabled with no shutdown; a plain no shutdown does not clear it. It is sometimes said that interfaces are disabled (shutdown) by default, but on Catalyst switches the ports are normally enabled by default (unlike router interfaces). It is recommended to disable unused ports (preferably all at once during the initial configuration, e.g. with interface range) and to explicitly enable a port when configuring it.
Basic Port Properties
For a port we can set general properties such as duplex, speed, description, MDIX and others. The defaults for duplex, speed and mdix are auto, which suits most cases today; hard-coding speed or duplex on one side of a link only invites a duplex mismatch. Adding a description to every port (e.g. the socket or room number) is good practice and should always be done.
SWITCH(config-if)#duplex full
SWITCH(config-if)#speed 100
SWITCH(config-if)#description 3.14
SWITCH(config-if)#mdix auto
Setting Default Values for an Interface
Resetting the port settings to default (factory) values can be done with one command.
SWITCH(config)#default interface f0/1
Displaying Interface Information
We can find a lot of information about interfaces. Some commands we can use are as follows.
SWITCH#show interfaces
SWITCH#show interfaces status
SWITCH#show interfaces summary
SWITCH#show interfaces switchport
Types of Interfaces
The main interfaces on a switch are:
- physical ports - switch ports and routed ports
- VLANs - Switch Virtual Interface
- port channel - EtherChannel interface
Switch Port
A switch port is a Layer 2 (OSI layer 2) interface associated with a physical port. Physical ports are switch ports by default and are assigned to one or more VLANs. Parameters related to switching behaviour are configured with the switchport command in interface configuration mode. A switch port can operate in one of the following modes:
- access - typically for end devices (PC, server, printer); receives untagged frames (without a VLAN tag) and assigns them to the VLAN the port is set to
- trunk - towards another switch or active element; traffic is tagged and the selected VLANs are carried
- dynamic (auto or desirable) - negotiates the port state (access or trunk) with the peer using the DTP protocol; because anything connected to such a port can negotiate a trunk and reach every VLAN, ports for end devices should be set to a static mode instead
- tunnel (dot1q-tunnel) - uses IEEE 802.1Q tunneling to carry customer VLAN tags across a service-provider network
Setting a port to the appropriate mode is done with the following command.
SWITCH(config-if)#switchport mode access
SWITCH(config-if)#switchport mode trunk
SWITCH(config-if)#switchport mode dynamic auto // or dynamic desirable
SWITCH(config-if)#switchport mode dot1q-tunnel
If we have a routed port, we can convert it to a switch port using the command:
SWITCH(config-if)#switchport
Access mode
Access mode is the mode intended for end devices. Note that on most Catalyst switches the default switchport mode is actually dynamic (DTP negotiation), so a port for an end station should be set to access explicitly. If the port is in access mode, we should assign it to the correct VLAN; it can be a member of only one data VLAN, and by default all ports are in VLAN 1.
SWITCH(config-if)#switchport access vlan 100
Besides assigning a port to a VLAN manually, the VLAN can be assigned dynamically by a RADIUS server after IEEE 802.1X authentication, or by the (legacy) VLAN Membership Policy Server (VMPS).
If a tagged frame (carrying an ISL or 802.1Q VLAN tag) arrives at an access port, it is discarded.
The maximum size of a standard Ethernet frame is 1518 B (the 1500 B MTU, i.e. the payload, plus 18 B of header and trailer/FCS). With an IEEE 802.1Q tag a frame can be 4 B larger, i.e. 1522 B; with ISL it can be 30 B larger, i.e. 1548 B. If such a frame arrives at a port that is not a trunk, it is discarded and counted as a giant; giants appear in the interface counters (show interfaces). On switches that support jumbo frames the limit is raised with the global system mtu jumbo command, which takes effect only after a reload.
SWITCH#show system mtu
SWITCH(config)#system mtu jumbo 9000 // global command, effective after a reload
Trunk mode
Trunk mode is primarily used to connect switches together while keeping traffic in the correct VLAN. Today it is also often used for servers that need to communicate in several VLANs (e.g. virtualization hosts). If we connected two switches with access ports, only traffic of the VLAN set on that port would be carried, and on the other switch the frames would land in whatever VLAN that port belongs to.
If the port is in trunk mode, there are more things to configure. On higher-end switch models (generally L3 switches and above) we choose the method by which the frame is tagged with VLAN information; switches that support only 802.1Q (such as the Catalyst 2960) have no encapsulation command. The options are:
- IEEE 802.1Q - the standardized method supported by all switches. It works by tagging: a 4 B tag is inserted into the frame header after the source MAC address (2 B TPID 0x8100 identifying an 802.1Q/802.1p tag, then 2 B TCI with a 3-bit priority, a 1-bit CFI/DEI flag and a 12-bit VLAN number) and the FCS is recalculated. The priority field is also used for QoS (802.1p).
- Cisco ISL - a Cisco proprietary method supported only by some higher-end switches. It takes the entire original frame and encapsulates it as the payload of a new frame, adding 30 B (a 26 B header and a 4 B FCS).
SWITCH(config-if)#switchport trunk encapsulation dot1q
We can then specify which VLANs are carried on the trunk. By default all VLANs are carried, but for security and traffic reasons the trunk should be restricted to the VLANs that actually need to cross it. Entering a VLAN number (or numbers separated by commas, or a range with a dash) sets the list and replaces the previous value. The keywords add, remove, all, none and except modify the list instead of replacing it.
SWITCH(config-if)#switchport trunk allowed vlan 100,200
SWITCH(config-if)#switchport trunk allowed vlan add 300
A related setting is the native VLAN, which is used for frames that carry no tag. In other words, if we connect an ordinary station (which does not support trunking) to a port configured as a trunk, it communicates in this VLAN; in the other direction, frames belonging to the native VLAN are sent out of the trunk untagged. By default this is VLAN 1. The native VLAN must be set identically on both ends of the trunk (a mismatch is logged by CDP and PVST+ blocks the inconsistent port). For security it is better to use a dedicated, otherwise unused VLAN as the native VLAN rather than VLAN 1, and never a VLAN that also carries user traffic: a double-tagged frame whose outer tag matches the native VLAN loses that tag on the trunk and is then delivered into the VLAN of its inner tag.
SWITCH(config-if)#switchport trunk native vlan 1 // the default; prefer a dedicated unused VLAN
More information about VLAN configuration can be found in the article Cisco IOS 7 - VLAN configuration, VTP.
dot1q-tunnel mode
IEEE 802.1Q tunneling (QinQ) lets us carry frames tagged with our own VLAN numbers across a service provider's network. It works by double tagging: frames arriving at the tunnel port, already tagged with our (customer) VLAN, receive a second, outer tag with the VLAN number used for transport inside the provider's network; the outer tag is removed at the far tunnel port and the original tag is preserved.
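To make the tagging rules concrete, here is an added example in Python (not code from the original article) that builds constructed Ethernet frames with zero, one or two 802.1Q tags, parses the tag fields (TPID, PCP, DEI, VID), applies the acceptance rules described above for access and trunk ports (tagged frames discarded on access ports, giants, the allowed-VLAN list and the native VLAN), and shows what a trunk does on egress with a frame in the native VLAN. The MAC addresses and payloads are made up, the FCS is a zero placeholder rather than a real CRC, and the ingress/egress functions are a simplified model written for this page, not a switch implementation. The egress step is why the native VLAN should not be VLAN 1 or any VLAN that carries users: a double-tagged frame whose outer tag equals the native VLAN leaves the trunk untagged, and its inner tag then selects the VLAN on the next switch.

```python
import struct

TPID_8021Q = 0x8100    # 802.1Q tag; Cisco dot1q-tunnel uses it for the outer tag as well
TPID_8021AD = 0x88A8   # 802.1ad provider (S-) tag, also treated as a VLAN tag here
TAG_LEN = 4
MAX_FRAME = 1518       # untagged Ethernet frame including the 4-byte FCS


def build_frame(dst: str, src: str, vids: list[int], ethertype: int = 0x0800,
                payload: bytes = b"\x00" * 46) -> bytes:
    """Constructed test frame: MACs, zero or more 802.1Q tags (outermost first),
    ethertype, payload and a 4-byte zero placeholder instead of a real FCS."""
    macs = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vids)
    return macs + tags + struct.pack("!H", ethertype) + payload + b"\x00" * 4


def parse_tags(frame: bytes) -> dict:
    """Collect every VLAN tag after the MAC addresses, outermost first.
    TCI layout: 3-bit PCP (priority), 1-bit DEI/CFI, 12-bit VID."""
    offset = 12
    tags = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame header")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break
        if offset + 4 > len(frame):
            raise ValueError("tag header cut off")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"tpid": ethertype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += TAG_LEN
    return {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
            "tags": tags, "ethertype": ethertype}


def ingress(frame: bytes, mode: str, access_vlan: int = 1, native_vlan: int = 1,
            allowed_vlans=None):
    """Simplified model of the rules in the text: does the port accept the frame,
    and in which VLAN does it land? Returns (accepted, vlan, reason)."""
    tags = parse_tags(frame)["tags"]
    if mode == "access":
        if tags:
            return False, None, "tagged frame on an access port is discarded"
        if len(frame) > MAX_FRAME:
            return False, None, "giant: larger than %d bytes" % MAX_FRAME
        return True, access_vlan, "untagged frame placed in the access VLAN"
    if mode == "trunk":
        if len(frame) > MAX_FRAME + TAG_LEN * len(tags):   # one tag = 1522 B is still fine
            return False, None, "giant"
        vlan = tags[0]["vid"] if tags else native_vlan
        if allowed_vlans is not None and vlan not in allowed_vlans:
            return False, None, "VLAN %d is not in the allowed list" % vlan
        why = "outer tag selects the VLAN" if tags else "untagged frame goes to the native VLAN"
        return True, vlan, why
    raise ValueError("mode must be 'access' or 'trunk'")


def trunk_egress(frame: bytes, native_vlan: int) -> bytes:
    """A trunk sends native-VLAN frames untagged: the outer tag is stripped.
    If the frame was double-tagged, the inner tag is now the outermost one."""
    tags = parse_tags(frame)["tags"]
    if tags and tags[0]["vid"] == native_vlan:
        return frame[:12] + frame[12 + TAG_LEN:]
    return frame


if __name__ == "__main__":
    hop = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", [1, 100])  # outer 1, inner 100
    print("first switch, trunk native 1:", ingress(hop, "trunk", native_vlan=1))
    forwarded = trunk_egress(hop, native_vlan=1)
    print("second switch sees tags:", [t["vid"] for t in parse_tags(forwarded)["tags"]])
    print("second switch, trunk native 1:", ingress(forwarded, "trunk", native_vlan=1))
```

Running the script shows the double-tagged frame entering VLAN 1 on the first trunk, leaving it with only the VLAN 100 tag, and landing in VLAN 100 on the next switch; with the native VLAN set to an unused number on both trunks the outer tag is never stripped and the frame stays in VLAN 1 where it started.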
Routed Port
A routed port is a physical port that works as a Layer 3 (OSI layer 3) interface, just like on a router; traffic passes through it by routing. A routed port is not assigned to any VLAN and we give it an L3 address (an IP address). It does not run L2 protocols such as DTP, STP or VTP. Routed ports are supported only on L3 switches (those that support routing).
SWITCH(config-if)#no switchport // convert the switch port into a routed port
SWITCH(config-if)#ip address 192.168.100.2 255.255.255.0
Port security
Port security is a simple and useful method of restricting network access. On a port where it is enabled, the switch checks that frames come from an allowed (secure) MAC address, so if a user plugs a different device into the socket, it cannot communicate. Bear in mind that it checks only the source MAC address, which an attacker can set freely; it stops accidental or casual connections and MAC flooding, but it is not authentication. For that, use IEEE 802.1X.
To set port security, the port must be in a static mode (access or trunk, not dynamic); IOS rejects the command on a dynamic-mode port. Enable port security on the given port:
SWITCH(config-if)#switchport port-security
We can set how many MAC addresses are allowed on the port (or per VLAN), e.g. more than one when a switch or an IP phone with a PC behind it is connected. The default is 1.
SWITCH(config-if)#switchport port-security maximum 1
If we do not specify any allowed MAC addresses, dynamic (learned) addresses are used: the first addresses seen, up to the maximum, are kept only while the port is up. Alternatively we can enter MAC addresses manually as static secure addresses. Dynamic addresses can also be made sticky, which writes them into the running configuration as static entries; if the configuration is not saved, they are lost after a restart.
SWITCH(config-if)#switchport port-security mac-address 0018.deda.2990 // static address
SWITCH(config-if)#switchport port-security mac-address 0000.0200.0004 vlan 3 // address on a trunk in VLAN 3
SWITCH(config-if)#switchport port-security mac-address sticky // keep dynamically learned addresses
SWITCH(config-if)#switchport port-security mac-address 001e.138c.7430 vlan voice // address in the voice VLAN
Next we choose what happens on a violation, i.e. when a frame arrives from a MAC address that is not allowed (after the maximum has been reached). The default is shutdown. The options are:
- protect - frames from unknown MAC addresses are silently dropped while allowed addresses keep communicating; there is no log message, trap or counter, so violations go unnoticed
- restrict - like protect, but the violation counter is incremented and a syslog message and SNMP trap are generated (if traps are configured)
- shutdown - the port is blocked and goes to the err-disabled state (reminder: to re-enable it, it must first be disabled with shutdown and then enabled with no shutdown)
SWITCH(config-if)#switchport port-security violation shutdown
Note: A violation also occurs if a MAC address secured on one port appears on another port of the same switch in the same VLAN.
If the port goes to the err-disabled state, the administrator must re-enable it by hand. It is, however, possible to have the port re-enabled automatically after a certain time:
SWITCH(config)#errdisable recovery cause psecure-violation
SWITCH(config)#errdisable recovery interval 60 // time in seconds, range 30 - 86400, default 300
If we want the secure MAC addresses on the port to expire automatically after some time, we use the aging keyword in its variants (aging time in minutes, aging type absolute or inactivity, aging static to age static entries as well). For example, to let dynamic addresses expire after 10 minutes:
SWITCH(config-if)#switchport port-security aging time 10 // minutes
By default, after enabling port security, one MAC address is allowed and it is learned dynamically, i.e. the first device that starts communicating. If another device then tries to communicate, the port is shut down (with the default violation mode).
The main commands for displaying information about Port security are
SWITCH#show port-security // summary for all interfaces
SWITCH#show port-security address // table of secure MAC addresses and related info
SWITCH#show port-security interface f0/1 // detailed info for a specific interface
Protected port
Between ports configured as protected, no traffic is forwarded at Layer 2 (unicast, multicast or broadcast); such ports can reach each other only through a Layer 3 device (routing). A protected port communicates normally with ports that are not protected.
SWITCH(config-if)#switchport protected
More information about Protected Port can be found in the article Cisco IOS 19 - Private VLAN and Protected Port.
Spanning Tree Protocol
STP, the Spanning Tree Protocol, prevents loops in the network, for example in a redundant topology or when switches are connected incorrectly. It is standardized as IEEE 802.1D and has several improved versions (RSTP, MSTP; on Cisco PVST+ and Rapid PVST+). It elects a root bridge, computes the cheapest path from every switch to it and blocks the redundant ports. The basic version of STP runs on the switch by default and needs no configuration.
If an end device such as a server or workstation is connected to the port and no loop can arise there, we can set the port to portfast mode, which skips the listening and learning stages so the port forwards immediately instead of after roughly 30 seconds. A portfast port still processes BPDUs, so it is good practice to combine it with BPDU guard, which err-disables the port if a switch is plugged into it.
SWITCH(config-if)#spanning-tree portfast
More information about STP can be found in the article Cisco IOS 9 - Spanning Tree Protocol.
Setting IP Address and Gateway
We can set an IP address on some interfaces, mainly VLANs (SVIs). This address is used primarily for management of the switch, but also for other services such as routing or a DHCP server. Simply put, we are setting the switch's own address. If we do not use VLANs, it is set on interface VLAN 1; otherwise it is advisable to have a dedicated management VLAN and set the IP address there.
We can set the address manually or have it assigned by a DHCP server. When setting it manually, we must enter it together with the subnet mask, which tells the switch which addresses are local (needed for routing and other services).
SWITCH(config)#interface vlan 1
SWITCH(config-if)#ip address 192.168.190.2 255.255.255.0
In some cases we also need to set the gateway address. If we only ever talk to the switch from its local subnet, this is not necessary; otherwise we must set it so that the switch knows where to send replies. The gateway is set for the whole switch and applies when the switch is not routing (ip routing disabled); on an L3 switch with routing enabled a default route is used instead.
SWITCH(config)#ip default-gateway 192.168.190.1
UniDirectional Link Detection - UDLD
UDLD is an L2 protocol that monitors the physical connection of primarily fiber-optic links, but also twisted-pair links. It checks that the link is bidirectional (both Tx and Rx work). For fiber it detects when one fiber of the pair is broken and verifies that the strands are connected to the right ports on both sides; for copper it detects a broken pair. If it finds a unidirectional link, the port goes to the err-disabled state, which prevents STP from mistakenly unblocking a path whose BPDUs it can no longer see. It must be configured on both ends of the link.
We can enable it globally for all fiber-optic ports.
SWITCH(config)#udld enable
Or we can enable it on selected interfaces, which also works for copper ports.
SWITCH(config-if)#udld port // udld port aggressive for aggressive mode
To display information about UDLD and reset disabled interfaces, use the following commands.
SWITCH#show udld
SWITCH#udld reset // resets interfaces that were disabled by UDLD
In Conclusion - Saving Configuration
Important notice. At the end of the configuration, it is necessary to save the changes to the startup configuration to avoid losing them upon restart.
SWITCH#copy running-config startup-config // save
Destination filename [startup-config]? // prompt for the file name, press ENTER
Building configuration...
[OK]
Or we can use the shorter command.
SWITCH#write
Building configuration...
[OK]
Configuration Examples
Setting a Port for a User
SWITCH>enable // switch to privileged mode
SWITCH#configure terminal // switch to global configuration mode
SWITCH(config)#interface f0/1 // configure the given switch port
SWITCH(config-if)#shutdown // recommended to disable the port first, it should already be disabled
SWITCH(config-if)#switchport mode access // set the port to access mode
SWITCH(config-if)#switchport access vlan 100 // assign it to the appropriate VLAN
SWITCH(config-if)#description 3.14 // port description
SWITCH(config-if)#spanning-tree portfast // a computer is connected to the socket, fast start
SWITCH(config-if)#no shutdown // enable the port
SWITCH(config-if)#exit // go up one level
SWITCH(config)#exit // go up one level
SWITCH#copy running-config startup-config // save
Destination filename [startup-config]? // prompt for the file name, press ENTER
Building configuration...
[OK]
Setting a Port for Switch-to-Switch Connection - Trunk
SWITCH>enable // switch to privileged mode
SWITCH#configure terminal // switch to global configuration mode
SWITCH(config)#interface g1/0/25 // configure the given switch port
SWITCH(config-if)#shutdown // recommended to disable the port first, it should already be disabled
SWITCH(config-if)#switchport trunk encapsulation dot1q // tagging method, the 802.1Q standard; only on switches that also support ISL
SWITCH(config-if)#switchport trunk allowed vlan 2-200 // which VLANs are carried
SWITCH(config-if)#switchport trunk native vlan 1 // untagged frames travel over the trunk in the native VLAN
SWITCH(config-if)#switchport mode trunk // set the port to trunk mode
SWITCH(config-if)#switchport nonegotiate // do not negotiate with the DTP protocol
SWITCH(config-if)#description 3.14 // port description
SWITCH(config-if)#no shutdown // enable the port
SWITCH(config-if)#end // go directly to privileged mode
SWITCH#write // save the configuration
The same configuration needs to be done on the other side, i.e., on the other switch and port that are connected.
Setting Port Security
SWITCH>enable // switch to privileged mode
SWITCH#configure terminal // switch to global configuration mode
SWITCH(config)#interface f0/5 // configure the given switch port
SWITCH(config-if)#switchport mode access // port security needs a static mode, it is rejected on a dynamic port
SWITCH(config-if)#switchport port-security // enable port security
SWITCH(config-if)#switchport port-security maximum 1 // number of MAC addresses, 1 is the default
SWITCH(config-if)#switchport port-security violation shutdown // block the port on violation, default
SWITCH(config-if)#switchport port-security mac-address sticky // keep the dynamically learned MAC address as static
SWITCH(config-if)#^Z // CTRL+Z goes directly to privileged mode
SWITCH#write // save the configuration
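As an added example (not from the original article) that ties the access, trunk and port-security settings above together, the following Python script parses a constructed running-config excerpt and reports the weak spots discussed on this page: ports left in the default dynamic (DTP) mode, access ports without port security or with the silent protect violation mode, trunks still on native VLAN 1, trunks carrying all VLANs or lacking switchport nonegotiate, unconfigured ports that are not shut down, and missing descriptions. The config text, interface names and finding codes are this example's own; the checks are a minimal line-prefix parser, not a full IOS grammar.

```python
# Constructed running-config excerpt for this example (not from a real device).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 description user-socket-3.14
 switchport mode access
 switchport access vlan 100
 switchport port-security
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 100
 switchport port-security
 switchport port-security violation protect
!
interface FastEthernet0/4
!
interface FastEthernet0/5
 description printer
 switchport access vlan 100
!
interface GigabitEthernet0/1
 description uplink
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/2
 description uplink-hardened
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2-200
 switchport trunk native vlan 999
 switchport mode trunk
 switchport nonegotiate
!
interface Vlan1
 ip address 192.168.190.2 255.255.255.0
!
"""

MESSAGES = {
    "UNCONFIGURED_PORT_UP": "no configuration at all and not shut down: disable unused ports",
    "DTP_DYNAMIC_MODE": "no static switchport mode, a peer can negotiate a trunk via DTP",
    "NO_PORT_SECURITY": "access port without port security",
    "PSEC_PROTECT_SILENT": "violation mode protect drops frames without any log or trap",
    "TRUNK_NATIVE_VLAN_1": "trunk uses the default native VLAN 1",
    "TRUNK_ALLOWS_ALL_VLANS": "trunk carries all VLANs, no 'switchport trunk allowed vlan'",
    "TRUNK_DTP_ENABLED": "trunk without 'switchport nonegotiate', DTP still runs",
    "NO_DESCRIPTION": "port has no description",
}


def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Split a running-config into stanzas: interface name -> its sub-commands."""
    stanzas = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return stanzas


def audit_interface(name: str, lines: list[str]) -> list[str]:
    """Return finding codes for one physical switch port; other interface kinds get none."""
    if name.lower().startswith(("vlan", "port-channel", "loopback")) or "no switchport" in lines:
        return []  # SVIs, EtherChannels and routed ports are outside this check
    if "shutdown" in lines:
        return []  # a disabled port negotiates and learns nothing
    if not lines:
        return ["UNCONFIGURED_PORT_UP"]
    has = lambda prefix: any(l.startswith(prefix) for l in lines)
    mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
    findings = []
    if mode in (None, "dynamic"):  # Catalyst default is dynamic, i.e. DTP negotiation
        findings.append("DTP_DYNAMIC_MODE")
    if mode == "access" or (mode != "trunk" and has("switchport access vlan")):
        if not has("switchport port-security"):
            findings.append("NO_PORT_SECURITY")
        elif has("switchport port-security violation protect"):
            findings.append("PSEC_PROTECT_SILENT")
    if mode == "trunk":
        native = next((int(l.split()[-1]) for l in lines
                       if l.startswith("switchport trunk native vlan ")), 1)
        if native == 1:
            findings.append("TRUNK_NATIVE_VLAN_1")
        if not has("switchport trunk allowed vlan"):
            findings.append("TRUNK_ALLOWS_ALL_VLANS")
        if "switchport nonegotiate" not in lines:
            findings.append("TRUNK_DTP_ENABLED")
    if not has("description"):
        findings.append("NO_DESCRIPTION")
    return findings


def audit(config: str) -> dict[str, list[str]]:
    """Map every interface in the config to its finding codes."""
    return {n: audit_interface(n, ls) for n, ls in parse_interfaces(config).items()}


if __name__ == "__main__":
    for iface, codes in audit(SAMPLE_CONFIG).items():
        print(iface, [MESSAGES[c] for c in codes])
```

Feed it the output of show running-config from a real switch to get the same report; the hardened trunk GigabitEthernet0/2 and the fully configured access port FastEthernet0/1 come back clean, while the uplink left at defaults collects three findings.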
The port settings can also be reset with the command:
conf t
default interface ...
Reply to [2]cm3l1k1: Thanks for the addition. I didn't know that command.
Perfect, thanks a lot
>>SWITCH(config)#interface range f0/1-5,g0/1
On IOS Version 12.1(14)EA1a
entering a "range" requires a space before and after the dash:
....range f0/1 - 5,g0/1
pepa
Regarding Port Security - when a device is connected to a different port, no error occurs on the PS port.
Reply to [6]Ferda: I'm not sure what you mean. But if I have PS enabled on two ports and the MAC address of a device is learned on one of them, then when I connect that device to the other port, that port shuts down (if shutdown is configured).
My problem is different: if I configure the same port security on two ports on different switches in the same VLAN, it works as long as it is only on one switch, but as soon as I configure it on the second one as well, I lose connectivity on the second switch within that VLAN... It makes no sense, because the connected MAC address is the one allowed by the port security...
The target setup is that I need to configure security for notebooks in two meeting rooms, and it doesn't work...
Hi, I would like to ask how the ports on a Cisco 2960 switch need to be configured when I require the following from them:
1 - the primary link is fiber (fiber between two buildings, about 250 meters)
2 - if the fiber link goes down, I want the radio link to take over (i.e. a backup link, wireless over about 250 meters)
At the moment, if I plug the radio link into the Cisco switch, for some reason the radio link always becomes the primary link and the fiber is secondary. I need it exactly the other way round :).
Thanks for any advice.
Regards, Jano
If I connect
Hi, I'm a beginner and would like to ask for advice (an example) on how to copy the configuration of one port to another. Thank you.
Reply to [10]fizby:
Display the current configuration of the interface, then enter the configuration of the other interface and paste the settings (Ctrl+C -> Ctrl+V) that you want on the second interface.