Cisco IOS 3 - interface/port settings - access, trunk, port security

Edited 18.05.2009 18:17 | Petr Bouška - Samuraj

Continuing the description of the Cisco switch operating system, I will focus on what is probably its most used area: setting parameters for ports and interfaces. The article runs from basic properties, through VLAN membership and IP address settings, to securing the port with Port security. The description is only brief; practical examples are at the end.

Port Labeling

Interfaces on a switch are mainly the physical ports and VLANs (more precisely, the virtual interface for a VLAN, the Switch Virtual Interface, SVI). Besides these there are many others, such as EtherChannel (port-channel), serial line (serial), console (console), asynchronous line (TTY), and virtual terminal line (VTY) used for telnet.

Physical ports of the switch are labeled (addressed) by type, mainly FastEthernet (abbreviated as f), GigabitEthernet (abbreviated as g), and TenGigabitEthernet (abbreviated as t), and by port number. The port number is a string that varies depending on the switch type. The most common format is {slot}/{port} or {stack}/{slot}/{port}. Standard (non-modular) switches are considered to be in slot 0, so an example of addressing (for a C2690 switch) is f0/1, indicating FastEthernet (100Mbit/s) port number 1. Stackable switches (supporting stack), such as the Catalyst 3750, are addressed, for example, as g1/0/1, indicating GigabitEthernet (1Gbit/s) port on the first switch in the stack (or standalone), in slot 0, port number 1.

Port Configuration

Selecting a Port

When we want to configure an interface/port, we switch from privileged mode into the configuration of the given port. To save work, we can configure several ports at once using the usual IOS notation: a dash specifies a range (within the same stack/slot, followed only by the port number) and a comma separates a list (each item with the full port designation).

SWITCH(config)#interface f0/5               // switch to port 5 configuration
SWITCH(config)#interface range f0/1-5,g0/1  // select ports 1 to 5 (fast) and 1 (gigabit)
SWITCH(config-if)#                          // interface configuration mode

Port Status, Disabling

An interface can be in several states, and we can look at the global port status (mainly using the statuses disabled, notconnect, connected) or specifically at the physical/administrative status and operational status of the port (mainly using up, down). The port status is maintained internally and only converted for certain outputs (e.g., show interfaces status). The administrative status is the one we can control with commands (using shutdown), while the operational status is set automatically based on the link status. However, if we set the administrative status to down, the operational status also switches to down. There are also various special states like errors or testing. A common view of the most typical states is:

  • disabled - disabled (down, down) - no communication through it
  • error-disabled - error-disabled (down, down) - no communication through it, indicates an error
  • enabled not connected - notconnect (up, down) - physically disconnected, communicates when connected
  • enabled connected - connected (up, up) - functional and communicating

To switch the state between disabled and enabled, use the commands

SWITCH(config-if)#shutdown    // disable the port
SWITCH(config-if)#no shutdown // enable the port

If the port is in error-disabled state, which can occur due to an error in spanning tree or port security, it must first be disabled and then enabled. It is said that interfaces are disabled (shutdown) by default, but this is not always true. It is recommended to disable unused ports (preferably globally during initial configuration) and always enable the port when configuring it.

Basic Port Properties

For a port, we can set general properties such as duplex, speed, description, MDIX, and others. The default settings for duplex, speed, and mdix are auto, which is suitable in most cases today. Adding descriptions to individual ports is a good practice and should always be used.

SWITCH(config-if)#duplex full 
SWITCH(config-if)#speed 100 
SWITCH(config-if)#description 3.14
SWITCH(config-if)#mdix auto

Setting Default Values for an Interface

Resetting the port settings to default (factory) values can be done with one command.

SWITCH(config)#default interface f0/1 

Displaying Interface Information

We can find a lot of information about interfaces. Some commands we can use are as follows.

SWITCH#show interfaces
SWITCH#show interfaces status
SWITCH#show interfaces summary
SWITCH#show interfaces switchport

Types of Interfaces

The main interfaces on a switch are:

  • physical ports - switch ports and routed ports
  • VLANs - Switch Virtual Interface
  • port channel - EtherChannel interface

Switch Port

A Switch Port is a Layer 2 (OSI model Layer 2) interface associated with a physical port. Physical ports are switch ports by default and are assigned to one or more VLANs. Parameters related to switching are configured with the switchport command in interface configuration mode. A switch port operates in one of the following modes:

  • access - typically for end devices (PC, server, printer), receives untagged packets (without VLAN designation) and assigns them to the VLAN it is set to
  • trunk - another switch or active element, communication is tagged and selected VLANs are transmitted
  • dynamic - negotiates the port state (access or trunk) using the DTP protocol
  • tunnel - uses IEEE 802.1q tunneling to transmit VLAN information over the ISP network

Setting a port to the appropriate mode is done with the following command.

SWITCH(config-if)#switchport mode access
SWITCH(config-if)#switchport mode trunk
SWITCH(config-if)#switchport mode dynamic
SWITCH(config-if)#switchport mode dot1q-tunnel

If we have a routed port, we can convert it to a switch port using the command:

SWITCH(config-if)#switchport

Access mode

This is the default mode of a switch port. If the port is in access mode, we should assign it to the correct VLAN. It can only be a member of one VLAN; by default, all ports are in VLAN 1.

SWITCH(config-if)#switchport access vlan 100

Besides manually assigning a port to a VLAN, we can also use the IEEE 802.1x protocol (along with a RADIUS server) or dynamic assignment using the VLAN Membership Policy Server (VMPS).

If a tagged packet (with a VLAN tag using ISL or 802.1q) arrives at an access port, it is discarded.

The standard value of MTU (Maximum Transmission Unit) for Ethernet is 1518 B (1500B packet size + 18B frame header and trailer). When using IEEE 802.1q, a frame can be 4B larger, i.e., 1522B; when using ISL, it can be 30B larger, i.e., 1548B. If the port is not set as a trunk and such a large frame arrives, it is discarded and reported as a Giant (Jumbo frame). Giant packets are displayed in the interface counters.

SWITCH#show system mtu                // display the configured system MTU
SWITCH(config)#system mtu jumbo 9000  // global configuration, not per interface

Trunk mode

Trunk mode is primarily used to connect multiple switches together and keep communication within the correct VLAN. Today, it is also often used to connect some servers that need to communicate in multiple VLANs. If we connected switches with an access port, only communication in the VLAN set on that port would be transmitted, and on the other switch, the packet would be in the VLAN of that port.

If the port is in trunk mode, there are more configuration points. For higher-end switch models (generally L3 switches and above), we choose the method by which the packet is tagged with VLAN information. We have the following options:

  • IEEE 802.1q - a standardized method supported by all switches. It works on the principle of tagging, adding a 4B tag to the packet header (2B - 0x8100 = it is 802.1q/802.1p, 2B - priority + VLAN number) and recalculating the CRC. It is also used for QoS.
  • Cisco ISL - a Cisco proprietary method supported only by higher-end switches. It takes the entire original packet and encapsulates it as the content of a new packet, adding 30B to the content.

SWITCH(config-if)#switchport trunk encapsulation dot1q
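To make the 802.1q tag layout and the 1518/1522 B size rules from the MTU and trunk encapsulation paragraphs concrete, here is an added Python example (not code from the article) that builds and parses tagged frames and applies the access/trunk ingress rules described above. The MAC addresses and payloads are constructed sample values; the FCS is a placeholder, not a real CRC.

```python
import struct

TPID_8021Q = 0x8100            # tag protocol identifier announcing an 802.1Q tag
MAX_UNTAGGED = 1518            # 1500 B payload + 14 B header + 4 B FCS
MAX_TAGGED = MAX_UNTAGGED + 4  # one 4 B 802.1Q tag inserted after the source MAC


def _mac(text):
    return bytes.fromhex(text.replace(":", "").replace(".", ""))


def build_frame(dst, src, payload, vlan=None, pcp=0, ethertype=0x0800):
    """Assemble an Ethernet frame; giving a VLAN id inserts the 4 B tag (TPID + PCP/VID)."""
    frame = _mac(dst) + _mac(src)
    if vlan is not None:
        tci = (pcp & 0x7) << 13 | (vlan & 0x0FFF)  # 3 bits priority, 1 bit DEI, 12 bits VID
        frame += struct.pack("!HH", TPID_8021Q, tci)
    frame += struct.pack("!H", ethertype) + payload
    return frame + b"\x00" * 4                     # FCS placeholder, not computed


def parse_frame(frame):
    """Return VLAN id, priority, EtherType and total length; vlan is None when untagged."""
    ethertype, = struct.unpack("!H", frame[12:14])
    vlan = pcp = None
    if ethertype == TPID_8021Q:
        tci, = struct.unpack("!H", frame[14:16])
        pcp, vlan = tci >> 13, tci & 0x0FFF
        ethertype, = struct.unpack("!H", frame[16:18])
    return {"vlan": vlan, "pcp": pcp, "ethertype": ethertype, "length": len(frame)}


def ingress_decision(frame, port_mode, access_vlan=1, native_vlan=1):
    """Apply the access/trunk ingress rules the article describes to one frame."""
    info = parse_frame(frame)
    if port_mode == "access":
        if info["vlan"] is not None:
            return "drop: tagged frame on access port"
        if info["length"] > MAX_UNTAGGED:
            return "drop: giant"
        return f"forward in VLAN {access_vlan}"
    if port_mode == "trunk":
        if info["length"] > MAX_TAGGED:
            return "drop: giant"
        vlan = native_vlan if info["vlan"] is None else info["vlan"]
        return f"forward in VLAN {vlan}"
    raise ValueError("port_mode must be 'access' or 'trunk'")


if __name__ == "__main__":
    # constructed sample frames: full-size payload, one tagged for VLAN 100, one untagged
    tagged = build_frame("01:00:5e:00:00:01", "00:18:de:da:29:90", b"\x00" * 1500, vlan=100, pcp=5)
    untagged = build_frame("ff:ff:ff:ff:ff:ff", "00:18:de:da:29:90", b"\x00" * 1500)
    for name, f in (("tagged", tagged), ("untagged", untagged)):
        print(name, len(f), "B | access:", ingress_decision(f, "access", access_vlan=100),
              "| trunk:", ingress_decision(f, "trunk"))
```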

We can then specify which VLANs we want to transmit in the trunk. By default, all VLANs are transmitted, but for security and traffic reasons, we may want to limit some VLANs. By entering the VLAN number (or numbers separated by commas or a range with a dash), we set the values, and previous values are erased. We can also use helper keywords to modify the list: add, remove, all, none, except.

SWITCH(config-if)#switchport trunk allowed vlan 100,200
SWITCH(config-if)#switchport trunk allowed vlan add 300

A related setting is the native VLAN, which is used to transmit packets that are not assigned to any VLAN. In other words, if we connect a normal station (which does not support trunking) to a port configured as a trunk, it will communicate in this VLAN. By default, this is VLAN 1. It is important that the native VLAN is set the same on both sides of the trunk.

SWITCH(config-if)#switchport trunk native vlan 1

More information about VLAN configuration can be found in the article Cisco IOS 7 - VLAN configuration, VTP.

dot1q-tunnel mode

IEEE 802.1q tunneling allows us to transmit frames tagged with our VLAN numbers over the service provider's network. This is done by double tagging, where packets arriving at the tunnel port already tagged with our VLAN are supplemented with a second tag with the VLAN number used for transmission within the service provider's network.

Routed Port

A Routed Port is a physical port that functions as a Layer 3 (OSI Layer 3) interface, just like on a router, and communication occurs through routing. A routed port is not assigned to any VLAN, and we can assign it an L3 address (i.e., an IP address). It also does not support any L2 protocols, such as DTP and STP. Routed ports are only supported on L3 switches (those that support routing).

SWITCH(config-if)#no switchport
SWITCH(config-if)#ip address 192.168.100.2 255.255.255.0

Port security

Port security is a simple and interesting method for securing network access. On a port where it is set, it checks whether packets come from an allowed MAC address. Therefore, if a user connects a different device to the socket, it will not be able to communicate.

To set Port security, the port must be in static mode (trunk, access, but not dynamic). Enable port security for the given port:

SWITCH(config-if)#switchport port-security

We can set how many MAC addresses are allowed for the port (or a specific VLAN) (e.g., if a switch is connected to the port). The default value is 1.

SWITCH(config-if)#switchport port-security maximum 1

If we do not specify any allowed MAC addresses, dynamic addresses are used (temporarily stored for current communication up to the maximum). Or we can manually enter MAC addresses as static addresses. For dynamic addresses, we can set them to be saved to the running configuration (a static entry is created, but if we do not save the configuration, they will be deleted after a restart).

SWITCH(config-if)#switchport port-security mac-address 0018.deda.2990            // fixed address
SWITCH(config-if)#switchport port-security mac-address 0000.0200.0004 vlan 3     // address on trunk in VLAN 3
SWITCH(config-if)#switchport port-security mac-address sticky                    // save dynamic addresses
SWITCH(config-if)#switchport port-security mac-address 001e.138c.7430 vlan voice // address in Voice VLAN

Next, we choose what happens in case of a violation, i.e., if communication comes from a MAC address that is not allowed (and the maximum is reached). The default is shutdown. The options are:

  • protect - unauthorized communication is discarded, allowed MAC addresses still communicate
  • restrict - sends an informative SNMP trap
  • shutdown - the port is blocked, switches to Error-disabled state (reminder: to re-enable it, it must first be disabled)

SWITCH(config-if)#switchport port-security violation shutdown

Note: A violation also occurs if a MAC address assigned to a specific port appears on another port of this switch.

If the port switches to Error-disabled state, administrator intervention is required to re-enable it. However, it is possible to set automatic re-enabling of the port after a certain time:

SWITCH(config)#errdisable recovery cause psecure-violation
SWITCH(config)#errdisable recovery interval 60 // time in seconds, 60 - 86400

If we want MAC addresses for the port to be automatically deleted after a certain time, we can use the aging keyword in various variants. For example, if we want dynamic addresses to be valid for 10 minutes:

SWITCH(config-if)#switchport port-security aging time 10

By default, after enabling Port security, one MAC address is allowed, which is used dynamically, i.e., the first device that starts communicating. If another device tries to communicate, the port is blocked.

The main commands for displaying information about Port security are

SWITCH#show port-security // info for all interfaces
SWITCH#show port-security address // table of MAC addresses and related info
SWITCH#show port-security interface f0/1 // detailed info for a specific interface

Protected port

Between ports set as Protected, no communication is sent on Layer 2 (broadcast, multicast, unicast), only communication on Layer 3 (i.e., with an IP address and through routing).

SWITCH(config-if)#switchport protected

More information about Protected Port can be found in the article Cisco IOS 19 - Private VLAN and Protected Port.

Spanning Tree Protocol

The STP - Spanning Tree Protocol is used to prevent loops in the network, for example, in a redundant topology or when switches are incorrectly connected. It is a standardized IEEE 802.1d protocol, with several improved versions. It works on the principle of finding the shortest path in a weighted graph and blocks unnecessary ports. The basic version of STP runs on the switch by default and does not require any configuration.

If a device such as a server or workstation is connected to the switch port and thus a loop cannot occur on this port, we can set this port to portfast mode, which prevents initial port blocking and the port is enabled significantly faster.

SWITCH(config-if)#spanning-tree portfast

More information about STP can be found in the article Cisco IOS 9 - Spanning Tree Protocol.

Setting IP Address and Gateway

We can set an IP address for some interfaces, mainly VLANs (SVI). This address is primarily used for communication with the switch, but also for other services such as routing or DHCP server. Simply put, we are setting the switch's address. If we do not use VLANs, we must set it on VLAN 1. Otherwise, it is advisable to have a special VLAN for management and set the IP address there.

We can set the address manually or let it be assigned by a DHCP server. If we set the address manually, we must enter it along with the network mask in which this address is valid (this is for other services).

SWITCH(config)#interface vlan 1
SWITCH(config-if)#ip address 192.168.190.2 255.255.255.0

In some cases, we need to set the gateway address. If we will only communicate with the switch from the local subnet, this is not necessary. Otherwise, we must set the address so that the switch knows where to send responses. The gateway is set for the entire switch.

SWITCH(config)#ip default-gateway 192.168.190.1

UniDirectional Link Detection - UDLD

This is an L2 protocol that checks the physical connection, primarily of fiber-optic cables but also of twisted-pair cables. It monitors whether the link works in only one direction (Tx or Rx). For fiber optics it detects whether one fiber of the pair is broken and checks that the pair is connected correctly on both sides; for metallic cables it detects a broken wire. If it detects a unidirectional connection, the port switches to the error-disabled state. The same configuration must be done on both sides.

We can enable it globally for all optical ports.

SWITCH(config)#udld enable

Or we can enable it for selected interfaces, which also works for metallic cables.

SWITCH(config-if)#udld enable

To display information about UDLD and reset disabled interfaces, use the following commands.

SWITCH#show udld
SWITCH#udld reset // resets interfaces that were disabled by UDLD

In Conclusion - Saving Configuration

Important notice. At the end of the configuration, it is necessary to save the changes to the startup configuration to avoid losing them upon restart.

SWITCH#copy running-config startup-config // save
Destination filename [startup-config]? // prompt for name, press ENTER
Building configuration...
[OK]

Or we can use a shorter command.

SWITCH#write
Building configuration...
[OK]

Configuration Examples

Setting a Port for a User

SWITCH>enable // switch to privileged mode
SWITCH#configure terminal // switch to configuration mode
SWITCH(config)#interface f0/1 // configure the given switch port
SWITCH(config-if)#shutdown // recommended to first disable the port, it should already be disabled
SWITCH(config-if)#switchport mode access // set port to access mode
SWITCH(config-if)#switchport access vlan 100 // assign to the appropriate VLAN
SWITCH(config-if)#description 3.14 // port description
SWITCH(config-if)#spanning-tree portfast // a computer is connected to the socket, fast startup
SWITCH(config-if)#no shutdown // enable the port
SWITCH(config-if)#exit // go up one level
SWITCH(config)#exit // go up one level
SWITCH#copy running-config startup-config // save
Destination filename [startup-config]? // prompt for name, press ENTER
Building configuration...
[OK]

Setting a Port for Switch-to-Switch Connection - Trunk

SWITCH>enable // switch to privileged mode
SWITCH#configure terminal // switch to configuration mode
SWITCH(config)#interface g1/0/25 // configure the given switch port
SWITCH(config-if)#shutdown // recommended to first disable the port, it should already be disabled
SWITCH(config-if)#switchport trunk encapsulation dot1q // set the method for adding VLAN information, 802.1q standard, set only on higher switch models
SWITCH(config-if)#switchport trunk allowed vlan 2-200 // which VLANs are transmitted
SWITCH(config-if)#switchport trunk native vlan 1 // frames without VLAN are transmitted over the trunk in Native VLAN
SWITCH(config-if)#switchport mode trunk // set port to TRUNK mode
SWITCH(config-if)#switchport nonegotiate // do not negotiate with the DTP protocol
SWITCH(config-if)#description 3.14 // port description
SWITCH(config-if)#no shutdown // enable the port
SWITCH(config-if)#end // go directly to privileged mode
SWITCH#write // save configuration

The same configuration needs to be done on the other side, i.e., on the other switch and port that are connected.

Setting Port Security

SWITCH>enable // switch to privileged mode
SWITCH#configure terminal // switch to configuration mode
SWITCH(config)#interface f0/5 // configure the given switch port
SWITCH(config-if)#switchport port-security // enable port security
SWITCH(config-if)#switchport port-security maximum 1 // number of MAC addresses, 1 is default
SWITCH(config-if)#switchport port-security violation shutdown // block port on violation, default
SWITCH(config-if)#switchport port-security mac-address sticky // save dynamic MAC address as static
SWITCH(config-if)#^Z // CTRL+Z goes directly to privileged mode
SWITCH#write // save configuration
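The three examples above describe a recommended end state for user ports and trunks (description set, mode fixed, port security on access ports, nonegotiate and a limited VLAN list on trunks, unused ports shut down). The following Python audit script is an added example, not the author's code: it parses a constructed running-config excerpt (the interface names and commands are sample values, not from a real switch) and reports which ports fall short of those recommendations. Flagging a port with no explicit switchport mode is an assumption of this script, made because the article notes that a port left to DTP can negotiate its mode.

```python
import re

# Constructed running-config excerpt (not captured from a real switch)
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 description 3.14
 switchport mode access
 switchport access vlan 100
 switchport port-security
 switchport port-security mac-address sticky
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport access vlan 100
!
interface FastEthernet0/3
 shutdown
!
interface GigabitEthernet1/0/25
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2-200
 switchport mode trunk
!
"""


def parse_interfaces(config):
    """Map each 'interface X' block to the list of commands inside it."""
    ifaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            ifaces[current] = []
        elif current is not None and line.startswith(" "):
            ifaces[current].append(line.strip())
        else:
            current = None  # '!' or any other top-level line ends the block
    return ifaces


def audit_interface(cmds):
    """Return findings for one port, following the article's recommendations."""
    cmds = list(cmds)
    if "shutdown" in cmds:
        return []  # disabled port: the recommended state for unused ports

    def has(prefix):
        return any(c.startswith(prefix) for c in cmds)

    mode = next((c.split()[2] for c in cmds if c.startswith("switchport mode ")), None)
    findings = []
    if not has("description"):
        findings.append("no description")
    if mode is None or mode == "dynamic":
        findings.append("switchport mode not fixed (DTP negotiation possible)")
    if mode in (None, "access") and "switchport port-security" not in cmds:
        findings.append("port-security not enabled")
    if mode == "trunk":
        if "switchport nonegotiate" not in cmds:
            findings.append("trunk without 'switchport nonegotiate'")
        if not has("switchport trunk allowed vlan"):
            findings.append("trunk carries all VLANs")
        if not has("switchport trunk native vlan"):
            findings.append("native VLAN left at default")
    return findings


def audit(config):
    """Audit every interface; an empty list means the port passed all checks."""
    return {name: audit_interface(cmds) for name, cmds in parse_interfaces(config).items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

On a real device the input would be the output of show running-config; only the interface blocks are read, so the rest of the configuration can be pasted in unchanged.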

Comments
  1. [1] Slavko

    ;-)

    Thursday, 24.05.2007 18:10
  2. [2] cm3l1k1

    Port settings can also be reset with the command:

    conf t

    default interface ...

    Tuesday, 31.07.2007 15:57
  3. [3] Samuraj

    respond to [2]cm3l1k1: Thanks for the addition. I didn't know this command.

    Thursday, 02.08.2007 15:25
  4. [4] synnasek

    perfect, thanks a lot

    Monday, 23.03.2009 10:53
  5. [5] sjp

    >>SWITCH(config)#interface range f0/1-5,g0/1

    On IOS Version 12.1(14)EA1a

    it requires a space before and after the dash when entering a "range"

    ....range f0/1 - 5,g0/1

    pepa

    Friday, 11.09.2009 11:10
  6. [6] Ferda

    Regarding Port Security - when the device is connected to a different port, no error occurs on the PS port.

    Thursday, 14.07.2011 15:34
  7. [7] Samuraj

    respond to [6]Ferda: I'm not sure what you mean. But if I have PS enabled on two ports and the MAC address of a device is learned on one of them, then when I connect this device to the other port, that port shuts down (if shutdown is configured).

    Thursday, 14.07.2011 17:07
  8. [8] D4rkys

    My problem is different: if I configure the same port security on two ports on different switches in the same VLAN, then as long as it is only on one switch it's OK, but as soon as I configure it on the other one as well, connectivity on the second switch within the same VLAN stops working... It doesn't make sense, because the connected MAC address is one that is allowed by the port security... :-(

    The target state should be that I need to set up security for notebooks in 2 meeting rooms, and it doesn't work...

    Thursday, 16.10.2014 10:02
  9. [9] Jano

    Hi, I would like to ask how the ports need to be configured on a Cisco 2960 switch when I require the following from them:

    1 - the primary link uses fiber (fiber between two buildings, about 250 meters)

    2 - if the fiber link goes down, I want the radio link to take over (i.e., a backup link, transmission over the air, about 250 meters)

    Currently, if I plug the radio link into the Cisco switch, I don't know why the radio link always becomes the primary and the fiber becomes secondary. I need it exactly the other way round :).

    Thanks for any advice.

    Regards, Jano

    If I connect

    Monday, 19.02.2018 14:09
  10. [10] fizby

    Hello, I am a beginner and I would like advice (an example) on how to copy the settings of one port to another. Thank you.

    Tuesday, 28.04.2020 21:29
  11. [11] MIKEs

    respond to [10]fizby:

    Display the current configuration of the interface, then enter the configuration of the other one and paste the settings (Ctrl+C -> Ctrl+V) that you want for the second interface.

    Thursday, 01.10.2020 14:17