CCNA Configuring Switch Interfaces
IOS uses the term interface to refer to physical ports used to forward data to and from other
devices.
You can configure the speed and duplex settings with the duplex {auto | full | half} and speed {auto |
10 | 100 | 1000} interface subcommands.
The description text interface subcommand lets you add a text description to the interface.
Configuring Multiple Interfaces with the interface range Command
The interface range command applies every interface subcommand that follows it to each interface
in the range, so a common set of settings is typed once rather than once per port.
The show interfaces status command lists much of the configured detail, with only one line of
output per interface.
Administratively Controlling Interface State with shutdown
You can decide which ports should be enabled and which should be disabled with the shutdown and
no shutdown interface subcommands. Shutting down unused ports is the simplest way to keep an
unauthorized device from getting a link on an empty jack.
■If you earlier had configured speed 100 on an interface, the no speed command on that same interface
reverts to the default speed setting (which happens to be speed auto).
■Same idea with the duplex command: an earlier configuration of duplex half or duplex full, followed
by no duplex on the same interface, reverts the configuration back to the default of duplex auto.
■If you had configured a description command with some text, to go back to the default
state of having no description command at all for that interface, use the no description
command.
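As an added example (not from the original page), the following IOS session applies the commands above: a range of access ports gets a description and a fixed speed and duplex, a range of unused ports is shut down, one port is reverted to its defaults with the no forms of the commands, and the result is verified. The switch name, interface numbers, speed and description text are assumptions chosen for illustration.

```text
! Added example, not from the original page. Switch name, port numbers,
! speed and description text are assumptions.
SW1# configure terminal
!
! Same settings on four access ports with one block of subcommands
SW1(config)# interface range FastEthernet 0/1 - 4
SW1(config-if-range)# description User access ports, first floor
SW1(config-if-range)# speed 100
SW1(config-if-range)# duplex full
SW1(config-if-range)# no shutdown
SW1(config-if-range)# exit
!
! Unused ports: administratively down, so a device plugged into an
! empty jack gets no link at all
SW1(config)# interface range FastEthernet 0/5 - 24
SW1(config-if-range)# description UNUSED - administratively down
SW1(config-if-range)# shutdown
SW1(config-if-range)# exit
!
! Revert one port to the defaults: no speed and no duplex return to
! auto, no description removes the text entirely
SW1(config)# interface FastEthernet 0/4
SW1(config-if)# no speed
SW1(config-if)# no duplex
SW1(config-if)# no description
SW1(config-if)# end
!
! Verify: one line per interface (status, VLAN, duplex, speed, type),
! then the running-config for the reverted port, which should show
! none of the removed commands
SW1# show interfaces status
SW1# show running-config interface FastEthernet 0/4
```

Hard-coding speed 100 and duplex full is only safe when the device on the other end of the cable is configured the same way; a neighbour left at auto cannot negotiate with a port that has autonegotiation disabled and falls back to the IEEE default of half duplex, producing a duplex mismatch.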
Autonegotiation
Autonegotiation relies on the fact that the IEEE uses the same wiring pinouts for 10BASE-T and
100BASE-T, and that 1000BASE-T simply adds to those pinouts, adding two pairs.
Cisco switches use slightly different logic to choose the speed and duplex when autonegotiation
fails, for example because the device on the other end has autonegotiation disabled:
■ Speed: Sense the speed of the incoming signal (without using autonegotiation), but if that fails,
use the IEEE default, which is the slowest speed the port supports (typically 10 Mbps).
■ Duplex: Use the IEEE defaults: half duplex if the sensed speed is 10 or 100 Mbps, full duplex if
it is 1000 Mbps.
The practical consequence is a duplex mismatch whenever one side is manually set to 100 Mbps full
duplex and the other side is left at auto: the autonegotiating side senses 100 Mbps correctly but
falls back to half duplex, and the link suffers collisions and errors under load.
Port Security
When the engineer knows which devices should be connected to a particular switch interface, the
engineer can use port security to restrict that interface so that only the expected devices can use it.
This reduces exposure to attacks in which the attacker connects a laptop to some unused switch port.
When that unauthorized device attempts to send frames to the switch interface, the switch can take
different actions, ranging from simply issuing informational messages to effectively shutting down
the interface.
Port security identifies devices based on the source MAC address of Ethernet frames the
devices send.
Port security also has no restrictions on whether the frame came from a local device or was
forwarded through other switches. For example, switch SW1 could use port security on its
G0/1 interface, checking the source MAC address of the frame from PC2, when forwarded
up to SW1 from SW2.
The following list summarizes these ideas common to all variations of port security:
■ Define a maximum number of source MAC addresses allowed for all frames coming in
the interface.
■ Watch all incoming frames, and keep a list of all source MAC addresses, plus a counter
of the number of different source MAC addresses.
■ When adding a new source MAC address to the list, if the number of MAC addresses
pushes past the configured maximum, a port security violation has occurred. The switch
takes action (the default action is to shut down the interface).
The configuration for FastEthernet 0/1 adds one optional port security subcommand: switchport
port-security mac-address 0200.1111.1111, which defines a specific source MAC address. With the
default maximum source address setting of 1, only frames with source MAC 0200.1111.1111 will be
allowed in this port. When a frame with any other source MAC address enters F0/1, the switch takes
the default violation action and disables the interface.
FastEthernet 0/2 uses the same logic as FastEthernet 0/1, except that it uses the sticky learning
feature. For port F0/2, the configuration includes the switchport port-security mac-address sticky
command, which tells the switch to dynamically learn source MAC addresses and add them to the
running-config as switchport port-security mac-address sticky address commands. Because they land
in the running-config only, the learned addresses survive a reload only if the configuration is saved.
Interface F0/3 uses the default maximum of one MAC address.
FastEthernet 0/4 supports eight MAC addresses, because it connects to another switch and
should receive frames with multiple source MAC addresses.
The show port-security interface fastethernet 0/1 command shows that the interface is in a
secure-shutdown state, which means that the interface has been disabled because of port security.
In this case, another device connected to port F0/1, sending a frame with a source MAC address
other than 0200.1111.1111, caused a violation.
Port F0/2, which used sticky learning, simply learned the MAC address used by Server 2.
To restrict traffic through a port by limiting and identifying the MAC addresses of the stations allowed
to access the port, perform this task:

Step 1  Switch(config)# interface interface_id
        Enters interface configuration mode for the physical interface to configure, for example
        gigabitethernet 3/1.

Step 2  Switch(config-if)# switchport mode access
        Sets the interface mode to access; an interface in the default mode (dynamic desirable)
        cannot be configured as a secure port.

Step 5  Switch(config-if)# switchport port-security violation {restrict | shutdown}
        (Optional) Sets the violation mode, the action taken when a security violation is detected:
        • restrict: the port drops frames from the offending source MAC addresses, increments the
          SecurityViolation counter and sends an SNMP trap notification, but stays up.
        • shutdown: the port is placed in the error-disabled state and disabled (the default).

Step 7  Switch(config-if)# switchport port-security mac-address mac_address
        (Optional) Enters a secure MAC address for the interface. You can repeat this command up
        to the maximum number of secure MAC addresses. If you configure fewer secure MAC
        addresses than the maximum, the remaining addresses are learned dynamically.

Step 8  Switch(config-if)# switchport port-security mac-address sticky
        (Optional) Enables sticky learning on the interface.
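The following configuration is an added example, not the original page's own, that pulls together the procedure above and the four-interface scenario described earlier (F0/1 with a static address, F0/2 with sticky learning, F0/3 with defaults, F0/4 with a higher maximum), then verifies the result and recovers a port after a violation. The switch name, the interface numbers, the use of 0200.1111.1111 as the permitted address, and the choice of restrict mode on the uplink F0/4 are illustrative assumptions; the page does not state which violation mode F0/4 uses.

```text
! Added example, not from the original page. Switch name, port numbers,
! the permitted MAC address and the restrict mode on F0/4 are assumptions.
SW1# configure terminal
!
! F0/1: exactly one permitted station, statically defined. Any other
! source MAC triggers the default violation action (shutdown), which
! puts the port into the err-disabled / secure-shutdown state.
SW1(config)# interface FastEthernet 0/1
SW1(config-if)# switchport mode access
SW1(config-if)# switchport port-security
SW1(config-if)# switchport port-security mac-address 0200.1111.1111
SW1(config-if)# exit
!
! F0/2: one station, learned dynamically and written into the
! running-config as a sticky secure address. Save the configuration
! afterwards or the learned address is lost on reload.
SW1(config)# interface FastEthernet 0/2
SW1(config-if)# switchport mode access
SW1(config-if)# switchport port-security
SW1(config-if)# switchport port-security mac-address sticky
SW1(config-if)# exit
!
! F0/3: defaults only (maximum 1, violation shutdown, dynamic learning
! of whichever single address shows up first).
SW1(config)# interface FastEthernet 0/3
SW1(config-if)# switchport mode access
SW1(config-if)# switchport port-security
SW1(config-if)# exit
!
! F0/4: connects to another switch, so frames from several source MACs
! are expected. Raise the maximum to 8 and use restrict so a ninth
! address is dropped and counted (SNMP trap) without dropping the uplink.
SW1(config)# interface FastEthernet 0/4
SW1(config-if)# switchport mode access
SW1(config-if)# switchport port-security
SW1(config-if)# switchport port-security maximum 8
SW1(config-if)# switchport port-security violation restrict
SW1(config-if)# end
SW1# copy running-config startup-config
!
! Verification. Look for "Port Status" (Secure-up vs Secure-shutdown),
! "Violation Mode", "Maximum MAC Addresses", "Sticky MAC Addresses"
! and "Security Violation Count" per interface.
SW1# show port-security
SW1# show port-security interface FastEthernet 0/1
SW1# show port-security address
!
! Recovery after a shutdown-mode violation: remove the offending device,
! then bounce the port to clear the err-disabled state.
SW1# configure terminal
SW1(config)# interface FastEthernet 0/1
SW1(config-if)# shutdown
SW1(config-if)# no shutdown
SW1(config-if)# end
```

If manual recovery is too slow for the environment, the global command errdisable recovery cause psecure-violation re-enables err-disabled ports automatically after the recovery interval (300 seconds by default, adjustable with errdisable recovery interval seconds); note that this also re-enables the port for an attacker who simply leaves the device plugged in, so it trades containment for availability.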