LESSON 3. Configure Switch Ports and Port Security

In this lesson, you will learn how ports are configured to better meet the needs of the network. This includes adjusting port speed,
bandwidth, and security requirements. Port configuration starts with the basics of duplex and speed. Sometimes switch ports must
have their duplex mode and speed manually configured. Most of the time the technician simply connects a cable and lets the
network device and switch automatically negotiate these parameters. There are also times when things go awry and there are issues.
This lesson helps you with these basic concepts.

Lesson Objectives:
At the end of this lesson, you will be able to:
1. configure switch ports to meet network requirements, and
2. configure the port security feature to restrict network access.

Duplex Communication

Figure 1-31 illustrates full-duplex and half-duplex communication.

Figure 1-31. Duplex Modes

Full-duplex communication improves the performance of a switched LAN. Full-duplex communication increases effective
bandwidth by allowing both ends of a connection to transmit and receive data simultaneously. This is also known as bidirectional
communication. This method of optimizing network performance requires micro-segmentation. A micro-segmented LAN is created
when a switch port has only one device connected and is operating in full-duplex mode. When a switch port is operating in full-duplex
mode, there is no collision domain associated with the port.
Unlike full-duplex communication, half-duplex communication is unidirectional. Sending and receiving data does not occur at
the same time. Half-duplex communication creates performance issues because data can flow in only one direction at a time, often
resulting in collisions. Half-duplex connections are typically seen in older hardware, such as hubs. Full-duplex communication has
replaced half-duplex in most hardware.
Gigabit Ethernet and 10Gb NICs require full-duplex connections to operate. In full-duplex mode, the collision detection circuit
on the NIC is disabled. Frames that are sent by the two connected devices cannot collide because the devices use two separate circuits
in the network cable. Full-duplex connections require a switch that supports full-duplex configuration, or a direct connection using an
Ethernet cable between two devices.
Standard, shared hub-based Ethernet configuration efficiency is typically rated at 50 to 60 percent of the stated bandwidth.
Full-duplex offers 100 percent efficiency in both directions (transmitting and receiving). This results in a 200 percent potential use of
the stated bandwidth (Cisco Networking Academy, 2014).

Configure Switch Ports at the Physical Layer

Switch ports can be manually configured with specific duplex and speed settings. Use the duplex interface configuration mode
command to manually specify the duplex mode for a switch port. Use the speed interface configuration mode command to manually
specify the speed for a switch port.
In Figure 1-32, port F0/1 on switches S1 and S2 is manually configured with the full keyword for the duplex command, and
the 100 keyword for the speed command.

Figure 1-32. Cisco Switch Port Configuration

Auto-MDIX
As shown in Figure 1-33, some switches have the automatic medium-dependent interface crossover (auto-MDIX) feature that
allows an interface to detect the required cable connection type (straight-through or crossover) and configure the connection
appropriately.

Figure 1-33. Configure Auto-MDIX

Figure 1-34 illustrates how to verify auto-MDIX on a Cisco switch. The show controllers Ethernet-controller command
verifies the auto-MDIX settings.

Figure 1-34. Configure Auto-MDIX

Verifying Switch Port Configuration


Some of the options for the show command that are helpful in verifying common configurable switch features are shown in
Figure 1-35.

Figure 1-35. Show option command in Cisco switch

Figure 1-36 shows an example of show interfaces and show running-config command output. The CLI example
shows counters and statistics for the FastEthernet0/1 interface.

Figure 1-36. Example of show interfaces and show running-config commands output

Some media errors are not severe enough to cause the circuit to fail, but they do cause network performance issues. The figure on the
left explains some of these common errors, which can be detected using the show interfaces command.

The input errors are the sum of all errors in datagrams that were received on the interface being examined. This includes runts,
giants, CRC, no buffer, frame, overrun, and ignored counts. The reported input errors from the show interfaces command include
the following:

a) Runt Frames - Ethernet frames that are shorter than the 64-byte minimum allowed length are called runts. Malfunctioning
NICs are the usual cause of excessive runt frames, but they can also be caused by collisions.
b) Giants - Ethernet frames that are larger than the maximum allowed size are called giants.
c) CRC errors - On Ethernet and serial interfaces, CRC errors usually indicate a media or cable error. Common causes include
electrical interference, loose or damaged connections, or incorrect cabling. If you see many CRC errors, there is too much noise
on the link and you should inspect the cable. You should also search for and eliminate noise sources.

The output errors count is the sum of all errors that prevented the final transmission of datagrams out the interface that is being examined.
The reported output errors from the show interfaces command include the following:
d) Collisions - Collisions in half-duplex operations are normal. However, you should never see collisions on an interface
configured for full-duplex communication.
e) Late collisions - A late collision refers to a collision that occurs after 512 bits of the frame have been transmitted. Excessive
cable lengths are the most common cause of late collisions. Another common cause is duplex misconfiguration. For example,
you could have one end of a connection configured for full-duplex and the other for half-duplex. You would see late collisions
on the interface that is configured for half-duplex. In that case, you must configure the same duplex setting on both ends. A
properly designed and configured network should never have late collisions.
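As an added example (not part of the lesson), the following Python script parses a constructed show interfaces excerpt and applies the rules of thumb above: late collisions point to cable length or a duplex mismatch, collisions on a full-duplex port should never occur, and CRC errors point to cabling or noise. The interface output, MAC address and counter values are constructed sample data.

```python
import re

# Constructed "show interfaces" excerpt for a half-duplex port that is showing
# late collisions and CRC errors (sample data, not the lesson's Figure 1-36).
SAMPLE_SHOW_INTERFACES = """\
FastEthernet0/1 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is aaaa.bbbb.0001 (bia aaaa.bbbb.0001)
  Half-duplex, 100Mb/s, media type is 10/100BaseTX
     2295197 packets input, 305539992 bytes, 0 no buffer
     Received 1925500 broadcasts (74 multicasts)
     0 runts, 0 giants, 0 throttles
     3 input errors, 3 CRC, 0 frame, 0 overrun, 0 ignored
     3594664 packets output, 436549843 bytes, 0 underruns
     8 output errors, 1790 collisions, 10 interface resets
     0 babbles, 235 late collision, 0 deferred
"""

# Counters the lesson discusses, keyed exactly as they appear in the output.
COUNTERS = ("runts", "giants", "CRC", "input errors",
            "output errors", "collisions", "late collision")


def parse_interface_counters(text):
    """Return interface name, line status, duplex mode, speed and error counters."""
    fields = {}
    m = re.search(r"^(\S+) is (\w+), line protocol is (\w+)", text, re.M)
    fields["name"], fields["status"] = m.group(1), m.group(2)
    m = re.search(r"^\s*(Full|Half|Auto)-duplex, (\S+)", text, re.M)
    fields["duplex"], fields["speed"] = m.group(1).lower(), m.group(2).rstrip(",")
    for key in COUNTERS:
        # Each counter is printed as "<number> <name>", e.g. "235 late collision".
        m = re.search(r"(\d+) " + re.escape(key) + r"\b", text)
        fields[key] = int(m.group(1)) if m else 0
    return fields


def assess(fields):
    """Apply the lesson's rules of thumb; returns (code, advice) pairs."""
    findings = []
    if fields["late collision"] > 0:
        findings.append(("LATE_COLLISIONS",
                         "late collisions: check cable length and duplex on both ends"))
    if fields["duplex"] == "full" and fields["collisions"] > 0:
        findings.append(("FULL_DUPLEX_COLLISIONS",
                         "collisions on a full-duplex port: duplex mismatch with the peer"))
    if fields["CRC"] > 0:
        findings.append(("CRC", "CRC errors: inspect the cable and look for noise sources"))
    if fields["runts"] > 0:
        findings.append(("RUNTS", "runts: suspect a faulty NIC or collisions"))
    if fields["giants"] > 0:
        findings.append(("GIANTS", "giants: frames above the maximum allowed size"))
    return findings


if __name__ == "__main__":
    data = parse_interface_counters(SAMPLE_SHOW_INTERFACES)
    print(f"{data['name']} ({data['duplex']}-duplex, {data['speed']})")
    for code, advice in assess(data):
        print(f"  [{code}] {advice}")
```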

Secure Remote Access

SSH Operation
Secure Shell (SSH) is an alternative protocol to Telnet. Telnet transmits the username and password, as well as all of the session
data, in unsecure plaintext. SSH is more secure because it provides an encrypted management connection. A switch must have an IOS
version (k9 at the end of the IOS file name) that includes cryptographic capabilities in order to configure and use SSH. Figure 1-37
shows the use of the show version command to see the IOS version.

Figure 1-37. Use the show version command to see the IOS version

Configuring SSH
Before configuring SSH, the switch must be minimally configured with a unique hostname and the correct network connectivity
settings.
Step 1. Verify SSH support. Use the show ip ssh command to verify that the switch supports SSH. If the switch is not running an
IOS that supports cryptographic features, this command is unrecognized.
Step 2. Configure the IP domain. Configure the IP domain name of the network using the ip domain-name domain-name global
configuration mode command. In Figure 1-38, the domain-name value is cisco.com.
Step 3. Generate RSA key pairs. Not all versions of the IOS default to SSH version 2, and SSH version 1 has known security flaws. To
configure SSH version 2, issue the ip ssh version 2 global configuration mode command. Generating an RSA key pair automatically
enables SSH. Use the crypto key generate rsa global configuration mode command to enable the SSH server on the switch and generate
an RSA key pair. When generating RSA keys, the administrator is prompted to enter a modulus length. The sample configuration in
Figure 1-38 uses a modulus size of 1,024 bits. A longer modulus length is more secure, but it takes longer to generate and to use.

Note: To delete the RSA key pair, use the crypto key zeroize rsa global configuration mode command. After the RSA key pair is deleted,
the SSH server is automatically disabled.

Figure 1-38. Configure SSH for Remote Management

Step 4. Configure user authentication. The SSH server can authenticate users locally or using an authentication server. To use the
local authentication method, create a username and password pair using the username username secret password global
configuration mode command. In the example, the user admin is assigned the password ccna.
Step 5. Configure the vty lines. Enable the SSH protocol on the vty lines using the transport input ssh line configuration
mode command. The Catalyst 2960 has vty lines ranging from 0 to 15. This configuration prevents non-SSH (such as Telnet) connections
and limits the switch to accept only SSH connections. Use the line vty global configuration mode command and then the login
local line configuration mode command to require local authentication for SSH connections from the local username database.
Step 6. Enable SSH version 2. By default, SSH supports both versions 1 and 2. When both versions are supported, this is shown in
the show ip ssh output as supporting version 1.99. Version 1 has known vulnerabilities. For this reason, it is recommended to enable
only version 2. Enable SSH version 2 using the ip ssh version 2 global configuration command.

Verifying SSH
On a PC, an SSH client, such as PuTTY, is used to connect to an SSH server. For the examples in Figure 1-39, the following
have been configured:
- SSH enabled on switch S1
- Interface VLAN 99 (SVI) with IP address 172.17.99.11 on switch S1
- PC1 with IP address 172.17.99.21

Figure 1-39. Configure PuTTY with SSH client connection parameters and remote
management SSH connection

To check the SSH connections to the device, use the show ssh command (see Figure 1-40).

Figure 1-40. Verify SSH Status and Settings

Switch Port Security

Port security is the process of enabling specific commands on switch ports to protect against unauthorized wired devices being
attached to the network. An easy way for an intruder to gain access to a corporate network is to plug into an unused Ethernet jack or to
unplug an authorized device and use that connector. Cisco provides ways to protect against such behavior.

Secure Unused Ports


Disable Unused Ports
A simple method that many administrators use to help secure the network from unauthorized access is to disable all unused
ports on a switch. For example, if a Catalyst 2960 switch has 24 ports and there are three Fast Ethernet connections in use, it is good
practice to disable the 21 unused ports. Navigate to each unused port and issue the Cisco IOS shutdown command. If a port later on
needs to be reactivated, it can be enabled with the no shutdown command. Figure 2-23 shows partial output for this configuration.
It is simple to make configuration changes to multiple ports on a switch. If a range of ports must be configured, use the
interface range command.
Switch(config)# interface range type module/first-number - last-number

The interface range command can be used to apply a configuration to several switch ports at one time.

Figure 1-41. Disable unused Switch Ports


DHCP Snooping
DHCP snooping is a Cisco Catalyst feature that determines which devices attached to switch ports can respond to DHCP requests. DHCP
snooping can be used to prevent unauthorized DHCP messages that contain information such as IP address-related data from being provided to
legitimate network devices.

As part of the DHCP configuration process, switch ports can be identified as trusted and untrusted. Trusted ports can source any type of
DHCP message; untrusted ports can source DHCP requests only. This configuration protects the network from someone attacking a device by acting
as a rogue DHCP server as shown in Figure 1-42.

Figure 1-42. DHCP Snooping Operation and DHCP Snooping Configuration

Port Security: Operation


Port Security
Port security can be configured to allow one or more MAC addresses. If the number of MAC addresses allowed on the port is
limited to one, then only the device with that specific MAC address can successfully connect to the port. If a port is configured as a
secure port and the maximum number of MAC addresses is reached, any additional attempts to connect by unknown MAC addresses
will generate a security violation.
Note: remember the following when implementing port security on a switch port:
- Turn port security on before issuing any other port-security commands.
- Specify a single MAC address or a group of valid MAC addresses allowed on the port.
- Specify that a port automatically shuts down if unauthorized MAC addresses are detected.

Secure MAC Address Types


There are a number of ways to configure port security. The type of secure address is based on the configuration and includes:
1. Static secure MAC addresses: MAC addresses that are manually configured on a port by using the switchport
port-security mac-address mac-address interface configuration mode command. MAC addresses
configured in this way are stored in the address table and are added to the running configuration on the switch.
2. Dynamic secure MAC addresses: MAC addresses that are dynamically learned and stored only in the address table. MAC
addresses configured in this way are removed when the switch restarts.
3. Sticky secure MAC addresses: MAC addresses that can be dynamically learned or manually configured, stored in the
address table, and added to the running configuration. When sticky secure MAC addresses are configured by using the
switchport port-security mac-address sticky mac-address interface configuration mode command,
all specified addresses are added to the address table and the running configuration.

Note: on a switch port, switchport port-security commands will not function until port security is enabled. Sticky secure MAC addresses are:
- Learned dynamically and converted to sticky secure MAC addresses stored in the running-config.
- Removed from the running-config if port security is disabled.
- Lost when the switch reboots (power cycled).
- Made permanent by saving them in the startup-config, so that the switch retains them after a reboot.
- Converted to dynamic secure addresses and removed from the running-config when sticky learning is disabled.

Port Security: Violation Modes


It is a security violation when either of these situations occurs:
1. The maximum number of secure MAC addresses have been added to the address table for that interface, and a station
whose MAC address is not in the address table attempts to access the interface.
2. An address learned or configured on one secure interface is seen on another secure interface in the same VLAN.

An interface can be configured for one of three violation modes, specifying the action to be taken if a violation occurs. Figure
1-43 presents which kinds of data traffic are forwarded when one of the following security violation modes is configured on a port:
1. Protect: When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source
addresses are dropped until a sufficient number of secure MAC addresses are removed or the number of maximum
allowable addresses is increased. There is no notification that a security violation has occurred.
2. Restrict: When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source
addresses are dropped until a sufficient number of secure MAC addresses are removed or the number of maximum
allowable addresses is increased. In this mode, there is a notification that a security violation has occurred.
3. Shutdown: In this (default) violation mode, a port security violation causes the interface to immediately become error-
disabled and turns off the port LED. It increments the violation counter. When a secure port is in the error-disabled state,
it can be brought out of this state by entering the shutdown and no shutdown interface configuration mode commands.

Figure 1-43. Security Violations Modes

The security violations occur in these situations:
- A station with a MAC address that is not in the address table attempts to access the interface when the table is full.
- An address is being used on two secure interfaces in the same VLAN.
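To make the two violation conditions and the three violation modes concrete, here is an added Python model (not the switch's code and not part of the lesson) of a port-security state machine: each port has a maximum, a violation mode and optional sticky learning; a frame from an unknown source is a violation when the table is full, or when the source address is already secure on another port in the same VLAN. The port names and MAC addresses in the usage at the bottom are constructed.

```python
class SecurePort:
    """One secure switch port, modelled on the lesson's description (simplified)."""

    def __init__(self, name, vlan=1, maximum=1, violation="shutdown", sticky=False):
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError("violation mode must be protect, restrict or shutdown")
        self.name, self.vlan, self.maximum = name, vlan, maximum
        self.violation, self.sticky = violation, sticky
        self.secure_macs = {}       # mac -> "static" | "dynamic" | "sticky"
        self.running_config = []    # lines that static or sticky addresses add
        self.violation_count = 0
        self.err_disabled = False

    def add_static(self, mac):
        self.secure_macs[mac] = "static"
        self.running_config.append(f"switchport port-security mac-address {mac}")

    def learn(self, mac):
        if self.sticky:
            self.secure_macs[mac] = "sticky"
            self.running_config.append(f"switchport port-security mac-address sticky {mac}")
        else:
            self.secure_macs[mac] = "dynamic"   # address table only, lost on reboot

    def handle_violation(self):
        if self.violation == "protect":
            return "dropped"             # silently dropped, no notification
        self.violation_count += 1        # restrict and shutdown both count it
        if self.violation == "restrict":
            return "dropped+logged"      # dropped, and the violation is reported
        self.err_disabled = True         # shutdown (default): port goes err-disabled
        return "err-disabled"

    def reenable(self):
        """Administrator's shutdown / no shutdown after investigating the cause."""
        self.err_disabled = False


class Switch:
    def __init__(self):
        self.ports = {}

    def add_port(self, port):
        self.ports[port.name] = port

    def receive(self, port_name, src_mac):
        """Action taken for a frame with source src_mac arriving on port_name."""
        port = self.ports[port_name]
        if port.err_disabled:
            return "err-disabled"        # nothing is sent or received on the port
        if src_mac in port.secure_macs:
            return "forwarded"
        # Violation 2: the address is already secure on another port in the same VLAN.
        for other in self.ports.values():
            if other is not port and other.vlan == port.vlan and src_mac in other.secure_macs:
                return port.handle_violation()
        # Violation 1: the secure address table is full and the source is unknown.
        if len(port.secure_macs) >= port.maximum:
            return port.handle_violation()
        port.learn(src_mac)
        return "forwarded"


if __name__ == "__main__":
    sw = Switch()                                    # constructed demo topology
    sw.add_port(SecurePort("Fa0/18", vlan=99))       # max 1, default shutdown mode
    sw.add_port(SecurePort("Fa0/19", vlan=99, maximum=2, violation="restrict", sticky=True))
    for mac in ("aaaa.bbbb.0001", "aaaa.bbbb.0002"):
        print("Fa0/18", mac, sw.receive("Fa0/18", mac))
```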

Port Security: Configuring


Figure 1-44 summarizes the default port security configuration on a Cisco Catalyst switch.

Figure 1-44. Security Violations Modes

Before configuring port-security features, place the port in access mode and use the switchport port-security interface
configuration command to enable port security on an interface.
Figure 1-45 shows the Cisco IOS CLI commands needed to configure port security on the Fast Ethernet F0/18 port on the S1
switch. Notice that the example does not specify a violation mode. In this example, the violation mode is the default mode of shutdown.
Likewise, Figure 1-46 shows the commands needed to enable sticky secure MAC addresses for port security on Fast Ethernet
port 0/19 of switch S1. As stated earlier, a specific maximum number of secure MAC addresses can be manually configured. In this
example, the Cisco IOS command syntax is used to set the maximum number of MAC addresses to 50 for port 0/19. The violation mode
is set to the default mode of shutdown.

Figure 1-45. Cisco Switch IOS CLI Commands for Dynamic Port Security
Figure 1-46. Cisco Switch IOS CLI Commands for Sticky Port Security
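The SSH steps, the advice to shut down unused ports, and the port-security configuration above all leave traces in the running configuration, so they can be checked together. The following added Python audit (not part of the lesson, and not a Cisco tool) parses a constructed running-config excerpt and flags vty lines that accept a transport other than SSH or lack login local, a missing ip ssh version 2 or ip domain-name, and active physical ports that are not in access mode or have no port security. The configuration text is constructed sample data.

```python
# Constructed running-config excerpt used for the audit (sample data, not the
# lesson's Figures 1-38, 1-41, 1-45 or 1-46).
SAMPLE_RUNNING_CONFIG = """\
ip domain-name cisco.com
ip ssh version 2
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/3
 shutdown
!
interface Vlan99
 ip address 172.17.99.11 255.255.255.0
!
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input telnet ssh
"""


def parse_sections(cfg):
    """Split a running-config into global commands and indented sections."""
    globals_, sections, current = [], {}, None
    for line in cfg.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0] in " \t":                       # sub-command of the current section
            if current is not None:
                sections[current].append(line.strip())
        elif line.startswith(("interface ", "line ")):
            current = line.strip()
            sections[current] = []
        else:
            current = None
            globals_.append(line.strip())
    return globals_, sections


def audit(cfg):
    """Return (section, problem) pairs for settings the lesson says to avoid."""
    globals_, sections = parse_sections(cfg)
    findings = []
    if "ip ssh version 2" not in globals_:
        findings.append(("global", "SSH version 2 not enforced (ip ssh version 2)"))
    if not any(g.startswith("ip domain-name ") for g in globals_):
        findings.append(("global", "no ip domain-name, RSA key generation needs one"))
    for name, lines in sections.items():
        if name.startswith("line vty"):
            if "login local" not in lines:
                findings.append((name, "vty line does not use login local"))
            transport = [l for l in lines if l.startswith("transport input")]
            if transport[-1:] != ["transport input ssh"]:   # absent or allows Telnet
                findings.append((name, "vty line accepts non-SSH transport"))
        elif name.startswith(("interface FastEthernet", "interface GigabitEthernet")):
            if "shutdown" in lines:
                continue                                    # unused port is disabled
            if "switchport mode access" not in lines:
                findings.append((name, "active port not placed in access mode"))
            if "switchport port-security" not in lines:
                findings.append((name, "active port without port security"))
    return findings
```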

Port Security: Verifying


After configuring port security on a switch, check each interface to verify that port security is set correctly, and
check to ensure that the static MAC addresses have been configured correctly.
Use the show port-security interface command to verify the maximum number of MAC addresses
allowed on a particular port and how many of those addresses were learned dynamically using sticky, as shown in Figure 1-47.
Notice that the MAC address 0025.83e6.4b02:1 in the output is identified as a sticky MAC address.

Figure 1-47. Cisco Switch IOS CLI Commands for Sticky Port Security

The sticky MAC addresses are added to the MAC address table and to the running configuration. Figure 1-48 shows that the
sticky MAC address for PC2 has been automatically added to the running configuration for S1.
To display all secure MAC addresses configured on all switch interfaces, or on a specified interface with aging information
for each, use the show port-security address command. As shown in the output (see Figure 1-49), the secure MAC addresses are listed
along with their types.

Figure 1-48. The sticky MAC address for PC2 has been automatically added to the running configuration for S1
Figure 1-49. Verifying secure MAC addresses

Ports in Error Disabled State


When a port is configured with port security, a violation can cause the port to become error disabled. When a port is error
disabled, it is effectively shut down and no traffic is sent or received on that port. A series of port security related messages
display on the console as shown in Figure 1-50. Notice in the output how the port protocol and link status changed to down.

Figure 1-50. Ports in error disabled state

Another indication that a port security violation has occurred is that the switch port LED will change to orange. The show
interfaces command identifies the port status as error-disabled as shown in Figure 1-51. The output of the show port-security
interface command now shows the port status as secure-shutdown.

Figure 1-51. Port with the security violation goes to the error disabled state

Do not re-enable a port until the security threat is investigated and eliminated. The administrator should determine what
caused the security violation before re-enabling the port. If an unauthorized device is connected to a secure port, the port
should not be re-enabled until the security threat is eliminated. To re-enable the port, use the shutdown interface configuration
mode command. Then, use the no shutdown interface configuration command to make the port operational as shown in Figure 1-52.

Figure 1-52. Enabling a port that is disabled

Summary
- Secure Shell (SSH) is used to provide a secure (encrypted) management connection to a remote device to prevent the sniffing of
unencrypted user names and passwords, which is possible when using protocols such as Telnet.
- One of the advantages of a switch is that it allows full-duplex communication between devices, effectively doubling the
communication rate. Although it is possible to specify the speed and duplex settings of a switch interface, it is recommended that
the switch be allowed to set these parameters automatically to avoid errors.
- Switch port security is a requirement to prevent such attacks as MAC address flooding and DHCP spoofing.
- Switch ports should be configured to allow only frames with specific source MAC addresses to enter. Frames from unknown source
MAC addresses should be denied and cause the port to shut down to prevent further attacks.
- Port security is only one defense against network compromise.
- Best practices that represent the best insurance for a network are: develop a written security policy for the organization; shut down
unused services and ports; use strong passwords and change them often; control physical access to devices; avoid using standard
insecure HTTP websites, especially for login screens, and instead use the more secure HTTPS; perform backups and test the backed-up
files on a regular basis; educate employees about social engineering attacks, and develop policies to validate identities over the
phone, via email, and in person; encrypt sensitive data and protect it with a strong password; implement security hardware and
software, such as firewalls; and keep IOS software up to date by installing security patches weekly or daily, if possible.
