Basic Switch Configuration Guide with Examples

This tutorial explains basic switch configuration commands in detail with examples. Configuration and
commands explained in this tutorial are essential commands to manage a Cisco switch effectively. Learn
how to configure and manage a Cisco Switch step by step with this basic switch commands and
configuration guide.

To explain basic switch configuration commands, I will use packet tracer network simulator software. You
can use any network simulator software or can use a real Cisco switch to follow this guide. There is no
difference in output as long as your selected software contains the commands explained in this tutorial.

Create a practice lab as shown in following figure or download this pre-created practice lab and load in
packet tracer

In this topology

 Two 2960 Series switches are used.

 Switch1 (Interfarce Gig1/1) is connected with Switch2 (Interface Gig1/1) via cross cable.
 Switch1 has two PCs connected on interfaces Eth0/2 and Eth0/3 via straight through cable.
 Same as switch1, Switch2 also has two PCs connected on its interfaces Eth0/2 and Eth0/3.
 IP address is configured on all PCs PC0 (192.168.1.1/24), PC1 (192.168.1.2/24), PC2 (192.168.1.3/24), PC3
(192.168.1.4/24).

Click Switch1 and click CLI menu item and press Enter Key
Following table lists necessary commands to navigate between different IOS modes with examples.

Mode Purpose Prompt Command to enter Command to exit

User EXEC Allow you to connect Router > Default mode after Use exit command
with remote devices, booting. Login with
perform basic tests, password, if
temporary change configured.
terminal setting and list
system information
Privileged Allow you to set Router # Use enable command Use exit command
EXEC operating parameters. from user exec mode
It also includes high
level testing and list
commands like show,
copy and debug.
Global Contain commands Router(config)# Use configure Use exit command
Configuration those affect the entire terminal command
system from privileged exec
mode
Interface Contain commands Router(config-if)# Use interface type Use exit command
Configuration those modify the number command to return in global
operation of an from global configuration
interface configuration mode mode
Sub-Interface Configure or modify the Router(config-subif) Use interface type sub Use exit to return
Configuration virtual interface interface number in previous mode.
created from physical command from global Use end command
interface configuration mode or to return in
interface configure privileged exec
mode mode.
Setup Used by router to Parameter[Parameter Router will Press CTRL+C to
create initial value]: automatically insert in abort. Type Yes to
configuration, if this mode if running save configuration,
running configuration is configuration is not or No to exit
not present present without saving
when asked in the
end of setup.
ROMMON If router automatically ROMMON> Enter reload command Use exit command.
enter in this mode, then from privileged exec
it indicates that it fails mode. Press CTRL +
to locate a valid IOS C key combination
image. Manual during the first 60
entrance in this mode seconds of booting
Allow you to perform process
low-level diagnostics.
How to get help on Cisco Switch command mode

Switch provides two types of context sensitive help, word help and command syntax help.

Word help

Word help is used to get a list of available commands that begin with a specific letter. For example if we
know that our command begins with letter e, we can hit enter key after typing e? At command prompt. It
will list all possible commands that begin with letter e.

We can list all available commands, if we don't know the initials of our command. For example to list all
available commands at User exec mode, just type? At command prompt and hit enter key.

Command syntax help

Command syntax help can be used to get the list of keyword, commands, or parameters that are available
starting with the keywords that we had already entered. Enter? (Question mark) after hitting Space key
and prompt will return with the list of available command options. For example to know the parameters
required by show ip command type show ip? And prompt will return with all associate parameters. If
prompt returns with <CR> only as an option, that means switch does not need any additional parameters
to complete the command. You can execute the command in current condition.
How to set name on switch

Switch name can be set from global configuration mode. Use hostname [desired hostname] command to
set name on switch.

How to set password on a Catalyst switch

Passwords are used to restrict physical access to switch. Cisco switch supports console line for local login
and VTYs for remote login. All supported lines need be secure for User Exec mode. For example if you
have secured VTYs line leaving console line unsecure, an intruder can take advantage of this situation in
connecting with device. Once you are connected with device, all remaining authentication are same. No
separate configuration is required for further modes.

Password can be set from their respective line mode. Enter in line mode from global configuration mode.
VTY term stand for virtual terminal such as telnet or SSH. Switch may support up to thousand VTYs lines.
By default first five (0 - 4) lines are enabled. If we need more lines, we have to enable them manually.
2960 Series switch supports 16 lines. We can set a separate password for each line, for that we have to
specify the number of line. In our example we set a common password for all lines.

Above method is good for small companies, where numbers of network administrators are very few. In
above method we have to share password between all administrators. Switch supports both local and
remote server authentication. Remote server authentication is a complex process and not included in any
entry level exams. For this article I am also skipping remote server method. In local database
authentication method switch allows us to set a separate password for each user. Two global
configuration commands are used to set local user database.

Switch(config)#username [Username] password[xxx]

Or
Switch(config)#username [Username] secret[xxx]

Both commands do same job. Advantage of using secret option over password option is that
in secret option password is stored in MD5 encryption format while in password option password is stored
in plain text format.

Along with User Exec mode we can also secure Privilege Exec mode. Two commands are available for it.

Switch(config)# enable password Privilege_EXEC_password

or
Switch(config)# enable secret Privilege_EXEC_password

Again as I mentioned earlier, password stored with secret command is encrypted while password stored
with password command remains in plain text. You only need to use single command. If you would use
both commands as I did, enable secret command would automatically replace the enable
password command.
How to reset switch to factory defaults

During the practice several times we have to reset switch to factory defaults. Make sure you don't run
following commands in production environment unless you understand their effect clearly. Following
commands will erase all configurations. In production environment you should always takes backup
before removing configurations. In LAB environment we can skip backup process.

Switch>enable
Switch#delete flash:vlan.dat
Delete filename [vlan.dat]? [Press Enter Key]
Delete flash:vlan.dat? [confirm] [ Reconfirm by pressing enter key]
Switch#erase startup-config
Switch#reload

How to set IP address in Switch

IP address is the address of device in network. Switch allows us to set IP address on interface level. IP
address assigned on interface is used to manage that particular interface. To manage entire switch we
have to assign IP address to VLAN1( Default VLAN of switch). We also have to set default gateway IP
address from global configuration mode. In following example we would assign IP 172.16.10.2
255.255.255.0 to VLAN1 and set default gateway to 172.16.10.1.

Switch>enable
Switch#configure terminal
Switch(config)#interface vlan1
Switch(config-if)#ip address 172.16.10.2 255.255.255.0
Switch(config-if)#exit
Switch(config)#ip default-gateway 172.16.10.1

How to set interface description

Switches have several interfaces. Adding description to interface is a good habit. It may help you in finding
correct interface. In following example we would add description Development VLAN to
interface FastEthernet 0/1.

Switch(config)#interface fastethernet 0/1

Switch(config-if)#description Development VLAN

How to clear mac address table

Switch stores MAC addresses in MAC address table. Gradually it could be full. Once it full, switch
automatically starts removing old entries. You can also clear these tables manually from privileged exec
mode. To delete all entries use following command
switch#clear mac address-table
To delete only dynamic entries use

switch#clear mac address-table dynamic

How to add static MAC address in CAM table

For security purpose sometime we have to add mac address in CAM table manually. To add static MAC
address in CAM table use following command

Switch(config)#mac address-table static aaaa.aaaa.aaaa vlan 1 interface fastethernet 0/1

In above command we entered an entry for static MAC address aaaa.aaaa.aaaa assigned to FastEnternet
0/1 with default VLAN1.

How to save running configuration in switch

Switch keeps all running configuration in RAM. All data from RAM is erased when we turned off the device.
To save running configuration use following command

Switch#copy running-config startup-config

How to set duplex mode

Switch automatically adjust duplex mode depending upon remote device. We could change this mode
with any of other supported mode. For example to force switch to use full duplex mode use

Switch(config)# #interface fastethernet 0/1

Switch(config-if)#duplex full
To use half duplex use
Switch(config)# #interface fastethernet 0/1
Switch(config-if)#duplex half
show version

show version command provides general information about device including its model number, type of
interfaces, its software version, configuration settings, location of IOS and configuration files and available
memories.
show mac-address-table

Switch stores MAC address of devices those are attached with its interfaces in CAM table. We can
use show mac-address-table command to list all learned devices. Switch uses this table to make forward
decision.

show flash

Switch stores IOS image file in flash memory. show flash command will list the content of flash memory.
This command is useful to get information about IOS file and available memory space in flash.
show running-config

Configuration parameter values are created, stored, updated and deleted from running configuration.
Running configuration is stored in RAM. We can use show running-config command to view the running
configuration.

show startup-config

Any configuration stored in RAM is erased when devices is turned off. We can save running configuration
in NVRAM. If we have saved running configuration in NVRAM, it would be automatically loaded back in
RAM from NVRAM during the next boot. As switch load this configuration back in RAM in startup of device,
at NVRAM it is known as startup-config.

show vlan
show vlan command will display the VLANs. For administrative purpose, switch automatically create VLAN
1 and assign all its interfaces to it. You can create custom VLANs from global configuration mode and then
assign them to interfaces.

show interface

show interface command displays information about interfaces. Without argument it would list all
interfaces. To get information about specific interface we need to pass its interface number as an
argument. For example to view details about FastEthernet 0/1, use show interface fastethernet 0/1.

First line from output provides information about the status of interface.

FastEthernet0/1 is up, line protocol is up ( connected)

 The first up indicates the status of the physical layer, and the second up indicates to the status of the data
link layer.

Possible interface status

 up and up :- Interface is operational.

 up and down :- Its data link layer problem.
 down and down :- Its physical layer problem.
 Administratively down and down :- Interface is disabled with shutdown command.

Possible values for physical layer status

 Up :- Switch is sensing physical layer signal.

 Down :- Switch is not sensing physical layer signal. Possible reasons could be cable is not connected, wrong
cable type is used and remote end device is turned off.
 Administratively down :- Interface is disabled by using shutdown command.

Possible values for data link layer status

 Up :- The data link layer is operational.

 Down :- The data link layer is not operational. Possible reasons could be a disabled physical layer, missed
keep alives on a serial link, no clocking or an incorrect encapsulation type.

show ip interface brief

show ip interface brief is a extremely useful command to get quick overview of all interfaces on switch. It
lists their status including IP address and protocol.

That’s all for this article.

VLAN Basic Concepts Explained with Examples

This tutorial explains basic concepts of VLAN, VLAN Membership (Static & Dynamic) and VLAN
Connections (Access link & Trunk link) in detail with VLAN examples. Learn what VLAN is and what
advantages it provides in computer network step by step.
 What is VLAN

VLAN is a logical grouping of networking devices. When we create VLAN, we actually break large broadcast
domain in smaller broadcast domains. Consider VLAN as a subnet. Same as two different subnets cannot
communicate with each other without router, different VLANs also requires router to communicate.

Advantage of VLAN
VLAN provides following advantages:-

 Solve broadcast problem

 Reduce the size of broadcast domains
 Allow us to add additional layer of security
 Make device management easier
 Allow us to implement the logical grouping of devices by function instead of location

When we connect devices into the switch ports, switch creates separate collision domain for each port
and single broadcast domain for all ports. Switch forwards a broadcast frame from all possible ports. In a
large network having hundreds of computers, it could create performance issue. Of course we could use
routers to solve broadcast problem, but that would be costly solution since each broadcast domain
requires its own port on router. Switch has a unique solution to broadcast issue known as VLAN. In
practical environment we use VLAN to solve broadcast issue instead of router.

Each VLAN has a separate broadcast domain. Logically VLANs are also subnets. Each VLAN requires a
unique network number known as VLAN ID. Devices with same VLAN ID are the members of same
broadcast domain and receive all broadcasts. These broadcasts are filtered from all ports on a switch that
aren’t members of the same VLAN.

Reduce the size of broadcast domains

VLAN increase the numbers of broadcast domain while reducing their size. For example we have a network
of 100 devices. Without any VLAN implementation we have single broadcast domain that contain 100
devices. We create 2 VLANs and assign 50 devices in each VLAN. Now we have two broadcast domains
with fifty devices in each. Thus more VLAN means more broadcast domain with less devices.

Allow us to add additional layer of security

VLANs enhance the network security. In a typical layer 2 network, all users can see all devices by default.
Any user can see network broadcast and responds to it. Users can access any network resources located
on that specific network. Users could join a workgroup by just attaching their system in existing switch.
This could create real trouble on security platform. Properly configured VLANs gives us total control over
each port and users. With VLANs, you can control the users from gaining unwanted access over the
resources. We can put the group of users that need high level security into their own VLAN so that users
outside from VLAN can’t communicate with them.

Make device management easier

 Device management is easier with VLANs. Since VLANs are a logical approach, a device can be located
anywhere in the switched network and still belong to the same broadcast domain. We can move a user
from one switch to another switch in same network while keeping his original VLAN. For example our
company has a five story building and a single layer two network. In this scenario, VLAN allows us to move
the users from one floor to another floor while keeping his original VLAN ID. The only limitation we have
is that device when moved, must still be connected to the same layer 2 network.

Allow us to implement the logical grouping of devices by function instead of location

VLANs allow us to group the users by their function instead of their geographic locations. Switches
maintain the integrity of your VLANs. Users will see only what they are supposed to see regardless what
their physical locations are.

In switch we can created 4096 No of VLANS.

Default vlan -1

In normal mode 2- 1001

In default mode 1002–1005 used for token ring

In extend and primary mode 1006–4096

These are the vlan nos we can created in the switch.

VLAN Examples
To understand VLAN more clearly let's take an example.

 Our company has three offices.

 All offices are connected with back links.
 Company has three departments Development, Production and Administration.
 Development department has six computers.
 Production department has three computers.
 Administration department also has three computers.
 Each office has two PCs from development department and one from both production and administration
department.
 Administration and production department have sensitive information and need to be separate from
development department.

With default configuration, all computers share same broadcast domain. Development department can
access the administration or production department resources.

With VLAN we could create logical boundaries over the physical network. Assume that we created three
VLANs for our network and assigned them to the related computers.

 VLAN Admin for Administration department

 VLAN Dev for Development department
 VLAN Pro for Production department

Physically we changed nothing but logically we grouped devices according to their function. These groups
[VLANs] need router to communicate with each other. Logically our network look likes following diagram.

With the help of VLAN, we have separated our single network in three small networks. These networks
do not share broadcast with each other improving network performance. VLAN also enhances the
security. Now Development department cannot access the Administration and Production department
directly. Different VLAN can communicate only via Router where we can configure wild range of security
options.

So far in this article we have explained VLAN, in following section we will explain VLAN terms in more
details.

VLAN Membership
VLAN membership can be assigned to a device by one of two methods

1. Static
2. Dynamic
 These methods decide how a switch will associate its ports with VLANs.

Static

Assigning VLANs statically is the most common and secure method. It is pretty easy to set up and
supervise. In this method we manually assign VLAN to switch port. VLANs configured in this way are
usually known as port-based VLANs.

Static method is the most secure method also. As any switch port that we have assigned a VLAN will keep
this association always unless we manually change it. It works really well in a networking environment
where any user movement within the network needs to be controlled.

Dynamic

In dynamic method, VLANs are assigned to port automatically depending on the connected device. In this
method we have configure one switch from network as a server. Server contains device specific
information like MAC address, IP address etc. This information is mapped with VLAN. Switch acting as
server is known as VMPS (VLAN Membership Policy Server). Only high end switch can configured as VMPS.
Low end switch works as client and retrieve VLAN information from VMPS.

Dynamic VLANs supports plug and play movability. For example if we move a PC from one port to another
port, new switch port will automatically be configured to the VLAN which the user belongs. In static
method we have to do this process manually.

VLAN Connections
During the configuration of VLAN on port, we need to know what type of connection it has.

Switch supports two types of VLAN connection

 Access link
 Trunk link

Access link

Access link connection is the connection where switch port is connected with a device that has a
standardized Ethernet NIC. Standard NIC only understand IEEE 802.3 or Ethernet II frames. Access link
connection can only be assigned with single VLAN. That means all devices connected to this port will be
in same broadcast domain.

For example twenty users are connected to a hub, and we connect that hub with an access link port on
switch, then all of these users belong to same VLAN. If we want to keep ten users in another VLAN, then
we have to purchase another hub. We need to plug in those ten users in that hub and then connect it with
another access link port on switch.
 Trunk link

Trunk link connection is the connection where switch port is connected with a device that is capable to
understand multiple VLANs. Usually trunk link connection is used to connect two switches or switch to
router. Remember earlier in this article I said that VLAN can span anywhere in network, that is happen
due to trunk link connection. Trunking allows us to send or receive VLAN information across the network.
To support trunking, original Ethernet frame is modified to carry VLAN information.

Trunk Tagging

In trunking a separate logical connection is created for each VLAN instead of a single physical connection.
In tagging switch adds the source port’s VLAN identifier to the frame so that other end device can
understands what VLAN originated this frame. Based on this information destination switch can make
intelligent forwarding decisions on not just the destination MAC address, but also the source VLAN
identifier.

Since original Ethernet frame is modified to add information, standard NICs will not understand this
information and will typically drop the frame. Therefore, we need to ensure that when we set up a trunk
connection on a switch’s port, the device at the other end also supports the same trunking protocol and
has it configured. If the device at the other end doesn’t understand these modified frames it will drop
them. The modification of these frames, commonly called tagging. Tagging is done in hardware by
application-specific integrated circuits (ASICs).

Switch supports two types of Ethernet trunking methods:

 ISL [ Inter Switch Link, Cisco’s proprietary protocol for Ethernet ]

 Dot1q [ IEEE’s 802.1Q, protocol for Ethernet]

That's all for this part. In next part of this article we will practically implement what we have learnt from
this part on Cisco switches.
VLAN Configuration Commands Step by Step Explained

This tutorial explains how to create and assign VLAN, VLAN Membership (Static and Dynamic), Router on
Stick and Spanning Tree Protocol (STP) in detail with practical examples in packet tracer. Learn how to
create and manage VLAN in Cisco switch step by step.

Create a practice lab in packet tracer as shown in following figure or download pre-created practice lab
from second part of this tutorial.

In practice lab network Office1 Switch is configured as VTP Server. Office2 and Office3 switches are
configured as VTP clients. We only need to create VLANs in VTP Server. VTP Server will propagate this
information to all VTP clients automatically.

vlan vlan number command is used to create the VLAN.

Office 1 Switch

S1(config)#vlan 10
S1(config-vlan)#exit
S1(config)#vlan 20
S1(config-vlan)#exit
S1(config)#

Assigning VLAN Membership: VLAN can be assigned statically or dynamically. CCNA exam only includes
static method; therefore we will also use static method to assign VLAN membership. switchport access
vlan [vlan number ] command is used to assign VLAN to the interface. Following commands will assign
VLANs to the interfaces.
Office 1 Switch

S1(config)#interface fastEthernet 0/1

S1(config-if)#switchport access vlan 10
S1(config-if)#interface fastEthernet 0/2
S1(config-if)#switchport access vlan 20
Office 2 Switch

S2(config)#interface fastEthernet 0/1

S2(config-if)#switchport access vlan 10
S2(config-if)#interface fastEthernet 0/2
S2(config-if)#switchport access vlan 20
Office 3 Switch

S3(config)#interface fastEthernet 0/1

S3(config-if)#switchport access vlan 10
S3(config-if)#interface fastEthernet 0/2
S3(config-if)#switchport access vlan 20

We have successfully assigned VLAN membership. It's time to test our configuration. To test this
configuration, we will use ping command. ping command is used to test connectivity between two
devices. As per our configuration, devices from same VLAN can communicate. Devices from different
VLANs must not be able to communicate with each other without router.

Testing VLAN configuration

Access PC's command prompt to test VLAN configuration. Double click PC-PT and click Command Prompt

We have two VLAN configurations VLAN 10 and VLAN 20. Let's test VLAN 10 first. In VLAN 10 we have
three PCs with IP addresses 10.0.0.2, 10.0.0.3 and 10.0.0.4. These PCs must be able to communicate with
each other's. At this point PCs from VLAN 10 should not be allowed to access PCs from VLAN 20. VLAN 20
also has three PCs 20.0.0.2, 20.0.0.3 and 20.0.0.4.
We have successfully implemented VLAN 10 now test VLAN 20.

Same as VLAN 10, PCs from VLAN 20 must be able to communicate with other PCs of same VLAN while
they should not be able to access VLAN 10.

Congratulations we have successfully achieved one more mile stones of this article.

Configure Router on Stick

Typically routers are configured to receive data on one physical interface and forward that data from
another physical interface based on its configuration. Each VLAN has a layer 3 address that should be
configured as default gateway address on all its devices. In our scenario we reserved IP address 10.0.0.1
for VLAN 10 and 20.0.0.1 for VLAN 20.

With default configuration we need two physical interfaces on router to make this intra VLAN
communication. Due to price of router, it’s not a cost effective solution to use a physical interface of router
for each VLAN. Usually a router has one or two Ethernet interface. For example if we have 50 VLANs, we
would need nearly 25 routers in order to make intra VLANs communications. To deal with situation we
use Router on Stick.
 Router on Stick is router that supports trunk connection and has an ability to switch frames between the
VLANs on this trunk connection. On this router, single physical interface is sufficient to make
communication between our both VLANs.

Access command prompt of Router

To configure Router on Stick we have to access CLI prompt of Router. Click Router and Click CLI from menu
items and Press Enter key to access the CLI

Run following commands in same sequence to configure Router on Stick

Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface fastEthernet 0/0
Router(config-if)#no ip address
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface fastEthernet 0/0.10
Router(config-subif)#encapsulation dot1Q 10
Router(config-subif)#ip address 10.0.0.1 255.0.0.0
Router(config-subif)#exit
Router(config)#interface fastEthernet 0/0.20
Router(config-subif)#encapsulation dot1Q 20
Router(config-subif)#ip address 20.0.0.1 255.0.0.0
Router(config-subif)#exit

 In above configuration we broke up single physical interface [FastEthernet 0/0] into two logical interfaces,
known as sub-interfaces. Router supports up to 1000 interfaces including both physical and logical.
 By default interface link works as access link. We need to change it into trunk link. encapsulation
commands specify the trunk type and associate VLAN with sub-interface.
 In next step we assigned IP address to our sub-interface.

That's all configuration we need to switch VLANs. Now we can test different VLAN communications. To
test intra VLANs communication open command prompt of PC and ping the PC of other VLAN.
PC [10.0.0.3] from VLAN 10 can now access PC [20.0.0.2] from VLAN 20.

Inter VLAN Routing by Layer 3 Switch

Normally, Routers are used to divide broadcast domain and switches (at layer 2) Operates in a single
broadcast domain but Switches can also divide broadcast domain by using the concept of VLAN (Virtual
LAN).

Vlan is logical grouping of devices in same or different broadcast domain. By default, all the switch ports
are in Vlan 1. As the single broadcast domain is divided into multiple broadcast domains, Routers or layer
3 switches are used for intercommunication between the different Vlans.The process of
intercommunication of the different Vlans is known as Inter Vlan Routing (IVR).
Suppose we have made 2 logical group of devices (vlan) named sales and finance.If a device in sales
department wants to communicate with a device in finance department, inter Vlan routing has to be
performed. These can be performed by either router or layer 3 switches.

Switch Virtual Interface (SVI) –

SVI is a logical interface on a multilayer switch which provides layer 3 processing for packets to all switch
ports associated with that VLAN.A single SVI can be created for a Vlan. SVI for layer 3 switch provides
both management and routing services while SVI on layer 2 switch provides only management services
like creating vlans or telnet/SSH services.

Process of Inter Vlan Routing by Layer 3 Switch –

The SVI created for the respective Vlan acts a default gateway for that Vlan just like the sub-interface of
the router (in the process of Router On a stick). If the packet is to be delivered to different vlan i.e inter
Vlan Routing is to be performed on layer 3 switch then first the packet is delivered to layer 3 switch and
then to destination just like in the process of router on a stick.
Configuration –

Here is a topology in which we have a layer 3 switch connected to host devices namely PC1, PC2, PC3,
PC4. The hosts PC1, PC2 will be in Vlan 10 and PC3, PC4 will be in Vlan 20. Giving IP address to All hosts.
PC1-192.168.1.10/24, PC2-192.168.1.20/24, PC3 – 192.168.2.10/24, PC4-192.168.2.20/24.
Now creating vlans on layer 3 switch namely vlan 2 on the switch ports fa0/1, 2 and fa0/3, 4 for vlan 3.
Switch# vlan 2
Switch# vlan 3
Switch# int range fa0/1-2
Switch# switchport access vlan 2
Switch# int range fa0/3-4
Switch# switchport access vlan 3
Now creating SVI for vlan 2 giving it IP address 192.168.1.1/24 and SVI for vlan 3 giving IP address
192.168.2.1/24
Switch# ip routing
Switch# int vlan 2
Switch# ip address 192.168.1.1 255.255.255.0
Switch# int vlan 3
Switch# ip address 192.168.2.1 255.255.255.0
Now if we will try to ping PC1 to PC4.
The packet is first delivered to switch then to the destination. As the destination is present in other
networks, the packet will be first delivered to switch which has a SVI for both vlans (acts as gateway).
Advantages –
In Router on a stick method, both switch and router are needed but while using layer 3 switch, a single
switch will perform inter-vlan routing as well as the layer 2 functions (Vlan), therefore this method is
cost effective and also less configuration is needed.
Voice VLAN – Auxiliary VLAN
The terms Voice VLAN or Auxiliary VLAN typically mean the same thing: They are a feature which allows
an access port — which normally only accepts untagged traffic for a single VLAN — to also
accept tagged traffic for a second VLAN.
Before we get into the details, it is important to have a solid understanding of VLANs. Namely the purpose
of VLANs, Access Ports, Trunk Ports, the Native VLAN, the configuration of VLANs, and the concept of
a Converged Network. If these concepts are not familiar to you, start by reading
the articles and videos which explain them.

Also, the terms themselves are generally interchangeable. Voice VLAN is more often used in the Cisco
context because of the command used to configure it, while Auxiliary VLAN is typically the name of the
feature itself.

Voice VLAN Functionality

Imagine office cubicles. Imagine each cubicle contains a desk and a computer which an employee uses to
connect to your corporate network.

When this office floor was being built, network cables were ran through the walls and ceilings from each
position on the cubicle floor to the network closet where the access switch for the corporate network
exists.

These cable runs are sometimes called “LAN drops” – a place an employee can connect locally (from their
cubicle) into the corporate network switch (behind lock and key in the network cabinet).

You end up with a topology that looks something like this (image not drawn to scale):

Traditionally, there was one LAN drop for each cubicle.

This was sufficient when employees only had one PC or Laptop to connect to the network. They would
simply plug in locally at the cubicle, and the wall jack would lead back to the corporate network switch.
The switchport would be configured as an access port in the VLAN associated with that employee’s role.
The PC sends untagged data traffic, and the switch associates that traffic with the Data VLAN. On a Cisco
switch, the configuration would resemble something like the following:

Switch(config)# vlan 22
Switch(config-vlan)# name DATA

Switch(config)# interface ethernet0/0

Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 22

It is worth highlighting that (typically) PCs always send untagged traffic – this point will be important
shortly.

As time went on, phones which could carry Voice traffic over the IP network (VOIP phones) started being
developed. Which leaves us with a problem — if a VOIP phone is added to each desk, where could you
plug it in to get access to the corporate network? There is only one available wall jack and it is already in
use by the PC.

Voice and Data using two ports

One solution is to run a second LAN drop to each cubicle. This is the simplest solution from the networking
perspective:

One port is dedicated to carrying Data traffic, the other is dedicated to carrying Voice traffic. They are
distinguished on the Switch using a simple access port in two different VLANs (the Data VLAN and
the Voice VLAN):
Switch(config)# vlan 22
Switch(config-vlan)# name DATA
Switch(config)# vlan 33
Switch(config-vlan)# name VOICE

Switch(config)# interface ethernet0/0

Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 22
Switch(config)# interface ethernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 33

Most modern office buildings now include multiple ports at each cubicle in order to account
for multiple devices that need to be connected to the corporate network. Unfortunately, this wasn’t
always an option for office’s which were not recently built.

Voice and Data using one port

A lot of older office build outs, which already only have one LAN drop at each cubicle, simply cannot afford
the additional cost or delays to pay another technician to crawl through all the ceilings and walls to run
another LAN drop to each cubicle. Which means the cubicles are limited to a single LAN drop per
employee.

VOIP phone manufacturers were able to foresee this problem, and created another solution built right
into the VOIP phones themselves.

The majority of VOIP phones come with two Ethernet ports: One meant to face the wall jack (and
subsequently, the corporate LAN), the other meant to face a PC:
Using these two ports, the PC can be connected to the phone, and the phone can subsequently be
connected to the single wall jack. This allows both devices to share a single wall jack.

The key is how to configure the switch, as now the single port will be receiving both Voice and Data traffic.
We’ve already determined that Voice and Data traffic must be confined to distinct VLANs, but
now both types of traffic are arriving on a single port.

There are two solutions: One solution is to configure the port as a Trunk port. The other is to make use of
the Auxiliary VLAN (or Voice VLAN) feature. Both solutions are discussed and compared below.
 Voice and Data using a Trunk port and the Native VLAN
Traditionally, if you want to carry traffic for multiple VLANs on a single port, you would configure a Trunk
port.

This would allow traffic for multiple VLANs to traverse the single link. But typically traffic on trunk ports
require tagging to distinguish which bits belong to one VLAN and which bits belong to another VLAN.

VOIP phones have the capacity to send and understand 802.1q VLAN tags, and can therefore be
configured to send a VLAN tag for all the Voice traffic.

PC’s, as we’ve already discussed, only send untagged traffic. As such, the switch must have a way to
associate the received untagged traffic on the trunk port to a particular VLAN. This is the exact purpose
of the Native VLAN.

Therefore, in order to properly configure a single port to accommodate both a Voice and Data VLAN, you
must first configure the interface as a Trunk port, then configure the Data VLAN as the Native VLAN:

Switch(config)# vlan 22
Switch(config-vlan)# name DATA
Switch(config)# vlan 33
Switch(config-vlan)# name VOICE

Switch(config)# interface ethernet0/0

Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk native vlan 22

Voice traffic will arrive from the VOIP phone with a tag for VLAN 33. And Data traffic will arrive from the
PC untagged (forwarded untouched by the VOIP phone) and be associated to VLAN 22 because of the
Native VLAN configuration.

While on the surface, this solution does work, we have to go a step further. There are, in fact, two
problems with using a Trunk port to carry both Voice and Data traffic.

Problem #1: Configured as above, all VLANs on the switch will traverse the trunk link
If there are only two VLANs configured on the switch (as above), then this isn’t really a problem.

If however, you had more than just two VLANs configured, such as:
Switch(config)# vlan 22
Switch(config-vlan)# name DATA_Sales
Switch(config)# vlan 33
Switch(config-vlan)# name VOICE_Sales
Switch(config)# vlan 44
Switch(config-vlan)# name DATA_Marketing
Switch(config)# vlan 55
Switch(config-vlan)# name VOICE_Marketing

Switch(config)# interface ethernet0/0

Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk native vlan 22

Then traffic for all four VLANs would be sent down the trunk port. Leading to, at best, possible link
saturation, or at worst, data leakage.

The solution would be to add yet another configuration item to the interface to limit which VLANs are
able to traverse the trunk port:

Switch(config)# interface ethernet0/0

Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk native vlan 22
Switch(config-if)# switchport trunk allowed vlan 22,33

This will limit the VLANs which can traverse this trunk to only the necessary VLANs.

Problem #2: The interface will not benefit from traffic optimizations that apply to Access ports

Spanning tree has an optimization known as Portfast which speeds up how quickly an access port is
enabled.

Spanning tree also has an optimization known as BPDU guard which also (by default) only applies to access
ports.
Port Security (by default) only applies to access ports.

There are other optimizations that exist for access ports that are tailored to ports facing network clients
— like PC’s and VOIP phones.

If the interface facing your VOIP phone and PC is configured as a trunk port, it will not be able to take
advantage of the optimizations which exist for access ports.

Of course, for each of these optimizations there are manual overrides that can be applied, but it increases
the complexity of the network configuration. Besides, there is a much simpler solution to using a Trunk
port for Voice and Data VLANs on a single port, and that solution is what this article has been building
towards.

The more optimal solution is to use the Auxiliary VLAN feature (also known as the Voice VLAN).

Voice and Data using an Access port and the Auxiliary VLANs
And so, we’ve finally come to the primary purpose of this article – to describe the specific problems that
are solved by the Auxiliary VLANs feature. Namely, the problem serves as an answer to the following
question (note: illustration is identical to the one above):

In situations where only one physical port is available on your switch, how do you accept and receive
Voice and Data traffic on one switchport while still keeping them in independent VLANs?

The solution:

First, use the VOIP phone’s built in switch – connect the PC to the phone, and the “LAN” port of the phone
to the wall jack (which subsequently leads to the switchport).
Second, use the Auxillary VLAN configuration to accept the tagged voice traffic from the VOIP phone, and
untagged traffic from the PC:

Switch(config)# vlan 22
Switch(config-vlan)# name DATA
Switch(config)# vlan 33
Switch(config-vlan)# name VOICE

Switch(config)# interface ethernet0/0

Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 22
Switch(config-if)# switchport voice vlan 33

With this configuration, traffic arriving on the single available switchport will still be accepted in two
different VLANs on your network. Allowing you to separate Voice and Data traffic, despite it arriving on
the same physical switchport.

NATIVE VLAN

There are two types of switch ports. Trunk and access. Access ports can carry traffic for only one vlan and
that traffic is untagged. Trunk ports carry traffic for multiple vlans and the traffic is tagged with the vlan
id.

Native vlan on a trunk port is the vlan to which any untagged traffic on the trunk port is assigned.

Default behavior is that vlan 1 is the native vlan on a switchport

Switchport Port Security Explained With Examples

This tutorial explains Switchport security modes (Protect, Restrict and Shutdown), sticky address, mac
address, maximum number of hosts and Switchport security violation rules in detail with examples. Learn
how to secure a switch port with Switchport security feature step by step.

Anyone can access unsecure network resources by simply plugging his host into one of our available switch
ports. A user can also change his physical location in LAN network without telling the admin. You can
secure layer two accesses as well as keep users in their tracks by using port security feature.

To explain Switchport port security modes and commands, I will use packet tracer network simulator
software. You can use any network simulator software or can use a real Cisco switch to follow this guide.
There is no difference in output as long as your selected software contains the commands explained in
this tutorial.

Create a simple practice lab as shown in following figure.

Click PC0 and Click Desktop and Click IP Configuration and select Static from radio options and assign the
IP address (10.0.0.10) and subnet mask (255.0.0.0)

Follow same process to assign IP address (10.0.0.20) and subnet mask (255.0.0.0) to PC1.

Click Server0 and click Desktop and click IP Configuration and select Static from radio options and assign
IP address (10.0.0.100) and subnet mask (255.0.0.0)
That's all initial configuration we need to understand the switch port security.

How to configure port security

To configure port security we need to access the command prompt of switch.

Click Switch and click CLI and press Enter Key.

Port can be secure from interface mode. Use enable command to move in Privilege Exec mode. From
Privilege Exec mode use configure terminal command to enter in Global Configuration mode. From global
configuration mode enter in specific interface.

Following figure illustrates available commands for port security.

 How to enable switchport port-security
Port security is disabled by default. switchport port-security command is used to enables it.

Port security feature does not work on three types of ports.

 Trunk ports
 Ether channel ports
 Switch port analyzer ports

Port security work on host port. In order to configure port security we need to set it as host port. It could
be done easily by switchport mode access command.

switchport port-security limit maximum number of hosts

According to our requirements we can limit the number hosts that can be associated with an interface.
We can set this limit anywhere from 1 to 132. Maximum number of devices that can be associated with
the interface is 132. By default it is set to 1. switchport port-security maximum value command will set
the maximum number of hosts.

switchport port-security mac address

We have two options static and dynamic to associate mac address with interface.

In static method we have to manually define the exact mac address of host with switchport port-security
mac-address MAC_address command. This is the most secure method but requires a lot of manual works.

In dynamic method we use sticky feature that allows interface to learn mac address automatically.
Interface will learn mac addresses until it reaches maximum number of allowed hosts.

switchport port-security violation

We need to specify what action; it should take in security violation. Three possible modes are available:

Protect: - This mode will only work with sticky option. In this mode frames from non-allowed address
would be dropped. It will not make log entry for dropped frames. Interface will learn address until it reach
maximum allowed number. Any additionally learned addresses would be dropped while keeping interface
operational.

Restrict: - In restrict mode frames from non-allowed address would be dropped. But in this mode, switch
will make a log entry and generate a security violation alert.

Shutdown: - In this mode switch will generate the violation alert and disable the port. Only way to re-
enable the port is to manually enter no shutdown command. This is the default violation mode.

switchport port security example

In our topology PC0 is connected with F0/1 port of switch. Enter following commands to secure F0/1 port.
Following table explains above commands in detail

Command Description

Switch>enable Move in privilege exec mode

Switch#configure terminal Move in global configuration mode

Switch(config)#interface fastethernet 0/1 Move in interface mode

Switch(config-if)#switchport mode access Assign port as host port

Switch(config-if)#switchport port-security Enable port security feature on this port

Switch(config-if)#switchport port-security Set limit for hosts that can be associated with interface.
maximum 1 Default value is 1. Skip this command to use default value.

Switch(config-if)#switchport port-security violation Set security violation mode. Default mode is shutdown. Skip
shutdown this command to use default mode.

Switch(config-if)#switchport port-security mac- Enable sticky feature.

address sticky

We have successfully secured F0/1 port of switch. We used dynamic address learning feature of interface.
Switch will associate first learned mac address (on interface F0/1) with this port. You can check MAC
Address table for currently associated address.
So far no mac address is associated with F0/1 port. Switch learns mac address from incoming frames.

We need to generate frame from PC0 that would be receive on F0/1 port of switch. ping command is used
to test the connectivity between two hosts. In our scenario we have connectivity between server and pc.
We can use this utility to generate frames from PC0.

To access command prompt of PC0 click PC0 and click Desktop menu item and click Command Prompt.
Use ping command to generate frames.
Now check again the MAC Address table on switch.

One interesting thing that you may notice here is the type. Switch learns this address dynamically but it is
showing as STATIC. This is the magic of sticky option, which we used with port security command. Sticky
option automatically converts dynamically learned address in static address.

Switchport port security testing

In our topology we have one additional PC. Assume that, this is the cracker's PC. To gain unauthorized
access in network he unplugged the Ethernet cable from pc (PC0) and plugged in his pc (PC1).

Click red X button on the right hand partition of packet tracer window and place the X over the connection
between Switch and PC0. This will remove the connection.
Click lightning bolt button on the bottom left-handed corner and click copper straight–through
connection.

Click PC1 and select FastEthernet port. Next click Switch and select the same F0/1 port.

From the command prompt of PC1 try to ping the Server IP.

What happened this time? Why ping command did not get response from server? Because switch
detected the mac address change and shutdown the port.

Verify port security

We have three commands to verify the port security

show port-security

This command displays port security information about all the interfaces on switch.

show port-security address

Display statically defined or dynamically learned address with port security.

show port-security interface interface

Display port security information about the specific interface.

How to reset an interface that is disabled due to violation of port security

When an interface is down due to port security violation, we have two options to bring it back. First is
following global configuration mode command

Switch(config)# errdisable recovery cause psecure-violation

This command neither includes in CCNA exam nor available in packet tracer.

Second option is manually restart the interface. Unplugged cable from unauthorized pc and plugged back
it to authorized pc.

Run following commands on switch and test connectivity from pc

That’s all for this article.