Professional Documents
Culture Documents
Figure 7-1 Campus LAN and Data Center LAN, Conceptual Drawing
To forward traffic from a user device to a server and back, each switch performs the same kind of logic, independently
from each other. The first half of this chapter examines the logic: how a switch chooses to forward an Ethernet frame,
when the switch chooses to not forward the frame, and so on.
Overview of Switching Logic
Ultimately, the role of a LAN switch is to forward Ethernet frames. LANs exist as a set of user devices, servers, and
other devices that connect to switches, with the switches connected to each other. The LAN switch has one primary job:
to forward frames to the correct destination (MAC) address. And to achieve that goal, switches use logic—logic based on
the source and destination MAC address in each frame s Ethernet header.
LAN switches receive Ethernet frames and then make a switching decision: either forward the frame out some other
ports or ignore the frame. To accomplish this primary mission, switches perform three actions:
1. Deciding when to forward a frame or when to filter (not forward) a frame, based on the destination MAC address
2. Preparing to forward frames by learning MAC addresses by examining the source MAC address of each frame
received by the switch
3. Preparing to forward only one copy of the frame to the destination by creating a (Layer 2) loop-free environment with
other switches by using Spanning Tree Protocol (STP)
The first action is the switch s primary job, whereas the other two items are overhead functions.
Note
Throughout this book s discussion of LAN switches, the terms switch port and switch interface are synonymous.
Although Chapter 2 s section titled “Ethernet Data-Link Protocols already discussed the frame format, this discussion
of Ethernet switching is pretty important, so reviewing the Ethernet frame at this point might be helpful. Figure 7-2
shows one popular format for an Ethernet frame. Basically, a switch would take the frame shown in the figure, make a
decision of where to forward the frame, and send the frame out that other interface.
A switch s MAC address table lists the location of each MAC relative to that one switch. In LANs with multiple switches,
each switch makes an independent forwarding decision based on its own MAC address table. Together, they forward
the frame so that it eventually arrives at the destination.
For example, Figure 7-4 shows the first switching decision in a case in which Fred sends a frame to Wilma, with
destination MAC 0200.3333.3333. The topology has changed versus the previous figure, this time with two switches,
and Fred and Wilma connected to two different switches. Figure 7-3 shows the first switch s logic, in reaction to Fred
sending the original frame. Basically, the switch receives the frame in port F0/1, finds the destination MAC
(0200.3333.3333) in the MAC address table, sees the outgoing port of G0/1, so SW1 forwards the frame out its G0/1 port.
The examples so far use switches that happen to have a MAC table with all the MAC addresses listed. As a result, the
destination MAC address in the frame is known to the switch. The frames are called known unicast frames, or simply
known unicasts, because the destination address is a unicast address, and the destination is known. As shown in
these examples, switches forward known unicast frames out one port: the port as listed in the MAC table entry for that
MAC address.
Learning MAC Addresses
Thankfully, the networking staff does not have to type in all those MAC table entries. Instead, the switches do their
second main function: to learn the MAC addresses and interfaces to put into its address table. With a complete MAC
address table, the switch can make accurate forwarding and filtering decisions as just discussed.
Switches build the address table by listening to incoming frames and examining the source MAC address in the frame.
If a frame enters the switch and the source MAC address is not in the MAC address table, the switch creates an entry in
the table. That table entry lists the interface from which the frame arrived. Switch learning logic is that simple.
Figure 7-6 depicts the same single-switch topology network as Figure 7-3, but before the switch has built any address
table entries. The figure shows the first two frames sent in this network—first a frame from Fred, addressed to Barney,
and then Barney s response, addressed to Fred.
Figure 7-6 Switch Learning: Empty Table and Adding Two Entries
(Figure 7-6 depicts the MAC learning process only, and ignores the forwarding process and therefore ignores the
destination MAC addresses.)
Focus on the learning process and how the MAC table grows at each step as shown on the right side of the figure. The
switch begins with an empty MAC table, as shown in the upper right part of the figure. Then Fred sends his first frame
(labeled “1 ) to Barney, so the switch adds an entry for 0200.1111.1111, Fred s MAC address, associated with interface
F0/1. Why F0/1? The frame sent by Fred entered the switch s F0/1 port. SW1 s logic runs something like this: “The
source is MAC 0200.1111.1111, the frame entered F0/1, so from my perspective, 0200.1111.1111 must be reachable
out my port F0/1.
Continuing the example, when Barney replies in Step 2, the switch adds a second entry, this one for 0200.2222.2222,
Barney s MAC address, along with interface F0/2. Why F0/2? The frame Barney sent entered the switch s F0/2 interface.
Learning always occurs by looking at the source MAC address in the frame, and adds the incoming interface as the
associated port.
Flooding Unknown Unicast and Broadcast Frames
Now again turn your attention to the forwarding process, using the topology in Figure 7-5 . What do you suppose the switch
does with Fred s first frame, the one that occurred when there were no entries in the MAC address table? As it turns out,
when there is no matching entry in the table, switches forward the frame out all interfaces (except the incoming
interface) using a process called flooding . And the frame whose destination address is unknown to the switch is called
an unknown unicast frame, or simply an unknown unicast.
Switches flood unknown unicast frames. Flooding means that the switch forwards copies of the frame out all ports,
except the port on which the frame was received. The idea is simple: if you do not know where to send it, send it
everywhere, to deliver the frame. And, by the way, that device will likely then send a reply—and then the switch can
learn that device s MAC address, and forward future frames out one port as a known unicast frame.
Switches also flood LAN broadcast frames (frames destined to the Ethernet broadcast address of FFFF.FFFF.FFFF),
because this process helps deliver a copy of the frame to all devices in the LAN.
For example, Figure 7-7 shows the same first frame sent by Fred, when the switch s MAC table is empty. At step 1, Fred
sends the frame. At step 2, the switch sends a copy of the frame out all three of the other interfaces.
Figure 7-7 Switch Flooding: Unknown Unicast Arrives, Floods out Other Ports
Avoiding Loops Using Spanning Tree Protocol
The third primary feature of LAN switches is loop prevention, as implemented by Spanning Tree Protocol (STP). Without
STP, any flooded frames would loop for an indefinite period of time in Ethernet networks with physically redundant links.
To prevent looping frames, STP blocks some ports from forwarding frames so that only one active path exists between
any pair of LAN segments.
The result of STP is good: Frames do not loop infinitely, which makes the LAN usable. However, STP has negative
features as well, including the fact that it takes some work to balance traffic across the redundant alternate links.
A simple example makes the need for STP more obvious. Remember, switches flood unknown unicast frames and
broadcast frames. Figure 7-8 shows an unknown unicast frame, sent by Larry to Bob, which loops forever because the
network has redundancy but no STP. Note that the figure shows one direction of the looping frame only, just to reduce
clutter, but a copy of the frame would also loop the other direction as well.
Figure 7-8 Network with Redundant Links but Without STP: The Frame Loops Forever
The flooding of this frame would cause the frame to rotate around the three switches, because none of the switches list
Bob s MAC address in their address tables, each switch floods the frame. And while the flooding process is a good
mechanism for forwarding unknown unicasts and broadcasts, the continual flooding of traffic frames as in the figure can
completely congest the LAN to the point of making it unusable.
A topology like Figure 7-8, with redundant links, is good, but we need to prevent the bad effect of those looping frames. To
avoid Layer 2 loops, all switches need to use STP. STP causes each interface on a switch to settle into either a blocking
state or a forwarding state. Blocking means that the interface cannot forward or receive data frames, while forwarding
means that the interface can send and receive data frames. If a correct subset of the interfaces is blocked, only a single
currently active logical path exists between each pair of LANs.
Note
STP behaves identically for a transparent bridge and a switch. Therefore, the terms bridge , switch , and bridging device
all are used interchangeably when discussing STP.
The Cisco CCNA Routing and Switching ICND2 200-105 Official Cert Guide book covers the details of how STP prevents
loops.
LAN Switching Summary
Switches use Layer 2 logic, examining the Ethernet data-link header to choose how to process frames. In particular,
switches make decisions to forward and filter frames, learn MAC addresses, and use STP to avoid loops, as follows:
The interfaces are enabled by default, ready to start working once a cable is connected.
Use the erase startup-config EXEC command to erase the startup-config file
Use the delete vlan.dat EXEC command to delete the VLAN configuration details
Use the reload EXEC command to reload the switch (thereby using the empty startup-config, with no VLAN
information configured)
First, focus on two columns of the table: the Mac Address and Ports columns of the table. The values should look
familiar: they match the earlier single-switch example, as repeated here as Figure 7-9. Note the four MAC addresses
listed, along with their matching ports, as shown in the figure.
Focus on the port column for a moment. As a reminder, Cisco Catalyst switches name their ports based on the fastest
specification supported, so in this case, the switch has 24 interfaces named Fast Ethernet, and two named Gigabit
Ethernet. Many commands abbreviate those terms, this time as Fa for Fast Ethernet and Gi for Gigabit Ethernet. (The
example happens to come from a Cisco Catalyst switch that has 24 10/100 ports and two 10/100/1000 ports.)
The Status column of course tells us the status or state of the port. In this case, the lab switch had cables and devices
connected to ports F0/1–F0/4 only, with no other cables connected. As a result, those first four ports have a state of
connected, meaning that the ports have a cable and are functional. The notconnect state means that the port is not yet
functioning. It may mean that there is no cable installed, but other problems may exist as well. (The section “Analyzing
Switch Interface Status and Statistics, in Chapter 12 , “Troubleshooting Ethernet LANs, works through the details of
what causes a switch interface to fail.)
Note
You can see the status for a single interface in a couple of ways. For instance, for F0/1, the command show interfaces
f0/1 status lists the status in a single line of output as in Example 7-2 . The show interfaces f0/1 command (without
the status keyword) displays a detailed set of messages about the interface.
The show interfaces command has a large number of options. One particular option, the counters option, lists
statistics about incoming and outgoing frames on the interfaces. In particular, it lists the number of unicast, multicast,
and broadcast frames both the in and out direction, and a total byte count for those frames. Example 7-3 shows an
example, again for interface F0/1.
Example 7-3 show interfaces f0/1 counters on Switch SW1
Click here to view code image
While useful, often times the engineer troubleshooting a problem does not know the MAC addresses of the devices
connected to the network. Instead, the engineer has a topology diagram, knowing which switch ports connect to other
switches and which connect to endpoint devices.
Sometimes you might be troubleshooting while looking at a network topology diagram, and want to look at all the MAC
addresses learned off a particular port. IOS supplies that option with the show mac address-table dynamic
interface command. Example 7-5 shows one example, for switch SW1 s F0/1 interface.
Example 7-5 show mac address-table dynamic with the interface Keyword
Click here to view code image
Finally, you may also want to find the MAC address table entries for one VLAN. You guessed it—you can add the vlan
parameter, followed by the VLAN number. Example 7-6 shows two such examples from the same switch SW1 from
Figure 7-7—one for VLAN 1, where all four devices reside, and one for a non-existent VLAN 2.
Example 7-6 The show mac address-table vlan command
Click here to view code image
SW1# show mac address-table dynamic vlan 1
Mac Address Table
-------------------------------------------
Each switch also removes the oldest table entries, even if they are younger than the aging time setting, if the table fills.
The MAC address table uses content-addressable memory (CAM), a physical memory that has great table lookup
capabilities. However, the size of the table depends on the size of the CAM in a particular model of switch. When a
switch tries to add a new table entry, and finds the table full, the switch times out (removes) the oldest table entry to
make space. For perspective, the end of Example 7-7 lists the size of a Cisco Catalyst switch s MAC table at about 8000
entries—the same four existing entries from the earlier examples, with space for 7299 more.
Finally, you can remove the dynamic entries from the MAC address table with the clear mac address-table
dynamic command. Note that the show commands in this chapter can be executed from user and enable mode, but the
clear command happens to be a privileged mode command.
MAC Address Tables with Multiple Switches
Finally, to complete the discussion, it helps to think about an example with multiple switches, just to emphasize how
MAC learning, forwarding, and flooding happens independently on each LAN switch.
Consider the topology in Figure 7-10 , and pay close attention to the port numbers. The ports were purposefully chosen so
that neither switch used any of the same ports for this example. That is, switch SW2 does have a port F0/1 and F0/2, but I
did not plug any devices into those ports when making this example. Also note that all ports are in VLAN 1, and as with
the other examples in this chapter, all default configuration is used other than the hostname on the switches.
Figure 7-10 Two-Switch Topology Example
Think about a case in which both switches learn all four MAC addresses. For instance, that would happen if the hosts on
the left communicate with the hosts on the right. SW1 s MAC address table would list SW1 s own port numbers (F0/1,
F0/2, and G0/1), because SW1 uses that information to decide where SW1 should forward frames. Similarly, SW2 s
MAC table lists SW2 s port numbers (F0/3, F0/4, G0/2 in this example). Example 7-8 shows the MAC address tables on
both switches for that scenario.
Example 7-8 The MAC Address Table on Two Switches
Click here to view code image
In addition, Cisco switches protect enable mode (also called privileged mode) with yet another shared password called
the enable password. From the perspective of the network engineer connecting to the CLI of the switch, once in user
mode, the user types the enable EXEC command. This command prompts the user for this enable password; if the
user types the correct password, IOS moves the user to enable mode.
Example 8-1 shows an example of the user experience of logging into a switch from the console when the shared console
password and the enable password have both been set. Note that before this example began, the user started their
terminal emulator, physically connected their laptop to the console cable, and then pressed the return key to make the
switch respond as shown at the top of the example.
Example 8-1 Configuring Basic Passwords and a Hostname
Click here to view code image
(User now presses enter now to start the process. This line of text does not appear.)
Password: hope
Switch> enable
Password: love
Switch#
Note that the example shows the password text as if typed (hope and love), along with the enable command that moves
the user from user mode to enable mode. In reality, the switch hides the passwords when typed, to prevent someone
from reading over your shoulder to see the password.
To configure the shared passwords for the console, Telnet, and for enable mode, you need to configure several
commands. However, the parameters of the commands can be pretty intuitive. Figure 8-2 shows the configuration of all
three of these passwords.
To help you follow the process, and for easier study later, use the configuration checklist before the example. The
configuration checklist collects the required and optional steps to configure a feature as described in this book. The
configuration checklist for shared passwords for the console, Telnet, and enable passwords is
Step 1. Configure the enable password with the enable secret password-value command.
Step 2. Configure the console password:
A. Use the line con 0 command to enter console configuration mode.
B. Use the login subcommand to enable console password security using a simple password.
C. Use the password password-value subcommand to set the value of the console password.
Step 3. Configure the Telnet (vty) password:
A. Use the line vty 0 15 command to enter vty configuration mode for all 16 vty lines (numbered 0 through 15).
B. Use the login subcommand to enable password security for vty sessions using a simple password.
C. Use the password password-value subcommand to set the value of the vty password.
Example 8-2 shows the configuration process as noted in the configuration checklist, along with setting the enable
secret password. Note that the lines which begin with a are comment lines; they are there to guide you through the
configuration.
! Enter global configuration mode, set the enable password, and also
! set the hostname (just because it makes sense to do so)
!
Switch# configure terminal
Switch(config)# enable secret faith
!
! At Step 2 in the checklist, enter console configuration mode, set the
! password value to "hope", and enable simple passwords for the console.
! The exit command moves the user back to global config mode.
!
Switch#(config)# line console 0
Switch#(config-line)# password hope
Switch#(config-line)# login
Switch#(config-line)# exit
!
! The next few lines do basically the same configuration, except it is
! for the vty lines. Telnet users will use "love" to login.
!
Switch#(config)# line vty 0 15
Switch#(config-line)# password love
Switch#(config-line)# login
Switch#(config-line)# end
Switch#
Example 8-3 shows the resulting configuration in the switch per the show running-config command. The gray lines
highlight the new configuration. Note that many unrelated lines of output have been deleted from the output to keep
focused on the password configuration.
Example 8-3 Resulting Running-Config File (Subset) Per Example 8-2 Configuration
Click here to view code image
Step 1. Use the username name secret password global configuration command to add one or more
username/password pairs on the local switch.
Step 2. Configure the console to use locally configured username/password pairs:
A. Use the line con 0 command to enter console configuration mode.
B. Use the login local subcommand to enable the console to prompt for both username and password, checked versus
the list of local usernames/passwords.
C. (Optional) Use the no password subcommand to remove any existing simple shared passwords, just for good
housekeeping of the configuration file.
Step 3. Configure Telnet (vty) to use locally configured username/password pairs.
A. Use the line vty 0 15 command to enter vty configuration mode for all 16 vty lines (numbered 0 through 15).
B. Use the login local subcommand to enable the switch to prompt for both username and password for all inbound
Telnet users, checked versus the list of local usernames/passwords.
C. (Optional) Use the no password subcommand to remove any existing simple shared passwords, just for good
housekeeping of the configuration file.
When a Telnet user connects to the switch configured as shown in Figure 8-3, the user will be prompted first for a
username and then for a password, as shown in Example 8-4. The username/password pair must be from the list of
local usernames or the login is rejected.
Example 8-4 Telnet Login Process After Applying Configuration in Figure 8-3
Click here to view code image
Username: wendell
Password:
SW1> enable
Password:
SW1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#^
SW1#
*Mar 1 02:00:56.229: SYS-5-CONFIG I: Configured from console by wendell on vty0
(10.9.9.19)
Note
Example 8-4 does not show the password value as having been typed because Cisco switches do not display the typed
password for security reasons.
Note
The username secret command has an older less-secure cousin, the username password command. Chapter
34 explains more about the security levels of various password mechanisms. Today, use the more secure username
secret command.
Earlier, I mentioned that one useful default was that the switch defaults to support both SSH and Telnet on the vty lines.
However, because Telnet is a security risk, you could disable Telnet to enforce a tighter security policy. (For that matter,
you can disable SSH support and allow Telnet on the vty lines as well.)
To control which protocols a switch supports on its vty lines, use the transport input {all | none | telnet | ssh vty
subcommand in vty mode, with the following options:
transport input all or transport input telnet ssh: Support both Telnet and SSH
transport input none: Support neither
transport input telnet: Support only Telnet
transport input ssh: Support only SSH
To complete this section about SSH, the following configuration checklist details the steps for one method to configure a
Cisco switch to support SSH using local usernames. (SSH support in IOS can be configured in several ways; this
checklist shows one simple way to configure it.) The process shown here ends with a comment to configure local
username support on vty lines, as was discussed earlier in the section titled “Securing User Mode Access with Local
Usernames and Passwords.
Step 1. Configure the switch to generate a matched public and private key pair to use for encryption:
A. If not already configured, use the hostname name in global configuration mode to configure a hostname for this
switch.
B. If not already configured, use the ip domain-name name in global configuration mode to configure a domain name
for the switch, completing the switch s FQDN.
C. Use the crypto key generate rsa command in global configuration mode (or the crypto key generate rsa
modulus modulus-value command to avoid being prompted for the key modulus) to generate the keys. (Use at least a
768-bit key to support SSH version 2.)
Step 2. (Optional) Use the ip ssh version 2 command in global configuration mode to override the default of
supporting both versions 1 and 2, so that only SSHv2 connections are allowed.
Step 3. (Optional) If not already configured with the setting you want, configure the vty lines to accept SSH and whether
to also allow Telnet:
A. Use the transport input ssh command in vty line configuration mode to allow SSH only.
B. Use the transport input all command (default) or transport input telnet ssh command in vty line configuration
mode to allow both SSH and Telnet.
Step 4. Use various commands in vty line configuration mode to configure local username login authentication as
discussed earlier in this chapter.
Note
Cisco routers default to transport input none , so that you must add the transport input line subcommand to enable
Telnet and/or SSH into a router.
Two key commands give some information about the status of SSH on the switch. First, the show ip ssh command lists
status information about the SSH server itself. The show ssh command then lists information about each SSH client
currently connected into the switch. Example 8-6 shows samples of each, with user Wendell currently connected to the
switch.
Example 8-6 Displaying SSH Status
Click here to view code image
Configuring the IP address (and mask) on one VLAN interface allows the switch to send and receive IP packets with
other hosts in a subnet that exists on that VLAN; however, the switch cannot communicate outside the local subnet
without another configuration setting called the default gateway. The reason a switch needs a default gateway setting is
the same reason that hosts need the same setting—because of how hosts think when sending IP packets. Specifically:
To send IP packets to hosts in a different subnet, send them to the local router; that is, the default gateway
Figure 8-8 shows the ideas. In this case, the switch (on the right) will use IP address 192.168.1.200 as configured on
interface VLAN 1. However, to communicate with host A, on the far left of the figure, the switch must use Router R1 (the
default gateway) to forward IP packets to host A. To make that work, the switch needs to configure a default gateway
setting, pointing to Router R1 s IP address (192.168.1.1 in this case). Note that the switch and router both use the same
mask, 255.255.255.0, which puts the addresses in the same subnet.
Step 1. Use the interface vlan 1 command in global configuration mode to enter interface VLAN 1 configuration
mode.
Step 2. Use the ip address ip-address mask command in interface configuration mode to assign an IP address and
mask.
Step 3. Use the no shutdown command in interface configuration mode to enable the VLAN 1 interface if it is not
already enabled.
Step 4. Add the ip default-gateway ip-address command in global configuration mode to configure the default
gateway.
Step 5. (Optional) Add the ip name-server ip-address1 ip-address2 ... command in global configuration mode to
configure the switch to use Domain Name System (DNS ) to resolve names into their matching IP address.
Example 8-7 Switch Static IP Address Configuration
Click here to view code image
On a side note, this example shows a particularly important and common command: the [no shutdown command. To
administratively enable an interface on a switch, use the no shutdown interface subcommand; to disable an interface,
use the shutdown interface subcommand. This command can be used on the physical Ethernet interfaces that the
switch uses to switch Ethernet messages in addition to the VLAN interface shown here in this example.
Also, pause long enough to look at the messages that appear just below the no shutdown command in Example 8-7 .
Those messages are syslog messages generated by the switch stating that the switch did indeed enable the interface.
Switches (and routers) generate syslog messages in response to a variety of events, and by default, those messages
appear at the console. Chapter 33 , “Device Management Protocols, discusses syslog messages in more detail.
Configuring a Switch to Learn Its IP Address with DHCP
The switch can also use Dynamic Host Configuration Protocol (DHCP) to dynamically learn its IPv4 settings. Basically,
all you have to do is tell the switch to use DHCP on the interface, and enable the interface. Assuming that DHCP works in
this network, the switch will learn all its settings. The following list details the steps, again assuming the use of
interface VLAN 1, with Example 8-8 that follows showing an example:
Step 1. Enter VLAN 1 configuration mode using the interface vlan 1 global configuration command, and enable the
interface using the no shutdown command as necessary.
Step 2. Assign an IP address and mask using the ip address dhcp interface subcommand.
Example 8-8 Switch Dynamic IP Address Configuration with DHCP
Click here to view code image
The output of the show interfaces vlan 1 command lists two very important details related to switch IP addressing.
First, this show command lists the interface status of the VLAN 1 interface—in this case, “up and up. If the VLAN 1
interface is not up, the switch cannot use its IP address to send and receive management traffic. Notably, if you forget to
issue the no shutdown command, the VLAN 1 interface remains in its default shutdown state and is listed as
“administratively down in the show command output.
Second, note that the output lists the interface s IP address on the third line. If you statically configure the IP address,
as in Example 8-7, the IP address will always be listed; however, if you use DHCP and DHCP fails, the show
interfaces vlan x command will not list an IP address here. When DHCP works, you can see the IP address with the
show interfaces vlan 1 command, but that output does not remind you whether the address is either statically
configured or DHCP leased. So it does take a little extra effort to make sure you know whether the address is statically
configured or DHCP-learned on the VLAN interface.
Miscellaneous Settings Useful in Lab
This last short section of the chapter touches on a couple of commands that can help you be a little more productive when
practicing in a lab.
History Buffer Commands
When you enter commands from the CLI, the switch saves the last several commands in the history buffer. Then, as
mentioned in Chapter 6, “Using the Command-Line Interface, you can use the up-arrow key or press Ctrl+P to move back
in the history buffer to retrieve a command you entered a few commands ago. This feature makes it very easy and fast to
use a set of commands repeatedly. Table 8-2 lists some of the key commands related to the history buffer.
First, focus on the mechanics of moving around in configuration mode again by looking closely at the command prompts.
The various interface commands move the user from global mode into interface configuration mode for a specific
interface. For instance, the example configures the duplex, speed, and description commands all just after the
interface FastEthernet 0/1 command, which means that all three of those configuration settings apply to interface
Fa0/1, and not to the other interfaces.
The show interfaces status command lists much of the detail configured in Example 9-1, even with only one line of
output per interface. Example 9-2 shows an example, just after the configuration in Example 9-1 was added to the switch.
Example 9-2 Displaying Interface Status
Click here to view code image
IOS does not actually put the interface range command into the configuration. Instead, it acts as if you had typed the
subcommand under every single interface in the specified range. Example 9-3 shows an excerpt from the show
running-config command, listing the configuration of interfaces F0/11–12 from the configuration in Example 9-1. The
example shows the same description command on both interfaces; to save space the example did not bother to show all
10 interfaces that have the same description text.
Example 9-3 How IOS Expands the Subcommands Typed After interface range
Click here to view code image
To bring the interface back up again, all you have to do is follow the same process but use the no shutdown command
instead.
Before leaving the simple but oddly named shutdown/no shutdown commands, take a look at two important show
commands that list the status of a shutdown interface. The show interfaces status command lists one line of output
per interface, and when shut down, lists the interface status as “disabled. That makes logical sense to most people.
The show interfaces command (without the status keyword) lists many lines of output per interface, giving a much
more detailed picture of interface status and statistics. With that command, the interface status comes in two parts, with
one part using the phrase “administratively down, matching the highlighted log message in Example 9-4.
Example 9-5 shows an example of each of these commands. Note that both examples also use the F0/1 parameter
(short for Fast Ethernet0/1), which limits the output to the messages about F0/1 only. Also note that F0/1 is still shut
down at this point.
Example 9-5 The Different Status Information About Shutdown in Two Different show Commands
Click here to view code image
If you earlier had configured speed 100 on an interface, the no speed command on that same interface reverts to
the default speed setting (which happens to be speed auto ).
Same idea with the duplex command: an earlier configuration of duplex half or duplex full, followed by no
duplex on the same interface, reverts the configuration back to the default of duplex auto.
If you had configured a description command with some text, to go back to the default state of having no
description command at all for that interface, use the no description command.
Example 9-6 shows the process. In this case, switch SW1 s F0/2 port has been configured with speed 100 , duplex
half, description link to 2901-2 , and shutdown. You can see evidence of all four settings in the command that
begins the example. (This command lists the running-config, but only the part for that one interface.) The example then
shows the no versions of those commands, and closes with a confirmation that all the commands have reverted to
default.
Example 9-6 Removing Various Configuration Settings Using the no Command
Click here to view code image
Autonegotiation
For any 10/100 or 10/100/1000 interfaces—that is, interfaces that can run at different speeds—Cisco Catalyst switches
default to a setting of duplex auto and speed auto . As a result, those interfaces attempt to automatically determine
the speed and duplex setting to use. Alternatively, you can configure most devices, switch interfaces included, to use a
specific speed and/or duplex.
In practice, using autonegotiation is easy: just leave the speed and duplex at the default setting, and let the switch port
negotiate what settings to use on each port. However, problems can occur due to unfortunate combinations of
configuration. Therefore, this next topic walks through more detail about the concepts behind autonegotiation, so you
know better how to interpret the meaning of the switch show commands and when to choose to use a particular
configuration setting.
Autonegotiation Under Working Conditions
Ethernet devices on the ends of a link must use the same standard or they cannot correctly send data. For example, a
NIC cannot use 100BASE-T, which uses a two-pair UTP cable with a 100-Mbps speed, while the switch port on the other
end of the link uses 1000BASE-T. Even if you used a cable that works with Gigabit Ethernet, the link would not work with
one end trying to send at 100 Mbps while the other tried to receive the data at 1000 Mbps.
Upgrading to new and faster Ethernet standards becomes a problem because both ends have to use the same
standard. For example, if you replace an old PC with a new one, the old one might have been using 100BASE-T while the
new one uses 1000BASE-T. The switch port on the other end of the link needs to now use 1000BASE-T, so you upgrade
the switch. If that switch had ports that would use only 1000BASE-T, you would need to upgrade all the other PCs
connected to the switch. So, having both PC network interface cards (NIC) and switch ports that support multiple
standards/speeds makes it much easier to migrate to the next better standard.
The IEEE autonegotiation protocol helps makes it much easier to operate a LAN when NICs and switch ports support
multiple speeds. IEEE autonegotiation (IEEE standard 802.3u) defines a protocol that lets the two UTP-based Ethernet
nodes on a link negotiate so that they each choose to use the same speed and duplex settings. The protocol messages
flow outside the normal Ethernet electrical frequencies as out-of-band signals over the UTP cable. Basically, each node
states what it can do, and then each node picks the best options that both nodes support: the fastest speed and the best
duplex setting, with full duplex being better than half duplex.
Note
Autonegotiation relies on the fact that the IEEE uses the same wiring pinouts for 10BASE-T and 100BASE-T, and that
1000BASE-T simply adds to those pinouts, adding two pairs.
Many networks use autonegotiation every day, particularly between user devices and the access layer LAN switches,
as shown in Figure 9-1 . The company installed four-pair cabling of the right quality to support 1000BASE-T, to be ready
to support Gigabit Ethernet. As a result, the wiring supports 10-Mbps, 100-Mbps, and 1000-Mbps Ethernet options.
Both nodes on each link send autonegotiation messages to each other. The switch in this case has all 10/100/1000
ports, while the PC NICs support different options.
Figure 9-1 IEEE Autonegotiation Results with Both Nodes Working Correctly
The following list breaks down the logic, one PC at a time:
PC1: The switch port claims it can go as fast as 1000 Mbps, but PC1 s NIC claims a top speed of 10 Mbps. Both the PC
and switch choose the best speed both support (10 Mbps) and the best duplex (full).
PC2: PC2 claims a best speed of 100 Mbps, which means it can use 10BASE-T or 100BASE-T. The switch port and NIC
negotiate to use the best speed of 100 Mbps and full duplex.
PC3: It uses a 10/100/1000 NIC, supporting all three speeds and standards, so both the NIC and switch port choose
1000 Mbps and full duplex.
Autonegotiation Results When Only One Node Uses Autonegotiation
Figure 9-1 shows the IEEE autonegotiation results when both nodes use the process. However, most Ethernet devices
can disable autonegotiation, so it is just as important to know what happens when a node tries to use autonegotiation but
the node gets no response.
Disabling autonegotiation is not always a bad idea. For instance, many network engineers disable autonegotiation on
links between switches and simply configure the desired speed and duplex on both switches. However, mistakes can
happen when one device on an Ethernet predefines speed and duplex (and disables autonegotiation), while the device
on the other end attempts autonegotiation. In that case, the link might not work at all, or it might just work poorly.
Note
Configuring both the speed and duplex on a Cisco switch interface disables autonegotiation.
IEEE autonegotiation defines some rules (defaults) that nodes should use as defaults when autonegotiation fails—that
is, when a node tries to use autonegotiation but hears nothing from the device. The rules:
Duplex: If your speed = 10 or 100, use half duplex; otherwise, use full duplex.
Cisco switches can make a better choice than that base IEEE logic, because Cisco switches can actually sense the
speed used by other nodes, even without IEEE autonegotiation. As a result, Cisco switches use this slightly different
logic to choose the speed when autonegotiation fails:
Speed: Sense the speed (without using autonegotiation), but if that fails, use the IEEE default (slowest supported
speed, often 10 Mbps).
Duplex: Use the IEEE defaults: If speed = 10 or 100, use half duplex; otherwise, use full duplex.
Figure 9-2 shows three examples in which three users change their NIC settings and disable autonegotiation, while the
switch (with all 10/100/1000 ports) attempts autonegotiation. That is, the switch ports all default to speed auto and
duplex auto . The top of the figure shows the configured settings on each PC NIC, with the choices made by the switch
listed next to each switch port.
Figure 9-2 IEEE Autonegotiation Results with Autonegotiation Disabled on One Side
Reviewing each link, left to right:
PC1: The switch receives no autonegotiation messages, so it senses the electrical signal to learn that PC1 is
sending data at 100 Mbps. The switch uses the IEEE default duplex based on the 100 Mbps speed (half duplex).
PC2: The switch uses the same steps and logic as with the link to PC1, except that the switch chooses to use full
duplex because the speed is 1000 Mbps.
PC3: The user picks poorly, choosing the slower speed (10 Mbps) and the worse duplex setting (half). However,
the Cisco switch senses the speed without using IEEE autonegotiation and then uses the IEEE duplex default for
10-Mbps links (half duplex).
PC1 shows a classic and unfortunately common end result: a duplex mismatch. The two nodes (PC1 and SW1 s port F0/1)
both use 100 Mbps, so they can send data. However, PC1, using full duplex, does not attempt to use carrier sense
multiple access with collision detection (CSMA/CD) logic and sends frames at any time. Switch port F0/1, with half
duplex, does use CSMA/CD. As a result, switch port F0/1 will believe collisions occur on the link, even if none physically
occur. The switch port will stop transmitting, back off, resend frames, and so on. As a result, the link is up, but it
performs poorly.
Autonegotiation and LAN Hubs
LAN hubs also impact how autonegotiation works. Basically, hubs do not react to autonegotiation messages, and they do
not forward the messages. As a result, devices connected to a hub must use the IEEE rules for choosing default
settings, which often results in the devices using 10 Mbps and half duplex.
Figure 9-3 shows an example of a small Ethernet LAN that uses a 20-year-old 10BASE-T hub. In this LAN, all devices
and switch ports are 10/100/1000 ports. The hub supports only 10BASE-T.
Figure 9-3 IEEE Autonegotiation with a LAN Hub
Note that the devices on the right need to use half duplex because the hub requires the use of the CSMA/CD algorithm to
avoid collisions.
Port Security
If the network engineer knows what devices should be cabled and connected to particular interfaces on a switch, the
engineer can use port security to restrict that interface so that only the expected devices can use it. This reduces
exposure to attacks in which the attacker connects a laptop to some unused switch port. When that inappropriate device
attempts to send frames to the switch interface, the switch can take different actions, ranging from simply issuing
informational messages to effectively shutting down the interface.
Port security identifies devices based on the source MAC address of Ethernet frames the devices send. For example, in
Figure 9-4, PC1 sends a frame, with PC1 s MAC address as the source address. SW1 s F0/1 interface can be
configured with port security, and if so, SW1 would examine PC1 s MAC address and decide whether PC1 was allowed to
send frames into port F0/1.
Define a maximum number of source MAC addresses allowed for all frames coming in the interface.
Watch all incoming frames, and keep a list of all source MAC addresses, plus a counter of the number of different
source MAC addresses.
When adding a new source MAC address to the list, if the number of MAC addresses pushes past the configured
maximum, a port security violation has occurred. The switch takes action (the default action is to shut down the interface).
Those rules define the basics, but port security allows other options as well, including letting you configure the specific
MAC addresses allowed to send frames in an interface. For example, in Figure 9-4, switch SW1 connects through
interface F0/1 to PC1, so the port security configuration could list PC1 s MAC address as the specific allowed MAC
address. But predefining MAC addresses for port security is optional: You can predefine all MAC addresses, none, or a
subset of the MAC addresses.
You might like the idea of predefining the MAC addresses for port security, but finding the MAC address of each device
can be a bother. Port security provides an easy way to discover the MAC addresses used off each port using a feature
called sticky secure MAC addresses. With this feature, port security learns the MAC addresses off each port and stores
them in the port security configuration (in the running-config file). This feature helps reduce the big effort of finding out
the MAC address of each device.
As you can see, port security has a lot of detailed options. The next few sections walk you through these options to pull
the ideas together.
Configuring Port Security
Port security configuration involves several steps. First, you need to disable the negotiation of a feature that is not
discussed until Chapter 11 , “Implementing Ethernet Virtual LANs, whether the port is an access or trunk port. For now,
accept that port security requires a port to be configured to either be an access port or a trunking port. The rest of the
commands enable port security, set the maximum allowed MAC addresses per port, and configure the actual MAC
addresses, as detailed in this list:
Step 1. Make the switch interface either a static access or trunk interface using the switchport mode access or the
switchport mode trunk interface subcommands, respectively.
Step 2. Enable port security using the switchport port-security interface subcommand.
Step 3. (Optional) Override the default maximum number of allowed MAC addresses associated with the interface (1)
by using the switchport port-security maximum number interface subcommand.
Step 4. (Optional) Override the default action to take upon a security violation (shutdown) using the switchport
port-security violation {protect | restrict | shutdown interface subcommand.
Step 5. (Optional) Predefine any allowed source MAC addresses for this interface using the switchport port-
security mac-address mac-address command. Use the command multiple times to define more than one MAC
address.
Step 6. (Optional) Tell the switch to “sticky learn dynamically learned MAC addresses with the switchport port-
security mac-address sticky interface subcommand.
Figure 9-5 and Example 9-7 show four examples of port security. Three ports operate as access ports, while port F0/4,
connected to another switch, operates as a trunk. Note that port security allows either a trunk or an access port, but
requires that the port be statically set as one or the other.
Figure 9-5 Port Security Configuration Example
Example 9-7 Variations on Port Security Configuration
Click here to view code image
interface FastEthernet0/1
switchport mode access
switchport port-security
switchport port-security mac-address 0200.1111.1111
!
interface FastEthernet0/2
switchport mode access
switchport port-security
switchport port-security mac-address sticky
!
interface FastEthernet0/3
switchport mode access
switchport port-security
!
interface FastEthernet0/4
switchport mode trunk
switchport port-security
switchport port-security maximum 8
First, scan the configuration for all four interfaces in Example 9-7, focusing on the first two interface subcommands.
Note that the first three interfaces in the example use the same first two interface subcommands, matching the first two
configuration steps noted before Figure 9-5. The switchport port-security command enables port security, with all
defaults, with the switchport mode access command meeting the requirement to configure the port as either an
access or trunk port. The final port, F0/4, has a similar configuration, except that it has been configured as a trunk rather
than as an access port.
Next, scan all four interfaces again, and note that the configuration differs on each interface after those first two
interface subcommands. Each interface simply shows a different example for perspective.
The first interface, FastEthernet 0/1, adds one optional port security subcommand: switchport port-security mac-
address 0200.1111.1111, which defines a specific source MAC address. With the default maximum source
address setting of 1, only frames with source MAC 0200.1111.1111 will be allowed in this port. When a frame with a
source other than 0200.1111.1111 enters F0/1, the switch will take the default violation action and disable the interface.
As a second example, FastEthernet 0/2 uses the same logic as FastEthernet 0/1, except that it uses the sticky learning
feature. For port F0/2, the configuration the switchport port-security mac-address sticky command, which tells
the switch to dynamically learn source MAC addresses and add port-security commands to the running-config. The
end of upcoming Example 9-8 shows the running-config file that lists the sticky-learned MAC address in this case.
Note
Port security does not save the configuration of the sticky addresses, so use the copy running-config startup-
config command if desired.
The other two interfaces do not predefine MAC addresses, nor do they sticky-learn the MAC addresses. The only
difference between these two interfaces port security configuration is that FastEthernet 0/4 supports eight MAC
addresses, because it connects to another switch and should receive frames with multiple source MAC addresses.
Interface F0/3 uses the default maximum of one MAC address.
Verifying Port Security
Example 9-8 lists the output of two examples of the show port-security interface command. This command lists the
configuration settings for port security on an interface, plus it lists several important facts about the current operation of
port security, including information about any security violations. The two commands in the example show interfaces
F0/1 and F0/2, based on Example 9-7 s configuration.
Example 9-8 Using Port Security to Define Correct MAC Addresses of Particular Interfaces
Click here to view code image
The first two commands in Example 9-8 confirm that a security violation has occurred on FastEthernet 0/1, but no
violations have occurred on FastEthernet 0/2. The show port-security interface fastethernet 0/1 command
shows that the interface is in a secure-shutdown state, which means that the interface has been disabled because of
port security. In this case, another device connected to port F0/1, sending a frame with a source MAC address other than
0200.1111.1111, is causing a violation. However, port Fa0/2, which used sticky learning, simply learned the MAC
address used by Server 2.
The bottom of Example 9-8 , as compared to the configuration in Example 9-7 , shows the changes in the running-config
because of sticky learning, with the switchport port-security mac-address sticky 0200.2222.2222 interface
subcommand.
Port Security Violation Actions
Finally, the switch can be configured to use one of three actions when a violation occurs. All three options cause the
switch to discard the offending frame, but some of the options make the switch take additional actions. The actions
include the sending of syslog messages to the console, sending SNMP trap messages to the network management
station, and disabling the interface. Table 9-2 lists the options of the switchport port-security violation {protect |
restrict | shutdown command and their meanings.
Table 9-2 Actions When Port Security Violation Occurs
Note that the shutdown option does not actually add the shutdown subcommand to the interface configuration. Instead,
IOS puts the interface in an error disabled (err-disabled) state, which makes the switch stop all inbound and outbound
frames. To recover from this state, someone must manually disable the interface with the shutdown interface
command and then enable the interface with the no shutdown command.
Port Security MAC Addresses as Static and Secure but Not Dynamic
To complete this chapter, take a moment to think about Chapter 7 s discussions about switching, along with all those
examples of output from the show mac address-table dynamic EXEC command.
Once a switch port has been configured with port security, the switch no longer considers MAC addresses associated
with that port as being dynamic entries as listed with the show mac address-table dynamic EXEC command. Even
if the MAC addresses are dynamically learned, once port security has been enabled, you need to use one of these
options to see the MAC table entries associated with ports using port security:
show mac address-table secure: Lists MAC addresses associated with ports that use port security
show mac address-table static: Lists MAC addresses associated with ports that use port security, as well as
any other statically defined MAC addresses
Example 9-9 proves the point. It shows two commands about interface F0/2 from the port security example shown in
Figure 9-5 and Example 9-7. In that example, port security was configured on F0/2 with sticky learning, so from a literal
sense, the switch learned a MAC address off that port (0200.2222.2222). However, the show mac address-table
dynamic command does not list the address and port, because IOS considers that MAC table entry to be a static entry.
The show mac address-table secure command does list the address and port.
Example 9-9 Using the secure Keyword to See MAC Table Entries When Using Port Security
Click here to view code image