THE FOLLOWING ICND1 EXAM TOPICS ARE COVERED IN THIS CHAPTER:
When people at Cisco discuss switching in regards to the Cisco exam objectives, they’re talking about layer 2 switching unless they say otherwise. Layer 2 switching is the process of using the hardware address of devices on a LAN to segment a network. Since you’ve got the basic idea of how that works nailed down by now, we’re going to dive deeper into the particulars of layer 2 switching to ensure that your concept of how it works is solid and complete.
You already know that we rely on switching to break up large collision domains into smaller ones and that a collision domain is a network segment with two or more devices sharing the same bandwidth. A hub network is a typical example of this type of technology. But since each port on a switch is actually its own collision domain, we were able to create a much better Ethernet LAN network by simply replacing our hubs with switches!
Switches truly have changed the way networks are designed and implemented. If a pure switched design is properly implemented, it absolutely will result in a clean, cost-effective, and resilient internetwork. In this chapter, we’ll survey and compare how networks were designed before and after switching technologies were introduced.
I’ll be using three switches to begin our configuration of a switched network, and we’ll actually continue with their configurations in Chapter 11, “VLANs and Inter-VLAN Routing.”
Unlike old bridges, which used software to create and manage a Content Addressable Memory (CAM) filter table, our new, fast switches use application-specific integrated circuits (ASICs) to build and maintain their MAC filter tables. But it’s still okay to think of a layer 2 switch as a multiport bridge because their basic reason for being is the same: to break up collision domains.
Layer 2 switches and bridges are faster than routers because they don’t take up time looking at the Network layer header information. Instead, they look at the frame’s hardware addresses before deciding to either forward, flood, or drop the frame.
Unlike hubs, switches create private, dedicated collision domains and provide independent bandwidth exclusive on each port.
Here’s a list of four important advantages we gain when using layer 2 switching:
A big reason layer 2 switching is so efficient is that no modification to the data packet takes place. The device only reads the frame encapsulating the packet, which makes the switching process considerably faster and less error-prone than routing processes are.
And if you use layer 2 switching for both workgroup connectivity and network segmentation (breaking up collision domains), you can create more network segments than you can with traditional routed networks. Plus, layer 2 switching increases bandwidth for each user because, again, each connection, or interface into the switch, is its own, self-contained collision domain.
There are three distinct functions of layer 2 switching that are vital for you to remember: address learning, forward/filter decisions, and loop avoidance.
Address learning Layer 2 switches remember the source hardware address of each frame received on an interface and enter this information into a MAC database called a forward/filter table.
Forward/filter decisions When a frame is received on an interface, the switch looks at the destination hardware address, then chooses the appropriate exit interface for it in the MAC database. This way, the frame is only forwarded out of the correct destination port.
Loop avoidance If multiple connections between switches are created for redundancy purposes, network loops can occur. Spanning Tree Protocol (STP) is used to prevent network loops while still permitting redundancy.
Next, I’m going to talk about address learning and forward/filtering decisions. Loop avoidance is beyond the scope of the objectives being covered in this chapter.
When a switch is first powered on, the MAC forward/filter table (CAM) is empty, as shown in Figure 10.1.
When a device transmits and an interface receives a frame, the switch places the frame’s source address in the MAC forward/filter table, allowing it to refer to the precise interface the sending device is located on. The switch then has no choice but to flood the network with this frame out of every port except the source port because it has no idea where the destination device is actually located.
If a device answers this flooded frame and sends a frame back, then the switch will take the source address from that frame and place that MAC address in its database as well, associating this address with the interface that received the frame. Because the switch now has both of the relevant MAC addresses in its filtering table, the two devices can now make a point-to-point connection. The switch doesn’t need to flood the frame as it did the first time because now the frames can and will only be forwarded between these two devices. This is exactly why layer 2 switches are so superior to hubs. In a hub network, all frames are forwarded out all ports every time—no matter what. Figure 10.2 shows the processes involved in building a MAC database.
In this figure, you can see four hosts attached to a switch. When the switch is powered on, it has nothing in its MAC address forward/filter table, just as in Figure 10.1. But when the hosts start communicating, the switch places the source hardware address of each frame into the table along with the port that the frame’s source address corresponds to.
Let me give you an example of how a forward/filter table is populated using Figure 10.2:
If Host A and Host B don’t communicate to the switch again within a certain time period, the switch will flush their entries from the database to keep it as current as possible.
When a frame arrives at a switch interface, the destination hardware address is compared to the forward/filter MAC database. If the destination hardware address is known and listed in the database, the frame is only sent out of the appropriate exit interface. The switch won’t transmit the frame out any interface except for the destination interface, which preserves bandwidth on the other network segments. This process is called frame filtering.
But if the destination hardware address isn’t listed in the MAC database, then the frame will be flooded out all active interfaces except the interface it was received on. If a device answers the flooded frame, the MAC database is then updated with the device’s location—its correct interface.
If a host or server sends a broadcast on the LAN, by default, the switch will flood the frame out all active ports except the source port. Remember, the switch creates smaller collision domains, but it’s always still one large broadcast domain by default.
In Figure 10.3, Host A sends a data frame to Host D. What do you think the switch will do when it receives the frame from Host A?
Let’s examine Figure 10.4 to find the answer.
Since Host A’s MAC address is not in the forward/filter table, the switch will add the source address and port to the MAC address table, then forward the frame to Host D. It’s really important to remember that the source MAC is always checked first to make sure it’s in the CAM table. After that, if Host D’s MAC address wasn’t found in the forward/filter table, the switch would’ve flooded the frame out all ports except for port Fa0/3 because that’s the specific port the frame was received on.
Now let’s take a look at the output that results from using a show mac address-table
command:
Switch#sh mac address-table
Vlan Mac Address Type Ports
---- ----------- -------- -----
1 0005.dccb.d74b DYNAMIC Fa0/1
1 000a.f467.9e80 DYNAMIC Fa0/3
1 000a.f467.9e8b DYNAMIC Fa0/4
1 000a.f467.9e8c DYNAMIC Fa0/3
1 0010.7b7f.c2b0 DYNAMIC Fa0/3
1 0030.80dc.460b DYNAMIC Fa0/3
1 0030.9492.a5dd DYNAMIC Fa0/1
1 00d0.58ad.05f4 DYNAMIC Fa0/1
But let’s say the preceding switch received a frame with the following MAC addresses:
How will the switch handle this frame? The right answer is that the destination MAC address will be found in the MAC address table and the frame will only be forwarded out Fa0/3. Never forget that if the destination MAC address isn’t found in the forward/filter table, the frame will be forwarded out all of the switch’s ports except for the one on which it was originally received in an attempt to locate the destination device. Now that you can see the MAC address table and how switches add host addresses to the forward filter table, how do think we can secure it from unauthorized users?
It’s usually not a good thing to have your switches available for anyone to just plug into and play around with. I mean, we worry about wireless security, so why wouldn’t we demand switch security just as much, if not more?
But just how do we actually prevent someone from simply plugging a host into one of our switch ports—or worse, adding a hub, switch, or access point into the Ethernet jack in their office? By default, MAC addresses will just dynamically appear in your MAC forward/filter database and you can stop them in their tracks by using port security!
Figure 10.5 shows two hosts connected to the single switch port Fa0/3 via either a hub or access point (AP).
Port Fa0/3 is configured to observe and allow only certain MAC addresses to associate with the specific port, so in this example, Host A is denied access, but Host B is allowed to associate with the port.
By using port security, you can limit the number of MAC addresses that can be assigned dynamically to a port, set static MAC addresses, and—here’s my favorite part—set penalties for users who abuse your policy! Personally, I like to have the port shut down when the security policy is violated. Making abusers bring me a memo from their boss explaining why they violated the security policy brings with it a certain poetic justice, which is nice. And I’ll also require something like that before I’ll enable their port again. Things like this really seem to help people remember to behave!
This is all good, but you still need to balance your particular security needs with the time that implementing and managing them will realistically require. If you have tons of time on your hands, then go ahead and seriously lock your network down vault-tight! If you’re busy like the rest of us, I’m here to reassure you that there are ways to secure things nicely without being totally overwhelmed with a massive amount of administrative overhead. First, and painlessly, always remember to shut down unused ports or assign them to an unused VLAN. All ports are enabled by default, so you need to make sure there’s no access to unused switch ports!
Here are your options for configuring port security:
Switch#config t
Switch(config)#int f0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security ?
aging Port-security aging commands
mac-address Secure mac address
maximum Max secure addresses
violation Security violation mode
<cr>
Most Cisco switches ship with their ports in desirable mode, which means that those ports will desire to trunk when sensing that another switch has just been connected. So first, we need to change the port out from desirable mode and make it an access port instead. If we don’t do that, we won’t be able to configure port security on it at all! Once that’s out of the way, we can move on using our port-security
commands, never forgetting that we must enable port security on the interface with the basic command switchport port-security
. Notice that I did this after I made the port an access port!
The preceding output clearly illustrates that the switchport port-security
command can be used with four options. You can use the switchport port-security mac-address mac-address
command to assign individual MAC addresses to each switch port, but be warned because if you go with that option, you had better have boatloads of time on your hands!
You can configure the device to take one of the following actions when a security violation occurs by using the switchport port-security
command:
Protect
: The protect violation mode drops packets with unknown source addresses until you remove enough secure MAC addresses to drop below the maximum value.Restrict
: The restrict violation mode also drops packets with unknown source addresses until you remove enough secure MAC addresses to drop below the maximum value. However, it also generates a log message, causes the security violation counter to increment, and sends an SNMP trap.Shutdown
: Shutdown is the default violation mode. The shutdown violation mode puts the interface into an error-disabled state immediately. The entire port is shut down. Also, in this mode, the system generates a log message, sends an SNMP trap, and increments the violation counter. To make the interface usable, you must perform a shut/no shut
on the interface.If you want to set up a switch port to allow only one host per port and make sure the port will shut down if this rule is violated, use the following commands like this:
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security violation shutdown
These commands really are probably the most popular because they prevent random users from connecting to a specific switch or access point that’s in their office. The port security default that’s immediately set on a port when it’s enabled is maximum
1
and violation shutdown
. This sounds okay, but the drawback to this is that it only allows a single MAC address to be used on the port, so if anyone, including you, tries to add another host on that segment, the switch port will immediately enter error-disabled state and the port will turn amber. And when that happens, you have to manually go into the switch and re-enable the port by cycling it with a shutdown
and then a no shutdown
command.
Probably one of my favorite commands is the sticky
command, and not just because it’s got a cool name. It also makes very cool things happen! You can find this command under the mac-address
command:
Switch(config-if)#switchport port-security mac-address sticky
Switch(config-if)#switchport port-security maximum 2
Switch(config-if)#switchport port-security violation shutdown
Basically, with the sticky
command you can provide static MAC address security without having to type in absolutely everyone’s MAC address on the network. I like things that save me time like that!
In the preceding example, the first two MAC addresses coming into the port “stick” to it as static addresses and will be placed in the running-config, but when a third address tried to connect, the port would shut down immediately.
Let me show you one more example. Figure 10.6 displays a host in a company lobby that needs to be secured against the Ethernet cable used by anyone other than a single authorized individual.
What can you do to ensure that only the MAC address of the lobby PC is allowed by switch port Fa0/1?
The solution is pretty straightforward because in this case, the defaults for port security will work well. All I have left to do is add a static MAC entry:
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security violation restrict
Switch(config-if)#switchport port-security mac-address aa.bb.cc.dd.ee.ff
To protect the lobby PC, we would set the maximum allowed MAC addresses to 1 and the violation to restrict
so the port didn’t get shut down every time someone tried to use the Ethernet cable (which would be constantly). By using violation restrict
, the unauthorized frames would just be dropped. But did you notice that I enabled port-security
and then set a static MAC address? Remember that as soon as you enable port-security
on a port, it defaults to violation shutdown
and a maximum of 1. So all I needed to do was change the violation mode and add the static MAC address and our business requirement is solidly met!
Redundant links between switches are important to have in place because they help prevent nasty network failures in the event that one link stops working.
But while it’s true that redundant links can be extremely helpful, they can also cause more problems than they solve! This is because frames can be flooded down all redundant links simultaneously, creating network loops as well as other evils. Here’s a list of some of the ugliest problems that can occur:
All of these problems spell disaster or close, and they’re all evil situations that must be avoided or fixed somehow. That’s where the Spanning Tree Protocol comes into play. It was actually developed to solve each and every one of the problems I just told you about!
Now that I explained the issues that can occur when you have redundant links, or when you have links that are improperly implemented, I’m sure you understand how vital it is to prevent them. However, the best solutions are beyond the scope of this chapter and among the territory covered in the more advanced Cisco exam objectives. For now, let’s focus on configuring some switching!
Cisco Catalyst switches come in many flavors; some run 10 Mbps, while others can speed all the way up to 10 Gbps or higher switched ports with a combination of twisted-pair and fiber. These newer switches, like the 3850, also have more intelligence, so they can give you data fast—mixed media services, too!
With that in mind, it’s time to show you how to start up and configure a Cisco Catalyst switch using the command-line interface (CLI). After you get the basic commands down in this chapter, I’ll show you how to configure virtual LANs (VLANs) plus Inter-Switch Link (ISL) and 802.1q trunking in the next one.
Here’s a list of the basic tasks we’ll be covering next:
But before we actually get into configuring one of the Catalyst switches, I’ve got to fill you in regarding the boot process of these switches, just as I did with the routers in Chapter 7, “Managing a Cisco Internetwork.” Figure 10.9 shows a typical Cisco Catalyst switch, and I need to tell you about the different interfaces and features of this device. The first thing I want to point out is that the console port for the Catalyst switches are typically located on the back of the switch. Yet, on a smaller switch like the 3560 shown in the figure, the console is right in the front to make it easier to use. (The eight-port 2960 looks exactly the same.) If the POST completes successfully, the system LED turns green, but if the POST fails, it will turn amber. And seeing that amber glow is an ominous thing—typically fatal. So you may just want to keep a spare switch around—especially in case it’s a production switch that’s croaked! The bottom button is used to show you which lights are providing Power over Ethernet (PoE). You can see this by pressing the Mode button. The PoE is a very nice feature of these switches. It allows me to power my access point and phone by just connecting them into the switch with an Ethernet cable—sweet. Just as we did with the routers we configured in Chapter 9, “IP Routing,” we’ll use a diagram and switch setup in this chapter as well as in Chapter 11. Figure 10.10 shows the switched network we’ll be working on. I’m going to use three 3560 switches, which I also used for demonstration in Chapter 6, “Cisco’s Internetworking Operating System (IOS),” and Chapter 7. You can use any layer 2 switches for this chapter to follow the configuration, but when we get to Chapter 11, you’ll need at least one router as well as a layer 3 switch, like my 3560. Now if we connect our switches to each other, as shown in Figure 10.10, remember that first we’ll need a crossover cable between the switches. My 3560 switches autodetect the connection type, so I was able to use straight-through cables. But not all switches autodetect the cable type. Different switches have different needs and abilities, so just keep this in mind when connecting your various switches together. Make a note that in the Cisco exam objectives, switches never autodetect! When you first connect the switch ports to each other, the link lights are amber and then turn green, indicating normal operation. What you’re actually watching is spanning-tree converging, and this process takes around 50 seconds with no extensions enabled. But if you connect into a switch port and the switch port LED is alternating green and amber, it means the port is experiencing errors. If this happens, check the host NIC or the cabling, possibly even the duplex settings on the port to make sure they match the host setting. Absolutely not! Switches have all ports enabled and ready to rock. Take the switch out of the box, plug it in, and the switch starts learning MAC addresses in the CAM. So why would I need an IP address since switches are providing layer 2 services? Because you still need it for in-band management purposes! Telnet, SSH, SNMP, etc. all need an IP address in order to communicate with the switch through the network (in-band). Remember, since all ports are enabled by default, you need to shut down unused ports or assign them to an unused VLAN for security reasons. So where do we put this management IP address the switch needs for management purposes? On what is predictably called the management VLAN interface—a routed interface on every Cisco switch and called interface VLAN 1. This management interface can be changed, and Cisco recommends that you do change this to a different management interface for security purposes. No worries—I’ll demonstrate how to do this in Chapter 11. Let’s configure our switches now so you can watch how I configure the management interfaces on each switch. We’re going to begin our configuration by connecting into each switch and setting the administrative functions. We’ll also assign an IP address to each switch, but as I said, doing that isn’t really necessary to make our network function. The only reason we’re going to do that is so we can manage/administer it remotely, via Telnet for example. Let’s use a simple IP scheme like 192.168.10.16/28. This mask should be familiar to you! Check out the following output: The first thing to notice about this is that there’s no IP address configured on the switch’s physical interfaces. Since all ports on a switch are enabled by default, there’s not really a whole lot to configure! The IP address is configured under a logical interface, called a management domain or VLAN. You can use the default VLAN 1 to manage a switched network just as we’re doing here, or you can opt to use a different VLAN for management. The rest of the configuration is basically the same as the process you go through for router configuration. So remember… no IP addresses on physical switch interfaces, no routing protocols, and so on. We’re performing layer 2 switching at this point, not routing! Also, make a note to self that there is no AUX port on Cisco switches. Here is the S2 configuration: We should now be able to ping from S2 to S1. Let’s try it: Okay—now why did I get only four pings to work instead of five? The first period [.] is a time-out, but the exclamation point [!] is a success. It’s a good question, and here’s your answer: the first ping didn’t work because of the time that ARP takes to resolve the IP address to its corresponding hardware MAC address. Check out the S3 switch configuration: Now let’s ping to S1 and S2 from the S3 switch and see what happens: In the output of the Now, before we move on to verifying the switch configurations, there’s one more command you need to know about, even though we don’t really need it in our current network because we don’t have a router involved. It’s the Now that we have all three switches basically configured, let’s have some fun with them! A secured switch port can associate anywhere from 1 to 8,192 MAC addresses, but the 3560s I am using can support only 6,144, which seems like way more than enough to me. You can choose to allow the switch to learn these values dynamically, or you can set static addresses for each port using the So let’s set port security on our S3 switch now. Ports Fa0/3 and Fa0/4 will have only one device connected in our lab. By using port security, we’re assured that no other device can connect once our hosts in ports Fa0/3 and in Fa0/4 are connected. Here’s how to easily do that with just a couple commands: The first command sets the mode of the ports to “access” ports. These ports must be access or trunk ports to enable port security. By using the command Port security is enabled, as displayed on the first line, but the second line shows I’ve just got to point out this all-so-important fact one more time: It’s very important to remember that you can set parameters for port security but it won’t work until you enable port security at the interface level. Notice the output for port F0/6: Port Fa0/6 has been configured with a violation of restrict, but the first line shows that port security has not been enabled on the port yet. Remember, you must use this command at interface level to enable port security on a port: There are two other modes you can use instead of just shutting down the port. The restrict and protect modes mean that another host can connect up to the maximum MAC addresses allowed, but after the maximum has been met, all frames will just be dropped and the port won’t be shut down. Additionally, both the restrict and shutdown violation modes alert you via SNMP that a violation has occurred on a port. You can then call the abuser and tell them they’re so busted—you can see them, you know what they did, and they’re in serious trouble! If you’ve configured ports with the Here you can see that the port is in Let’s verify our switch configurations before we move onto VLANs in the next chapter. Beware that even though some switches will show The first thing I like to do with any router or switch is to run through the configurations with a For example, to verify the IP address set on a switch, we can use the The previous output shows the interface is in up/up status. Remember to always check this interface, either with this command or the I’m sure you remember being shown this command earlier in the chapter. Using it displays the forward filter table, also called a content addressable memory (CAM) table. Here’s the output from the S1 switch: The switches use things called base MAC addresses, which are assigned to the CPU. The first one listed is the base mac address of the switch. From the preceding output, you can see that we have six MAC addresses dynamically assigned to Fa0/1, meaning that port Fa0/1 is connected to another switch. Ports Fa0/5 and Fa0/6 only have one MAC address assigned, and all ports are assigned to VLAN 1. Let’s take a look at the S2 switch CAM and see what we can find out. This output tells us that we have seven MAC addresses assigned to Fa0/5, which is our connection to S3. But where’s port 6? Since port 6 is a redundant link to S3, STP placed Fa0/6 into blocking mode. You can set a static MAC address in the MAC address table, but like setting static MAC port security without the As shown on the left side of the output, you can see that a static MAC address has now been assigned permanently to interface Fa0/7 and that it’s also been assigned to VLAN 1 only. Now admit it—this chapter had a lot of great information, and you really did learn a lot and, well, maybe even had a little fun along the way too! You’ve now configured and verified all switches and set port security. That means you’re now ready to learn all about virtual LANs! I’m going to save all our switch configurations so we’ll be able to start right from here in Chapter 11.Catalyst Switch Configuration
Do We Need to Put an IP Address on a Switch?
S1
Switch>en
Switch#config t
Switch(config)#hostname S1
S1(config)#enable secret todd
S1(config)#int f0/15
S1(config-if)#description 1st connection to S3
S1(config-if)#int f0/16
S1(config-if)#description 2nd connection to S3
S1(config-if)#int f0/17
S1(config-if)#description 1st connection to S2
S1(config-if)#int f0/18
S1(config-if)#description 2nd connection to S2
S1(config-if)#int f0/8
S1(config-if)#desc Connection to IVR
S1(config-if)#line con 0
S1(config-line)#password console
S1(config-line)#login
S1(config-line)#line vty 0 15
S1(config-line)#password telnet
S1(config-line)#login
S1(config-line)#int vlan 1
S1(config-if)#ip address 192.168.10.17 255.255.255.240
S1(config-if)#no shut
S1(config-if)#exit
S1(config)#banner motd #this is my S1 switch#
S1(config)#exit
S1#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
S1#
S2
Switch#config t
Switch(config)#hostname S2
S2(config)#enable secret todd
S2(config)#int f0/1
S2(config-if)#desc 1st connection to S1
S2(config-if)#int f0/2
S2(config-if)#desc 2nd connection to s2
S2(config-if)#int f0/5
S2(config-if)#desc 1st connection to S3
S2(config-if)#int f0/6
S2(config-if)#desc 2nd connection to s3
S2(config-if)#line con 0
S2(config-line)#password console
S2(config-line)#login
S2(config-line)#line vty 0 15
S2(config-line)#password telnet
S2(config-line)#login
S2(config-line)#int vlan 1
S2(config-if)#ip address 192.168.10.18 255.255.255.240
S2(config)#exit
S2#copy run start
Destination filename [startup-config]?[enter]
Building configuration...
[OK]
S2#
S2#ping 192.168.10.17
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.17, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
S2#
S3
Switch>en
Switch#config t
SW-3(config)#hostname S3
S3(config)#enable secret todd
S3(config)#int f0/1
S3(config-if)#desc 1st connection to S1
S3(config-if)#int f0/2
S3(config-if)#desc 2nd connection to S1
S3(config-if)#int f0/5
S3(config-if)#desc 1st connection to S2
S3(config-if)#int f0/6
S3(config-if)#desc 2nd connection to S2
S3(config-if)#line con 0
S3(config-line)#password console
S3(config-line)#login
S3(config-line)#line vty 0 15
S3(config-line)#password telnet
S3(config-line)#login
S3(config-line)#int vlan 1
S3(config-if)#ip address 192.168.10.19 255.255.255.240
S3(config-if)#no shut
S3(config-if)#banner motd #This is the S3 switch#
S3(config)#exit
S3#copy run start
Destination filename [startup-config]?[enter]
Building configuration...
[OK]
S3#
S3#ping 192.168.10.17
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.17, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/3/9 ms
S3#ping 192.168.10.18
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.18, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/3/9 ms
S3#sh ip arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.10.17 0 001c.575e.c8c0 ARPA Vlan1
Internet 192.168.10.18 0 b414.89d9.18c0 ARPA Vlan1
Internet 192.168.10.19 - ecc8.8202.82c0 ARPA Vlan1
S3#
show ip arp
command, the dash (-
) in the minutes column means that it is the physical interface of the device.ip default-gateway
command. If you want to manage your switches from outside your LAN, you must set a default gateway on the switches just as you would with a host, and you do this from global config. Here’s an example where we introduce our router with an IP address using the last IP address in our subnet range:S3#config t
S3(config)#ip default-gateway 192.168.10.30
Port Security
switchport port-security mac-address mac-address
command.S3#config t
S3(config)#int range f0/3-4
S3(config-if-range)#switchport mode access
S3(config-if-range)#switchport port-security
S3(config-if-range)#do show port-security int f0/3
Port Security : Enabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0
switchport port-security
on the interface, I’ve enabled port security with a maximum MAC address of 1 and violation of shutdown. These are the defaults, and you can see them in the highlighted output of the show port-security int f0/3
command in the preceding code.Secure-down
because I haven’t connected my hosts into the ports yet. Once I do, the status will show Secure-up
and would become Secure-shutdown
if a violation occurs.S3#config t
S3(config)#int range f0/6
S3(config-if-range)#switchport mode access
S3(config-if-range)#switchport port-security violation restrict
S3(config-if-range)#do show port-security int f0/6
Port Security : Disabled
Port Status : Secure-up
Violation Mode : restrict
[output cut]
S3(config-if-range)#switchport port-security
violation shutdown
command, then the ports will look like this when a violation occurs:S3#sh port-security int f0/3
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 2
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0013:0ca69:00bb3:00ba8:1
Security Violation Count : 1
Secure-shutdown
mode and the light for the port would be amber. To enable the port again, you’d need to do the following:S3(config-if)#shutdown
S3(config-if)#no shutdown
err-disabled
instead of Secure-shutdown
as my switch shows, there is no difference between the two.Verifying Cisco Catalyst Switches
show running-config
command. Why? Because doing this gives me a really great overview of each device. But it is time consuming, and showing you all the configs would take up way too many pages in this book. Besides, we can instead run other commands that will still stock us up with really good information.show interface
command. Here’s the output:S3#sh int vlan 1
Vlan1 is up, line protocol is up
Hardware is EtherSVI, address is ecc8.8202.82c0 (bia ecc8.8202.82c0)
Internet address is 192.168.10.19/28
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
[output cut]
show ip interface brief
command. Lots of people tend to forget that this interface is shutdown
by default.show mac address-table
S3#sh mac address-table
Mac Address Table -------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
All 0100.0ccc.cccc STATIC CPU
[output cut]
1 000e.83b2.e34b DYNAMIC Fa0/1
1 0011.1191.556f DYNAMIC Fa0/1
1 0011.3206.25cb DYNAMIC Fa0/1
1 001a.2f55.c9e8 DYNAMIC Fa0/1
1 001a.4d55.2f7e DYNAMIC Fa0/1
1 001c.575e.c891 DYNAMIC Fa0/1
1 b414.89d9.1886 DYNAMIC Fa0/5
1 b414.89d9.1887 DYNAMIC Fa0/6
S2#sh mac address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
All 0100.0ccc.cccc STATIC CPU
[output cut
1 000e.83b2.e34b DYNAMIC Fa0/5
1 0011.1191.556f DYNAMIC Fa0/5
1 0011.3206.25cb DYNAMIC Fa0/5
1 001a.4d55.2f7e DYNAMIC Fa0/5
1 581f.aaff.86b8 DYNAMIC Fa0/5
1 ecc8.8202.8286 DYNAMIC Fa0/5
1 ecc8.8202.82c0 DYNAMIC Fa0/5
Total Mac Addresses for this criterion: 27
S2#
Assigning Static MAC Addresses
sticky
command, it’s a ton of work. Just in case you want to do it, here’s how it’s done:S3(config)#mac address-table ?
aging-time Set MAC address table entry maximum age
learning Enable MAC table learning feature
move Move keyword
notification Enable/Disable MAC Notification on the switch
static static keyword
S3(config)#mac address-table static aaaa.bbbb.cccc vlan 1 int fa0/7
S3(config)#do show mac address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
All 0100.0ccc.cccc STATIC CPU
[output cut]
1 000e.83b2.e34b DYNAMIC Fa0/1
1 0011.1191.556f DYNAMIC Fa0/1
1 0011.3206.25cb DYNAMIC Fa0/1
1 001a.4d55.2f7e DYNAMIC Fa0/1
1 001b.d40a.0538 DYNAMIC Fa0/1
1 001c.575e.c891 DYNAMIC Fa0/1
1 aaaa.bbbb.0ccc STATIC Fa0/7
[output cut]
Total Mac Addresses for this criterion: 59
In this chapter, I talked about the differences between switches and bridges and how they both work at layer 2. They create MAC address forward/filter tables in order to make decisions on whether to forward or flood a frame.
Although everything in this chapter is important, I wrote two port-security sections—one to provide a foundation and one with a configuration example. You must know both these sections in detail.
I also covered some problems that can occur if you have multiple links between bridges (switches).
Finally, I covered detailed configuration of Cisco’s Catalyst switches, including verifying the configuration.
Remember the three switch functions. Address learning, forward/filter decisions, and loop avoidance are the functions of a switch.
Remember the command show mac address-table
. The command show mac address-table
will show you the forward/filter table used on the LAN switch.
Understand the reason for port security. Port security restricts access to a switch based on MAC addresses.
Know the command to enable port security. To enable port security on a port, you must first make sure the port is an access port with switchport mode access
and then use the switchport port-security
command at the interface level. You can set the port security parameters before or after enabling port security.
Know the commands to verify port security. To verify port security, use the show port-security
, show port-security interface interface
, and show running-config
commands.
In this section, you’ll complete the following lab to make sure you’ve got the information and concepts contained within them fully dialed in:
Lab 10.1: Layer 2 Switching
You can find the answers to this lab in Appendix A, “Answers to Written Labs.”
Write the answers to the following questions:
sticky
keyword in the port-security
command provide?In this section, you will use the following switched network to configure your switching labs. You can use any Cisco switches to do this lab, as well as LammleSim IOS version simulator found at www.lammle.com/ccna. They do not need to be multilayer switches, just layer 2 switches.
The first lab (Lab 10.1) requires you to configure three switches, and then you will verify them in Lab 10.2.
The labs in this chapter are as follows:
In this lab, you will configure the three switches in the graphic:
IP address, subnet mask, default gateway
Switch>en
Switch#config t
Switch(config)#hostname S1
S1(config)#enable secret todd
S1(config)#int f0/15
S1(config-if)#description 1st connection to S3
S1(config-if)#int f0/16
S1(config-if)#description 2nd connection to S3
S1(config-if)#int f0/17
S1(config-if)#description 1st connection to S2
S1(config-if)#int f0/18
S1(config-if)#description 2nd connection to S2
S1(config-if)#int f0/8
S1(config-if)#desc Connection to IVR
S1(config-if)#line con 0
S1(config-line)#password console
S1(config-line)#login
S1(config-line)#line vty 0 15
S1(config-line)#password telnet
S1(config-line)#login
S1(config-line)#int vlan 1
S1(config-if)#ip address 192.168.10.17 255.255.255.240
S1(config-if)#no shut
S1(config-if)#exit
S1(config)#banner motd #this is my S1 switch#
S1(config)#exit
S1#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
Once you configure a device, you must be able to verify it.
Connect to each switch and verify the management interface.
S1#sh interface vlan 1
Connect to each switch and verify the CAM.
S1#sh mac address-table
Verify your configurations with the following commands:
S1#sh running-config
S1#sh ip int brief
Port security is a big Cisco objective. Do not skip this lab!
Configure port Fa0/3 with port security.
S3#config t
S(config)#int fa0/3
S3(config-if#Switchport mode access
S3(config-if#switchport port-security
Check your default setting for port security.
S3#show port-security int f0/3
Change the settings to have a maximum of two MAC addresses that can associate to interface Fa0/3.
S3#config t
S(config)#int fa0/3
S3(config-if#switchport port-security maximum 2
Change the violation mode to restrict.
S3#config t
S(config)#int fa0/3
S3(config-if#switchport port-security violation restrict
Verify your configuration with the following commands:
S3#show port-security
S3#show port-security int fa0/3
S3#show running-config
You can find the answers to these questions in Appendix B, “Answers to Review Questions.”
Which of the following statements is not true with regard to layer 2 switching?
List the two commands that generated the last entry in the MAC address table shown.
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
All 0100.0ccc.cccc STATIC CPU
[output cut]
1 000e.83b2.e34b DYNAMIC Fa0/1
1 0011.1191.556f DYNAMIC Fa0/1
1 0011.3206.25cb DYNAMIC Fa0/1
1 001a.4d55.2f7e DYNAMIC Fa0/1
1 001b.d40a.0538 DYNAMIC Fa0/1
1 001c.575e.c891 DYNAMIC Fa0/1
1 aaaa.bbbb.0ccc STATIC Fa0/7
In the diagram shown, what will the switch do if a frame with a destination MAC address of 000a.f467.63b1 is received on Fa0/4? (Choose all that apply.)
Write the command that generated the following output.
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
All 0100.0ccc.cccc STATIC CPU
[output cut]
1 000e.83b2.e34b DYNAMIC Fa0/1
1 0011.1191.556f DYNAMIC Fa0/1
1 0011.3206.25cb DYNAMIC Fa0/1
1 001a.2f55.c9e8 DYNAMIC Fa0/1
1 001a.4d55.2f7e DYNAMIC Fa0/1
1 001c.575e.c891 DYNAMIC Fa0/1
1 b414.89d9.1886 DYNAMIC Fa0/5
1 b414.89d9.1887 DYNAMIC Fa0/6
In the work area in the following graphic, draw the functions of a switch from the list on the left to the right.
What statement(s) is/are true about the output shown here? (Choose all that apply.)
S3#sh port-security int f0/3
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 2
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0013:0ca69:00bb3:00ba8:1
Security Violation Count : 1
shutdown
command to function.Write the command that would limit the number of MAC addresses allowed on a port to 2. Write only the command and not the prompt.
Which of the following commands in this configuration is a prerequisite for the other commands to function?
S3#config t
S(config)#int fa0/3
S3(config-if#switchport port-security
S3(config-if#switchport port-security maximum 3
S3(config-if#switchport port-security violation restrict
S3(config-if#Switchport mode-security aging time 10
switchport mode-security aging time 10
switchport port-security
switchport port-security maximum 3
switchport port-security violation restrict
Which if the following is not an issue addressed by STP?
What issue that arises when redundancy exists between switches is shown in the figure?
Which two of the following switch port violation modes will alert you via SNMP that a violation has occurred on a port?
______________ is the loop avoidance mechanism used by switches.
Write the command that must be present on any switch that you need to manage from a different subnet.
On which default interface have you configured an IP address for a switch?
int fa0/0
int vty 0 15
int vlan 1
int s/0/0
Which Cisco IOS command is used to verify the port security configuration of a switch port?
show interfaces port-security
show port-security interface
show ip interface
show interfaces switchport
Write the command that will save a dynamically learned MAC address in the running-configuration of a Cisco switch?
Which of the following methods will ensure that only one specific host can connect to port F0/3 on a switch? (Choose two. Each correct answer is a separate solution.)
What will be the effect of executing the following command on port F0/1?
switch(config-if)# switchport port-security mac-address 00C0.35F0.8301
The conference room has a switch port available for use by the presenter during classes, and each presenter uses the same PC attached to the port. You would like to prevent other PCs from using that port. You have completely removed the former configuration in order to start anew. Which of the following steps is not required to prevent any other PCs from using that port?
Write the command required to disable the port if a security violation occurs. Write only the command and not the prompt.