concerned with forwarding policies. All these decisions are made simultaneously by independent portions of
switching hardware and can be described as follows:
L2 forwarding table
Security ACLs
QoS ACLs
Now, the decision of where to forward the packet is based on two address tables, whereas the decision of how
to forward the packet still is based on access list results. As in Layer 2 switching, all these multilayer
decisions are performed simultaneously in hardware:
L2 forwarding table
L3 forwarding table
Security ACLs
QoS ACLs
By default, idle CAM table entries are kept for 300 seconds before they are deleted.
Switch(config)# define interface-range macro-name type module/number [, type module/number ...] [type module/first-number last-number] [...]
Switch(config)# interface range macro macro-name
Switch(config)# define interface-range MyGroup gig 2/0/1 , gig 2/0/3 2/0/5 , gig 3/0/1 , gig 3/0/10, gig 3/0/32 3/0/48
Switch(config)# interface range macro MyGroup
Switch(config-if)# description description-string
Switch(config-if)# speed {10 | 100 | 1000 | auto}
Switch(config-if)# duplex {auto | full | half}
STATIC VLANS
Switch(config)# vlan vlan-num
Switch(config-vlan)# name vlan-name
Switch(config)# interface type module/number
Switch(config-if)# switchport
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan vlan-num
If an entire instance of STP has been disabled, you can reenable it with the following global
configuration command:
Switch(config)# spanning-tree vlan vlan-id
If STP has been disabled for a specific VLAN on a specific port, you can reenable it with
the following interface configuration command:
Switch(config-if)# spanning-tree vlan vlan-id
Switch(config)# spanning-tree extend system-id
Switch(config)# spanning-tree vlan vlan-list priority bridge-priority
The bridge-priority value defaults to 32,768, but you can also assign a value of 0 to
65,535. If STP extended system ID is enabled, the default bridge-priority is 32,768
plus the VLAN number. In that case, the value can range from 0 to 61,440, but only
as multiples of 4096. A lower bridge priority is preferable.
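Added example, not part of the original notes: how the bridge ID is built when extended system ID is enabled (the 4-bit priority in multiples of 4096 plus the 12-bit VLAN number, followed by the bridge MAC), the range check the priority command enforces, and how root election picks the lowest ID. The names `bridge_id`, `validate_priority` and `elect_root` and the sample MAC addresses are constructed for this example.

```python
# Bridge ID with extended system ID:
#   16-bit priority field = configured priority (multiple of 4096) + VLAN number
#   followed by the 48-bit bridge MAC address. Lowest bridge ID wins root election.
PRIORITY_STEP = 4096        # only multiples of 4096 fit in the 4-bit priority field
MAX_PRIORITY = 61440        # 15 * 4096
DEFAULT_PRIORITY = 32768


def validate_priority(priority: int) -> int:
    """Reject values the 'spanning-tree vlan ... priority' command would refuse."""
    if not 0 <= priority <= MAX_PRIORITY or priority % PRIORITY_STEP:
        raise ValueError(f"priority must be a multiple of {PRIORITY_STEP} "
                         f"between 0 and {MAX_PRIORITY}, got {priority}")
    return priority


def bridge_id(priority: int, vlan: int, mac: str) -> int:
    """Return the 64-bit bridge ID as an integer so IDs compare numerically."""
    validate_priority(priority)
    if not 1 <= vlan <= 4094:
        raise ValueError(f"vlan out of range: {vlan}")
    priority_field = priority + vlan        # e.g. 32768 + 10 = 32778 for VLAN 10
    mac_int = int(mac.replace(":", "").replace(".", ""), 16)
    return (priority_field << 48) | mac_int


def elect_root(bridges: dict[str, tuple[int, int, str]]) -> str:
    """Given {name: (priority, vlan, mac)}, return the name of the root bridge.

    Lower priority field wins; on a tie the lower MAC address wins.
    """
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


if __name__ == "__main__":
    # Constructed sample: same default priority, so the lower MAC becomes root.
    sample = {"SW1": (32768, 10, "0000.0c11.2233"), "SW2": (32768, 10, "0000.0c00.0001")}
    print("root bridge:", elect_root(sample))
```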
Switch(config-if)# spanning-tree [vlan vlan-id] cost cost
Switch# show spanning-tree interface type mod/num [cost]
Switch(config-if)# spanning-tree [vlan vlan-list] port-priority port-priority
Switch(config)# spanning-tree [vlan vlan-id] hello-time seconds
Switch(config)# spanning-tree [vlan vlan-id] forward-time seconds
Switch(config)# spanning-tree [vlan vlan-id] max-age seconds
Switch(config)# spanning-tree vlan vlan-list root {primary | secondary} [diameter diameter [hello-time hello-time]]
After an STP topology has converged and becomes loop free, switch ports are assigned
the following roles:
Root port: The one port on a switch that is closest (with the lowest root path cost) to the root bridge.
Designated port: The port on a LAN segment that is closest to the root. This port relays, or transmits, BPDUs down the tree.
Blocking port: Ports that are neither root nor designated ports.
Alternate port: Ports that are candidate root ports (they are also close to the root bridge) but are in the Blocking state. These ports are identified for quick use by the STP UplinkFast feature.
Forwarding port: Ports where no other STP activity is detected or expected. These are ports with normal end-user connections.
STP 802.1D
RSTP 802.1w
MST 802.1s
802.1D
Root port
Designated port
Blocking port (neither root nor designated)
Edge port: A port at the edge of the network, where only a single host connects. Traditionally, this has been identified by enabling the STP PortFast feature.
Root port: The port that has the best cost to the root of the STP instance.
Point-to-point port: Any port that connects to another switch and becomes a designated port.
Port Security
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum max-addr
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security mac-address mac-addr
Switch(config-if)# switchport port-security violation {shutdown | restrict | protect}
Shutdown: The port immediately is put into the Errdisable state, which effectively shuts it down. It must be reenabled manually or through errdisable recovery to be used again.
Restrict: The port is allowed to stay up, but all packets from violating MAC addresses are dropped. The switch keeps a running count of the number of violating packets and can send an SNMP trap and a syslog message as an alert of the violation.
Protect: The port is allowed to stay up, as in the restrict mode. Although packets from violating addresses are dropped, no record of the violation is kept.
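Added example, not part of the original notes: a small model of one secured access port that applies the maximum-address limit and the three violation modes described above, so the difference between shutdown, restrict and protect (errdisable, counted drop, silent drop) can be exercised. The class `SecuredPort` and the MAC addresses are constructed for this example; it is not switch code.

```python
from dataclasses import dataclass, field


@dataclass
class SecuredPort:
    """One access port with 'switchport port-security' enabled."""
    maximum: int = 1                    # switchport port-security maximum max-addr
    violation: str = "shutdown"         # shutdown | restrict | protect
    allowed: set[str] = field(default_factory=set)   # static + dynamically learned MACs
    errdisabled: bool = False
    violation_count: int = 0            # running count kept only in restrict mode

    def add_static(self, mac: str) -> None:
        """switchport port-security mac-address mac-addr"""
        if self.violation not in ("shutdown", "restrict", "protect"):
            raise ValueError(f"unknown violation mode {self.violation}")
        if len(self.allowed) >= self.maximum:
            raise ValueError("static address would exceed the configured maximum")
        self.allowed.add(mac)

    def receive(self, src_mac: str) -> str:
        """Handle one ingress frame; return 'forwarded', 'dropped' or 'errdisabled'."""
        if self.errdisabled:
            return "errdisabled"            # port stays down until recovered
        if src_mac in self.allowed:
            return "forwarded"
        if len(self.allowed) < self.maximum:
            self.allowed.add(src_mac)       # dynamic learning up to the maximum
            return "forwarded"
        # Violation: the address table is full and this source MAC is not in it.
        if self.violation == "shutdown":
            self.errdisabled = True         # needs manual or errdisable recovery
            return "errdisabled"
        if self.violation == "restrict":
            self.violation_count += 1       # counted; SNMP trap / syslog would fire
        return "dropped"                    # protect: dropped with no record kept

    def errdisable_recover(self) -> None:
        """Manual 'shutdown' / 'no shutdown' or errdisable recovery timer."""
        self.errdisabled = False
```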
Port-Based Authentication
802.1x Configuration
Remote Authentication Dial-In User Service (RADIUS): only RADIUS is supported for 802.1x authentication.
force-authorized: The port is forced to always authorize any connected client. No authentication is necessary. This is the default state for all switch ports when 802.1x is enabled.
force-unauthorized: The port is forced to never authorize any connected client. As a result, the port cannot move to the authorized state to pass traffic to a connected client.
auto: The port uses an 802.1x exchange to move from the unauthorized to the authorized state, if successful. This requires an 802.1x-capable application on the client PC.
Step 6. Allow multiple hosts on a switch port.
Switch(config-if)# dot1x host-mode multi-host
DHCP Snooping
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan vlan-id [vlan-id]
Switch(config)# interface type mod/num
Switch(config-if)# ip dhcp snooping trust
Switch(config)# interface type mod/num
Switch(config-if)# ip dhcp snooping limit rate rate
IP Source Guard
Switch(config)# ip source binding mac-address vlan vlan-id ip-address interface type mod/num
Switch(config)# interface type mod/num
Switch(config-if)# ip verify source [port-security]
Switch# show ip verify source [interface type mod/num]
Switch# show ip source binding [ip-address] [mac-address] [dhcp-snooping | static] [interface type mod/num] [vlan vlan-id]
dst-mac: Check the destination MAC address in the Ethernet header against the target MAC address in the ARP reply.
ip: Check the sender's IP address in all ARP requests; check the sender's IP address against the target IP address in all ARP replies.
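Added example, not part of the original notes: a DHCP snooping binding table (the rows `show ip source binding` lists) consulted first by IP Source Guard and then by Dynamic ARP Inspection, with the `dst-mac` and `ip` validation checks described above. The classes `Binding` and `Arp`, the functions `source_guard` and `dai_check`, and all addresses are constructed for this example; the set of addresses the `ip` check treats as invalid (0.0.0.0, 255.255.255.255, multicast) is taken from Cisco's DAI documentation, not from these notes.

```python
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Binding:              # one row of the snooping binding table
    mac: str
    vlan: int
    ip: str
    interface: str


@dataclass(frozen=True)
class Arp:                  # the fields DAI inspects in an ARP frame
    op: str                 # "request" or "reply"
    eth_dst: str            # destination MAC in the Ethernet header
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def source_guard(table: list[Binding], vlan: int, iface: str, src_mac: str, src_ip: str) -> bool:
    """'ip verify source port-security': source IP and MAC must match a binding on this port."""
    return any(b.vlan == vlan and b.interface == iface and b.mac == src_mac and b.ip == src_ip
               for b in table)


def _invalid_ip(ip: str) -> bool:
    return ip in ("0.0.0.0", "255.255.255.255") or ip_address(ip).is_multicast


def dai_check(table: list[Binding], vlan: int, pkt: Arp, checks=("dst-mac", "ip")) -> list[str]:
    """Return the failed checks for an ARP frame from an untrusted port; [] means forward it."""
    failed = []
    # Core DAI check: the sender MAC/IP pair must exist in the binding table for this VLAN.
    if not any(b.vlan == vlan and b.mac == pkt.sender_mac and b.ip == pkt.sender_ip for b in table):
        failed.append("binding")
    # dst-mac: in a reply the Ethernet destination must equal the ARP target MAC.
    if "dst-mac" in checks and pkt.op == "reply" and pkt.eth_dst != pkt.target_mac:
        failed.append("dst-mac")
    # ip: sender IP in requests; sender and target IP in replies must be valid addresses.
    if "ip" in checks:
        ips = [pkt.sender_ip] if pkt.op == "request" else [pkt.sender_ip, pkt.target_ip]
        if any(_invalid_ip(i) for i in ips):
            failed.append("ip")
    return failed
```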
VLAN Hopping