Switches
Multilayer Switching
Multilayer switches can route at Layer 3 as well as switch at Layer 2. To route on a physical port, disable its switchport (Layer 2) function and give it an IP address; the switch also needs ip routing enabled globally before it forwards traffic between its routed ports and SVIs.
Convert Switchport to Routed Port
Disable switchport mode to enable Layer 3 routing:
> enable
# config terminal
(config)# interface <interface>
(config-if)# no switchport
(config-if)# ip address <IP> <subnet>
(config-if)# no shutdown
Example:
(config)# interface gigabitEthernet 1/0/1
(config-if)# no switchport
(config-if)# ip address 10.0.0.1 255.255.255.0
(config-if)# no shutdown
Check whether an interface is operating as a switchport or as a routed port:
# show interfaces <interface> switchport
If the output shows "Switchport: Disabled", the port is operating at Layer 3.
Basic Switch Configuration
Initial Setup
> enable
# config terminal
Global Configuration
Set the hostname (recommended to do this first):
(config)# hostname <hostname>
Set the privileged EXEC secret and turn on password obfuscation:
(config)# enable secret <password>
(config)# service password-encryption
enable secret stores a hash of the password and should always be used instead of the older enable password, which is kept in cleartext. service password-encryption only applies type 7 encoding to line, username and enable passwords shown in the configuration; type 7 is a fixed-key XOR that is trivially reversible, so it protects against shoulder-surfing, not against anyone who can read a copy of the config.
Configure the default gateway the switch uses for its own management traffic (Layer 2 switch, or ip routing disabled):
(config)# ip default-gateway <gateway_ip>
Example:
(config)# hostname SW1
(config)# enable secret Cisco123
(config)# service password-encryption
(config)# ip default-gateway 192.168.1.1
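The password lines above deserve a concrete check. The following is an added example, not code from the original page: it decodes Cisco type 7 strings (the encoding that service password-encryption applies) using the fixed, publicly known key IOS uses, and scans a constructed running-config excerpt for them while leaving hashed enable secret entries alone. The config text, usernames and passwords in it are made up for the example.

```python
# Added example (not from the original page): decode Cisco IOS "type 7"
# strings to show that "service password-encryption" is obfuscation, not
# encryption. The key below is the fixed, publicly documented one IOS uses.
import re
from typing import Dict, List, Tuple

TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded: str) -> str:
    """Reverse a type 7 string: 2-digit key offset, then hex bytes XORed with the key."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 string is a 2-digit offset followed by hex byte pairs")
    offset = int(encoded[:2], 10)
    if not 0 <= offset <= 15:
        raise ValueError("key offset must be 00..15")
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return plain.decode("ascii")


def type7_encode(plain: str, offset: int = 9) -> str:
    """Produce a type 7 string the way IOS does; used here for round-trip checks."""
    if not 0 <= offset <= 15:
        raise ValueError("key offset must be 0..15")
    data = plain.encode("ascii")
    enc = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return f"{offset:02d}{enc.hex().upper()}"


# Matches "password 7 <hex>" on line, username and "enable password" entries;
# the text before it records where the password was found.
TYPE7_LINE = re.compile(r"^\s*(?P<where>.*?)\s*password 7 (?P<blob>[0-9A-Fa-f]+)\s*$")
# Hashed secrets (types 5, 8, 9) are one-way and are reported but not decoded.
HASHED_LINE = re.compile(r"\bsecret (?:5|8|9) \S+")


def audit_passwords(config: str) -> Dict[str, List]:
    """Return {'reversible': [(where, plaintext)], 'hashed': [line]} for a running-config."""
    found: Dict[str, List] = {"reversible": [], "hashed": []}
    for line in config.splitlines():
        m = TYPE7_LINE.match(line)
        if m:
            where = m.group("where") or "line password"
            found["reversible"].append((where, type7_decode(m.group("blob"))))
        elif HASHED_LINE.search(line):
            found["hashed"].append(line.strip())
    return found


# Constructed running-config excerpt (sample input, not captured from a device;
# the enable secret hash is a placeholder, not a real digest).
SAMPLE_CONFIG = """\
hostname SW1
service password-encryption
enable secret 5 $1$Xy4z$placeholderHashNotReal000
username admin password 7 096F471A1A0A464058
line vty 0 15
 password 7 094F471A1A0A
 login
"""

if __name__ == "__main__":
    report = audit_passwords(SAMPLE_CONFIG)
    for where, plain in report["reversible"]:
        print(f"{where}: type 7 string decodes to {plain!r}")
    for line in report["hashed"]:
        print(f"hashed (not reversible): {line}")
```

Run against a saved copy of show running-config, this is the quickest way to demonstrate to a team why config backups containing type 7 strings must be handled as secrets.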
Configure the SVI used for management access. VLAN 1 is shown here as the minimal setup; in production put management on a dedicated VLAN, because VLAN 1 is the default VLAN of every unconfigured port and cannot be deleted:
(config)# interface vlan 1
(config-if)# ip address <ip> <subnet>
(config-if)# no shutdown
(config-if)# exit
Example:
(config)# interface vlan 1
(config-if)# ip address 192.168.1.10 255.255.255.0
(config-if)# no shutdown
Configure a password for remote access on all sixteen VTY lines:
(config)# line vty 0 15
(config-line)# password <password>
(config-line)# login
(config-line)# exit
With only these commands the lines also accept Telnet, which carries the password in cleartext. On a production switch restrict the lines to SSH (transport input ssh) and authenticate against per-user accounts (login local) instead of a shared line password.
Save Configuration
(config)# exit
# copy running-config startup-config
EtherChannel Configuration
Configure EtherChannel with LACP
Select a range of interfaces and bundle them into one port-channel:
# config terminal
(config)# interface range gigabitEthernet 0/1 - 2
(config-if-range)# switchport trunk encapsulation dot1q
(config-if-range)# switchport mode trunk
(config-if-range)# channel-group 1 mode active
Channel-group modes:
- active: LACP - actively negotiates
- passive: LACP - waits for negotiation
- desirable: PAgP - actively negotiates
- auto: PAgP - waits for negotiation
- on: Static - no negotiation protocol
Example:
(config)# interface range gigabitEthernet 0/1 - 2
(config-if-range)# switchport mode trunk
(config-if-range)# channel-group 1 mode active
The two ends must use compatible modes: active/active or active/passive for LACP, desirable/desirable or desirable/auto for PAgP, and on/on for a static bundle. Passive/passive and auto/auto never form a channel, and with mode on nothing verifies the bundle, so a cabling or configuration mismatch can create a loop.
For non-trunked EtherChannels, configure the member ports in access mode:
(config)# interface range fastEthernet 0/1 - 2
(config-if-range)# switchport mode access
(config-if-range)# switchport access vlan 10
(config-if-range)# channel-group 2 mode active
Display the EtherChannel summary:
# show etherchannel summary
Display detailed port-channel information:
# show etherchannel <group_number> port-channel
# show interfaces port-channel <number>
# show interfaces etherchannel
Verify that the EtherChannel appears as a single interface in STP:
# show spanning-tree
PortFast lets edge ports (connected to end devices) skip the STP listening and learning states and go straight to forwarding, so a host gets link immediately instead of waiting through the STP timers. The port still runs STP: if it receives a BPDU it loses its PortFast status and behaves as a normal port.
Enable PortFast on Interface
(config)# interface <interface>
(config-if)# spanning-tree portfast
Example:
(config)# interface fastEthernet 0/5
(config-if)# spanning-tree portfast
(config)# spanning-tree portfast default
Warning: Only enable PortFast on ports connected to end devices (PCs, servers, printers). Never enable it on ports connected to other switches, because it bypasses the loop-prevention delay. Pair PortFast with BPDU Guard, which err-disables a PortFast port the moment it receives a BPDU, so a rogue or mis-cabled switch on an edge port is cut off instead of being admitted into the topology.
Port Security
Port security restricts which source MAC addresses a switchport accepts and how many it will learn, which limits MAC flooding and unauthorised device swaps on access ports.
Configure Port Security with Sticky MAC
> enable
# config terminal
(config)# interface <interface>
Put the port in access mode (required for port security):
(config-if)# switchport mode access
Enable port security:
(config-if)# switchport port-security
Learn and save MAC addresses dynamically:
(config-if)# switchport port-security mac-address sticky
Limit the number of allowed MAC addresses:
(config-if)# switchport port-security maximum <1-8192>
Configure the violation action:
(config-if)# switchport port-security violation <shutdown|restrict|protect>
Violation modes:
- shutdown: err-disables the port, logs the violation and sends an SNMP trap (default, most secure)
- restrict: drops frames from unknown MAC addresses, logs the violation and increments the violation counter; the port stays up
- protect: drops frames from unknown MAC addresses silently (no log, no counter), so violations go unnoticed
Complete Example:
(config)# interface fastEthernet 0/5
(config-if)# switchport mode access
(config-if)# switchport port-security
(config-if)# switchport port-security mac-address sticky
(config-if)# switchport port-security maximum 1
(config-if)# switchport port-security violation shutdown
Sticky addresses are written into the running configuration as they are learned; save with copy running-config startup-config or they are lost on reload. A maximum of 1 only suits a port with a single host; a port that serves an IP phone with a PC behind it sees at least two MAC addresses and needs a correspondingly higher maximum.
Instead of sticky learning, specify the allowed MAC addresses explicitly:
(config-if)# switchport port-security mac-address <mac_address>
Example:
(config-if)# switchport port-security mac-address 0050.5682.1234
# show port-security
# show port-security interface <interface>
# show port-security address
If a port has been shut down by a violation (err-disabled state), bounce it:
(config)# interface <interface>
(config-if)# shutdown
(config-if)# no shutdown
Or enable automatic recovery:
(config)# errdisable recovery cause psecure-violation
(config)# errdisable recovery interval <seconds>
Automatic recovery re-enables the port without removing the offending device; if it is still attached, the port simply violates again after each interval, so treat the recovery log entries as an alert, not as a fix.
VLAN Configuration
Show VLAN Information
Display all VLANs (brief):
# show vlan brief
Display a specific VLAN:
# show vlan id <vlan_number>
> enable
# config terminal
(config)# vlan <vlan_number>
(config-vlan)# name <vlan_name>
(config-vlan)# exit
Example:
(config)# vlan 10
(config-vlan)# name SALES
(config-vlan)# exit
(config)# vlan 20
(config-vlan)# name ENGINEERING
(config-vlan)# exit
Assign a single port:
(config)# interface <interface>
(config-if)# switchport mode access
(config-if)# switchport access vlan <vlan_number>
Assign a range of ports:
(config)# interface range <interface_range>
(config-if-range)# switchport mode access
(config-if-range)# switchport access vlan <vlan_number>
(config-if-range)# exit
Example:
(config)# interface range fastEthernet 0/1 - 10
(config-if-range)# switchport mode access
(config-if-range)# switchport access vlan 10
Configure a Switch Virtual Interface (SVI) for management or, on a multilayer switch with ip routing enabled, for inter-VLAN routing. The SVI only comes up once the VLAN exists and at least one port in that VLAN is up:
(config)# interface vlan <vlan_number>
(config-if)# ip address <ip_address> <subnet_mask>
(config-if)# no shutdown
Example:
(config)# interface vlan 10
(config-if)# ip address 192.168.10.1 255.255.255.0
(config-if)# no shutdown
(config)# no vlan <vlan_number>
Ports still assigned to a deleted VLAN become inactive and pass no traffic until they are moved to an existing VLAN, so reassign them first.
Trunk ports carry traffic for multiple VLANs between switches, tagging each frame (802.1Q) with its VLAN ID; frames in the native VLAN cross the trunk untagged.
Show Trunk Information
# show interfaces trunk
Configure Trunk Port
> enable
# config terminal
(config)# interface <interface>
(config-if)# switchport mode trunk
(config-if)# switchport trunk native vlan <vlan_number>
(config-if)# switchport trunk allowed vlan <vlan_list>
(config-if)# no shutdown
Example:
(config)# interface gigabitEthernet 0/1
(config-if)# switchport mode trunk
(config-if)# switchport trunk native vlan 99
(config-if)# switchport trunk allowed vlan 10,20,30
(config-if)# no shutdown
Configure Trunk on Interface Range
(config)# interface range <interface_range>
(config-if-range)# switchport mode trunk
(config-if-range)# switchport trunk native vlan <vlan_number>
(config-if-range)# switchport trunk allowed vlan <vlan_list>
(config-if-range)# no shutdown
(config-if-range)# exit
Example:
(config)# interface range fastEthernet 0/23 - 24
(config-if-range)# switchport mode trunk
(config-if-range)# switchport trunk native vlan 99
(config-if-range)# switchport trunk allowed vlan 10,20,30,99
(config-if-range)# no shutdown
Use a dedicated, otherwise unused VLAN as the native VLAN and keep it identical on both ends of the trunk. If an access port sits in the same VLAN as a trunk's native VLAN (the default of 1 makes this likely), a host on it can send double-tagged frames that the trunk forwards into other VLANs (VLAN hopping), and a native-VLAN mismatch between the two ends bridges two VLANs together. Prune the allowed list to the VLANs that actually need to cross the trunk.
Some switches require you to specify the trunk encapsulation type before the port can be set to trunk mode:
(config-if)# switchport trunk encapsulation dot1q
(config-if)# switchport mode trunk
Section titled “Trunk Mode Options”- trunk: Port is permanently in trunking mode
- access: Port is permanently in access mode
- dynamic auto: Port waits for the neighbor to initiate trunking
- dynamic desirable: Port actively attempts to negotiate trunking
Example:
(config-if)# switchport mode dynamic desirable
The two dynamic modes rely on DTP, which a host can speak as well: an attacker on a port left in dynamic auto (the default on many Catalyst models) or dynamic desirable can negotiate a trunk and reach every VLAN. Set every port to access or trunk explicitly, and turn DTP off on trunks with switchport nonegotiate.
Add VLANs to the allowed list:
(config-if)# switchport trunk allowed vlan add <vlan_list>
Remove VLANs from the allowed list:
(config-if)# switchport trunk allowed vlan remove <vlan_list>
Allow all VLANs:
(config-if)# switchport trunk allowed vlan all
Example:
(config-if)# switchport trunk allowed vlan add 40,50
(config-if)# switchport trunk allowed vlan remove 30
Note that switchport trunk allowed vlan <vlan_list> without add or remove replaces the whole list, a common way to drop VLANs from a live trunk by accident.
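Pulling the Port Security, VTY and trunking recommendations together, the following added example (not part of the original page) audits a constructed Catalyst-style running-config for the usual gaps: VTY lines that still accept Telnet or use a shared line password, access ports without port security or with PortFast but no BPDU Guard, ports left negotiable by DTP, and trunks that sit on native VLAN 1, still speak DTP or carry every VLAN. The check names, messages, interface names and the sample config are this example's own.

```python
# Added example (not from the original page): audit a Catalyst-style
# running-config for the Layer 2 gaps covered by the Port Security, VTY and
# VLAN Trunking sections. The checks and messages are this example's own.
from typing import Dict, List, Tuple


def parse_stanzas(config: str) -> Dict[str, List[str]]:
    """Collect the indented lines under each 'interface ...' / 'line vty ...' header."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None  # a blank line or '!' ends the current stanza
            continue
        if not raw.startswith(" "):
            head = raw.strip()
            current = head if head.startswith(("interface ", "line vty")) else None
            if current is not None:
                stanzas[current] = []
            continue
        if current is not None:
            stanzas[current].append(raw.strip())
    return stanzas


def audit_switch_config(config: str) -> List[Tuple[str, str]]:
    """Return (stanza, finding) pairs; an empty list means nothing was flagged."""
    findings: List[Tuple[str, str]] = []
    for name, lines in parse_stanzas(config).items():
        body = set(lines)
        if name.startswith("line vty"):
            transport = [l for l in lines if l.startswith("transport input")]
            if not transport or any("telnet" in l or l.endswith(" all") for l in transport):
                findings.append((name, "accepts Telnet (cleartext); restrict with 'transport input ssh'"))
            if "login" in body:
                findings.append((name, "shared line password; prefer 'login local' with user accounts"))
            continue
        # SVIs and routed ports carry no switchport settings; skip them.
        if name.startswith("interface Vlan") or "no switchport" in body:
            continue
        mode = next((l[len("switchport mode "):] for l in lines if l.startswith("switchport mode ")), None)
        if mode is None or mode.startswith("dynamic"):
            findings.append((name, "DTP negotiable (no fixed mode); set access or trunk explicitly"))
            continue
        if mode == "access":
            if "switchport port-security" not in body:
                findings.append((name, "access port without port-security"))
            elif "switchport port-security violation protect" in body:
                findings.append((name, "violation mode 'protect' drops silently (nothing logged)"))
            if "spanning-tree portfast" in body and "spanning-tree bpduguard enable" not in body:
                findings.append((name, "PortFast without BPDU Guard"))
        elif mode == "trunk":
            native = next((l.split()[-1] for l in lines if l.startswith("switchport trunk native vlan ")), "1")
            if native == "1":
                findings.append((name, "native VLAN is 1; use a dedicated unused VLAN"))
            if "switchport nonegotiate" not in body:
                findings.append((name, "trunk still speaks DTP; add 'switchport nonegotiate'"))
            allowed = next((l for l in lines if l.startswith("switchport trunk allowed vlan ")), None)
            if allowed is None or allowed.endswith(" all"):
                findings.append((name, "trunk carries all VLANs; prune to the required list"))
    return findings


# Constructed running-config (sample input, not captured from a real switch).
SAMPLE_CONFIG = """\
hostname SW1
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
interface GigabitEthernet1/0/3
 switchport access vlan 20
!
interface GigabitEthernet1/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan all
!
interface Vlan99
 ip address 192.168.99.10 255.255.255.0
!
line vty 0 15
 password 7 094F471A1A0A
 login
 transport input telnet ssh
"""

if __name__ == "__main__":
    for stanza, finding in audit_switch_config(SAMPLE_CONFIG):
        print(f"{stanza}: {finding}")
```

GigabitEthernet1/0/1 is the fully hardened reference port and produces no findings; every other stanza in the sample trips at least one check, which is the pattern you want when turning this into a pre-change gate for config pushes.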
MAC Address Table Management
Show MAC Address Table
Display all learned MAC addresses:
# show mac address-table
Display MAC addresses for a specific VLAN:
# show mac address-table vlan <vlan_number>
Display MAC addresses learned on a specific interface:
# show mac address-table interface <interface>
Clear the entire MAC address table:
# clear mac address-table
Clear only dynamically learned entries (preserves static entries):
# clear mac address-table dynamic
Bind a MAC address to a VLAN and interface from global configuration mode. Static entries never age out and are not updated by learning, so use them sparingly in production and keep them documented:
(config)# mac address-table static <mac_address> vlan <vlan_number> interface <interface>
Example:
(config)# mac address-table static 0050.5682.1234 vlan 10 interface fastEthernet 0/5
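The MAC table is also where MAC flooding and address spoofing show up first. The following added example (not from the original page) parses show mac address-table output, flags edge ports that have learned more dynamic MACs than an access port should (the same limit that switchport port-security maximum enforces on the switch itself), and diffs two snapshots for MACs that have moved port. Both snapshots, the interface names and the threshold are constructed for the example.

```python
# Added example (not from the original page): parse 'show mac address-table'
# output and flag (a) ports learning more MACs than an edge port should and
# (b) MACs that moved port between two snapshots. Sample output is constructed.
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Sequence, Tuple


class MacEntry(NamedTuple):
    vlan: str
    mac: str
    kind: str  # DYNAMIC or STATIC
    port: str


# One table row: VLAN, dotted-hex MAC, type, port. Header/footer lines never match.
ROW = re.compile(r"^\s*(\S+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$", re.I)


def parse_mac_table(text: str) -> List[MacEntry]:
    return [MacEntry(*m.groups()) for m in map(ROW.match, text.splitlines()) if m]


def flooding_suspects(entries: List[MacEntry], max_per_port: int = 2,
                      uplinks: Sequence[str] = ()) -> Dict[str, int]:
    """Ports (uplinks excluded) holding more dynamic MACs than an edge port should."""
    counts = Counter(e.port for e in entries
                     if e.kind.upper() == "DYNAMIC" and e.port not in uplinks)
    return {port: n for port, n in counts.items() if n > max_per_port}


def mac_moves(before: List[MacEntry], after: List[MacEntry]) -> List[Tuple[str, str, str, str]]:
    """(vlan, mac, old_port, new_port) for MACs whose port changed between snapshots."""
    old = {(e.vlan, e.mac): e.port for e in before}
    return [(e.vlan, e.mac, old[(e.vlan, e.mac)], e.port)
            for e in after
            if (e.vlan, e.mac) in old and old[(e.vlan, e.mac)] != e.port]


# Constructed 'show mac address-table' output (not captured from a real switch).
SNAPSHOT_1 = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
  10    0050.5682.1234    DYNAMIC     Fa0/5
  10    0050.5682.1235    DYNAMIC     Fa0/6
  10    001a.2b3c.0001    DYNAMIC     Fa0/8
  10    001a.2b3c.0002    DYNAMIC     Fa0/8
  10    001a.2b3c.0003    DYNAMIC     Fa0/8
  10    001a.2b3c.0004    DYNAMIC     Fa0/8
  10    001a.2b3c.0005    DYNAMIC     Fa0/8
  20    0050.5682.2001    DYNAMIC     Gi0/1
  20    0050.5682.2002    DYNAMIC     Gi0/1
Total Mac Addresses for this criterion: 10
"""
# Second snapshot: the Fa0/5 host's MAC now appears on Fa0/7 (spoofing or a moved cable).
SNAPSHOT_2 = SNAPSHOT_1.replace("0050.5682.1234    DYNAMIC     Fa0/5",
                                "0050.5682.1234    DYNAMIC     Fa0/7")

if __name__ == "__main__":
    first, second = parse_mac_table(SNAPSHOT_1), parse_mac_table(SNAPSHOT_2)
    print("possible flooding:", flooding_suspects(first, max_per_port=2, uplinks=("Gi0/1",)))
    print("MAC moves:", mac_moves(first, second))
```

Fa0/8 holding five dynamic addresses is what a macof-style flood looks like in its first seconds; with port security at maximum 1 or 2 on that port the switch would already have err-disabled it, and the snapshot diff is how you notice a host's MAC reappearing on a different port when no cabling change was scheduled.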
Voice VLAN Configuration
Configure Voice VLAN on Access Port
Configure a port to carry both data traffic (untagged, in the access VLAN) and voice traffic (tagged, in the voice VLAN). mls qos trust cos only takes effect once QoS has been enabled globally with mls qos (see the QoS section below):
(config)# interface <interface>
(config-if)# switchport mode access
(config-if)# switchport access vlan <data_vlan>
(config-if)# switchport voice vlan <voice_vlan>
(config-if)# spanning-tree portfast
(config-if)# mls qos trust cos
Example:
(config)# interface fastEthernet 0/5
(config-if)# switchport mode access
(config-if)# switchport access vlan 10
(config-if)# switchport voice vlan 20
(config-if)# spanning-tree portfast
(config-if)# mls qos trust cos
Voice VLAN on Interface Range
(config)# interface range fastEthernet 0/1 - 24
(config-if-range)# switchport mode access
(config-if-range)# switchport access vlan 10
(config-if-range)# switchport voice vlan 20
(config-if-range)# spanning-tree portfast
(config-if-range)# mls qos trust cos
QoS (Quality of Service) for VoIP
Enable QoS Globally
(config)# mls qos
Trust CoS Values
Trust Class of Service markings from IP phones:
(config-if)# mls qos trust cos
Trust DSCP Values
Trust Differentiated Services Code Point markings:
(config-if)# mls qos trust dscp
Configure Priority Queue
Enable the egress priority queue for time-sensitive traffic:
(config-if)# priority-queue out
Auto QoS Configuration
Cisco's simplified QoS configuration for VoIP.
For interfaces connected to Cisco IP phones:
(config-if)# auto qos voip cisco-phone
For trunk ports or interfaces whose markings are already trusted:
(config-if)# auto qos voip trust
Example:
(config)# interface fastEthernet 0/5
(config-if)# auto qos voip cisco-phone
(config)# interface gigabitEthernet 0/1
(config-if)# auto qos voip trust
Unconditionally trusting CoS or DSCP on a user-facing port lets any host mark its own traffic into the priority queue and starve real voice traffic. auto qos voip cisco-phone is the safer choice on edge ports because it trusts the markings only while a Cisco phone is detected through CDP; reserve the trust forms for uplinks and trunks to other switches.
QoS Verification Commands
# show mls qos
# show mls qos interface <interface>
# show mls qos interface <interface> statistics
# show auto qos
Power over Ethernet (PoE)
Configure PoE Priority
Set the power priority for critical devices so they keep power when the budget is oversubscribed:
(config-if)# power inline priority <high|low>
Example:
(config)# interface fastEthernet 0/5
(config-if)# power inline priority high
Set Maximum PoE Power
Limit the power allocation per port:
(config-if)# power inline max <milliwatts>
Example:
(config-if)# power inline max 15400
Disable PoE on Interface
Prevent PoE delivery on a port:
(config-if)# power inline never
Enable PoE on Interface
(config-if)# power inline auto
PoE Verification Commands
Display PoE status for all interfaces:
# show power inline
Display PoE status for a specific interface:
# show power inline <interface>
Display the PoE power budget and consumption:
# show power inline consumption
Example output interpretation:
- Available: Total power budget
- Used: Currently allocated power
- Remaining: Available for additional devices
Private VLAN Configuration
Private VLANs isolate ports at Layer 2 while they share a single IP subnet: the primary VLAN carries traffic from the promiscuous port (typically the gateway), and secondary VLANs carry host traffic, either isolated (hosts reach only the promiscuous port) or community (hosts in the same community also reach each other).
Configure Primary VLAN
(config)# vlan <primary_vlan_number>
(config-vlan)# private-vlan primary
Configure Secondary VLANs
(config)# vlan <secondary_vlan_number>
(config-vlan)# private-vlan <isolated|community>
Associate Secondary with Primary
(config)# vlan <primary_vlan_number>
(config-vlan)# private-vlan association <secondary_vlan_list>
Example:
(config)# vlan 100
(config-vlan)# private-vlan primary
(config)# vlan 101
(config-vlan)# private-vlan isolated
(config)# vlan 100
(config-vlan)# private-vlan association 101
The VLAN definitions above do not isolate anything on their own: the switch must be in VTP transparent mode (or running VTP version 3) to accept private-VLAN definitions, and each port still has to be configured as a host port in a secondary VLAN or as the promiscuous port in the primary VLAN before isolation takes effect. Verify the result with show vlan private-vlan.