CCNA 2 - L2 Switch Configuration

By Sheldon L

Published at 2020-05-13

Updated at 2020-05-13

---

L2 Switches

• Here’s a list of four important advantages we gain when using layer 2 switching:
  • Hardware-based bridging (ASICs)
  • Wire speed
  • Low latency
  • Low cost
• Three Functions at Layer 2 Switch:
  • Address learning
  • Forward/filter decisions, show mac address-table
  • Loop avoidance (STP)

Port Security

• You can configure the device to take one of the following actions
  • Protect: The protect violation mode drops packets with unknown source addresses until you remove enough secure MAC addresses to drop below the maximum value.
  • Restrict: The restrict violation mode also drops packets with unknown source addresses until you remove enough secure MAC addresses to drop below the maximum value. It also generates a log message, causes the security violation counter to increment, and sends an SNMP trap.
  • Shutdown: Shutdown is the default violation mode. The shutdown violation mode puts the interface into an error-disabled state immediately. Also, in this mode, the system generates a log message, sends an SNMP trap, and increments the violation counter.
• The port security default that’s immediately set on a port when it’s enabled is maximum 1 and violation shutdown. When tries to add another host on that segment, the switch port will immediately enter error-disabled state, and the port will turn amber

Switch# config t
Switch(config)# int f0/1
Switch(config-if)# switchport mode access
! These ports must be access (only 1 VLAN) or trunk to enable port security.

Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security ?
  aging Port-security aging commands
  mac-address Secure mac address
  maximum Max secure addresses
  violation Security violation mode
  <cr>

! allow only one host per port and make sure
! the port will shut down if this rule is violated
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security violation shutdown

! with the sticky command you can provide static MAC address security
! without having to type in absolutely everyone’s MAC address on the network.
Switch(config-if)#switchport port-security mac-address sticky
Switch(config-if)#switchport port-security maximum 2
Switch(config-if)#switchport port-security violation shutdown

! to ensure that only the MAC address of the lobby PC is allowed
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security violation restrict
Switch(config-if)#switchport port-security mac-address aa.bb.cc.dd.ee.ff

Configure

• Layer 2 switches and bridges are faster than routers because they don’t take up time looking at the Network Layer header information.

• Here’s a list of the basic tasks we’ll be covering next:

  • Administrative functions
  • Configuring the IP address and subnet mask (for Telnet, SSH, SNMP, etc., though no vlan is needed for L2)
  • Setting the IP default gateway
  • Setting port security
  • Testing and verifying the network

              (X) R
        ----- F0/0 192.168.10.30
        |
        |     [=] S1
        |     vlan1 192.168.10.17/28
        ----- F0/8
------------- F0/15
| ----------- F0/16
| |           F0/17 ----------------------------------------
| |           F0/18 -------------------------------------- |
| |                                                      | |
| |    [=] S2                   [=] S3                   | |
| |    vlan1 192.168.10.18/28   vlan1 192.168.10.18/28   | |
| |    F0/6 ------------------- F0/6                     | |
| |    F0/5 ------------------- F0/5                     | |
| |    F0/4 -- [_] PC           F0/4 -- [_] PC           | |
| |    F0/3 -- [_] PC           F0/3 -- [_] PC           | |
| ---- F0/2                     F0/2 --------------------- |
------ F0/1                     F0/1 -----------------------

!
Switch>en
Switch#config t
Switch(config)#hostname S1
S1(config)#enable secret todd

S1(config)#int f0/15
S1(config-if)#description 1st connection to S3
S1(config-if)#int f0/16
S1(config-if)#description 2nd connection to S3
S1(config-if)#int f0/17
S1(config-if)#description 1st connection to S2
S1(config-if)#int f0/18
S1(config-if)#description 2nd connection to S2
S1(config-if)#int f0/8
S1(config-if)#desc Connection to IVR
S1(config-if)#line con 0

S1(config-line)#password console
S1(config-line)#login
S1(config-line)#line vty 0 15
S1(config-line)#password telnet
S1(config-line)#login

S1(config-line)#int vlan 1
S1(config-if)#ip address 192.168.10.17 255.255.255.240
S1(config-if)#no shut
S1(config-if)#exit
! There’s no IP address configured on the switch’s physical interfaces
! The IP address is configured under a logical interface,
! called a management domain or VLAN

S1(config)#banner motd #this is my S1 switch#
S1(config)#exit

S1#config t
S1(config)#ip default-gateway 192.168.10.30

S1#copy run start

!
Switch#config t
Switch(config)#hostname S2
S2(config)#enable secret todd

S2(config)#int f0/1
S2(config-if)#desc 1st connection to S1
S2(config-if)#int f0/2
S2(config-if)#desc 2nd connection to s1
S2(config-if)#int f0/5
S2(config-if)#desc 1st connection to S3
S2(config-if)#int f0/6
S2(config-if)#desc 2nd connection to s3

S2(config-if)#line con 0
S2(config-line)#password console
S2(config-line)#login

S2(config-line)#line vty 0 15
S2(config-line)#password telnet
S2(config-line)#login

S2(config-line)#int vlan 1
S2(config-if)#ip address 192.168.10.18 255.255.255.240
S2(config-if)#no shut
S2(config-if)#exit

S2(config)#banner motd #This is the S2 switch#
S2(config)#exit

S2#ping 192.168.10.17

S2#config t
S2(config)#ip default-gateway 192.168.10.30

S2#copy run start

!
Switch>en
Switch#config t
SW-3(config)#hostname S3
S3(config)#enable secret todd

S3(config)#int f0/1
S3(config-if)#desc 1st connection to S1
S3(config-if)#int f0/2
S3(config-if)#desc 2nd connection to S1
S3(config-if)#int f0/5
S3(config-if)#desc 1st connection to S2
S3(config-if)#int f0/6
S3(config-if)#desc 2nd connection to S2

S3(config-if)#line con 0
S3(config-line)#password console
S3(config-line)#login
S3(config-line)#line vty 0 15
S3(config-line)#password telnet
S3(config-line)#login

S3(config-line)#int vlan 1
S3(config-if)#ip address 192.168.10.19 255.255.255.240
S3(config-if)#no shut
S3(config-if)#exit

S3(config)#banner motd #This is the S3 switch#
S3(config)#exit

S3#ping 192.168.10.17
S3#ping 192.168.10.18
S3#sh ip arp

S3#config t
S3(config)#ip default-gateway 192.168.10.30

S3#copy run start

! Ports Fa0/3 and Fa0/4 will have only one device connected
S3#config t
S3(config)#int range f0/3-4
S3(config-if-range)#switchport mode access
! Eable derictly using shutdown and max 1 as default
S3(config-if-range)#switchport port-security
S3(config-if-range)#do show port-security int f0/3
  Port Security : Enabled
  Port Status : Secure-down
  Violation Mode : Shutdown
  Maximum MAC Addresses : 1
  [output cut]

S3#config t
S3(config)#int range f0/6
S3(config-if-range)#switchport mode access
S3(config-if-range)#switchport port-security violation restrict
! Remember to enable
S3(config-if-range)#do show port-security int f0/6
  Port Security : Disabled
  [output cut]
S3(config-if-range)#switchport port-security
S3(config-if-range)#do show port-security int f0/6
  Port Security : Enabled
  [output cut]

! The ports will look like this when a violation occurs,
! you can see the abuser's MAC
S3# sh port-security int f0/3
  Port Security : Enabled
  Port Status : Secure-shutdown
  Last Source Address:Vlan : 0013:0ca69:00bb3:00ba8:1
  [output cut]

! To enable the port again:
S3(config-if)# shutdown
S3(config-if)# no shutdown

! Modify speed and duplex as need
int range f0/1 - 10
speed 100
duplex full

Verify

S3#sh int vlan 1
S3#sh mac address-table

! Assigning Static MAC Addresses
S3(config)#mac address-table ?
S3(config)#mac address-table static aaaa.bbbb.cccc vlan 1 int fa0/7
S3(config)#do show mac address-table