Information About Configuring Interface Characteristics
Interface Types
This section describes the different types of interfaces supported by the device. The rest of the chapter describes configuration procedures for physical interface characteristics.
Port-Based VLANs
A VLAN is a switched network that is logically segmented by function, team, or application, without regard to the physical location of the users. Packets received on a port are forwarded only to ports that belong to the same VLAN as the receiving port. Network devices in different VLANs cannot communicate with one another without a Layer 3 device to route traffic between the VLANs.
VLAN partitions provide hard firewalls for traffic in the VLAN, and each VLAN has its own MAC address table. A VLAN comes into existence when a local port is configured to be associated with the VLAN, when the VLAN Trunking Protocol (VTP) learns of its existence from a neighbor on a trunk, or when a user creates a VLAN.
To configure VLANs, use the vlan vlan-id global configuration command to enter VLAN configuration mode. The VLAN configurations for normal-range VLANs (VLAN IDs 1 to 1005) are saved in the VLAN database. If VTP is version 1 or 2, to configure extended-range VLANs (VLAN IDs 1006 to 4094), you must first set VTP mode to transparent. Extended-range VLANs created in transparent mode are not added to the VLAN database but are saved in the device running configuration. With VTP version 3, you can create extended-range VLANs in client or server mode. These VLANs are saved in the VLAN database.
Add ports to a VLAN by using the switchport interface configuration commands:
-
Identify the interface.
-
For a trunk port, set trunk characteristics, and, if desired, define the VLANs to which it can belong.
-
For an access port, set and define the VLAN to which it belongs.
Switch Ports
Switch ports are Layer 2-only interfaces associated with a physical port. Switch ports belong to one or more VLANs. A switch port can be an access port or a trunk port. You can configure a port as an access port or trunk port or let the Dynamic Trunking Protocol (DTP) operate on a per-port basis to set the switchport mode by negotiating with the port on the other end of the link. switch ports are used for managing the physical interface and associated Layer 2 protocols and do not handle routing or bridging.
Configure switch ports by using the switchport interface configuration commands.
Access Ports
An access port belongs to and carries the traffic of only one VLAN (unless it is configured as a voice VLAN port). Traffic is received and sent in native formats with no VLAN tagging. Traffic arriving on an access port is assumed to belong to the VLAN assigned to the port. If an access port receives a tagged packet (Inter-Switch Link [ISL] or IEEE 802.1Q tagged), the packet is dropped, and the source address is not learned.
The types of access ports supported are:
-
Static access ports are manually assigned to a VLAN (or through a RADIUS server for use with IEEE 802.1x.
-
VLAN membership of dynamic access ports is learned through incoming packets. By default, a dynamic access port is not a member of any VLAN, and forwarding to and from the port is enabled only when the VLAN membership of the port is discovered. Dynamic access ports on the device are assigned to a VLAN by a VLAN Membership Policy Server (VMPS). The VMPS can be a Catalyst 6500 series switch; the device cannot be a VMPS server.
You can also configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone.
Trunk Ports
A trunk port carries the traffic of multiple VLANs and by default is a member of all VLANs in the VLAN database.
The device supports only IEEE 802.1Q trunk ports. An IEEE 802.1Q trunk port supports simultaneous tagged and untagged traffic. An IEEE 802.1Q trunk port is assigned a default port VLAN ID (PVID), and all untagged traffic travels on the port default PVID. All untagged traffic and tagged traffic with a NULL VLAN ID are assumed to belong to the port default PVID. A packet with a VLAN ID equal to the outgoing port default PVID is sent untagged. All other traffic is sent with a VLAN tag.
Although by default, a trunk port is a member of every VLAN known to the VTP, you can limit VLAN membership by configuring an allowed list of VLANs for each trunk port. The list of allowed VLANs does not affect any other port but the associated trunk port. By default, all possible VLANs (VLAN ID 1 to 4094) are in the allowed list. A trunk port can become a member of a VLAN only if VTP knows of the VLAN and if the VLAN is in the enabled state. If VTP learns of a new, enabled VLAN and the VLAN is in the allowed list for a trunk port, the trunk port automatically becomes a member of that VLAN and traffic is forwarded to and from the trunk port for that VLAN. If VTP learns of a new, enabled VLAN that is not in the allowed list for a trunk port, the port does not become a member of the VLAN, and no traffic for the VLAN is forwarded to or from the port.
Switch Virtual Interfaces
A switch virtual interface (SVI) represents a VLAN of switch ports as one interface to the routing or bridging function in the system. You can associate only one SVI with a VLAN. You configure an SVI for a VLAN only to route between VLANs or to provide IP host connectivity to the device. By default, an SVI is created for the default VLAN (VLAN 1) to permit remote device administration. Additional SVIs must be explicitly configured.
Note |
You cannot delete interface VLAN 1. |
SVIs provide IP host connectivity only to the system. SVIs are created the first time that you enter the vlan interface configuration command for a VLAN interface. The VLAN corresponds to the VLAN tag associated with data frames on an ISL or IEEE 802.1Q encapsulated trunk or the VLAN ID configured for an access port. Configure a VLAN interface for each VLAN for which you want to route traffic, and assign it an IP address.
You can also use the interface range command to configure existing VLAN SVIs within the range. The commands entered under the interface range command are applied to all existing VLAN SVIs within the range. You can enter the command interface range create vlan x - y to create all VLANs in the specified range that do not already exist. When the VLAN interface is created, interface range vlan id can be used to configure the VLAN interface.
When you create an SVI, it does not become active until it is associated with a physical port.
SVI Autostate Exclude
The line state of an SVI with multiple ports on a VLAN is in the up state when it meets these conditions:
-
The VLAN exists and is active in the VLAN database on the device
-
The VLAN interface exists and is not administratively down.
-
At least one Layer 2 (access or trunk) port exists, has a link in the up state on this VLAN, and is in the spanning-tree forwarding state on the VLAN.
Note |
The protocol link state for VLAN interfaces come up when the first switchport belonging to the corresponding VLAN link comes up and is in STP forwarding state. |
The default action, when a VLAN has multiple ports, is that the SVI goes down when all ports in the VLAN go down. You can use the SVI autostate exclude feature to configure a port so that it is not included in the SVI line-state up-or-down calculation. For example, if the only active port on the VLAN is a monitoring port, you might configure autostate exclude on that port so that the VLAN goes down when all other ports go down. When enabled on a port, autostate exclude applies to all VLANs that are enabled on that port.
The VLAN interface is brought up when one Layer 2 port in the VLAN has had time to converge (transition from STP listening-learning state to forwarding state). This prevents features such as routing protocols from using the VLAN interface as if it were fully operational and minimizes other problems.
EtherChannel Port Groups
EtherChannel port groups treat multiple switch ports as one switch port. These port groups act as a single logical port for high-bandwidth connections between devices or between devices and servers. An EtherChannel balances the traffic load across the links in the channel. If a link within the EtherChannel fails, traffic previously carried over the failed link changes to the remaining links. You can group multiple trunk ports into one logical trunk port or multiple access ports into one logical access port. Most protocols operate over either single ports or aggregated switch ports and do not recognize the physical ports within the port group. Exceptions are the DTP, the Cisco Discovery Protocol (CDP), and the Port Aggregation Protocol (PAgP), which operate only on physical ports.
When you configure an EtherChannel, you create a port-channel logical interface and assign an interface to the EtherChannel. For Layer 2 interfaces, use the channel-group interface configuration command to dynamically create the port-channel logical interface. This command binds the physical and logical ports together.
Note |
Cisco Catalyst 2960-CX and 3560-CX support a maximum of six EtherChannel port groups. |
Power over Ethernet Ports
A PoE-capable switch port automatically supplies power to one of these connected devices if the device senses that there is no power on the circuit:
-
a Cisco pre-standard powered device (such as a Cisco IP Phone or a Cisco Aironet Access Point)
-
an IEEE 802.3af-compliant powered device
A powered device can receive redundant power when it is connected to a PoE switch port and to an AC power source. The device does not receive redundant power when it is only connected to the PoE port.
Using the Switch USB Ports
USB Mini-Type B Console Port
The device has the following console ports:
-
USB mini-Type B console connection
-
RJ-45 console port
Console output appears on devices connected to both ports, but console input is active on only one port at a time. By default, the USB connector takes precedence over the RJ-45 connector.
Note |
Windows PCs require a driver for the USB port. See the hardware installation guide for driver installation instructions. |
Use the supplied USB Type A-to-USB mini-Type B cable to connect a PC or other device to the device. The connected device must include a terminal emulation application. When the device detects a valid USB connection to a powered-on device that supports host functionality (such as a PC), input from the RJ-45 console is immediately disabled, and input from the USB console is enabled. Removing the USB connection immediately reenables input from the RJ-45 console connection. An LED on the device shows which console connection is in use.
Console Port Change Logs
At software startup, a log shows whether the USB or the RJ-45 console is active. Every device always first displays the RJ-45 media type.
When the USB cable is removed or the PC de-activates the USB connection, the hardware automatically changes to the RJ-45 console interface:
You can configure the console type to always be RJ-45, and you can configure an inactivity timeout for the USB connector.
USB Type A Ports
The USB Type A ports provide access to external USB flash devices, also known as thumb drives or USB keys. The switch supports Cisco 64 MB, 256 MB, 512 MB, 1 GB, 4 GB, and 8 GB flash drives. You can use standard Cisco IOS command- line interface (CLI) commands to read, write, erase, and copy to or from the flash device. You can also configure the switch to boot from the USB flash drive.
Interface Connections
Devices within a single VLAN can communicate directly through any switch. Ports in different VLANs cannot exchange data without going through a routing device.
In the following configuration example, when Host A in VLAN 20 sends data to Host B in VLAN 30, the data must go from Host A to the device, to the router, back to the device, and then to Host B.
With a standard Layer 2 switch, ports in different VLANs have to exchange information through a router.
Note |
The Catalyst 3560-CX and 2960-CX switches do not support stacking. Ignore all references to stacking throughout this book. |
Interface Configuration Mode
The device supports these interface types:
-
Physical ports—device ports and routed ports
-
VLANs—switch virtual interfaces
-
Port channels—EtherChannel interfaces
You can also configure a range of interfaces.
To configure a physical interface (port), specify the interface type, module number, and device port number, and enter interface configuration mode.
-
Type—Gigabit Ethernet (gigabitethernet or gi) for 10/100/1000 Mb/s Ethernet ports, or small form-factor pluggable (SFP) module Gigabit Ethernet interfaces (gigabitethernet or gi).
-
Module number—The module or slot number on the switch (always 0).
-
Port number—The interface number on the switch. The 10/100/1000 port numbers always begin at 1, starting with the far left port when facing the front of the switch, for example, gigabitethernet1/0/1 or gigabitethernet1/0/8. For a switch with 10/100/1000 ports and SFP module ports, SFP module ports are numbered consecutively following the 10/100/1000 ports.
You can identify physical interfaces by physically checking the interface location on the switch. You can also use the show privileged EXEC commands to display information about a specific interface or all the interfaces on the switch. The remainder of this chapter primarily provides physical interface configuration procedures.
Default Ethernet Interface Configuration
This table shows the Ethernet interface default configuration, including some features that apply only to Layer 2 interfaces.
Feature |
Default Setting |
||
---|---|---|---|
Operating mode |
Layer 2 or switching mode (switchport command). |
||
Allowed VLAN range |
VLANs 1– 4094. |
||
Default VLAN (for access ports) |
VLAN 1. |
||
Native VLAN (for IEEE 802.1Q trunks) |
VLAN 1. |
||
802.1p priority-tagged traffic |
Drop all packets tagged with VLAN 0. |
||
VLAN trunking |
Switchport mode dynamic auto (supports DTP). |
||
Port enable state |
All ports are enabled. |
||
Port description |
None defined. |
||
Speed |
Autonegotiate. (Not supported on the 10-Gigabit interfaces.) |
||
Duplex mode |
Autonegotiate. (Not supported on the 10-Gigabit interfaces.) |
||
Flow control |
Flow control is set to receive: off . It is always off for sent packets. |
||
EtherChannel (PAgP) |
Disabled on all Ethernet ports. |
||
Port blocking (unknown multicast and unknown unicast traffic) |
Disabled (not blocked). |
||
Broadcast, multicast, and unicast storm control |
Disabled. |
||
Protected port |
Disabled. |
||
Port security |
Disabled. |
||
Port Fast |
Disabled. |
||
Auto-MDIX |
Enabled.
|
||
Power over Ethernet (PoE) |
Enabled (auto). |
||
Keepalive messages |
Disabled on SFP module ports; enabled on all other ports. |
Interface Speed and Duplex Mode
Ethernet interfaces on the switch operate at 10, 100, or 1000 Mb/s and in either full- or half-duplex mode. In full-duplex mode, two stations can send and receive traffic at the same time. Normally, 10-Mb/s ports operate in half-duplex mode, which means that stations can either receive or send traffic.
Switch modules include Gigabit Ethernet (10/100/1000-Mb/s) ports and small form-factor pluggable (SFP) module slots supporting SFP modules.
Speed and Duplex Configuration Guidelines
When configuring an interface speed and duplex mode, note these guidelines:
-
Do not disable Auto-Negotiation on PoE switches.
-
Gigabit Ethernet (10/100/1000-Mb/s) ports support all speed options and all duplex options (auto, half, and full). However, Gigabit Ethernet ports operating at 1000 Mb/s do not support half-duplex mode.
- For SFP module ports, the
speed and duplex CLI options change depending on the SFP module type:
-
The 1000BASE-x (where -x is -BX, -CWDM, -LX, -SX, and -ZX) SFP module ports support the nonegotiate keyword in the speed interface configuration command. Duplex options are not supported.
-
The 1000BASE-T SFP module ports support the same speed and duplex options as the 10/100/1000-Mb/s ports.
-
-
-
If both ends of the line support autonegotiation, we highly recommend the default setting of auto negotiation.
-
If one interface supports autonegotiation and the other end does not, configure duplex and speed on both interfaces; do not use the auto setting on the supported side.
-
When STP is enabled and a port is reconfigured, the device can take up to 30 seconds to check for loops. The port LED is amber while STP reconfigures.
-
As best practice, we suggest configuring the speed and duplex options on a link to auto or to fixed on both the ends. If one side of the link is configured to auto and the other side is configured to fixed, the link will not be up and this is expected.
Caution |
Changing the interface speed and duplex mode configuration might shut down and re-enable the interface during the reconfiguration. |
IEEE 802.3x Flow Control
Flow control enables connected Ethernet ports to control traffic rates during congestion by allowing congested nodes to pause link operation at the other end. If one port experiences congestion and cannot receive any more traffic, it notifies the other port by sending a pause frame to stop sending until the condition clears. Upon receipt of a pause frame, the sending device stops sending any data packets, which prevents any loss of data packets during the congestion period.
Note |
The switch ports can receive, but not send, pause frames. |
You use the flowcontrol interface configuration command to set the interface’s ability to receive pause frames to on , off , or desired . The default state is off .
When set to desired , an interface can operate with an attached device that is required to send flow-control packets or with an attached device that is not required to but can send flow-control packets.
These rules apply to flow control settings on the device:
-
receive on (or desired ): The port cannot send pause frames but can operate with an attached device that is required to or can send pause frames; the port can receive pause frames.
-
receive off : Flow control does not operate in either direction. In case of congestion, no indication is given to the link partner, and no pause frames are sent or received by either device.
Note |
For details on the command settings and the resulting flow control resolution on local and remote ports, see the flowcontrol interface configuration command in the command reference for this release. |