This is the second entry in the series. After configuring the basic settings on a Cisco switch in the previous post, it is now time to configure VLANs. When it comes to configuring VLANs on a Cisco switch, you don’t technically need to enable port security, but it is a recommended step nonetheless.
Disclaimer: this series is not meant to be a replacement for your own testing or for the recommended documentation and training material. It just aims at offering a quick reference for some of the most important tasks you might have to engage with when preparing for the exam. For a comprehensive list of commands and related explanations, please use the official Cisco documentation.
Enabling port security
Port security can only be enabled on access interfaces. It doesn’t make sense to enable port security on trunks because you don’t really want to limit the number of allowed MAC addresses on a trunk which, by definition, allows frames to travel through VLANs. In addition to this, trunks between switches are considered trusted connections.
By default, on Cisco switches all interfaces are set to dynamic desirable (which means that they can be either an access port or a trunk port, but they would prefer to be trunks), a mode that does not allow you to configure port security, therefore you must manually set the port as an access port before being able to configure port security on it.
configure terminal
interface fastEthernet 0/1
switchport mode access
switchport port-security
switchport port-security is the command that effectively enables port security, so it should be left for last and all the configuration commands should be run before it.
switchport port-security maximum $number: only a maximum of $number devices are allowed at a time. No specific devices are pinned, so you can swap devices and the switch will not block any of them.
switchport port-security violation < protect | restrict | shutdown >
switchport port-security mac-address $mac_address [ sticky ]
If you combine the maximum option with the sticky option, the switch will automatically learn the first n devices that connect to the port.
Finally, if a port goes into the err-disabled state because of a port security violation, the way to bring it back up consists of running a shutdown followed by a no shutdown in interface configuration mode. Shutting down a port clears the port security violation that occurred.
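The commands above, put together in the order the text recommends, as an added example that is not part of the original post. The interface name, the VLAN number, the limit of two sticky MAC addresses and the restrict violation mode are assumed values chosen for illustration; the errdisable recovery lines are an optional addition so that a port tripped by a violation comes back on its own instead of needing a manual shutdown / no shutdown.

```cisco
! Added example (not from the original post). Interface, VLAN and limits are assumed values.
configure terminal
interface FastEthernet0/1
 ! port security is only accepted on a static access port
 switchport mode access
 switchport access vlan 10
 ! at most two MAC addresses at a time
 switchport port-security maximum 2
 ! restrict: drop offending frames, count the violation and send a trap, keep the port up
 switchport port-security violation restrict
 ! learn the first two MAC addresses seen and store them in the running config
 switchport port-security mac-address sticky
 ! enable port security last, after all its options are set
 switchport port-security
 exit
! optional: automatically re-enable ports err-disabled by a security violation after 300 s
errdisable recovery cause psecure-violation
errdisable recovery interval 300
end
! verification
show port-security interface FastEthernet0/1
show port-security address
```

After a host has connected, show port-security address lists the learned sticky MAC addresses, and show port-security interface reports the violation count and whether the port is secure-up or err-disabled; copy running-config startup-config keeps the learned addresses across a reload.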
To configure VLANs, you need to configure both access ports and trunking ports.
Configuring access ports
configure terminal
interface $interface
switchport mode access
switchport access vlan $vlan_number
Configuring trunk ports
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk encapsulation dot1q might not even be accepted on some switches because the protocol defaults to 802.1Q already.
Configure the VLANs that are allowed over a trunk
switchport trunk allowed vlan $options
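A complete VLAN configuration following the access, trunk and allowed-list steps above, as an added example that is not part of the original post. VLAN numbers, names and interface names are assumed values. It goes one step beyond the text by adding switchport nonegotiate, which turns off the DTP negotiation that the dynamic desirable default relies on, so a port stays in the mode you configured.

```cisco
! Added example (not from the original post). VLAN numbers, names and interfaces are assumed values.
configure terminal
! create the VLANs in the VLAN database first
vlan 10
 name USERS
vlan 20
 name SERVERS
exit
! static access port in VLAN 10
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 ! do not negotiate trunking with DTP on an access port
 switchport nonegotiate
 exit
! 802.1Q trunk carrying only VLANs 10 and 20
interface GigabitEthernet0/1
 ! rejected on switches that only support 802.1Q; omit the line there
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
 exit
end
! verification
show vlan brief
show interfaces trunk
```

show vlan brief confirms the VLANs exist and which access ports belong to them, and show interfaces trunk confirms the trunk is up, its encapsulation, and the allowed and active VLAN lists.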
Deleting a VLAN
To delete a VLAN (in switch configuration mode):
no vlan $vlan_number
or
no interface vlan $vlan_number