Switches

Multilayer switches can perform Layer 3 routing. To enable routing on a port, you must disable the switchport functionality.

Disable switchport mode to enable Layer 3 routing:

> enable
# config terminal
(config)# interface <interface>
(config-if)# no switchport
(config-if)# ip address <IP> <subnet>
(config-if)# no shutdown

Example:

(config)# interface gigabitEthernet 1/0/1
(config-if)# no switchport
(config-if)# ip address 10.0.0.1 255.255.255.0
(config-if)# no shutdown

Check if an interface is operating as a switchport or routed port:

# show interfaces <interface> switchport

If the output shows “Switchport: Disabled”, the port is operating at Layer 3.

Enter privileged EXEC mode, then global configuration mode:

> enable
# config terminal

Set the hostname (recommended to do this first):

(config)# hostname <hostname>

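Set the privileged EXEC password and enable encryption of the plaintext passwords stored in the configuration (enable secret stores a hash; service password-encryption applies only weak, reversible Type 7 encoding):

(config)# enable secret <password>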
(config)# service password-encryption

Configure the default gateway for the switch:

(config)# ip default-gateway <gateway_ip>

Example:

(config)# hostname SW1
(config)# enable secret Cisco123
(config)# service password-encryption
(config)# ip default-gateway 192.168.1.1

Configure VLAN 1 for management access:

(config)# interface vlan 1
(config-if)# ip address <ip> <subnet>
(config-if)# no shutdown
(config-if)# exit

Example:

(config)# interface vlan 1
(config-if)# ip address 192.168.1.10 255.255.255.0
(config-if)# no shutdown

Configure a password for Telnet/SSH access:

(config)# line vty 0 15
(config-line)# password <password>
(config-line)# login
(config-line)# exit

Save the running configuration:

(config)# exit
# copy running-config startup-config

Select a range of interfaces and configure them as an EtherChannel:

# config terminal
(config)# interface range gigabitEthernet 0/1 - 2
(config-if-range)# switchport trunk encapsulation dot1q
(config-if-range)# switchport mode trunk
(config-if-range)# channel-group 1 mode active

Channel-group modes:

  • active: LACP - actively negotiates
  • passive: LACP - waits for negotiation
  • desirable: PAgP - actively negotiates
  • auto: PAgP - waits for negotiation
  • on: Static - no negotiation protocol

Example:

(config)# interface range gigabitEthernet 0/1 - 2
(config-if-range)# switchport mode trunk
(config-if-range)# channel-group 1 mode active

For non-trunked EtherChannels, configure ports in access mode:

(config)# interface range fastEthernet 0/1 - 2
(config-if-range)# switchport mode access
(config-if-range)# switchport access vlan 10
(config-if-range)# channel-group 2 mode active

Display EtherChannel summary:

# show etherchannel summary

Display detailed port-channel information:

# show etherchannel <group_number> port-channel
# show interfaces port-channel <number>
# show interfaces etherchannel

Verify EtherChannel is operating as a single interface in STP:

# show spanning-tree

PortFast allows edge ports (connected to end devices) to skip STP listening/learning states and immediately transition to forwarding.

(config)# interface <interface>
(config-if)# spanning-tree portfast

Example:

(config)# interface fastEthernet 0/5
(config-if)# spanning-tree portfast

Enable PortFast by default on all access ports:

(config)# spanning-tree portfast default

Warning: Only enable PortFast on ports connected to end devices (PCs, servers, printers). Never enable PortFast on ports connected to other switches, as it bypasses loop prevention.

Port security restricts which devices can connect to a switchport based on MAC address.

> enable
# config terminal
(config)# interface <interface>

Put the port in access mode (required for port security):

(config-if)# switchport mode access

Enable port security:

(config-if)# switchport port-security

Learn and save MAC addresses dynamically:

(config-if)# switchport port-security mac-address sticky

Limit the number of allowed MAC addresses:

(config-if)# switchport port-security maximum <1-8192>

Configure the violation action:

(config-if)# switchport port-security violation <shutdown|restrict|protect>

Violation modes:

  • shutdown: Disables the port (default, most secure)
  • restrict: Drops packets and logs violations
  • protect: Drops packets silently (no log)

Complete Example:

(config)# interface fastEthernet 0/5
(config-if)# switchport mode access
(config-if)# switchport port-security
(config-if)# switchport port-security mac-address sticky
(config-if)# switchport port-security maximum 1
(config-if)# switchport port-security violation shutdown

Instead of sticky learning, manually specify allowed MAC addresses:

(config-if)# switchport port-security mac-address <mac_address>

Example:

(config-if)# switchport port-security mac-address 0050.5682.1234

Verify port security:

# show port-security
# show port-security interface <interface>
# show port-security address

If a port is shut down due to a violation (err-disabled state):

(config)# interface <interface>
(config-if)# shutdown
(config-if)# no shutdown

Or enable automatic recovery:

(config)# errdisable recovery cause psecure-violation
(config)# errdisable recovery interval <seconds>

Display all VLANs (brief):

# show vlan brief

Display specific VLAN information:

# show vlan id <vlan_number>

Create a VLAN and name it:

> enable
# config terminal
(config)# vlan <vlan_number>
(config-vlan)# name <vlan_name>
(config-vlan)# exit

Example:

(config)# vlan 10
(config-vlan)# name SALES
(config-vlan)# exit
(config)# vlan 20
(config-vlan)# name ENGINEERING
(config-vlan)# exit

Assign a single port:

(config)# interface <interface>
(config-if)# switchport mode access
(config-if)# switchport access vlan <vlan_number>

Assign a range of ports:

(config)# interface range <interface_range>
(config-if-range)# switchport mode access
(config-if-range)# switchport access vlan <vlan_number>
(config-if-range)# exit

Example:

(config)# interface range fastEthernet 0/1 - 10
(config-if-range)# switchport mode access
(config-if-range)# switchport access vlan 10

Configure a Switch Virtual Interface (SVI) for inter-VLAN routing or management:

(config)# interface vlan <vlan_number>
(config-if)# ip address <ip_address> <subnet_mask>
(config-if)# no shutdown

Example:

(config)# interface vlan 10
(config-if)# ip address 192.168.10.1 255.255.255.0
(config-if)# no shutdown

Delete a VLAN:

(config)# no vlan <vlan_number>

Trunk ports carry traffic for multiple VLANs between switches.

Display trunk interfaces:

# show interfaces trunk

Configure a trunk port:

> enable
# config terminal
(config)# interface <interface>
(config-if)# switchport mode trunk
(config-if)# switchport trunk native vlan <vlan_number>
(config-if)# switchport trunk allowed vlan <vlan_list>
(config-if)# no shutdown

Example:

(config)# interface gigabitEthernet 0/1
(config-if)# switchport mode trunk
(config-if)# switchport trunk native vlan 99
(config-if)# switchport trunk allowed vlan 10,20,30
(config-if)# no shutdown

Configure a range of trunk ports:

(config)# interface range <interface_range>
(config-if-range)# switchport mode trunk
(config-if-range)# switchport trunk native vlan <vlan_number>
(config-if-range)# switchport trunk allowed vlan <vlan_list>
(config-if-range)# no shutdown
(config-if-range)# exit

Example:

(config)# interface range fastEthernet 0/23 - 24
(config-if-range)# switchport mode trunk
(config-if-range)# switchport trunk native vlan 99
(config-if-range)# switchport trunk allowed vlan 10,20,30,99
(config-if-range)# no shutdown

Some switches require you to specify trunk encapsulation type:

(config-if)# switchport trunk encapsulation dot1q
(config-if)# switchport mode trunk

Switchport modes:

  • trunk: Port is permanently in trunking mode
  • access: Port is permanently in access mode
  • dynamic auto: Port waits for the neighbor to initiate trunking
  • dynamic desirable: Port actively attempts to negotiate trunking

Example:

(config-if)# switchport mode dynamic desirable

Add VLANs to the allowed list:

(config-if)# switchport trunk allowed vlan add <vlan_list>

Remove VLANs from the allowed list:

(config-if)# switchport trunk allowed vlan remove <vlan_list>

Allow all VLANs:

(config-if)# switchport trunk allowed vlan all

Example:

(config-if)# switchport trunk allowed vlan add 40,50
(config-if)# switchport trunk allowed vlan remove 30

Display all learned MAC addresses:

# show mac address-table

Display MAC addresses for a specific VLAN:

# show mac address-table vlan <vlan_number>

Display MAC addresses on a specific interface:

# show mac address-table interface <interface>

Clear the entire MAC address table:

# clear mac address-table

Clear only dynamically learned entries (preserves static entries):

# clear mac address-table dynamic

Manually assign a MAC address to a VLAN and interface (not recommended for production):

(config)# mac address-table static <mac_address> vlan <vlan_number> interface <interface>

Example:

(config)# mac address-table static 0050.5682.1234 vlan 10 interface fastEthernet 0/5

Configure a port for both data and voice traffic:

(config)# interface <interface>
(config-if)# switchport mode access
(config-if)# switchport access vlan <data_vlan>
(config-if)# switchport voice vlan <voice_vlan>
(config-if)# spanning-tree portfast
(config-if)# mls qos trust cos

Example:

(config)# interface fastEthernet 0/5
(config-if)# switchport mode access
(config-if)# switchport access vlan 10
(config-if)# switchport voice vlan 20
(config-if)# spanning-tree portfast
(config-if)# mls qos trust cos

Apply the same configuration to a range of ports:

(config)# interface range fastEthernet 0/1 - 24
(config-if-range)# switchport mode access
(config-if-range)# switchport access vlan 10
(config-if-range)# switchport voice vlan 20
(config-if-range)# spanning-tree portfast
(config-if-range)# mls qos trust cos

Enable QoS globally:

(config)# mls qos

Trust Class of Service markings from IP phones:

(config-if)# mls qos trust cos

Trust Differentiated Services Code Point markings:

(config-if)# mls qos trust dscp

Enable priority queuing for time-sensitive traffic:

(config-if)# priority-queue out

AutoQoS is Cisco’s simplified QoS configuration for VoIP.

For interfaces connected to Cisco IP phones:

(config-if)# auto qos voip cisco-phone

For trunk ports or interfaces already trusted:

(config-if)# auto qos voip trust

Example:

(config)# interface fastEthernet 0/5
(config-if)# auto qos voip cisco-phone
(config)# interface gigabitEthernet 0/1
(config-if)# auto qos voip trust

Verify the QoS configuration:

# show mls qos
# show mls qos interface <interface>
# show mls qos interface <interface> statistics
# show auto qos

Set power priority for critical devices:

(config-if)# power inline priority <high|low>

Example:

(config)# interface fastEthernet 0/5
(config-if)# power inline priority high

Limit power allocation per port:

(config-if)# power inline max <milliwatts>

Example:

(config-if)# power inline max 15400

Prevent PoE delivery on a port:

(config-if)# power inline never

Enable automatic PoE detection and power delivery:

(config-if)# power inline auto

Display PoE status for all interfaces:

# show power inline

Display PoE status for a specific interface:

# show power inline <interface>

Display PoE power budget and consumption:

# show power inline consumption

Example output interpretation:

  • Available: Total power budget
  • Used: Currently allocated power
  • Remaining: Available for additional devices

Private VLANs provide Layer 2 isolation between ports in the same VLAN.

Define the primary VLAN:

(config)# vlan <primary_vlan_number>
(config-vlan)# private-vlan primary

Define a secondary VLAN as isolated or community:

(config)# vlan <secondary_vlan_number>
(config-vlan)# private-vlan <isolated|community>

Associate the secondary VLANs with the primary VLAN:

(config)# vlan <primary_vlan_number>
(config-vlan)# private-vlan association <secondary_vlan_list>

Example:

(config)# vlan 100
(config-vlan)# private-vlan primary
(config)# vlan 101
(config-vlan)# private-vlan isolated
(config)# vlan 100
(config-vlan)# private-vlan association 101