Speed and MDIX

The default setting for both duplex and speed for switch ports on Cisco Catalyst 2960 and 3560 switches is auto. The 10/100/1000 ports operate in either half- or full-duplex mode when they are set to 10 or 100 Mb/s, but when they are set to 1000 Mb/s (1 Gb/s), they operate only in full-duplex mode.

When auto-MDIX is enabled, the interface automatically detects the required cable connection type (straight- through or crossover) and configures the connection appropriately.The auto-MDIX feature is enabled by default on Catalyst 2960 and Catalyst 3560 switches, but is not available on the older Catalyst 2950 and Catalyst 3550 switches.

S1(config)#int f0/1

S1(config-if)#duplex full

S1(config-if)#speed 100

S1(config-if)#mdix auto

To examine the MDIX feature, use

S1(config)#show controllers ethernet-controller  fa0/1 phy | include Auto-MDIX

Note: if the two adjacent  switch ports have different above configuration, the “show interface command” will indicate that the status: up, protocol:down.

Show Command
  • Show interfaces {interface-id} or show int
  • Show startup-config or show start
  • show running-config or show run
  • show flash
  • show version
  • show history
  • show ip {interface-id}
  • show mac-address-table or show mac address-table
  • show ip ssh: verify the switch support SSH.
  • show port-security interface f0/5

    show interfaces command include the following:

  • Runt Frames – Ethernet frames that are shorter than the 64-byte minimum allowed length are called runts. Malfunctioning NICs are the usual cause of excessive runt frames, but they can be caused by the same issues as excessive collisions.
  • Giants – Ethernet frames that are longer than the maximum allowed length are called giants. Giants are caused by the same issues as those that cause runts.
  • CRC errors – On Ethernet and serial interfaces, CRC errors usually indicate a media or cable error. Common causes include electrical interference, loose or damaged connections, or using the incorrect cabling type. If you see many CRC errors, there is too much noise on the link and you should inspect the cable for damage and length. You should also search for and eliminate noise sources, if possible.

“Output errors” is the sum of all errors that prevented the final transmission of datagrams out of the interface that is being examined. The reported output errors from the show interfaces command include the following:

  • Collisions – Collisions in half-duplex operations are completely normal and you should not worry about them, as long as you are pleased with half-duplex operations. However, you should never see collisions in a properly designed and configured network that uses full-duplex communication. It is highly recommended that you use full-duplex unless you have older or legacy equipment that requires half-duplex.
  • Late collisions – A late collision refers to a collision that occurs after 512 bits of the frame have been transmitted. Excessive cable lengths are the most common cause of late collisions. Another common cause is duplex misconfiguration.

  1. SSH, steps to configure:
    1. Verify SSH support: show ip ssh
    2. Configure the IP domain: s1(config)#ip domain-name cisco.com
    3. Generate RSA key pairs. s1(config)# Generating an RSA key pair automatically enables SSH: s1(config)#crypto key generate rsa. Use the length at least 1024. To delete it use: crypto key zeroize rsa.
    4. Configure user authentication: s1(config)#username user_name secret password
    5. Configure the vty line:
      1. s1(config)#line vty 0 15             //choose the lines to configure
      2. s1(config-line)#transport input ssh   //enable the SSH protocol on the vty lines
      3. s1(config-line)#login local          //require local authentication for SSH connection as well.
    6. Enable the SSH version 2:
      s1(config)# ip ssh version 2
    7. Restrict attempt times:
      S1(conifg)#ip ssh authentication-retries 2
    8. Set the timeout:
      S1(config)timeout 60    //in second
    9. Use “ssh -l username host_IP to connect from a PC. If no privilege mode password was set, ssh connection can not connect to privilege mode.

  2. Switchport security
    • Secure MAC Address TypesThere are a number of ways to configure port security.First of all, s1(config-if)#switchport port-security , so the switchport security will start to work.The type of secure address is based on the configuration and includes:
      • Static secure MAC addresses – MAC addresses that are manually configured on a port by using the s1(config-if)# switchport port-security mac-address mac-address {vlan |{access | voice}}. MAC addresses configured in this way are stored in the address table and are added to the running configuration on the switch.
        • vlan access: optional, on an access port only, specify the VLAN as an access VLAN
        • vlan voice: optional, On an access port only, specify the VLAN as a voice VLAN.
      • Dynamic secure MAC addresses – MAC addresses that are dynamically learned and stored only in the address table. MAC addresses configured in this way are removed when the switch restarts.
      • Sticky secure MAC addresses – MAC addresses that can be dynamically learned or manually configured, then stored in the address table and added to the running configuration( so it can be saved to startup-config if we issue”copy run startup”command).To configure an interface to convert dynamically learned MAC addresses to sticky secure MAC addresses and add them to the running configuration, you must enable sticky learnings1(config-if)#switchport port-security mac-address sticky .

      When this command is entered, the switch converts all dynamically learned MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses. All sticky secure MAC addresses are added to the address table and to the running configuration.

      If the sticky secure MAC addresses are saved to the startup configuration file, then when the switch restarts or the interface shuts down, the interface does not need to relearn the addresses. If the sticky secure addresses are not saved, they will be lost.

      If sticky learning is disabled by using the

      no switchport port-security mac-address sticky".

      the sticky secure MAC addresses remain part of the address table  (can be deleted by

      s1(config-if)#no switchport port-security mac-address 00E0.F909.706D ) ,but are removed from the running configuration.

    • violation modes :
      • Protect – Packets with unknown source addresses are dropped until a sufficient number of secure MAC addresses are removed, or the number of maximum allowable addresses is increased. There is no notification(syslog) that a security violation has occurred, basically the notification(syslog) means the “Security Violation Counter”in the “show port-security interface f0/1” command.
      • Restrict – When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until a sufficient number of secure MAC addresses are removed, or the number of maximum allowable addresses is increased. In this mode, there is a notification(syslog) that a security violation has occurred.
      • Shutdown – In this (default) violation mode, a port security violation causes the interface to immediately become error-disabled and turns off the port LED. It increments the violation counter. When a secure port is in the error-disabled state, it can be brought out of this state by entering the shutdown and no shutdown interface configuration mode commands. Note that it also sends an SNMP trap notificationviolation

      To change the violation mode on a switch port, use the
      switchport port-security violation {protect | restrict |shutdownshutdown vlan}

    • Set the maximum hosts mac address will be allowed:
      s1(config-if)#switchport port-security maximum n
  3. Password requirement

    security passwords min-length length
    Router(config)# security passwords min-length 6
  4. Login block (reference)

    a. Configures the number of allowable unsuccessful login attempts.


    security authentication failure rate threshold-rate log

    threshold-rate—Number of allowable unsuccessful login attempts.

    log—Syslog authentication failures if the rate exceeds the threshold.

    Router(config)# security authentication failure rate 10 log

    b. If the user exceeded the attempt time set by the admin, the user will be blocked out for a certain time.
    login block-for <Time period in seconds> attempts <Max no of failed attempts>within <Time period in seconds>

    The command should be entered in Configuration mode.

Here is an example:

Router1(config)#login block-for 360 attempts 2 within 30

BLOCK all connections to Router1 for 360 seconds if the credentials are entered INCORRECTLY 2 times WITHIN a span of 30 seconds. If this policy is breached you’ll get the following message on the console terminal:

%SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 5 secs, [user: jesin] [Source:] [localport: 22] [Reason: Login Authentication Failed] [ACL: sl_def_acl] at 17:01:34 UTC Thu Sep 22 2011

This means your router has entered into “quiet mode” during which will will NOT accept any telnet or SSH connections. The command show login failures will display the failed login attempts.

Router1#sh login failures
Total failed logins: 2
Detailed information about last 50 failures
Username          SourceIPAddr    lPort Count      TimeStamp
jesin                    22    2           17:01:34 UTC Thu Sep 22 2011