
Configuring a Cisco Network Switch and Router


This is a basic guide on configuring a Cisco network switch using the CLI (Command-line interface). Most of the examples provided in this guide will be performed using Cisco Packet Tracer.

Initial switch configuration

When first connecting to the switch, we start in user EXEC mode. This is a very limited mode. Enter the enable command to elevate to Privileged EXEC mode.

Switch> enable
Switch#

Now that we are in Privileged EXEC mode, we need to elevate to Global Configuration mode to configure the switch.

Switch# configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#
tip

When a command is mistyped, Cisco IOS hangs while it tries to resolve the unknown word as a hostname, and you have to press Ctrl+Shift+6 to break out. The following command prevents this behavior.

Switch(config)# no ip domain-lookup

A Cisco switch ships with the default hostname Switch. It can be changed with the following command; notice that the prompt now starts with S1.

Switch(config)# hostname S1
S1(config)#

Console Password: Add a password to the console session.

S1(config)# line console 0
S1(config-line)# password cisco
S1(config-line)# login

Privileged EXEC Password: Add a password for Privileged EXEC mode.

S1(config)# enable secret cisco

Encrypt all plaintext passwords: Encrypt all existing passwords that are in plaintext as well as subsequent passwords.

S1(config)# service password-encryption
info

Show Running Config: Verify that the passwords were configured correctly by stepping back down to Privileged EXEC mode and running:

S1# show running-config

⚠️ Create a MOTD Banner: Warn against unauthorized access using a MOTD (Message of the Day) banner.

S1(config)# banner motd "Authorized access only. Violators will be prosecuted to the full extent of the law."

Configure an IP on an Interface: Add an IP address to the default VLAN 1 interface.

S1(config)# interface vlan 1
S1(config-if)# ip address 192.168.1.253 255.255.255.0
S1(config-if)# no shutdown

S1(config-if)#
%LINK-5-CHANGED: Interface Vlan1, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up

Add a Default Gateway: Add a default gateway so the switch can communicate outside its local subnet. To do this, drop back into Global Configuration mode.

S1(config-if)# exit
S1(config)# ip default-gateway 192.168.1.254
info

Verify IP addressing by running show ip interface brief.

S1# show ip interface brief
(output omitted)
FastEthernet0/22 unassigned YES manual down down
FastEthernet0/23 unassigned YES manual down down
FastEthernet0/24 unassigned YES manual down down
GigabitEthernet0/1 unassigned YES manual down down
GigabitEthernet0/2 unassigned YES manual down down
Vlan1 192.168.1.253 YES manual up up

VLAN Configuration

S1(config)# vlan 10
S1(config-vlan)# name Finance
S1(config-vlan)# exit

Configure port as access port

S1(config)# interface f0/6
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 10

Configure port as a trunk

S1(config)# interface g0/1
S1(config-if)# switchport mode trunk
S1(config-if)# switchport trunk native vlan 99
tip

Disable DTP on trunk port

S1(config-if)# switchport nonegotiate

LACP Configuration

S1(config)# interface range FastEthernet 0/1 - 2
S1(config-if-range)# channel-group 1 mode active
Creating a port-channel interface Port-channel 1
S1(config-if-range)# exit
S1(config)# interface port-channel 1
S1(config-if)# switchport mode trunk
S1(config-if)# switchport trunk allowed vlan 1,2,20
tip

Verify the EtherChannel with:

S1# show etherchannel summary

PAgP Configuration

S1(config)# interface range f0/21 - 22
S1(config-if-range)# shutdown
S1(config-if-range)# channel-group 1 mode desirable
S1(config-if-range)# no shutdown
S3(config)# interface range f0/21 - 22
S3(config-if-range)# shutdown
S3(config-if-range)# channel-group 1 mode desirable
S3(config-if-range)# no shutdown
S1(config)# interface port-channel 1
S1(config-if)# switchport mode trunk

S3(config)# interface port-channel 1
S3(config-if)# switchport mode trunk
tip

Show VLAN information

S1# show vlan brief

Configure Layer 3 switch with inter-VLAN routing

tip

Troubleshooting VLAN-related issues

R1# show ip interface brief
R1# show interface g0/1.10
R1# show interface g0/1.30
S1# show interface trunk

Configure a routed port

MLS(config)# interface g0/2
MLS(config-if)# no switchport
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2, changed state to down

%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2, changed state to up

MLS(config-if)# ip address 209.165.200.225 255.255.255.252

Configure and activate the SVI interfaces for VLANs

MLS(config)# interface vlan 10
MLS(config-if)# ip address 192.168.10.254 255.255.255.0

Configure trunk

MLS(config-if)# interface g0/1
MLS(config-if)# switchport mode trunk

%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down

%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan20, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan30, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan99, changed state to up

MLS(config-if)# switchport trunk native vlan 99
MLS(config-if)# switchport trunk encapsulation dot1q
MLS(config-if)#
%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1 (99), with S1 GigabitEthernet0/1 (1).

Enable routing in Global configuration mode

MLS(config)# ip routing

Configure SVI for IPv6

Enable IPv6 routing

MLS(config)# ipv6 unicast-routing

Assign IPv6 address

MLS(config)# interface vlan 10
MLS(config-if)# ipv6 address 2001:db8:acad:10::1/64

Configure a Cisco Router

This is a basic guide on configuring a Cisco router using the CLI (Command-line interface). Most of the examples provided in this guide will be performed using Cisco Packet Tracer.

IPv4 Configuration with description

When first connecting to the router, we start in user EXEC mode. This is a very limited mode. Enter the enable command to elevate to Privileged EXEC mode.

Router> enable
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface g0/0
Router(config-if)# description Link to S1
Router(config-if)# ip address 192.168.0.254 255.255.255.0
Router(config-if)# no shutdown
Router(config-if)# exit

IPv6 Configuration

Router> enable
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ipv6 unicast-routing
Router(config)# interface g0/0
Router(config-if)# ipv6 address 2001:db8:0:1::1/64
Router(config-if)# ipv6 address fe80::1 link-local
Router(config-if)# no shutdown
Router(config-if)# exit

RA message flags that determine how a client obtains its GUA

Enable Stateless DHCPv6 on an Interface

R1(config-if)# ipv6 nd other-config-flag
R1(config-if)# end
R1#
R1# show ipv6 interface g0/0/1 | begin ND
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds (using 30000)
ND advertised reachable time is 0 (unspecified)
ND advertised retransmit interval is 0 (unspecified)
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
ND advertised default router preference is Medium
Hosts use stateless autoconfig for addresses.
Hosts use DHCP to obtain other configuration.
R1#

Enable Stateful DHCPv6 on an Interface

R1(config)# int g0/0/1
R1(config-if)# ipv6 nd managed-config-flag
R1(config-if)# ipv6 nd prefix default no-autoconfig
R1(config-if)# end
R1#
R1# show ipv6 interface g0/0/1 | begin ND
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds (using 30000)
ND advertised reachable time is 0 (unspecified)
ND advertised retransmit interval is 0 (unspecified)
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
ND advertised default router preference is Medium
Hosts use DHCP to obtain routable addresses.
R1#

Configure a Stateless DHCPv6 Server

R1(config)# ipv6 unicast-routing

R1(config)# ipv6 dhcp pool IPV6-STATELESS
R1(config-dhcpv6)# dns-server 2001:db8:acad:1::254
R1(config-dhcpv6)# domain-name example.com
R1(config-dhcpv6)# exit

R1(config)# interface GigabitEthernet0/0/1
R1(config-if)# description Link to LAN
R1(config-if)# ipv6 address fe80::1 link-local
R1(config-if)# ipv6 address 2001:db8:acad:1::1/64
R1(config-if)# ipv6 nd other-config-flag
R1(config-if)# ipv6 dhcp server IPV6-STATELESS
R1(config-if)# no shut
R1(config-if)# end
R1#

Configure a Stateless DHCPv6 Client

R3(config)# ipv6 unicast-routing
R3(config)#

R3(config)# interface g0/0/1
R3(config-if)# ipv6 enable
R3(config-if)#

R3(config-if)# ipv6 address autoconfig
R3(config-if)# end
R3#

Configure a Stateful DHCPv6 Server

R1(config)# ipv6 unicast-routing
R1(config)#

R1(config)# ipv6 dhcp pool IPV6-STATEFUL
R1(config-dhcpv6)#

R1(config-dhcpv6)# address prefix 2001:db8:acad:1::/64
R1(config-dhcpv6)# dns-server 2001:4860:4860::8888
R1(config-dhcpv6)# domain-name example.com
R1(config-dhcpv6)#

R1(config)# interface GigabitEthernet0/0/1
R1(config-if)# description Link to LAN
R1(config-if)# ipv6 address fe80::1 link-local
R1(config-if)# ipv6 address 2001:db8:acad:1::1/64
R1(config-if)# ipv6 nd managed-config-flag
R1(config-if)# ipv6 nd prefix default no-autoconfig
R1(config-if)# ipv6 dhcp server IPV6-STATEFUL
R1(config-if)# no shut
R1(config-if)# end
R1#

Configure a Stateful DHCPv6 Client

R3(config)# ipv6 unicast-routing
R3(config)#

R3(config)# interface g0/0/1
R3(config-if)# ipv6 enable
R3(config-if)#

R3(config-if)# ipv6 address dhcp
R3(config-if)# end
R3#
tip
R1# show ipv6 dhcp pool
R1# show ipv6 dhcp binding

Configure a DHCPv6 Relay Agent

tip
R1# show ipv6 dhcp interface
R1(config)# interface gigabitethernet 0/0/1
R1(config-if)# ipv6 dhcp relay destination 2001:db8:acad:1::2 G0/0/0
R1(config-if)# exit
R1(config)#

Subinterface for inter-VLAN routing (router on a stick)

R1> enable 
R1# configure terminal
R1(config)# interface g0/0.10
R1(config-subif)# encapsulation dot1Q 10
R1(config-subif)# ip address 172.17.10.1 255.255.255.0
R1(config-subif)# exit

R1(config)# interface g0/0
R1(config-if)# no shutdown

Configure subinterface as native VLAN

R1(config-subif)# encapsulation dot1Q 88 native

Configure DHCPv4

R1(config)# ip dhcp excluded-address 192.168.10.1 192.168.10.9
R1(config)# ip dhcp excluded-address 192.168.10.254
R1(config)# ip dhcp pool LAN-POOL-1
R1(dhcp-config)# network 192.168.10.0 255.255.255.0
R1(dhcp-config)# default-router 192.168.10.1
R1(dhcp-config)# dns-server 192.168.11.5
R1(dhcp-config)# domain-name example.com
R1(dhcp-config)# end
R1#
tip
R1# show running-config | section dhcp
R1# show ip dhcp binding
R1# show ip dhcp server statistics

Disable and re-enable the DHCP service

R1(config)# no service dhcp
R1(config)# service dhcp
R1(config)#

Configure DHCP Relay

R1(config)# interface g0/0/0
R1(config-if)# ip helper-address 192.168.11.6
R1(config-if)# end
R1#

Configure interface as DHCP client

SOHO(config)# interface G0/0/1
SOHO(config-if)# ip address dhcp
SOHO(config-if)# no shutdown

Configure Hot Standby Router Protocol (HSRP)

tip

Show commands for HSRP

R1# show standby
R1# show standby brief

R1(config)# interface g0/1
R1(config-if)# standby version 2
R1(config-if)# standby 1 ip 192.168.1.254
R1(config-if)# standby 1 priority 150
R1(config-if)# standby 1 preempt
R2(config)# interface g0/1
R2(config-if)# standby version 2
R2(config-if)# standby 1 ip 192.168.1.254

Configure Static Routes

IPv4 Default static route (also considered the route of last resort)

Router(config)#ip route 0.0.0.0 0.0.0.0 10.10.10.1

IPv4 Floating static route

An administrative distance is assigned to this static route so that it acts as a backup if the primary static route fails. In this example an administrative distance of 5 is assigned, since the default for a static route is 1.

Router(config)#ip route 0.0.0.0 0.0.0.0 10.10.10.1 5

IPv4 Static route to specific network

Router(config)#ip route 192.168.11.32 255.255.255.224 10.10.10.2

IPv4 Next hop host routes

Router(config)#ip route 198.0.0.10 255.255.255.255 10.10.10.1
Router(config)#ip route 198.0.0.10 255.255.255.255 s0/0/1 5

IPv6 Default static route

Router(config)#ipv6 route ::/0 2001:db8:a:1::1

IPv6 Floating static route

Router(config)#ipv6 route ::/0 2001:db8:a:2::1 5

IPv6 Static host routes

Edge_Router(config)#ipv6 route 2001:db8:f:f::10/128 2001:db8:a:1::1
Edge_Router(config)#ipv6 route 2001:db8:f:f::10/128 2001:db8:a:2::1 5

OSPFv2

OSPF Show commands

R1# show ip protocols
R1# show ip ospf
R1# show ip ospf interface GigabitEthernet 0/0/0
R1# show ip ospf neighbor
R1# show ip ospf neighbor detail
R1# show ip route ospf

Configure OSPF on a router

R1(config)# router ospf 10
R1(config-router)# router-id 1.1.1.1

Configure OSPF priority on an interface

R1(config)# interface g0/0/0
R1(config-if)# ip ospf priority 100

Clear OSPF process

R1# clear ip ospf process
Reset ALL OSPF processes? [y/n]: y

Adjust the hello and dead timers between two routers

R1(config)# interface s0/0/0
R1(config-if)# ip ospf hello-interval 15
R1(config-if)# ip ospf dead-interval 60

Propagate a default route into OSPF

R1(config)# ip route 0.0.0.0 0.0.0.0 Serial0/1/0
R1(config)# router ospf 1
R1(config-router)# default-information originate

Access Control Lists (ACLs)

tip

Show commands for ACLs

R1# show access-lists
R1# show ip access-lists
R1# show access-lists 101
R1# show access-lists 101 detail

Clear ACL counters

R1# clear access-list counters
R1# clear access-list counters 101

Configure and apply a numbered standard ACL on R2

Create an ACL using the number 1 on R2 with a statement that denies access to the 192.168.20.0/24 network from the 192.168.11.0/24 network.

R2(config)# access-list 1 deny 192.168.11.0 0.0.0.255
R2(config)# access-list 1 permit any

Apply the ACL to the G0/0 interface in the outbound direction

R2(config)# interface g0/0
R2(config-if)# ip access-group 1 out

Delete numbered standard ACL

R2(config)# no access-list 1

Configure and Apply a Named Standard ACL

R1(config)# ip access-list standard File_Server_Restrictions
R1(config-std-nacl)# permit host 192.168.20.4
R1(config-std-nacl)# permit host 192.168.100.100
R1(config-std-nacl)# deny any

Apply the ACL to the F0/1 interface in the outbound direction

R1(config)# interface f0/1
R1(config-if)# ip access-group File_Server_Restrictions out

Delete a named standard ACL

R1(config)# no ip access-list standard File_Server_Restrictions

Add Standard ACL to VTY lines

R1(config)# username ADMIN secret class
R1(config)# ip access-list standard ADMIN-HOST
R1(config-std-nacl)# remark This ACL secures incoming vty lines
R1(config-std-nacl)# permit 192.168.10.10
R1(config-std-nacl)# deny any
R1(config-std-nacl)# exit
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# transport input telnet
R1(config-line)# access-class ADMIN-HOST in
R1(config-line)# end

Numbered Extended ACL

Allow FTP traffic from the 172.22.34.64/27 network to the host 172.22.34.62

R1(config)# access-list 100 permit tcp 172.22.34.64 0.0.0.31 host 172.22.34.62 eq ftp

Apply the ACL to the G0/0 interface in the inbound direction

R1(config)# interface g0/0
R1(config-if)# ip access-group 100 in

Named Extended ACL

R1(config)# ip access-list extended WEB-TRAFFIC
R1(config-ext-nacl)# remark This ACL allows web traffic to the web server
R1(config-ext-nacl)# permit tcp any host 192.168.1.10 eq 80
R1(config-ext-nacl)# permit tcp any host 192.168.1.10 eq 443
R1(config-ext-nacl)# deny ip any any
R1(config-ext-nacl)# exit
R1(config)# interface g0/0
R1(config-if)# ip access-group WEB-TRAFFIC in
R1(config-if)# end
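How IOS evaluates the ACLs above (wildcard masks, top-down first match, implicit deny) can be checked offline with the following Python model. It is an added example, not code from the page; the Ace fields and the test packets are assumptions, and ftp is taken as TCP port 21.

```python
"""Simulate IOS ACL evaluation: wildcard masks, first match, implicit deny.

Added example, not from the page: it models the page's standard ACL 1,
extended ACL 100 and the named ACL WEB-TRAFFIC so that entry order and the
implicit 'deny any' at the end of every IOS ACL can be checked offline.
Only the Python standard library is used."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


def cidr_to_wildcard(network: str) -> str:
    """Convert a CIDR prefix into the IOS 'address wildcard' pair.

    A wildcard mask is the inverse of the subnet mask: a 1 bit means
    'don't care', so 172.22.34.64/27 becomes '172.22.34.64 0.0.0.31'."""
    net = IPv4Network(network)
    return f"{net.network_address} {net.hostmask}"


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr equals base on every bit the wildcard marks as 0."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Ace:
    """One access control entry, as written on the IOS command line."""
    action: str                  # "permit" or "deny"
    src: str                     # base address, or "any"
    src_wc: str = "0.0.0.0"      # wildcard; 0.0.0.0 is what 'host' expands to
    dst: str = "any"
    dst_wc: str = "0.0.0.0"
    proto: str = "ip"            # "ip" matches every protocol
    dport: Optional[int] = None  # 'eq <port>' on the destination, if any


def _addr_ok(addr: str, base: str, wildcard: str) -> bool:
    return base == "any" or wildcard_match(addr, base, wildcard)


def evaluate(acl: List[Ace], src: str, dst: str, proto: str = "ip",
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching ACE). An index of None means
    the packet matched nothing and hit the implicit deny."""
    for i, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not _addr_ok(src, ace.src, ace.src_wc):
            continue
        if not _addr_ok(dst, ace.dst, ace.dst_wc):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, i
    return "deny", None


# Standard ACL 1 from the page: deny 192.168.11.0/24, then permit any.
ACL_1 = [Ace("deny", "192.168.11.0", "0.0.0.255"), Ace("permit", "any")]

# Extended ACL 100: permit tcp 172.22.34.64 0.0.0.31 host 172.22.34.62 eq ftp
ACL_100 = [Ace("permit", "172.22.34.64", "0.0.0.31",
               "172.22.34.62", "0.0.0.0", "tcp", 21)]

# Named ACL WEB-TRAFFIC: web ports to 192.168.1.10, then explicit deny ip any any
ACL_WEB_TRAFFIC = [
    Ace("permit", "any", dst="192.168.1.10", proto="tcp", dport=80),
    Ace("permit", "any", dst="192.168.1.10", proto="tcp", dport=443),
    Ace("deny", "any", dst="any"),
]

if __name__ == "__main__":
    print(cidr_to_wildcard("172.22.34.64/27"))             # 172.22.34.64 0.0.0.31
    print(evaluate(ACL_1, "192.168.11.7", "192.168.20.5"))  # ('deny', 0)
    # 172.22.34.62 lies below 172.22.34.64/27, so as a source it is denied.
    print(evaluate(ACL_100, "172.22.34.62", "172.22.34.62", "tcp", 21))
```

The last call shows a common misreading: the FTP server's own address is outside the /27 that ACL 100 permits, so traffic sourced from it is caught by the implicit deny.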

Configure NAT

tip

Show commands for NAT

R1# show run | include nat
R1# show ip nat translations
R1# show ip nat translation verbose
R1# show ip nat statistics

Configure Static NAT

Create a static NAT translation to map the WebServer inside address to its outside address.

R1(config)# ip nat inside source static 172.16.16.1 64.100.50.1

Configure G0/0 as the inside NAT interface and S0/0/0 as the outside NAT interface.

R1(config)# interface g0/0
R1(config-if)# ip address 172.16.16.5 255.255.255.252
R1(config-if)# ip nat inside
R1(config-if)# interface s0/0/0
R1(config-if)# ip address 64.100.50.5 255.255.255.252
R1(config-if)# ip nat outside

Configure Dynamic NAT

Configure a NAT pool that uses two addresses in the 209.165.200.228/30 address space.

R2(config)# ip nat pool NAT-POOL1 209.165.200.229 209.165.200.230 netmask 255.255.255.252

Create an ACL that identifies the inside local addresses that will be translated.

R2(config)# access-list 1 permit 172.16.0.0 0.0.255.255

Bind ACL 1 to the NAT pool to enable dynamic NAT translation for the inside local addresses that match ACL 1.

R2(config)# ip nat inside source list 1 pool NAT-POOL1 

Assign inside and outside NAT interfaces

R2(config)# interface g0/0
R2(config-if)# ip nat inside
R2(config-if)# interface s0/0/0
R2(config-if)# ip nat outside
info

Clear IP NAT translations

R2# clear ip nat translation *
R2# show ip nat translation

Configure Port Address Translation (PAT)

Configure PAT to use a single IPv4 address

R2(config)# ip nat inside source list 1 interface serial 0/1/1 overload
R2(config)# access-list 1 permit 192.168.0.0 0.0.255.255
R2(config)# interface serial0/1/0
R2(config-if)# ip nat inside
R2(config-if)# exit
R2(config)# interface Serial0/1/1
R2(config-if)# ip nat outside

Configure PAT to use a pool of IPv4 addresses

R2(config)# ip nat pool NAT-POOL2 209.165.200.226 209.165.200.240 netmask 255.255.255.224
R2(config)# access-list 1 permit 192.168.0.0 0.0.255.255
R2(config)# ip nat inside source list 1 pool NAT-POOL2 overload
R2(config)#
R2(config)# interface serial0/1/0
R2(config-if)# ip nat inside
R2(config-if)# exit
R2(config)# interface serial0/1/1
R2(config-if)# ip nat outside
R2(config-if)# end
R2#

🔒 Security Settings for Cisco Devices

info

Most of these settings can be configured on both switches and routers. The following settings are recommended to secure the device.

Disable unused ports (excluding uplinks)

S1(config)# interface range F0/2-24, G0/2
S1(config-if-range)# shutdown

Encrypt all plaintext passwords. Encrypt all existing passwords that are in plaintext as well as subsequent passwords.

S1(config)# service password-encryption

Set a minimum password length of 10 characters.

S1(config)# security passwords min-length 10

Disable DNS lookup to prevent the device from trying to resolve mistyped commands as hostnames.

S1(config)# no ip domain-lookup

Set a domain name.

S1(config)# ip domain-name example.com

Create a local user account.

S1(config)# username any_user secret any_password

Generate an RSA key pair for SSH access.

S1(config)# crypto key generate rsa
How many bits in the modulus [512]: 1024

Block anyone for three minutes who fails to log in after four attempts within a two-minute period.

S1(config)# login block-for 180 attempts 4 within 120

Configure all VTY lines for SSH access and use the local user profiles for authentication.

S1(config)# line vty 0 4
S1(config-line)# transport input ssh
S1(config-line)# login local

Set the EXEC mode timeout to 6 minutes on the VTY lines.

S1(config-line)# exec-timeout 6
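The checklist above can be audited mechanically against a saved running-config. The following Python script is an added example, not code from the page; the two configs embedded in it are constructed, the hashes are placeholders, and the finding texts are my own.

```python
"""Audit a Cisco IOS running-config against the hardening checklist above.
Added example, not part of the page: both configs are constructed (hashes
are placeholders). Standard library only."""
import re
from typing import Dict, List, Optional

# Constructed 'show running-config' excerpt with two deliberate weaknesses:
# no login block-for, and the VTY lines still accept Telnet.
SAMPLE_CONFIG = """\
enable secret 5 $1$PLAC$EHOLDERHASHxxxxxxxxxxx
service password-encryption
security passwords min-length 10
no ip domain-lookup
ip domain-name example.com
banner motd ^C
Authorized access only.
^C
line vty 0 4
 exec-timeout 6 0
 login local
 transport input telnet ssh
"""

# The same excerpt with the checklist fully applied (also constructed).
HARDENED_CONFIG = SAMPLE_CONFIG.replace(
    "line vty 0 4", "login block-for 180 attempts 4 within 120\nline vty 0 4"
).replace("transport input telnet ssh", "transport input ssh")


def split_sections(config: str) -> Dict[str, List[str]]:
    """Group config lines: one-space-indented sub-commands belong to the
    preceding 'line'/'interface' command; every top-level command is kept
    under 'global' (unindented banner body lines land there too)."""
    sections: Dict[str, List[str]] = {"global": []}
    current = "global"
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            sections[current].append(raw.strip())
            continue
        line = raw.strip()
        sections["global"].append(line)
        current = line if line.startswith(("line ", "interface ")) else "global"
        sections.setdefault(current, [])
    return sections


def _first(pattern: str, lines: List[str]) -> Optional[re.Match]:
    """First line matching the start-anchored regex, or None."""
    return next((m for m in (re.match(pattern, l) for l in lines) if m), None)


def audit(config: str) -> List[str]:
    """One finding per checklist item that is missing or weaker than shown."""
    sec = split_sections(config)
    g, findings = sec["global"], []
    if not _first(r"service password-encryption$", g):
        findings.append("service password-encryption missing")
    m = _first(r"security passwords min-length (\d+)$", g)
    if not m or int(m.group(1)) < 10:
        findings.append("security passwords min-length below 10 or unset")
    if not _first(r"no ip domain-lookup$", g):
        findings.append("ip domain-lookup still enabled")
    if not _first(r"enable secret ", g):
        findings.append("enable secret not set")
    if not _first(r"login block-for \d+ attempts \d+ within \d+$", g):
        findings.append("login block-for not configured")
    vty = sec.get("line vty 0 4", [])
    if not vty:
        return findings + ["line vty 0 4 not configured"]
    t = _first(r"transport input (.+)$", vty)
    if not t or t.group(1).split() != ["ssh"]:
        findings.append("vty transport input is not ssh-only")
    if not _first(r"login local$", vty):
        findings.append("vty lines do not use login local")
    if not _first(r"exec-timeout \d+", vty):
        findings.append("vty exec-timeout not set")
    return findings
```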

Enable Port Security

tip
S1# show port-security interface fastethernet 0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 10 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 2
Configured MAC Addresses : 1
Sticky MAC Addresses : 1
Last Source Address:Vlan : a41f.7273.018c:1
Security Violation Count : 0
S1#
S1# show run interface fa0/1
Building configuration...
Current configuration : 365 bytes
!
interface FastEthernet0/1
switchport mode access
switchport port-security maximum 2
switchport port-security mac-address sticky
switchport port-security mac-address sticky a41f.7272.676a
switchport port-security mac-address aaaa.bbbb.1234
switchport port-security aging time 10
switchport port-security aging type inactivity
switchport port-security
end
S1#
S1(config)# interface f0/1
S1(config-if)# switchport port-security
Command rejected: FastEthernet0/1 is a dynamic port.
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
S1(config-if)# end
S1#
S1# show port-security interface f0/1
Port Security : Enabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0
S1#
S1(config)#
S1(config)# interface fa0/1
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
S1(config-if)# switchport port-security maximum 2
S1(config-if)# switchport port-security mac-address aaaa.bbbb.1234
S1(config-if)# switchport port-security mac-address sticky
S1(config-if)# end

Port Security Aging

S1(config)# interface fa0/1
S1(config-if)# switchport port-security aging time 10
S1(config-if)# switchport port-security aging type inactivity
S1(config-if)# end
S1# show port-security interface fa0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 10 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 2
Configured MAC Addresses : 1
Sticky MAC Addresses : 1
Last Source Address:Vlan : a41f.7272.676a:1
Security Violation Count : 0
S1#

Switch port violation modes

S1(config)# interface f0/1
S1(config-if)# switchport port-security violation restrict
S1(config-if)# end
S1#
S1# show port-security interface f0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 10 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 2
Configured MAC Addresses : 1
Sticky MAC Addresses : 1
Last Source Address:Vlan : a41f.7272.676a:1
Security Violation Count : 0
S1#

Enable DHCP Snooping

tip
S1# show ip dhcp snooping
S1(config)# ip dhcp snooping
S1(config)# interface f0/1
S1(config-if)# ip dhcp snooping trust
S1(config-if)# exit
S1(config)# interface range f0/5 - 24
S1(config-if-range)# ip dhcp snooping limit rate 6
S1(config-if-range)# exit
S1(config)# ip dhcp snooping vlan 5,10,50-52
S1(config)# end
S1#

DAI Configuration

warning

DHCP snooping must be enabled first.

S1(config)# ip dhcp snooping
S1(config)# ip dhcp snooping vlan 10
S1(config)# ip arp inspection vlan 10
S1(config)# interface fa0/24
S1(config-if)# ip dhcp snooping trust
S1(config-if)# ip arp inspection trust
tip
S1(config)# ip arp inspection validate ?
dst-mac Validate destination MAC address
ip Validate IP addresses
src-mac Validate source MAC address
S1(config)# ip arp inspection validate src-mac
S1(config)# ip arp inspection validate dst-mac
S1(config)# ip arp inspection validate ip
S1(config)# do show run | include validate
ip arp inspection validate ip
S1(config)# ip arp inspection validate src-mac dst-mac ip
S1(config)# do show run | include validate
ip arp inspection validate src-mac dst-mac ip
S1(config)#

Configure PortFast

S1(config)# interface fa0/1
S1(config-if)# switchport mode access
S1(config-if)# spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION
%Portfast has been configured on FastEthernet0/1 but will only
have effect when the interface is in a non-trunking mode.
S1(config-if)# exit
S1(config)# spanning-tree portfast default
%Warning: this command enables portfast by default on all interfaces. You
should now disable portfast explicitly on switched ports leading to hubs,
switches and bridges as they may create temporary bridging loops.
S1(config)# exit
S1# show running-config | begin span
spanning-tree mode pvst
spanning-tree portfast default
spanning-tree extend system-id
!
interface FastEthernet0/1
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
(output omitted)
S1#

Configure BPDU Guard

S1(config)# interface fa0/1
S1(config-if)# spanning-tree bpduguard enable
S1(config-if)# exit
S1(config)# spanning-tree portfast bpduguard default
S1(config)# end
S1# show spanning-tree summary
Switch is in pvst mode
Root bridge for: none
Extended system ID is enabled
Portfast Default is enabled
PortFast BPDU Guard Default is enabled
Portfast BPDU Filter Default is disabled
Loopguard Default is disabled
EtherChannel misconfig guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Configured Pathcost method used is short
(output omitted)
S1#