Chapter 4. Managing switch ports

A network can consist of many different kinds of devices: PCs, IP phones, printers, servers, wireless access points, and even other switches. The one thing these devices all have in common is that they physically connect to a switch, specifically, the Ethernet port of a switch.

Although Cisco sometimes refers to ports as interfaces, I’m going to call them ports because that’s how most people know them. Although plugging a device into a switch port is a trivial task, the magic behind how data gets transferred between a device and a switch is anything but trivial.

See if any part of this story sounds familiar: I used to work for a company that had offices scattered around the country. Each office had a few switches, a firewall, and a router, but no IT people to manage it hands-on. Whenever an employee moved desks, or a new employee came on board, a non-IT person (usually a manager) would plug the employee’s IP phone into the network jack in their cubicle. To their surprise, the phone would often not even turn on. Other times, it would turn on but wouldn’t work. Or maybe the phone would work, but the computer (which was plugged into the phone) would not be able to access the network.

Even the simplest networks are not plug-and-play. When someone plugs a device into a switch and that device doesn’t work as expected, you need to be able to understand why. You start by logging into the switch and investigating at the port level. Maybe the port is disabled or misconfigured. Sometimes it isn’t a port configuration problem. Maybe it’s a cabling or computer problem, but IOS can help you determine that as well.

In this chapter, you’re going to learn what causes these all-too-common issues and how to troubleshoot them.

4.1. Viewing port status

Suppose a user tells you they just moved desks and now their computer can’t get on the network. You go to their desk, make a note of the network jack their computer is plugged into, and walk back to the network closet. You find the port on the patch panel and trace it back to port FastEthernet0/2 on the switch. You notice that the link light on the switch isn’t lit. The network cable is connected, but the network connectivity isn’t there. Why? Did you trace the cable wrong? Did a rat chew through the cable somewhere up in the ceiling? Is there a problem with the network interface card (NIC) on the computer? Is there a problem with the switch port?

Investigating each of these possibilities independently is inconvenient and time-consuming. And if the problem occurs in an office 800 miles away, you’re at an even greater disadvantage when it comes to troubleshooting. What you need is a set of commands to give you the status of each switch port. The show interfaces status command gives you just that. Not only is the command intuitive, but its output is as well. Let’s see what I mean.

Try it now

Log in to one of your switches, get into enable mode, and type show interfaces status.

You should see something like this:

Switch1#show interfaces status

The first thing you’ll notice is that there are several columns here, but what you’re interested in right now are the Port and Status columns.

Note

It’s interesting to note that even though the command uses the term interfaces, the output calls them ports. As you get more experienced with IOS, you’ll start to notice that Cisco tends to use different terms to describe the same thing.

Notice that the ports have a mix of three statuses: notconnect, disabled, and connected. It doesn’t take a network nerd to figure out what these mean. As I said, the command output is quite intuitive. Notice that FastEthernet0/2 is disabled. That might explain why the user can’t get on the network! But why is it disabled? Let’s find out.

As useful as the show interfaces status command is, its output is limited. To get more detail on a particular interface, in this case FastEthernet0/2, you can use the show interface FastEthernet0/2 command. As you learned in chapter 2, you can abbreviate IOS commands. But you can also abbreviate interface names.

Try it now

If you have a disabled port in your show interfaces status output, run the show interface [interface] command against it. Otherwise, run show interface fa0/2.

You should see something similar to the following:

Don’t be overwhelmed by the amount of output. Most of the time, the information you need is near the top. In this case, the very first line of output gives it away. It says that the port is administratively down, meaning that somebody disabled this port.

When a port is disabled, it’s almost as if nothing is plugged into it. The switch doesn’t do anything with a disabled port. When a port is disabled, it won’t even provide electrical power to an IP phone if one happens to be plugged into it. It’s effectively dead, and you need to revive it.

4.2. Enabling ports

A disabled port is said to be in the shutdown state. In case you’re keeping track, that makes three different terms Cisco uses to describe a disabled port: disabled, administratively down, and shutdown. All of these terms mean the same thing.

Now suppose that your manager starts getting a lot of complaints about people’s computers not being able to get on the network. You’re asked to check all the ports on the switch and make sure none of them are disabled. You should use the show interfaces status command from earlier, but to make the output more readable, you can also filter the output to include only ports in a disabled state.

Try it now

Use the command show interfaces status | include disabled to display only disabled ports.

All you should see are disabled ports, if there are any:

Fa0/2                 disabled      1           auto        auto        10/100BaseTX
Fa0/6                 disabled      1           auto        auto        10/100BaseTX
Fa0/13                disabled      1           auto        auto        10/100BaseTX
Fa0/14                disabled      1           auto        auto        10/100BaseTX
Fa0/18                disabled      1           auto        auto        10/100BaseTX
Fa0/23                disabled      1           auto        auto        10/100BaseTX

Notice that the column headings are missing. This would be a good time to practice a little more output filtering to also include those.

Try it now

Type show interfaces status | i disabled|Status to display only disabled interfaces and the column headings.

Again, if you don’t have any disabled interfaces on your switch, you should still at least see the headings:

Recall from chapter 3 that the IOS running configuration controls what the switch is doing right now. That means that IOS has disabled these ports because of a command in the running configuration. Let’s take FastEthernet0/2 again and see what command is disabling this port.

Try it now

Execute show run interface FastEthernet0/2 to see the interface configuration.

Your output may differ, but you should at least see the section of the running configuration that controls port FastEthernet0/2:

This little slice of the running configuration is called the interface or port configuration section. The shutdown command is an interface command that disables the port. Notice how the command is indented, indicating that it’s within the port’s own configuration section. The end keyword signifies the end of the section.

Enabling FastEthernet0/2 involves removing the shutdown command. You should remember from the last chapter that putting a no in front of a command is usually sufficient to remove that command or at least undo it. Let’s try that.

Try it now

The first step is to get into global configuration mode by typing configure terminal.

Next, because you need to make a change to one specific interface, FastEthernet0/2, type interface fa0/2.

You should see the following:

Switch1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch1(config)#interface fa0/2
Switch1(config-if)#

Notice that the prompt changes from config to config-if, indicating you’re in interface configuration mode (the if is short for interface). Now you’re ready to negate the shutdown command, which will enable the interface.

Try it now

While still in interface configuration mode, type no shutdown and press Enter.

After entering the command, you should see two messages indicating the port is up:

Switch1(config-if)#no shutdown
Switch1(config-if)#
*Mar  1 06:49:27.824: %LINK-3-UPDOWN: Interface FastEthernet0/2, changed state to up
*Mar  1 06:49:28.831: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to up

It’s always a good idea to verify your changes, so do that with a show interfaces status | i Fa0/2 |Status:

Port      Name        Status        Vlan  Duplex      Speed       Type
Fa0/2                 connected     1           a-full      a-100       10/100BaseTX

Port FastEthernet0/2 is now in the connected state. This is a good start, but your manager wants all of the ports enabled. If there are more than a few ports disabled, manually enabling them one by one is a time-consuming hassle. You need a way to enable all the ports in one fell swoop with a couple of commands.

4.2.1. The interface range command

Earlier you got into interface configuration mode by typing interface fa0/2 while in global configuration mode. Any changes you make in interface configuration mode affect only the port you specify in the command. In other words, you’ve selected only one port. But there’s a way to select and configure multiple ports at once.

The interface range command lets you specify a range of interfaces separated by a dash. Because you need to enable all the ports on your switch, you can specify the entire range of ports on the switch and then issue the no shutdown command against them all at once.

Try it now

Get into global configuration mode and type the following to enable ports FastEthernet0/1 through 0/24:

interface range fa0/1-24
no shutdown

If your switch has 48 ports instead of 24, you can specify 48 instead. Regardless of how many ports are on your switch, you must specify a starting port and an ending port.

You should see output similar to the following:

The output indicates that some of the interfaces changed their state to down. That might seem a bit odd, considering you just enabled the interface. But all this means is that there are no active devices on those ports. A spot check with a show interfaces status | i Fa0/6|Status should confirm this:

Port    Name          Status        Vlan        Duplex      Speed       Type
Fa0/6                 notconnect    1           auto        auto        10/100BaseTX

And indeed FastEthernet0/6 is in the notconnect state, which means that it is enabled, but either there’s no device connected to it or the connected device is not turned on. What’s important is that with all of the switch ports enabled, you should be able to plug a working device into any port and get it to a connected state.

4.3. Disabling ports

You just learned how to enable ports, so you should already have a pretty good idea of how to disable them. But you might be wondering why anyone would disable a port to begin with. Why not leave them all enabled? It’s certainly more convenient to patch an Ethernet cable into a switch and have everything work. But in some environments, security policies dictate that unused ports should be disabled. Although such a policy might sound like the brainchild of a bureaucratic busybody, there are some good reasons to disable unused ports.

Suppose that every weekend a salesperson comes into the office, sits down at an empty desk, and plugs their personal laptop into the network. Their laptop, unbeknown to them, is infected with a nasty virus. One Monday morning, you find out that all of the computers on the network are infected with a crippling virus. It turns out that the salesperson’s personal laptop infected all of the other computers over the weekend when they plugged it into the network. Had the switch port they were using been disabled, their laptop wouldn’t have been able to get on the network. That would have led them to enlist the help of an IT person who might have found the virus before it infected other machines.

There are many other good reasons to disable an unused switch port, too many to discuss during lunch. Just look at it as a cheap and easy way to avoid a lot of headaches.

4.3.1. Finding unused interfaces

Disabling ports because you think they’re unused is a bad idea—really bad. In a live environment, you can wreak some real havoc by doing this. It’s vital that you first verify that the ports you’re going to disable are, in fact, not being used. You can do this by looking for ports that are in a notconnect state.

Try it now

List all interfaces with a notconnect status:

show interfaces status | i notconnect

If any port has no devices plugged in, or plugged in and not turned on, it will show up in the output as follows:

Switch1#show interfaces status | i notconnect
Fa0/5            notconnect         1           auto   auto 10/100BaseTX
Fa0/6            notconnect         1           auto   auto 10/100BaseTX
Fa0/8            notconnect         1           auto   auto 10/100BaseTX
Fa0/9            notconnect         1           auto   auto 10/100BaseTX
Fa0/10           notconnect         1           auto   auto 10/100BaseTX
Fa0/11           notconnect         1           auto   auto 10/100BaseTX
Fa0/13           notconnect         1           auto   auto 10/100BaseTX
Fa0/14           notconnect         1           auto   auto 10/100BaseTX
Fa0/15           notconnect         1           auto   auto 10/100BaseTX
Fa0/16           notconnect         1           auto   auto 10/100BaseTX
Fa0/17           notconnect         1           auto   auto 10/100BaseTX
Fa0/18           notconnect         1           auto   auto 10/100BaseTX
Fa0/19           notconnect         1           auto   auto 10/100BaseTX
Fa0/20           notconnect         1           auto   auto 10/100BaseTX
Fa0/21           notconnect         1           auto   auto 10/100BaseTX
Fa0/22           notconnect         1           auto   auto 10/100BaseTX
Fa0/23           notconnect         1           auto   auto 10/100BaseTX
Fa0/24           notconnect         1           auto   auto 10/100BaseTX

The idea is to get all of these ports into a disabled state. As you can see, there are a lot of them. Because ports FastEthernet0/13 through 0/24 are consecutive, you can disable all of them at once by getting into interface range configuration mode and shutting them down. You can do that with the following commands:

configure terminal
interface range fa0/13-24
shutdown

This still leaves a handful of interfaces that need to be disabled: FastEthernet0/5, 0/6, and 0/8 through 0/11. Fortunately, you can also disable these using the interface range command. But this time, in addition to specifying a range, you’ll specify individual interfaces separately, separating each with a comma:

interface range fa0/5,fa0/6,fa0/8-11
shutdown

Now run the show interfaces status | i notconnect command again:

Switch1#show interfaces status | i notconnect|Status
Port      Name          Status       Vlan       Duplex  Speed Type

This time, you get no interfaces listed, implying that all the unused interfaces are now disabled.

Try it now

Find all of the unused interfaces on your switch:

show interfaces status | i notconnect

If you have any that are unused, disable them using the shutdown command.

A word of warning

Just because an interface is in the notconnect state doesn’t mean someone won’t try to use it. If a user goes home sick for the day and turns their computer off, the port their computer is connected to may be in the notconnect state. If you disable the port, when they come back the following workday, their computer won’t have network connectivity, and you’ll have to re-enable the port. Before disabling an unused port, it’s always a good idea to verify that it isn’t going to be needed in the very near future.
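
The manual steps in this section (list the notconnect ports, group consecutive ones, shut them down) can also be scripted. The following is an added example, not code from the book: the function names, the keep list, and the sample output are constructed for illustration, and the limit of five ranges per interface range command is an assumption you should check against your platform.

```python
import re

# Constructed sample of `show interfaces status` output (not from a real switch).
SAMPLE = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/1                        connected    1          a-full  a-100 10/100BaseTX
Fa0/2     Lobby phone        connected    1          a-full  a-100 10/100BaseTX
Fa0/4                        connected    1          a-half   a-10 10/100BaseTX
Fa0/5                        notconnect   1            auto   auto 10/100BaseTX
Fa0/6                        notconnect   1            auto   auto 10/100BaseTX
Fa0/7                        disabled     1            auto   auto 10/100BaseTX
Fa0/8     Sick-day desk      notconnect   1            auto   auto 10/100BaseTX
Fa0/9                        notconnect   1            auto   auto 10/100BaseTX
Fa0/10                       notconnect   1            auto   auto 10/100BaseTX
Fa0/11                       notconnect   1            auto   auto 10/100BaseTX
Fa0/13                       notconnect   1            auto   auto 10/100BaseTX
Fa0/14                       notconnect   1            auto   auto 10/100BaseTX
Gi0/1                        notconnect   1            auto   auto 10/100/1000BaseTX
"""

# Port = letters + slot path + number. The Name column may be empty or contain
# spaces, so the Status keyword is located instead of counting columns.
ROW = re.compile(
    r"^(?P<prefix>[A-Za-z]+)(?P<slot>(?:\d+/)+)(?P<num>\d+)\s+(?P<name>.*?)\s*"
    r"(?<=\s)(?P<status>connected|notconnect|disabled|err-disabled)\s"
)


def unused_ports(output, keep=()):
    """Map (prefix, slot) -> port numbers in notconnect state, minus `keep`.

    `keep` lists ports that must stay enabled even though nothing is plugged
    in right now (the "word of warning" case)."""
    keep = {k.lower() for k in keep}
    groups = {}
    for line in output.splitlines():
        m = ROW.match(line)
        if not m or m["status"] != "notconnect":
            continue
        port = m["prefix"] + m["slot"] + m["num"]
        if port.lower() not in keep:
            groups.setdefault((m["prefix"], m["slot"]), []).append(int(m["num"]))
    return groups


def collapse(nums):
    """Collapse port numbers into inclusive runs: [5, 6, 8] -> [(5, 6), (8, 8)]."""
    runs = []
    for n in sorted(set(nums)):
        if runs and n == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], n)
        else:
            runs.append((n, n))
    return runs


def shutdown_commands(output, keep=(), max_ranges=5):
    """Build `interface range ... / shutdown` lines for the unused ports.

    max_ranges=5 is an assumed per-command limit; adjust for your platform."""
    specs = []
    for (prefix, slot), nums in unused_ports(output, keep).items():
        for lo, hi in collapse(nums):
            base = f"{prefix}{slot}{lo}"
            specs.append(base if lo == hi else f"{base}-{hi}")
    cmds = []
    for i in range(0, len(specs), max_ranges):
        cmds.append("interface range " + ",".join(specs[i:i + max_ranges]))
        cmds.append(" shutdown")
    return cmds


if __name__ == "__main__":
    # Fa0/8 belongs to a user who is out sick, so it stays enabled.
    print("\n".join(shutdown_commands(SAMPLE, keep=("Fa0/8",))))
```

Review the generated lines before pasting them into global configuration mode; the script only sees the port state at the moment the output was captured.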

4.4. Changing the port speed and duplex

At the beginning of the chapter I said that networks are not plug-and-play. Just because a port shows connected doesn’t mean that everything is working correctly. The switch port and the device on the other end have to operate at the same speed and duplex in order for data to flow smoothly. The port speed and duplex are concepts you’re already familiar with, but they have special implications for switch port configuration. Let’s briefly cover speed and duplex.

4.4.1. Speed

The port speed is another term for the bandwidth: how fast data can travel between a device and the switch. Although 100 megabits per second (Mbps) is a common speed, you may occasionally see the slower 10 Mbps speed. There is no one right speed, but most devices should be operating at 100 Mbps or faster. Some older devices may not be capable of this and operate at 10 Mbps instead. The point is that if you see a device operating at 10 Mbps, it warrants further investigation but doesn’t necessarily indicate a problem.

The command show interfaces status | i connected|Status gives you a summary of the operating speed of each port:

The relevant column heading here is the one labeled Speed. Take a look at the row for FastEthernet0/1. The a-100 indicates the port is operating at 100 Mbps, and the switch and the device have automatically negotiated that speed. This is called autonegotiation, and it’s enabled by default on all ports. The switch and device attempt to negotiate the highest speed they both support, which in this case is 100 Mbps.

4.4.2. Duplex

Duplex describes simultaneous two-way communication between a switch port and a device. The terminology around duplex gets a bit awkward. Full duplex means that both the device and the switch can transmit data at the same time without stepping on each other. Half duplex means that only one device can transmit at a time. If the switch port is sending data, for example, the computer on the other end has to wait for the switch to stop before it can start transmitting.

Take a look at the Duplex column. All of the ports show a-full except for FastEthernet0/4, which shows a-half. As with speed, the a indicates the duplex is autonegotiated. Most modern devices will autonegotiate to full duplex.

4.4.3. Autonegotiation

In the late 1990s and early 2000s, it was common practice to disable speed and duplex autonegotiation on all switch ports because it was unreliable. Those days are long gone, and you shouldn’t disable autonegotiation unless you have a specific reason to do so.

Disabling autonegotiation isn’t something you do explicitly. It’s a side effect of hardcoding the speed or duplex of a port. For example, when you hardcode a port to 10 Mbps, half duplex, you’re telling the switch to allow that port to operate only at that speed and duplex all the time. Hardcoding is the opposite of autonegotiation.

Although you shouldn’t hardcode speed and duplex for most ports, there are times when it’s a good idea. Some devices like older HP JetDirect print servers and Cisco Analog Telephone Adapters want to operate at 10 Mbps, half duplex. Although even older devices support autonegotiation, many are from that era when autonegotiation wasn’t reliable.

Moving into more modern territory, devices like IP cameras and security systems are themselves often hardcoded to a specific speed and duplex, and your switch port configuration has to match that. Sometimes a device manufacturer will require a hardcoded speed and duplex for no good reason, but you have to comply or else you can’t get support when things go south.

The bottom line is that although changing the port speed and duplex isn’t something you want to do every day, it’s likely that you already have at least one device in your environment that will mandate it.

4.4.4. Changing the port speed

Let’s take another look at the status of the connected interfaces:

Switch1#show interfaces status | i connected|Status
Port    Name          Status        Vlan        Duplex      Speed       Type
Fa0/1                 connected     1           a-full      a-100       10/100BaseTX
Fa0/2                 connected     1           a-full      a-100       10/100BaseTX
Fa0/3                 connected     1           a-full      a-100       10/100BaseTX
Fa0/4                 connected     1           a-half      a-10        10/100BaseTX
Fa0/7                 connected     1           a-full      a-100       10/100BaseTX
Fa0/12                connected     1           a-full      a-100       10/100BaseTX

My computer is plugged into FastEthernet0/1, and it has negotiated a speed and duplex of 100 Mbps, full duplex with the switch. Let’s see what happens when I change the speed to 10 Mbps:

Switch1(config)#interface fa0/1
Switch1(config-if)#speed 10
Switch1(config-if)#
*Mar  2 03:33:25.235: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
*Mar  2 03:33:27.248: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

Notice that the port momentarily goes into a down state and then comes back up. Network folks call this flapping or bouncing. The fact that the port came back up indicates my computer does in fact support a speed of 10 Mbps. If my computer didn’t support 10 Mbps, the interface wouldn’t have come back up. Let’s check that port again:

Switch1#show interfaces status | i Fa0/1 |Status
Port      Name        Status        Vlan        Duplex      Speed       Type
Fa0/1                 connected     1           a-full      10          10/100BaseTX

This time, the speed shows 10. But not only that, the a is missing as well, indicating the speed wasn’t autonegotiated.

Try it now

Locate a port in the connected state that you know isn’t being used and try to change the speed to 10 or 100 Mbps. Use the IOS inline help to guide you. If you’re not sure of what to type, type ? and IOS will show you your options.

When you’ve finished, re-enable autonegotiation by using the speed auto interface command.

By the way, network folks use shorthand to refer to speed and duplex combinations. For example, they’ll refer to a 100 Mbps, full duplex combination as simply 100/full. I’ll refer to speed and duplex this way throughout the rest of the book.

4.4.5. Changing the duplex

We saw earlier that FastEthernet0/4 is operating at half duplex. Let’s take a closer look at that port:

Switch1#show interfaces status | i Fa0/4|Status
Port     Name         Status       Vlan        Duplex      Speed       Type
Fa0/4                 connected    1           a-half      a-10        10/100BaseTX

It’s operating at 10/half, and both of those parameters are autonegotiated. If you ever see this on a live network, you definitely want to investigate it. At worst, it could indicate a cabling or other problem. At best, it could lead you to an interesting device. Chances are anything operating at 10/half is neither a desktop computer nor a server.

Notice that the speed and duplex were autonegotiated. Let’s try to change the duplex to full:

Enter configuration commands, one per line.  End with CNTL/Z.
Switch1(config)#interface fa0/4
Switch1(config-if)#duplex full
Switch1(config-if)#
*Mar  2 04:39:12.755: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, changed state to down
*Mar  2 04:39:13.761: %LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to down

The port goes down and stays down. Whatever is on the other end certainly doesn’t support full duplex communication. It’s also possible, though less likely, that there’s a damaged Ethernet cable. This is exactly why you always want to investigate any port with a speed and duplex that’s out of the ordinary.

Let’s look at that port again:

Switch1#show interfaces status | i Fa0/4|Status
Port      Name        Status       Vlan        Duplex      Speed       Type
Fa0/4                 notconnect   1           full        auto        10/100BaseTX

Interesting! The port is now in the notconnect state. I didn’t unplug anything, but the mismatched duplex makes it look like nothing is plugged into the port at all. This illustrates why it’s a good idea to let autonegotiation do its work unless you have a really compelling reason not to.

Try it now

Locate a port in the connected state that isn’t being used and try to change the duplex to half or full. What happens? When you’ve finished, set it back to autonegotiate with the duplex auto interface command.

4.5. Commands in this chapter

In this chapter, you learned how to manipulate individual ports in interface configuration mode. When working with the IOS command line, you need to be able to distinguish between global configuration mode commands and interface configuration mode commands. Table 4.1 differentiates these commands and also lists some of the show commands used in this chapter.

Table 4.1. Commands used in this chapter

Command                                 Configuration mode   Description
show interfaces status                  N/A                  Concisely displays the state, speed, and duplex of all ports
show run interface fa0/2                N/A                  Displays detailed information about FastEthernet0/2
interface range fa0/5,fa0/6,fa0/8-11    Global               Selects a range of ports for configuration
speed 10/100/auto                       Interface            Hardcodes the speed of a port or enables speed autonegotiation
duplex full/half/auto                   Interface            Hardcodes the duplex of a port or enables duplex autonegotiation
(no) shutdown                           Interface            Disables or enables a port

4.6. Hands-on lab

Practice everything you learned in this chapter if you haven’t already. If you have, go ahead and perform the lab:

  1. Display only the ports that aren’t connected.
  2. Select a range of unused ports and disable them.
  3. Try selecting a range of ports that falls outside the number of ports on your switch. What error do you get?
  4. Using the show commands, see if you can find any interesting devices operating at 10 Mbps or half duplex.
  5. Select a port operating at 100/full. Change the speed to 10 Mbps. What happens?
  6. What happens when you set it back to 100 Mbps?
  7. Change the duplex of the port to half duplex. What happens now?
  8. Change the duplex back to full. If it doesn’t come back up, try shutting down the port and then enabling it.
  9. When you’ve finished, remember to save your running configuration using the copy run start or write memory command.