switchport

To configure switch port related information, use the command switchport in Interface Configuration Mode. The no form of the command resets the configuration to default or disables the features.

switchport

switchport { [dot1q] } { {ingress } { | egress} } { ether-type } { <size(1-65535)> }
{ [acceptable-frame-type } { {all } { | tagged } { | untaggedAndPrioritytagged} }
{ [access } { vlan } { <vlan-id(1-4094)>] }
{ [egress } { TPID-type } { {portbased } { | vlanbased} }
{ [encapsulation } { dot1ad } { vlan-type } { {tpid1 } { <CTAG | STAG > } { [tpid2] } { [tpid3]} }
{ [filtering-utility-criteria } { {default } { | enhanced}] } { [ingress-filter] }
{ [map } { protocols-group } { <Group id integer(0-2147483647)> } { vlan } { <vlan-id/vfi_id>] }
{ [mode } { {access } { | trunk } { | hybrid } { | {dynamic } { | tagged } { {auto } { | desirable}}}] }
{ } { [port-security } { {unicast } { <aa:aa:aa:aa:aa:aa> } { vlan } { <vlan-id/vfi_id> } { | violation } { {{protect } { | restrict } { | shutdown}| [recovery { automatic recovery-time <integer 0-300> | manual }]] }
{ [priority } { default } { <priority value(0-7)> }
{ [protected] }
{ [pvid } { vlan } { <vlan-id/vfi_id>] }
{ [unicast-mac } { learning } { {enable } { | disable} } { }

no switchport

no switchport { [dot1q] } { {ingress } { | egress} } { ether-type} } { [acceptable-frame-type] }
{ [access } { vlan] } { [egress } { TPID-type] }
{ [encapsulation } { dot1ad } { vlan-type } { [tpid1] } { [tpid2] } { [tpid3]} } { [ingress-filter] }
{ [map } { protocols-group } { <Group id integer(0-2147483647)> } { vlan } { <vlan-id(1-4094)>] }
{ [mode] } { [priority } { default } { <priority value(0-7)>] } { [protected] } { [pvid] }

Parameters

Parameter Type Description
dot1q   Enter to put an interface that is in Layer 3 mode into Layer 2 mode for Layer 2 configuration and configure port Ingress/Egress Ethertype. Dot1q shows tunneling related information.
Note:

This command executes only if the bridge port type is set as CBP (Customer Backbone Port).

ingress   Enter to configure ingress Ethertype and hence allows the service provider to support tunneling. Packets received on a port are considered tagged when the packet Ethertype matches the Ethertype configured on the port.
egress   Enter to configure egress Ethertype. This object indicates the Ethertype of the S-VLAN tag that has to be applied for all outgoing packets on this port. If a valid value is in this object, all packets which are outgoing on this port will contain the Ethertype as configured in this object
ether-type   Enter to configure the Ethertype value.
<size(1-65535)> Integer Enter a value for Ethertype. This value ranges from 1 to 65535 with a default of 33024.
<vlan-id(1-4094)> Integer Enter a value for VLAN-ID start of range. This value ranges from 1 to 4094.
acceptable-frame-type   Enter to configure the type of VLAN dependent BPDU frames such as GMRP BPDU that the port should accept during the VLAN membership configuration.
all   Enter to configure the acceptable frame type as all. All tagged, untagged and priority tagged frames received on the port are accepted and subjected to ingress filtering.
tagged   Enter to configure the acceptable frame type as tagged. Only the tagged frames received on the port are accepted and subjected to ingress filtering. The untagged and priority tagged frames received on the port are rejected. For ports in PBB bridge mode, the TAG descriptions for the following port types are as follows:
  • for CNP S Tagged - S-Tag
  • for CNP C Tagged - C-Tag
  • for CNP Port Based - S-Tag
  • PIP - I-Tag
  • CBP - I-Tag
  • PNP - B-Tag or S-Tag.
untaggedAndPrioritytagged   Enter to configure the acceptable frame type as untagged and priority tagged. Only the untagged or priority tagged frames received on the port are accepted and subjected to ingress filtering. The tagged frames received on the port are rejected.
access   Enter to configure the PVID (Port VLAN Identifier) on a port.
vlan   Enter to configure the PVID (Port VLAN Identifier) on a port.
<vlan-id(1-4094)> Integer Enter a value for PVID (Port VLAN Identifier). This value ranges from 1 to 4094.
Note:

If the frame (untagged/priority tagged/customer VLAN tagged) is received on a "tunnel" port, then the default PVID associated with the port is used.

Note:

If the received frame cannot be classified as MAC-based or port-and-protocol-based, then the PVID associated with the port is used.

Note:

For ports in PBB bridge mode, PVID can be configured on CNP (Customer Network Port) and CBP (Customer Backbone Port).

Note:

Usage is based on acceptable frame type of the port. Packets will be either dropped or accepted at ingress. Once a packet is accepted, if the packet is having a tag, it will be processed against that tag. Otherwise, the packet will be processed against PVID.

egress   Enter to set the egress TPID-type for the port
TPID-type   Enter to configure the egress TPID-type on a port
portbased   Enter to set egress TPID-type as portbased. The egress TPID of the packet is selected from the Egress Port Table.
vlanbased   Enter to configure the egress TPID-type as vlan-based. The egress TPID is selected from the egress VLAN Table.
encapsulation   Enter to configure standard/user defined TPID for a port.
dot1ad   Enter for DOT1AD configuration. IEEE 802.1ad implements standard protocols for double tagging of data. The data traffic coming from the customer side are double tagged in the provider network where the inner tag is the customer-tag (C-tag) and the outer tag is the provider-tag( S-tag). A service provider's Layer 2 network transports the subscriber's Layer 2 protocols transparently.
vlan-type   Enter to set VLAN TYPE.
tpid1   Enter to configure standard allowable TPID for a Port, either C-Tag or S-Tag.
Note:

The TPID1 value should be configured as a value different from the default ingress Ethertype. If the ingress Ethertype is 0x8808, then TPID CTAG should be configured using this command. If the ingress Ethertype is 0x8100, TPID STAG should be configured.

CTAG   Enter to configure the standard allowable TPID for the C-tag (i.e. inner or Customer tag), which is used to uniquely identify a customer and is typically used on a per port basis. This indicates the secondary Ethertype that is allowable for a port. The configurable value for this object is 0x8100. For Ethertype numbers see https://www.iana.org/assignments/ieee-802-numbers/ieee-802-numbers.xhtml#ieee-802-numbers-1
STAG   Enter to configure standard allowable TPID for S-TAG (i.e. outer, Service Provider tag). This indicates a secondary Ethertype that is allowable for a port. The configurable value for this object is 0x88A8.
tpid2   Enter to set standard allowable TPID for a port. This indicates the standard Ethertype that is allowable for a port. The configurable value for this object is Q-in-Q Ethertype [0x9100].
tpid3   Enter to configure the user defined allowable TPID for a port.
filtering-utility-criteria   Enter to configure filtering utility criteria for the port. These utility criteria are used to reduce the capacity requirement of the filtering database and to reduce the time for which service is affected, by retaining the filtering information learnt prior to a change in the physical topology of the network.
Note:

The filtering utility criteria cannot be configured in the switch, if the VLAN switching feature is shutdown in the switch.

Note:

This command is applicable only for the port configured as switch port.

default   Enter to allow learning of source MAC from a packet received on the port, only if there is at least one member port for a VLAN mentioned in the packet. This is the default option.
enhanced   Enter to allow learning of source MAC from a packet received on the port, only if the following conditions are satisfied:
  • At least one VLAN that uses the FID includes the reception port and at least one other Port with a port state of Learning or Forwarding in its member set.
  • The operPointToPointMAC parameter is false for the reception port. Or Ingress to the VLAN is permitted through a port other than source and reception. This port can be or not be in the member set for the VLAN.
ingress-filter   Enter to enable ingress filtering feature on the port. The ingress filtering is applied for the incoming frames received on the port. Only the incoming frames of the VLANs that have this port in its member list are accepted. This configuration does not affect VLAN independent BPDU frames such as GVRP BPDU and STP BPDU. It affects only the VLAN dependent BPDU frames GMRP BPDU. By default, the ingress filtering feature is disabled on the port.
Note:
  • Prerequisites:
  • This command is applicable only for the port configured as switch port.
  • The ingress filtering cannot be configured on the port, if the base bridge mode is set as transparent bridging or the VLAN switching feature is shutdown in the switch.
  • The ingress-filtering feature cannot be configured and is always enabled on the port, if the bridge port type is set as customer network port – S tagged.
map   Enter to map the configured protocol group to a particular VLAN ID for an interface. This configuration is used during protocol-VLAN based membership classification.
protocols-group   Enter to map the configured protocol group to a particular VLAN ID for an interface.
<Group id integer(0-2147483647)> Integer Specify a unique group ID that is already created with the specified protocol type and encapsulation frame type. This value represents a specific group that should be associated with a VID. This value ranges from 0 to 2147483647.
vlan   Enter to map the configured protocol group to the specified VLAN / VFI ID.
Note:

The protocol group should have been already created with a specific protocol and encapsulation frame type combination before mapping it to a VID.

Note:

This command is applicable only for the port configured as switch port.

Note:

The protocol group mapping cannot be configured for the port, if the VLAN switching feature is shutdown in the switch.

<vlan-id/vfi_id> Integer Enter the VLAN / VFI ID to which the configured protocol group is mapped. This value ranges from 1 to 65535.
  • <vlan-id> - VLAN ID is a unique value that represents the specific VLAN. This value ranges from 1 to 4094.
  • <vfi-id> - VFI ID is a VLAN created in the system which contains Pseudowires and Attachment Circuits as member ports. This creates a logical LAN for the VPLS service. This value ranges from 4096 to 65535.
Note:

VFI IDs 4096 and 4097 are reserved identifiers used in MPLS PW.

Note:

The theoretical maximum for the maximum number of VFI is 65535 but the actual number of VFI supported is a sizing constant. Based on this, the maximum number of VFI ID accepted in the management interface is restricted. For example if 100 VFIs are supported, the maximum number of VFI supported will be restricted to maximum number of VLANs + 100. An error message is displayed for any value beyond this range.

mode   Enter to configure the mode of operation for a switch port. This mode defines the way of handling of traffic for VLANs.
access   Enter to configure the port as access port that accepts and sends only untagged packets. This kind of port is added as a member to a specific VLAN only and carries traffic only for the VLAN to which the port is assigned. The port can be set as access port, only if the following 3 conditions are met:
  • The GVRP is disabled for that port.
  • Acceptable frame type is set as “untagged AND priority” tagged.
  • Port is not a tagged member of any VLAN.
trunk   Enter to set the port as trunk port that accepts and sends only tagged frames. This kind of port is added as member of all existing VLANs and for any new VLAN created, and carries traffic for all VLANs. The trunk port accepts untagged frames too, if the acceptable frame type is set as all. The port can be set as trunk port, only if the port is not a member of untagged ports for any VLAN in the switch.
hybrid   Enter to configure the port as hybrid port that accepts and sends both tagged and untagged frames.
dynamic   Enter to configure the mode as Dynamic Mode. The Dynamic Mode can be auto and desirable.
auto   Enter to set the interface to convert the link to a trunk link.
desirable   Enter to set the interface to attempt actively to convert the link to a trunk link.
port-security   Enter to configure the unicast MAC address as a known frame in the port.

The port-security command is used to enable/disable port-security on a port. Port-security needs to be enabled to configure trusted MAC addresses and MAC learn limit.

By default port-security is disabled.

If port-security configuration is enabled, the Port Security MACs limit (trusted MACs) is limited to 3K per device. This value is hardcoded and not configurable.

unicast   Enter to configure the static unicast MAC address for the specified interface.
<aa:aa:aa:aa:aa:aa>   Enter a unicast MAC address. This address should be in the format of aa:bb:cc:dd:ee:ff.
vlan   Enter to set VLAN Interface configuration for the specified VLAN / VFI ID.
<vlan-id/vfi_id> Integer Enter the VLAN / VFI ID for the VLAN Interface configuration. This value ranges from 1 to 65535.
  • <vlan-id> - VLAN ID is a unique value that represents the specific VLAN. This value ranges from 1 to 4094.
  • <vfi-id> - VFI ID is for a VLAN created in the system with a value ranging from 4096 to 65535.
Note:

The VLAN ID 4095 is reserved and may be used to indicate a wildcard match for the VID in management operations or Filtering Database entries.

Note:

VFI IDs 4096 and 4097 are reserved identifiers used in MPLS PW.

Note:

The theoretical maximum for the maximum number of VFI is 65535 but the actual number of VFI supported is a sizing constant. Based on this, the maximum number of VFI ID accepted in the management interface is restricted. For example if 100 VFIs are supported, the maximum number of VFI supported will be restricted to maximum number of VLANs + 100. An error message is displayed for any value beyond this range.

violation   Enter to configure the security violation status for the specified switch port.
Note:

This command can be executed only if the interface created is mapped to a context.

recovery   The default state is manual recovery. The user needs to manually change the admin status to the UP (no shutdown) state to recover the port.
automatic   If port recovery is configured as “automatic”, based on the “timer” value configured, the port will change its status to UP automatically. The timer value to be configured will be in “seconds”. The default recovery timer value is 5 secs.
protect   Enter to set the port-security violation label (sav) as protected, which sets the strict security flag as false, so that only an unknown MAC is treated as a violation on all security configured ports.

Drops packets with unknown source addresses until secure MAC addresses drop below the maximum value.

restrict   Enter to set the port-security violation label (shv) as restricted, which sets the security flag as true, so that only the configured MACs are treated as non-violating on all security configured ports.

Restrict drops packets with unknown source addresses until the number of secure MAC addresses drops below the maximum value, and causes the Security Violation counter to increment. If the maximum value is reached, all violated entries will be flushed out and the learning process will start again.

shutdown   Enter to set the port-security violation status as shutdown which disables all security. This is the default option.
priority   Enter to configure the default ingress user priority for a port. This priority is assigned to frames received on the port that do not have a priority assigned to them. This priority value is useful only on media such as Ethernet that do not support native user priority.
Note:

This command is applicable only for the port configured as switch port.

Note:

The default user priority cannot be configured for the port, if the VLAN switching feature is shutdown in the switch.

default   Enter to configure the default ingress user priority for a port.
<priority value(0-7)> Integer Enter a value for the default ingress user priority. This value ranges from 0 to 7. The value 0 represents the lowest priority and the value 7 represents the highest priority. 0 is also the default value.
protected   Enter to enable switchport protection feature for a port. This feature sets the particular port as protected so that the port does not forward frames received from another protected port present on the same switch. By default, the switchport protection feature is disabled in the port.
Note:

The switchport protection feature cannot be configured in the switch if the VLAN switching feature is shutdown in the switch.

Note:

This command is applicable only for the port configured as switch port.

pvid   Enter to configure the PVID on the specified port. PVID (Port VLAN ID) is a default VLAN id assigned to frames coming to the port. The PVID represents the VLAN ID/ VFI ID that is to be assigned to untagged frames or priority-tagged or C-VLAN frames received on the port. The PVID is used for port based VLAN type membership classification.

The PVID configuration is used based on the acceptable frame type of the port. The packets are processed against PVID if the packets accepted at ingress are not having tags.

Note:

Only the IDs of the active VLAN can be used as PVIDs in the command.

Note:

This command is applicable only for the port configured as switch port.

Note:

The PVID cannot be configured for the port if the VLAN switching feature is shut down in the switch.

<vlan-id/vfi_id> Integer Enter a value for the VLAN ID / VFI ID. This value ranges from 1 to 65535.
  • <vlan-id> - VLAN ID is a unique value that represents the specific VLAN. This value ranges from 1 to 4094. The default is 1.
  • <vfi-id> - VFI ID is for a VLAN created in the system and ranges from 4096 to 65535.
Note:

The VLAN ID 4095 is reserved and may be used to indicate a wildcard match for the VID in management operations or Filtering Database entries.

Note:

VFI IDs 4096 and 4097 are reserved identifiers used in MPLS PW.

Note:

The theoretical maximum for the maximum number of VFI is 65535 but the actual number of VFI supported is a sizing constant. Based on this, the maximum number of VFI ID accepted in the management interface is restricted. For example if 100 VFIs are supported, the maximum number of VFI supported will be restricted to maximum number of VLANs + 100. An error message is displayed for any value beyond this range.

unicast-mac   Enter to enable / disable unicast-MAC learning for the port.
learning   Enter to enable / disable unicast-MAC learning for the port.

The learning command allows users to enable/disable mac-learning on a specific port with the configured mac-learning count.

There are no changes in the standard MAC learning process. Upon the configuration of port-security, users will be able to specify the maximum number of MAC addresses that may be learned by a port.

When the number of MAC addresses learned exceeds the limit, the entries in excess of the limit will be marked as Drop.

enable   Enter to enable unicast-MAC learning for the port. When Mac Learning is enabled, unicast mac entries will be learnt on this port. Configuration of this object will not get affected by the Global Mac Learning Status. This is the default option.
disable   Enter to disable unicast-MAC learning for the port. When Unicast Mac Learning is disabled, no unicast mac entry will be learnt on this port.
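As an added illustration (not part of the iS5Comm documentation), the following Python model walks constructed Ethernet frames through the ingress rules described above: a frame counts as tagged only when its TPID matches the port's ingress ether-type, acceptable-frame-type decides what is accepted, untagged and priority-tagged frames fall back to the pvid, and ingress-filter checks the resulting VLAN against the port's member set. The port configuration, member set and frames are all constructed for the example.

```python
import struct

# Constructed port configuration mirroring the switchport parameters above.
# 33024 == 0x8100 is the default ingress Ethertype given for <size(1-65535)>.
PORT = {
    "ingress_ethertype": 0x8100,
    "acceptable_frame_type": "all",   # all | tagged | untaggedAndPrioritytagged
    "pvid": 1,
    "ingress_filter": True,
    "member_vlans": {1, 10},          # VLANs that list this port as a member
}

def build_frame(vid=None, pcp=0, tpid=0x8100, payload=b"\x00" * 46):
    """Build a minimal Ethernet frame (constructed test data).
    vid=None gives an untagged frame, vid=0 a priority-tagged frame."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("001094000002")
    if vid is None:
        return dst + src + struct.pack("!H", 0x0800) + payload
    tci = (pcp << 13) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HH", tpid, tci) + struct.pack("!H", 0x0800) + payload

def classify_ingress(frame, port):
    """Return (accepted, vid, reason) for a frame arriving on the port."""
    tpid = struct.unpack("!H", frame[12:14])[0]
    # Only a tag whose TPID equals the port's ingress Ethertype is recognised;
    # any other TPID (e.g. 0x88A8 on a 0x8100 port) is treated as untagged.
    if tpid == port["ingress_ethertype"]:
        vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        kind = "priority-tagged" if vid == 0 else "tagged"
    else:
        vid, kind = None, "untagged"
    aft = port["acceptable_frame_type"]
    if aft == "tagged" and kind != "tagged":
        return False, None, f"{kind} frame rejected (acceptable-frame-type tagged)"
    if aft == "untaggedAndPrioritytagged" and kind == "tagged":
        return False, None, "tagged frame rejected (acceptable-frame-type untaggedAndPrioritytagged)"
    # Tagged frames are processed against their own VID; everything else gets the PVID.
    vid = vid if kind == "tagged" else port["pvid"]
    if port["ingress_filter"] and vid not in port["member_vlans"]:
        return False, vid, f"VLAN {vid} not in member set (ingress-filter)"
    return True, vid, f"{kind} frame classified to VLAN {vid}"
```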

Mode

Interface Configuration Mode (Physical / Port Channel)

Examples

iS5Comm(config)# int port-channel 1

iS5Comm(config-if)# switchport access vlan 3

iS5Comm(config-if)# switchport dot1q ingress ether-type 33024

iS5Comm(config-if)# switchport egress TPID-type vlanbased

iS5Comm(config-if)# switchport encapsulation dot1ad vlan-type tpid1 STAG tpid2 tpid3

iS5Comm(config-if)# switchport filtering-utility-criteria enhanced

iS5Comm(config-if)# switchport ingress-filter

iS5Comm(config-if)# switchport map protocols-group 1 vlan 2

iS5Comm(config-if)# switchport mode access

iS5Comm(config-if)# switchport port-security unicast 00:11:22:33:44:55 vlan 1

iS5Comm(config-if)# switchport port-security violation protect

iS5Comm(config-if)# switchport priority default 5

iS5Comm(config-if)# switchport protected

iS5Comm(config-if)# switchport pvid 1

iS5Comm(config-if)# switchport unicast-mac learning enable

iS5Comm(config-if)# switchport port-security violation recovery automatic recovery-time 150

Enabling Port Security

iS5Comm# config terminal

iS5Comm(config)# int gi 0/7

iS5Comm(config-if)# switchport port-security enable

MAC learning

iS5Comm(config)# int gi 0/17

iS5Comm(config-if)# switchport unicast-mac learning enable mac-limit 3

iS5Comm(config-if)# end

iS5Comm# show mac-address

Vlan Mac Address Type ConnectionId Ports

---- ----------- ---- ----------- -----

1 00:10:94:00:00:02 Learnt Gi0/17

1 00:10:94:00:00:03 Learnt Gi0/17

1 00:10:94:00:00:04 Learnt Gi0/17

1 00:10:94:00:00:05 Drop Gi0/17

1 00:10:94:00:00:06 Drop Gi0/17

Total Mac Addresses displayed: 5

DROP entries after 3 MACs.

Unicast

iS5Comm(config-if)# switchport port-security unicast 12:23:34:34:34:34 vlan 1

The above command allows the user to configure the trusted MAC-address in the VLAN, this will be the only MAC address that will be allowed for this interface.

This is an optional configuration, if the MAC address is not specified, then the first learned MAC addresses will be allowed until the configured limit is reached.

To remove the trusted MAC address from the interface use the following command:

iS5Comm(config-if)# no switchport port-security unicast 12:23:34:34:34:34 vlan 1
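Added example, not part of this documentation: a Python model of the port-security behaviour described above (mac-limit, trusted unicast MACs, the protect/restrict/shutdown violation modes and manual/automatic recovery), replaying the show mac-address output from the MAC learning example. It assumes that shutdown mode takes the port down until recovery, as the recovery parameter describes; the flush-and-relearn behaviour mentioned for restrict is not modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

@dataclass
class PortSecurity:
    """Constructed model of one port's port-security state (assumed behaviour)."""
    mac_limit: int = 3                      # 'unicast-mac learning enable mac-limit N'
    violation: str = "protect"              # protect | restrict | shutdown
    trusted: Set[str] = field(default_factory=set)  # 'port-security unicast <mac> vlan <id>'
    recovery: str = "manual"                # manual | automatic
    recovery_time: int = 5                  # seconds; the page's default is 5
    table: Dict[str, str] = field(default_factory=dict)  # mac -> Static | Learnt | Drop
    violations: int = 0                     # Security Violation counter
    admin_up: bool = True
    down_since: Optional[int] = None

    def __post_init__(self):
        for mac in self.trusted:
            self.table[mac] = "Static"

    def secure_count(self) -> int:
        return sum(1 for kind in self.table.values() if kind != "Drop")

    def ingress(self, src_mac: str, now: int = 0) -> str:
        """Apply port-security to a frame with source src_mac received at time
        'now' (seconds) and return the action taken."""
        if not self.admin_up:
            if self.recovery == "automatic" and now - self.down_since >= self.recovery_time:
                self.admin_up = True        # recovery timer expired: port returns to UP
            else:
                return "dropped: port shut down"
        if self.table.get(src_mac) in ("Static", "Learnt"):
            return "forwarded"
        # With trusted MACs configured only those are allowed; otherwise the first
        # mac_limit learned addresses are allowed (see the 'Unicast' example above).
        if not self.trusted and self.secure_count() < self.mac_limit:
            self.table[src_mac] = "Learnt"
            return "learnt"
        self.table[src_mac] = "Drop"        # entries in excess of the limit are marked Drop
        if self.violation == "protect":
            return "dropped"                # protect: silent drop, counter untouched
        self.violations += 1                # restrict and shutdown count the violation
        if self.violation == "shutdown":
            self.admin_up, self.down_since = False, now
            return "port shut down"
        return "dropped: violation counted"

    def recover_manually(self) -> None:
        """Operator sets the admin status back to UP ('no shutdown')."""
        self.admin_up = True

def mac_limit_demo() -> Dict[str, str]:
    """Replay the page's 'show mac-address' example: limit 3, then two Drop entries."""
    port = PortSecurity(mac_limit=3)
    for i in range(2, 7):
        port.ingress(f"00:10:94:00:00:{i:02x}")
    return port.table
```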