Ports

Physical Port Types

  • Console Port: Out-of-band management access using an RJ45 or USB connector

    • Uses RS-232 serial communication (Cisco default 9600 baud, 8 data bits, no parity, 1 stop bit, no flow control)
    • Critical for initial device configuration when no network connectivity exists
    • Works regardless of network configuration errors, but it needs physical access and bypasses every network-based control: protect it with a line password or AAA and with physical security
  • Auxiliary (AUX) Port: Remote out-of-band access via modem connection

    • RJ45 connector supporting dial-up modem attachment
    • Used for remote management when primary network paths fail
    • Considered legacy - rarely implemented on modern equipment; where present, an attached modem is an unmonitored dial-in path, so disable the line if it is not needed
  • Ethernet Ports: Data transmission interfaces with varying speeds

    • FastEthernet (100 Mbps), GigabitEthernet (1 Gbps), 10GigE (10 Gbps)
    • Auto-negotiation determines speed/duplex automatically
    • Full-duplex links carry no collisions (CSMA/CD is disabled), so each switchport is effectively its own collision domain
  • SFP/SFP+ Ports: Small Form-factor Pluggable transceivers for fiber connections

    • Hot-swappable optical/copper interfaces
    • SFP supports up to 1 Gbps, SFP+ supports up to 10 Gbps
    • Enables flexible media types (single-mode, multi-mode fiber)

Logical Port Numbers

  • Well-Known Ports (0-1023): Reserved for system services and protocols

    • On Unix-like systems only root (or a process with CAP_NET_BIND_SERVICE on Linux) can bind them; Windows does not enforce this boundary
    • Examples: HTTP (80), HTTPS (443), SSH (22), Telnet (23)
    • IANA-assigned and globally standardized, but the number is only a convention: any service can listen on any port, so identify a service by its behaviour, not by its port
  • Registered Ports (1024-49151): Assigned to specific applications by IANA

    • Registered on request; the assignment is not enforced by the operating system
    • Examples: MySQL (3306), RDP (3389), PostgreSQL (5432)
  • Dynamic/Private Ports (49152-65535): Ephemeral ports for client connections

    • Automatically assigned by the operating system as the source port of client-initiated sessions
    • 49152-65535 is IANA's recommendation; Linux defaults to 32768-60999 (net.ipv4.ip_local_port_range) while Windows Vista and later use 49152-65535, which matters when writing firewall rules that match on source port

Common Protocol Ports

Protocol       Port   Transport   Purpose
HTTP           80     TCP         Web traffic
HTTPS          443    TCP         Secure web traffic
SSH            22     TCP         Secure remote access
Telnet         23     TCP         Insecure remote access (cleartext)
FTP Control    21     TCP         File transfer control
FTP Data       20     TCP         File transfer data
SMTP           25     TCP         Email transmission
DNS            53     TCP/UDP     Domain name resolution (UDP for queries, TCP for zone transfers and large responses)
DHCP Server    67     UDP         IP address assignment
DHCP Client    68     UDP         IP address requests
TFTP           69     UDP         Trivial file transfer
SNMP           161    UDP         Network management
Syslog         514    UDP         System logging

Telnet, FTP, TFTP, SNMPv1/v2c and UDP syslog carry credentials or data without encryption or authentication; finding any of them listening on a reachable interface is a hardening finding in its own right.
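
The following is an added example, not part of the original notes, that puts the two sections above to work: it parses ss -tulnp style output (the sample lines are constructed; process names and PIDs are made up), labels each listening socket with its IANA range and the service from the table, and flags listeners bound to all interfaces that run one of the cleartext or unauthenticated protocols. The INSECURE remediation text and the WILDCARD_ADDRS set are assumptions made here for illustration.

```python
"""Audit listening sockets against the port ranges and protocol table above.

Added example, not from the original notes. Input is constructed
`ss -tulnp`-style output (iproute2 column layout); the process names and
PIDs are made up.
"""
import re

# Port -> service, taken from the protocol table in the notes.
SERVICES = {
    20: "FTP data", 21: "FTP control", 22: "SSH", 23: "Telnet", 25: "SMTP",
    53: "DNS", 67: "DHCP server", 68: "DHCP client", 69: "TFTP", 80: "HTTP",
    161: "SNMP", 443: "HTTPS", 514: "Syslog",
}

# Protocols that send credentials or data in cleartext or without
# authentication, with the fix a practitioner would apply (assumed wording).
INSECURE = {
    23: "Telnet sends credentials in cleartext: replace with SSH (22)",
    21: "FTP sends credentials in cleartext: use SFTP or FTPS",
    69: "TFTP has no authentication: restrict to the management network",
    161: "SNMPv1/v2c community strings travel in cleartext: require SNMPv3 authPriv",
    514: "Syslog over UDP is unauthenticated and unencrypted: use TLS syslog (TCP 6514)",
}

# Local addresses that mean "listening on every interface".
WILDCARD_ADDRS = {"0.0.0.0", "[::]", "*"}

def port_range(port):
    """IANA range a port number falls into."""
    if 0 <= port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    if port <= 65535:
        return "dynamic/private"
    raise ValueError(f"invalid port {port}")

def needs_privilege_to_bind(port):
    """True if a Unix-like host requires root (or CAP_NET_BIND_SERVICE on
    Linux) to bind the port. Windows does not enforce this boundary."""
    return port_range(port) == "well-known"

_PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')

def parse_ss_line(line):
    """Parse one data line of `ss -tulnp`; None for the header or junk."""
    fields = line.split()
    if len(fields) < 6 or fields[0] not in ("tcp", "udp"):
        return None
    addr, _, port = fields[4].rpartition(":")  # handles [::]:22 and 0.0.0.0:22
    if not port.isdigit():
        return None  # e.g. a '*' port
    m = _PROC_RE.search(line)
    return {
        "proto": fields[0],
        "addr": addr,
        "port": int(port),
        "process": m.group(1) if m else None,
        "pid": int(m.group(2)) if m else None,
    }

def audit(lines):
    """Return one finding dict per listening socket, in input order."""
    findings = []
    for line in lines:
        sock = parse_ss_line(line)
        if sock is None:
            continue
        port = sock["port"]
        sock["service"] = SERVICES.get(port, "not in table")
        sock["range"] = port_range(port)
        sock["exposed"] = sock["addr"] in WILDCARD_ADDRS
        # Loopback-only listeners are not reachable from the network, so only
        # exposed sockets get an issue attached.
        sock["issue"] = INSECURE.get(port) if sock["exposed"] else None
        findings.append(sock)
    return findings

# Constructed sample output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    0.0.0.0:23         0.0.0.0:*         users:(("inetd",pid=640,fd=5))
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*         users:(("snmpd",pid=901,fd=7))
tcp   LISTEN 0      511    127.0.0.1:3306     0.0.0.0:*         users:(("mysqld",pid=1200,fd=21))
udp   UNCONN 0      0      127.0.0.1:514      0.0.0.0:*         users:(("rsyslogd",pid=700,fd=8))
tcp   LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=812,fd=4))
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_SS_OUTPUT.splitlines()):
        flag = "  !! " + f["issue"] if f["issue"] else ""
        print(f'{f["proto"]}/{f["port"]:<5} {f["service"]:<12} {f["range"]:<15} '
              f'{"exposed" if f["exposed"] else "local  "} {f["process"]}{flag}')
```

On a real host, pipe the live output in with ss -tulnp | python3 audit_ports.py after replacing the sample, or feed it a saved capture. The "exposed" gate is deliberate: a cleartext service bound to 127.0.0.1 (the rsyslogd line) is a lower-priority finding than the same service on 0.0.0.0, and the report keeps the two apart.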

Port Security Features

  • Port Security: Limits the MAC addresses allowed on a switchport

    • Maximum MAC addresses configurable (default 1); allowed addresses can be configured statically, learned dynamically, or learned and saved as sticky
    • Violation actions: Protect, Restrict, Shutdown (the default)
    • Protect drops violating frames silently; Restrict drops them, logs/sends an SNMP trap, and increments the violation counter; Shutdown err-disables the port
  • 802.1X: Port-based network access control

    • Three components: Supplicant (client), Authenticator (switch), Authentication Server (RADIUS)
    • Supplicant and switch exchange EAPOL; the switch relays the EAP conversation to the RADIUS server and only opens the port after an Access-Accept
    • Port remains in the unauthorized state until authentication succeeds, so an unknown device plugged into the access layer gets no connectivity
  • DHCP Snooping: Prevents rogue DHCP servers

    • Trusted ports (uplinks toward the legitimate server) may carry DHCP server messages
    • Untrusted ports drop DHCP server messages (OFFER, ACK, NAK) and pass only client messages
    • Builds a binding table of IP-to-MAC-to-port-to-VLAN mappings, which Dynamic ARP Inspection and IP Source Guard also rely on

Vocabulary

  • Transceiver: Device that transmits and receives signals (transmitter + receiver)
  • Hot-swappable: Component can be replaced without powering down system
  • Ephemeral Port: Temporary port number assigned for duration of communication session
  • Err-disable: Cisco state in which the switch automatically shuts down a port after a violation (port security among others); the port stays down until an administrator issues shutdown/no shutdown or errdisable recovery is configured
  • Out-of-band Management: Network management through dedicated channel separate from data network

Port States and Modes

  • Access Mode: Port belongs to a single VLAN

    • Frames are sent and received untagged; tagged frames for other VLANs arriving on an access port are dropped
    • Default mode for end-user device connections
    • The switch tracks the VLAN internally and strips any tag before forwarding to the connected device
  • Trunk Mode: Port carries multiple VLANs

    • Frames tagged with 802.1Q VLAN headers
    • Native VLAN traffic remains untagged (VLAN 1 by default)
    • Used for switch-to-switch and switch-to-router connections
  • Dynamic Desirable: Actively negotiates trunking via DTP

    • Forms a trunk with a neighbor in trunk, desirable, or auto mode
  • Dynamic Auto: Passively responds to DTP negotiation

    • Becomes a trunk only if the neighbor is trunk or desirable; two auto ports stay access
    • Default on many Catalyst switches, so a host that sends crafted DTP frames can negotiate itself a trunk (switch spoofing)
  • Nonegotiate: Disables DTP entirely (security best practice)

    • Stops DTP frames being sent; set it together with an explicit switchport mode access or switchport mode trunk on every port
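
An added example (not part of these notes) that turns the Port Security Features and Port States and Modes guidance into a config audit: it parses a constructed IOS-style running-config (interface names, VLAN numbers and descriptions are made up) and reports access ports lacking port security or 802.1X, trunks that still run DTP or keep native VLAN 1, DHCP snooping trust on access ports, dynamic-mode ports, and enabled ports with no configuration. The rule wording and the sample config are assumptions made here for illustration; the IOS commands matched are the standard ones.

```python
"""Audit switchport hardening in an IOS-style running-config (added example,
not from the original notes). The config below is constructed: interface
names, VLAN numbers and descriptions are made up. The rules encode the
notes' guidance on port security, 802.1X, DTP, native VLAN and DHCP snooping."""

SAMPLE_CONFIG = """\
ip dhcp snooping
!
interface GigabitEthernet1/0/1
 description USER-DESK-101
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 dot1x pae authenticator
 authentication port-control auto
!
interface GigabitEthernet1/0/2
 switchport mode access
!
interface GigabitEthernet1/0/3
 switchport mode access
 switchport port-security
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/4
 switchport mode dynamic auto
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
 switchport access vlan 999
 shutdown
!
interface GigabitEthernet1/0/23
 switchport mode trunk
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/24
 description UPLINK-CORE
 switchport trunk native vlan 999
 switchport mode trunk
 switchport nonegotiate
 ip dhcp snooping trust
!
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its list of stripped sub-commands."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith("!"):
            current = None  # '!' closes the stanza
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
    return interfaces

def _arg(cmds, prefix, default=None):
    # Text after `prefix` on the first matching sub-command, or default.
    return next((c[len(prefix):] for c in cmds if c.startswith(prefix)), default)

def audit_interface(cmds):
    """Findings for one stanza; an empty list means hardened or shut down."""
    if "shutdown" in cmds:
        return []  # administratively down: nothing to enforce
    mode = _arg(cmds, "switchport mode ")
    if mode is None:
        return ["no explicit switchport mode and not shut down: shut unused "
                "ports and park them in an unused VLAN"]
    if mode.startswith("dynamic"):
        return [f"mode '{mode}' negotiates trunking via DTP, so a host sending DTP "
                "can turn this port into a trunk: set mode access or trunk plus nonegotiate"]
    findings = []
    if mode == "access":
        if "switchport port-security" not in cmds:
            findings.append("access port without port security")
        if "dot1x pae authenticator" not in cmds:
            findings.append("access port without an 802.1X authenticator")
        if "ip dhcp snooping trust" in cmds:
            findings.append("DHCP snooping trust on an access port: rogue DHCP offers accepted")
    elif mode == "trunk":
        if "switchport nonegotiate" not in cmds:
            findings.append("trunk still sends DTP: add 'switchport nonegotiate'")
        if _arg(cmds, "switchport trunk native vlan ", "1") == "1":
            findings.append("native VLAN left at 1: move it to an unused VLAN")
    return findings

def audit_config(config):
    """Return {interface or 'global': [findings]} for everything not clean."""
    report = {}
    if "ip dhcp snooping" not in config.splitlines():
        report["global"] = ["DHCP snooping is not enabled globally"]
    for name, cmds in parse_interfaces(config).items():
        findings = audit_interface(cmds)
        if findings:
            report[name] = findings
    return report
```

Run audit_config(SAMPLE_CONFIG) to see the report: GigabitEthernet1/0/1 and 1/0/24 come back clean, the shut-down 1/0/14 is skipped, and the remaining interfaces each carry the specific gap. Feeding in the text of show running-config from a real switch works the same way; the parser only relies on the "interface ..." header, one-space indentation, and the "!" stanza terminator.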


Notes

  • The console port works whatever the running config or the network is doing, so it is always the fallback access method; the line password or AAA on it is part of the config and is cleared by a factory reset, which is also why password recovery requires physical console access
  • Protect mode drops violating frames without logging or incrementing the violation counter (only restrict mode counts them), so it hides problems; prefer restrict or shutdown wherever you need to see violations
  • A native VLAN mismatch between the two ends of a trunk leaks untagged traffic between two VLANs; double-tagging VLAN hopping works when an attacker's access VLAN is the trunk's native VLAN, so give every trunk an unused native VLAN (or tag it with vlan dot1q tag native) and never assign that VLAN to access ports
  • SFP transceivers share a standard form factor but many vendors only accept their own coded modules - verify compatibility before deployment
  • DHCP snooping drops server messages arriving on untrusted ports, so the uplink toward the legitimate DHCP server must be marked trusted or clients stop getting leases
  • Shut down unused ports and move them to an unused VLAN (never a trunk's native VLAN) as part of hardening
  • Use show interfaces status for a quick port overview including speed, duplex, and VLAN assignment
  • Port channels (EtherChannel) aggregate multiple physical ports for increased bandwidth and redundancy
  • Speed/duplex mismatches, typically one side hard-coded and the other auto-negotiating, cause late collisions and CRC errors - leave both sides on auto-negotiation or hard-code both