
- •Warning and Disclaimer
- •Feedback Information
- •Trademark Acknowledgments
- •About the Author
- •About the Technical Reviewers
- •Dedication
- •Acknowledgments
- •Contents at a Glance
- •Contents
- •Icons Used in This Book
- •Command Syntax Conventions
- •Cisco’s Motivation: Certifying Partners
- •Format of the CCNA Exams
- •What’s on the CCNA Exams
- •ICND Exam Topics
- •Cross-Reference Between Exam Topics and Book Parts
- •CCNA Exam Topics
- •INTRO and ICND Course Outlines
- •Objectives and Methods
- •Book Features
- •How This Book Is Organized
- •Part I: LAN Switching
- •Part II: TCP/IP
- •Part III: Wide-Area Networks
- •Part IV: Network Security
- •Part V: Final Preparation
- •Part VI: Appendixes
- •How to Use These Books to Prepare for the CCNA Exam
- •For More Information
- •Part I: LAN Switching
- •“Do I Know This Already?” Quiz
- •Foundation Topics
- •Brief Review of LAN Switching
- •The Forward-Versus-Filter Decision
- •How Switches Learn MAC Addresses
- •Forwarding Unknown Unicasts and Broadcasts
- •LAN Switch Logic Summary
- •Basic Switch Operation
- •Foundation Summary
- •Spanning Tree Protocol
- •“Do I Know This Already?” Quiz
- •Foundation Topics
- •Spanning Tree Protocol
- •What IEEE 802.1d Spanning Tree Does
- •How Spanning Tree Works
- •Electing the Root and Discovering Root Ports and Designated Ports
- •Reacting to Changes in the Network
- •Spanning Tree Protocol Summary
- •Optional STP Features
- •EtherChannel
- •PortFast
- •Rapid Spanning Tree (IEEE 802.1w)
- •RSTP Link and Edge Types
- •RSTP Port States
- •RSTP Port Roles
- •RSTP Convergence
- •Edge-Type Behavior and PortFast
- •Link-Type Shared
- •Link-Type Point-to-Point
- •An Example of Speedy RSTP Convergence
- •Basic STP show Commands
- •Changing STP Port Costs and Bridge Priority
- •Foundation Summary
- •Virtual LANs and Trunking
- •“Do I Know This Already?” Quiz
- •Foundation Topics
- •Review of Virtual LAN Concepts
- •Trunking with ISL and 802.1Q
- •ISL and 802.1Q Compared
- •VLAN Trunking Protocol (VTP)
- •How VTP Works
- •VTP Pruning
- •Foundation Summary
- •Part II: TCP/IP
- •IP Addressing and Subnetting
- •“Do I Know This Already?” Quiz
- •Foundation Topics
- •IP Addressing Review
- •IP Subnetting
- •Analyzing and Interpreting IP Addresses and Subnets
- •Math Operations Used to Answer Subnetting Questions
- •Converting IP Addresses from Decimal to Binary and Back Again
- •The Boolean AND Operation
- •How Many Hosts and How Many Subnets?
- •What Is the Subnet Number, and What Are the IP Addresses in the Subnet?
- •Finding the Subnet Number
- •Finding the Subnet Broadcast Address
- •Finding the Range of Valid IP Addresses in a Subnet
- •Finding the Answers Without Using Binary
- •Easier Math with Easy Masks
- •Which Subnet Masks Meet the Stated Design Requirements?
- •What Are the Other Subnet Numbers?
- •Foundation Summary
- •“Do I Know This Already?” Quiz
- •Foundation Topics
- •Extended ping Command
- •Distance Vector Concepts
- •Distance Vector Loop-Avoidance Features
- •Route Poisoning
- •Split Horizon
- •Split Horizon with Poison Reverse
- •Hold-Down Timer
- •Triggered (Flash) Updates
- •RIP and IGRP
- •IGRP Metrics
- •Examination of RIP and IGRP debug and show Commands
- •Issues When Multiple Routes to the Same Subnet Exist
- •Administrative Distance
- •Foundation Summary
- •“Do I Know This Already?” Quiz
- •Foundation Topics
- •Link-State Routing Protocol and OSPF Concepts
- •Steady-State Operation
- •Loop Avoidance
- •Scaling OSPF Through Hierarchical Design
- •OSPF Areas
- •Stub Areas
- •Summary: Comparing Link-State and OSPF to Distance Vector Protocols
- •Balanced Hybrid Routing Protocol and EIGRP Concepts
- •EIGRP Loop Avoidance
- •EIGRP Summary
- •Foundation Summary
- •“Do I Know This Already?” Quiz
- •Foundation Topics
- •Route Summarization and Variable-Length Subnet Masks
- •Route Summarization Concepts
- •VLSM
- •Route Summarization Strategies
- •Sample “Best” Summary on Seville
- •Sample “Best” Summary on Yosemite
- •Classless Routing Protocols and Classless Routing
- •Classless and Classful Routing Protocols
- •Autosummarization
- •Classful and Classless Routing
- •Default Routes
- •Classless Routing
- •Foundation Summary
- •Advanced TCP/IP Topics
- •“Do I Know This Already?” Quiz
- •Foundation Topics
- •Scaling the IP Address Space for the Internet
- •CIDR
- •Private Addressing
- •Network Address Translation
- •Static NAT
- •Dynamic NAT
- •Overloading NAT with Port Address Translation (PAT)
- •Translating Overlapping Addresses
- •Miscellaneous TCP/IP Topics
- •Internet Control Message Protocol (ICMP)
- •ICMP Echo Request and Echo Reply
- •Destination Unreachable ICMP Message
- •Time Exceeded ICMP Message
- •Redirect ICMP Message
- •Secondary IP Addressing
- •FTP and TFTP
- •TFTP
- •MTU and Fragmentation
- •Foundation Summary
- •Part III: Wide-Area Networks
- •“Do I Know This Already?” Quiz
- •Foundation Topics
- •Review of WAN Basics
- •Physical Components of Point-to-Point Leased Lines
- •Data-Link Protocols for Point-to-Point Leased Lines
- •HDLC and PPP Compared
- •Looped Link Detection
- •Enhanced Error Detection
- •Authentication Over WAN Links
- •PAP and CHAP Authentication
- •Foundation Summary
- •“Do I Know This Already?” Quiz
- •Foundation Topics
- •ISDN Protocols and Design
- •Typical Uses of ISDN
- •ISDN Channels
- •ISDN Protocols
- •ISDN BRI Function Groups and Reference Points
- •ISDN PRI Function Groups and Reference Points
- •BRI and PRI Encoding and Framing
- •PRI Encoding
- •PRI Framing
- •BRI Framing and Encoding
- •DDR Step 1: Routing Packets Out the Interface to Be Dialed
- •DDR Step 2: Determining the Subset of the Packets That Trigger the Dialing Process
- •DDR Step 3: Dialing (Signaling)
- •DDR Step 4: Determining When the Connection Is Terminated
- •ISDN and DDR show and debug Commands
- •Multilink PPP
- •Foundation Summary
- •Frame Relay
- •“Do I Know This Already?” Quiz
- •Foundation Topics
- •Frame Relay Protocols
- •Frame Relay Standards
- •Virtual Circuits
- •LMI and Encapsulation Types
- •DLCI Addressing Details
- •Network Layer Concerns with Frame Relay
- •Layer 3 Addressing with Frame Relay
- •Frame Relay Layer 3 Addressing: One Subnet Containing All Frame Relay DTEs
- •Frame Relay Layer 3 Addressing: One Subnet Per VC
- •Frame Relay Layer 3 Addressing: Hybrid Approach
- •Broadcast Handling
- •Frame Relay Service Interworking
- •A Fully-Meshed Network with One IP Subnet
- •Frame Relay Address Mapping
- •A Partially-Meshed Network with One IP Subnet Per VC
- •A Partially-Meshed Network with Some Fully-Meshed Parts
- •Foundation Summary
- •Part IV: Network Security
- •IP Access Control List Security
- •“Do I Know This Already?” Quiz
- •Foundation Topics
- •Standard IP Access Control Lists
- •IP Standard ACL Concepts
- •Wildcard Masks
- •Standard IP ACL: Example 2
- •Extended IP Access Control Lists
- •Extended IP ACL Concepts
- •Extended IP Access Lists: Example 1
- •Extended IP Access Lists: Example 2
- •Miscellaneous ACL Topics
- •Named IP Access Lists
- •Controlling Telnet Access with ACLs
- •ACL Implementation Considerations
- •Foundation Summary
- •Part V: Final Preparation
- •Final Preparation
- •Suggestions for Final Preparation
- •Preparing for the Exam Experience
- •Final Lab Scenarios
- •Scenario 1
- •Scenario 1, Part A: Planning
- •Solutions to Scenario 1, Part A: Planning
- •Scenario 2
- •Scenario 2, Part A: Planning
- •Solutions to Scenario 2, Part A: Planning
- •Part VI: Appendixes
- •Glossary
- •Answers to the “Do I Know This Already?” Quizzes and Q&A Questions
- •Chapter 1
- •“Do I Know This Already?” Quiz
- •Chapter 2
- •“Do I Know This Already?” Quiz
- •Chapter 3
- •“Do I Know This Already?” Quiz
- •Chapter 4
- •“Do I Know This Already?” Quiz
- •Chapter 5
- •“Do I Know This Already?” Quiz
- •Chapter 6
- •“Do I Know This Already?” Quiz
- •Chapter 7
- •“Do I Know This Already?” Quiz
- •Chapter 8
- •“Do I Know This Already?” Quiz
- •Chapter 9
- •“Do I Know This Already?” Quiz
- •Chapter 10
- •“Do I Know This Already?” Quiz
- •Chapter 11
- •“Do I Know This Already?” Quiz
- •Chapter 12
- •“Do I Know This Already?” Quiz
- •Using the Simulation Software for the Hands-on Exercises
- •Accessing NetSim from the CD
- •Hands-on Exercises Available with NetSim
- •Scenarios
- •Labs
- •Listing of the Hands-on Exercises
- •How You Should Proceed with NetSim
- •Considerations When Using NetSim
- •Routing Protocol Overview
- •Comparing and Contrasting IP Routing Protocols
- •Routing Through the Internet with the Border Gateway Protocol
- •RIP Version 2
- •The Integrated IS-IS Link State Routing Protocol
- •Summary of Interior Routing Protocols
- •Numbering Ports (Interfaces)

14 Chapter 1: LAN Switching Review and Configuring Cisco 2950 LAN Switches
LAN Switch Logic Summary
The following list provides a quick review of the basic logic a switch uses:
1. A frame is received.
2. If the destination is a broadcast or multicast, forward on all ports except the port on which the frame was received.
3. If the destination is a unicast, and the address is not in the address table, forward on all ports except the port on which the frame was received.
4. If the destination is a unicast, and the address is in the address table, and if the associated interface is not the interface on which the frame arrived, forward the frame out the one correct port.
5. Otherwise, filter (do not forward) the frame.
With this brief review of LAN switching concepts, you should now be ready to read the LAN materials for the ICND exam, as covered in the first three chapters of this book.
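As an added example (not from the book), the following Python model implements the five steps above as a learning switch with a bounded MAC table. The port names, MAC addresses and the capacity value are constructed for illustration; the bounded table is an assumption that mirrors the finite CAM table of a real switch.

```python
"""Added example, not from the book: a model of the five-step forwarding logic
above with a MAC table learned from source addresses. Port names, MAC addresses
and the table capacity are constructed for illustration."""
from dataclasses import dataclass, field

BROADCAST = "ffff.ffff.ffff"


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast MACs have the I/G bit (low bit of the first octet) set."""
    first_octet = int(mac.replace(".", "")[:2], 16)
    return bool(first_octet & 0x01)


@dataclass
class Switch:
    ports: list
    capacity: int = 8192                            # size of the MAC (CAM) table, an assumption
    mac_table: dict = field(default_factory=dict)   # source MAC -> port it was last seen on

    def learn(self, mac: str, port: str) -> None:
        """Record the source MAC against its arrival port; a full table learns nothing new."""
        if mac in self.mac_table or len(self.mac_table) < self.capacity:
            self.mac_table[mac] = port

    def receive(self, in_port: str, src: str, dst: str) -> list:
        """Return the list of ports a frame arriving on in_port is sent out of."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        if not is_group_address(src):               # a group address is never a valid source
            self.learn(src, in_port)
        flood = [p for p in self.ports if p != in_port]
        if is_group_address(dst):                   # step 2: broadcast or multicast
            return flood
        out_port = self.mac_table.get(dst)
        if out_port is None:                        # step 3: unknown unicast
            return flood
        if out_port != in_port:                     # step 4: known unicast on another port
            return [out_port]
        return []                                   # step 5: same port as arrival, filter


if __name__ == "__main__":
    sw = Switch(ports=["Fa0/1", "Fa0/2", "Fa0/3"], capacity=3)
    sw.receive("Fa0/1", "0200.1111.1111", BROADCAST)
    print(sw.receive("Fa0/2", "0200.2222.2222", "0200.1111.1111"))   # known unicast: ['Fa0/1']
    print(sw.receive("Fa0/2", "0200.2222.2222", "0200.3333.3333"))   # unknown unicast: ['Fa0/1', 'Fa0/3']
```

The capacity matters for security. Once the table is full, the switch learns nothing new, so frames to hosts that were never learned keep being flooded out every other port (step 3). A host that sends frames with thousands of random source addresses can fill the table deliberately and then read traffic meant for other stations, which is one reason port security limits how many addresses a single port may contribute (the switchport port-security maximum command in Table 1-2).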
Basic Configuration and Operation Commands for the Cisco 2950 Switch
If you know how to navigate a Cisco router, you know how to navigate a Cisco 2950 switch. This chapter covers some of the more common configuration and operational commands in the switch. Chapters 2 and 3 cover some additional commands for STP and VLAN configuration, respectively.
For reference, Table 1-2 lists the switch configuration commands referred to in this section. Table 1-3 lists the commands used for operation and troubleshooting.
Table 1-2 Commands for Catalyst 2950 Switch Configuration

interface vlan 1
    Global command. Moves the user to interface configuration mode for a VLAN interface.
ip address address subnet-mask
    Interface configuration mode command that sets the IP address for in-band switch management.
ip default-gateway address
    Global command that sets the default gateway so that the management interface can be reached from a remote network.
interface fastethernet 0/x
    Puts the user into interface configuration mode for that interface.
duplex {auto | full | half}
    Interface configuration mode command that sets the duplex mode for the interface.
speed {10 | 100 | 1000 | auto | nonegotiate}
    Interface configuration mode command that sets the speed for the interface.
switchport port-security mac-address mac-address
    Interface configuration mode command that statically adds a specific MAC address as an allowed MAC address on the interface.
switchport port-security mac-address sticky
    Interface subcommand that tells the switch to learn MAC addresses on the interface and add them to the configuration for the interface as secure MAC addresses.
switchport port-security maximum value
    Interface subcommand that sets the maximum number of secure MAC addresses (static, sticky, or dynamically learned) allowed on the interface.
switchport port-security violation {protect | restrict | shutdown}
    Interface subcommand that tells the switch what to do if an inappropriate MAC address tries to access the network through a secure switch port.
hostname name
    Sets the switch's host name.
line con 0
    Global command that places the user in console configuration mode.
line vty 0 15
    Global command that places the user in vty configuration mode.
login
    Console or vty configuration mode command that tells the switch to ask for a password for a console user or Telnet user, respectively.
password password
    Console or vty configuration mode command that sets the password required.
enable secret password
    Global command that sets the switch's enable password. The password is stored as a salted MD5 hash (type 5), so someone reading the configuration file does not see the clear-text password.
enable password password
    Global command that sets the switch's enable password in clear text (or in the reversible type 7 form if service password-encryption is configured). The enable secret password is used if both are configured.

Table 1-3 Commands for Catalyst 2950 Switch Operation

configure terminal
    Places the user in configuration mode.
show interface fastethernet 0/x
    Displays the interface status for a physical 10/100 interface.
show interface vlan 1
    Displays the IP address configuration.
show interfaces [interface-id | vlan vlan-id] [description | etherchannel | pruning | stats | status [err-disabled] | switchport | trunk]
    Generic command, with many options, for displaying information about specific interfaces.
show running-config
    Shows the currently active configuration.
show startup-config
    Shows the startup-config, which is used the next time the switch is reloaded.
show mac address-table [aging-time | count | dynamic | static] [address hw-addr] [interface interface-id] [vlan vlan-id]
    Displays the MAC address table. The dynamic option lists only learned entries; the static option lists only static entries, which include the secure addresses configured or learned by port security.
show port-security [interface interface-id] [address]
    Shows information about the port security options configured on an interface, including the violation mode and the violation count.
erase startup-config
    Erases the startup-config file.
show version
    Lists information about the version of software in the switch.
reload
    Re-initializes all software and hardware in the switch.
Basic Switch Operation
You can order a Cisco 2950, take it out of its box, plug it in, and it works! So, rather than starting with configuration, this section begins with a basic examination of switch show commands. Almost every command that helps you look at the status of a switch—or a router, for that matter—starts with the word show, so most people just call troubleshooting commands show commands. Example 1-1 shows the output of several popular show commands on a 2950 switch that has no added configuration.
Example 1-1 Popular show Commands on a 2950 Switch
Switch>
Switch>enable
Switch#show interfaces fastEthernet 0/13
FastEthernet0/13 is up, line protocol is up
  Hardware is Fast Ethernet, address is 000a.b7dc.b78d (bia 000a.b7dc.b78d)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s
  input flow-control is off, output flow-control is off
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:01, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue :0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     20 packets output, 2291 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out
Switch#show interfaces status

Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/1                        notconnect   1            auto   auto 10/100BaseTX
Fa0/2                        notconnect   1            auto   auto 10/100BaseTX
Fa0/3                        notconnect   1            auto   auto 10/100BaseTX
Fa0/4                        notconnect   1            auto   auto 10/100BaseTX
Fa0/5                        connected    1          a-full  a-100 10/100BaseTX
Fa0/6                        notconnect   1            auto   auto 10/100BaseTX
Fa0/7                        notconnect   1            auto   auto 10/100BaseTX
Fa0/8                        connected    1          a-full  a-100 10/100BaseTX
Fa0/9                        notconnect   1            auto   auto 10/100BaseTX
Fa0/10                       notconnect   1            auto   auto 10/100BaseTX
Fa0/11                       notconnect   1            auto   auto 10/100BaseTX
Fa0/12                       notconnect   1            auto   auto 10/100BaseTX
Fa0/13                       connected    1          a-full  a-100 10/100BaseTX
Fa0/14                       notconnect   1            auto   auto 10/100BaseTX
Fa0/15                       notconnect   1            auto   auto 10/100BaseTX
Fa0/16                       notconnect   1            auto   auto 10/100BaseTX
Fa0/17                       notconnect   1            auto   auto 10/100BaseTX
Fa0/18                       notconnect   1            auto   auto 10/100BaseTX
Fa0/19                       notconnect   1            auto   auto 10/100BaseTX
Fa0/20                       notconnect   1            auto   auto 10/100BaseTX
Fa0/21                       notconnect   1            auto   auto 10/100BaseTX
Fa0/22                       notconnect   1            auto   auto 10/100BaseTX
Fa0/23                       notconnect   1            auto   auto 10/100BaseTX
Fa0/24                       notconnect   1            auto   auto 10/100BaseTX
Gi0/1                        notconnect   1            auto   auto unknown
Gi0/2                        notconnect   1            auto   auto unknown
Switch#show mac-address-table dynamic
          Mac Address Table
------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0007.8580.71b8    DYNAMIC     Fa0/5
   1    0007.8580.7208    DYNAMIC     Fa0/8
   1    0007.8580.7312    DYNAMIC     Fa0/13
Total Mac Addresses for this criterion: 3
Switch#
Switch#show running-config
Building configuration...

Current configuration : 1451 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
ip subnet-zero
!
spanning-tree extend system-id
!
interface FastEthernet0/1
 no ip address
interface FastEthernet0/2
 no ip address
interface FastEthernet0/3
 no ip address
interface FastEthernet0/4
 no ip address
interface FastEthernet0/5
 no ip address
interface FastEthernet0/6
 no ip address
interface FastEthernet0/7
 no ip address
interface FastEthernet0/8
 no ip address
interface FastEthernet0/9
 no ip address
interface FastEthernet0/10
 no ip address
interface FastEthernet0/11
 no ip address
interface FastEthernet0/12
 no ip address
interface FastEthernet0/13
 no ip address
interface FastEthernet0/14
 no ip address
!
! (Lines omitted for brevity)
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
ip http server
!
line con 0
line vty 5 15
!
end
Switch#show startup-config
%% Non-volatile configuration memory is not present
Although Example 1-1 is rather long, a few points in it deserve attention.
To begin, the user at the console is immediately placed in user mode, as implied by the command prompt that ends in a >. The switch has no enable password set, so the enable command places the user in enable mode without asking for a password: anyone who can reach the console has full control of the switch. For security reasons alone, you will want to learn enough to be able to do basic configuration in a Cisco switch!
Next, the show interfaces fastethernet 0/13 command lists basic status and configuration information about FastEthernet interface 0/13. That interface's cable connects to a working PC, so the first line of the command output shows a status of "up" and "up." An interface is not operational unless both status words say "up."
A more practical command for looking at all interfaces at once comes next in the example— the show interfaces status command. This command lists the status of each interface in a single line, including the speed and duplex settings negotiated on that interface. In this example, only three working devices are cabled to the switch. You can tell from the command output which interfaces are currently active (0/5, 0/8, and 0/13).
Next, the show mac-address-table dynamic command lists all the dynamically learned entries in the bridging table. (Note: the show mac address-table command performs the same function, so either is valid.) One MAC address has been learned on each of the three interfaces that showed up as “connected” in the show interfaces status command output earlier in the example. The show mac-address-table dynamic command, as seen in the example, shows only the dynamically learned MAC addresses. The show mac-address-table command shows both static and dynamic entries.
Next in the example, the show running-config command lists the default configuration. (The output has been edited slightly to save a little space.) Notice that each interface is listed, as well as an interface called Vlan1. The switch’s management IP address will be configured on that interface, as shown later in this chapter.
The show startup-config command at the very end of the example lists some very interesting output. It says that nothing has been saved! To build this example, I started by erasing the startup-config with the erase startup-config command, and then I reloaded the switch (with the reload command). I did not configure anything, but the switch did indeed come up and start working. Because I had not done a copy running-config startup-config command since erasing the startup-config earlier, nothing has been stored in NVRAM, so the file is empty, as implied by the message shown in the example. Later, after changing the configuration, you would typically want to save the configuration using the copy running-config startup-config command, and the startup-config would then have something in it.
The switch is now up and working. Next you will see some of the more typical basic switch configuration commands.
Typical Basic Administrative Configuration
The switch comes up and works, with all the ports in VLAN 1, without any configuration. However, you typically want to configure something. Example 1-2 shows a typical initial configuration session on a 2950 switch, along with some other commands that point out what the configuration has accomplished.

Basic Configuration and Operation Commands for the Cisco 2950 Switch 21
Example 1-2 Basic Configuration of a 2950 Switch
Switch>enable
Switch#
Switch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#hostname fred
fred(config)#enable secret cisco
fred(config)#line con 0
fred(config-line)#password barney
fred(config-line)#login
fred(config-line)#line vty 0 15
fred(config-line)#password wilma
fred(config-line)#login
fred(config-line)#interface fastethernet0/5
fred(config-if)#speed 100
fred(config-if)#duplex half
fred(config-if)#
00:23:49: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/5, changed state to down
00:23:52: %LINK-3-UPDOWN: Interface FastEthernet0/5, changed state to up
00:23:54: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/5, changed state to up
fred(config-if)#
fred(config-if)#shutdown
fred(config-if)#
00:24:33: %LINK-5-CHANGED: Interface FastEthernet0/5, changed state to administratively down
00:24:34: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/5, changed state to down
fred(config-if)#
fred(config-if)#no shutdown
fred(config-if)#
fred(config-if)#
00:24:42: %LINK-3-UPDOWN: Interface FastEthernet0/5, changed state to up
00:24:45: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/5, changed state to up
fred(config-if)#exit
fred(config)#interface vlan 1
fred(config-if)#ip address 10.1.1.1 255.255.255.0
fred(config-if)#no shutdown
00:25:07: %LINK-3-UPDOWN: Interface Vlan1, changed state to up
00:25:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
fred(config-if)#exit
fred(config)#ip default-gateway 10.1.1.1
fred(config)#^Z
fred#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
fred#show startup-config
Using 1613 out of 393216 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname fred
!
enable secret 5 $1$sgBC$CWUWtIwBJ1G1zedlEIYr5/
!
spanning-tree extend system-id
!
interface FastEthernet0/1
 no ip address
!
interface FastEthernet0/2
 no ip address
!
interface FastEthernet0/3
 no ip address
!
interface FastEthernet0/4
 no ip address
!
interface FastEthernet0/5
 no ip address
 duplex half
 speed 100
!
!
! Lines omitted for brevity
!
interface Vlan1
 ip address 10.1.1.1 255.255.255.0
!
ip classless
ip http server
!
line con 0
 password barney
 login
line vty 0 4
 password wilma
 login
line vty 5 15
 password wilma
 login
!
end
fred#quit

fred con0 is now available

Press RETURN to get started.

User Access Verification

Password:
fred>enable
Password:
fred#
Rather than just listing the configuration commands, this example shows you everything that appears on the screen when you enter the commands in configuration mode.
The example begins with the user logging in to the switch. Because no configuration has been added at this point, the switch does not ask for a console password or an enable password. Next, the user enters configuration mode and sets the switch's name with the hostname fred command. Notice that the command prompt immediately changes to begin with fred, because the prompt starts with the host name. This is more proof that the switch IOS accepts configuration commands immediately, so be careful out there!
Next, the user sets the enable secret password to cisco, the console password to barney, and the vty (Telnet) password to wilma. The login commands tell the switch to require a password at the console and for Telnet sessions, respectively, and the password commands tell it what passwords to expect. Often, the console and Telnet passwords are the same value, because both let you enter user mode; I used two different passwords in the example just to make the point that they can be different.
With this configuration, when a user Telnets to the switch, the switch prompts the user for a password, expecting wilma. Similarly, the switch prompts the user for a password at the console and expects barney. Both methods put the user into user mode. To enter privileged mode, the user uses the enable command and enters the enable secret password of cisco when prompted. (An example of that process at the console is shown at the end of the example.)
NOTE Both the enable secret and enable password commands define the password needed to enter enable mode. If only one of the two is configured, that password is used; if both are configured, the enable secret password is used and the enable password is ignored. Why two commands? The enable password command came first. It stores the password in clear text, or, with service password-encryption, in the type 7 form, which is a simple reversible encoding that freely available tools decode in seconds, so anyone who can read the configuration can recover the password. The enable secret command instead stores a salted MD5 hash of the password (the type 5 string beginning with $1$ in Example 1-2), so the configuration file does not reveal the password. The hash can still be attacked offline by guessing, and MD5 is fast to compute, so choose a long enable secret and treat the configuration file itself as sensitive.
Next, the user issues the interface fastethernet 0/5 command to enter interface configuration mode. While there, the speed and duplex commands tell the switch to use fixed settings rather than autonegotiate. But the PC on the other end of the cable on interface fastethernet 0/5 has already negotiated 100 Mbps, full duplex, and the new settings take effect immediately, so that interface stops working for a short time.
The messages that clutter the example immediately after the speed and duplex changes confirm that interface fastethernet 0/5 was temporarily unusable. The switch issues informational messages when events occur and sends them to the console by default. These messages tell you that the switch brought the interface down when the settings changed and then brought it back up. Because the switch no longer autonegotiates, the PC can only sense the 100-Mbps speed and, following the IEEE autonegotiation rules, falls back to half duplex, so both ends now run at 100 Mbps, half duplex. Had the PC also been configured for fixed full duplex, the result would have been a duplex mismatch: the link still shows up/up, but late collisions and CRC errors grow in the show interfaces counters as traffic increases.
Next, the example just shows the basic operation of the shutdown and no shutdown commands. shutdown puts an interface in a down status administratively so that the interface cannot pass traffic. The no shutdown command brings the interface back up. The example shows the informational messages that tell you that the interface has changed status after each command.
The switch needs an IP address so that an administrator can Telnet to the switch and manage it. The switch also needs to know a default gateway, just as an end-user PC would. The default gateway is the IP address of a router connected to the switch; the switch sends IP packets to that router when the destination is not on the switch's own subnet. Keep in mind that Telnet carries the vty password and every subsequent command across the network in clear text; on IOS images that support it, SSH is the safer way to reach the management address, and the vty lines should be restricted to the management stations that need them.
To configure the IP address, first use the interface vlan 1 command, because the IP address of the 2950 switch is configured on that interface. Next, the ip address command sets the IP address and subnet mask. (IP subnet masks are covered in Chapter 4, "IP Addressing and Subnetting.") Finally, the ip default-gateway command, a global command, sets the default IP gateway for the switch. Note that Example 1-2 uses 10.1.1.1 as both the switch's own address and its default gateway; in a real network the gateway must be the router's address on the 10.1.1.0/24 subnet, not the switch's own address.
Now that the configuration has been changed, you should save the configuration so that it will not be lost when the switch is reloaded. The copy running-config startup-config command does just that, as shown in the example.
Finally, the show startup-config command lists the newly stored startup configuration. Remember, the show startup-config command at the end of Example 1-1 implied that the startup-config was empty; now the startup-config holds a configuration that will be used at the switch's next reload. The show startup-config output includes the configuration commands added earlier in the example.
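The enable secret discussion above and the console and vty passwords in Example 1-2 give a checklist of what to look for in a switch configuration. As an added example (not from the book), the following Python audit runs that checklist over running-config text. The two configurations embedded in it are constructed: the first follows Example 1-2, the second is a hardened variant that uses login local with a username and secret, disables the HTTP server, and allows only SSH on the vty lines. The check names and the audit function are my own, not an IOS feature.

```python
"""Added example, not from the book: audit IOS running-config text for the
management-plane weaknesses discussed in this chapter. Both sample configs are
constructed (the first follows Example 1-2); the check names are my own."""
import re

SAMPLE_CONFIG = """\
hostname fred
!
enable secret 5 $1$sgBC$CWUWtIwBJ1G1zedlEIYr5/
!
ip classless
ip http server
!
line con 0
 password barney
 login
line vty 0 4
 password wilma
 login
line vty 5 15
 password wilma
 login
!
end
"""

HARDENED_CONFIG = """\
hostname fred
service password-encryption
username admin secret 5 $1$sgBC$CWUWtIwBJ1G1zedlEIYr5/
enable secret 5 $1$sgBC$CWUWtIwBJ1G1zedlEIYr5/
no ip http server
line con 0
 login local
line vty 0 15
 login local
 transport input ssh
end
"""


def line_sections(config: str) -> dict:
    """Map each 'line con/vty ...' command to the list of its indented subcommands."""
    sections, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = None          # '!' or any other global line ends the section
    return sections


def audit(config: str) -> list:
    """Return (check_id, detail) pairs for every weak setting found; empty means clean."""
    findings = []
    if not re.search(r"^enable secret ", config, re.M):
        findings.append(("no-enable-secret", "enable mode has no hashed password"))
    if re.search(r"^enable password ", config, re.M):
        findings.append(("enable-password", "enable password is stored reversibly; remove it"))
    if re.search(r"^ip http server$", config, re.M):
        findings.append(("http-server", "web management is enabled on the switch"))
    for name, cmds in line_sections(config).items():
        is_vty = name.startswith("line vty")
        has_pw = any(c.startswith("password ") for c in cmds)
        if is_vty and not any(c == "login" or c.startswith("login ") for c in cmds):
            findings.append(("vty-no-login", f"{name}: sessions reach user mode with no password"))
        if "login" in cmds and not has_pw:
            findings.append(("login-no-password", f"{name}: 'login' set but no password; logins are refused"))
        for c in cmds:
            m = re.match(r"password (?:(\d+) )?\S+$", c)   # 'password X' or 'password 7 X'
            if m and m.group(1) in (None, "0"):
                findings.append(("cleartext-line-password", f"{name}: password stored in clear text"))
            elif m and m.group(1) == "7":
                findings.append(("type7-line-password", f"{name}: type 7 password is trivially reversible"))
        if is_vty:
            transport = [c for c in cmds if c.startswith("transport input")]
            if not transport or any("telnet" in t or t.endswith(" all") for t in transport):
                findings.append(("vty-telnet", f"{name}: Telnet accepted; passwords cross the network in clear text"))
    return findings


if __name__ == "__main__":
    for check, detail in audit(SAMPLE_CONFIG):
        print(f"{check:26} {detail}")
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

The audit is deliberately conservative: a vty line without any transport input command is reported, because the default accepts Telnet, and a line password is reported even when service password-encryption is on, because type 7 only hides the password from someone glancing over your shoulder, not from anyone who has the file.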
Port Security Configuration
The last major topic for this chapter revolves around something Cisco calls port security. Because the network engineer knows what devices should be cabled and connected to particular interfaces on a switch, the engineer can restrict that interface so that only the expected devices can use it. If the wrong device attempts to use the interface, the switch can issue informational messages, discard frames from that device, or even shut down the interface.
To configure port security, you need to configure several things. You enable port security with the switchport port-security interface subcommand. The 2950 IOS allows port security only on access ports, not on trunks or on ports whose mode is negotiated dynamically, so you first designate the interface as an access port with the switchport mode access command. Then you can statically configure the allowed MAC addresses with the switchport port-security mac-address mac-address command, or let the switch learn and record them with the switchport port-security mac-address sticky command.
For example, in Figure 1-3, Server 1 and Server 2 are the only devices that should ever be connected to interfaces Fastethernet 0/1 and 0/2, respectively. You can use port security to ensure that only those MAC addresses connect to those ports, as shown in Example 1-3.
Figure 1-3 Port Security Configuration Example
[Diagram not reproduced. Labels recoverable from the figure: a 2950 switch with interfaces Fa0/1 (Server 1), Fa0/2 (Payroll Server), Fa0/3 (Company Comptroller), and Fa0/4 (User1); the MAC addresses shown are 0200.1111.1111 and 0200.2222.2222.]

26 Chapter 1: LAN Switching Review and Configuring Cisco 2950 LAN Switches
Example 1-3 Using Port Security to Define Correct MAC Addresses of Particular Interfaces
Fred#show running-config
(Lines omitted for brevity)
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0200.1111.1111
 no ip address
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 no ip address
fred#show port-security interface fastEthernet 0/1
Port Security : Enabled
Port status : Err-Disabled
Violation mode : Shutdown
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Aging time : 0 mins
Aging type : Absolute
SecureStatic address aging : Disabled
Security Violation count : 1
fred#show port-security interface fastEthernet 0/2
Port Security : Enabled
Port status : SecureUp
Violation mode : Shutdown
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Aging time : 0 mins
Aging type : Absolute
SecureStatic address aging : Disabled
Security Violation count : 0
Fred#show running-config
(Lines omitted for brevity)
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0200.2222.2222
 no ip address
This example uses two styles of port security configuration. For fastethernet 0/1, Server 1’s MAC address is configured with the switchport port-security mac-address 0200.1111.1111 command. For port security to work, the 2950 must think that the interface is an access interface rather than a trunk interface, so the switchport mode access command is required.
And to enable port security on the interface, the switchport port-security command is required. Together, these three interface subcommands enable port security, and only MAC address 0200.1111.1111 is allowed to use the interface.
Port security uses a default of a single allowed MAC address per interface; you can configure up to 132 per interface using the switchport port-security maximum command. Also, by default, the action taken if a different MAC address tries to use the interface is to shut down the interface. You can change that default action using the switchport port-security violation command.
Interface fastethernet 0/2 uses a feature called sticky secure MAC addresses. The configuration still includes the switchport mode access and switchport port-security commands for the same reasons as on fastethernet 0/1. However, the switchport port-security mac-address sticky command tells the switch to learn the MAC address from the first frame sent into the switch, and then add the MAC address as a secure MAC to the running configuration. In other words, the first MAC address seen “sticks” to the configuration. So the engineer does not have to know the MAC address of the device connected to the interface ahead of time.
As it turns out, a security violation has occurred on fastethernet 0/1, while all is well on fastethernet 0/2. The show port-security interface fastethernet 0/1 command shows that the interface is in an err-disabled state, which means that the interface has been disabled. The device connected to interface fastethernet 0/1 does not use MAC address 0200.1111.1111, so the switch receives a frame in that interface from a different MAC and takes the interface out of service.
For interface fastethernet 0/2, the interface is in “secureup” state as far as the port security feature is concerned. Notice that in the final portion of the show running-config output, Server 2’s MAC address (0200.2222.2222) has been learned and added to the running configuration in the command switchport port-security mac-address sticky 0200.2222.2222. If you wanted to save the configuration so that only 0200.2222.2222 is used on that interface from now on, you would simply need to use the copy running-config startup-config command to save the configuration.
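The two pieces of output in Example 1-3 are exactly what an operator would collect when auditing port security across many switches: the interface blocks of show running-config (is port security enabled, and which MAC is pinned?) and the show port-security interface output (has anything tripped the violation counter, and is a port err-disabled?). The following Python script is an added example, not from the book or from Cisco, that performs both checks offline over captured text. The command output it parses is constructed to mirror Example 1-3 (with a hypothetical third access port, FastEthernet0/3, that has no port security), and the EXPECTED table of port-to-MAC assignments is a hypothetical inventory.

```python
"""Added example (not from the book): audit 2950-style port-security state
offline, from captured 'show running-config' and 'show port-security
interface' text. All sample text and the EXPECTED table are constructed."""
import re

# Constructed sample mirroring Example 1-3, plus a hypothetical Fa0/3
# access port on which port security was never enabled.
RUNNING_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0200.1111.1111
 no ip address
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0200.2222.2222
 no ip address
!
interface FastEthernet0/3
 switchport mode access
 no ip address
!
"""

# Constructed sample of 'show port-security interface' for two ports.
SHOW_PORT_SECURITY = {
    "FastEthernet0/1": """\
Port Security : Enabled
Port status : Err-Disabled
Violation mode : Shutdown
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Security Violation count : 1
""",
    "FastEthernet0/2": """\
Port Security : Enabled
Port status : SecureUp
Violation mode : Shutdown
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Security Violation count : 0
""",
}

# Hypothetical inventory: which MAC is supposed to sit behind each port.
EXPECTED = {
    "FastEthernet0/1": "0200.1111.1111",
    "FastEthernet0/2": "0200.2222.2222",
    "FastEthernet0/3": "0200.3333.3333",
}

# Matches both static and learned-sticky secure MAC subcommands.
MAC_RE = re.compile(
    r"^switchport port-security mac-address (?:sticky )?"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})$")


def parse_interfaces(running_config):
    """Split running-config into {interface name: [subcommands]}."""
    interfaces, current = {}, None
    for line in running_config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        elif line.strip() == "!":
            current = None
    return interfaces


def audit_config(running_config, expected):
    """Return (interface, finding) pairs for access ports that lack port
    security or do not secure the MAC the inventory says they should."""
    findings = []
    for intf, subs in parse_interfaces(running_config).items():
        if "switchport mode access" not in subs:
            continue  # trunks/uplinks are outside port security's scope
        if "switchport port-security" not in subs:
            findings.append((intf, "port-security not enabled"))
            continue
        macs = {m.group(1) for m in map(MAC_RE.match, subs) if m}
        want = expected.get(intf)
        if want and want not in macs:
            findings.append((intf, f"expected MAC {want} not secured; "
                                   f"found {sorted(macs) or 'none'}"))
    return findings


def parse_show_port_security(text):
    """Turn 'Key : Value' lines into a dict, converting counters to int."""
    out = {}
    for line in text.splitlines():
        if " : " in line:
            key, val = (p.strip() for p in line.split(" : ", 1))
            out[key] = int(val) if val.isdigit() else val
    return out


def audit_status(show_outputs):
    """Flag ports with a nonzero violation count or in Err-Disabled state."""
    alerts = []
    for intf, text in show_outputs.items():
        st = parse_show_port_security(text)
        violations = st.get("Security Violation count", 0)
        if violations > 0 or st.get("Port status") == "Err-Disabled":
            alerts.append((intf, st.get("Port status"), violations))
    return alerts


if __name__ == "__main__":
    for f in audit_config(RUNNING_CONFIG, EXPECTED):
        print("CONFIG:", *f)
    for a in audit_status(SHOW_PORT_SECURITY):
        print("STATUS:", *a)
```

Run against the sample, the config audit reports only FastEthernet0/3 (access port, no port security), and the status audit reports FastEthernet0/1 as Err-Disabled with one violation, which is the condition the text describes. Treating a sticky-learned MAC as satisfying the inventory check is a deliberate choice: it lets the same audit cover both configuration styles in Example 1-3, but it also means a sticky port that learned the wrong device first will only be caught once the inventory entry is compared, so the EXPECTED table is the control, not the switch.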