8. Switching Concept

Introduction, Switching Domain, Switch Configuration, Switch Security Management.

Revision

Borderless switched network

  • Hierarchical

    • Access Layer

    • Distribution Layer

    • Core Layer

  • Traffic flow in Switch

    • ingress

    • egress

Switch MAC Table

  • learn from source MAC address

    • source MAC and physical port binding

Types of Switch

  • Fixed

  • Modular

  • Stackable

Switch Environment

  • Collision Domain

  • full-duplex / half-duplex

  • Port density

  • Port speed

  • auto-MDIX

Switch Operation

  • POST

  • load boot loader

  • the boot loader locates and loads a default IOS

  • IOS loads the startup configuration

Switch Remote Management

  • IP address, subnet mask and the default gateway.

Switch Security Management

  • Secure Shell (SSH) - Port 22

  • Configuration

    • Configure the hostname

    • Configure the IP domain name.

    • Generate RSA key pairs

      • A minimum modulus size of 1,024 bits is required.

    • Configure user authentication.

    • Configure the vty lines.

  • enabling SSH version 2

Switch Threat

  • MAC Address Flooding

Port security

  • MAC Addresses

    • Static secure

    • Dynamic secure

    • Sticky secure (save in config file)

  • Maximum number

  • Violation Mode

    • Protect

    • Restrict

    • Shutdown

  • aging time

    • absolute

    • inactivity

Introduction

Layers

Access Layer 接入层 - represents the network edge, where the primary function of an access layer switch is to provide network access to the user.

Distribution Layer 分布层 – the interface between the access layer and the core layer. It provides high availability through redundant distribution layer switches.

Core Layer 核心层 – The network backbone. It connects several layers of the campus network. The core layer serves as the aggregator for all of the other campus blocks and ties the campus together with the rest of the network.

Traffic Flow

  • The decision on how a switch forwards traffic is made based on the flow of that traffic.

    Ingress 入口 - This is used to describe the port where a frame enters the device.

    Egress 出口 - This is used to describe the port that frames will use when leaving the device.

  • A LAN switch forwards traffic based on the ingress port and the destination MAC address of an Ethernet frame.

  • A switch has a MAC address table stored in content addressable memory (CAM) 内容寻址存储器. CAM is a special type of memory used in high-speed searching applications.

Step 1: learn

Examining the Source MAC Address

Every frame that enters a switch is checked for new information to learn. The switch does this by examining the source MAC address of the frame and the port number where the frame entered the switch:

  • If the source MAC address does not exist in the MAC address table, the MAC address and incoming port number are added to the table.

  • If the source MAC address does exist, the switch updates the refresh timer for that entry. By default, most Ethernet switches keep an entry in the table for five minutes.

Step 2: forward

Examining the Destination MAC Address

If the destination MAC address is a unicast address, the switch will look for a match between the destination MAC address of the frame and an entry in its MAC address table:

  • If the destination MAC address is in the table, it will forward the frame out of the specified port.

  • If the destination MAC address is not in the table, the switch will forward the frame out all ports except the incoming port. This is called an unknown unicast.

If the destination MAC address is a broadcast or a multicast, the frame is also flooded out all ports except the incoming port.
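The learn-then-forward logic of Steps 1 and 2, written out as an added Python model (this is example code, not part of the original notes). The switch, port names, MAC addresses and timestamps are all constructed; the five-minute aging timer and the group-address test (least significant bit of the first octet set for broadcast and multicast) are assumptions based on standard Ethernet behaviour.

```python
import time

BROADCAST = "ff:ff:ff:ff:ff:ff"
AGING_SECONDS = 300   # most Ethernet switches keep an entry for five minutes by default


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast MACs have the least significant bit of the first octet set."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


class MacTable:
    """A single-VLAN model of the switch MAC address table: mac -> [port, last_seen]."""

    def __init__(self, ports, aging=AGING_SECONDS):
        self.ports = list(ports)
        self.aging = aging
        self.entries = {}

    def _expire(self, now):
        for mac, (port, seen) in list(self.entries.items()):
            if now - seen > self.aging:
                del self.entries[mac]

    def learn(self, src_mac, ingress, now):
        # Step 1: bind the source MAC to the ingress port (new entry) or refresh its timer (existing entry)
        self.entries[src_mac] = [ingress, now]

    def forward(self, src_mac, dst_mac, ingress, now=None):
        """Return the egress port list for one frame; an empty list means the frame is dropped."""
        now = time.time() if now is None else now
        self._expire(now)
        self.learn(src_mac, ingress, now)
        # Step 2: a known unicast destination goes out exactly one port ...
        if not is_group_address(dst_mac) and dst_mac in self.entries:
            port = self.entries[dst_mac][0]
            return [] if port == ingress else [port]   # destination is on the sender's own segment
        # ... unknown unicast, broadcast and multicast are flooded out every port except the ingress port
        return [p for p in self.ports if p != ingress]


def demo():
    """Constructed traffic on a three-port switch; times are seconds, passed in for determinism."""
    sw = MacTable(ports=["Fa0/1", "Fa0/2", "Fa0/3"])
    a, b, c = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"
    steps = [
        sw.forward(a, b, "Fa0/1", now=0),           # B unknown: unknown unicast, flooded
        sw.forward(b, a, "Fa0/2", now=1),           # A was learned on Fa0/1: single egress port
        sw.forward(a, BROADCAST, "Fa0/1", now=2),   # broadcast: flooded
        sw.forward(c, b, "Fa0/3", now=400),         # B aged out (> 300 s since last seen): flooded again
    ]
    return steps, sorted(sw.entries)
```

The last step is the one worth noticing from a security point of view: any time an entry is missing, whether because it aged out or because it was never learned, the frame is flooded to every other port, which is exactly the behaviour a MAC flooding attack tries to provoke.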

Switch

Fixed Configuration Switches 固定配置交换机

Fixed configuration switches do not support features or options beyond those that originally came with the switch.

Modular Configuration Switches 模块化交换机

Modular configuration switches typically come with different sized chassis that allow for the installation of different numbers of modular line cards.

Stackable Configuration Switches 堆叠式交换机

Stackable configuration switches can be interconnected using a special cable that provides high-bandwidth throughput between the switches.

The stacked switches effectively operate as a single larger switch. Stackable switches are desirable where fault tolerance and bandwidth availability are critical.

A switch stack can consist of up to nine switches connected through their StackWise ports.

One switch called the stack master controls the operation of the stack. Switch stacks are managed using a single IP address. The master contains the saved and running configuration files for the stack and each member has a current copy of these files for backup purposes.

If the master becomes unavailable, there is an automatic process to elect a new master from the remaining stack members. The member with the highest stack-member priority value becomes the master.

Every switch is uniquely identified by its own stack member number. The first number after the interface type is the stack-member number.

Switching Domain

Ethernet switch ports will auto-negotiate full-duplex when the adjacent device can also operate in full-duplex 全双工.

If the switch port is connected to a device operating in half-duplex 半双工, such as a legacy hub, then the switch port will operate in half-duplex.

If an Ethernet switch port is operating in half-duplex, each segment is in its own collision domain 冲突域. There are no collision domains when switch ports are operating in full-duplex.

A collection of interconnected switches forms a single broadcast domain. This broadcast domain is referred to as the MAC broadcast domain. The MAC broadcast domain consists of all devices on the LAN that receive broadcast frames from a host.

Characteristics of switches:

Fast port speeds

  • Most access layer switches support 100 Mbps and 1 Gbps port speeds.

  • Distribution layer switches support 100 Mbps, 1 Gbps, and 10 Gbps port speeds.

  • Core layer and data center switches may support 100 Gbps, 40 Gbps, and 10 Gbps port speeds.

Fast internal switching

  • Switches use a fast internal bus or shared memory to provide high performance.

Large frame buffers

  • Switches use large memory buffers to temporarily store more received frames before having to start dropping them. This enables ingress traffic from a faster port (e.g., 1 Gbps) to be forwarded to a slower (e.g., 100 Mbps) egress port without losing frames.

High port density

  • A high port density switch lowers overall costs because it reduces the number of switches required. For instance, if 96 access ports were required, it would be less expensive to buy two 48-port switches instead of four 24-port switches.

Switch Configuration

Switch Operation

  1. First, the switch loads a power-on self-test (POST) program stored in ROM. POST checks the CPU subsystem. It tests the CPU, DRAM, and the portion of the flash device that makes up the flash file system.

  2. Next, the switch loads the boot loader software. The boot loader is a small program stored in ROM that is run immediately after POST successfully completes. The boot loader performs low-level CPU initialization. It initializes the CPU registers, which control where physical memory is mapped, the quantity of memory, and its speed.

  3. The boot loader initializes the flash file system on the system board.

  4. Finally, the boot loader locates and loads a default IOS operating system software image into memory and gives control of the switch over to the IOS. The IOS operating system then initializes the interfaces using the commands found in the configuration file, startup configuration, which is stored in NVRAM.

Status LED

The switch has several status LED indicator lights.

System LED

  • LED off - System is OFF.

  • LED is green - The system is operating normally.

  • LED is amber - The system is not functioning properly.

Redundant Power System (RPS) LED

Port Status LED

Port Duplex LED

Port Speed LED

Power over Ethernet (PoE) Mode LED

Access boot loader

Step 1. Connect a PC by console cable to the switch console port. Configure terminal emulation software to connect to the switch.

Step 2. Unplug the switch power cord.

Step 3. Reconnect the power cord to the switch and, within 15 seconds, press and hold down the Mode button while the System LED is still flashing green.

Step 4. Continue pressing the Mode button until the System LED turns briefly amber and then solid green; then release the Mode button.

Step 5. The boot loader prompt (switch:) appears in the terminal emulation software on the PC.

Configure Switch

To prepare a switch for remote management access, the switch must be configured with an IP address, subnet mask, and the default gateway.

The switch virtual interface (SVI) should be assigned an IP address.

By default, the switch is configured to have the management of the switch controlled through VLAN 1.

SW1(config)# interface vlan 1
SW1(config-if)# ip address 172.16.1.2 255.255.255.0
SW1(config-if)# no shutdown
SW1(config-if)# exit
SW1(config)# ip default-gateway 172.16.1.1

For security purposes, it is considered a best practice to use a VLAN other than VLAN 1 for the management VLAN.

In order to configure IPv6 on the switch (2960), enter sdm prefer dual-ipv4-and-ipv6 default in global configuration mode and then reload the switch.

Switch ports can be manually configured with specific duplex and speed settings.

The duplex command accepts auto, full, and half.

The speed command accepts the speed in Mbps.

We can enable auto-MDIX on the switch ports. When auto-MDIX is enabled, the interface automatically detects the required cable connection.

SW1(config)# interface FastEthernet 0/1
SW1(config-if)# duplex full
SW1(config-if)# speed 100
SW1(config-if)# mdix auto

Show Configuration

Task                                          IOS Commands

Display interface status and configuration    S1# show interfaces [interface-id]

Display current startup configuration         S1# show startup-config

Display current running configuration         S1# show running-config

Display information about flash file system   S1# show flash

Display system hardware and software status   S1# show version

Display history of commands entered           S1# show history

Display IP information about an interface     S1# show ip interface [interface-id]
                                              S1# show ipv6 interface [interface-id]

Display the MAC address table                 S1# show mac address-table

Switch Security Management

SSH and Telnet

Secure Shell (SSH) is a protocol that provides a secure management connection to a remote device.

Telnet is an older protocol that uses insecure plaintext transmission of both the login authentication (username and password) and the data transmitted between the communicating devices.

SSH provides security for remote connections by providing strong encryption when a device is authenticated (username and password) and also for the transmitted data between the communicating devices.

SSH is assigned to TCP port 22.

Telnet is assigned to TCP port 23.

Configuring SSH

1. Configure the hostname.

Switch(config)# hostname SW1

2. Configure the IP domain name.

SW1(config)# ip domain-name CCNA.com

3. Generate RSA key pairs - A minimum modulus size of 1,024 bits is required.

SW1(config)# crypto key generate rsa
The name for the keys will be: SW1.CCNA.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

4. Configure user authentication. Create a local user account in global configuration mode (example username and password below; choose your own); the vty lines are then told to check this local database with login local.

SW1(config)# username admin secret Str0ngPassw0rd

5. Configure the vty lines.

SW1(config)# line vty 0 15
SW1(config-line)# transport input ssh
SW1(config-line)# login local

Enabling SSH version 2

ip ssh version 2

SW1(config)# ip ssh version 2

show ip ssh

SW1# show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
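An added Python audit script (not part of the original notes) that checks the three settings this page's management section and SSH section care about: whether the management SVI still sits on VLAN 1, whether every vty line is restricted to SSH, and whether SSH version 2 is enforced. The two running-config excerpts are constructed for the example; the parser assumes the usual IOS layout (top-level commands, indented sub-commands under interface and line headers, "!" separators).

```python
import re

# Constructed running-config excerpts (not taken from any real device)
WEAK_CONFIG = """\
hostname SW1
ip domain-name CCNA.com
!
interface Vlan1
 ip address 172.16.1.2 255.255.255.0
 no shutdown
!
ip default-gateway 172.16.1.1
!
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 login local
 transport input ssh
!
"""

HARDENED_CONFIG = """\
hostname SW1
ip domain-name CCNA.com
ip ssh version 2
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan99
 ip address 172.16.99.2 255.255.255.0
 no shutdown
!
ip default-gateway 172.16.99.1
!
line vty 0 15
 login local
 transport input ssh
!
"""


def parse_config(config):
    """Split an IOS config into top-level commands and (header, [sub-commands]) sections."""
    global_cmds, sections, current = [], [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line[0].isspace():                  # indented line belongs to the open section
            if current is not None:
                current[1].append(line.strip())
            continue
        if line.startswith(("interface ", "line ")):
            current = (line, [])
            sections.append(current)
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, sections


def audit_management_config(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    global_cmds, sections = parse_config(config)
    if "ip ssh version 2" not in global_cmds:
        findings.append("SSH version 2 is not enforced (missing 'ip ssh version 2')")
    for header, body in sections:
        if re.fullmatch(r"interface\s+vlan\s*1", header, re.IGNORECASE):
            if any(c.startswith("ip address") for c in body):
                findings.append("management SVI is on VLAN 1; move it to a dedicated management VLAN")
        if header.startswith("line vty"):
            transport = [c for c in body if c.startswith("transport input")]
            if not transport:
                findings.append(f"{header}: no 'transport input' restriction, Telnet may be accepted")
            elif {"telnet", "all"} & set(transport[-1].split()[2:]):
                findings.append(f"{header}: plaintext Telnet allowed ('{transport[-1]}')")
            if not any(c.startswith("login") for c in body):
                findings.append(f"{header}: no login required on the line")
    return findings
```

Run audit_management_config on the output of show running-config; the weak excerpt produces three findings (VLAN 1 management, Telnet on vty 0 4, no SSH version 2 enforcement) and the hardened one none. Note that the RSA modulus size cannot be checked this way, because the key is not shown in the running configuration; use show crypto key mypubkey rsa for that.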

MAC Address Flooding

The MAC address table in a switch contains the MAC addresses associated with each physical port and the associated VLAN for each port.

When a Layer 2 switch receives a frame, the switch looks in the MAC address table for the destination MAC address.

If the MAC address does not exist in the MAC address table, the switch floods the frame out of every port on the switch, except the port where the frame was received.

MAC address tables are limited in size. MAC flooding attacks make use of this limitation to overwhelm the switch with fake source MAC addresses until the switch MAC address table is full (for example, using the macof attack tool).

When this occurs, the switch treats the frame as an unknown unicast and begins to flood all incoming traffic out all ports on the same VLAN without referencing the MAC table.

This condition allows a threat actor to capture all of the frames sent from one host to another on the local LAN or local VLAN.

All switch ports should be secured using port security. Port security limits the number of valid MAC addresses allowed on a port.

By limiting the number of permitted MAC addresses on a port to one, port security can be used to control unauthorized access to the network.

If a port is configured as a secure port and the maximum number of MAC addresses is reached, any additional attempts to connect by unknown MAC addresses will generate a security violation.

A security violation also occurs when an address learned or configured on one secure interface is seen on another secure interface in the same VLAN.
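To make the port security behaviour listed in the revision outline concrete (maximum count, the protect / restrict / shutdown violation modes, sticky addresses, absolute and inactivity aging, and the cross-port violation described just above), here is an added Python model; it is example code, not anything from the original notes or from Cisco. The port names, MAC addresses, timings and the flood of spoofed source addresses are all constructed, and the IOS semantics are simplified assumptions (for instance, static entries are never aged here).

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """One access port with port security enabled (simplified IOS semantics, assumed here)."""
    name: str
    maximum: int = 1               # switchport port-security maximum N
    violation: str = "shutdown"    # protect | restrict | shutdown (shutdown is the IOS default)
    sticky: bool = False           # switchport port-security mac-address sticky
    aging_time: int = 0            # seconds; 0 means no aging (IOS default)
    aging_type: str = "absolute"   # absolute | inactivity
    static: list = field(default_factory=list)   # statically configured secure MACs
    secure: dict = field(default_factory=dict)   # mac -> (learned_at, last_seen)
    violations: int = 0
    err_disabled: bool = False

    def __post_init__(self):
        for mac in self.static:
            self.secure[mac] = (0, 0)

    def _age(self, now):
        if self.aging_time == 0:
            return
        for mac, (learned, seen) in list(self.secure.items()):
            if mac in self.static:
                continue   # static entries are not aged in this model
            reference = learned if self.aging_type == "absolute" else seen
            if now - reference >= self.aging_time:
                del self.secure[mac]

    def violate(self):
        """Apply the configured violation mode and report what happened to the offending frame."""
        if self.violation == "protect":
            return "drop"              # dropped silently: no counter, no syslog message
        self.violations += 1
        if self.violation == "restrict":
            return "drop+log"          # dropped, counter incremented, syslog/SNMP notification
        self.err_disabled = True       # shutdown: port goes err-disabled until an admin recovers it
        return "err-disabled"

    def receive(self, src_mac, now):
        if self.err_disabled:
            return "err-disabled"
        self._age(now)
        if src_mac in self.secure:     # known secure address: refresh the inactivity timer
            self.secure[src_mac] = (self.secure[src_mac][0], now)
            return "forward"
        if len(self.secure) < self.maximum:
            self.secure[src_mac] = (now, now)   # dynamically (or sticky) learned secure address
            return "forward"
        return self.violate()          # maximum reached and the source MAC is unknown

    def sticky_config_lines(self):
        """Sticky addresses are written into the running config and kept by 'copy run start'."""
        if not self.sticky:
            return []
        return [f"switchport port-security mac-address sticky {m}"
                for m in self.secure if m not in self.static]


class PortSecuritySwitch:
    """A MAC secured on one port that shows up on another secure port is also a violation."""

    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}

    def receive(self, port_name, src_mac, now):
        port = self.ports[port_name]
        if port.err_disabled:
            return "err-disabled"
        if any(other is not port and src_mac in other.secure for other in self.ports.values()):
            return port.violate()
        return port.receive(src_mac, now)


def demo():
    """Constructed scenario: three ports, three violation modes, a handful of spoofed source MACs."""
    sw = PortSecuritySwitch([
        SecurePort("Fa0/1", maximum=1, violation="shutdown", sticky=True),
        SecurePort("Fa0/2", maximum=2, violation="restrict"),
        SecurePort("Fa0/3", maximum=1, violation="protect", aging_time=60, aging_type="inactivity"),
    ])
    r = {}
    # Fa0/1: the real host is learned (sticky); the first spoofed MAC err-disables the port
    r["Fa0/1"] = [sw.receive("Fa0/1", m, t) for t, m in enumerate(
        ["00:00:00:aa:aa:01", "00:00:00:de:ad:01", "00:00:00:de:ad:02"])]
    # Fa0/2: two hosts fit, the third MAC is dropped and counted, the legitimate host keeps working
    r["Fa0/2"] = [sw.receive("Fa0/2", m, t) for t, m in enumerate(
        ["00:00:00:bb:bb:01", "00:00:00:bb:bb:02", "00:00:00:de:ad:03", "00:00:00:bb:bb:01"])]
    # Fa0/3: protect drops silently; after 60 s of inactivity the old entry ages out and a new host is learned
    r["Fa0/3"] = [sw.receive("Fa0/3", "00:00:00:cc:cc:01", 0),
                  sw.receive("Fa0/3", "00:00:00:cc:cc:02", 10),
                  sw.receive("Fa0/3", "00:00:00:cc:cc:02", 100)]
    # a MAC secured on Fa0/3 appearing on Fa0/2 is a violation on Fa0/2
    r["moved"] = sw.receive("Fa0/2", "00:00:00:cc:cc:02", 101)
    return r, sw
```

The difference between the modes shows up in what an operator can see afterwards: protect leaves no trace (no counter, no log), restrict keeps the port up but counts and reports every violation, and shutdown takes the port err-disabled so the flood stops entirely but a legitimate host on that port also loses connectivity until the port is recovered. Because a flooded table is what turns the switch into a hub, capping the secure addresses per port at the number of hosts genuinely expected there is the control that defeats the MAC flooding attack described above.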
