Lan Switching and Security


8/4/2019 Lan Switching and Security

LAN Switching

Ethernet switches are used in a LAN to create Ethernet networks. Switches forward traffic on the basis of MAC address. A switch maintains a MAC address table in which MAC addresses and port numbers are used to make the switching decision. The working of a bridge and a switch is similar.

Classification of switches

Switches are classified according to the following criteria:

Types of switches based on working

(1) Store & Forward
This switch receives the entire frame, then performs error checking and starts forwarding data to the destination.

(2) Cut through
This switch starts forwarding the frame as soon as the first six bytes of the frame are received.

(3) Fragment-free
This switch receives the first 64 bytes of the frame, performs error checking and then starts forwarding data.

(4) Adaptive cut-through
It changes its mode according to conditions. If it sees errors in many frames, it changes from Cut through or Fragment-free to Store & Forward mode.

Types of switches based on management

(1) Manageable switches
(2) Non-manageable switches
(3) Semi-manageable switches

Types of switches based on OSI layer

(1) Layer 2 switches (only switching)
(2) Layer 3 switches (switching & routing)

Types of switches based on command mode (only in Cisco)

(1) IOS based
(2) CLI based

Types of switches based on hierarchical model

(1) Core layer switches
(2) Distribution layer switches
(3) Access layer switches


Qualities of a switch

- Number of ports
- Speed of ports
- Type of media
- Switching speed, wire speed or throughput

Basic Switch Administration

IOS based switches are similar to routers. We can perform the following functions on switches in the same manner as on a router:

(1) Access the switch using the console
(2) Commands to enter & exit from different modes
(3) Commands to configure passwords
(4) Manage configuration
(5) Backup IOS and configuration
(6) Configuring and resolving hostnames
(7) Managing telnet
(8) Configuring CDP
(9) Configuring the time clock
(10) Configuring banners
(11) Command line shortcuts and editing shortcuts
(12) Managing history
(13) Configure logging
(14) Boot system commands

The following functions and options differ between router and switch:

(1) Default hostname is Switch
(2) Auxiliary port is not present
(3) VTY ports are mostly 0 to 15
(4) By default interfaces are enabled
(5) IP address cannot be assigned to interfaces
(6) Routing configuration mode is not present
(7) Interface numbering starts from 1
(8) Web access is enabled by default
(9) Configuration register is not present in the same manner
(10) Flash memory may contain multiple files, and the startup configuration is also saved in flash

Configuring IP and Gateway on a switch

We can configure an IP address on a switch for web access or telnet; an IP address is required for administration of the switch. If we have to access the switch from a remote network, then we will configure a default gateway in addition to the IP address.

The IP address is assigned to the logical interface of the switch with the following commands:

Switch(config)#interface vlan 1
Switch(config-if)#ip address
Switch(config-if)#no sh
Switch(config-if)#exit


Old Switches

Switch(config)#ip address
Switch(config)#exit

Configuring Gateway

Switch(config)#ip default-gateway
Switch(config)#exit

Breaking Switch Password

(1) Power off the switch, press the mode button present on the front of the switch, then power on the switch.
(2) Keep the mode button pressed until the Switch: prompt appears on the console.
(3) In switch monitor mode, type the following commands:

flash_init
load_helper
rename flash:config.text flash:
dir flash:
boot

(4) After booting, the switch will prompt to enter the initial configuration dialog. Enter no here and type:

Switch>enable
Switch#rename flash: flash:config.text
Switch#configure memory

Change the password and save the config. Then copy run start (copy running-config startup-config).

Cisco Hierarchical Model

When we want to create a large LAN, we may face the following problems if we design the network in a flat model:

(1) High latency
(2) Congestion between switches
(3) Large broadcast domain

The Cisco hierarchical model recommends a three-layer design of the network:

(i) Core layer
(ii) Distribution layer
(iii) Access layer

On each layer there are some rules which we have to follow:

(1) Highest performance devices are connected at the Core layer
(2) Resources should be placed at the Core layer
(3) Policies should not be applied at the Core layer
(4) At the Distribution layer, we can implement policies
(5) Distribution and Core devices should be connected with high-speed links
(6) Access layer devices are basic devices and may be non-manageable


(Figure: Hierarchical model, showing the Core layer, Distribution layer and Access layer)

After using the hierarchical model, most LAN problems will be solved, but one problem still remains: all PCs will be in a single broadcast domain. We have to implement one of the following solutions for this problem:

(1) Physical Segmentation
(2) Logical Segmentation
    VLAN
    Trunking
    VTP
    Inter VLAN
    Pruning

Logical Segmentation of Network

To perform logical segmentation, we have to create VLANs in the network. With the help of VLANs, we can logically divide the broadcast domain of the network.

VLAN (Virtual LAN)


VLANs provide virtual segmentation of the broadcast domain in the network. Devices which are members of the same VLAN are able to communicate with each other. Devices in different VLANs may communicate with each other through routing, so different VLANs will use different network addresses. VLANs provide the following advantages:

(1) Logical segmentation of the network
(2) Enhanced network security

Creating port based VLAN

In a port based VLAN, first we have to create a VLAN on a manageable switch, then we have to add ports to the VLAN.

Commands to create a VLAN

Switch#config ter
Switch(config)#vlan  [name ]   (name is optional)
Switch(config)#exit

Or

Switch#vlan database
Switch(vlan)#vlan  [name ]
Switch(vlan)#exit

Commands to configure ports for a VLAN

By default, all ports are members of a single VLAN, VLAN 1. We can change VLAN membership according to our requirement.

Switch#conf ter
Switch(config)#interface
Switch(config-if)#switchport access vlan
Switch(config-if)#exit

Commands to configure multiple ports in a VLAN

Switch#conf ter
Switch(config)#interface range
Switch(config-if-range)#switchport access vlan
Switch(config-if-range)#exit

Example: Suppose we want to add interfaces FastEthernet 0/10 to 0/18 to VLAN 5

Switch#config ter
Switch(config)#interface range fastethernet 0/10 - 18
Switch(config-if-range)#switchport access vlan 5
Switch(config-if-range)#exit


In 1900 & compatible switches

Switch#config ter
Switch(config)#interface
Switch(config-if)#vlan-membership static
Switch(config-if)#exit

To disable web access on the switch

Switch#config ter
Switch(config)#no ip http server

To display the MAC address table

Switch#sh mac-address-table
Vlan   Mac address          Type      Ports
20     00-08-a16-ab-6a-7b   dynamic   fa0/7

To display VLANs and port membership

Switch#sh vlan

Trunking

When there are multiple switches, we have to use trunk links to connect one switch with another. If we are not using trunk links, then we have to connect one cable from each VLAN to the corresponding VLAN of the other switch.

(Figure: Normal, one link per VLAN (VLANs 1, 3, 7) between two switches; In Trunking, a single trunk link carries VLANs 1, 3, 7)

Switches perform trunking with the help of frame tagging. The trunk port sends data frames by adding VLAN id information to the frame; at the receiving end the VLAN id information is removed and, according to the tag, the data is delivered to the corresponding VLAN. There are two protocols to perform frame tagging:

(1) Inter Switch Link (ISL, Cisco proprietary)
(2) IEEE 802.1Q
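The frame tagging described above, as an added Python example that is not part of the original notes: it inserts, parses and strips an IEEE 802.1Q tag on a constructed Ethernet frame, so the VLAN id a trunk port adds on egress and the receiving switch removes can be checked byte by byte.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


def mac_str(raw: bytes) -> str:
    """Render six raw bytes as aa:bb:cc:dd:ee:ff."""
    return ":".join(f"{b:02x}" for b in raw)


def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag after the source MAC, as a trunk port does on egress."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN id must be in 1..4094")
    tci = ((pcp & 0x7) << 13) | vid  # TCI = PCP(3 bits) | DEI(1 bit, 0) | VID(12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_frame(frame: bytes) -> dict:
    """Return MACs, VLAN id/priority (None when untagged) and the payload EtherType."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vid, pcp, offset = None, None, 14
    if ethertype == TPID_8021Q and len(frame) >= 18:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, pcp, offset = tci & 0x0FFF, tci >> 13, 18
    return {"dst": mac_str(frame[0:6]), "src": mac_str(frame[6:12]),
            "vid": vid, "pcp": pcp, "ethertype": ethertype,
            "payload": frame[offset:]}


def untag_frame(frame: bytes) -> bytes:
    """Strip the 4-byte tag before the frame is delivered to an access port."""
    if parse_frame(frame)["vid"] is None:
        return frame
    return frame[:12] + frame[16:]


# Constructed sample: a broadcast IPv4 frame from host 00:11:22:33:44:55 (untagged).
UNTAGGED = (bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
            + struct.pack("!H", 0x0800) + b"payload")

if __name__ == "__main__":
    tagged = tag_frame(UNTAGGED, vid=5)
    print(parse_frame(tagged))            # vid 5, ethertype 0x0800
    print(untag_frame(tagged) == UNTAGGED)  # True
```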

Configuring Trunking

In Cisco switches all switch ports may be configured in three modes:

(1) Trunk desirable (default)
(2) Trunk on
(3) Trunk off

Switch#conf ter
Switch(config)#interface
Switch(config-if)#switchport mode   (on | off | desirable)
Switch(config-if)#exit

To configure VLANs allowed on a Trunk

By default all VLANs are allowed on a trunk port. We can add/remove a particular VLAN from a trunk port with the following command:

Switch#config ter
Switch(config)#interface
Switch(config-if)#switchport trunk allowed vlan all   (all | add | remove | except)

To display trunk interfaces

Switch#sh interface trunk

VLAN Trunking Protocol (VTP)

With the help of VTP, we can simplify the process of creating VLANs. With multiple switches, we can configure one switch as VTP server and all other switches as VTP clients. We create VLANs on the VTP server switch. The server sends periodic updates to the VTP client switches. The clients create VLANs from the updates received from the VTP server.

VTP server

A VTP server is a switch on which we can create, delete or modify VLANs. The server sends periodic updates to the VTP clients.

VTP client

On a VTP client, we are not able to create, modify or delete VLANs. The client receives and forwards VTP updates. The client creates the same VLANs as defined in the VTP update.


VTP Transparent

A transparent switch receives and forwards VTP updates. It is able to create, delete and modify VLANs locally. A transparent switch does not send its own VTP updates and does not learn any information from received VTP updates.

Commands

Switch#conf ter
Switch(config)#vtp domain
Switch(config)#vtp password
Switch(config)#vtp mode
Switch(config)#exit

By default in Cisco switches the VTP mode is set to VTP server with no domain and no password.

To display VTP status

Switch#sh vtp status

VTP Pruning

Pruning is the VTP feature through which a trunk link can be automatically disabled for a particular VLAN if the neighbor switch does not contain ports in that VLAN. VLAN 1 is not prune eligible.

Command to configure VTP Pruning

We have to use only one command, on the VTP server, for VTP pruning.

Switch#conf ter
Switch(config)#vtp pruning
Switch(config)#exit


Inter VLAN Communication

After creating VLANs, each VLAN has its own broadcast domain. If we want communication from one VLAN to another VLAN, then we need to perform routing. There are three methods for inter VLAN communication:

(1) Inter VLAN using a multi-interface router
(2) Inter VLAN using the router on a stick method
(3) Inter VLAN using a layer 3 switch

1751 and 2621 routers support VLANs.

(1) Inter VLAN using a multi-interface router

In this case, we have to connect one interface of the router in each VLAN. This interface acts as the gateway for the corresponding VLAN. Each VLAN has to use different network addresses. Data from one VLAN to another VLAN travels through the router.

(Figure: router with interfaces E0, E1 and E2, one connected into each of VLAN 1, 3 and 5)

Vlan      1           3           5
N/w       10.x.x.x    11.x.x.x    12.x.x.x
Gateway   10.0.0.1    11.0.0.1    12.0.0.1

(2) Inter VLAN using the router on a stick method

In this method a special router is used for inter VLAN routing. On this router, we can create one interface for each VLAN. The physical interface of the router is connected to a trunk port of the switch. This router routes traffic on the same interface by swapping the VLAN id information with the help of the frame tagging protocol.

Fa 0/0.1   10.0.0.1 -> Vlan1
Fa 0/0.2   11.0.0.1 -> Vlan3
Fa 0/0.3   12.0.0.1 -> Vlan5

(Figure: router interface Fa 0/0 connected by a trunk to switches whose trunk links (T) carry VLANs 1, 3, 5)

Vlan      1           3           5
N/w       10.x.x.x    11.x.x.x    12.x.x.x
Gateway   10.0.0.1    11.0.0.1    12.0.0.1

Configuration on Router

Router#config ter
Router(config)#interface fastethernet 0/0
Router(config-if)#no ip address
Router(config-if)#no sh
Router(config-if)#exit
Router(config)#interface fastethernet 0/0.1
Router(config-subif)#encapsulation dot1q 1
Router(config-subif)#ip address 10.0.0.1 255.0.0.0
Router(config-subif)#no sh
Router(config-subif)#exit
Router(config)#interface fastethernet 0/0.2
Router(config-subif)#encapsulation dot1q 3
Router(config-subif)#ip address 11.0.0.1 255.0.0.0
Router(config-subif)#no sh
Router(config-subif)#exit
Router(config)#interface fastethernet 0/0.3
Router(config-subif)#encapsulation dot1q 5
Router(config-subif)#ip address 12.0.0.1 255.0.0.0
Router(config-subif)#no sh
Router(config-subif)#exit

Configuration on Core switch

(1) Configure the switch as VTP server
(2) Create VLANs
(3) Configure the interface connected to the router as Trunk
(4) Configure interfaces connected to other switches as trunk (if required)

Configuration on Distribution layer switches

(1) Configure the switch as VTP client
(2) Configure required interfaces as Trunk (optional)
(3) Add ports to VLANs

Configuration on PC

Configure IP and Gateway

Spanning Tree Protocol

When we connect multiple switches with each other and multiple paths exist from one switch to another switch, it may lead to a switching loop in the network. Multiple paths are used to create redundancy in the network. STP is only required when multiple paths exist, because then there is the possibility of a loop in the network.

Problems that occur with redundant paths

(1) Multiple copies of the frame will be received by the destination.
(2) Frequent changes in the MAC address table of the switch.
(3) A MAC address may appear at multiple ports in a switch.
(4) Packets may enter an endless loop.

Spanning Tree Protocol solves this problem by blocking the redundant interface, so that only one path remains active between the switches. If the primary path goes down, then the disabled link becomes enabled and data is transferred through that path.

Working of STP

STP creates a topology database in which one switch is elected as the Root switch. Path cost is calculated on the basis of bandwidth. The lowest path cost link will be in enabled mode and the other path will be disabled.

(Figure: three switches connected by 1 Gb and 100 Mb links; the lowest cost path stays active and the redundant link is disabled)

STP terminology

(1) Bridge id
It is the combination of the bridge priority and the base MAC address. In Cisco switches the default priority number is 32768.

(2) Root Bridge
The bridge/switch with the lowest Bridge id becomes the Root Bridge. The Root Bridge is used as the center point for calculating path cost in the topology.

(3) BPDU (Bridge Protocol Data Unit)
It is the STP information which is exchanged between the switches to create the topology and perform path selection.

(4) STP port modes
When STP is enabled, a port may be in one of the following modes:
(i) Listening: in this mode a port will send/receive BPDUs.
(ii) Learning: the port learns the MAC address table.
(iii) Forwarding: the port forwards data based on the MAC address table.
(iv) Blocking: the port is blocked from sending/receiving data by Spanning Tree Protocol.
(v) Disabled: the port is administratively disabled.

Path cost calculation

Links between switches are enabled or disabled on the basis of path cost. The path cost for each link is calculated according to the following table.

Speed     Old IEEE cost   New IEEE cost
10 Mb     100             100
100 Mb    10              19
1 Gb      1               4
10 Gb     1               2

(Figure: Root Switch at the top, with four switches below it)
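The root election and path cost rules above, worked through as an added Python example (not from the original notes): the bridge id compares priority first and base MAC second, and a Dijkstra pass over the constructed three-switch topology with the notes' cost table shows which link each switch keeps forwarding and which one STP puts in blocking. The topology, MAC addresses and switch names are constructed for the example.

```python
import heapq

# Path cost tables from the notes (link speed in Mb/s -> cost).
COST_OLD_IEEE = {10: 100, 100: 10, 1000: 1, 10000: 1}
COST_NEW_IEEE = {10: 100, 100: 19, 1000: 4, 10000: 2}
DEFAULT_PRIORITY = 32768


def bridge_id(priority: int, mac: str) -> tuple:
    """Bridge id orders by priority first, then by base MAC; the lowest wins."""
    return (priority, int(mac.replace(":", ""), 16))


def elect_root(bridges: dict) -> str:
    """bridges: name -> (priority, mac). Returns the name of the root bridge."""
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


def root_path_costs(links, root: str, table=COST_NEW_IEEE) -> dict:
    """Dijkstra over links [(a, b, speed_mbps)] -> {switch: (cost, upstream)}.
    The link towards 'upstream' is the one kept forwarding; any other link into
    that switch is redundant and is what STP would put in blocking."""
    adj = {}
    for a, b, speed in links:
        adj.setdefault(a, []).append((b, table[speed]))
        adj.setdefault(b, []).append((a, table[speed]))
    best = {root: (0, None)}
    heap = [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue  # stale entry, a cheaper path was already found
        for nbr, link_cost in adj.get(node, []):
            new_cost = cost + link_cost
            if nbr not in best or new_cost < best[nbr][0]:
                best[nbr] = (new_cost, node)
                heapq.heappush(heap, (new_cost, nbr))
    return best


# Constructed topology: R-A and A-B are 1 Gb links, R-B is a redundant 100 Mb link.
LINKS = [("R", "A", 1000), ("A", "B", 1000), ("R", "B", 100)]
# R has the highest MAC, so only its lowered priority makes it the root.
BRIDGES = {"R": (4096, "00:00:0c:00:00:ff"),
           "A": (DEFAULT_PRIORITY, "00:00:0c:00:00:02"),
           "B": (DEFAULT_PRIORITY, "00:00:0c:00:00:03")}

if __name__ == "__main__":
    root = elect_root(BRIDGES)
    print(root, root_path_costs(LINKS, root))  # R {'R': (0, None), 'A': (4, 'R'), 'B': (8, 'A')}
```

With every switch left at priority 32768 the root would instead be whichever switch has the lowest MAC, which is why the intended root gets its priority lowered.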

To configure ports for forwarding mode directly

Switch#config ter
Switch(config)#interface
Switch(config-if)#switchport host

Configuring port security

In manageable switches, we can restrict the number of MAC addresses that a port can learn. We can even specify the MAC address statically with a command. With port security, we can also specify the action to be performed if a port security violation is detected.

Switch#conf ter
Switch(config)#interface
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum
Switch(config-if)#switchport port-security violation
Switch(config-if)#switchport port-security mac-address sticky
Switch(config-if)#switchport port-security mac-address sticky
Switch(config-if)#exit
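The port security behaviour described above, as an added Python model that is not switch code and not part of the original notes: one access port with a maximum, static or sticky secure addresses, and the three violation actions Cisco IOS offers for the violation command (protect, restrict, shutdown). The port names and MAC addresses are constructed; the running_config() output is what such a port would show once sticky addresses have been learned.

```python
# The three actions IOS accepts for "switchport port-security violation".
VIOLATION_MODES = ("protect", "restrict", "shutdown")


class SecurePort:
    """Model of one access port with port security enabled (hypothetical helper)."""

    def __init__(self, name, maximum=1, violation="shutdown", sticky=False, static=()):
        if violation not in VIOLATION_MODES:
            raise ValueError(f"unknown violation mode {violation!r}")
        if len(static) > maximum:
            raise ValueError("more static addresses than the configured maximum")
        self.name, self.maximum = name, maximum
        self.violation, self.sticky = violation, sticky
        self.secure = {m.lower(): "static" for m in static}  # mac -> how it was secured
        self.err_disabled = False
        self.violation_count = 0
        self.log = []

    def ingress(self, src_mac: str) -> str:
        """Decide the fate of a frame arriving from src_mac: 'forward' or 'drop'."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "drop"
        if src_mac in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:
            # Room left: learn it (sticky addresses survive in the running-config).
            self.secure[src_mac] = "sticky" if self.sticky else "dynamic"
            return "forward"
        # Table full and the source is unknown: a port security violation.
        if self.violation == "shutdown":
            self.violation_count += 1
            self.err_disabled = True
            self.log.append(f"{self.name}: violation by {src_mac}, port err-disabled")
        elif self.violation == "restrict":
            self.violation_count += 1
            self.log.append(f"{self.name}: violation by {src_mac}, frame dropped")
        # 'protect' drops silently: nothing is counted or logged for the operator.
        return "drop"

    def running_config(self) -> list:
        """Interface lines the port would show in 'show running-config'."""
        lines = [f"interface {self.name}", " switchport port-security",
                 f" switchport port-security maximum {self.maximum}",
                 f" switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
        for mac, kind in self.secure.items():
            if kind == "static":
                lines.append(f" switchport port-security mac-address {mac}")
            elif kind == "sticky":
                lines.append(f" switchport port-security mac-address sticky {mac}")
        return lines
```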