Switched LAN Architecture

W.lilakiatsakun

Hierarchical LAN Model (1)


Hierarchical LAN Model (2)

• The typical hierarchical design model is broken up into three layers: access, distribution, and core.

• Access Layer
  – The main purpose of the access layer is to provide a means of connecting devices to the network and controlling which devices are allowed to communicate on the network.
  – The access layer interfaces with end devices, such as PCs, printers, and IP phones, to provide access to the rest of the network.
  – The access layer can include routers, switches, bridges, hubs, and wireless access points.

Hierarchical LAN Model (3)

• Distribution Layer
  – The distribution layer aggregates the data received from the access layer switches before it is transmitted to the core layer for routing to its final destination.
  – The distribution layer controls the flow of network traffic using policies and delineates broadcast domains by performing routing functions between virtual LANs (VLANs) defined at the access layer.
  – VLANs allow you to segment the traffic on a switch into separate subnetworks.
    • For example, in a university you might separate traffic according to faculty, students, and guests.
  – Distribution layer switches are typically high-performance devices that have high availability and redundancy to ensure reliability.

Hierarchical LAN Model (4)

• Core Layer
  – The core layer of the hierarchical design is the high-speed backbone of the internetwork.
  – The core layer is critical for interconnectivity between distribution layer devices, so it is important for the core to be highly available and redundant.
  – The core area can also connect to Internet resources.
  – The core aggregates the traffic from all the distribution layer devices, so it must be capable of forwarding large amounts of data quickly.

Benefit of Hierarchical Network (1)

• Scalability
  – The modularity of the design allows you to replicate design elements as the network grows.
  – Because each instance of the module is consistent, expansion is easy to plan and implement.
    • For example, if your design model consists of two distribution layer switches for every 10 access layer switches, you can continue to add access layer switches until you have 10 access layer switches cross-connected to the two distribution layer switches before you need to add additional distribution layer switches to the network topology.
    • Also, as you add more distribution layer switches to accommodate the load from the access layer switches, you can add additional core layer switches to handle the additional load on the core.

Benefit of Hierarchical Network (2)

• Redundancy
  – As a network grows, availability becomes more important.
  – Access layer switches are connected to two different distribution layer switches to ensure path redundancy.
    • If one of the distribution layer switches fails, the access layer switch can switch to the other distribution layer switch.
  – Additionally, distribution layer switches are connected to two or more core layer switches to ensure path availability if a core switch fails.
  – The only layer where redundancy is limited is at the access layer.
    • Typically, end node devices, such as PCs, printers, and IP phones, do not have the ability to connect to multiple access layer switches for redundancy.
    • If an access layer switch fails, just the devices connected to that one switch would be affected by the outage.

Benefit of Hierarchical Network (3)

• Performance
  – Data is sent through aggregated switch port links from the access layer to the distribution layer at near wire speed in most cases.
  – The distribution layer then uses its high performance switching capabilities to forward the traffic up to the core, where it is routed to its final destination.
  – Because the core and distribution layers perform their operations at very high speeds, there is no contention for network bandwidth.
  – As a result, properly designed hierarchical networks can achieve near wire speed between all devices.

Benefit of Hierarchical Network (4)

• Security
  – Access layer switches can be configured with various port security options that provide control over which devices are allowed to connect to the network.
  – You also have the flexibility to use more advanced security policies at the distribution layer.
  – You may apply access control policies that define which communication protocols are deployed on your network and where they are permitted to go.
    • For example, if you want to limit the use of HTTP to a specific user community connected at the access layer, you could apply a policy that blocks HTTP traffic at the distribution layer.
    • Some access layer switches support Layer 3 functionality, but it is usually the job of the distribution layer switches to process Layer 3 data, because they can process it much more efficiently.

Benefit of Hierarchical Network (5)

• Manageability
  – Each layer of the hierarchical design performs specific functions that are consistent throughout that layer.
    • Therefore, if you need to change the functionality of an access layer switch, you could repeat that change across all access layer switches in the network because they presumably perform the same functions at their layer.
    • Deployment of new switches is also simplified because switch configurations can be copied between devices with very few modifications.
  – Consistency between the switches at each layer allows for rapid recovery and simplified troubleshooting.

Benefit of Hierarchical Network (6)

• Maintainability
  – In the hierarchical design model, switch functions are defined at each layer, making the selection of the correct switch easier.
    • Adding switches to one layer does not necessarily mean there will not be a bottleneck or other limitation at another layer.
  – You can save money by using less expensive access layer switches at the lowest layer, and spend more on the distribution and core layer switches to achieve high performance on the network.

Benefit of Hierarchical Network (7)

Principle of hierarchical design (1)

• Network Diameter
  – Network diameter is the number of devices that a packet has to cross before it reaches its destination.
  – Keeping the network diameter low ensures low and predictable latency between devices.
  – In the figure, PC1 communicates with PC3. There could be up to six interconnected switches between PC1 and PC3. In this case, the network diameter is 6.

Principle of hierarchical design (2)

Principle of hierarchical design (3)

• Each switch in the path introduces some degree of latency.
• Network device latency is the time spent by a device as it processes a packet or frame.
  – Each switch has to determine the destination MAC address of the frame, check its MAC address table, and forward the frame out the appropriate port.
• In a hierarchical network, network diameter is always going to be a predictable number of hops between the source and destination devices.

Principle of hierarchical design (4)

• Bandwidth Aggregation
  – Bandwidth aggregation is the practice of considering the specific bandwidth requirements of each part of the hierarchy.
  – After bandwidth requirements of the network are known, links between specific switches can be aggregated, which is called link aggregation.
  – Link aggregation allows multiple switch port links to be combined so as to achieve higher throughput between switches.
  – Cisco has a proprietary link aggregation technology called EtherChannel, which allows multiple Ethernet links to be consolidated.

Principle of hierarchical design (5)

• Example: computers PC1 and PC3 require a significant amount of bandwidth because they are used for developing weather simulations.
  – The network manager has determined that the access layer switches S1, S3, and S5 require increased bandwidth.
  – Following up the hierarchy, these access layer switches connect to the distribution switches D1, D2, and D4.
  – The distribution switches connect to core layer switches C1 and C2.
  – In this way, increased bandwidth is provided for in a targeted, specific part of the network.

Principle of hierarchical design (6)

Principle of hierarchical design (7)

• Redundancy
  – For example, you can double up the network connections between devices, or you can double the devices themselves.
  – Implementing redundant links can be expensive.
    • Imagine if every switch in each layer of the network hierarchy had a connection to every switch at the next layer.
  – It is unlikely that you will be able to implement redundancy at the access layer because of the cost and limited features in the end devices, but you can build redundancy into the distribution and core layers of the network.

Principle of hierarchical design (8)

Principle of hierarchical design (9)

• In the figure, redundant links are shown at the distribution layer and core layer.
• At the distribution layer, there are two distribution layer switches, the minimum required to support redundancy at this layer.
• The access layer switches, S1, S3, S4, and S6, are cross-connected to the distribution layer switches.
  – This protects your network if one of the distribution switches fails.
  – In case of a failure, the access layer switch adjusts its transmission path and forwards the traffic through the other distribution switch.
• Some network failure scenarios can never be prevented, for example, if the power goes out in the entire city, or the entire building is demolished because of an earthquake.
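The three design principles above (network diameter, bandwidth aggregation, and redundancy) can be checked on a model of the topology before any cabling is done. The following is an added example and not part of the original slides: it builds a constructed three-layer topology (access S1..S6, distribution D1..D4, core C1..C2, with the number of bundled 1 Gb/s links per connection and the PC-to-switch attachments all assumed), counts the switches a frame crosses between two hosts, takes the slowest hop of an aggregated path as its throughput, and re-runs the diameter calculation with one switch removed to confirm the cross-connected design still has a path.

```python
"""Hierarchical LAN model: network diameter, link aggregation, and failover.

Added example, not part of the original slides. The topology is a constructed
approximation of the deck's figures; bundle sizes and link speed are assumed.
"""
from collections import deque

# Constructed topology: (switch_a, switch_b, number_of_1Gb/s_links_in_the_bundle).
# Every access switch is cross-connected to two distribution switches, and
# every distribution switch to both core switches, as the slides describe.
LINKS = [
    ("S1", "D1", 2), ("S1", "D2", 2),   # S1, S3, S5 get aggregated uplinks
    ("S2", "D1", 1), ("S2", "D2", 1),
    ("S3", "D1", 2), ("S3", "D2", 2),
    ("S4", "D3", 1), ("S4", "D4", 1),
    ("S5", "D3", 2), ("S5", "D4", 2),
    ("S6", "D3", 1), ("S6", "D4", 1),
    ("D1", "C1", 2), ("D1", "C2", 2),
    ("D2", "C1", 2), ("D2", "C2", 2),
    ("D3", "C1", 2), ("D3", "C2", 2),
    ("D4", "C1", 2), ("D4", "C2", 2),
    ("C1", "C2", 4),
]
# Constructed host placement: PC1 and PC3 sit in different distribution blocks.
HOSTS = {"PC1": "S1", "PC2": "S2", "PC3": "S5"}
LINK_SPEED_GBPS = 1  # assumed speed of one physical link in a bundle


def build_graph(links, failed=()):
    """Adjacency map switch -> {neighbour: bundle_size}; `failed` switches are omitted."""
    graph = {}
    for a, b, n in links:
        if a in failed or b in failed:
            continue
        graph.setdefault(a, {})[b] = n
        graph.setdefault(b, {})[a] = n
    return graph


def shortest_path(graph, src, dst):
    """Breadth-first search; returns the switch list from src to dst, or None."""
    if src not in graph or dst not in graph:
        return None
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nbr in graph[node]:
            if nbr not in prev:
                prev[nbr] = node
                queue.append(nbr)
    return None


def network_diameter(graph, host_a, host_b):
    """Network diameter as the slides define it: the switches a frame crosses."""
    path = shortest_path(graph, HOSTS[host_a], HOSTS[host_b])
    return len(path) if path else None


def path_capacity_gbps(graph, path):
    """Throughput is bounded by the slowest hop; a bundle multiplies hop capacity."""
    return min(graph[a][b] * LINK_SPEED_GBPS for a, b in zip(path, path[1:]))


def failover_check(links, failed_switch, host_a, host_b):
    """Does host_a still reach host_b with one switch down? Returns (ok, diameter)."""
    graph = build_graph(links, failed=(failed_switch,))
    diameter = network_diameter(graph, host_a, host_b)
    return diameter is not None, diameter


if __name__ == "__main__":
    g = build_graph(LINKS)
    path = shortest_path(g, HOSTS["PC1"], HOSTS["PC3"])
    print("PC1 -> PC3 path:", " > ".join(path), "diameter", len(path))
    print("PC1 -> PC3 capacity (Gb/s):", path_capacity_gbps(g, path))
    for victim in ("D1", "C1", "S1"):
        print(f"{victim} fails:", failover_check(LINKS, victim, "PC1", "PC3"))
```

Losing D1 or C1 leaves the diameter unchanged because the replacement path has the same length; losing S1 takes PC1 off the network entirely, which is the access-layer limitation the slides point out.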

Considerations for hierarchical network switches (1)

• Traffic Flow Analysis
  – Traffic flow analysis is the process of measuring the bandwidth usage on a network and analyzing the data for the purpose of performance tuning, capacity planning, and making hardware improvement decisions.
  – Traffic flow analysis is done using traffic flow analysis software.
  – Although there is no precise definition of network traffic flow, for the purposes of traffic flow analysis we can say that network traffic is the amount of data sent through a network for a given period of time.
  – Analyzing the various traffic sources and their impact on the network allows you to more accurately tune and upgrade the network to achieve the best possible performance.

Considerations for hierarchical network switches (2)

The figure displays sample output from Solarwinds Orion 8.1 NetFlow Analysis,

Considerations for hierarchical network switches (3)

• User Communities Analysis
  – User community analysis is the process of identifying various groupings of users and their impact on network performance.
  – The way users are grouped affects issues related to port density and traffic flow, which, in turn, influences the selection of network switches.
  – In a typical office building, end users are grouped according to their job function, because they require similar access to resources and applications.
  – You may find the Human Resource (HR) department located on one floor of an office building, while Finance is located on another floor.

Considerations for hierarchical network switches (4)

  – Each department has a different number of users and application needs, and requires access to different data resources available through the network.
    • For example, when selecting switches for the wiring closets of the HR and Finance departments, you would choose a switch that had enough ports to meet the department needs and was powerful enough to accommodate the traffic requirements for all the devices on that floor.

Considerations for hierarchical network switches (5)

  – The resources that medium-sized business or enterprise user communities need could be located in geographically separate areas.
    • Consequently, the location of the user communities influences where data stores and server farms are located.
    • If the Finance users are using a network-intensive application that exchanges data with a specific server on the network, it may make sense to locate the Finance user community close to that server.
  – By locating users close to their servers and data stores, you can reduce the network diameter for their communications, thereby reducing the impact of their traffic across the rest of the network.

Considerations for hierarchical network switches (6)

Considerations for hierarchical network switches (7)

• Future Growth
  – A solid network plan includes the rate of personnel growth over the past five years to be able to anticipate the future growth.
  – As well as looking at the number of devices on a given switch in a network, you should investigate the network traffic generated by end-user applications.
  – By measuring the network traffic generated for all applications in use by different user communities, and determining the location of the data source, you can identify the effect of adding more users to that community.

Considerations for hierarchical network switches (8)

Considerations for hierarchical network switches (9)

• Data Stores and Data Servers Analysis
  – Data stores can be servers, storage area networks (SANs), network-attached storage (NAS), tape backup units, or any other device or component where large quantities of data are stored.
  – When considering the traffic for data stores and servers, consider both client-server traffic and server-server traffic.
  – Client-server traffic is the traffic generated when a client device accesses data from data stores or servers.
  – Bandwidth aggregation and switch forwarding rates are important factors to consider when attempting to eliminate bottlenecks for this type of traffic.

Considerations for hierarchical network switches (10)

Client-server traffic

Client-server traffic typically traverses multiple switches to reach its destination.

Considerations for hierarchical network switches (11)

  – Server-server traffic is the traffic generated between data storage devices on the network.
    • Some server applications generate very high volumes of traffic between data stores and other servers.
  – Servers and data stores are typically located in data centers within a business.
    • A data center is a secured area of the building where servers, data stores, and other network equipment are located.
  – Traffic across data center switches is typically very high due to the server-server and client-server traffic that traverses the switches.
  – As a result, switches selected for data centers should be higher performing switches than the switches you would find in the wiring closets at the access layer.

Considerations for hierarchical network switches (12)

  – By examining the data paths for various applications used by different user communities, you can identify potential bottlenecks where performance of the application can be affected by inadequate bandwidth.
  – To improve the performance, you could aggregate links to accommodate the bandwidth, or replace the slower switches with faster switches capable of handling the traffic load.
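The traffic flow analysis described under "Considerations (1)" and the client-server versus server-server split described under "Considerations (9)" to "(12)" come together in one calculation: take the flow records a collector exports, attribute bytes to traffic classes, user communities and servers, and convert the totals over the measurement window into a bit rate that can be compared with link capacity. The block below is an added example, not output from the slides or from the NetFlow product shown in the figure. The flow records, the host-to-department map, the server roles and the per-server access-link capacities are all constructed; the record shape (start time, source, destination, byte count) only loosely follows what a NetFlow-style export carries.

```python
"""Traffic flow analysis over constructed flow records.

Added example, not part of the original slides. Hosts, roles, capacities and
flows are constructed so that the calculation runs offline.
"""
from collections import defaultdict

# Constructed host map: user hosts by department, servers by role.
ROLE = {
    "10.1.10.21": "HR", "10.1.10.22": "HR",
    "10.1.20.31": "Finance", "10.1.20.32": "Finance",
    "10.9.0.10": "server:erp-db", "10.9.0.11": "server:erp-app",
    "10.9.0.50": "server:backup",
}

# Constructed flow export for one 60 s window: (start_second, src_ip, dst_ip, bytes).
FLOWS = [
    (0, "10.1.10.21", "10.9.0.11", 12_000_000),
    (5, "10.1.10.22", "10.9.0.11", 8_000_000),
    (2, "10.1.20.31", "10.9.0.10", 180_000_000),
    (9, "10.1.20.32", "10.9.0.10", 160_000_000),
    (1, "10.9.0.11", "10.9.0.10", 600_000_000),   # app server <-> database
    (30, "10.9.0.10", "10.9.0.50", 900_000_000),  # database -> backup unit
    (40, "10.1.20.31", "10.1.10.21", 1_000_000),
]
WINDOW_SECONDS = 60


def is_server(ip):
    return ROLE.get(ip, "").startswith("server:")


def classify(src, dst):
    """Client-server vs server-server, as the slides distinguish them."""
    if is_server(src) and is_server(dst):
        return "server-server"
    if is_server(src) or is_server(dst):
        return "client-server"
    return "client-client"


def mbps(total_bytes, seconds=WINDOW_SECONDS):
    """Average bit rate over the analysis window, in Mb/s."""
    return total_bytes * 8 / seconds / 1_000_000


def summarize(flows=FLOWS):
    """Bytes per traffic class, per user community, and per server."""
    by_class = defaultdict(int)
    by_community = defaultdict(int)
    by_server = defaultdict(int)
    for _, src, dst, nbytes in flows:
        kind = classify(src, dst)
        by_class[kind] += nbytes
        if kind == "client-server":
            client, server = (dst, src) if is_server(src) else (src, dst)
            by_community[ROLE.get(client, "unknown")] += nbytes
            by_server[server] += nbytes
        elif kind == "server-server":
            # both ends carry the bytes on their own access links
            by_server[src] += nbytes
            by_server[dst] += nbytes
    return dict(by_class), dict(by_community), dict(by_server)


def over_capacity(by_server, capacities_mbps):
    """Servers whose average demand in the window exceeds their link capacity."""
    return {ip: round(mbps(b), 1) for ip, b in by_server.items()
            if mbps(b) > capacities_mbps.get(ip, float("inf"))}


if __name__ == "__main__":
    by_class, by_community, by_server = summarize()
    for kind, b in by_class.items():
        print(f"{kind:14} {mbps(b):8.1f} Mb/s")
    for dept, b in by_community.items():
        print(f"community {dept:8} {mbps(b):8.1f} Mb/s")
    # Constructed capacities: the database still sits on a single 100 Mb/s port.
    capacities = {"10.9.0.10": 100, "10.9.0.11": 100, "10.9.0.50": 1000}
    print("bottlenecks:", over_capacity(by_server, capacities))
```

With these numbers the database server's link is the bottleneck, and almost all of its load is server-server traffic from the app server and the backup unit rather than from the Finance users; that is the case the slides describe where aggregating the server's links, or placing the servers that talk to each other on the same high-performance data-center switch, helps more than upgrading the wiring-closet switches.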

Page 34

Considerations for hierarchical network switches (13)

Server-Server Traffic

To optimize server-server traffic, servers needing frequent access to certain resources should be located in close proximity to each other so that the traffic they generate does not affect the performance of the rest of the network.

Page 35

Considerations for hierarchical network switches (14)

Page 36

Switch Features in a Hierarchical Network (1)

Page 37

Switch Features in a Hierarchical Network (2)

• Access layer switch features
• Port security allows the switch to decide how many or what specific devices are allowed to connect to the switch.
  – Consequently, it is an important first line of defense for a network.
• VLANs are an important component of a converged network.
  – Voice traffic is typically given a separate VLAN.
  – In this way, voice traffic can be supported with more bandwidth, more redundant connections, and improved security.
  – Access layer switches allow you to set the VLANs for the end node devices on your network.

Page 38

Switch Features in a Hierarchical Network (3)

• Port speed is also a characteristic you need to consider for your access layer switches.
  – Fast Ethernet allows up to 100 Mb/s of traffic per switch port. Fast Ethernet is adequate for IP telephony and data traffic on most business networks.
  – Gigabit Ethernet allows up to 1000 Mb/s of traffic per switch port.
    • Most modern devices, such as workstations, notebooks, and IP phones, support Gigabit Ethernet.
    • This allows for much more efficient data transfers, enabling users to be more productive.
    • Gigabit Ethernet does have a drawback: switches supporting Gigabit Ethernet are more expensive.

Page 39

Switch Features in a Hierarchical Network (4)

• PoE (Power over Ethernet) dramatically increases the overall price of the switch.
  – It should only be considered when voice convergence is required or wireless access points are being implemented, and power is difficult or expensive to run to the desired location.
• Link aggregation is another feature that is common to most access layer switches.
  – Link aggregation allows the switch to use multiple links simultaneously.
  – Access layer switches take advantage of link aggregation when aggregating bandwidth up to distribution layer switches.

Page 40

Switch Features in a Hierarchical Network (4)

• In a converged network supporting voice, video and data network traffic, access layer switches need to support QoS to maintain the prioritization of traffic.
  – IP phones are types of equipment that are found at the access layer.
    • When an IP phone is plugged into an access layer switch port configured to support voice traffic, that switch port tells the IP phone how to send its voice traffic.
  – QoS needs to be enabled on access layer switches so that voice traffic from the IP phone has priority over, for example, data traffic.

Page 41

Switch Features in a Hierarchical Network (5)

Page 42

Switch Features in a Hierarchical Network (6)

• Distribution Layer Switch Features

• Layer 3 support
  – Distribution layer switches provide the inter-VLAN routing functions so that one VLAN can communicate with another on the network.
  – This routing typically takes place at the distribution layer because distribution layer switches have higher processing capabilities than the access layer switches.

Page 43

Switch Features in a Hierarchical Network (7)

• Security Policies
  – An Access Control List (ACL) allows the switch to prevent certain types of traffic and permit others.
  – ACLs also allow you to control which network devices can communicate on the network.
  – Using ACLs is processing-intensive because the switch needs to inspect every packet and see if it matches one of the ACL rules defined on the switch.
  – This inspection is performed at the distribution layer, because the switches at this layer typically have the processing capability to handle the additional load, and it also simplifies the use of ACLs.
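The per-packet matching the slide describes, as an added example (not from the slides or any vendor's code): an ordered ACL is walked top-down, the first matching rule decides, and a packet that matches no rule hits the implicit deny. The VLAN prefixes, hosts, ports and rule set are constructed for the example; the second, mis-ordered list shows why rule order is part of the policy.

```python
"""Added example: ordered ACL evaluation as a distribution layer switch performs it.

Each packet is compared against the rules top-down; the first rule that
matches decides; a packet that matches nothing hits the implicit deny.
All addresses, ports and rules below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str                     # source IPv4 address
    dst: str                     # destination IPv4 address
    dport: Optional[int] = None  # destination port (None for icmp)


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: str                     # source prefix in CIDR form, "0.0.0.0/0" = any
    dst: str                     # destination prefix in CIDR form
    dport: Optional[int] = None  # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """Return (action, index of the deciding rule); index -1 is the implicit deny."""
    for index, rule in enumerate(acl):
        if rule.matches(pkt):    # first match wins; later rules are not consulted
            return rule.action, index
    return "deny", -1


# Constructed policy: user VLAN 10.10.0.0/16 may reach only two services in the
# server VLAN 10.20.0.0/16, and may reach anything outside that VLAN.
SAMPLE_ACL = [
    Rule("permit", "tcp", "10.10.0.0/16", "10.20.0.10/32", 443),  # HTTPS to the web server
    Rule("permit", "udp", "10.10.0.0/16", "10.20.0.53/32", 53),   # DNS to the resolver
    Rule("deny",   "ip",  "10.10.0.0/16", "10.20.0.0/16"),        # nothing else into the server VLAN
    Rule("permit", "ip",  "10.10.0.0/16", "0.0.0.0/0"),           # everything else, e.g. the Internet
]

# Same rules with the last two swapped: the broad permit now shadows the deny,
# so the deny can never match. Rule order is the policy.
MISORDERED_ACL = [SAMPLE_ACL[0], SAMPLE_ACL[1], SAMPLE_ACL[3], SAMPLE_ACL[2]]


def shadowed_rules(acl: List[Rule], samples: List[Packet]) -> List[int]:
    """Indices of rules that no sample packet ever reaches: a cheap audit for ordering mistakes."""
    hit = {evaluate(acl, pkt)[1] for pkt in samples}
    return [i for i in range(len(acl)) if i not in hit]


if __name__ == "__main__":
    ssh_to_server = Packet("tcp", "10.10.5.5", "10.20.0.10", 22)
    print(evaluate(SAMPLE_ACL, ssh_to_server))      # ('deny', 2)
    print(evaluate(MISORDERED_ACL, ssh_to_server))  # ('permit', 2)
```

Every packet walks the list until something matches, which is the per-packet cost the slide refers to; the audit function is only as good as the sample traffic fed to it, so feed it the flows each rule was written for.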

Page 44

Switch Features in a Hierarchical Network (8)

• Quality of Service
  – The distribution layer switches also need to support QoS to maintain the prioritization of traffic coming from the access layer switches that have implemented QoS.
  – Priority policies ensure that audio and video communications are guaranteed adequate bandwidth to maintain an acceptable quality of service.
  – To maintain the priority of the voice data throughout the network, all of the switches that forward voice data must support QoS.

Page 45

Switch Features in a Hierarchical Network (9)

• Redundancy
  – Distribution layer switches are typically implemented in pairs to ensure availability.
  – It is also recommended that distribution layer switches support multiple, hot swappable power supplies.
    • Having more than one power supply allows the switch to continue operating even if one of the power supplies fails during operation.
    • Having hot swappable power supplies allows you to change a failed power supply while the switch is still running.
    • This allows you to repair the failed component without impacting the functionality of the network.

Page 46

Switch Features in a Hierarchical Network (10)

• Link aggregation
  – Because distribution layer switches accept incoming traffic from multiple access layer switches, they need to be able to forward all of that traffic as fast as possible to the core layer switches.
  – As a result, distribution layer switches also need high-bandwidth aggregated links back to the core layer switches.
  – Newer distribution layer switches support aggregated 10 Gigabit Ethernet (10GbE) uplinks to the core layer switches.

Page 47

Switch Features in a Hierarchical Network (11)

Page 48

Switch Features in a Hierarchical Network (12)

• Core Layer Switch Features
  – The core layer of a hierarchical topology is the high-speed backbone of the network and requires switches that can handle very high forwarding rates.
  – The required forwarding rate is largely dependent on the number of devices participating in the network.
  – You determine your necessary forwarding rate by conducting and examining various traffic flow reports and user communities analyses.
  – If you choose an inadequate switch to run in the core of the network, you face potential bottleneck issues in the core, slowing down all communications on the network.

Page 49

Switch Features in a Hierarchical Network (13)

• Link Aggregation
  – The core layer also needs to support link aggregation to ensure adequate bandwidth coming into the core from the distribution layer switches.
  – Core layer switches should have support for aggregated 10GbE connections, which is currently the fastest available Ethernet connectivity option.
  – This allows corresponding distribution layer switches to deliver traffic as efficiently as possible to the core.

Page 50

Switch Features in a Hierarchical Network (14)

• Redundancy
  – The availability of the core layer is also critical, so you should build in as much redundancy as you can.
  – Layer 3 redundancy typically has a faster convergence than Layer 2 redundancy in the event of hardware failure.
  – Also, core layer switches have additional hardware redundancy features like redundant power supplies that can be swapped while the switch continues to operate.
  – Because of the high workload carried by core layer switches, they tend to operate hotter than access or distribution layer switches, so they should have more sophisticated cooling options.
    • Many true, core layer-capable switches have the ability to swap cooling fans without having to turn the switch off.

Page 51

Switch Features in a Hierarchical Network (14)

• QoS
  – At the core and network edge, mission-critical and time-sensitive traffic such as voice should receive higher QoS guarantees than less time-sensitive traffic such as file transfers or e-mail.
  – Core layer switches can provide a cost-effective way of supporting optimal and differentiated use of existing bandwidth.

Page 52

Basic Switch Concept

w.lilakiatsakun

Page 53

IEEE802.3 (1)

• Carrier Sense (CS)
  – In the CSMA/CD access method, all network devices that have messages to send must listen before transmitting.
  – If a device detects a signal from another device, it waits for a specified amount of time before attempting to transmit.
  – When there is no traffic detected, a device transmits its message.
    • While this transmission is occurring, the device continues to listen for traffic or collisions on the LAN.
    • After the message is sent, the device returns to its default listening mode.

Page 54

IEEE802.3 (2)

• Multiple Access (MA)
  – More than one device can access the same medium.
  – This situation might cause a data collision.
• Collision Detection (CD)
  – A device can detect when a collision occurs on the shared media, because of an increase in the amplitude of the signal above the normal level.
  – When a collision is detected, the transmitting devices send out a jamming signal.
  – The jamming signal notifies the other devices of a collision, so that they invoke a backoff algorithm.
  – This backoff algorithm causes all devices to stop transmitting for a random amount of time, which allows the collision signals to subside.
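The listen, transmit, collide and back off cycle of the two slides above, as an added example that is not part of the slides: the "random amount of time" is implemented as the truncated binary exponential backoff IEEE 802.3 specifies (a wait of 0 to 2^min(n,10) - 1 slot times after the n-th consecutive collision, discard after 16 attempts), which the slides do not spell out. The station count, seed and the assumption that every station has one frame ready at slot 0 are constructed.

```python
"""Added example: CSMA/CD with the truncated binary exponential backoff that
IEEE 802.3 specifies (the slides only say 'a random amount of time').

After the n-th consecutive collision a station waits r slot times, r drawn
uniformly from 0 .. 2**min(n, 10) - 1; after 16 attempts the frame is dropped.
The station count, seed and frame scenario below are constructed.
"""
import random

SLOT_TIME_BITS = 512    # one slot time in bit times (IEEE 802.3)
MAX_BACKOFF_EXP = 10    # the random range stops growing after the 10th collision
MAX_ATTEMPTS = 16       # the frame is discarded after 16 consecutive collisions


def backoff_limit(collisions: int) -> int:
    """Largest number of slot times a station may wait after its n-th collision."""
    return 2 ** min(collisions, MAX_BACKOFF_EXP) - 1


def backoff_slots(collisions: int, rng: random.Random) -> int:
    """Random wait, in slot times, after the n-th consecutive collision (n = 1..15)."""
    if not 1 <= collisions < MAX_ATTEMPTS:
        raise ValueError("backoff is only defined for attempts 1..15")
    return rng.randint(0, backoff_limit(collisions))


def slot_time_us(bit_rate_mbps: float = 10) -> float:
    """Duration of one slot time in microseconds (51.2 us on 10 Mb/s Ethernet)."""
    return SLOT_TIME_BITS / bit_rate_mbps


def simulate(n_stations: int, seed: int = 0) -> dict:
    """Every station has one frame ready at slot 0 and follows CSMA/CD.

    Returns the delivery order, the stations whose frame was discarded, the
    number of slots in which a collision occurred and the total slots used.
    """
    rng = random.Random(seed)
    wait = [0] * n_stations            # slots each station must still wait
    collisions = [0] * n_stations      # consecutive collisions per station
    pending = set(range(n_stations))
    delivered, discarded = [], []
    slot = collision_slots = 0
    while pending:
        # Carrier sense: every station whose wait has expired sees an idle medium and transmits.
        ready = [s for s in sorted(pending) if wait[s] == 0]
        if len(ready) == 1:            # one sender: the frame gets through
            delivered.append(ready[0])
            pending.remove(ready[0])
        elif len(ready) > 1:           # collision detected: jam, then each sender backs off
            collision_slots += 1
            for s in ready:
                collisions[s] += 1
                if collisions[s] >= MAX_ATTEMPTS:
                    discarded.append(s)
                    pending.remove(s)
                else:
                    wait[s] = backoff_slots(collisions[s], rng)
        for s in pending:              # stations that were not sending count this slot down
            if s not in ready and wait[s] > 0:
                wait[s] -= 1
        slot += 1
    return {"delivered": delivered, "discarded": discarded,
            "collision_slots": collision_slots, "slots": slot}


if __name__ == "__main__":
    print(simulate(5, seed=7))
```

With several stations ready at the same instant the first slot is always a collision; the growing backoff range is what spreads the retries out so that one station at a time finds the medium idle.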

Page 55

Ethernet Communication (1)

• Unicast
  – Communication in which a frame is sent from one host and addressed to one specific destination.
  – In unicast transmission, there is just one sender and one receiver.
  – Unicast transmission is the predominant form of transmission on LANs and within the Internet.
  – Examples of unicast transmissions include HTTP, SMTP, FTP, and Telnet.

Page 56

Ethernet Communication (2)

• Broadcast
  – Communication in which a frame is sent from one address to all other addresses.
  – In this case, there is just one sender, but the information is sent to all connected receivers.
  – Broadcast transmission is essential when sending the same message to all devices on the LAN.
    • An example of a broadcast transmission is the address resolution query that the address resolution protocol (ARP) sends to all computers on a LAN.

Page 57

Ethernet Communication (3)

• Multicast
  – Communication in which a frame is sent to a specific group of devices or clients.
  – Multicast transmission clients must be members of a logical multicast group to receive the information.
    • An example of multicast transmission is the video and voice transmissions associated with a network-based, collaborative business meeting.

Page 58

Ethernet Communication (4)

Page 59

Page 60

MAC Address (1)

• Organizational Unique Identifier
  – It is 24 bits long and identifies the manufacturer of the NIC card.
  – The IEEE regulates the assignment of OUI numbers.
  – Within the OUI, there are 2 bits that have meaning only when used in the destination address, as follows:
    • Broadcast or multicast bit: Indicates to the receiving interface that the frame is destined for all or a group of end stations on the LAN segment.
    • Locally administered address bit: If the vendor-assigned MAC address can be modified locally, this bit should be set.

Page 61

MAC Address (2)

• Vendor Assignment Number
  – The vendor-assigned part of the MAC address is 24 bits long and uniquely identifies the Ethernet hardware.
  – It can be a BIA (Burned-in Address) or modified by software, as indicated by the local bit.
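The two MAC Address slides and the unicast/broadcast/multicast distinction from the Ethernet Communication slides, worked as an added example that is not part of the slides: split an address into its OUI and vendor-assigned halves, read the group bit and the locally administered bit from the first octet, and classify the address. The sample addresses and the hypothetical `locally_administered` helper are constructed; no vendor lookup is done.

```python
"""Added example: splitting a MAC address into its OUI and vendor-assigned
halves and reading the two special bits in the first octet.

Bit 0 of the first octet is the individual/group (I/G) bit: 0 = unicast,
1 = multicast, with all ones meaning broadcast. Bit 1 is the universal/local
(U/L) bit: 0 = vendor-assigned (BIA), 1 = locally administered (set by software).
The sample addresses below are constructed; no vendor lookup is performed.
"""
import re

BROADCAST = bytes([0xFF] * 6)


def parse_mac(text: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or Cisco-style 'aabb.ccdd.eeff'."""
    digits = re.sub(r"[:\-.]", "", text.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)


def is_valid_mac(text: str) -> bool:
    try:
        parse_mac(text)
        return True
    except ValueError:
        return False


def describe(text: str) -> dict:
    mac = parse_mac(text)
    oui, vendor_assigned = mac[:3], mac[3:]
    group_bit = bool(mac[0] & 0x01)   # I/G bit: frame is for a group of stations
    local_bit = bool(mac[0] & 0x02)   # U/L bit: address was assigned locally, not by the vendor
    if mac == BROADCAST:
        kind = "broadcast"            # every station on the segment accepts it
    elif group_bit:
        kind = "multicast"            # only members of the group accept it
    else:
        kind = "unicast"              # exactly one receiver
    return {
        "oui": oui.hex(":"),
        "vendor_assigned": vendor_assigned.hex(":"),
        "kind": kind,
        "locally_administered": local_bit,
    }


def locally_administered(addresses):
    """Return the addresses whose U/L bit is set, i.e. not a burned-in vendor address.

    On an access port these deserve a second look when port security is used
    to track which devices are allowed to connect. (Hypothetical helper.)
    """
    return [a for a in addresses if describe(a)["locally_administered"]]


if __name__ == "__main__":
    for sample in ("ff:ff:ff:ff:ff:ff", "01:00:5E:00:00:FB", "02-42-ac-11-00-02", "0011.2233.4455"):
        print(sample, describe(sample))
```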

Page 62

Duplex Setting

Page 63

MAC Address Table (1)

Page 64

MAC Address Table (2)

The frame is broadcast to all ports since S1 does not have a MAC table entry for the destination.

Page 65

MAC Address Table (3)

The frame is forwarded to port 1.
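The learn-then-forward behaviour of the three MAC Address Table slides, together with the port security feature from the access layer slide, as an added example that is not the slide author's code: the switch learns each source address on its ingress port, floods a frame whose destination it has not learned yet, forwards out of a single port once it has, and, with a per-port address limit configured, refuses to learn a further address on a port that is already at its limit. The port names, addresses and frame sequence are constructed to mirror the S1 scenario.

```python
"""Added example: a transparent switch learning its MAC address table, flooding
unknown destinations and, with port security enabled, refusing to learn more
addresses on a port than allowed.

Port names, MAC addresses and the frame sequence are constructed and mirror
the S1 scenario on the slides; this is not the slide author's code.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str
    dst: str


@dataclass
class Switch:
    ports: List[str]
    max_macs_per_port: int = 0                                       # 0 = port security off
    mac_table: Dict[str, str] = field(default_factory=dict)          # MAC -> port it was learned on
    violations: List[Tuple[str, str]] = field(default_factory=list)  # (port, MAC refused there)

    def _learn(self, port: str, mac: str) -> bool:
        """Record the source MAC on the ingress port; False means the port refused it."""
        if self.mac_table.get(mac) == port:
            return True                                              # already known on this port
        if self.max_macs_per_port:
            on_port = sum(1 for p in self.mac_table.values() if p == port)
            if on_port >= self.max_macs_per_port:
                self.violations.append((port, mac))                  # limit reached: violation
                return False
        self.mac_table[mac] = port                                   # new address, or a host that moved
        return True

    def receive(self, in_port: str, frame: Frame) -> List[str]:
        """Process one frame and return the ports it is sent out of ([] = dropped)."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        if not self._learn(in_port, frame.src):
            return []                                                # port security: drop the frame
        if frame.dst == BROADCAST or frame.dst not in self.mac_table:
            # Unknown or broadcast destination: flood out of every port except the ingress port.
            return [p for p in self.ports if p != in_port]
        out_port = self.mac_table[frame.dst]
        return [] if out_port == in_port else [out_port]             # known destination: forward or filter


if __name__ == "__main__":
    pc1, pc2 = "00:11:22:aa:aa:aa", "00:11:22:bb:bb:bb"
    s1 = Switch(["Fa0/1", "Fa0/2", "Fa0/3", "Fa0/4"], max_macs_per_port=1)
    print(s1.receive("Fa0/1", Frame(pc1, pc2)))   # flooded: ['Fa0/2', 'Fa0/3', 'Fa0/4']
    print(s1.receive("Fa0/2", Frame(pc2, pc1)))   # forwarded: ['Fa0/1']
    print(s1.mac_table)
```

The flood step is why traffic to a destination the switch has not learned yet reaches every port, and the per-port limit is what keeps a single port from filling the table with addresses; a real switch also ages entries out, which this example omits.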

Page 66

Design Consideration

• Bandwidth and throughput
• Collision Domain
• Broadcast Domain
• Network Latency
• Network Congestion

Page 67

Bandwidth and throughput

• It is important to understand that when stating the bandwidth of the Ethernet network is 10 Mb/s, full bandwidth for transmission is available only after any collisions have been resolved.
• The net throughput of the port (the average data that is effectively transmitted) will be considerably reduced as a function of how many other nodes want to use the network.
• As a result, the number of nodes sharing the Ethernet network will have an effect on the throughput or productivity of the network.

Page 68

Collision Domain (1)

• The network area where frames originate and collide is called the collision domain.
• All shared media environments, such as those created by using hubs, are collision domains.
• When a host is connected to a switch port, the switch creates a dedicated connection.
  – This connection is considered an individual collision domain, because traffic is kept separate from all other traffic, thereby eliminating the potential for a collision.

Page 69

Collision Domain (2)

Page 70

Broadcast Domain (1)

• A collection of interconnected switches forms a single broadcast domain.
• Only a Layer 3 entity, such as a router, or a virtual LAN (VLAN), can stop a Layer 3 broadcast domain.
• Routers and VLANs are used to segment both collision and broadcast domains.
• When a device wants to send out a Layer 2 broadcast, the destination MAC address in the frame is set to all ones.
  – By setting the destination to this value, all the devices accept and process the broadcast frame.

Page 71

Broadcast Domain (2)

The broadcast domain at Layer 2 is referred to as the MAC broadcast domain. The MAC broadcast domain consists of all devices on the LAN that receive frame broadcasts by a host to all other machines on the LAN.

Page 72

Network Latency

Page 73

Network Congestion (1)

• The primary reason for segmenting a LAN into smaller parts is to isolate traffic and to achieve better use of bandwidth per user.
• Without segmentation, a LAN quickly becomes clogged with traffic and collisions.

Page 74

Network Congestion (2)

• These are the most common causes of network congestion:
  – Increasingly powerful computer and network technologies.
    • They can send more data at higher rates through the network, and they can process more data at higher rates.
  – Increasing volume of network traffic.
    • In addition to normal traffic, broadcast messages, such as address resolution queries, are also sent out.
  – High-bandwidth applications.
    • Desktop publishing, engineering design, video on demand (VoD), electronic learning (e-learning), and streaming video all require considerable processing power and speed.

Page 75

LAN Segmentation (1)

Uncontrolled Collision Domain and Broadcast Domain

Page 76

LAN Segmentation (2)

Uncontrolled Collision Domain and Broadcast Domain

Page 77

LAN Segmentation (3)

Controlled Collision Domain and Broadcast Domain

Page 78

LAN Segmentation (4)

Controlled Collision Domain and Broadcast Domain

Page 79

Controlling Network Latency

Page 80

Switch Forwarding Method (1)

• Store and Forward
  – When the switch receives the frame, it stores the data in buffers until the complete frame has been received.
  – During the storage process, the switch analyzes the frame for information about its destination.
  – In this process, the switch also performs an error check using the Cyclic Redundancy Check (CRC) trailer portion of the Ethernet frame.

Switch Forwarding Method (2)

• Cut Through
– Fast-forward switching:
• Fast-forward switching offers the lowest level of latency. Fast-forward switching immediately forwards a packet after reading the destination address.
• In fast-forward mode, latency is measured from the first bit received to the first bit transmitted.
• Fast-forward switching is the typical cut-through method of switching.

Switch Forwarding Method (3)

– Fragment-free switching:
• The switch stores the first 64 bytes of the frame before forwarding.
• The reason fragment-free switching stores only the first 64 bytes of the frame is that most network errors and collisions occur during the first 64 bytes.
• Fragment-free switching tries to enhance cut-through switching by performing a small error check on the first 64 bytes of the frame to ensure that a collision has not occurred before forwarding the frame.
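The three forwarding methods applied to the same frame, as an added example that is not part of the original slides: it builds an Ethernet frame with its CRC-32 FCS trailer and shows that only store-and-forward catches a bit error, while fragment-free catches only a collision fragment shorter than 64 bytes. The MAC addresses, payload and the damaged frames are constructed for the example.

```python
import struct
import zlib

# Minimum Ethernet frame is 64 bytes including the 4-byte FCS; fragment-free mode waits
# for exactly this many bytes before forwarding.
MIN_FRAME_LEN = 64
DST_MAC_LEN = 6          # fast-forward mode forwards once the destination MAC is in


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Assemble an Ethernet II frame and append its FCS.

    The FCS is the IEEE CRC-32 over header + payload (zlib.crc32 uses the same
    polynomial and conventions), transmitted least-significant byte first.
    """
    body = dst + src + struct.pack("!H", ethertype) + payload
    body = body.ljust(MIN_FRAME_LEN - 4, b"\x00")   # pad so body + FCS >= 64 bytes
    fcs = zlib.crc32(body) & 0xFFFFFFFF
    return body + struct.pack("<I", fcs)


def fcs_valid(frame: bytes) -> bool:
    """Store-and-forward error check: recompute the CRC over everything but the trailer."""
    if len(frame) < MIN_FRAME_LEN:
        return False                                 # runt: cannot even carry a valid FCS
    body, trailer = frame[:-4], frame[-4:]
    return (zlib.crc32(body) & 0xFFFFFFFF) == struct.unpack("<I", trailer)[0]


def decide(frame: bytes, method: str) -> dict:
    """Apply one forwarding method to one received frame.

    Returns how many bytes the switch had to buffer before deciding and whether
    the frame is forwarded.
    """
    if method == "store-and-forward":
        # Buffer the whole frame, then check the CRC trailer before forwarding.
        return {"examined": len(frame), "forward": fcs_valid(frame)}
    if method == "fast-forward":
        # Forward as soon as the destination MAC has been read; no error check at all.
        return {"examined": DST_MAC_LEN, "forward": len(frame) >= DST_MAC_LEN}
    if method == "fragment-free":
        # Wait for the first 64 bytes: anything shorter is a collision fragment and is
        # dropped, but a CRC error further into the frame is not detected.
        return {"examined": min(len(frame), MIN_FRAME_LEN),
                "forward": len(frame) >= MIN_FRAME_LEN}
    raise ValueError(f"unknown forwarding method {method!r}")


def compare_methods(frame: bytes) -> dict:
    """Forward/drop verdict of all three methods for the same frame."""
    return {m: decide(frame, m)["forward"]
            for m in ("store-and-forward", "fast-forward", "fragment-free")}


def flip_bit(frame: bytes, index: int) -> bytes:
    """Corrupt one bit of the frame, the kind of damage the FCS exists to catch."""
    damaged = bytearray(frame)
    damaged[index] ^= 0x01
    return bytes(damaged)


# Constructed sample frames (addresses and payload are made up for this example).
GOOD = build_frame(bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"),
                   0x0800, b"hello")
CORRUPTED = flip_bit(GOOD, 20)   # bit error inside the padded payload
RUNT = GOOD[:40]                 # collision fragment: sender stopped before 64 bytes

if __name__ == "__main__":
    for name, frame in (("good", GOOD), ("crc-error", CORRUPTED), ("runt", RUNT)):
        print(f"{name:10s} {compare_methods(frame)}")
```

The "examined" count in each verdict is the latency trade-off the slides describe: 6 bytes, 64 bytes, or the whole frame before the first bit leaves the switch.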

Symmetric and Asymmetric switching (1)

• Asymmetric
– Asymmetric switching enables more bandwidth to be dedicated to a server switch port to prevent a bottleneck.
• This allows smoother traffic flows where multiple clients are communicating with a server at the same time.
• Memory buffering is required on an asymmetric switch.

Symmetric and Asymmetric switching (2)

• Symmetric
– On a symmetric switch all ports are of the same bandwidth.
– Symmetric switching is optimized for a reasonably distributed traffic load, such as in a peer-to-peer desktop environment.

** Most current switches are asymmetric switches because this type of switch offers the greatest flexibility.

Symmetric and Asymmetric switching (3)

Memory Buffering (1)

• Port-based Memory Buffering
– In port-based memory buffering, frames are stored in queues that are linked to specific incoming ports.
– A frame is transmitted to the outgoing port only when all the frames ahead of it in the queue have been successfully transmitted.
– It is possible for a single frame to delay the transmission of all the frames in memory because of a busy destination port.
– This delay occurs even if the other frames could be transmitted to open destination ports.

Memory Buffering (2)

• Shared Memory Buffering
– Shared memory buffering deposits all frames into a common memory buffer that all the ports on the switch share.
– The amount of buffer memory required by a port is dynamically allocated.
– The frames in the buffer are linked dynamically to the destination port.
– This allows the packet to be received on one port and then transmitted on another port, without moving it to a different queue.

Layer 2 & Layer 3 Switching

Layer 2 switching: the MAC address is used in the switching process.
Layer 3 switching: the IP address is used in the switching process.

Layer 3 Switch and Router

Test

Switch security (1)

• MAC Address Flooding
– MAC address flooding is a common attack.
– When a Layer 2 switch receives a frame, the switch looks in the MAC address table for the destination MAC address.
– As frames arrive on switch ports, the source MAC addresses are learned and recorded in the MAC address table.
– If an entry exists for the MAC address, the switch forwards the frame to the port designated for that MAC address in the MAC address table.
– If the MAC address does not exist in the table, the switch acts like a hub and forwards the frame out every port on the switch.

Switch security (2)

– MAC flooding makes use of the MAC table size limitation to bombard the switch with fake source MAC addresses until the switch MAC address table is full.
– The network intruder uses an attack tool to flood the switch with a large number of invalid source MAC addresses until the MAC address table fills up.

Switch security (3)

– When the MAC address table is full, the switch floods all ports with incoming traffic because it cannot find the port number for a particular MAC address in the MAC address table. The switch, in essence, acts like a hub.
– Some network attack tools can generate 155,000 MAC entries on a switch per minute.
– Over a short period of time, the MAC address table in the switch fills up until it cannot accept new entries.
– When the MAC address table fills up with invalid source MAC addresses, the switch begins to forward all frames that it receives to every port.

Switch security (4)

Switch security (5)

Spoofing Attack

Switch security (6)

• DHCP starvation attack
– The attacker PC continually requests IP addresses from a real DHCP server, changing its source MAC address on each request.
– If successful, this kind of DHCP attack causes all of the leases on the real DHCP server to be allocated, thus preventing the real users (DHCP clients) from obtaining an IP address.
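Detection logic for the starvation pattern just described, as an added example that is not part of the original slides: it runs over constructed DHCP DISCOVER log lines (a made-up format) and flags a port that presents too many distinct client hardware addresses in a short window, plus the related check that the DHCP chaddr matches the frame's source MAC. Port names, addresses and thresholds are constructed.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# Constructed sample log (made-up format and addresses, not from the slides): one line
# per DHCP DISCOVER an access switch saw, with the frame's source MAC and the client
# hardware address (chaddr) carried inside the DHCP message.
SAMPLE_LOG = """\
t=0  port=Fa0/1 src=00:1a:2b:3c:4d:01 chaddr=00:1a:2b:3c:4d:01 op=DISCOVER
t=2  port=Fa0/2 src=00:1a:2b:3c:4d:02 chaddr=00:1a:2b:3c:4d:02 op=DISCOVER
t=5  port=Fa0/7 src=de:ad:be:ef:00:01 chaddr=de:ad:be:ef:00:01 op=DISCOVER
t=5  port=Fa0/7 src=de:ad:be:ef:00:02 chaddr=de:ad:be:ef:00:02 op=DISCOVER
t=6  port=Fa0/7 src=de:ad:be:ef:00:03 chaddr=de:ad:be:ef:00:03 op=DISCOVER
t=6  port=Fa0/7 src=de:ad:be:ef:00:04 chaddr=de:ad:be:ef:00:04 op=DISCOVER
t=7  port=Fa0/7 src=de:ad:be:ef:00:05 chaddr=de:ad:be:ef:00:05 op=DISCOVER
t=9  port=Fa0/7 src=de:ad:be:ef:00:05 chaddr=de:ad:be:ef:00:06 op=DISCOVER
t=40 port=Fa0/1 src=00:1a:2b:3c:4d:01 chaddr=00:1a:2b:3c:4d:01 op=DISCOVER
"""


def parse_log(text: str) -> List[Dict[str, str]]:
    """Turn each 'key=value ...' line into a dict; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(token.split("=", 1) for token in line.split())
        fields["t"] = int(fields["t"])
        events.append(fields)
    return events


def detect_starvation(events, window: int = 30, max_clients: int = 3) -> List[Tuple[int, str, str]]:
    """Flag ports whose DISCOVERs look like a starvation tool rather than real clients.

    Two checks, each raised at most once per port:
      * 'starvation'      more than max_clients distinct chaddr values on one port
                          within `window` seconds (a normal access port serves few hosts)
      * 'chaddr-mismatch' the DHCP chaddr differs from the frame's source MAC, a
                          consistency check DHCP snooping can also enforce per port
    """
    recent: Dict[str, Deque[Tuple[int, str]]] = defaultdict(deque)
    raised = set()
    alerts = []
    for ev in events:
        if ev["op"] != "DISCOVER":
            continue
        port, now = ev["port"], ev["t"]
        q = recent[port]
        q.append((now, ev["chaddr"]))
        while q and now - q[0][0] > window:        # slide the window forward
            q.popleft()
        distinct = len({mac for _, mac in q})
        if distinct > max_clients and (port, "starvation") not in raised:
            raised.add((port, "starvation"))
            alerts.append((now, port, "starvation"))
        if ev["chaddr"] != ev["src"] and (port, "chaddr-mismatch") not in raised:
            raised.add((port, "chaddr-mismatch"))
            alerts.append((now, port, "chaddr-mismatch"))
    return alerts


if __name__ == "__main__":
    for alert in detect_starvation(parse_log(SAMPLE_LOG)):
        print("t=%d port=%s %s" % alert)
```

Only Fa0/7 is flagged: Fa0/1 repeats the same client address well outside the window, which is what a normal renewing host looks like.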

Switch security (7)

DHCP Snooping

Switch Security (8)

• CDP Attacks
– CDP contains information about the device, such as the IP address, software version, platform, capabilities, and the native VLAN.
– When this information is available to an attacker, they can use it to find exploits to attack your network, typically in the form of a Denial of Service (DoS) attack.
– Because CDP is unauthenticated and unencrypted, an attacker could craft bogus CDP packets and have them received by the attacker's directly connected Cisco device.
– To address this vulnerability, it is recommended that you disable the use of CDP on devices that do not need to use it.

Switch security (9)

• Telnet Attacks
• The Telnet protocol can be used by an attacker to gain remote access to a Cisco network switch.
• You can configure a login password for the vty lines and set the lines to require password authentication to gain access.
• This provides an essential and basic level of security to help protect the switch from unauthorized access.
• However, it is not a secure method of securing access to the vty lines.

Switch security (10)

• Brute Force Password Attack
• The first phase of a brute force password attack starts with the attacker using a list of common passwords and a program designed to try to establish a Telnet session using each word on the dictionary list.
• In the second phase of a brute force attack, the attacker uses a program that creates sequential character combinations in an attempt to "guess" the password.
– Given enough time, a brute force password attack can crack almost all passwords used.
• More advanced configurations allow you to limit who can communicate with the vty lines by using access lists.

Switch security (11)

• DoS Attack
• In a DoS attack, the attacker exploits a flaw in the Telnet server software running on the switch that renders the Telnet service unavailable.
• This sort of attack is mostly a nuisance because it prevents an administrator from performing switch management functions.
• Vulnerabilities in the Telnet service that permit DoS attacks to occur are usually addressed in security patches that are included in newer Cisco IOS revisions.

Switch security (12)

Configuring switch security (13)

Basic Switch configuration

W.lilakiatsakun

Boot sequence (1)

• The switch loads the boot loader software. The boot loader is a small program stored in NVRAM and is run when the switch is first turned on.
• The boot loader:
– Performs low-level CPU initialization. It initializes the CPU registers, which control where physical memory is mapped, the quantity of memory, and its speed.
– Performs power-on self-test (POST) for the CPU subsystem. It tests the CPU DRAM and the portion of the flash device that makes up the flash file system.

Boot sequence (2)

– Initializes the flash file system on the system board.
– Loads a default operating system software image into memory and boots the switch. The boot loader finds the Cisco IOS image on the switch by first looking in a directory that has the same name as the image file (excluding the .bin extension).
• If it does not find it there, the boot loader software searches each subdirectory before continuing the search in the original directory.
• The operating system then initializes the interfaces using the Cisco IOS commands found in the operating system configuration file, config.text, stored in the switch flash memory.

Recover from system crash

• The boot loader also provides access into the switch if the operating system cannot be used.
• The boot loader has a command-line facility that provides access to the files stored on Flash memory before the operating system is loaded.
• From the boot loader command line you can enter commands to format the flash file system, reinstall the operating system software image, or recover from a lost or forgotten password.

Managing interfaces (1)

• An access layer switch is much like a PC in that you need to configure an IP address, a subnet mask, and a default gateway.
• To manage a switch remotely using TCP/IP, you need to assign the switch an IP address.
• In the figure, you want to manage S1 from PC1, a computer used for managing the network. To do this, you need to assign switch S1 an IP address.
– This IP address is assigned to a virtual interface called a virtual LAN (VLAN), and then it is necessary to ensure the VLAN is assigned to a specific port or ports on the switch.
• The default configuration on the switch is to have the management of the switch controlled through VLAN 1. However, a best practice for basic switch configuration is to change the management VLAN to a VLAN other than VLAN 1.

Managing interfaces (2)

Managing interfaces (3)

Managing interfaces (4)

Managing interfaces (5)

• Use the show ip interface brief command to verify port operation and status.
• The mdix auto Command
• When the auto-MDIX feature is enabled, the switch detects the required cable type for copper Ethernet connections and configures the interfaces accordingly.
– Therefore, you can use either a crossover or a straight-through cable for connections to a copper 10/100/1000 port on the switch, regardless of the type of device on the other end of the connection.
• The auto-MDIX feature is enabled by default on switches running Cisco IOS Release 12.2(18)SE or later. For releases between Cisco IOS Release 12.1(14)EA1 and 12.2(18)SE, the auto-MDIX feature is disabled by default.

Managing interfaces (6)

• Configure Duplex and Speed
• You can use the duplex interface configuration command to specify the duplex mode of operation for switch ports.
• You can manually set the duplex mode and speed of switch ports to avoid inter-vendor issues with autonegotiation.
• Although there can be issues when you configure switch port duplex settings to auto, in this example, S1 and S2 switches have the same duplex settings and speeds.

Managing interfaces (7)

Managing MAC Address Table (1)

• Switches use MAC address tables to determine how to forward traffic between ports.
– These MAC tables include dynamic and static addresses.
• Dynamic addresses are source MAC addresses that the switch learns and then ages out when they are not in use.
• You can change the aging time setting for MAC addresses.
– The default time is 300 seconds.
– Setting too short an aging time can cause addresses to be prematurely removed from the table.
– Setting too long an aging time can cause the address table to be filled with unused addresses, which prevents new addresses from being learned.

Managing MAC Address Table (2)

• The switch provides dynamic addressing by learning the source MAC address of each frame that it receives on each port.
• The switch then adds the source MAC address and its associated port number to the MAC address table.
• As computers are added or removed from the network, the switch updates the MAC address table, adding new entries and aging out those that are currently not in use.

Managing MAC Address Table (3)

• A network administrator can specifically assign static MAC addresses to certain ports.
• Static addresses are not aged out, and the switch always knows which port to send out traffic destined for that specific MAC address.
• As a result, there is no need to relearn or refresh which port the MAC address is connected to.
• One reason to implement static MAC addresses is to provide the network administrator complete control over access to the network.
– Only those devices that are known to the network administrator can connect to the network.

Managing MAC Address Table (4)

• To create a static mapping in the MAC address table, use the
– mac-address-table static <MAC address> vlan {1-4096, ALL} interface interface-id
• To remove a static mapping in the MAC address table, use the
– no mac-address-table static <MAC address> vlan {1-4096, ALL} interface interface-id
• The maximum size of the MAC address table varies with different switches.
– For example, the Catalyst 2960 series switch can store up to 8,192 MAC addresses.
– There are other protocols that may limit the absolute number of MAC addresses available to a switch.
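One model serving both the MAC Address Flooding slides (Switch security 1 to 3) and the MAC address table points above, as an added example that is not part of the original slides or Cisco's code: a table with a capacity limit, 300-second aging, static entries that never age, the flood fallback for unknown destinations, and a per-port alarm on the rate of new source MACs, which is the check a defender wants against a flooding tool. The capacity of 1,000, the thresholds and all addresses are constructed for the example.

```python
from collections import deque
from typing import Deque, Dict, List, Optional, Tuple

FLOOD = "FLOOD"   # sentinel: frame goes out every port except the one it arrived on


class MacTable:
    """Model of a switch MAC address table (constructed for this example, not Cisco code).

    capacity:      maximum number of entries (the slides cite 8,192 for a Catalyst 2960)
    aging_time:    seconds after which an unused dynamic entry is removed (default 300)
    learn_limit:   alarm when one port presents more than this many new source MACs
    learn_window:  ... within this many seconds (the signature of a flooding tool)
    """

    def __init__(self, capacity=8192, aging_time=300, learn_limit=50, learn_window=60):
        self.capacity, self.aging_time = capacity, aging_time
        self.learn_limit, self.learn_window = learn_limit, learn_window
        # mac -> (port, last_seen); last_seen is None for static entries, which never age
        self.entries: Dict[str, Tuple[str, Optional[int]]] = {}
        self.new_macs: Dict[str, Deque[int]] = {}   # per-port timestamps of new learns
        self.alarms: List[Tuple[int, str]] = []
        self.dropped_learns = 0

    def add_static(self, mac: str, port: str) -> None:
        """Equivalent of a static mac-address-table entry: pinned, never aged or moved."""
        self.entries[mac] = (port, None)

    def age_out(self, now: int) -> int:
        """Remove dynamic entries not refreshed within aging_time; returns how many."""
        expired = [m for m, (_, seen) in self.entries.items()
                   if seen is not None and now - seen > self.aging_time]
        for m in expired:
            del self.entries[m]
        return len(expired)

    def learn(self, src_mac: str, port: str, now: int) -> bool:
        """Record the source MAC of a frame received on `port`; False if it was dropped."""
        self.age_out(now)
        if src_mac in self.entries:
            if self.entries[src_mac][1] is not None:     # refresh dynamic, keep static
                self.entries[src_mac] = (port, now)
            return True
        # A never-seen address: count it against the port's learning rate first.
        q = self.new_macs.setdefault(port, deque())
        q.append(now)
        while q and now - q[0] > self.learn_window:
            q.popleft()
        if len(q) > self.learn_limit and port not in {p for _, p in self.alarms}:
            self.alarms.append((now, port))
        if len(self.entries) >= self.capacity:
            self.dropped_learns += 1                     # table full: cannot learn
            return False
        self.entries[src_mac] = (port, now)
        return True

    def lookup(self, dst_mac: str, now: int) -> str:
        """Egress port for a destination MAC, or FLOOD when the switch does not know it."""
        self.age_out(now)
        entry = self.entries.get(dst_mac)
        return entry[0] if entry else FLOOD


def run_flood_scenario(capacity: int = 1000) -> dict:
    """Legitimate host A is known; a tool on Fa0/7 then presents 1,200 bogus source MACs."""
    table = MacTable(capacity=capacity, learn_limit=50, learn_window=60)
    host_a, host_b = "00:1a:2b:3c:4d:01", "00:1a:2b:3c:4d:02"   # constructed addresses
    table.learn(host_a, "Fa0/1", now=0)
    learned = sum(table.learn(f"de:ad:be:ef:{i >> 8:02x}:{i & 0xff:02x}", "Fa0/7", now=1)
                  for i in range(1200))
    dropped = table.dropped_learns
    table.learn(host_b, "Fa0/2", now=5)      # new legitimate host: table already full
    result = {
        "learned_bogus": learned,
        "dropped_during_flood": dropped,
        "alarm": table.alarms[0] if table.alarms else None,
        "victim_during_flood": table.lookup(host_a, now=5),    # still known
        "new_host_during_flood": table.lookup(host_b, now=5),  # unknown -> flooded
    }
    # With the tool silent, the bogus entries age out and B can be learned again.
    table.learn(host_b, "Fa0/2", now=320)
    result["new_host_after_aging"] = table.lookup(host_b, now=320)
    return result


if __name__ == "__main__":
    for key, value in run_flood_scenario().items():
        print(f"{key:24s} {value}")
```

A real flooding tool keeps transmitting so the bogus entries are refreshed and never age out, which is why the per-port alarm (or a port-security style limit on learned addresses) matters more than the aging timer.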

Verifying switch configuration

Backup and Restore switch configurations

Backup to TFTP server

• Step 1. Verify that the TFTP server is running on your network.
• Step 2. Log in to the switch through the console port or a Telnet session. Enable the switch and then ping the TFTP server.
• Step 3. Upload the switch configuration to the TFTP server. Specify the IP address or hostname of the TFTP server and the destination filename. The Cisco IOS command is:

#copy system:running-config tftp:[[[//location]/directory]/filename]
#copy nvram:startup-config tftp:[[[//location]/directory]/filename]

Restore from TFTP server

• Step 1. Copy the configuration file to the appropriate TFTP directory on the TFTP server if it is not already there.
• Step 2. Verify that the TFTP server is running on your network.
• Step 3. Log in to the switch through the console port or a Telnet session. Enable the switch and then ping the TFTP server.
• Step 4. Download the configuration file from the TFTP server to configure the switch. Specify the IP address or hostname of the TFTP server and the name of the file to download. The Cisco IOS command is:

#copy tftp:[[[//location]/directory]/filename] system:running-config
or
#copy tftp:[[[//location]/directory]/filename] nvram:startup-config

Clearing Configuration Information

• You can clear the configuration information from the startup configuration.
• To clear the contents of your startup configuration, use the
– erase nvram:
– erase startup-config

Configure Console Password

Configure Virtual Terminal Access

Configure EXEC Mode Password

Password Recovery steps (1)

• Step 1. Connect a terminal or PC with terminal-emulation software to the switch console port.
• Step 2. Set the line speed on the emulation software to 9600 baud.
• Step 3. Power off the switch. Reconnect the power cord to the switch and within 15 seconds, press the Mode button while the System LED is still flashing green. Continue pressing the Mode button until the System LED turns briefly amber and then solid green. Then release the Mode button.
• Step 4. Initialize the Flash file system using the flash_init command.
• Step 5. Load any helper files using the load_helper command.
• Step 6. Display the contents of Flash memory using the dir flash command:

Directory of flash:
13 drwx 192 Mar 01 1993 22:30:48 c2960-lanbase-mz.122-25.FX
11 -rwx 5825 Mar 01 1993 22:31:59 config.text
18 -rwx 720 Mar 01 1993 02:21:30 vlan.dat
16128000 bytes total (10003456 bytes free)


Password Recovery steps (2)
• Step 7. Rename the configuration file, which contains the password definition, to config.text.old using the rename flash:config.text flash:config.text.old command. Under the new name it is not loaded at boot, so the switch comes up with an empty configuration and no password.
• Step 8. Boot the system with the boot command.
• Step 9. You are prompted to start the setup program.
 – Enter N at the prompt, and then, when the system prompts whether to continue with the configuration dialog, enter N.
• Step 10. At the switch prompt, enter privileged EXEC mode using the enable command.
• Step 11. Rename the configuration file to its original name using the rename flash:config.text.old flash:config.text command.


Password Recovery steps (3)
• Step 12. Copy the configuration file into memory using the copy flash:config.text system:running-config command. After this command has been entered, the following is displayed on the console:

 Source filename [config.text]?
 Destination filename [running-config]?

• Press Return in response to the confirmation prompts. The configuration file is now reloaded, and you can change the password.
• Step 13. Enter global configuration mode using the configure terminal command.


Password Recovery steps (4)
• Step 14. Change the password using the enable secret password command. Use enable secret, which stores a one-way hash of the password, rather than enable password, which stores it in clear text or in the reversible type 7 encoding.
• Step 15. Return to privileged EXEC mode using the exit command.
• Step 16. Write the running configuration to the startup configuration file using the copy running-config startup-config command.
• Step 17. Reload the switch using the reload command.
• Nothing in this procedure requires a credential: anyone with physical access to the console port and the power cord can replace the enable secret in minutes and, once Step 12 has loaded the old configuration, can read every other secret it contains. Console ports and wiring closets therefore need physical access control, and an unexplained reload of an access switch is worth investigating.


Configure Login & MOTD Banner


Configuring Telnet
• Telnet is the default vty-supported protocol on a Cisco switch.
• Initially, the vty lines are unsecured, allowing access by any user attempting to connect to them; at minimum a line password with login, or login local with a local username database, must be configured.
• Telnet carries the login password and every subsequent command in clear text, so anyone who can capture traffic on the path to the switch obtains management access. Use SSH (transport input ssh) on the vty lines wherever the IOS image supports it, and restrict which addresses may connect with an access-class ACL.
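The four title-only slides above (console password, virtual terminal access, EXEC mode password, login and MOTD banner) and this Telnet slide all concern the same small set of line and password commands. The following is an added example, not taken from the original deck, that shows those commands together with the vty lines switched from Telnet to SSH (which needs a cryptographic k9 IOS image); the hostname, domain name, username, passwords, management subnet and ACL number are assumptions chosen for illustration.

```cisco
! Added example, not from the original deck. Names, passwords and addresses are assumed.
hostname S1
ip domain-name example.com
! Privileged EXEC password: "enable secret" stores a one-way hash,
! unlike "enable password", whose type 7 encoding is reversible
enable secret Sw1tch-Enable-Pa55
! Local account used by "login local" on the console and vty lines
username admin privilege 15 secret Adm1n-Pa55w0rd
! Obfuscates any remaining plain-text line passwords (type 7, reversible,
! so it defends against shoulder surfing, not against someone who has the file)
service password-encryption
! Shown before the login prompt; keep it free of system details
banner motd #
Unauthorised access to this device is prohibited. All activity is logged.
#
! Console port: authenticate against the local database, time out idle sessions
line console 0
 login local
 exec-timeout 5 0
 logging synchronous
! SSH needs a hostname, a domain name and an RSA host key; 2048 bits avoids
! the weak default key length on older images
crypto key generate rsa modulus 2048
ip ssh version 2
! Only the management subnet may open a vty session; anything else is logged
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 deny any log
line vty 0 15
 access-class 10 in
 login local
 transport input ssh
 exec-timeout 5 0
! Verification: SSH version and key in use, and the effective vty settings
show ip ssh
show running-config | begin line vty
```

After this is applied, a Telnet client is refused at the TCP level and a login attempt from outside 192.168.10.0/24 produces a logged ACL deny, which is the event a SOC should alert on.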


Configuring Port security (1)
• Secure MAC Address Types
• Static secure MAC addresses: MAC addresses are manually configured by using the switchport port-security mac-address mac-address interface configuration command.
 – MAC addresses configured in this way are stored in the address table and are added to the running configuration on the switch.
• Dynamic secure MAC addresses: MAC addresses are dynamically learned and stored only in the address table.
 – MAC addresses learned in this way are removed when the switch restarts.
• Sticky secure MAC addresses: You can configure a port to dynamically learn MAC addresses and then save these MAC addresses to the running configuration.


Configuring Port security (2)
• Sticky MAC Addresses
• When you enable sticky learning on an interface by using the switchport port-security mac-address sticky interface configuration command,
 – the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses and adds all sticky secure MAC addresses to the running configuration.
 – Sticky learning trusts whatever device is connected at the moment it is enabled, so enable it only while the legitimate host is attached, and check the learned address with show port-security address.
• If you disable sticky learning by using the no switchport port-security mac-address sticky interface configuration command, or the running configuration is removed, the sticky secure MAC addresses remain part of the running configuration but are removed from the address table.
 – The addresses that were removed can be dynamically relearned and added to the address table as dynamic addresses.


Configuring Port security (3)
• When you configure sticky secure MAC addresses by using the switchport port-security mac-address sticky mac-address interface configuration command, these addresses are added to the address table and the running configuration.
 – If port security is disabled, the sticky secure MAC addresses remain in the running configuration.
• If you save the sticky secure MAC addresses in the configuration file, when the switch restarts or the interface shuts down, the interface does not need to relearn these addresses.
 – If you do not save the sticky secure addresses, they are lost. If sticky learning is disabled, the sticky secure MAC addresses are converted to dynamic secure addresses and are removed from the running configuration. (The previous slide describes a different outcome for the same command; the behaviour depends on the IOS release, so confirm it with show port-security address and show running-config interface after changing the setting.)


Configuring Port security (4)
• Security Violation Modes
• A security violation occurs in either of these situations:
 – The maximum number of secure MAC addresses has been added to the address table, and a station whose MAC address is not in the address table attempts to access the interface.
 – An address learned or configured on one secure interface is seen on another secure interface in the same VLAN.
• Violation modes are configured on a port:
• protect: When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred, so this mode leaves no log entry or counter for the attempt; where the port must stay up, restrict gives the same protection with evidence.


Configuring Port security (5)
• restrict: When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. In this mode, you are notified that a security violation has occurred. Specifically, an SNMP trap is sent, a syslog message is logged, and the violation counter increments.
• shutdown: In this mode, a port security violation causes the interface to immediately become error-disabled and turns off the port LED. It also sends an SNMP trap, logs a syslog message, and increments the violation counter.
 – When a secure port is in the error-disabled state, you can bring it out of this state by entering the shutdown and no shutdown interface configuration commands. This is the default mode.
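Putting the previous port-security slides together, here is an added example, not from the original deck, of an access port configured with sticky learning and the restrict violation mode, plus automatic recovery for ports that are left in the default shutdown mode; the interface name, VLAN number and recovery interval are assumptions chosen for illustration.

```cisco
! Added example, not from the original deck. Interface, VLAN and timer are assumed.
interface FastEthernet0/5
 description Single user workstation
 ! port security is rejected on a port in the default "dynamic auto" mode,
 ! so the port must be a static access (or trunk) port first
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ! one workstation; a second source MAC on this port is a violation
 switchport port-security maximum 1
 ! learn the first MAC seen and write it into the running configuration
 switchport port-security mac-address sticky
 ! restrict: drop the offending frames, send a syslog message and SNMP trap
 ! and increment the counter, but keep the port up for the legitimate host
 switchport port-security violation restrict
exit
! Ports that keep the default "shutdown" mode go error-disabled on a
! violation; instead of waiting for an operator to enter shutdown / no
! shutdown, let the switch re-enable them after 5 minutes
errdisable recovery cause psecure-violation
errdisable recovery interval 300
end
! Sticky addresses exist only in the running configuration until saved;
! without this they are relearned from whatever is plugged in after a reload
copy running-config startup-config
! Verification: violation mode, learned addresses and the violation counter
show port-security interface FastEthernet0/5
show port-security address
! Ports currently error-disabled, and the cause
show interfaces status err-disabled
```

The violation counter and the Last Source Address field in show port-security interface are what to pull when a restrict-mode syslog message arrives, since they identify the MAC that tried to use the port.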


Configuring Port security (6)

Configuring Port security (7)

Configuring Port security (8)

Configuring Port security (9)

Configuring Port security (10)

Configuring Port security (11)

Configuring Port security (12)
• Disable Unused Ports
• A simple method many administrators use to help secure their network from unauthorized access is to disable all unused ports on a network switch.
• It is simple to disable multiple ports on a switch. Navigate to each unused port and issue the Cisco IOS shutdown command.
• An alternate way to shut down multiple ports is to use the interface range command.
 – If a port needs to be activated, you can manually enter the no shutdown command on that interface.
• A disabled port protects only until someone enables it: give each unused port a description that says so and review show interfaces status periodically, so that a port that has quietly come back up is noticed.
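The interface range procedure described above, as an added example that is not part of the original deck; the port range and the parking VLAN number are assumptions, and placing the ports in an unused VLAN is an extra step beyond the slide so that an accidental no shutdown does not put the port straight into a production VLAN.

```cisco
! Added example, not from the original deck. Port range and VLAN number are assumed.
! Shut down every unused port in one pass and park it in an unused VLAN
interface range FastEthernet0/10 - 24
 description UNUSED - enable only through change control
 switchport mode access
 switchport access vlan 999
 shutdown
exit
! Re-enabling a single port later, once its use is approved
interface FastEthernet0/12
 description Printer, approved 2nd floor
 switchport access vlan 10
 no shutdown
end
! Check: every unused port should show "disabled" in the Status column
show interfaces status
```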