Switch Concepts and Configuration

Last Updated : 01 Jan, 2023

A switch is a discrete piece of hardware that connects various computers to a single local area network (LAN). In the OSI model, network switches function at layer 2 (Data link layer).

  • Switches forward frames on the basis of MAC addresses.
  • The switch delivers data only to the device it is addressed to.
  • It checks the destination address before forwarding the frame to the correct port.
  • It operates in full duplex.
  • Because source and destination communicate over a dedicated path through the switch, collisions are minimal.
  • It does not broadcast every message to all ports, which conserves the limited bandwidth.

Switching

Messages are sent over the network of transmission media when a person uses the internet or another computer network from a location other than their immediate area. Switching is the term used to describe this method of moving data between computer networks.

Ethernet

Ethernet is the usual method of communication on LANs: devices connected to the same Ethernet segment listen to the network media to determine whether they can transmit or must wait. Switches allow several devices to access the media simultaneously, while hubs allow only one device to transmit at a time. There are three different methods of message transmission in Ethernet communication: Unicast, Multicast, and Broadcast.

  • Unicast- In a unicast transmission there is just one sender and one recipient: a frame is sent from one node to one particular destination. This is the most common form of communication on contemporary LANs, especially with internet-based protocols like HTTP, Telnet, and others.
  • Multicast- In multicast communication the sender sends a frame to several nodes on the Ethernet segment at once. For instance, a user in a teleconference may need to talk to three other users simultaneously; multicast frames are used in this situation.
  • Broadcast- In broadcast transmission a frame is delivered to every device on the LAN. This is useful when the message is intended for every node on the segment.

Addressing

Ethernet uses physical addresses, usually MAC addresses, and frames are addressed with them. Frames are created when packets are received from the network layer; encapsulation adds details such as the source and destination MAC addresses.

MAC Address

  • The MAC address is the address used in Ethernet. It is 48 bits long and is written as hexadecimal digits.
  • When discussing layer 3 addressing, we stated that an IP address is divided into two segments: the network segment and the host segment. A MAC address is also divided into two parts:
    • OUI (Organizationally Unique Identifier)
    • the vendor-assigned number
  • The first 24 bits of the MAC address make up the OUI. Typically it is the code that the IEEE has assigned to a specific vendor. For instance, a typical OUI on Cisco switches is 0009.7C.
  • The next 24 bits are assigned by the vendor of that specific device and give the device's hardware a distinct identity.
  • The complete MAC address is usually permanently hard-coded into the switch's circuitry.
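The following added Python example is not from the article; it shows the OUI / vendor-assigned split described above and also classifies an address as unicast, multicast or broadcast (the three transmission modes from the Ethernet section) by inspecting the first octet. The sample addresses are constructed for the demonstration; only the 0009.7C OUI comes from the text.

```python
import re

# Sample addresses constructed for this example (not taken from the article).
SAMPLE_MACS = [
    "0009.7c12.3456",     # Cisco dotted notation, OUI 00:09:7c
    "00:09:7C:AB:CD:EF",  # colon notation
    "00-09-7c-00-00-01",  # hyphen notation
    "01:00:5e:00:00:fb",  # IPv4 multicast group address (I/G bit set)
    "ff:ff:ff:ff:ff:ff",  # broadcast
]


def normalize_mac(mac: str) -> bytes:
    """Accept dotted, colon or hyphen notation and return the six raw bytes."""
    hexdigits = re.sub(r"[.:\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", hexdigits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)


def split_mac(mac: str) -> dict:
    """Return the OUI, the vendor-assigned part and the address type."""
    raw = normalize_mac(mac)
    first = raw[0]
    if raw == b"\xff" * 6:
        kind = "broadcast"
    elif first & 0x01:          # least significant bit of the first octet: I/G bit
        kind = "multicast"
    else:
        kind = "unicast"
    return {
        "oui": ":".join(f"{b:02x}" for b in raw[:3]),              # first 24 bits
        "vendor_assigned": ":".join(f"{b:02x}" for b in raw[3:]),  # last 24 bits
        "locally_administered": bool(first & 0x02),                # U/L bit
        "kind": kind,
    }


if __name__ == "__main__":
    for mac in SAMPLE_MACS:
        print(mac, split_mac(mac))
```

Every notation a Cisco `show mac address-table` or a host's interface listing might produce is normalised first, so the OUI lookup does not depend on how the address was written.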

Operation modes in Ethernet

Ethernet networks have two modes of operation; the duplex mode decides whether communication is unidirectional or bidirectional at any moment. The two duplex modes are Half Duplex and Full Duplex.

  • Half Duplex- Data transfer is one-way at a time, so a device can either send or receive frames, not both simultaneously. This form of communication was used when hubs were prevalent in networks. It is like a walkie-talkie, where you can only talk or listen at any given moment. CSMA/CD is used to reduce collisions, because they are likely to occur with half-duplex communication.
  • Full Duplex- Bidirectional data flow is possible, meaning that devices in this mode can send and receive frames simultaneously. This is the default mode of operation in contemporary switches, and the risk of collisions is very low.

MAC Address Table

Routers base their forwarding decisions on the data in the routing table. Similarly, switches keep an address database: the MAC address table is the foundation for how the switch forwards frames. The switch uses this table to identify the source and destination of frames during communication. The following actions take place when a switch forwards a frame.

  1. The switch receives a frame on a port.
  2. The switch checks whether the frame's source MAC address is already in its MAC address table. If it is not, it adds the source MAC address, together with the port it arrived on, to the table.
  3. The switch then checks whether the table contains an entry for the frame's destination MAC address. If it does not, it floods the frame out of all ports except the one it arrived on.
  4. When the destination node replies, the switch adds its MAC address to the table, and any further communication with this node is unicast rather than flooded.

Configuring the Switch

The configuration modes include user EXEC mode, privileged EXEC mode, global configuration mode, interface configuration mode, and several more specific configuration modes. Here we will set up some of a switch's fundamental settings, such as:

  • Hostnames
  • passwords and banners
  • IP address management
  • settings for duplex mode
  • Vty lines and console lines.

The configuration topology that we’ll be employing is displayed below.

Figure: configuration topology
This topology has one switch and two hosts. We will use the console cable to set up the switch. Follow the procedures below to build this topology in Packet Tracer or a physical lab.

Hostnames, Console & Vty lines, Banners, and Passwords

Unlike some older Catalyst switches, contemporary switches such as the Cisco 2960 used here run Cisco IOS. To set most parameters on the command line interface of SWITCH 1, we must enter global configuration mode. Enter the following commands to get there.

Switch>enable
Switch#configure terminal

Explanation:

The first command, enable, grants access to privileged EXEC mode; the second command, configure terminal, enters global configuration mode.

In global configuration mode we first change the switch's hostname from "Switch" to "SWITCH_1". The command hostname <SWITCH_HOSTNAME> accomplishes this.

The command in our scenario is displayed below.

Switch(config)#hostname SWITCH_1

When this command is run, the prompt changes from "Switch(config)#" to "SWITCH_1(config)#".

Next we configure the console line and the five vty (telnet) lines: the password, the exec timeout, and logging synchronous. The commands below set the password on both kinds of line to "cisco" and the idle timeout to 15 minutes.

SWITCH_1(config)#line console 0
SWITCH_1(config-line)#password cisco
SWITCH_1(config-line)#login
SWITCH_1(config-line)#logging synchronous
SWITCH_1(config-line)#exec-timeout 15 0
SWITCH_1(config-line)#exit
SWITCH_1(config)#line vty 0 4
SWITCH_1(config-line)#password cisco
SWITCH_1(config-line)#login
SWITCH_1(config-line)#logging synchronous
SWITCH_1(config-line)#exec-timeout 15 0
SWITCH_1(config-line)#exit

Explanation:

The command logging synchronous stops unsolicited console messages from appearing in the middle of the command you are typing.

A banner displays a notice when someone tries to access the switch. We have already discussed some of the factors that could influence an administrator's decision to use a banner. In this instance we use a message-of-the-day banner, configured with the command:

banner motd #<MESSAGE>#

The pound sign is the delimiter that marks the beginning and end of the message. Here the message "WARNING. AUTHORIZED ACCESS ONLY!!!" is used, and it is configured on SWITCH_1 with the command shown below.

SWITCH_1(config)#banner motd #WARNING. AUTHORIZED ACCESS ONLY!!!#

When configuring routers, we saw that an IP address is required to reach the router remotely through the vty lines. Like a PC, a switch needs an IP address, subnet mask, and default gateway. This IP address is used to manage the switch.

  • CISCO switches use VLAN 1 by default as the management VLAN, although it is recommended to modify this as it may present a security risk.
  • We must build a management VLAN and give it a management IP address in order to enable management of the switch via a management interface. In our situation, we’ll utilize VLAN 99 and assign it the IP address 192.168.99.1, enabling remote telnet management of the switch.
  • In order for the switch to be able to access traffic from distant networks, we also need to configure the default gateway.
  • The default gateway in our scenario will be 192.168.1.1.

We carry out the procedures listed below to configure the management interface.

NOTE: An SVI (Switched Virtual Interface) is configured with the "interface vlan" command.

Step 1: Create the VLAN 99 management VLAN interface with the following command:

SWITCH_1(config)#interface vlan 99

Step 2: Give the interface an IP address and subnet mask, then bring it up with the no shutdown command.

SWITCH_1(config-if)#ip address 192.168.99.1 255.255.255.0
SWITCH_1(config-if)#no shutdown
SWITCH_1(config-if)#exit

Step 3: Assign one of the switch interfaces to management VLAN 99, as shown below, and save the configuration.

SWITCH_1(config)#interface fa0/5
SWITCH_1(config-if)#switchport mode access
SWITCH_1(config-if)#switchport access vlan 99
SWITCH_1(config-if)#end
SWITCH_1#copy running-config startup-config

The command "ip default-gateway <IP address>" sets the default gateway so that traffic destined for remote networks can be forwarded. In our scenario it is executed with 192.168.1.1 as the default gateway, as shown below.

SWITCH_1(config)#ip default-gateway 192.168.1.1

After this configuration, all devices in the topology should be able to communicate with one another without further setup.
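The settings configured above (line passwords and login, exec-timeout, banner motd, a management SVI that is not VLAN 1, and the default gateway) are the kind of thing worth auditing in a running-config before a switch goes into production. The following added Python example, which is not part of the article, parses the indented IOS config format and reports the gaps. The SAMPLE_CONFIG is constructed for the demonstration and deliberately leaves an address on VLAN 1 and disables the vty idle timeout.

```python
import re

# Constructed running-config for the example; it is not from the article.
SAMPLE_CONFIG = """\
hostname SWITCH_1
!
banner motd #WARNING. AUTHORIZED ACCESS ONLY!!!#
!
interface Vlan1
 ip address 192.168.1.10 255.255.255.0
!
interface Vlan99
 ip address 192.168.99.1 255.255.255.0
 no shutdown
!
ip default-gateway 192.168.1.1
!
line con 0
 password cisco
 login
 logging synchronous
 exec-timeout 15 0
line vty 0 4
 password cisco
 login
 exec-timeout 0 0
"""


def parse_ios_config(text: str) -> list[tuple[str, list[str]]]:
    """Split an IOS config into (section header, indented child lines).

    Top-level statements without children, e.g. 'hostname X', become
    sections with an empty child list. '!' separators are ignored.
    """
    sections: list[tuple[str, list[str]]] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit_switch_config(text: str) -> list[str]:
    """Return human-readable findings for the basic settings covered above."""
    findings = []
    sections = parse_ios_config(text)
    headers = [h for h, _ in sections]

    for header, children in sections:
        if header.startswith("line "):
            # 'login' makes the line prompt for its password; 'no login' does not.
            if not any(c == "login" or c.startswith("login ") for c in children):
                findings.append(f"{header}: no 'login', access is not authenticated")
            if not any(c.startswith("password ") for c in children):
                findings.append(f"{header}: no line password set")
            timeout = next((c for c in children if c.startswith("exec-timeout ")), None)
            if timeout is None:
                findings.append(f"{header}: no exec-timeout configured")
            elif re.fullmatch(r"exec-timeout 0( 0)?", timeout):
                findings.append(f"{header}: exec-timeout 0 disables the idle timeout")
        if header.lower() == "interface vlan1":
            if any(c.startswith("ip address ") for c in children):
                findings.append("interface Vlan1: management address on the default VLAN 1")

    if not any(h.startswith("banner motd") for h in headers):
        findings.append("no banner motd configured")
    if not any(h.startswith("ip default-gateway") for h in headers):
        findings.append("no ip default-gateway, management from remote subnets will fail")
    return findings


if __name__ == "__main__":
    for finding in audit_switch_config(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of `show running-config`; the parser relies only on the one-space indentation IOS uses for sub-commands, so it also works on configs retrieved over the console.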

Duplex Settings

The duplex mode controls whether communication is unidirectional or bidirectional. On Cisco switches the duplex is set to auto by default, so the port adopts whatever the connected device negotiates: if the other side is running half duplex, the port will also run half duplex.

Because full duplex is the recommended option, the switch's ports can be hard-coded to use it exclusively. The required commands are entered in interface configuration mode, as shown below.

Switch(config)#interface fastEthernet 0/1
Switch(config-if)#duplex full

Port Security

Switches are susceptible to a variety of attacks, including:

  • MAC address flooding: In this attack a node connected to the switch uses a tool to send frames with many false source MAC addresses. The switch adds each one to its MAC address table, which can hold only a fixed number of entries. Once the table is full the switch can no longer learn addresses and starts acting like a hub, flooding frames out of all ports instead of forwarding them by unicast. Every frame for every node on the network is then visible to the attacker.
  • MAC address spoofing: In this attack the attacker pretends to be a DHCP server and, while legitimate clients request addresses from the real server, replies with an address that lets the attacker view traffic from a specific node.
  • Other frequent attacks target CDP, Telnet, or other technical flaws that can be exploited on the switch.

One method of defending the switch against such attacks is port security. All ports or interfaces should be secured before the switch is deployed. Port security limits the number of valid MAC addresses allowed on a port.

Port security can protect a Cisco switch through the following configuration choices.

  1. Statically configured MAC addresses: the MAC address of a specific user node is hard-coded on each switch port, dedicating that port to that node. Only equipment whose MAC address matches the configured one can communicate. This is an excellent way to establish security; however, depending on the size of the network, configuring every client's MAC address on the switch can be an administrative nightmare.
  2. Dynamic secure MAC addresses: a good way to ensure security on a switch is to have the switch ports learn and store the MAC addresses of the user nodes dynamically.
  3. Sticky MAC addresses: these ensure that only MAC addresses that have been dynamically learned can use the port. Because they are written only to the switch's running configuration, they are lost on reboot unless the configuration is saved.
  4. A maximum number of MAC addresses can also be set for a specific port. This is a reliable method of limiting MAC address spoofing.
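The four learning and forwarding steps from the MAC Address Table section, the table-exhaustion effect of MAC address flooding, and the maximum and sticky port-security options above are modelled together in the following added Python example. It is not the article's code nor any vendor's implementation: the Switch class, its deliberately tiny table_capacity, the port names and the MAC addresses are all constructed for the demonstration, and the violation action is the "shutdown" behaviour (the port is err-disabled on the first excess address).

```python
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class PortSecurityViolation(Exception):
    """Raised when a port sees more source MACs than its secure maximum."""


class Switch:
    """Toy model of MAC learning, flooding and port security (constructed here).

    table_capacity stands in for the finite size of a real MAC address table.
    """

    def __init__(self, ports, table_capacity=4):
        self.ports = list(ports)
        self.table_capacity = table_capacity
        self.mac_table = OrderedDict()   # mac -> port, dynamically learned
        self.secure = {}                 # port -> port-security state
        self.startup_sticky = {}         # port -> sticky MACs saved to startup-config

    def enable_port_security(self, port, maximum=1, sticky=False):
        self.secure[port] = {"max": maximum, "sticky": sticky,
                             "addrs": set(), "err_disabled": False}

    def _check_port_security(self, mac, port):
        sec = self.secure.get(port)
        if sec is None:
            return
        if sec["err_disabled"]:
            raise PortSecurityViolation(f"{port} is err-disabled")
        if mac in sec["addrs"]:
            return
        if len(sec["addrs"]) >= sec["max"]:
            sec["err_disabled"] = True   # violation action 'shutdown'
            raise PortSecurityViolation(f"{port}: {mac} exceeds maximum {sec['max']}")
        sec["addrs"].add(mac)

    def _learn(self, mac, port):
        if mac in self.mac_table or len(self.mac_table) < self.table_capacity:
            self.mac_table[mac] = port
        # else: table full, the address stays unknown and frames to it are flooded

    def receive(self, in_port, src, dst):
        """Handle one frame (steps 1-4 of the table section); return egress ports."""
        self._check_port_security(src, in_port)
        self._learn(src, in_port)
        if dst == BROADCAST or dst not in self.mac_table:
            return [p for p in self.ports if p != in_port]   # flood
        out = self.mac_table[dst]
        return [] if out == in_port else [out]

    def save_config(self):
        """copy running-config startup-config: only sticky MACs are persisted."""
        self.startup_sticky = {p: set(s["addrs"]) for p, s in self.secure.items() if s["sticky"]}

    def reboot(self):
        self.mac_table.clear()
        for port, sec in self.secure.items():
            sec["err_disabled"] = False
            sec["addrs"] = set(self.startup_sticky.get(port, set())) if sec["sticky"] else set()

    def secure_addresses(self, port):
        return set(self.secure[port]["addrs"])


def demo():
    victim, server = "00:09:7c:00:00:01", "00:09:7c:00:00:02"   # constructed
    results = {}
    # 1. Unprotected fa0/3: spoofed source MACs fill the table, so later legitimate
    #    hosts cannot be learned and their frames are flooded, reaching fa0/3 too.
    sw = Switch(["fa0/1", "fa0/2", "fa0/3"], table_capacity=4)
    for i in range(10):
        sw.receive("fa0/3", f"02:00:00:00:00:{i:02x}", BROADCAST)
    sw.receive("fa0/1", victim, BROADCAST)
    results["flooded_to"] = sw.receive("fa0/2", server, victim)
    # 2. Same attack with port security (maximum 1) on fa0/3: second MAC is a violation.
    sw = Switch(["fa0/1", "fa0/2", "fa0/3"], table_capacity=4)
    sw.enable_port_security("fa0/3", maximum=1)
    sw.receive("fa0/3", "02:00:00:00:00:00", BROADCAST)
    try:
        sw.receive("fa0/3", "02:00:00:00:00:01", BROADCAST)
        results["violation"] = False
    except PortSecurityViolation:
        results["violation"] = True
    sw.receive("fa0/1", victim, BROADCAST)
    results["unicast_to"] = sw.receive("fa0/2", server, victim)
    # 3. Sticky addresses survive a reload only after the configuration is saved.
    sw.enable_port_security("fa0/1", maximum=1, sticky=True)
    sw.receive("fa0/1", victim, BROADCAST)
    sw.reboot()
    results["sticky_unsaved"] = sw.secure_addresses("fa0/1")
    sw.receive("fa0/1", victim, BROADCAST)
    sw.save_config()
    sw.reboot()
    results["sticky_saved"] = sw.secure_addresses("fa0/1")
    return results


if __name__ == "__main__":
    print(demo())
```

In scenario 1 the server's reply to the victim is flooded to fa0/1 and fa0/3, so the node on fa0/3 sees it; in scenario 2 the same reply goes only to fa0/1 because port security stopped the table from filling. Scenario 3 shows why "copy running-config startup-config" matters for sticky addresses.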
