Configuring Switches

Lesson overview.

In this lesson, we will cover:
● Switch overview.
● Spanning Tree Protocol.
● Switch installation considerations.
● Configuring the switch port.

Switch overview.

Most switches operate at Layer 2, the data link layer, of the OSI (Open Systems Interconnection) reference model. What makes a switch a switch is an application-specific integrated circuit (ASIC) chip. The ASIC chip is used to make switching decisions, in place of software, based on media access control (MAC) addresses. This ability allows switches to break up collision domains, to run in full-duplex mode, and to make faster decisions than either bridges or routers.

When a switch receives a packet on a port, it makes one of three simple decisions based on its MAC table. It may forward the packet, sending it out the port on which the destination MAC address resides. It may filter the packet, so that the packet is not sent out ports that are not associated with the destination MAC address. Or it may flood the packet, sending it out all of the ports on the switch except the port on which it came in.

Unmanaged vs. managed switches.

An unmanaged switch is a simple switch: plug it in and it works. There is no method provided for configuration. An unmanaged switch is designed with ease of installation as its main attribute. Managed switches, on the other hand, can be configured through either the command line or a browser-based interface. Managed switches provide a high degree of network customization and control. A managed switch can also be set up so that an administrator can monitor its performance remotely and use protocols such as SNMPv3 (Simple Network Management Protocol version 3) to make some modifications to its configuration.
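The three decisions described above, as an added example that is not part of the lesson: a small Python model of a switch's MAC table and its forward/filter/flood logic. It goes slightly beyond this section by keying the table per VLAN, so that traffic only crosses ports whose VLAN matches (the rule stated later in the VLAN section); the port numbers, MAC addresses and VLAN layout are constructed.

```python
# Added example, not from the lesson: a model of the forward/filter/flood
# decision a switch makes against its MAC table. Port numbers, MAC addresses
# and the VLAN layout are constructed.
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str
    dst: str


@dataclass
class Layer2Switch:
    port_vlan: dict                                # port number -> VLAN it belongs to
    mac_table: dict = field(default_factory=dict)  # (vlan, mac) -> port it was learned on

    def learn(self, frame, in_port):
        # Source learning: record which port (within this VLAN) owns the source MAC.
        self.mac_table[(self.port_vlan[in_port], frame.src)] = in_port

    def decide(self, frame, in_port):
        """Return (decision, out_ports) with decision in 'forward', 'filter', 'flood'."""
        self.learn(frame, in_port)
        vlan = self.port_vlan[in_port]
        known = self.mac_table.get((vlan, frame.dst))
        if frame.dst == BROADCAST or known is None:
            # Broadcast or unknown destination: out every other port in the same VLAN.
            return "flood", sorted(p for p, v in self.port_vlan.items()
                                   if v == vlan and p != in_port)
        if known == in_port:
            # The destination sits behind the receiving port: send it nowhere.
            return "filter", []
        return "forward", [known]  # only the port the table associates with dst


def run_demo():
    """Constructed scenario: ports 1-3 are in VLAN 10, port 4 is in VLAN 20."""
    sw = Layer2Switch(port_vlan={1: 10, 2: 10, 3: 10, 4: 20})
    a, b, c = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
    d = "02:00:00:00:00:04"
    steps = [
        (Frame(src=a, dst=b), 1),          # B unknown -> flood to ports 2 and 3, not to VLAN 20
        (Frame(src=b, dst=a), 2),          # A was learned on port 1 -> forward to port 1
        (Frame(src=a, dst=b), 1),          # B was learned on port 2 -> forward to port 2
        (Frame(src=c, dst=a), 1),          # C shares port 1 with A -> filter, nothing sent
        (Frame(src=d, dst=BROADCAST), 4),  # broadcast in VLAN 20 -> no other ports, empty flood
    ]
    return [sw.decide(f, p) for f, p in steps]


if __name__ == "__main__":
    for decision, ports in run_demo():
        print(decision, ports)
```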
Highlights:
● Most switches operate at Layer 2 of the OSI model and have an ASIC chip used to make switching decisions in place of software.
● Switches break up collision domains and run in full-duplex mode.
● When a switch receives a packet on a port, it makes one of three decisions based on its MAC table:
  ○ Forward: the packet is directed out the port that is associated with the destination MAC address.
  ○ Filter: the packet is not directed out ports that are not associated with the destination MAC address.
  ○ Flood: the packet is flooded out all ports (except the port that received the packet).
● An unmanaged switch is a simple switch designed with ease of installation as its main attribute.
● Managed switches can be configured to provide a high degree of network customization and control.

Spanning Tree Protocol.

Spanning Tree Protocol (STP) is a loop-avoidance technology. A switching loop can occur on networks where there are multiple paths to reach destination MAC addresses. DEC (Digital Equipment Corporation) created STP to reduce the possibility of switching loops. With STP, the switches elect a root bridge to control the switched network. The switches then shut down ports that are not on the best path to the root bridge, reducing the risk of loops. In an STP-enabled network, no network traffic can flow until the STP process has taken place and a stable state has been achieved. The stable state is called convergence, and it can take a significant amount of time with STP, up to 50 seconds. After convergence, the STP-selected switch ports send out bridge protocol data unit (BPDU) packets to help maintain the stable state.

Highlights:
● A switching loop can occur on networks where there are multiple paths to reach destination MAC addresses, which can be created when switches are connected together.
● The switches elect a root bridge to control the switched network and shut down ports that are not the best path to the root bridge.
● STP can take up to 50 seconds to achieve a stable state (convergence).
● After convergence, the STP-selected switch ports send out BPDU packets to help maintain the stable state.

STP port states.

All switch ports in an STP-enabled network are in one of five states. In the disabled state, the port is administratively shut down and is neither receiving nor sending packets; it is completely disabled. In the blocking state, the port will not forward packets, but it still receives BPDU packets and drops all other packets. In the listening state, the port will not forward packets, but it listens to BPDU packets to make sure that no loops can occur, in preparation for the next state. In the learning state, the port still will not forward packets, but it is learning all of the paths in the network, populating its MAC address table in preparation for the next state. The last STP state is the forwarding state, in which the port forwards and receives all packets flowing across the network that are directed to that port.

The five states of STP:
● Disabled: administratively shut down.
● Blocking: will not forward packets, but is still receiving BPDU packets and will drop all other packets.
● Listening: will not forward packets, but listens to BPDU packets to make sure no loops can occur, in preparation for the next state.
● Learning: will not forward packets, but is learning all of the paths in the network; it is populating its MAC address table.
● Forwarding: will forward (send) and receive all packets.

802.1d.

The IEEE liked STP so much that it created the 802.1d standard, which is its version of STP. All modern Layer 2 switches run the 802.1d standard by default. The 802.1d standard suffers from the same time constraint (slow convergence time) as STP.

Highlights:
● 802.1d is the IEEE version of STP.
● It suffers from the same time constraints as STP.

Rapid Spanning Tree Protocol.
The slow convergence time of 802.1d led to the creation of Rapid Spanning Tree Protocol (RSTP), also known as 802.1w. RSTP has a much faster convergence time than 802.1d. With RSTP enabled on all switches, a network can achieve its stable state in approximately five seconds. RSTP is not turned on by default on Layer 2 switches; it must be enabled by an administrator.

802.1w defines three possible port states. The first is discarding: in this state, the port may be administratively disabled, or it may be in a blocking or listening mode. The next state is learning: the port is populating its MAC address table in preparation for forwarding packets. The final state is forwarding: the port is actively forwarding packets.

Highlights:
● With RSTP enabled on all switches, a network can achieve its stable state in approximately five seconds.
● RSTP is not turned on by default on Layer 2 switches and must be enabled by an administrator.

The three states of RSTP:
● Discarding: the port may be administratively disabled, or it may be in a blocking mode or listening mode.
● Learning: the port is populating its MAC address table in preparation for forwarding packets.
● Forwarding: the port is actively forwarding packets.

Switch installation considerations.

The business or enterprise network is more complex than the SOHO (small office/home office) network. A SOHO network may be able to get by with one or more unmanaged switches and still operate adequately. Once beyond the level of a SOHO, though, more thought and planning is required, as unmanaged switches are no longer up to the job. There are multiple issues to consider when installing a managed switch, and it is wise to plan for them in advance to save time and reduce frustration. Some of the important considerations are outlined below.

Will VLANs (Virtual Local Area Networks) be required?
One of the first things to consider is whether or not there will be VLANs (virtual local area networks). While switches may break up collision domains, they do not break up broadcast domains. VLANs, on the other hand, do. VLANs take a single network environment and create smaller network segments by subnetting the network address range, effectively breaking up the broadcast domains of that network.

VLANs are used in a switched network environment for a variety of reasons. Besides breaking up broadcast domains, VLANs can also increase security by allowing administrators to limit access to network resources. The administrator configures the VLANs and then assigns users, nodes, or ports to a specific VLAN.

All managed switches come with a native VLAN, which is determined by the manufacturer. This native VLAN is used to help manage the switch. As long as the VLAN information matches, VLAN traffic is allowed to cross between different ports on the same switch. For example, a host on VLAN 2 can send traffic to another host on VLAN 2 if they reside on the same switch.

If multiple switches are connected together, trunk ports must be configured in order for VLAN traffic to cross between the switches. Trunk ports are special ports that allow VLAN traffic to flow between different switches. For example, a host on VLAN 2 can send traffic across a trunk port to another host on VLAN 2 on a different switch. VTP (virtual trunk port protocol) is a Cisco proprietary method of creating a virtual trunk port, which allows VLAN traffic to pass between switches and automatically manages the VLAN environment. In order for different VLANs to communicate with each other, a router, or some other Layer 3 device, must be installed on the network.

Highlights:
● VLANs take a single network environment and create smaller network segments by subnetting the network address range.
● VLANs are used in a switched network environment for a variety of reasons:
  ○ Break up broadcast domains into smaller pieces.
  ○ Increase security by limiting access to network resources.
● The administrator configures the VLANs and assigns users, nodes, or ports to a specific VLAN.
● The native VLAN, which is determined by the manufacturer, is used to help manage the switch.
● VLAN traffic is allowed to cross switch ports as long as the VLAN information matches.
● VTP is a Cisco proprietary method of creating a virtual trunk port, allowing VLAN traffic to pass between switches.
● In order for different VLANs to communicate with each other, a router or other Layer 3 device must be installed.

How will the switches be managed?

A second consideration is how the switches are going to be managed. Switches may be managed out-of-band, which means that no network connection is required. This is achieved through the console port on the switch, a specific port on managed switches used to connect to and configure or manage the switch. A rollover cable may be required to make the connection to the console port. Security should also be set on the console port to prevent unauthorized access through it.

The other option is in-band management, in which a network connection is used to manage the switch. One of the most common methods of in-band management is the use of virtual terminals, or VTY connections. The most common VTY connections are Telnet or Secure Shell (SSH) sessions. Security should be set if Telnet is allowed on VTY connections. By default, SSH is a secured connection.

If in-band management is going to be used, a default gateway address will need to be established. That default gateway address must be placed on an interface that belongs to the native VLAN (default VLAN). The default gateway on a switch is different from the default gateway on a router.
On a switch, the default gateway is only used to manage the switch, not to pass other network traffic. As part of the setup and management of the switch, an administrator should configure which users and passwords are allowed to connect to the switch and what their level of access to the configuration is going to be. In-band and out-of-band management security settings may differ: some users may be allowed in-band management access while others may not, and vice versa. If AAA (Authentication, Authorization, and Accounting) protocols are used in the network, the switch must be configured to use them as well.

Highlights:
● Switches may be managed out-of-band (no network connection required) through the console port on the switch (note: security should be set on console ports).
● Switches may be configured to be managed in-band (a network connection is used to manage the switch), commonly through VTY connections using Telnet or SSH sessions (note: security should be set if Telnet is used).
● A default gateway address must be placed on an interface that belongs to the native VLAN in order to allow in-band switch management.
● An administrator should configure which users and passwords are allowed to connect to the switch and what their level of access to the configuration is going to be.

Configuring the switch port.

When configuring a switch port, there are a number of vital settings that must be established. The most important of these are outlined below.

Speed and duplexing.

Most modern switch ports can auto-negotiate both the speed of the link and the duplexing mode used; however, in some cases an administrator may need to manually set both the speed and the duplex in order for a connection to occur. Speed and duplexing errors are the most common cause of a link not being established between a switch and other devices.

Highlights:
● Most modern switch ports can auto-negotiate the speed of the link and the duplexing mode used.
● Administrators may sometimes need to manually set the speed and the duplex for a connection to occur.

VLAN assignment.

All switch ports belong to a VLAN, either an administratively configured one or the native VLAN. The most common native VLAN is VLAN 1, which should be administratively changed to a different VLAN to increase the security level on the switch (e.g., change VLAN 1 to VLAN 99).

Highlights:
● All switch ports belong to a VLAN, either an administratively configured one or the native VLAN.
● The native VLAN should be administratively changed for increased security.

Trunking.

Trunking is used to carry VLAN traffic between different switches in a network. Trunk ports are switch ports that are configured to carry VLAN traffic between switches. The standard protocol used is 802.1q. The 802.1q protocol strips off the VLAN tag; more precisely, it changes that tag to match the native VLAN, which allows the traffic to cross over the port. Once on the other side, the 802.1q port there reinserts the original VLAN tag.

Highlights:
● Trunking facilitates VLAN traffic between different switches.
● Switch ports configured with 802.1q are the trunk ports that allow traffic to cross between switches.

Port bonding.

In situations where greater bandwidth is desired, port bonding can be implemented using LACP (Link Aggregation Control Protocol). LACP is the protocol used to create a single logical channel from redundant connections between switches: it bonds those ports together, which increases the bandwidth between the switches.

Highlights:
● LACP can be used to create a single logical channel from redundant connections between switches to increase bandwidth between them.

PoE (Power over Ethernet).

Some switches come equipped with PoE (Power over Ethernet) ports. These ports, as well as carrying data, can use one of two methods to provide current over the network cable.
This gives these ports the ability to power small network devices while at the same time communicating with them. The port itself may provide the current, or the port may instead allow the use of a power injector to provide the power. There are multiple PoE standards in place. The two most common are the PoE standard (802.3af), which can provide up to 15.4 watts, and the PoE+ standard (802.3at), which can provide up to 30 watts.

Highlights:
● Switches that come equipped with PoE ports can carry data and are also able to power small network devices.
● There are multiple PoE standards in place; the most common are:
  ○ PoE (802.3af): can provide 15.4 W.
  ○ PoE+ (802.3at): can provide 30.0 W.

Port mirroring.

Port mirroring may be enabled on a switch port. This allows the configured port to receive a copy of all network traffic going to and from a specific port. By using port mirroring, an administrator can examine and analyze the traffic going into and coming from a specific host or port. Port mirroring is most often used in conjunction with a packet analyzer (e.g., a network sniffer or packet sniffer). Port mirroring can create a significant amount of network overhead, so it should be used sparingly on an active network.

Highlights:
● By using port mirroring, an administrator can examine and analyze the traffic going into and coming from a specific host or port.
● Port mirroring is most often used in conjunction with a packet analyzer.
● Port mirroring can create a significant amount of network overhead, so it should be used sparingly on an active network.

What was covered.

Switch overview.

Switches are Layer 2 devices used on networks to move packets (data) from source to destination based on MAC addresses. Unmanaged switches are simple and do not provide a method for configuring their operations. Managed switches can be configured through the command line or some other interface.
SNMP can be used with managed switches to ease the management process.

Spanning Tree Protocol.

A switching loop can occur on networks when there are redundant paths between nodes. DEC created STP as a means of preventing switching loops from occurring on networks. STP defines five port states: disabled, blocking, listening, learning, and forwarding. STP can take up to 50 seconds to reach convergence. The IEEE version of STP is 802.1d. RSTP (802.1w) was created to decrease the convergence time to approximately five seconds. RSTP defines three port states: discarding, learning, and forwarding.

Switch installation considerations.

Planning for a managed switch environment can save time and frustration. Some installation considerations include: the creation of VLANs; in-band and out-of-band switch management, including establishing a default gateway address; user settings; and AAA settings, if required.

Configuring the switch port.

An administrator also needs to consider the settings for each individual port on a switch. Some of these considerations are: the speed and duplex used on the port, the VLAN assignment for the port, which ports will handle 802.1q trunking, whether bandwidth could be increased by using LACP, and how many PoE or PoE+ ports are available to power devices.
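As an added example that is not part of the lesson, here is a Python audit of the management and port settings the lesson singled out: a login on the console port, Telnet on the VTY lines, a default gateway for in-band access, native VLAN 1 on trunks, and SNMP communities that predate SNMPv3. The running-config it checks is a constructed sample in Cisco IOS style; that syntax and the addresses in it are assumptions.

```python
# Added example, not from the lesson: audit a Cisco IOS style running-config
# for the management-plane settings the lesson calls out. The config below is a
# constructed sample; its syntax and addresses are assumptions.
SAMPLE_CONFIG = """\
snmp-server community public RO
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 1
interface Vlan1
 ip address 192.0.2.10 255.255.255.0
ip default-gateway 192.0.2.1
line con 0
line vty 0 4
 login local
 transport input telnet ssh
"""


def parse_sections(config):
    """Group each top-level command with its indented sub-commands: {header: [cmds]}."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # blank lines and IOS '!' separators carry no configuration
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    sections, findings = parse_sections(config), []
    has_gateway = any(h.startswith("ip default-gateway") for h in sections)
    for header, body in sections.items():
        if header.startswith("line con") and not any(
                c.startswith(("login", "password")) for c in body):
            findings.append(f"{header}: console port has no login; out-of-band access is unprotected")
        if header.startswith("line vty"):
            for cmd in body:
                # 'transport input all' also accepts Telnet
                if cmd.startswith("transport input") and {"telnet", "all"} & set(cmd.split()[2:]):
                    findings.append(f"{header}: Telnet accepted for in-band management; allow SSH only")
            if not any(c.startswith("login") for c in body):
                findings.append(f"{header}: VTY lines accept sessions without login")
            if not has_gateway:
                findings.append(f"{header}: in-band management configured without ip default-gateway")
        if header.startswith("interface") and "switchport mode trunk" in body:
            native = [c.split()[-1] for c in body if c.startswith("switchport trunk native vlan")]
            if (native or ["1"])[-1] == "1":  # no native VLAN command means the default, VLAN 1
                findings.append(f"{header}: trunk uses native VLAN 1; move it to a dedicated VLAN such as 99")
        if header.startswith("snmp-server community"):
            findings.append("snmp-server: SNMP v1/v2c community configured; use SNMPv3 instead")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports four findings for the sample; fixing each one in the config brings the list down to empty.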