
SWITCH

A switch is used to network multiple computers together. Switches made for the consumer market are typically small, flat boxes with 4 to 8 Ethernet ports. These ports can connect to computers, cable or DSL modems, and other switches. High-end switches can have more than 50 ports and are often rack mounted. Switches are more advanced than hubs and less capable than routers. Unlike a hub, which repeats every frame out of every port, a switch learns which MAC address sits behind each port (its CAM table) and forwards a frame only to the port where the destination was learned, so each device gets the full bandwidth of its own port instead of sharing one collision domain with everything else. For this reason, you can think of a switch as a "smart hub." However, switches generally don't provide the firewall and logging capabilities that routers do. Routers can usually be configured by software (typically via a Web interface); cheap unmanaged switches cannot be configured at all and simply work the way the hardware was designed, whereas managed switches (such as the Cisco equipment configured later on this page) expose a command-line or Web interface for VLANs, port security and similar features. The term "switch" can also be used to refer to a small lever or button on computer hardware. And while it has nothing to do with computers, "riding switch" means riding backwards in skateboarding and snowboarding.

An introduction to VLAN Trunking


There are many network devices in the data center that require multi-homing (multiple network adapters) to tie in to multiple network segments. As the number of those systems increases, it becomes more and more difficult to provide the network infrastructure (because of the sheer number of Ethernet connections that must be provided) from the perspective of cost, space, and wire management. A technology called VLAN trunking (a VLAN being a virtual LAN, a broadcast domain logically segmented on an Ethernet switch) that was once primarily the domain of network switches has now trickled down to the rest of the data center to address these issues. Now it is possible for these devices to be multi-homed in function without multiple physical network adapters and the additional infrastructure that goes with them. VLAN trunking allows a single network adapter to behave as n virtual network adapters. The 802.1Q VLAN ID is a 12-bit field, so n has a theoretical upper limit of 4094 usable VLAN IDs (0 and 4095 are reserved), but the number of VLANs a given switch can actually hold is platform-dependent and is typically around 1000. Where a single gigabit Ethernet adapter is trunked in place of several FastEthernet adapters, higher performance at a lower cost and with more flexibility can be achieved. This really is the best of all worlds.

Applications of VLAN Trunking: Here are some common examples of network devices that benefit from VLAN trunking:

- Routers
- Firewalls (software or hardware)
- Transparent proxy servers
- VMware hosts
- Wireless Access Points

VLAN encapsulation types: There are several types of VLAN encapsulation. The two most common are Cisco's proprietary ISL (Inter-Switch Link) and the IEEE 802.1Q specification. ISL is an older, Cisco-only scheme that Cisco used to connect its switches and routers; now that 802.1Q is ratified, all newer Cisco gear supports either both ISL and 802.1Q or only 802.1Q. Older Cisco equipment may support only ISL trunking, so look up the individual specifications of your gear before attempting to connect it.

The 802.1Q standard works by inserting a 32-bit (4-byte) VLAN tag into every Ethernet frame, between the source MAC address and the EtherType: a 16-bit tag protocol identifier (0x8100) followed by 16 bits of tag control information, of which 3 bits are priority, 1 bit is the drop-eligible/CFI flag and 12 bits are the VLAN ID. The VLAN ID simply declares which VLAN the Ethernet frame belongs to, and the switch uses that ID to sort the frames into their proper VLANs. Once a frame reaches the end of the line and leaves through a non-trunked (access) port, the VLAN tag is stripped from the frame because it is no longer needed (a trunk port also sends its native VLAN untagged). This also means that if you attempt to trunk a host to a non-trunked port it will not work: an access port expects untagged frames and generally discards tagged ones on entry.

Note that there are serious security implications of using VLAN technology (for example, a host that is allowed to negotiate a trunk with DTP, or that shares a trunk's native VLAN, can get frames into VLANs it should not reach); I will elaborate on that in a future article on VLAN Layer 2 security.

Given that a VLAN tag must be inserted into each and every Ethernet frame, there is a little overhead in terms of slightly larger frames and some CPU time to inject the tags. Because of this, separate physical network adapters will always perform better than virtual network adapters on a single adapter of the same speed. But remember, this deficit is quickly reversed if a single gigabit Ethernet adapter is used in place of multiple FastEthernet adapters. Given all the rewards of VLAN trunking, the small overhead is more than justified.
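The tag layout just described, as an added example that is not code from the original article: a small Python builder and parser for 802.1Q frames, plus a model of what an access port and a trunk port's native VLAN do to the tag. All frames and MAC addresses are constructed inline; the `access_port_ingress` and `trunk_port_egress` models are this example's assumptions (the access-port rule shown, drop any tagged frame, is the conservative case; some platforms accept a tag equal to the port's own VLAN). `double_tag_demo` goes one step beyond the text and shows why sharing a trunk's native VLAN with hosts matters.

```python
"""Build and parse IEEE 802.1Q tagged Ethernet frames (added example, constructed data only)."""
import struct

TPID_8021Q = 0x8100    # 802.1Q customer tag
TPID_8021AD = 0x88A8   # 802.1ad service tag (QinQ outer tag)
TAG_TPIDS = {TPID_8021Q, TPID_8021AD}


def vlan_tag(vid: int, pcp: int = 0, dei: int = 0, tpid: int = TPID_8021Q) -> bytes:
    """Encode the 32-bit tag: 16-bit TPID + 16-bit TCI (3-bit PCP, 1-bit DEI, 12-bit VID)."""
    if not 0 <= vid <= 4095:
        raise ValueError("VID must fit in 12 bits")
    if not 0 <= pcp <= 7:
        raise ValueError("PCP must fit in 3 bits")
    tci = (pcp << 13) | ((dei & 1) << 12) | vid
    return struct.pack("!HH", tpid, tci)


def build_frame(dst: bytes, src: bytes, tags: bytes, ethertype: int, payload: bytes) -> bytes:
    """dst MAC, src MAC, zero or more 4-byte tags, payload EtherType, payload (no FCS)."""
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Return MACs, the tag stack (outermost first), the final EtherType and the payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    tags = []
    offset = 12
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in TAG_TPIDS:
            break                     # not a tag: this is the real EtherType
        if offset + 4 > len(frame):
            raise ValueError("truncated tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"tpid": ethertype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
    return {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "tags": tags, "ethertype": ethertype, "payload": frame[offset + 2:]}


def access_port_ingress(frame: bytes, access_vlan: int):
    """Model a non-trunked (access) port on ingress: untagged frames are assigned the
    port's access VLAN; tagged frames are dropped (assumed conservative behaviour).
    Returns (vlan, frame), or None when the frame is dropped."""
    if parse_frame(frame)["tags"]:
        return None
    return access_vlan, frame


def trunk_port_egress(frame: bytes, native_vlan: int) -> bytes:
    """Model a trunk port on egress: the native VLAN leaves untagged, i.e. the outermost
    tag is stripped when its VID equals native_vlan. Any inner tag survives untouched."""
    parsed = parse_frame(frame)
    if parsed["tags"] and parsed["tags"][0]["vid"] == native_vlan:
        return frame[:12] + frame[16:]   # remove the 4-byte outer tag
    return frame


def double_tag_demo(native_vlan: int = 1, target_vlan: int = 100) -> int:
    """A frame tagged native-then-target is untagged once by the first trunk, after which
    the inner tag carries it into target_vlan. Returns the VID the next switch sees."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("020000000001")      # constructed, locally administered MAC
    tags = vlan_tag(native_vlan) + vlan_tag(target_vlan)
    frame = build_frame(dst, src, tags, 0x0800, b"\x45" + b"\x00" * 19)
    after_first_hop = trunk_port_egress(frame, native_vlan)
    return parse_frame(after_first_hop)["tags"][0]["vid"]


if __name__ == "__main__":
    f = build_frame(bytes(6), bytes.fromhex("020000000002"), vlan_tag(900, pcp=5), 0x0806, b"\x00" * 28)
    print(parse_frame(f)["tags"])
    print("VLAN reached by the double-tagged frame:", double_tag_demo())
```

The parser loops because tags can stack (802.1ad QinQ, or a deliberately double-tagged frame); `trunk_port_egress` strips exactly one tag, which is what turns a double-tagged frame sent on the native VLAN into a single-tagged frame for another VLAN.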
Trunking requirements: VLAN trunking requires that the network switch, the network adapter, and the drivers for the operating system all support VLAN tagging. Almost any enterprise-grade switch made by Cisco, Extreme, Foundry, and others supports 802.1Q. Smaller-scale examples are Cisco's 2950 series and Netgear's FSM726. Most high-end client adapters support VLAN trunking, but the ones you will most commonly find are the Intel Pro/100 and Pro/1000 adapters, because one is included on almost every server manufacturer's motherboards. For those without an integrated Intel adapter, a separate Pro/1000 PCI card can be bought for as little as $40. Driver support on the Intel adapters is excellent and covers almost everything from BSD to Linux to Windows client and server operating systems. My follow-up article on how to actually implement VLAN trunking will focus on Cisco and Intel equipment. Stay tuned.

Cisco Switch Configuration How-To Managing VLANs


Because this switch stands alone (there are no other switches to share a VLAN database with), VTP or similar VLAN database protocols are not needed. Remote management of a Cisco switch happens through an IP address attached to a VLAN interface. Here we want no IP address attached to any VLAN, so we remove the address from VLAN 1 (the default VLAN, which cannot be deleted) and shut its interface down. Note that this removes any in-band management path, so do it from the console:
switch>en
switch#conf t
switch(config)#interface vlan 1
switch(config-if)#no ip address
switch(config-if)#shutdown
switch(config-if)#end
switch#

Create a VLAN for unassigned interfaces


switch>en
switch#conf t
switch(config)#vlan 100
switch(config-vlan)#name unused_interfaces
switch(config-vlan)#end
switch#

Create a VLAN for Management (which we won't use; this is to make sure that VLAN 1 is separated from management functions)
switch>en
switch#conf t
switch(config)#vlan 4094
switch(config-vlan)#name MANAGEMENT
switch(config-vlan)#end
switch#

To delete VLANs, first reassign all interfaces to the unused-interfaces VLAN (see the page on interface management). An interface keeps its configured access VLAN when that VLAN is deleted (it simply goes inactive), so if the VLAN is later recreated, every interface that was previously part of it is connected to it again!
switch>en
switch#conf t
switch(config)#no vlan 900
switch(config)#end
switch#

To disable trunking on an interface, force it into permanent access mode so it will not become a trunk even if the device on the other end asks for one (an access-mode port can still generate DTP frames; switchport nonegotiate stops that):


switch>en
switch#conf t
switch(config)#interface gigabitEthernet 1/1
switch(config-if)#switchport mode access
switch(config-if)#end
switch#

To assign an interface to a VLAN:


switch#conf t
switch(config)#interface gigabitEthernet 1/11
switch(config-if)#switchport access vlan 900
switch(config-if)#end
switch#

To configure port security: MAC address spoofing is possible from guest OSes when a virtual machine uses the host's interfaces in bridged mode, so one experiment could interfere with all the others simply by filling the switch's CAM table (once the table is full, the switch has to flood frames for unknown destinations out of every port, like a hub). To counter this while still allowing as much spoofing as possible (this is an experimental facility), the first command, switchport port-security, enables port security on interface gi1/1. The second command, switchport port-security maximum 64, sets the maximum number of secure MAC addresses for the interface. The system-wide limit is 3072, as shown by:
switch#show port-security address
Max Addresses limit in System (excluding one mac per port) : 3072

so with 48 interfaces, each may have up to 3072/48 = 64 MAC addresses. The last command, switchport port-security violation restrict, sets the violation mode to restrict: once the port has learned its maximum, frames from any further source MAC are dropped, the violation is logged and counted, and an SNMP trap is sent if SNMP is enabled; the port itself stays up. The alternatives are protect (drop silently, with no logging) and shutdown, the default, which err-disables the whole port on a violation, which we don't want to have happen here. No SNMP traps are generated because SNMP is disabled.

switch>en
switch#conf t
switch(config)#interface gigabitEthernet 1/1
switch(config-if)#switchport port-security
switch(config-if)#switchport port-security maximum 64
switch(config-if)#switchport port-security violation restrict
switch(config-if)#end
switch#
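The interface-hardening steps above (VLAN 1 interface without an address, ports forced to access mode, assigned to a non-default VLAN, port security with a per-port maximum and a non-shutdown violation mode, unused ports parked in the unused-interfaces VLAN) as a config audit, added here as an example and not taken from the original page: a Python script that splits a Cisco IOS running-config into interface stanzas and reports every interface that misses one of those settings. SAMPLE_CONFIG is constructed for the example; the 64-address budget is the 3072/48 figure computed above, and the rule that a shut-down port must sit in VLAN 100 is this example's reading of the page.

```python
"""Audit a Cisco IOS running-config for the VLAN and port-security settings (added example)."""
import re
from typing import Dict, List, Optional

UNUSED_VLAN = 100       # the page's "unused_interfaces" VLAN
PER_PORT_MAX = 64       # 3072 secure addresses system-wide / 48 ports

# Constructed sample: one compliant port, one half-configured port, one parked port.
SAMPLE_CONFIG = """\
!
interface Vlan1
 no ip address
 shutdown
!
interface GigabitEthernet1/1
 switchport mode access
 switchport access vlan 900
 switchport port-security
 switchport port-security maximum 64
 switchport port-security violation restrict
!
interface GigabitEthernet1/2
 switchport access vlan 900
 switchport port-security
!
interface GigabitEthernet1/3
 switchport mode access
 switchport access vlan 100
 shutdown
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface <name>' stanza to its indented sub-commands."""
    stanzas: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None          # '!' or any other top-level line ends the stanza
    return stanzas


def _last_int(cmds: List[str], pattern: str) -> Optional[int]:
    """Integer from the last command matching pattern (IOS keeps the last one entered)."""
    value = None
    for c in cmds:
        m = re.fullmatch(pattern, c)
        if m:
            value = int(m.group(1))
    return value


def audit_interface(name: str, cmds: List[str]) -> List[str]:
    """Findings for one interface stanza; an empty list means it matches the page's rules."""
    findings: List[str] = []
    cmdset = set(cmds)
    if name.lower().startswith("vlan"):
        if any(c.startswith("ip address ") for c in cmds) and "shutdown" not in cmdset:
            findings.append("SVI has an IP address and is up: management is reachable on this VLAN")
        return findings
    vlan = _last_int(cmds, r"switchport access vlan (\d+)") or 1   # IOS default is VLAN 1
    if "shutdown" in cmdset:
        if vlan != UNUSED_VLAN:
            findings.append(f"shut down but not parked in VLAN {UNUSED_VLAN}")
        return findings
    if "switchport mode access" not in cmdset:
        findings.append("not forced to access mode: a trunk could be negotiated over DTP")
    if vlan == 1:
        findings.append("in VLAN 1 (default): move it to a dedicated VLAN or the unused VLAN")
    if "switchport port-security" not in cmdset:
        findings.append("port-security off: nothing limits the source MACs learned from this port")
        return findings
    maximum = _last_int(cmds, r"switchport port-security maximum (\d+)")
    if maximum is None or maximum > PER_PORT_MAX:
        findings.append(f"port-security maximum missing or above {PER_PORT_MAX}")
    if not any(c.startswith("switchport port-security violation ") and not c.endswith(" shutdown")
               for c in cmds):
        findings.append("violation mode is shutdown (default): one extra MAC err-disables the port")
    return findings


def audit_config(config: str) -> Dict[str, List[str]]:
    """Interfaces that have at least one finding."""
    report: Dict[str, List[str]] = {}
    for name, cmds in parse_interfaces(config).items():
        findings = audit_interface(name, cmds)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        for f in findings:
            print(f"{name}: {f}")
```

Feed it the output of show running-config from a real switch instead of SAMPLE_CONFIG; a port that appears with no access VLAN line is reported as VLAN 1 because that is what IOS uses when nothing is configured.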
