NDC Chapter 4

This document provides an overview of switch configuration and VLAN configuration. It discusses how switches break up large collision domains into smaller ones by using separate collision domains for each switch port. It also discusses how switches use content-addressable memory (CAM) tables to map MAC addresses to ports for layer 2 switching. Finally, it provides instructions for configuring port security on a switch to limit the number of MAC addresses and trigger actions for security violations.

Uploaded by teshu wodesa

Chapter 4

Switch (LAN) Configuration

Introduction
➢ Switching breaks up large collision domains into smaller ones.
➢ A collision domain is a network segment with two or more devices sharing the same bandwidth.
➢ A hub network is a typical example of this type of technology.

Cont.
▪ Each port on a switch is actually its own collision domain, so you can make a much better Ethernet LAN just by replacing your hubs with switches.
▪ Layer 2 switches are faster than routers because they look at the frame's hardware addresses before deciding to either forward the frame or drop it.
Content Addressable Memory (CAM) Table
 Refers to a dynamic table in a network switch that maps MAC addresses to ports; it is also known as the MAC table or filter table.
 The CAM table, or content addressable memory table, is present in all switches for layer 2 switching.
❑ Conditions in which a switch will flood a frame out on all ports except the port on which the frame came in:
❖ Unknown unicast destination address
❖ Broadcast frame (FF-FF-FF-FF-FF-FF)
❖ Multicast frame (01-00-5E-00-00-00 to 01-00-5E-7F-FF-FF)

SW1#show mac-address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0001.9744.73c0    DYNAMIC     Fa0/1
   1    00e0.b0de.eed5    DYNAMIC     Fa1/1
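The learning and flooding rules above, as an added Python model (this is not code from the slides): a switch learns the source MAC of every frame into its CAM table, forwards a known unicast destination out the one learned port, filters a frame whose destination sits on the ingress port, and floods unknown unicast, broadcast and multicast out every other port. The model goes slightly beyond the slide in one respect: it recognises any group address by the IEEE group bit (least-significant bit of the first octet), which covers the 01-00-5E IPv4 range listed above and every other multicast address. The port names and the two MAC addresses are taken from the show mac-address-table output; the frame sequence is constructed.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


def normalize(mac: str) -> str:
    """Accept Cisco dotted (0001.9744.73c0), colon or dash notation; return aa:bb:... lowercase."""
    digits = mac.lower().replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_multicast(mac: str) -> bool:
    """IEEE group bit: least-significant bit of the first octet. This covers the
    01-00-5E IPv4 range on the slide and every other group address; broadcast is
    the all-ones special case and is tested before this."""
    return int(normalize(mac)[:2], 16) & 0x01 == 1


@dataclass
class Frame:
    dst: str
    src: str
    ingress_port: str


@dataclass
class LearningSwitch:
    ports: list
    cam: dict = field(default_factory=dict)  # CAM/MAC table: MAC -> port

    def handle(self, frame: Frame) -> tuple:
        """Return (decision, egress ports) for one frame."""
        src, dst = normalize(frame.src), normalize(frame.dst)
        # Learning: the source MAC is bound to the port the frame arrived on;
        # a later frame from the same MAC on another port simply moves the entry.
        self.cam[src] = frame.ingress_port
        others = [p for p in self.ports if p != frame.ingress_port]
        if dst == BROADCAST:
            return "flood-broadcast", others
        if is_multicast(dst):
            return "flood-multicast", others
        out = self.cam.get(dst)
        if out is None:
            return "flood-unknown-unicast", others
        if out == frame.ingress_port:
            return "filter", []  # destination is on the ingress segment: drop
        return "forward", [out]

    def show_mac_address_table(self) -> list:
        """Rows shaped like the slide's 'show mac-address-table' output."""
        return sorted((mac, "DYNAMIC", port) for mac, port in self.cam.items())


if __name__ == "__main__":
    # Constructed frame sequence between the two hosts from the slide's table.
    sw = LearningSwitch(ports=["Fa0/1", "Fa0/2", "Fa1/1"])
    for f in [Frame("00e0.b0de.eed5", "0001.9744.73c0", "Fa0/1"),
              Frame("0001.9744.73c0", "00e0.b0de.eed5", "Fa1/1"),
              Frame("ffff.ffff.ffff", "0001.9744.73c0", "Fa0/1")]:
        print(f.ingress_port, "->", sw.handle(f))
    print(sw.show_mac_address_table())
```

The first frame is flooded because the destination has not been learned yet; once the reply arrives on Fa1/1 the table holds both hosts and later unicast frames are forwarded to exactly one port. The same learning step is what port security (next section) constrains: an attacker who can make the switch learn many source addresses can push the table toward flooding.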
Port Security
 All switch ports or interfaces should be secured before the switch is deployed (to protect traffic).
 Port security limits the number of valid MAC addresses allowed on a port.
 If port security is enabled on a port:
 the port does not forward packets with source addresses outside the group of defined addresses;
 when the maximum number of secure MAC addresses has been reached and another source address tries to use the port, a security violation occurs.
Secure MAC Address Types
 There are a number of ways to configure port security:
1. Static secure MAC addresses: manually configured by using the switchport port-security mac-address mac-address interface command (the address is stored in the address table and in the running-config).
2. Dynamic secure MAC addresses: dynamically learned and stored only in the address table (removed when the switch restarts).

Cont.
3. Sticky secure MAC addresses: you can configure a port to dynamically learn MAC addresses and then save these MAC addresses to the running configuration.
 Sticky secure MAC addresses have these characteristics:
➢ Enabled using the switchport port-security mac-address sticky interface configuration command.

Cont.
 When sticky learning is enabled, the interface converts all the dynamic secure MAC addresses to sticky secure MAC addresses and adds all sticky secure MAC addresses to the running configuration.
 If you disable sticky learning or port security is disabled, the sticky secure MAC addresses remain in the running configuration but are removed from the address table.
Security Violation Modes
 A security violation occurs when:
 the maximum number of secure MAC addresses has been added to the address table, and a station whose MAC address is not in the address table attempts to access the interface;
 an address learned or configured on one secure interface is seen on another secure interface in the same VLAN.

Cont.
 The violation mode selects the action to be taken if a violation occurs:
 protect: packets with unknown source addresses are dropped, and you are not notified that a security violation has occurred.
 restrict: packets with unknown source addresses are dropped and you are notified: an SNMP trap is sent, a syslog message is logged, and the violation counter increments.
 shutdown: the interface immediately becomes error-disabled and the port LED turns off; an SNMP trap is sent, a syslog message is logged, and the violation counter increments.
Configure Port Security
SW1(config)#int fa0/1
SW1(config-if)#switchport mode access
SW1(config-if)#switchport port-security
SW1(config-if)#switchport port-security mac-address sticky
SW1(config-if)#switchport port-security maximum 1
SW1(config-if)#switchport port-security violation shutdown
SW1#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
               (Count)        (Count)        (Count)
---------------------------------------------------------------------------
      Fa0/1              1            1                  0         Shutdown
---------------------------------------------------------------------------
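The behaviour of the configuration above, as an added Python model of one secured access port (not code from the slides): a maximum number of secure addresses, sticky learning that writes the learned address into the running configuration, and the three violation modes with the notification and counter behaviour the previous slide describes. The SecurePort class, its return strings and the notification text are constructed for this example; the MAC addresses are the two from the show mac-address-table slide.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """One access port with port security enabled (constructed model)."""
    name: str
    maximum: int = 1                  # switchport port-security maximum N
    violation: str = "shutdown"       # protect | restrict | shutdown
    sticky: bool = False              # switchport port-security mac-address sticky
    secure_macs: list = field(default_factory=list)      # secure entries in the address table
    running_config: list = field(default_factory=list)   # lines sticky learning would write
    violation_count: int = 0
    err_disabled: bool = False
    notifications: list = field(default_factory=list)    # stand-in for SNMP trap + syslog

    def __post_init__(self):
        if self.violation not in ("protect", "restrict", "shutdown"):
            raise ValueError(f"unknown violation mode {self.violation}")

    def ingress(self, src_mac: str) -> str:
        """Classify one ingress frame by its source MAC and return what happened."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "dropped: port err-disabled"
        if src_mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            # Dynamic learning; with sticky enabled the entry is also written
            # to the running configuration so it survives a reload once saved.
            self.secure_macs.append(src_mac)
            if self.sticky:
                self.running_config.append(
                    f"switchport port-security mac-address sticky {src_mac}")
            return "forwarded: learned"
        # Table full and the source is not a secure address: a violation.
        if self.violation == "protect":
            return "dropped: protect"          # silent: no counter, no notification
        self.violation_count += 1
        # Constructed notification text, not Cisco's actual syslog format.
        self.notifications.append(
            f"port-security violation on {self.name} from {src_mac} ({self.violation})")
        if self.violation == "shutdown":
            self.err_disabled = True
            return "dropped: port err-disabled"
        return "dropped: restrict"

    def show_port_security(self) -> dict:
        """Same columns as the slide's 'show port-security' output."""
        return {"Secure Port": self.name, "MaxSecureAddr": self.maximum,
                "CurrentAddr": len(self.secure_macs),
                "SecurityViolation": self.violation_count,
                "Security Action": self.violation.capitalize()}


if __name__ == "__main__":
    # Constructed scenario: PC 0 is learned, then a second host is plugged in.
    port = SecurePort("Fa0/1", maximum=1, violation="shutdown", sticky=True)
    print(port.ingress("0001.9744.73c0"))
    print(port.ingress("00e0.b0de.eed5"))
    print(port.show_port_security())
    print(port.running_config, port.notifications)
```

The important operational difference between the modes is visibility: protect drops silently, so a rogue device on the port leaves no counter or log entry, while restrict and shutdown both increment the counter and notify; shutdown also takes the port out of service until an administrator recovers it. Of the three, shutdown is the safest default in this exercise because the second host is refused outright and the event cannot be missed.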
Cont.
Can you ping from PC 0 to PC 1?
Now disconnect the switch fa0/1 interface from PC 0 and re-connect it with PC 2. Finally, check whether you can ping from PC 2 to PC 1.
Disabling unused ports: use the shutdown command for an interface or a range of interfaces (e.g. interface range fa0/1-24).
Introduction to VLANs
 A VLAN is a local area network which groups together a collection of machines in a logical, non-physical way.
 Using VLANs it is possible to be free of the limitations of the physical architecture (geographic constraints, addressing constraints, etc.) by defining a logical segmentation based on grouping machines together using criteria such as MAC addresses, port numbers or protocol.

Types of VLANs
 Depending on the switching criteria and the level at which the VLAN is conducted:
 Level 1 VLAN (port-based VLAN): based on the connection ports on the switch.
 Level 2 VLAN (MAC address-based VLAN): based on the MAC addresses of the stations; much more flexible than the port-based VLAN because the network is independent of the location of the station.

VLAN…
 Level 3 VLAN: there are several types of level 3 VLANs:
 Network address-based VLAN: links subnets according to the source IP address of the datagrams.
 Provides great flexibility in so far as the configuration of the switches changes automatically when a station is moved.
 There may be a slight degradation in performance since the information contained in the packets must be analysed more closely.
 Protocol-based VLAN: makes it possible to create a virtual network by protocol type (for example TCP/IP, IPX, AppleTalk, etc.), therefore grouping together all the machines using the same protocol on the same network.

Advantages of VLANs
 Limits the size of broadcast domains
 Improves network performance
 Provides a level of security
Configuring VLANs
 Use config-vlan mode to configure:
 normal-range VLANs (VLAN IDs 1 to 1005): saved in the VLAN database if VTP is in transparent or server mode
 extended-range VLANs (VLAN IDs 1006 to 4094): not saved in the VLAN database
 Syntax:
Switch(config)#vlan vlan_number
Switch(config-vlan)#name vlan_name
Switch(config-vlan)#exit
Switch#show vlan

Cont.
 By default, all ports are initially members of VLAN 1.
 Use the following commands to assign individual ports to VLANs:
Switch(config)#interface fa#/#
Switch(config-if)#switchport access vlan vlan_no
Switch(config-if)#exit
 Use the following commands to assign a range of ports to VLANs:
Switch(config)#interface range fa#/start#-end#
Switch(config-if-range)#switchport access vlan vlan_no
Switch(config-if-range)#exit
VLAN Links
❑ Access links
❑ This type of link is only part of one VLAN.
❑ That VLAN is referred to as the native VLAN of the port.
❑ Any device attached to an access link is unaware of VLANs.
❑ Switches remove any VLAN information from the frame before it is sent to an access-link device.
❑ Trunk links
❑ Carry the traffic of multiple VLANs.
❑ A trunk link is a 100- or 1000-Mbps point-to-point link between two switches, or between a switch and a router.
❑ Dynamic links
❑ Set the trunking mode to dynamically negotiate access or trunk mode.

VLAN Tagging
❑ A VLAN identification given to a frame while frames of multiple VLANs travel on the same link.
❑ A trunk port supports frame tagging. Frame tagging adds VLAN information to the frame.
❑ IEEE 802.1Q is the standardized and approved method of frame tagging.
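What "adding VLAN information to the frame" means on the wire, as an added Python example (not code from the slides): an 802.1Q tag is four bytes inserted after the source address, a TPID of 0x8100 followed by a TCI holding priority, drop-eligible bit and the 12-bit VLAN ID. The functions below build a plain Ethernet II frame, tag it as a trunk port would, parse the tag, and strip it as a switch does before sending the frame to an access-link device. The helper names and the sample frame (addresses from the show mac-address-table slide, constructed payload) are this example's own.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


def mac_bytes(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-..., or Cisco aabb.ccdd.eeff notation."""
    return bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))


def build_untagged(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Plain Ethernet II frame: 6-byte dst, 6-byte src, 2-byte EtherType, payload."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload


def tag_frame(untagged: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Trunk egress: insert the 4-byte tag (TPID + TCI) after the address fields."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = (pcp & 0x7) << 13 | (dei & 0x1) << 12 | vid
    return untagged[:12] + struct.pack("!HH", TPID_8021Q, tci) + untagged[12:]


def parse_frame(frame: bytes) -> dict:
    """Return addresses, tag fields (None when untagged), EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    info = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
            "vid": None, "pcp": None, "dei": None}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[14:16])[0]
        info.update(vid=tci & 0x0FFF, pcp=tci >> 13, dei=(tci >> 12) & 1)
        info["ethertype"] = struct.unpack("!H", frame[16:18])[0]
        info["payload"] = frame[18:]
    else:
        info["ethertype"] = ethertype
        info["payload"] = frame[14:]
    return info


def strip_tag(frame: bytes) -> bytes:
    """Access-link egress: the attached device is unaware of VLANs, so remove the tag."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        return frame[:12] + frame[16:]
    return frame


if __name__ == "__main__":
    raw = build_untagged("0001.9744.73c0", "00e0.b0de.eed5", 0x0800, b"constructed payload")
    tagged = tag_frame(raw, vid=10, pcp=3)
    print(tagged[:18].hex(" "))
    print(parse_frame(tagged))
    print(strip_tag(tagged) == raw)
```

Because the tag is just bytes a host can write, the VLAN a frame claims is only trustworthy on a trunk between devices you control; that is the reason the slides keep end hosts on access links, where the switch removes tags on egress and ignores them on ingress.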
Exercise
VTP (VLAN Trunking Protocol)
 VTP is a Cisco proprietary protocol that allows VLAN configuration to be consistently maintained across a common administrative domain.
 VTP is a client/server messaging protocol that adds, deletes, and renames VLANs in a single VTP domain.

Cont.
 VTP reduces the complexity of managing and monitoring VLAN networks, allowing changes on one switch to be propagated to the others.
 Switches transmit VTP messages only on 802.1Q and Inter-Switch Link (ISL) trunks.
 VTP versions: 1 (commonly used), 2 and 3
 VTP modes:
 VTP Server
 VTP Client
 VTP Transparent

VTP Modes
Server (default): creates, modifies and deletes VLANs; sends and forwards advertisements; synchronizes; VLAN configuration saved in NVRAM.
Client: forwards advertisements; synchronizes; VLAN configuration not saved in NVRAM.
Transparent: creates, modifies and deletes VLANs; forwards advertisements; does not synchronize; VLAN configuration saved in NVRAM.
VTP Configuration
✓ With VTP, each switch advertises messages (management domain, configuration revision number, known VLANs, and parameters for each VLAN) on its trunk ports through a multicast.
✓ The VTP configuration revision number begins at zero and increases by one whenever a change occurs (up to 2,147,483,648).

Cont.
If a switch in server mode issues an update with a higher revision number than the number currently in place, all switches will modify their databases to match the new switch.

Configuration
Configure the domain, password and VTP mode:
Switch(config)#vtp version 2
Switch(config)#vtp mode server
Switch(config)#vtp domain dtu
Switch(config)#vtp password mypassword
Switch#show vtp status

The domain name and password are case sensitive and must be configured identically on each switch in the same domain.
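The revision-number rule and the domain/password checks above, as an added Python model (not code from the slides): a switch ignores an advertisement from another domain or with a digest it cannot reproduce from its own password, forwards but never applies one in transparent mode, and otherwise overwrites its whole VLAN database whenever the advertised revision is higher than its own. The digest layout is an assumption for this example (real VTP carries an MD5 over the password and advertisement contents); the class and method names are this example's own, and the domain and password are the slide's dtu / mypassword.

```python
import hashlib
from dataclasses import dataclass, field


def vtp_digest(password: str, domain: str, revision: int, vlans: dict) -> str:
    """Constructed digest for this example. Real VTP carries an MD5 over the
    password and advertisement contents; the exact layout is assumed here."""
    material = f"{password}|{domain}|{revision}|{sorted(vlans.items())}".encode()
    return hashlib.md5(material).hexdigest()


@dataclass
class Advertisement:
    domain: str
    revision: int
    vlans: dict
    digest: str


@dataclass
class VtpSwitch:
    name: str
    domain: str
    password: str
    mode: str = "server"      # server | client | transparent
    revision: int = 0         # configuration revision number, starts at zero
    vlans: dict = field(default_factory=lambda: {1: "default"})

    def add_vlan(self, vid: int, name: str) -> int:
        """'vlan <id>' / 'name <x>'; clients cannot create VLANs."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VTP client mode cannot create VLANs")
        self.vlans[vid] = name
        if self.mode == "server":
            self.revision += 1   # every change bumps the revision number
        return self.revision

    def advertise(self) -> Advertisement:
        return Advertisement(self.domain, self.revision, dict(self.vlans),
                             vtp_digest(self.password, self.domain, self.revision, self.vlans))

    def receive(self, adv: Advertisement) -> str:
        """Apply or ignore an advertisement seen on a trunk."""
        if self.mode == "transparent":
            return "forwarded, not applied"
        if adv.domain != self.domain:
            return "ignored: domain mismatch"
        if adv.digest != vtp_digest(self.password, adv.domain, adv.revision, adv.vlans):
            return "ignored: digest mismatch (wrong password)"
        if adv.revision <= self.revision:
            return "ignored: revision not higher"
        # Higher revision wins: the local VLAN database is overwritten wholesale.
        self.vlans = dict(adv.vlans)
        self.revision = adv.revision
        return "applied"


if __name__ == "__main__":
    # Constructed scenario: a server creates two VLANs and a client syncs to it.
    server = VtpSwitch("SW1", "dtu", "mypassword")
    client = VtpSwitch("SW2", "dtu", "mypassword", mode="client")
    server.add_vlan(10, "staff")
    server.add_vlan(20, "students")
    print(client.receive(server.advertise()), client.vlans, client.revision)
    # A switch that previously lived in a domain with a higher revision number
    # wins the comparison even though it knows fewer VLANs.
    stale = VtpSwitch("SW-OLD", "dtu", "mypassword", revision=50)
    print(server.receive(stale.advertise()), server.vlans, server.revision)
```

The last two lines of the demo show why the revision rule matters operationally: the server's VLANs 10 and 20 disappear because the stale switch advertised revision 50 with the same domain and password. Checking show vtp status on any switch before connecting it to a production trunk, and using a domain password, are the controls the slides give for this.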
STP (Spanning Tree Protocol)
 Redundancy increases the availability of the network topology.
 When redundancy is introduced into a Layer 2 design, loops and duplicate frames can occur.
 Loops and duplicate frames can have severe consequences on a network.
 STP is an open standard protocol, used in a switched environment to create a loop-free logical topology.

Cont.
To prevent switching loops, STP:
✓ Forces certain interfaces into a standby or blocked state
✓ Leaves other interfaces in a forwarding state
✓ Reconfigures the network by activating the appropriate standby path if the forwarding path becomes unavailable

Configuring STP
• By default, STP is enabled for every port on the switch.
• To re-enable STP on a per-VLAN basis, use:
Switch(config)#spanning-tree vlan vlan-id
• To disable STP on a per-VLAN basis:
Switch(config)#no spanning-tree vlan vlan-id
• To verify:
Switch#show spanning-tree
Switch#show spanning-tree summary
Inter-VLAN Communication
• Although VLANs extend to span multiple switches, only members of the same VLAN can communicate.
• A Layer 3 device provides connectivity between different VLANs.
• Methods of accomplishing inter-VLAN routing:
✓ Using a separate interface connection to the Layer 3 device for each VLAN.
✓ Using a feature called subinterfaces.
✓ Subinterfaces logically divide one physical interface into multiple logical pathways (known as router-on-a-stick).

To configure inter-VLAN routing, use the following steps:
1. Configure a trunk port on the switch.
Switch(config)#interface fa0/2
Switch(config-if)#switchport mode trunk
2. On the router, configure a FastEthernet interface with no IP address or subnet mask.
Router(config)#interface fa0/1
Router(config-if)#no ip address
Router(config-if)#no shutdown

Cont.
3. On the router, configure one subinterface with an IP address and subnet mask for each VLAN. Each subinterface has an 802.1Q encapsulation.
Router(config)#interface fa0/1.10
Router(config-subif)#encapsulation dot1q 10
Router(config-subif)#ip address 192.168.10.1 255.255.255.0
4. Use the following commands to verify the inter-VLAN routing configuration and functionality.
Switch#show interfaces trunk
Router#show ip interface
Router#show ip interface brief
Router#show ip route
WAN Devices and Technologies
➢ WAN services help to connect networks over a broad geographic distance, from a few to thousands of kilometres.
➢ Serial connections with copper cables are most commonly used, but recently fibre optic cables play an important role in connections at both LAN and WAN.
➢ Great bandwidth, great distance, very little signal loss, high speed and security are some features of fibre optic cable.

WAN Devices & Terminologies
 Router: provides internetworking and WAN access interfaces.
 Data Terminal Equipment (DTE): the router at the customer side.
 Data Communications Equipment (DCE): provides a clocking signal used to synchronize data transmission between DCE and DTE devices.
 Customer Premises Equipment (CPE): devices located at the customer side.

Cont.
 Demarcation point: the physical point where the public network ends and the private network of a customer begins.
 Local loop: a cable that connects the CPE to the nearest exchange or Central Office (CO) of the service provider. In other words, it is the physical link from the demarcation point to the edge of the service provider's network.
 CSU/DSU (Channel Service Unit/Data Service Unit): used on digital lines such as T1, T3 or E1.
• Provides the clocking signal to the customer equipment interface and terminates the channelized transport media to a leased line.
• Nowadays current routers integrate CSU/DSU capabilities.
 Modem: short for Modulator/Demodulator; it allows a computer to send and receive information over telephone lines by converting digital data into an analogue signal and vice versa.
WAN Technologies
An enterprise connects to WAN services using:
• Leased lines (or point-to-point links)
• Enables a one-to-one connection for the basic function of data delivery across a link.
• Each link requires a separate physical interface and a separate CSU/DSU.
• Protocols: HDLC (High-Level Data Link Control) and PPP

Cont.
• Packet switching
• Connects many routers to the packet-switching service using a single serial link on each router.
• Protocols: Asynchronous Transfer Mode (ATM), Frame Relay

PPP Protocol
 An open standard protocol that is mostly used to provide connections over point-to-point serial links.
 PPP has two sub-protocols:
 Link Control Protocol (LCP): responsible for establishing, maintaining and terminating the point-to-point link.
 Network Control Protocol (NCP): provides interaction with different Network layer protocols.

Establishing a PPP session
1. Link establishment phase: each PPP device sends LCP packets to configure and test the data link.
2. Authentication phase (optional): if authentication is enabled, either PAP or CHAP will be used.
3. Network layer protocol phase: PPP sends NCP packets to choose and configure the Network Layer protocol (OSI Layer 3) to be encapsulated and sent over the PPP data link.

PPP Authentication Methods
 Password Authentication Protocol (PAP): two-way handshake
 Challenge Handshake Authentication Protocol (CHAP): more secure than PAP; uses a three-way handshake authentication
PAP Configuration
 The encapsulation ppp command enables PPP encapsulation.
Server(config)#username CLIENT1 password DTU
Server(config)#int s1/1
Server(config-if)#encapsulation ppp
Server(config-if)#ppp authentication pap
Server(config-if)#no shutdown
Client(config)#int s1/0
Client(config-if)#encapsulation ppp
Client(config-if)#ppp pap sent-username CLIENT1 password DTU
Client(config-if)#no shutdown
 If your configuration is correct, you will see the status "up/up" on your serial interfaces.

CHAP Configuration
Server(config)#username Client password DTU
Server(config)#interface Serial 1/1
Server(config-if)#encapsulation ppp
Server(config-if)#ppp authentication chap
Server(config-if)#no shutdown
Client(config)#username Server password DTU
Client(config)#interface Serial 1/0
Client(config-if)#encapsulation ppp
Client(config-if)#ppp authentication chap
Client(config-if)#no shutdown
 The show interface <interface> command shows the configured encapsulation type.
 The debug ppp authentication or debug ppp negotiation commands are used to check PPP authentication.
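Why the slides call CHAP more secure than PAP, shown as an added Python model of the two handshakes (this is not code from the slides or from IOS): PAP's two-way exchange puts the username and password themselves in the Authenticate-Request, while CHAP's three-way exchange sends only MD5(identifier || secret || challenge) in response to a random challenge, as RFC 1994 specifies, so the secret never crosses the link and a captured response cannot be replayed against a fresh challenge. The class and function names are this example's own; the username CLIENT1 and password DTU are the ones configured on the PAP slide.

```python
import hashlib
import hmac
import os


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: hash of Identifier || secret || challenge."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret.encode() + challenge).digest()


class ChapAuthenticator:
    """The side configured with 'ppp authentication chap' (the Server router above)."""

    def __init__(self, users: dict):
        self.users = users            # username -> password, as in 'username ... password ...'
        self.ident = 0
        self.pending = {}             # outstanding challenges keyed by identifier

    def challenge(self) -> tuple:
        self.ident = (self.ident + 1) & 0xFF
        chal = os.urandom(16)         # fresh random challenge for every attempt
        self.pending[self.ident] = chal
        return self.ident, chal

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        chal = self.pending.pop(ident, None)   # a challenge is usable only once
        secret = self.users.get(name)
        if chal is None or secret is None:
            return False
        return hmac.compare_digest(response, chap_response(ident, secret, chal))


class ChapPeer:
    """The side answering the challenge; it must hold the same shared secret."""

    def __init__(self, name: str, secret: str):
        self.name, self.secret = name, secret

    def respond(self, ident: int, challenge: bytes) -> tuple:
        return ident, self.name, chap_response(ident, self.secret, challenge)


def chap_exchange(auth: ChapAuthenticator, peer: ChapPeer) -> bool:
    """Three-way handshake: Challenge -> Response -> Success/Failure."""
    ident, chal = auth.challenge()
    r_ident, name, resp = peer.respond(ident, chal)
    return auth.verify(r_ident, name, resp)


def pap_exchange(users: dict, name: str, password: str) -> tuple:
    """Two-way handshake: Authenticate-Request (username and password in the
    clear) answered by Ack or Nak. Returns what the wire carried and the result."""
    request = {"peer-id": name, "password": password}
    return request, users.get(name) == password


if __name__ == "__main__":
    users = {"CLIENT1": "DTU"}   # the slide's 'username CLIENT1 password DTU'
    print("PAP request on the wire:", pap_exchange(users, "CLIENT1", "DTU"))
    print("CHAP result:", chap_exchange(ChapAuthenticator(users), ChapPeer("CLIENT1", "DTU")))
```

With debug ppp authentication on a real router you would see the same three CHAP messages (CHALLENGE, RESPONSE, SUCCESS or FAILURE) and, for PAP, the single AUTH-REQ followed by AUTH-ACK or AUTH-NAK. Note that CHAP still needs the plaintext secret stored on both routers, which is why the username lines must match on each side of the link.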
