Posts with #cisco switches - cisco firewall tag
Conventional network security often focuses more on routers and blocking traffic from the outside. Switches are internal to the organization and designed to allow ease of connectivity, therefore only limited or no security measures are applied.
The following basic security measures can be used to secure your Cisco switches and your network:
* Physically secure the device
* Use secure passwords
* Enable SSH access
* Enable port security
* Disable http access
* Disable unused ports
* Disable Telnet
Let’s look at how to implement and configure some of the above mentioned switch security features.
1. How to Configure the privileged EXEC password.
Use the enable secret command to set the password. For this activity, set the password to orbit.
SW1(config)#enable secret orbit
2. How to Configure virtual terminal (Telnet) and console passwords and require users to login.
A password should be required to access the console line. Even the basic user EXEC mode can provide significant information to a malicious user. In addition, the VTY lines must have a password before users can access the switch remotely.
Use the following commands to secure the console and the VTY (Telnet) lines. The password values are placeholders for this activity; choose your own:
SW1(config)#line console 0
SW1(config-line)#password <console-password>
SW1(config-line)#login
SW1(config-line)#line vty 0 15
SW1(config-line)#password <vty-password>
SW1(config-line)#login
3. How to Configure password encryption.
At this stage, the privileged EXEC password is already encrypted. To encrypt the line passwords that you just configured, enter the service password-encryption command in global configuration mode:
SW1(config)#service password-encryption
4. How to Configure and test the MOTD banner.
Configure the message-of-the-day (MOTD) using Authorized Access Only as the text. Follow these guidelines:
i. The banner text is case sensitive. Make sure you do not add any spaces before or after the banner text.
ii. Use a delimiting character before and after the banner text to indicate where the text begins and ends. The delimiting character used in the example below is %, but you can use any character that is not used in the banner text.
iii. After you have configured the MOTD, log out of the switch to verify that the banner displays when you log back in.
SW1(config)#banner motd %Authorized Access Only%
5. How to Configure Port Security
Enter interface configuration mode for FastEthernet 0/11 and enable port security:
SW1(config)#interface fa0/11
SW1(config-if)#switchport mode access
SW1(config-if)#switchport port-security
Before any other port security commands can be configured on the interface, port security must be enabled. The port also has to be a static access port (switchport mode access); the switch rejects port security on a port that is still in dynamic mode.
* Notice that you do not have to exit back to global configuration mode before entering interface configuration mode for fa0/11.
6. How to configure the maximum number of MAC addresses.
To configure the port to learn only one MAC address, set the maximum to 1:
SW1(config-if)#switchport port-security maximum 1
7. How to configure the port to add the MAC address to the running configuration.
The MAC address learned on the port can be added to (“stuck” to) the running configuration for that port.
SW1(config-if)#switchport port-security mac-address sticky
8. How to Configure the port to automatically shut down if port security is violated.
If you do not configure the following command, SW1 only logs the violation in the port security statistics but does not shut down the port.
SW1(config-if)#switchport port-security violation shutdown
Use the show mac address-table command to confirm that SW1 has learned the MAC address of the intended device, in this case PC1.
SW1#show mac address-table
          Mac Address Table
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    0060.5c4b.cd22    STATIC      Fa0/11
You can also use the show port-security interface fa0/11 command to verify that a security violation has occurred.
SW1#show port-security interface fa0/11
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Last Source Address:Vlan : 00E0.F7B0.086E:20
Security Violation Count : 1
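The show output above is what an operator reads by hand; the following added example (not part of the original post) turns it into a small detection check: it parses the "Key : Value" lines of show port-security interface, flags ports with a non-zero violation count or a Secure-shutdown status, and compares the last source address against the addresses expected on that port (as listed by show mac address-table). The Fa0/11 output is the one from the post; the Fa0/12 output and the ALLOWED table are constructed for the example.

```python
# Constructed sample: the `show port-security interface` output for Fa0/11 is
# the one from the post; Fa0/12 is a constructed healthy port added for contrast.
SAMPLE_OUTPUTS = {
    "Fa0/11": """\
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Last Source Address:Vlan : 00E0.F7B0.086E:20
Security Violation Count : 1
""",
    "Fa0/12": """\
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 0060.5C4B.CD33:20
Security Violation Count : 0
""",
}

# Addresses expected on each port, e.g. taken from `show mac address-table`
# (Fa0/11 is the post's PC1 address; Fa0/12 is constructed).
ALLOWED = {"Fa0/11": {"0060.5c4b.cd22"}, "Fa0/12": {"0060.5c4b.cd33"}}


def parse_port_security(text):
    """Turn the 'Key : Value' lines of the show output into a dict.

    partition() on the first ' : ' keeps keys such as 'Last Source Address:Vlan'
    (which contain a colon themselves) intact.
    """
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def assess_port(name, text, allowed):
    """Return a finding dict for one interface, or None when the port is clean."""
    f = parse_port_security(text)
    if f.get("Port Security") != "Enabled":
        return {"port": name, "issue": "port security not enabled"}
    violations = int(f.get("Security Violation Count", "0"))
    last_mac, _, vlan = f.get("Last Source Address:Vlan", "::").rpartition(":")
    if violations == 0 and f.get("Port Status") != "Secure-shutdown":
        return None
    return {
        "port": name,
        "issue": "security violation",
        "status": f.get("Port Status"),
        "violations": violations,
        "last_source": last_mac.lower(),
        "vlan": vlan,
        # True when the last sender is not one of the addresses expected on the port
        "unexpected_source": last_mac.lower() not in allowed.get(name, set()),
    }


def find_violations(outputs, allowed=ALLOWED):
    """Assess every interface and return the findings sorted by port name."""
    findings = [assess_port(p, t, allowed) for p, t in outputs.items()]
    return sorted((f for f in findings if f), key=lambda f: f["port"])


if __name__ == "__main__":
    for finding in find_violations(SAMPLE_OUTPUTS):
        print(finding)
```

Run against the sample, the only finding is Fa0/11: one violation, last seen from 00e0.f7b0.086e in VLAN 20, which is not the address the MAC table shows for PC1, so the port was shut down by a different device than the one it was secured for.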
9. How to Secure Unused Ports
Disabling unused switch ports is a simple method that many network administrators use to help secure their network from unauthorized access. Disabling an unused port stops traffic from flowing through it.
Step 1: Disable interface Fa0/10 on SW1.
Enter interface configuration mode for FastEthernet 0/17 and shut down the port.
Step 2: Disable interfaces Fa0/1 to Fa0/24 on SW1
SW1(config)#interface range fa0/1-24
SW1(config-if-range)#shutdown
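To check that the measures from the list at the top of this post actually ended up in a switch's configuration, the following added example (not part of the original post) audits a running-config: it looks for service password-encryption, an enable secret, a MOTD banner, the absence of ip http server, login on every line, VTY lines restricted to SSH, and port security on every port that is not shut down. The configuration text is constructed for the example; the PLACEHOLDER strings stand in for real password hashes.

```python
# Constructed running-config excerpt (not from the post) with a mix of hardened
# and still-default settings so that the audit has something to flag. The banner
# is collapsed to one line here; IOS shows it over several lines.
SAMPLE_CONFIG = """\
service password-encryption
hostname SW1
enable secret 5 PLACEHOLDER-HASH
banner motd ^CAuthorized Access Only^C
!
interface FastEthernet0/10
 shutdown
!
interface FastEthernet0/11
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
interface FastEthernet0/12
 switchport mode access
!
ip http server
!
line con 0
 password 7 PLACEHOLDER
 login
line vty 0 4
 password 7 PLACEHOLDER
 login
 transport input telnet ssh
line vty 5 15
 password 7 PLACEHOLDER
 login
 transport input ssh
!
end
"""


def split_blocks(config_text):
    """Group a running-config into (header, [child lines]) tuples.

    IOS nests interface and line settings by one leading space; every other
    line is a top-level statement with an empty body.
    """
    blocks = []
    for raw in config_text.splitlines():
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        elif raw.strip():
            blocks.append((raw.strip(), []))
    return blocks


def audit(config_text):
    """Check the post's hardening list and return human-readable findings."""
    blocks = split_blocks(config_text)
    top = [h for h, _ in blocks]
    findings = []
    if "service password-encryption" not in top:
        findings.append("service password-encryption is not enabled")
    if not any(h.startswith("enable secret ") for h in top):
        findings.append("no enable secret configured")
    if not any(h.startswith("banner motd ") for h in top):
        findings.append("no MOTD banner configured")
    if "ip http server" in top:
        findings.append("ip http server is enabled (web access should be disabled)")
    for header, body in blocks:
        if header.startswith("interface "):
            name = header.split(" ", 1)[1]
            if "shutdown" in body:
                continue  # unused port already disabled
            if "switchport port-security" not in body:
                findings.append(f"{name} is up without port security")
        elif header.startswith("line "):
            if not any(b == "login" or b.startswith("login ") for b in body):
                findings.append(f"{header} does not require login")
            if header.startswith("line vty"):
                transport = [b for b in body if b.startswith("transport input")]
                if not transport:
                    findings.append(f"{header} has no transport input restriction")
                elif any("telnet" in t or t.endswith(" all") for t in transport):
                    findings.append(f"{header} still allows telnet ({transport[0]})")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the sample the audit reports the web server, the unprotected Fa0/12 and the telnet-capable vty 0 4 block; the same script run over configurations exported from several switches gives a quick picture of which ones still need the steps above.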
More Cisco switches' tutorials: http://blog.router-switch.com/category/reviews/cisco-switches/
Cisco unveiled significant extensions to both of its major switching lines with the addition of 40/100G Ethernet capabilities.
The enhancements are intended to address the growth of 10G Ethernet in data centers, which Dell’Oro Group forecasts will be the major revenue contributor to Ethernet switching in the next five years. Growth in 10G necessitates larger pipes between switches to aggregate those links and forward traffic at faster rates to alleviate congestion and keep network operations running optimally, especially with trends like cloud, video and mobility sending more packets in all different directions.
Cisco is adding 40G Ethernet to its Catalyst 6500 switching line, and 40/100G Ethernet to its Nexus 7000 switch to aggregate 40G at the core, and interconnect data centers to service providers.
Cisco also rolled out two fixed configuration switches for high-density 10G Ethernet in campus aggregation and data center top-of-rack deployments.
And in an effort to bring legacy infrastructures into the virtual world, Cisco unveiled network virtualization capabilities for its Catalyst 6500, 4500 and ASR 1000 product lines, as well as a new data center appliance for scalable virtual services.
Cisco is offering two modules for the Nexus 7000: a two-port 100G Ethernet board, which would provide the switch with up to 32 non-blocking 100G Ethernet ports; and a six-port 40G Ethernet module which would provide up to 96 non-blocking 40G ports for the switch.
Of the major switching vendors, only Brocade is offering 100G Ethernet on a core platform -- its MLX series switching routers. Several other vendors are already offering 40G fixed, modular and uplink ports on their switches.
The technology has yet to go gangbusters though.
Notes: More News of Cisco Updates Its High-end Switches
"We see sporadic implementation" of 40/100G Ethernet, says Jon Oltsik, an analyst at Enterprise Strategy Group. "Cisco’s one of the first big players to go mainstream with it. It’s good for marketing – they’ll be perceived as a high-performance vendor."
Cisco also unveiled the Nexus 3064-X, which had been expected. The 3064-X is aimed at low latency financial services environments and features 48 1/10G Ethernet ports plus four 40G links.
And the company’s Nexus 1000V virtual switch, which resides on blade servers like the Cisco Unified Computing System, now supports the Virtual Extensible LAN (VXLAN) workload scaling capability Cisco announced last summer.
VXLAN is also new in Cisco’s Nexus 1010 new virtual services appliance. The VXLAN version is called the Nexus 1010-X and it is a dedicated hardware platform for provisioning and scaling network services in virtualized environments, like data centers and clouds.
For the campus environment and the Catalyst line, Cisco unveiled the Catalyst 6900 Series 40 Gigabit Ethernet Interface Module for the flagship Catalyst 6500 switch. It allows the switch to support up to 44 40G ports.
Cisco also rolled out the Catalyst 4500-X, a fixed aggregation switch targeted at space-constrained campus networks. It supports up to 40 10G Ethernet ports and 1.6Tbps of switching capacity through Cisco’s Virtual Switching System redundancy technique. It also includes support for Medianet video and NetFlow analysis services.
Lastly, Cisco unveiled software for its campus switches and routers designed to simplify network virtualization. Cisco Easy Virtual Network (EVN) runs on the Catalyst 6500 and 4500 switches, and ASR 1000 edge router, and allows operators to more easily create separate logical networks on a single physical infrastructure.
And in the data center, Cisco added features to the Nexus NX-OS operating system such as PowerOn Auto-Provisioning and Python scripting to customize network behavior based on events as they happen. These features are now available on Nexus 3000 series platforms, and planned for the Nexus 2000 and 5000 switches.
The 40/100G modules for the Nexus 7000 will be available in the second quarter. The 6900 module for the Catalyst 6500 will be available in April. The Nexus 3064-X will be available in March.
---Original News from Networkworld.com
During the early days of networking, it was difficult to implement VLANs across networks. Each VLAN was manually configured on each network switch. Managing a large switched network used to be a complicated task; VLAN trunking methods have helped to ease this problem.
VLAN Trunking Protocol (VTP) is a Cisco proprietary protocol whose basic aim is to manage all configured VLANs across a switched network. VTP helps to propagate VLAN configurations and keep them consistent on the other switches in the network.
VTP is a messaging protocol that uses layer 2 trunk frames to add, delete and rename VLANs on a single domain. It centralizes changes, which are then sent to the other switches on the network.
A switch has to be configured in the role of VTP server to manage the VLAN configuration for your network. The server(s) share VLAN information with the other switches on the network, which must use the same domain name.
VTP learns only normal-range VLANs (VLAN IDs 1 to 1005).
The primary role of VTP is to maintain VLAN configuration consistency across a network administration domain.
VTP stores VLAN configurations in the VLAN database called vlan.dat.
After a trunk is established between switches, VTP advertisements are exchanged between them. Both the server switch and the client exchange and monitor advertisements from one another to ensure that each has an accurate record of the VLAN information. VTP advertisements are not exchanged if the trunk between the switches is inactive.
In the diagram above, a trunk link is configured between switch S1 (VTP server) and switches S2 and S3 (VTP clients). After a trunk is established between the switches, VTP summary advertisements are exchanged among them.
VTP Configuration Guidelines
Follow these steps to configure a Cisco Catalyst switch to use VTP successfully:
VTP Server Switches
i. Before you begin configuration, ensure that all of the switches are set to their default settings.
ii. Always reset the configuration revision number before installing a previously configured switch into a VTP domain. Not resetting the configuration revision number allows for potential disruption in the VLAN configuration across the rest of the switches in the VTP domain.
iii. Configure at least two VTP server switches in your network. Because only server switches can create, delete, and modify VLANs, you should make sure that you have one backup VTP server in case the primary VTP server becomes disabled. If all the switches in the network are configured in VTP client mode, you cannot create new VLANs on the network.
iv. Configure a VTP domain on the VTP server. Configuring the VTP domain on the first switch enables VTP to start advertising VLAN information. Other switches connected through trunk links receive the VTP domain information automatically through VTP advertisements.
v. If there is an existing VTP domain, make sure that you match the name exactly. VTP domain names are case-sensitive.
vi. If you are configuring a VTP password, ensure that the same password is set on all switches in the domain that need to be able to exchange VTP information. Switches without a password or with the wrong password reject VTP advertisements.
vii. Ensure that all switches are configured to use the same VTP protocol version. VTP version 1 is not compatible with VTP version 2. By default, Cisco Catalyst 2960 switches run version 1 but are capable of running version 2. When the VTP version is set to version 2, all version 2 capable switches in the domain auto configure to use version 2 through the VTP announcement process. Any version 1-only switches cannot participate in the VTP domain after that point.
viii. Create the VLAN after you have enabled VTP on the VTP server. VLANs created before you enable VTP are removed. Always ensure that trunk ports are configured to interconnect switches in a VTP domain. VTP information is only exchanged on trunk ports.
VTP Client Switches
i. As on the VTP server switch, confirm that the default settings are present.
ii. Configure VTP client mode. Recall that the switch is not in VTP client mode by default. You have to configure this mode.
iii. Configure trunks. VTP works over trunk links.
iv. Connect to a VTP server. When you connect to a VTP server or another VTP-enabled switch, it takes a few moments for the various advertisements to make their way back and forth to the VTP server.
v. Verify VTP status. Before you begin configuring the access ports, confirm that the revision mode and number of VLANs have been updated.
vi. Configure access ports. When a switch is in VTP client mode, you cannot add new VLANs. You can only assign access ports to existing VLANs.
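The guidelines above describe which advertisements a switch accepts (matching domain name, password and version) and why the revision number matters (guideline ii under VTP Server Switches). The following added example, not part of the original post and not Cisco code, models those rules in a few lines and replays the failure the guideline warns about: a previously used switch with a higher revision number and only VLAN 1 is connected to a working domain. The switch names, domain name and password are constructed; real VTP carries an MD5 digest of the password rather than the password string, which the plain comparison here stands in for.

```python
from dataclasses import dataclass, field

NORMAL_RANGE = range(1, 1006)  # VTP learns only VLAN IDs 1 to 1005


@dataclass
class VtpSwitch:
    name: str
    domain: str
    mode: str               # "server" or "client"
    version: int = 1
    password: str = ""
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})

    def add_vlan(self, vlan_id, name):
        """Only a server may change the VLAN database; each change bumps the revision."""
        if self.mode != "server":
            raise PermissionError(f"{self.name} is a VTP {self.mode}; cannot create VLANs")
        if vlan_id not in NORMAL_RANGE:
            raise ValueError("VTP only carries normal-range VLANs (1-1005)")
        self.vlans[vlan_id] = name
        self.revision += 1

    def advertisement(self):
        # Real VTP sends an MD5 digest of the password; the plain string stands in for it.
        return {"domain": self.domain, "version": self.version, "password": self.password,
                "revision": self.revision, "vlans": dict(self.vlans)}

    def receive(self, adv):
        """Apply the acceptance rules from the guidelines; return what happened."""
        if adv["domain"] != self.domain:          # case-sensitive comparison
            return "rejected: domain mismatch"
        if adv["password"] != self.password:
            return "rejected: password mismatch"
        if adv["version"] != self.version:
            return "rejected: version mismatch"
        if adv["revision"] <= self.revision:
            return "ignored: revision not newer"
        self.vlans = dict(adv["vlans"])           # the higher revision wins, whatever it holds
        self.revision = adv["revision"]
        return "accepted"

    def reset_revision(self):
        """Modelled 'reset the configuration revision number' step from guideline ii."""
        self.revision = 0


def stale_switch_scenario(reset_before_install):
    """Insert a previously used switch (revision 5, VLAN 1 only) into a working domain.

    Returns the VLAN IDs held by the client and by the server afterwards.
    """
    s1 = VtpSwitch("S1", "LAB", "server", password="vtp-secret")
    s2 = VtpSwitch("S2", "LAB", "client", password="vtp-secret")
    s1.add_vlan(10, "users")
    s1.add_vlan(20, "servers")
    s2.receive(s1.advertisement())            # client now holds VLANs 1, 10, 20 at revision 2

    old = VtpSwitch("OLD", "LAB", "server", password="vtp-secret", revision=5)
    if reset_before_install:
        old.reset_revision()
    s2.receive(old.advertisement())
    s1.receive(old.advertisement())           # servers also accept a higher revision
    return sorted(s2.vlans), sorted(s1.vlans)


if __name__ == "__main__":
    print("without reset:", stale_switch_scenario(False))
    print("with reset:   ", stale_switch_scenario(True))
```

Without the reset, both the client and the original server adopt the stale database and VLANs 10 and 20 disappear from the domain; with the revision reset to 0 the advertisement is ignored. A mismatched domain name or password is rejected before the revision is even looked at, which is why guidelines v and vi ask for exact matches.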
Dynamic Host Configuration Protocol (DHCP) is a network application protocol used by devices (DHCP clients) to obtain configuration information for operation in an Internet Protocol network. This protocol reduces system administration workload, allowing devices to be added to the network with little or no manual intervention.
The diagram shows the network topology. In this network the firewall is the gateway of the 10.16.74.0/24 network. The firewall and the servers will be excluded from the DHCP pool.
The first step is to configure the inside (LAN) interface on the 10.16.74.0/24 network:
FIREWALL(config-if)#ip address 10.16.74.1 255.255.255.0
Next, assign the LAN ports to the correct VLAN; in this case port 1 of the firewall will be on VLAN 1:
FIREWALL(config-if)#switchport access vlan 1
Lastly, configure the DHCP range and assign it to an interface. Configure two DNS servers, one internal and one external in case the internal one fails. Then enable DHCP on the inside interface:
FIREWALL(config)#dhcpd address 10.16.74.15-10.16.74.35 inside
FIREWALL(config)#dhcpd dns 10.16.74.10 22.214.171.124
FIREWALL(config)#dhcpd enable inside
To see which devices are receiving DHCP leases from the firewall, run the following command:
FIREWALL(config)#sh dhcpd binding
IP address Hardware address Lease expiration Type
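The post says the firewall and the servers are excluded from the pool, but nothing in the commands enforces that; a range typed one digit off silently hands out a server's address. The following added example (not part of the original post, not ASA code) parses lines in the style of the commands above and checks the pool against the inside interface's subnet, the firewall's own address, a list of reserved hosts and the DNS servers before dhcpd enable is issued. The firewall (10.16.74.1) and internal DNS server (10.16.74.10) addresses are the post's; the external DNS address 198.51.100.53 is a documentation-range placeholder, and the RESERVED list is constructed.

```python
import ipaddress
import re

# Constructed configuration lines in the style of the post's ASA commands.
SAMPLE_LINES = """\
ip address 10.16.74.1 255.255.255.0
dhcpd address 10.16.74.15-10.16.74.35 inside
dhcpd dns 10.16.74.10 198.51.100.53
dhcpd enable inside
"""

# Hosts that must never be handed out by the pool: the firewall itself and the servers.
RESERVED = ["10.16.74.1", "10.16.74.10"]


def parse_dhcp_config(lines):
    """Pull the inside interface, pool range, DNS servers and enabled interface out of the lines."""
    cfg = {"dns": []}
    for line in lines.splitlines():
        if m := re.match(r"ip address (\S+) (\S+)", line):
            cfg["interface"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif m := re.match(r"dhcpd address (\S+)-(\S+) (\S+)", line):
            cfg["pool"] = (ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2]))
            cfg["pool_if"] = m[3]
        elif m := re.match(r"dhcpd dns (.+)", line):
            cfg["dns"] = [ipaddress.ip_address(x) for x in m[1].split()]
        elif m := re.match(r"dhcpd enable (\S+)", line):
            cfg["enabled_if"] = m[1]
    return cfg


def pool_size(lines):
    """Number of addresses the pool can lease."""
    lo, hi = parse_dhcp_config(lines)["pool"]
    return int(hi) - int(lo) + 1


def validate(lines, reserved=RESERVED):
    """Return a list of problems; an empty list means the pool is safe to enable."""
    cfg = parse_dhcp_config(lines)
    iface, (lo, hi) = cfg["interface"], cfg["pool"]
    net = iface.network
    issues = []
    if lo > hi:
        issues.append("pool start is after pool end")
    if lo not in net or hi not in net:
        issues.append(f"pool is not inside the interface network {net}")
    if lo <= iface.ip <= hi:
        issues.append("pool includes the firewall's own address")
    for host in reserved:
        if lo <= ipaddress.ip_address(host) <= hi:
            issues.append(f"pool includes reserved host {host}")
    for dns in cfg["dns"]:
        if lo <= dns <= hi:
            issues.append(f"DNS server {dns} lies inside the pool")
    if cfg.get("enabled_if") != cfg.get("pool_if"):
        issues.append("dhcpd enable interface differs from the pool's interface")
    return issues


if __name__ == "__main__":
    print(pool_size(SAMPLE_LINES), "addresses; issues:", validate(SAMPLE_LINES))
```

The post's range passes cleanly with 21 leasable addresses; starting the same pool at 10.16.74.5 instead is caught twice, once because the internal server is inside the range and once because that server is also the DNS server clients are told to use.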
Cisco Catalyst switches include remote configuration options such as connecting through telnet, SSH and a web interface. If you are configuring a Cisco Catalyst switch but are uncomfortable with the Cisco command line interface (CLI), enabling configuration access through a web browser is a logical choice.
Things You'll Need
- Cisco Catalyst switch with telnet access enabled
- Privileged Exec mode password
- Telnet access password
- IP address of the Cisco Catalyst switch
- Microsoft Windows computer with Microsoft telnet client software installed
Instructions to Enable a Web Interface on a Cisco Catalyst
1. Click the "Start" button, then click the "Run" box (Windows XP) or click the "Search" box (Windows 7 or Vista). Type "cmd" in the "Run" or "Search" box, and then press the "Enter" key. The command line window will appear.
2. Type "telnet x.x.x.x" and substitute the IP address of the Cisco Catalyst switch for the "x.x.x.x," and then press the "Enter" key.
3. Type the password when requested to connect to the Cisco Catalyst.
4. Type "enable" and press the "Enter" key. Type the Privileged Exec password when requested, and press the "Enter" key.
5. Type "config t" and press the "Enter" key.
6. Type "ip http server" and press the "Enter" key.
7. Type "end" and press the "Enter" key.
The Cisco Catalyst 4500 switch is a mid-range modular chassis network switch manufactured by Cisco Systems. A Cisco Catalyst 4500 comprises a chassis, power supplies, one or two supervisors, line cards and service modules.
The Cisco Catalyst 4500 Series includes two series of Catalyst chassis: The Classic and newly launched E-Series chassis. The Classic and E-Series Catalyst 4500 chassis come in four sizes: 3-slot (4503-E), 6-slot (4506-E), 7-slot (4507R+E/4507R-E), and 10-slot (4510R+E/4510R-E).
The Cisco Catalyst 4500 Series Switches enable borderless networks, providing high performance, mobile, and secure user experience through Layer 2-4 switching investments. It enables security, mobility, application performance, video, and energy savings over an infrastructure that supports resiliency, virtualization, and automation.
Cisco 4500 Series Switches provide borderless performance, scalability, and services with reduced total cost of ownership and superior investment protection.
Key features you need to be clear on:
Performance and density:
* 848 Gbps fabric with 48 Gbps per slot delivers a 2.6x increase in performance over the previous generation
* Industry's highest PoEP port density with up to 240 ports of full 30 Watt PoEP
* Unprecedented layer 2 - 4 application visibility and control with Flexible NetFlow
* Only modular access platform that can guarantee Service Level Agreements with IP SLA
* Cisco TrustSec with 802.1ae (MACSec) hop-by-hop encryption and Security Group Tags (hardware-ready)
* Anomaly and malware prevention through predefined, policy-based responses with Flexible NetFlow
* End-to-end campus deployment with single software release and common sparing
Complete life cycle management: design, install, operations and upgrades:
* Simplified software licensing with a single image for LAN Base, IP Base and Enterprise Services software
* In Service Software Upgrades for industry-leading availability
* Zero-touch, intelligent provisioning through Auto SmartPorts, AutoInstall and AutoQoS
* Comprehensive automation with Cisco IOS Embedded Event Manager
* Proactive diagnostics and remediation with Cisco Smart Call Home
* Industry-leading power management with Cisco EnergyWise
Backward and forward compatibility:
* Industry-leading investment protection with more than 10 years of backward compatibility
* The benefits of Supervisor 7-E without line card upgrades
More details related to Cisco 4500 switches
Catalyst 4500 Line Cards
The Cisco Catalyst 4500 Series offers two classes of line cards: classic and E-Series. Classic line cards provide 6 gigabits of switching capacity per slot. E-Series line cards increase the per slot switching capacity to 24 gigabits.
Cisco 4500 switch power supplies
The Cisco 4500 is able to deliver high densities of Power over Ethernet across the chassis. Due to this, power supplies are a key element of configuration. The Cisco Catalyst 4500 E-Series offers AC power with several internal supplies: 1000W (data only), 1400W (data only), 1300W (data and PoE), 2800W (data and PoE), 4200W (data and PoE), and 6000W (data and PoE).
The Cisco Catalyst 4500 E-Series has two DC power options—one is optimized for data-only deployments in service provider central offices (part number PWR-C45-1400DC), and the other is used for high-power PoE deployments (PWR-C45-1400DC-P).
The Catalyst 4500 currently runs the Cisco IOS operating system.
Why Cisco 6500 Series is here to stay?
Tried and true isn't a descriptor awarded lightly. It's earned only after emerging battle-hardened from the front lines. It doesn't matter if you're the only survivor of the super-soldier program, or the flagship switch in the armada that is Cisco - history speaks for itself. For just a moment let's take a quick look at that history.
The Cisco 6500 debuted in 1999, at the end of a decade that brought us legends such as Pogs, Street Fighter 2 and the Macarena. Even the popularity of the internet was only beginning to catch on.
We began with the Supervisor 1 and its 32gb switch fabric. Next, we graduated to the Supervisor 2, still at 32gb but with the ability to go to 256gb with the switch fabric module. Then we got the Supervisor 720. The 720 introduced 720gb switch fabrics, and then eventually VSS (Virtual Switching System), which expanded even further, up to 1.4Tbps!
Now, Cisco has debuted the Supervisor 2T, which raises the upper limit to 2Tbps and doubles the per-slot bandwidth from 40gb to 80gb!
In addition to the newer supervisor engines, the chassis has also evolved. Now with the E series chassis, the Cisco Catalyst 6500 is capable of supporting the larger wattage power supplies and the newer supervisors and line cards. While it looks the same, these subtle differences help push the platform into the next generation.
What does that mean for the future of the Cisco 6500 platform?
Well with the announcement of new non-blocking 10gb cards and mention of 40gb support coming, it means that the Cisco 6500 series is here to stay. Some are saying it's here to stay for another 10 years. Bold words from an already aging platform. However, I'm reminded of the old adage "if it ain't broke, don't fix it." The Cisco 6500 switch was built around the idea of expandability, and dependability. It has proven itself time and again in both arenas.
So what does this mean for people who purchase pre-owned network hardware or are interested in the Catalyst 6500 switches? It means that purchasing a Cisco 6500 is an investment, and a wise one at that.
For people that already have the platform? They can continue to grow as needed, and as their companies and organizations grow. A recent Network World article mentioned that Cisco says it has 25,000 customers for the Catalyst 6500 and 700,000 chassis installed worldwide. That same article quoted John McCool, senior vice president and general management of Cisco's core technology group, saying: "We'd be silly to walk away from that installed base and loyal set of customers."
Knowing that Cisco is continuing to develop for the 6500 platform is peace of mind that your budget dollars were spent well. In addition, new cards and expansions mean price drops and pre-owned market availability for current cards like the Supervisor 720s and 6700 series line cards in the not too distant future.
Cisco engineers like me are ready and willing to help you talk through your 6500 growth, and the needs and requirements that come along with it. We can help you navigate the sometimes slippery slope of your network hardware upgrades and save you time and money along the way. We'd be happy to chat more in depth on the topic!
All things considered, the best just keeps getting better. The Cisco 6500 is here to stay and no one should feel bad about having this shield-slinging super-hero anywhere in their network. After all, it takes a veteran to show the new guys the ropes.
Comments from some Cisco fans:
It still has its uses, but IMHO the highly oversubscribed, high latency networking architectures of the past won't make sense in the modern Data Center, even at the access layer. Just look at newer Cisco products like the 5548, let alone even higher density products from companies like Force10, Juniper, Brocade and Arista: they have substantially higher densities, substantially lower cost per port and substantially better performance across the board. Not to mention that they all use a tiny fraction of the power and space and emit a tiny fraction of the heat.
Art Fewell: Even re-purposing this box in the campus has limited utility because of the power, space and heating requirements. Given that the price of 10gig is coming down drastically (on other platforms) and most campus access switches come with 10gig uplinks, many enterprises are upgrading their campus cores to support higher densities of 10gig. Other platforms can support 64 10gig ports in 1 rack unit with, again, a small fraction of the overhead costs. These newer platforms have such a lower cost basis that even used 6500s are substantially more expensive. Even keeping an existing 6500 often costs much more in overhead than purchasing newer, higher density equipment.
Jason: The Cisco 6500 is like the C-130 of network devices. It does the heavy lifting of being the core router or switch of any enterprise, or simply aggregating multiple devices at the edge of the network. I think the reason it will go on for another decade is the service modules, like ACE, NAM, VPN, FWSM, AIP etc... I think without these modules, having a 6500 in an SMB would have been overkill.... The idea of integrating modules in the 6500 is the main life saver of this legendary network ANVIL.
Ali_A: I have been working with the C6500 since 2000. Great product with great features. You can do whatever you want with the switch: it can be your service chassis switch, campus, core, … . I always love them and am happy to hear that Cisco has a plan to support them (maybe) for another decade. The C6500 has shown its stability and versatility on the battlefield. I still have a C6500+SUP-2 with FWSM installed as a datacenter service chassis with no problems and constant software updates (the SUP-2's last software update was in 2010, even though the device is EOS), which makes the product survive longer. Also the great blueprints, design guides and Cisco SAFE for the C6500 make everything straightforward when you want to deploy the switch in a scenario, easier and without the risk of a wrong deployment or downtime.
Static routes, while manually intensive to keep up, are a very quick and effective way to route data from one subnet to a different subnet. Let's start with the basics.
What is a static route?
- a static route is a hard coded path in the router that specifies how the router will get to a certain subnet by using a certain path.
What do you mean by "hard coded"?
- you or someone has typed in the network ID and the next hop to get to the network specified
How do I add a static route into my Cisco router?
- Pretty simple
router#config t   ! enter global configuration mode
router(config)#ip route A.B.C.D (destination network/host) A.B.C.D (mask) A.B.C.D (next hop)   ! a simple static route
Are there any other ways to name the next hop except by using an IP address?
- Yes, you can use the interface name instead, i.e. ethernet0, E0, S0 and so on.
What is "distance metric" that I can add at the end of the command?
- All routes have a value (the administrative distance) that lets the router decide which source of routing information takes priority. For static routes the value is 1, which means that no matter what other protocol you may have running, like OSPF or RIP, the static route will always be used first. This can be changed for special needs. For example, if you have a frame relay link with ISDN backup, you can configure static routes for the frame relay link and a second set of the same static routes but with a distance metric of 255. This means that while the frame relay link is up, it is used first, but when it goes down, the router will try to use the second static route, which is normally ignored because of the 255 value.
Why do I want to use static routes when there are neat routing protocols like OSPF?
- Static routes are easy, with no overhead on the link or on the CPU of the router. They also offer good security when coupled with a tight mask like 255.255.255.252, which gives only 2 hosts on a given link.
If static routes are so easy, why not use them all the time?
- Static routes, while easy, can be overwhelming in a large or complicated network. Each time there is a change, someone must manually update the routes to reflect it. If a link goes down, the router will not discover a second path on its own, even if one exists; it simply treats the destination as unreachable.
One of the most common uses of a static route is the default classless route:
- ip classless
- ip route 0.0.0.0 0.0.0.0 [next hop]
This static route says that everything not otherwise known is remote and should be forwarded to the next hop (or supernet), which will take care of the routing.
Dial-on-demand routing is also a big user of static routes. Many times with dial-up or ISDN, you do not have the bandwidth, or you do not want to pay the connection fees for routing updates, so you use static routes.
Static routes allow you to set up load balancing, after a fashion. Keep in mind that IOS load balances across routes first, not across interfaces. The easiest way to configure multiple routes on the same interface is to use a secondary IP address:
interface serial 0
ip address 192.0.0.1 255.255.255.0
ip address 192.0.0.2 255.255.255.0 secondary   ! second route on same interface
interface serial 1
ip address 126.96.36.199 255.255.255.0
ip address 188.8.131.52 255.255.255.0 secondary
ip route 184.108.40.206 255.255.255.0 220.127.116.11   ! goes to serial 0
ip route 18.104.22.168 255.255.255.0 22.214.171.124   ! goes to serial 0
ip route 126.96.36.199 255.255.255.0 188.8.131.52   ! goes to serial 1
interface ethernet 0
ip address 184.108.40.206 255.255.255.0
interface serial 0
ip address 220.127.116.11 255.255.255.0
ip address 18.104.22.168 255.255.255.0 secondary
interface serial 1
ip address 22.214.171.124 255.255.255.0
ip address 126.96.36.199 255.255.255.0 secondary
The traffic would go out of router 1 across the two IPs on serial 0 first, then across the one IP on serial 1. This gives you unequal load balancing.
Notes: This is just the basics of static routing. You can get very creative if you want and take things further than described here. I would suggest "Routing TCP/IP Vol 1" from Cisco Press for more information.
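The rules this post relies on (a static route wins with distance 1, a second copy with a higher distance only takes over when the first one's link is gone, 0.0.0.0/0 catches everything else, and several equal routes to one prefix are load-shared per route rather than per interface) can be seen working in the added example below. It is not part of the original post and not IOS code; it models the selection logic only. All addresses, interface names and the backup distance of 250 are constructed for the example, and the 10.0.x.x next hops play the role of the primary and secondary addresses on the serial links above.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    prefix: str        # destination network, e.g. "172.16.0.0/16" or "0.0.0.0/0"
    next_hop: str      # next-hop address
    interface: str     # interface through which the next hop is reached
    distance: int = 1  # administrative distance; static routes default to 1


class Router:
    """Minimal model of how IOS chooses among static routes (constructed example)."""

    def __init__(self):
        self.routes = []
        self.link_up = {}

    def add_route(self, route):
        self.routes.append(route)
        self.link_up.setdefault(route.interface, True)

    def set_link(self, interface, up):
        self.link_up[interface] = up

    def installed(self):
        """Routes in the routing table: interface up and, per prefix, only the lowest
        distance. A floating static with a higher distance stays out until every
        lower-distance route for that prefix is gone."""
        by_prefix = {}
        for r in self.routes:
            if self.link_up.get(r.interface, False):
                by_prefix.setdefault(r.prefix, []).append(r)
        table = []
        for candidates in by_prefix.values():
            best = min(c.distance for c in candidates)
            table.extend(c for c in candidates if c.distance == best)
        return table

    def lookup(self, destination):
        """Longest-prefix match; 0.0.0.0/0 matches whatever nothing else does."""
        addr = ipaddress.ip_address(destination)
        matches = [r for r in self.installed() if addr in ipaddress.ip_network(r.prefix)]
        if not matches:
            return []
        longest = max(ipaddress.ip_network(r.prefix).prefixlen for r in matches)
        return [r for r in matches if ipaddress.ip_network(r.prefix).prefixlen == longest]

    def next_hops(self, destination):
        return sorted(r.next_hop for r in self.lookup(destination))

    def load_share(self, destination):
        """How many of the equal routes leave through each interface: the post's
        'two on serial 0, one on serial 1' unequal split."""
        return dict(Counter(r.interface for r in self.lookup(destination)))


def build_router():
    r = Router()
    # primary path over the frame relay link, floating static over the ISDN backup
    r.add_route(StaticRoute("172.16.0.0/16", "10.0.0.2", "Serial0", 1))
    r.add_route(StaticRoute("172.16.0.0/16", "10.9.9.2", "BRI0", 250))  # 250: constructed higher distance
    # three equal-distance routes: two next hops on Serial0 (primary and secondary
    # address), one on Serial1
    r.add_route(StaticRoute("192.168.50.0/24", "10.0.0.2", "Serial0"))
    r.add_route(StaticRoute("192.168.50.0/24", "10.0.1.2", "Serial0"))
    r.add_route(StaticRoute("192.168.50.0/24", "10.0.2.2", "Serial1"))
    # default classless route
    r.add_route(StaticRoute("0.0.0.0/0", "10.0.0.2", "Serial0"))
    return r


if __name__ == "__main__":
    r = build_router()
    print("172.16.5.1 ->", r.next_hops("172.16.5.1"), "share:", r.load_share("192.168.50.7"))
    r.set_link("Serial0", False)
    print("Serial0 down, 172.16.5.1 ->", r.next_hops("172.16.5.1"), "default:", r.next_hops("203.0.113.9"))
```

With Serial0 up, 172.16.5.1 goes to the frame relay next hop and 192.168.50.0/24 is shared 2:1 between Serial0 and Serial1. Taking Serial0 down brings the BRI0 route into the table, but it also removes the default route, which is the point of the "if a link goes down" answer above: nothing replaces a static route unless you configured the replacement in advance.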
Functions of a Network Switch
A switch is a device used at the access layer (OSI Layer 2); it connects multiple hosts (PCs) to the network.
Unlike a hub, a switch forwards a message to a specific host. When any host on the network or a switch sends a message to another host on the same network or same switch, the switch receives and decodes the frames to read the physical (MAC) address portion of the message.
Forwarding Frames by MAC Address
When a message is sent between hosts on a network or the same switch, the switch checks its MAC address table for the destination address. A switch's MAC address table lists the active ports and the MAC addresses of the hosts or PCs attached to them. If the destination MAC address is not found in the table, the switch does not have the information it needs to forward the message to a single port. When the switch cannot determine where the destination host is located, it floods the message out to all attached hosts. Each host compares the destination MAC address in the message to its own MAC address, but only the host with the matching address processes the message and responds to it.
How Switches Learn MAC addresses
A switch builds its MAC address table by examining the source MAC address of each frame that is sent between hosts. When a new host sends a message or responds to a flooded message, the switch immediately learns its MAC address and the port to which it is connected. The table is dynamically updated each time a new source MAC address is read by the switch. In this way, a switch quickly learns the MAC addresses of all attached hosts.
A switch prevents collisions by providing a circuit between the source and destination ports. This circuit provides a dedicated channel over which the hosts connected to the various ports on the switch can communicate. Each port is allocated its own bandwidth; these separate circuits allow many conversations to take place at the same time without collisions occurring.
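The learning and flooding behaviour just described, as an added example that is not part of the original post and not vendor code: a small switch model learns source addresses per ingress port, forwards to a single port once the destination is known and floods otherwise. It goes one step beyond the text by accepting a per-port maximum, which models the port security "maximum 1" and "violation shutdown" settings from the first post on this page: a port that sees more source addresses than allowed is disabled and learns nothing further. Port names and MAC addresses are constructed; 0060.5c4b.cd22 and 00e0.f7b0.086e are the two addresses that appear in the port security example above.

```python
BROADCAST = "ffff.ffff.ffff"


class LearningSwitch:
    """Constructed model of a switch's MAC address table (not vendor code)."""

    def __init__(self, ports, max_per_port=None):
        self.ports = list(ports)
        self.max_per_port = max_per_port   # None: learn without limit
        self.table = {}                    # MAC -> port it was last seen on
        self.err_disabled = set()          # ports shut down by a violation

    def _learned_on(self, port):
        return sum(1 for p in self.table.values() if p == port)

    def receive(self, in_port, src, dst):
        """Process one frame; return the list of ports it is forwarded out of."""
        if in_port in self.err_disabled:
            return []
        if (src not in self.table and self.max_per_port is not None
                and self._learned_on(in_port) >= self.max_per_port):
            # a new source beyond the configured maximum: the post's
            # 'violation shutdown' behaviour
            self.err_disabled.add(in_port)
            return []
        self.table[src] = in_port          # learn, or refresh if the host moved
        if dst == BROADCAST or dst not in self.table:
            # unknown destination: flood to every other active port
            return [p for p in self.ports if p != in_port and p not in self.err_disabled]
        out = self.table[dst]
        return [] if out == in_port else [out]


if __name__ == "__main__":
    sw = LearningSwitch(["Fa0/1", "Fa0/2", "Fa0/3"])
    print(sw.receive("Fa0/1", "0000.0000.00aa", "0000.0000.00bb"))  # unknown: flooded
    print(sw.receive("Fa0/2", "0000.0000.00bb", "0000.0000.00aa"))  # known: single port
    print(sw.table)
```

The first frame is flooded because the switch has not yet seen the destination; the reply is sent to a single port because the first frame taught the switch where that address lives. With max_per_port=1 the second distinct source on a port disables it instead of being learned, which is what keeps a single access port from filling the table with addresses it should never see.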
Main Types of Switches
Fixed configuration switches:-
These types of switches are fixed in their configuration. What that means is that you cannot add features or options to the switch beyond those that originally came with the switch. The particular model you purchase determines the features and options available. For example, if you purchase a 24-port gigabit fixed switch, you cannot add additional ports when you need them. There are typically different configuration choices that vary in how many and what types of ports are included.
These types of switches offer more flexibility in their configuration. Modular switches typically come with different sized chassis that allow for the installation of different numbers of modular line cards the line cards actually contain the ports. The line card fits into the switch chassis like expansion cards fit into a PC. The larger the chassis, the more modules it can support.
Stackable switches:-
Stackable switches can be interconnected using a special backplane cable that provides high bandwidth between the switches. Cisco introduced StackWise technology in one of its switch product lines. StackWise allows you to interconnect up to nine switches using fully redundant backplane connections. As you can see in the figure, switches are stacked one atop the other, and cables connect the switches in daisy-chain fashion. The stacked switches effectively operate as a single larger switch. Stackable switches are desirable where fault tolerance and bandwidth availability are critical and a modular switch is too costly to implement. Using cross-connected connections, the network can recover quickly if a single switch fails. Stackable switches use a special port for interconnections and do not use line ports for inter-switch connections. The speeds are also typically faster than using line ports to connect switches.
Layer 3 switches:-
Layer 3 switches were conceived as a technology to improve on the performance of routers used in large local area networks (LANs) such as corporate intranets. The key difference between Layer 3 switches and routers lies in the hardware technology used to build the unit. The hardware inside a Layer 3 switch merges that of traditional switches and routers, replacing some of a router's software logic with hardware to offer better performance in some situations.
Layer 3 switches often cost less than traditional routers. Designed for use within local networks, a Layer 3 switch will typically not possess the WAN ports and wide area network features a traditional router will always have.
Discussion: Router vs. Layer 3 Switches (from Cisco learning home)
Q: As we all know, a Layer 3 switch can perform the routing tasks if routing is enabled. But I've some questions regarding this:
1. What is the main difference between these two?
2. What is the choosing criteria between these two, i.e. when should I use which one? What about the cost effects?
3. Why is a router needed if Layer 3 switches exist?
Re1: L3 switches do not have WAN interfaces.
You can connect Ethernet circuits to a switch, so you only need a router if you want to connect traditional circuits such as E1 E1 SDH or old technology such as X21 V35 or async circuits. As far as I know, Call Manager Express does not run on a switch but does on a router. Switches support Wi-Fi controllers and firewalls, so they are quite powerful. So you need to understand the business requirement before deciding router or switch. Also, routers can include switch modules.
Re2: If it routes, it's a router.
L3-switch is a marketing term. It's a router with only Ethernet interfaces and lots of them. It also has a switching function to it. Which makes it both a router and a switch? The differences will vary based on model. It depends... Cost varies as well, everywhere from inexpensive to very expensive! And truly there isn't a "need". You need an L3 device of some sort to exit your subnet. How you design that, or what specific piece you use is entirely up to you.
Re3: Traditionally, routers were devices that connected the LAN to the WAN, and switches were just LAN devices, and you might add a Layer 3 switch to the LAN if you had some VLANs and didn't want to use a router.
However, as technology changes, the traditional split between WAN and LAN is fading. My "WAN" links are actually 1 gig single-mode fiber circuits that terminate on an Ethernet fiber interface of a Layer 3 switch: a 6500, 4500, 3750 or even a 3560. Now some will say that I have a MAN with those kinds of links. It seems that, as Scott said, Cisco Marketing is still stuck on calling a router a device that terminates a traditional WAN link. I do agree that if the device routes, it is a router.... to some degree.
One thing I did notice regarding routers and Layer 3 switches, and I will admit that router model and IOS version may play very heavily into this, is that routers seem to support more traffic monitoring features, such as NetFlow and NBAR, whereas Layer 3 switches don't seem to have that kind of support.... until you get to the 6500.
Re4: Technically, the differences are:
1- L3 switches do switching at layer 3 by preserving the source and destination MAC and preserving the TTL value of the IP header of the first routed packet, so the first packet is routed using a normal routing lookup, but after that all packets are switched.
2- Routers do a normal routing lookup, but with the introduction of fast switching and CEF, packets are now also switched on a router.
3- Switches don't support some QoS features.
4- Switches don't support NAT.
5- Forwarding on switches is done on ASICs (Application Specific Integrated Circuits), i.e. in hardware rather than in software.
6- Forwarding on routers is done in software.
7- Routers support different WAN technologies (modules), unlike switches.
Re5: I was just thinking about this. I didn't learn about Layer 3 switches until the bcmsn. I know in CCNA they were still really pushing the router vs switch concept. Talk about throwing a monkey wrench into things when you throw in the concept of Layer 3 switch.
So to review:
1. A pure router will do just that, typically no switch ports; in today's Cisco world I don't even know if they make one of these. Wouldn't that be something like an ASA with 1 or (2) 100 mb or gig ports with a serial port or similar?
2. A switch will just allow connections to edge devices, a true layer 2 switch like a 2960. Int vlan is what allows management of the switch at layer 3. No routing between VLANs; this is where router on a stick comes into play.
3. A layer 3 switch integrates both abilities, but it depends on the model how integrated and featurific it is. Will it support NetFlow? Will it route between VLANs? If you do a show ip route, what will be displayed? How does it implement VLANs, is it the traditional vlan.dat file or will it do it the switching way with show vlan? -- The simplest true layer 3 switch will support all switching features, but have the ability to do routed ports and route between the VLANs. I have had an Integrated Services Router like a 1760 or 3725 or similar where they had a small switch module, say 4-24 (100).
The definition of a layer 3 switch also may include the ability for a port to be either a routed port or a switched port, the commands switch port vs no switch port followed by having to assign it an ip address.
This is another point that also took some getting used to: a port that can be either layer 2 or layer 3, or strictly layer 3 or layer 2. For example, a router can only do layer 3, so to do inter-VLAN routing while connecting to another switch via a trunk port you have to give it sub-interfaces on a physical port, give each one its own IP address and tag it with encapsulation dot1q #. Router on a stick, vs. the switchport mode trunk command with layer 3 interfaces via "int vlan 1" with an IP address assignment.
While I understand the CCNA approach to teaching fundamentals and where things started, it no doubt confuses someone, especially when a question asks about the differences between a hub/switch/router. In today's world, hubs don't really exist, and in a large company odds are you're going to be using a layer 3 switch.
Re6: Not sure that is accurate. I think most layer 3 switches can handle BGP, but to what extent? Full tables? Probably not. Dishing out money for 2 Cisco 2821's or Cisco 2921's is going to be way cheaper than purchasing another Cisco 6500 for our network....not to mention our Catalyst 6500 already does a lot of work...and now I am going to throw BGP at it....AH it would just shut off and give me the middle line card!