A switch is a hardware device that filters and forwards network packets from one device to another. Data is processed in the network layer by switches. They receive data and forward it to the destination device. Routing functions are combined in the switches’ network layer so that data processing can be done quickly. Switches operate mainly in the LAN, where the data is received and processed. The switch also prevents loops from being created while it forwards data packets. It is used as a controller.

A switch is a layer 2 device used to forward packets from one device to another within the network. It delivers the packet through one of its ports on the basis of the destination MAC address and the entry in the MAC table.

What is the meaning of switching?

Switching means that the device (router or switch) receives the data on a certain port and forwards it to the appropriate port.

Difference between a Bridge and a Switch:

| Bridge | Switch |
|---|---|
| Max Port: 16 | Max Port: 256 |
| Forwarding decisions are based on software | Forwarding decisions are based on hardware ASIC (faster than a bridge) |
| A bridge may not have a buffer. | A switch has buffers. |

Difference between Router and Switch:

| Parameters | Router | Switch |
|---|---|---|
| Operating Layer | A typical router operates at the third layer (Network) of the OSI model. | Switches in a network operate at the second layer (Data Link Layer) of the OSI model. |
| Services Offered | A router can easily offer QoS, NetFlow, and NAT services. | A switch does not offer any such services. |
| Maintenance of Addresses | A router stores IP addresses in its routing table and maintains its own address. | A switch stores MAC addresses in its lookup table and maintains its own address. But in this case, a switch can easily learn the MAC addresses. |
| Ports | It is a networking device with 2/4/8 ports. | It is a type of multi-port bridge with 24/48 ports. |
| Duplex | It is less duplex in nature. | It is full-duplex in nature. Thus, no collision occurs here. |
| NAT | It can easily perform NAT. | It cannot perform NAT. |
| Speed Limit | It has a speed limit of about 1-10 Mbps (Megabytes per second) for a wireless connection and 100 Mbps in the case of a wired connection. | It has a speed limit of about 10/100 Mbps. |
| Routing Decision | A router helps its users make faster routing decisions. | A switch will more likely take a routing decision which is way more complex. |
| Broadcast Domain | Every port in a router contains a broadcasting domain of its own. | A switch contains a broadcasting domain of its own except the implemented VLAN. |
| Faster Performance | In the case of various network environments (like WAN/MAN), a router will work much faster than the switches. | A switch can work comparatively faster than a router when deployed in a LAN environment. |
| Type of Addresses | The operations of a router revolve around the IP addresses. | In the case of switches, they work with the MAC addresses. It is because these operate within a single network only. |
| Wiring of Connections | It can easily work with both wireless and wired situations of a network. | The uses of a switch are confined to only wired network connections. |

Access levels and modes

There are several Cisco access levels and modes that allow you to run different commands. You can learn more about each mode in the Cisco IOS command hierarchy, but the table below is a reference for our examples.

| Cisco Mode | What the prompt looks like | Command to enter from upper-level mode | Command to exit to upper-level mode |
|---|---|---|---|
| EXEC | Switch> | Default mode | logout or exit |
| Privileged EXEC (access from EXEC) | Switch# | enable | disable |
| Global configuration (access from Privileged EXEC) | Switch(config)# | config t | CTRL/Z |
| Interface configuration (access from global configuration) | Switch(config-if)# | interface <interface name> | exit |
| Line level configuration (access from global configuration) | Switch(config-line)# | line <line name/number> | exit |

How to configure a network switch

Now that you know the basics, we can move on to the commands. Here, we’ll walk through 10 of the most important basic network switch configuration steps.

While any particular production deployment will likely require specific additional steps (e.g. for additional hardening and user management), these commands will help you hit the ground running.

Step 1: Connect to the console

If you’re labbing with a simulator/emulator or accessing the CLI via SSH, you can skip this step.

You need to start with a connection to the console port. That means configuring your terminal emulator software and connecting your rollover cable between your switch’s console port and your PC.

Many Cisco switches use these serial settings:

  • Baud rate: 9600
  • Data bits: 8
  • Stop bits: 1
  • Parity: None

Assuming your PC’s serial port is COM1, if you use PuTTY on Windows, you can set the session up with the settings above under the “Serial” options in the menu.

Once your cable is connected and the session is set up, click Open. Then press Enter to get a response in the terminal window.

Step 2: Set a management IP and default gateway

The management IP address is where you can log in to the switch for future administrative tasks. Once your management IP is set up, you can use it to SSH into the switch and configure it over the network.

First, we access Privileged EXEC mode with the “enable” switch configuration command:

Switch>enable
Switch#

From there, we enter Global Configuration mode with “config t” (or “configure terminal”):

Switch#config t
[Enter configuration commands, one per line. End with “CNTL/Z”.]
Switch(config)#

Next, we access the VLAN interface:

Switch(config)#interface vlan 1
Switch(config-if)#

Now, we can assign the management IP and subnet. In this example, I’ll assign 192.168.7.11 with a 255.255.255.0 subnet. Be sure to replace that with the correct values for your switch!

Switch(config-if)#ip address 192.168.7.11 255.255.255.0
Switch(config-if)#

We can exit interface configuration mode and assign a default gateway for the switch from global configuration mode.

Switch(config-if)#exit
Switch(config)#ip default-gateway 192.168.7.1
Switch(config)#

Step 3: Set hostname and domain name

In addition to setting the IP address of the switch, you should give it a logical hostname. To do that, we enter global configuration mode and use the hostname command:

Switch(config)#hostname YoungsterCompany
YoungsterCompany(config)#

Similarly, we can also add a domain name with the ip domain-name command:

YoungsterCompany(config)#ip domain-name cafeJohnny.local
YoungsterCompany(config)#

Step 4: Set logins on VTY lines and console port

Strong passwords are an important part of hardening a managed switch, so next, we’ll add a password to all virtual terminal (VTY) lines. Our switch has 16 VTY lines which are used for remote access, so we’ll configure the entire range from 0-15:

YoungsterCompany(config)#line vty 0 15
YoungsterCompany(config-line)#password BigSecretDon'tT3ll@ny1
YoungsterCompany(config-line)#

Next, we’ll exit the VTY configuration, access console line 0, and assign it a separate password:

YoungsterCompany(config-line)#exit
YoungsterCompany(config)#line console 0
YoungsterCompany(config-line)#password BigSecretForConsoleDon'tT3ll@ny1
YoungsterCompany(config-line)#

Step 5: Set Privileged EXEC password

In addition to password protecting the VTY and console lines, we can and should protect Privileged EXEC mode with a password.

We can do that from global configuration mode:

YoungsterCompany(config-line)#exit
YoungsterCompany(config)#enable secret Top$ecretPrivEXECpassWORD
YoungsterCompany(config)#

Note: Because switch security is a complex topic, and we’re focused on the basics, we won’t go into user management here. However, be sure to properly configure users or remote authentication servers before production deployment.

Step 6: Enable SSH

At some point, you’ll find yourself in need of access to your network devices, and you’re not physically in the same room as them. To access a switch’s CLI over the network, you’ll need to use Telnet or SSH. From a security perspective, Telnet is usually a non-starter because data is transmitted in plaintext. That leaves us with SSH.

The first step to enabling SSH is generating the RSA keys:

YoungsterCompany(config)#crypto key generate rsa
The name for the keys will be: YoungsterCompany.cafeJohnny.local
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. 
Choosing a key modulus greater than 512 may take a few minutes.

How many bits in the modulus [2048]:
% Generating 2048-bit RSA keys, keys will be non-exportable...[OK]

YoungsterCompany(config)#

Next, we’ll set the SSH version to 2:

YoungsterCompany(config)#ip ssh version 2
*Mar 4 7:4:9.374: %SSH-5-ENABLED: SSH 1.99 has been enabled
YoungsterCompany(config)#

Now, we can set SSH up on specific VTY lines. I’ll use the first 6 lines here:

YoungsterCompany(config)#line vty 0 5
YoungsterCompany(config-line)#transport input ssh

Finally, we’ll tell the switch to check the local users’ database to authenticate users. This only works once at least one local user exists on the switch (see the note in Step 5):

YoungsterCompany(config-line)#login local
YoungsterCompany(config-line)#

Step 7: Create VLANs

One of the most obvious reasons to use a managed switch is the ability to create VLANs to separate network segments. We can do that by using the vlan command and then assigning our VLAN a name. For example, to create VLAN 2 and name it “cafe”:

YoungsterCompany(config-line)#vlan 2
YoungsterCompany(config-vlan)#name cafe
YoungsterCompany(config-vlan)#

You can now exit, and repeat these steps for as many VLANs as you need.

Step 8: Add access ports to a VLAN

After we create our VLANs, we can add ports to them. For example, to add ports 5, 6, and 7 as access ports in VLAN 2, we can use these switch configuration commands:

YoungsterCompany(config-vlan)#exit
YoungsterCompany(config)#interface range fastEthernet 0/5-7
YoungsterCompany(config-if-range)#switchport mode access
YoungsterCompany(config-if-range)#switchport access vlan 2
YoungsterCompany(config-if-range)#

Step 9: Configure trunk ports

If you need one port to transmit traffic from multiple VLANs, you’ll need to designate it a “trunk port”. To make a port a trunk port, we simply access its configuration and set the mode to trunk. For example, to make port 2 on our switch a trunk port:

YoungsterCompany(config-if-range)#exit
YoungsterCompany(config)#interface fastEthernet 0/2
YoungsterCompany(config-if)#switchport mode trunk
YoungsterCompany(config-if)#

Step 10: Save configuration

When our configuration is complete, we can save our changes to the startup configuration. Don’t forget this step, or all your work will be gone come the next switch reboot!

YoungsterCompany(config-if)#exit
YoungsterCompany(config)#exit
YoungsterCompany#
%SYS-5-CONFIG_I: Configured from console by console

YoungsterCompany#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
YoungsterCompany#
