Today I am looking at basic switching and switch operation.
But First …
It is good to add a reminder at this point that we are working exclusively with Ethernet when it comes to switches. Another point worth mentioning is this: I am sure you have a home network, likely with a wireless router. That router probably has some switch outputs (home units are router, switch and wireless access point in one), and one of those outputs is for upstream traffic; i.e. the WAN connection to the DSL or cable modem. If you have some Cisco switches, you’ll notice that they don’t really have an ‘upstream’ connection.
This is in part due to the home router being a 3 in 1 device (so the upstream port is essentially the router Ethernet port) but also, your Cisco switch is configurable. You can form trunks with multiple Ethernet ports to create upstream ports if such a thing is required, or in some cases, special high speed ports are a part of the switch, and they can be designated or configured as upstream.
Switch Port modes
Switch ports can be configured into several modes:
- Shutdown – This should be the default mode if the port is not being used
- Trunking – trunking will be covered in a later post
- Access – access mode is for connecting to hosts
- Error disabled – a shutdown mode created by a security violation
We can set the mode as follows:
s2950(config)#int fast 0/4
s2950(config-if)#switchport mode ?
access Set trunking mode to ACCESS unconditionally
dynamic Set trunking mode to dynamically negotiate access or trunk mode
trunk Set trunking mode to TRUNK unconditionally
Generally we don’t use Dynamic as that is a security risk.
Side note: Dynamic trunking waits for another switch port to be connected to it via a cable, and then trunks with it. This exposes all of your VLANs to the second switch. If this is a rogue switch, you have just opened your network to it.
Basic Switch Security
There are a number of things we can do to keep our networks secure. In this post, we will be looking at some switch basics. Switches can be vulnerable as they are on the edge of the network, allowing users and undesirables alike to connect. How do we prevent the undesirables?
- Lock up your server room – basic but overlooked
- Unused VLAN – put unused ports in an unused VLAN rather than VLAN 1
- Use the shutdown command to close unused ports
- Prevent the port from trunking with the switchport mode access command
- Ports that are not in use stay in a blocking (shut down) state rather than forwarding traffic
We can secure our ports as mentioned above by shutting them down, but what about the ports we need to keep open? In this case we can use port security, which is based on MAC address. If the source MAC address is wrong, the port will drop the frames, shut down, or just log that there is a problem, depending on how it is configured.
To set up port security, let’s first open up a port in access mode.
int fast 0/4
switchport mode access -- puts the port into access mode
switchport port-security -- enables port security
So what options does port security give us?
s2950(config-if)#switchport port-security ?
aging Port-security aging commands
mac-address Secure mac address
maximum Max secure addresses
violation Security violation mode
Use the mac-address option to define a secure MAC address (or several secure MAC addresses).
maximum is the maximum number of ‘secure’ MAC addresses allowed on the port (the default is one). If we don’t configure an address ourselves, the port learns the first MAC address it sees as the secure address.
violation describes the action the port takes once a violation has occurred.
s2950(config-if)#switchport port-security violation ?
protect Security violation protect mode
restrict Security violation restrict mode
shutdown Security violation shutdown mode
- shutdown is the default and shuts the port down. It drops the violating frames and puts an entry in the system log file.
- restrict drops the violating frames and logs the issue, but does not shut the port
- protect just drops the frames.
Let’s assume we have a switch in a small office with a number of hosts attached. We can configure each host port as follows:
switchport mode access -- enables access mode
switchport port-security -- enables security
switchport port-security mac-address sticky -- automatically selects the first mac address as secure
switchport port-security maximum 1 -- only 1 secure mac address
switchport port-security violation shutdown -- shuts the port in case of violation
no shutdown -- opens the port
As the switch powers up or the hosts are connected, the security parameters are satisfied, and the hosts are able to connect to the WAN.
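The configuration above is easy to apply to one port and easy to forget on the next. As an added example that is not from the original post, here is a small Python audit that reads an IOS-style running-config and flags interfaces that break the rules given in this post: dynamic trunking mode, access ports without port-security, and unused (shut down) ports left in VLAN 1. The running-config text is constructed for the example; the interface names and VLAN 999 are just sample values.

```python
from typing import Dict, List, Optional

# Constructed sample running-config (not taken from a real switch).
# Fa0/1 follows the post's recipe, Fa0/2 and Fa0/3 contain the mistakes
# the post warns about, and Fa0/4 is a correctly parked unused port.
SAMPLE_RUNNING_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
interface FastEthernet0/2
 switchport mode dynamic desirable
!
interface FastEthernet0/3
 switchport mode access
!
interface FastEthernet0/4
 switchport access vlan 999
 shutdown
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split a running-config into {interface name: [its indented command lines]}."""
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any other top-level line ends the block
    return interfaces


def audit_interface(lines: List[str]) -> List[str]:
    """Return a list of findings for one interface; empty means it passes."""
    findings: List[str] = []
    mode_line = next((l for l in lines if l.startswith("switchport mode ")), None)
    mode = mode_line.split()[2] if mode_line else None

    if "shutdown" in lines:
        # An unused port should be parked in an unused VLAN, not left in VLAN 1.
        if not any(l.startswith("switchport access vlan ") for l in lines):
            findings.append("unused port left in default VLAN 1")
        return findings

    if mode == "dynamic":
        findings.append("dynamic trunking mode (could trunk with a rogue switch)")
    elif mode is None:
        findings.append("no explicit switchport mode (should be forced to access)")
    if mode == "access" and "switchport port-security" not in lines:
        findings.append("access port without port-security")
    return findings


def audit_config(config: str) -> Dict[str, List[str]]:
    """Audit every interface; only interfaces with findings are returned."""
    report: Dict[str, List[str]] = {}
    for name, lines in parse_interfaces(config).items():
        findings = audit_interface(lines)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_RUNNING_CONFIG).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

Run it against `show running-config` output saved to a file and it reports only the ports that need attention; on the sample above that is Fa0/2 (dynamic mode) and Fa0/3 (no port-security).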
Now, let’s say our intrepid employee at host C wants to connect his laptop, so he brings in a wireless router from home. He disconnects host C, plugs in his wireless router, plugs host C into one of his router ports and tries to continue to work. The problem for him is that he now can’t connect to the WAN. Why is this?
The problem for our intrepid employee is that we don’t want an unsecured access point connected to our network, and in plugging his router in (which has a different MAC address from host C), he has triggered port security, putting his switch port into shutdown mode. This is where you get to explain network security again 🙂
To verify that we have our security settings correct, we can issue a per-port show command:
s2950#sh port-security int fast0/4
Port Security : Enabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address : 0000.0000.0000
Security Violation Count : 0
Obviously I haven’t connected anything yet, so there is no sticky MAC address and the port is down (no cable attached).
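Reading that output by hand is fine for one port, but after the wireless-router incident above you want to know quickly which ports on the switch have tripped. The following Python script is an added example (not part of the original post): it parses the `Field : Value` lines of `show port-security interface` output and flags ports that are in Secure-shutdown, have a non-zero violation count, or are silently dropping frames in protect mode. The first sample block is the post's own output for fast0/4; the second block, for a hypothetical FastEthernet0/7, is constructed to look the way a port does after the violation described above, and the MAC address in it is a made-up sample value.

```python
from typing import Dict, List

# Constructed sample: the post's output for fast0/4 plus a second port
# written as it would appear after a single shutdown-mode violation.
SAMPLE_SHOW_OUTPUT = {
    "FastEthernet0/4": """\
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address        : 0000.0000.0000
Security Violation Count   : 0
""",
    "FastEthernet0/7": """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address        : 0011.2233.4455
Security Violation Count   : 1
""",
}


def parse_port_security(text: str) -> Dict[str, str]:
    """Turn the 'Field : Value' lines into a dict; lines without ':' are ignored."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields


def port_findings(fields: Dict[str, str]) -> List[str]:
    """Decide whether one port's parsed output deserves attention."""
    findings: List[str] = []
    if fields.get("Port Security") != "Enabled":
        return ["port-security not enabled"]
    if fields.get("Port Status") == "Secure-shutdown":
        findings.append("port err-disabled by a security violation")
    count = int(fields.get("Security Violation Count", "0"))
    if count > 0:
        last = fields.get("Last Source Address", "unknown")
        findings.append(f"{count} violation(s), last source address {last}")
    if fields.get("Violation Mode") == "Protect":
        # Protect mode drops frames without logging, so violations stay invisible.
        findings.append("protect mode: violations are dropped without being logged")
    return findings


def review_ports(outputs: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each port name to its findings, keeping only ports that have some."""
    report: Dict[str, List[str]] = {}
    for port, text in outputs.items():
        findings = port_findings(parse_port_security(text))
        if findings:
            report[port] = findings
    return report


if __name__ == "__main__":
    for port, findings in review_ports(SAMPLE_SHOW_OUTPUT).items():
        print(port, "->", "; ".join(findings))
```

The port from the post (Secure-down, zero violations) produces no finding; the constructed FastEthernet0/7 is reported as err-disabled with one violation and the offending source address, which is exactly the information you need before clearing the port with `shutdown` / `no shutdown` and having the conversation about home routers.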