A switch configuration requires more than just setting the speed and duplex. In this video, you’ll learn about VLAN configurations, link aggregation, jumbo frames, and more.
When you’re configuring an interface on a switch, there are a number of different settings. And in this video, we’ll look at these different interface configurations.
One fundamental configuration is the speed and duplex of the interface. The speed refers to the speed of the Ethernet link. This would be a 10-megabit, 100-megabit, 1,000-megabit (1-gig), or 10-gig connection. Commonly, we would also see a duplex configuration, where the duplex would be set to either half or full. Many times, this configuration is set to be automatic. This means that both devices will negotiate with each other and find the best option for both speed and duplex. Some organizations prefer to manually set these. And they will configure the speed and duplex within the switch and the device configuration itself.
One important consideration is that these settings need to match on both sides of the wire. So if you’re configuring a device to be 1-gig and full-duplex, then the switch on the other side of the wire needs to also be configured for 1-gig and full-duplex.
Another important set of configurations is the Layer 3 settings, or IP configurations. These would be set on Layer 3 interfaces that may be on a firewall or a router, or it could be on VLAN interfaces that are configured inside of a switch. We can also set IP addresses on management interfaces so that you have a way to communicate with these infrastructure devices.
This Layer 3 configuration would include IP addresses and subnet masks. These might be presented in dotted decimal notation, or they may be in CIDR block notation. You may have to put a default gateway or route inside of this device. And it may also require domain name system configurations as well.
If you’re configuring the interface on a switch, you may have to define what VLAN is associated with that physical interface. Every port on a switch should be assigned to a particular VLAN. You might also need to configure VLANs across trunk configurations or define what VLANs are able to traverse a particular trunk. A trunk allows you to connect multiple switches together while still maintaining connectivity within each VLAN across those switches.
Some communication across this trunk will not include a VLAN header, or what we call a VLAN tag. Untagged frames belong to the default VLAN. Sometimes, you’ll hear this referred to as the native VLAN. The rest of the VLANs will traverse the trunk by having a tag added to the Ethernet header. And that tag will be removed on the other side of the trunk.
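To make the tagging concrete, here is an added Python example (not code from the original video) that inserts an 802.1Q tag at trunk egress, reads it back on the far side, and assigns untagged frames to an assumed native VLAN of 1; the sample ARP frame is constructed.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that marks an 802.1Q tag
NATIVE_VLAN = 1       # assumed native (untagged) VLAN for this trunk

def parse_frame(frame: bytes, native_vlan: int = NATIVE_VLAN) -> dict:
    """Return the VLAN a frame belongs to on a trunk, plus whether it carried a tag."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype == TPID_8021Q:
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        return {
            "dst": dst.hex(":"), "src": src.hex(":"),
            "tagged": True,
            "vlan": tci & 0x0FFF,        # 12-bit VLAN ID
            "pcp": tci >> 13,            # 3-bit priority (Class of Service)
            "ethertype": inner_type,
            "payload": frame[18:],
        }
    # No tag present: the frame rides the trunk in the native VLAN
    return {"dst": dst.hex(":"), "src": src.hex(":"), "tagged": False,
            "vlan": native_vlan, "pcp": 0, "ethertype": ethertype,
            "payload": frame[14:]}

def add_tag(frame: bytes, vlan: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag after the source MAC (what the sending switch does at trunk egress)."""
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be between 1 and 4094")
    tci = (pcp << 13) | vlan
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def strip_tag(frame: bytes) -> bytes:
    """Remove the tag again (what the receiving switch does before forwarding to an access port)."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return frame
    return frame[:12] + frame[16:]

# Constructed sample: a broadcast ARP frame (EtherType 0x0806) arriving from an access port
UNTAGGED = bytes.fromhex("ffffffffffff" "001122334455" "0806") + b"\x00" * 28
```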
Having a single link to connect switches is certainly useful for connectivity. But occasionally, you may need additional bandwidth between switches. There is a standard that allows you to put multiple connections between switches and use all of those connections as one large aggregated link. This is called port bonding or link aggregation. Sometimes, you’ll hear this referred to as LAG as an abbreviation for Link Aggregation. These multiple interfaces will act and look like one big interface to the switch. And often, there will be a control protocol that’s used to manage this. That control protocol is LACP, or Link Aggregation Control Protocol.
If you’re troubleshooting the communication on the switch, you may find it difficult to see the packets that are traversing to individual devices. If you need to capture some of that information, you may want to configure one of these interfaces as a port mirror. A port mirror will copy traffic from one or more interfaces on the switch to a separate interface, where you can plug in a protocol analyzer and perform packet captures. Some switches also support the ability to put the protocol analyzer on a different switch and mirror traffic from one switch to the protocol analyzer on another physical switch.
When we use a switch to perform that port mirroring, you’ll sometimes hear this called a SPAN (Switched Port Analyzer) connection. Or, if you have a physical tap, you could always insert that tap directly into any of these network connections.
Here’s a scenario where we have an IPS being used in more of an offline mode. And we’ve set up a port mirror from the switch to redirect traffic to the IPS. If this device is going to communicate to the server, once it hits the switch, a copy of that information will, of course, be sent to the server, and another copy will be sent to the IPS. If another device communicates on the network, that switch port analyzer or port mirror will also create a copy of that traffic, send a copy to the destination station, and another copy to the IPS.
A standard Ethernet frame will support 1,500 bytes within a payload. But if you’re performing a backup or very large file transfer, you may find it more efficient to have larger payload sizes. This is supported in Ethernet through a function called jumbo frames, where you can increase the size of the payload up to 9,216 bytes, although it’s very common to simply set it to 9,000 bytes. This improves the efficiency of the overall traffic because you don’t have to send as many frames through the switch or routed network.
An important consideration, though, is that the two end stations and everything in between has to support jumbo frames. So any of the switches or routers we use must be configured to allow frames of 9,216 bytes or whatever is the norm on your network.
One challenge with Ethernet is that it is non-deterministic. That means there’s no way to determine how fast or slow traffic will be sent over this network. If a file transfer gets very busy and a device becomes overloaded, we need some way to tell the other device to slow down so that the communication stays efficient. Switches and other devices only have so much buffer inside of them. And it’s very easy to overwhelm that buffer with a very large file transfer.
One way to manage this flow control of traffic is to use 802.3x. This is commonly called the pause frame because it sends a message to the other device telling it to pause for a moment before sending more traffic.
There have also been a number of additional enhancements for flow control through the years. So you may see some organizations using Quality of Service or Class of Service to be able to manage traffic flows.
Here’s a packet capture of a pause frame. You can see this is in the MAC control section of the frame. And there’s the part that says that this is a pause frame. This pause frame also includes a timer called a quanta, which designates how long the other device should wait before sending more traffic.
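As an added example (not from the original video), this Python decoder reads the MAC control header of an 802.3x pause frame and converts the quanta value into a wall-clock pause time, since one quantum is 512 bit times and therefore depends on link speed; the sample frame is constructed.

```python
import struct

PAUSE_DST = bytes.fromhex("0180c2000001")   # reserved multicast address for 802.3x MAC control
MAC_CONTROL_ETHERTYPE = 0x8808
PAUSE_OPCODE = 0x0001
BITS_PER_QUANTUM = 512

def parse_pause_frame(frame: bytes, link_speed_bps: int) -> dict:
    """Decode a pause frame and report how long the receiver is being asked to wait."""
    if len(frame) < 18:
        raise ValueError("frame too short to hold a MAC control header")
    dst, src, ethertype, opcode, quanta = struct.unpack("!6s6sHHH", frame[:18])
    if ethertype != MAC_CONTROL_ETHERTYPE:
        raise ValueError("not a MAC control frame (EtherType 0x%04x)" % ethertype)
    if opcode != PAUSE_OPCODE:
        raise ValueError("MAC control frame but not a pause (opcode 0x%04x)" % opcode)
    return {
        "src": src.hex(":"),
        "dst_is_reserved_multicast": dst == PAUSE_DST,
        "quanta": quanta,
        # pause duration in seconds for the given link speed
        "pause_seconds": quanta * BITS_PER_QUANTUM / link_speed_bps,
        # a quanta of zero tells the neighbour to resume sending immediately
        "resume": quanta == 0,
    }

def build_pause_frame(src_mac: str, quanta: int) -> bytes:
    """Construct a pause frame padded to the 60-byte minimum (FCS not included)."""
    if not 0 <= quanta <= 0xFFFF:
        raise ValueError("quanta must fit in 16 bits")
    header = PAUSE_DST + bytes.fromhex(src_mac.replace(":", ""))
    header += struct.pack("!HHH", MAC_CONTROL_ETHERTYPE, PAUSE_OPCODE, quanta)
    return header.ljust(60, b"\x00")

# Constructed sample: a switch port asking its neighbour for the maximum pause
SAMPLE_PAUSE = build_pause_frame("00:11:22:33:44:55", 0xFFFF)
```

The same quanta value means a ten times shorter pause on a 10-gig link than on a 1-gig link, which is why the decoder takes the link speed as input.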
One concern we have with installing Ethernet connections inside of our offices is someone could walk in from the outside, plug in their own devices, and gain access to our internal network. One way to prevent this is by configuring an interface on the switch to have port security. This would prevent unauthorized users from gaining access to the network on any interface that has port security enabled.
This security is based on the MAC address that is used when someone connects to the network. We would configure each interface on the switch to have a port security configuration that would be specific to only the MAC addresses inside of our organization.
The operation of port security is relatively straightforward. You would configure a maximum number of source MAC addresses for each individual interface on a switch. This might be one MAC address, or it could be more than one MAC address.
We can also configure specific MAC addresses on that interface if we didn’t want to have the switch automatically determine what those MAC addresses would be. The switch is going to monitor all of the traffic coming into any of those interfaces. And it will keep a list of all of the MAC addresses associated with that inbound traffic. If the number of MAC addresses exceeds the configuration for that interface, the interface is automatically disabled and a message is sent to the network administrator.
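The following Python model is an added example (not from the original video) of the per-interface logic just described: a maximum number of source MACs, optional pre-configured MACs, and an automatic shutdown plus a log message when the limit is exceeded. The interface names, MAC addresses and traffic sequence are constructed.

```python
import logging
from typing import Optional

logging.basicConfig(level=logging.INFO, format="%(message)s")
log = logging.getLogger("switch")

class PortSecurity:
    """Port security state for one switch interface."""

    def __init__(self, interface: str, maximum: int = 1, static: Optional[set] = None):
        self.interface = interface
        self.maximum = maximum
        self.allowed = {m.lower() for m in (static or set())}   # administrator-configured MACs
        self.learned = set()                                    # MACs learned from inbound traffic
        self.shutdown = False                                   # True once the port is err-disabled
        self.violations = 0

    def ingress(self, src_mac: str) -> bool:
        """Handle a frame from src_mac; return True if forwarded, False if dropped."""
        src_mac = src_mac.lower()
        if self.shutdown:
            return False
        if src_mac in self.allowed or src_mac in self.learned:
            return True
        if len(self.allowed) + len(self.learned) < self.maximum:
            self.learned.add(src_mac)      # still under the limit: learn this address
            return True
        # Limit exceeded: disable the interface and notify the administrator
        self.shutdown = True
        self.violations += 1
        log.warning("%s: port-security violation from %s, interface disabled",
                    self.interface, src_mac)
        return False

def run_constructed_scenario() -> dict:
    """Feed constructed traffic through one port (maximum 1 MAC) and return the final state."""
    port = PortSecurity("Gi0/5", maximum=1)
    sequence = ["00:11:22:33:44:55",   # the desk PC: learned
                "00:11:22:33:44:55",   # same PC again: forwarded
                "de:ad:be:ef:00:01",   # an unknown device plugged in: violation
                "00:11:22:33:44:55"]   # the port is now disabled, even for the PC
    forwarded = [port.ingress(mac) for mac in sequence]
    return {"forwarded": forwarded, "shutdown": port.shutdown,
            "learned": sorted(port.learned), "violations": port.violations}
```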