Although a switch will function right out of the box, it’s likely that the network administrator will want to configure various additional features of the switch. Normally, when configuring a switch for the first time, the technician connects the console cable that came with the switch. One end connects to the switch’s console port and the other to a serial port on a computer.
The technician then loads a terminal emulation program, such as HyperTerminal, and sets the serial parameters the switch vendor specifies. These settings are often 9,600 bps, 8 data bits, no parity, and hardware flow control. Then the switch is powered on, usually by plugging in its power cord.
From there, it helps to be familiar with the switch vendor's configuration command syntax. Most vendors provide either a menu-driven or a command-line interface (CLI) for initial configuration. Normally, initial configuration includes naming the switch, assigning a password, and setting the correct IP address, subnet mask, and default gateway for the network.
After the initial configuration, the switch can be reached over the network: Telnet for further configuration, or ping to confirm that the initial configuration works.
Further configuration may include one or more of the following:
- Restricting the use of active ports
- Enabling Simple Network Management Protocol (SNMP) functions
- Setting Virtual LANs (VLANs) and their values
- Adjusting Spanning Tree Algorithm (STA) settings
- Specifying Quality of Service (QoS) usage
- Activating port mirroring, port copying, or port spanning for protocol analysis
- Providing multi-link trunking parameters
- Disabling unused ports
Port Security Table:

| Port | Permitted MAC address |
|------|-----------------------|
| Port 1 | 02 60 8C 12 5A 61 |
| Port 2 | 01 4C 39 6A 22 50 |
| Port 3 | 04 02 31 51 7A 6C |
| Port 4 | 02 50 11 27 66 8A |
Many switches offer the ability to turn off any port that doesn’t have a device connected. This prevents unauthorized users who may have physical access to the switch from plugging a device into an unused port.
The next step in securing the switch is to manually enter, for each port, the specific MAC address that is allowed to use that port. Any other device attached to the port is refused because its MAC address does not match the configured one.
One downside of configuring port security on switches is that when a device moves, the switch or switches will have to be reconfigured before the device will be able to successfully communicate on the network. The upside is that the network administrator must be involved to verify any move.
VLAN technology helps an organization meet its network performance and security requirements. Historically, network broadcast traffic was managed or contained by routers. However, routers can add significant latency (delay) to packets as they are forwarded from one network to another. VLANs separate traffic at layer 2 of the OSI model to manage network activity, such as broadcast traffic. A VLAN is the switch's version of a router's subnet.
Different VLAN implementations are available, most of which fit into one of two categories:
- Static VLAN assignment: A network administrator would configure a specific port for the VLAN appropriate for the user.
- Dynamic VLAN assignment: A network administrator can configure a VLAN membership policy server with the MAC addresses and associated VLANs for the addresses of the devices. As devices become active on the network, the switches query the VLAN membership policy server for the appropriate VLAN configuration for the port. The appropriate configuration is based on the MAC address of the device attached to the port.
In general, static VLAN assignment is most common at locations where devices don’t move around much. A dynamic VLAN assignment system is more common at locations where devices move about frequently.
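The following is an added example, not code from the original text or from any switch vendor, that simulates the two admission checks described above: the MAC-based port security table (with unused ports disabled) and a dynamic VLAN lookup in the style of a membership policy server. The port table reuses the MAC addresses from the table above; the VLAN assignments and port count are constructed values.

```python
# Constructed from the port-security table above: one permitted source MAC per port.
# Any port not listed is treated as unused and kept administratively disabled.
PORT_SECURITY = {
    1: "02:60:8C:12:5A:61",
    2: "01:4C:39:6A:22:50",
    3: "04:02:31:51:7A:6C",
    4: "02:50:11:27:66:8A",
}

# Constructed stand-in for a VLAN membership policy server: MAC -> VLAN id.
# The VLAN numbers are hypothetical.
VLAN_POLICY = {
    "02:60:8C:12:5A:61": 10,
    "01:4C:39:6A:22:50": 10,
    "04:02:31:51:7A:6C": 20,
    "02:50:11:27:66:8A": 20,
}


def normalize_mac(mac: str) -> str:
    """Accept 'AA BB CC DD EE FF', 'aa-bb-cc-dd-ee-ff', 'aabb.ccdd.eeff' or
    'aa:bb:cc:dd:ee:ff' and return the canonical upper-case colon form."""
    digits = "".join(ch for ch in mac if ch.isalnum()).upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def admit_frame(port: int, src_mac: str) -> dict:
    """Decide whether a frame arriving on `port` from `src_mac` is forwarded.
    Returns a decision record that a switch would typically log or trap."""
    mac = normalize_mac(src_mac)
    permitted = PORT_SECURITY.get(port)
    if permitted is None:
        # Unused port: shut down, so a device plugged in here never gets link.
        return {"port": port, "mac": mac, "forward": False, "reason": "port disabled"}
    if mac != permitted:
        # Port-security violation: a device other than the registered one.
        return {"port": port, "mac": mac, "forward": False, "reason": "mac mismatch"}
    vlan = VLAN_POLICY.get(mac)
    if vlan is None:
        # Registered on the port, but the policy server has no VLAN for it.
        return {"port": port, "mac": mac, "forward": False, "reason": "no vlan policy"}
    return {"port": port, "mac": mac, "forward": True, "reason": "ok", "vlan": vlan}
```

A device that is moved to another port fails with "mac mismatch" until the administrator updates PORT_SECURITY, which is the reconfiguration step the text describes.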