The document provides an overview of Local Area Network (LAN) design, focusing on characteristics, interconnection equipment, and the importance of a structured model for network architecture. It details the functions of various network devices, configuration modes, and security measures, particularly regarding switches and their MAC address tables. Additionally, it discusses switching concepts, methods, and the implementation of port security to ensure authorized access to the network.

Uploaded by

mam838343
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
30 views41 pages

Chapter1 LAN Design

The document provides an overview of Local Area Network (LAN) design, focusing on characteristics, interconnection equipment, and the importance of a structured model for network architecture. It details the functions of various network devices, configuration modes, and security measures, particularly regarding switches and their MAC address tables. Additionally, it discusses switching concepts, methods, and the implementation of port security to ensure authorized access to the network.

Uploaded by

mam838343
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 41

Chapter 1
LAN Design
Module: Switched Networks
3rd Year
2021/2022

Part 1
LAN Characteristics
What is a local network?
 It is a network whose size ranges from a few meters (direct link between peripheral equipment) to a few kilometers (with interconnection equipment).
 Geographically limited (company, school, building, ...)
 Speeds ranging from 100 Mb/s to 10 Gb/s
 Widespread technology for a wired infrastructure: Ethernet
 Components: end devices, interconnection equipment, cables, protocols
Interconnection Equipment

| Equipment | Function |
|---|---|
| Repeater | Not really interconnecting equipment; it regenerates the signal |
| Hub | Connects multiple hosts together in the same collision domain |
| Switch | Connects various elements while physically segmenting the network into collision domains |
| Bridge | Connects two network segments. Homogeneous bridge: the technologies of the segments are the same. Heterogeneous bridge: the technologies are different |
| Router / Gateway | Connects different local networks |
Interconnecting Cables
 The twisted pair: an 8-core twisted copper cable terminated with RJ45 connectors (cross-over cabling is illustrated on the slide).
Why do we need a model in a LAN?
Network Design Model
 A design model is used to build networks according to certain architectural rules that enable them to meet the current and future needs of businesses and their users.

Principles of a design model
 Hierarchy: the model offers functional levels: Core / Distribution / Access
 Modularity: it easily supports growth and change. Scaling the network is made easier by adding new modules instead of redesigning the entire network architecture.
 Resilience: it supports high availability (HA), close to 100% availability.
 Flexibility: changes in the business can be accommodated by the network quickly, as needed.
 Security: security is built in at every layer.
3-layer hierarchical model

The Core layer provides connectivity between all devices in the Distribution layer. It is also known as the "backbone" of the network, and its main role is to transfer a large volume of network traffic in the most efficient way.

The Distribution layer provides the interconnection between the Access and Core layers. Distribution layer switches must be capable of handling the load of all traffic coming from the Access devices. These switches should have a high density of high-speed ports.

The Access layer is the layer that connects end users to the network.
Collapsed Model (2 layers)
• Some smaller network infrastructures do not require a dedicated core layer.
• In this case, the design can be simplified into a collapsed core topology by reducing the number of layers from three to two (a two-tier model).
• In a collapsed core topology, each core layer switch has a redundant link to each distribution layer switch.
• Distribution layer switches connect to each other with redundant links.
Collision / Broadcast domains (1/3)
A collision domain is a set of entities that share the same communication medium. If two entities send data at the same time T, there is a collision and the data must be retransmitted.
(Figure: one collision domain)

Collision / Broadcast domains (2/3)
A broadcast domain is a logical area of a computer network in which any machine connected to the network can transmit directly to all other machines in the same domain.
(Figure: two broadcast domains)

Collision / Broadcast domains (3/3)
(Figure: three broadcast domains, Broadcast Domain 1, Broadcast Domain 2 and Broadcast Domain 3)
Part 2
Characteristics and basic configuration of a Switch
Equipment characteristics
Each piece of network equipment is composed of:
• Shell: a user interface for requesting specific tasks from the computer via the CLI.
• Kernel: the element that provides communication between the hardware and the interpreter.
• Hardware: the physical part of the equipment.

A network operating system using a CLI (such as Cisco IOS, installed on a switch or router) allows the user to:
• use a keyboard to run CLI-based network programs
• use a keyboard to enter text commands
• display output on a screen.
Configuration Modes
 User EXEC Mode: it allows access to only a limited number of basic monitoring commands.
 Privileged EXEC Mode: it allows access to all commands and features.
 Global configuration mode: from global config mode, CLI configuration changes are made that affect the operation of the device as a whole.
 Subconfiguration modes
• Line configuration mode: used to configure console, SSH, Telnet, or AUX access.
• Interface configuration mode: used to configure a switch port or router network interface.

Basic IOS command structure
 A network administrator must know the basic IOS command structure to be able to use the CLI for device configuration.
 A Cisco IOS device supports many commands. Each IOS command has a specific format, or syntax, and can only be executed in the appropriate mode.
Configuration Files
There are two system files that store the device configuration:

• startup-config - This is the saved configuration file that is stored in NVRAM. It contains all the commands that will be used by the device upon startup or reboot.
Note: NVRAM, like flash, does not lose its contents when the device is powered off.

• running-config - This is stored in Random Access Memory (RAM). It reflects the current configuration. Modifying the running configuration affects the operation of a Cisco device immediately. RAM is volatile memory: it loses all of its content when the device is powered off or restarted.
Switch basic configuration (1/8)
Device name
 The default name should be changed to something more descriptive. By choosing names wisely, it is easier to remember, document, and identify network devices.
 Here are some important naming guidelines for hosts:
• Start with a letter
• Contain no spaces
• End with a letter or digit
• Use only letters, digits, and dashes
• Be less than 64 characters in length
Switch basic configuration (2/8)
Disable DNS translation process
• By default, any single word entered on an IOS device that is not recognized as a valid command is treated as a hostname. The device will try to translate that word to an IP address in a process that can last about a minute.
• This can be annoying, which is why this feature is often turned off, especially in lab environments.
• If you don't need a DNS server configured for your device, you can use the "no ip domain-lookup" command to disable the DNS translation process.
Switch basic configuration (3/8)
Passwords (1/2)
 Network devices, including home wireless routers, should always have passwords configured to limit administrative access.
 All networking devices should limit administrative access by securing:
• privileged EXEC mode
• console access
• remote Telnet access with passwords.
 In addition, all plaintext passwords should be encrypted.
(Figure: console access and Telnet access)
Switch basic configuration (4/8)
Passwords (2/2)
 To have administrator access to all IOS commands, including the configuration of a device, you must obtain privileged EXEC mode access.
 There are two ways to configure the privileged-access password:
• "enable password password"
• "enable secret password"

 The "secret" option hashes the password with the MD5 algorithm and stores the created password in its hashed form.
Switch basic configuration (5/8)
Banner Message
 This is an additional information message added to the device.
 It is vital to provide a method for declaring that only authorized personnel should attempt to access the device.
 To create a message-of-the-day banner on a network device, use the banner motd command. A delimiting character should be entered before and after the message. The delimiting character can be any character as long as it does not occur in the message.
Switch basic configuration (6/8)
Switch management interface
 To prepare a switch for remote management access, the switch must be configured with an IP address and a subnet mask.
 Since the switch is a Layer 2 device, none of its physical interfaces can be configured with an IP address, so a virtual management interface (SVI) is configured instead.
 By default this interface is the VLAN 1 interface.
 The configuration of this interface includes:
• assigning the IP address
• activating it with the command "no shutdown"
Switch basic configuration (7/8)
Default Gateway
 The default gateway is essential for the switch to communicate with other networks.
 The default gateway is the IP address of the router that delimits the broadcast domain to which the switch belongs.
 The configuration is done with the command "ip default-gateway".
Switch basic configuration (8/8)
Saving configurations
 If a configuration change is made, the running-config file is modified. The startup-config file, on the other hand, is not.
 To modify the startup configuration, it is necessary to save the current configuration (running-config) as the initial configuration (startup-config).
 Consequently, any modification made and not saved is lost the next time the switch is started.

Part 3
Switching Concepts
Switch MAC Address Table (1/3)
 The switch MAC address table associates a physical port with a MAC address. It makes it possible to identify the various hosts connected to the network by specifying the port number of the switch to which each host is connected.

| MAC Address | Port number |
|---|---|
| 0260-8c01-1111 | 1 |
| 0260-ec02-2222 | 2 |
| 0260-ab12-3333 | 3 |
| 0260-ef13-4444 | 4 |
| 0260-e718-5555 | 5 |

How is the MAC address table filled in?
• Manually
• Dynamically, by self-learning
Switch MAC Address Table (2/3)
 The MAC address table is filled manually or dynamically by self-learning.
 Self-learning is the process of automatically filling in the MAC address table, using the source MAC addresses in the header of the frames received by the switch.
 If a switch receives traffic from a host A to a host B, it consults its MAC table:
• If B exists in its MAC table, the traffic is directed to the corresponding port
• Otherwise:
1. Registration of the port corresponding to host A
2. Broadcast of the frame to all active ports except the ingress port (that of A)
Switch MAC Address Table (3/3)
Example: Self-learning
(Figure: hosts A and B on port 1, C and D on port 2, E and F on port 3, G and H on port 4)

| Time | @MAC | Port number |
|---|---|---|
| T0 | A | 1 |
| T1 | B | 1 |
| T2 | C | 2 |
| T3 | H | 4 |

T0: A communicates with B ==> A is registered in the MAC table with port number 1 and the frame is sent on ports 2, 3, 4
T1: B communicates with A ==> B is registered in the MAC table with port number 1 and the frame is sent on port 1
T2: C communicates with F ==> C is registered in the MAC table with port number 2 and the frame is sent on ports 1, 3, 4
T3: H communicates with C ==> H is registered in the MAC table with port number 4 and the frame is sent on port 2
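The self-learning and forwarding rules above, replayed on the T0 to T3 scenario as an added Python example (not code from the course slides); the LearningSwitch class and its names are my own, and the host-to-port mapping follows the figure.

```python
# Added example, not from the course slides: a minimal model of switch
# self-learning and forwarding. Entry ageing, which real switches also do,
# is left out.

class LearningSwitch:
    def __init__(self, active_ports):
        self.active_ports = list(active_ports)
        self.mac_table = {}  # MAC address -> port number, filled by self-learning

    def receive(self, ingress_port, src_mac, dst_mac):
        """Handle one incoming frame and return the ports it is sent out on."""
        # Step 1: learn the sender's port from the frame's source address.
        # Nothing authenticates that address, which is why Part 4 limits
        # which addresses a port may learn (port security).
        self.mac_table[src_mac] = ingress_port
        # Step 2: known destination -> forward on that single port. (The slide's
        # T1 step forwards even though it is the ingress port; a real switch
        # filters that case and drops the frame instead.)
        if dst_mac in self.mac_table:
            return [self.mac_table[dst_mac]]
        # Step 3: unknown destination -> flood to every active port except the
        # ingress port.
        return [p for p in self.active_ports if p != ingress_port]


def replay_slide_example():
    """Replay T0..T3 from the slide; return (egress ports per step, final table)."""
    sw = LearningSwitch(active_ports=[1, 2, 3, 4])
    # (ingress port, source, destination): A and B hang off port 1,
    # C and D off port 2, E and F off port 3, G and H off port 4.
    frames = [(1, "A", "B"), (1, "B", "A"), (2, "C", "F"), (4, "H", "C")]
    egress = [sw.receive(*frame) for frame in frames]
    return egress, dict(sw.mac_table)


if __name__ == "__main__":
    egress, table = replay_slide_example()
    for t, ports in enumerate(egress):
        print(f"T{t}: frame sent on ports {ports}")
    print("MAC table:", table)
```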
How the switch works
1- Frame receiving
2- Frame delimitation and address identification (source and destination)
3- Switching table consulting: the destination MAC address is looked up to find the destination port
4- Frame transmission

(Figure: switching table of the example)

| @MAC | Port N° |
|---|---|
| Pc1 | P4 |
| Pc2 | P5 |
| Pc3 | P1 |
| Pc4 | P2 |
| Pc5 | P3 |
Switch Forwarding Methods
 A switch will use one of two methods to make forwarding decisions after it receives a frame:
• Store-and-forward switching: receives the entire frame and ensures the frame is valid. Store-and-forward switching is Cisco's preferred switching method.
• Cut-through switching: forwards the frame immediately after determining the destination MAC address of an incoming frame and the egress port.

Store and Forward Switching
 Store-and-forward has two primary characteristics:
• Error checking: the switch will check the Frame Check Sequence (FCS) for CRC errors. Bad frames will be discarded.
• Buffering: the ingress interface will buffer the frame while it checks the FCS. This also allows the switch to adjust to a potential difference in speeds between the ingress and egress ports.
Cut-Through Switching
 Cut-through forwards the frame immediately after determining the destination MAC.
 The Fragment-Free (Frag-Free) method will check the destination and ensure that the frame is at least 64 bytes. This will eliminate runts.
Concepts of cut-through switching:
• Is appropriate for switches needing latency to be under 10 microseconds
• Does not check the FCS, so it can propagate errors
• May lead to bandwidth issues if the switch propagates too many errors
• Cannot support ports with differing speeds going from ingress to egress
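How the three forwarding methods treat a good frame, a corrupted frame and a runt, as an added Python example (not from the course slides): the frame layout and FCS are the Ethernet ones, while the function names and the sample frames are constructed for this illustration.

```python
# Added example, not from the course slides: store-and-forward checks the
# FCS, fragment-free only checks the 64-byte minimum, cut-through checks nothing.
import zlib

MIN_FRAME = 64          # minimum Ethernet frame size, FCS included
HEADER = 6 + 6 + 2      # destination MAC + source MAC + EtherType


def build_frame(dst, src, payload, ethertype=b"\x08\x00"):
    """Assemble a frame, pad it to 64 bytes and append the FCS
    (CRC-32 of everything before it, least significant byte first)."""
    body = dst + src + ethertype + payload
    body += b"\x00" * max(0, MIN_FRAME - 4 - len(body))
    return body + zlib.crc32(body).to_bytes(4, "little")


def fcs_is_valid(frame):
    body, fcs = frame[:-4], frame[-4:]
    return zlib.crc32(body).to_bytes(4, "little") == fcs


def store_and_forward(frame):
    """Whole frame received, FCS verified; returns the destination MAC to
    forward to, or None when the frame is discarded."""
    if len(frame) < MIN_FRAME or not fcs_is_valid(frame):
        return None
    return frame[:6]


def cut_through(frame):
    """Forward as soon as the destination MAC has been read: nothing else is
    checked, so a corrupted frame is propagated."""
    return frame[:6] if len(frame) >= 6 else None


def fragment_free(frame):
    """Cut-through variant that waits for the first 64 bytes: runts
    (collision fragments) are dropped, but the FCS is still not checked."""
    return frame[:6] if len(frame) >= MIN_FRAME else None


def compare_methods(frame):
    """Which methods would forward this frame."""
    return {"store_and_forward": store_and_forward(frame) is not None,
            "cut_through": cut_through(frame) is not None,
            "fragment_free": fragment_free(frame) is not None}


# Constructed sample frames (locally administered MAC addresses).
GOOD = build_frame(b"\x02\x00\x00\x00\x00\x02", b"\x02\x00\x00\x00\x00\x01", b"hello")
CORRUPT = GOOD[:20] + bytes([GOOD[20] ^ 0xFF]) + GOOD[21:]  # one damaged byte
RUNT = GOOD[:40]                                          # collision fragment

if __name__ == "__main__":
    for name, frame in (("good", GOOD), ("corrupt", CORRUPT), ("runt", RUNT)):
        print(name, compare_methods(frame))
```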
Manipulating the MAC address table (1/2)
 The command that displays the MAC address table of a switch is:

 To display only dynamic entries, add the "dynamic" option.
 To display only static entries, add the "static" option.
Manipulating the MAC address table (2/2)
 The command to add a static entry to the MAC address table is:
S1(config)# mac-address-table static <adresse_MAC> vlan <ID_vlan> interface <ID_interface>
 The command to remove the dynamic entries is:
S1# clear mac-address-table dynamic
 The command to delete a static entry is:
S1(config)# no mac-address-table static <adresse_MAC> vlan <ID_vlan> interface <ID_interface>

Part 4
Switch Port Security
Enabling Switch Port Security (1/3)
 In order to secure the network, only authorized machines should be allowed to access it.
The switch ports must therefore be secured:
• by administratively shutting down all unused ports
• by limiting access to the other ports to a set of authorized MAC addresses.

The following commands disable the unused ports (the range covers FastEthernet 0/5 to 0/24 and GigabitEthernet 0/1 to 0/2):

S1(config)# interface range fa0/5-24,g0/1-2
S1(config-if-range)# shutdown
Enabling Switch Port Security (2/3)
Port Security (1/2)
 Port security limits the number of valid MAC addresses allowed to transmit data through a switch port.
 If port security is enabled on a port and an unknown MAC address sends data, the switch has a security violation.
 The switch can be configured to learn about MAC addresses on a secure port in one of three ways:
• Static: the administrator manually configures the static MAC address(es).
• Dynamic: when the switchport port-security command is entered, the current source MAC for the device connected to the port is automatically secured but is not added to the running configuration. If the switch is rebooted, the port will have to re-learn the device's MAC address.
• Sticky: the administrator can enable the switch to dynamically learn the MAC addresses and "stick" them to the running configuration.
 Saving the running configuration will commit the dynamically learned MAC addresses to NVRAM.
Enabling Switch Port Security (3/3)
Port Security (2/2)
 If a machine with an unauthorized MAC address uses the switch's port, it is a port security violation.
 Three actions are possible upon a violation:
• PROTECT: the data is dropped; no notification is presented by the switch
• RESTRICT: the data is dropped, a notification is presented by the switch, and the violation counter is incremented
• SHUTDOWN: this is the default mode. The port is disabled and the violation counter is incremented. The port resumes normal operation only after the administrator re-activates it.
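The three learning methods (static, dynamic, sticky) and the three violation actions (protect, restrict, shutdown) described on the last two slides, modelled for one port as an added Python example (not from the course slides); the SecurePort class, its method names and the notification text are my own, and the running-config line it emits for sticky addresses follows the IOS "switchport port-security mac-address sticky <mac>" form.

```python
# Added example, not from the course slides: one port-security enabled port.

class SecurePort:
    def __init__(self, name, maximum=1, violation="shutdown", sticky=False):
        self.name = name
        self.maximum = maximum          # allowed MAC addresses (IOS default: 1)
        self.violation = violation      # "protect" | "restrict" | "shutdown"
        self.sticky = sticky
        self.secure_macs = {}           # mac -> "static" | "dynamic" | "sticky"
        self.violation_count = 0
        self.err_disabled = False       # True after a shutdown-mode violation
        self.running_config = []        # lines a sticky learn would add

    def add_static(self, mac):
        """Administrator enters the MAC address by hand."""
        self.secure_macs[mac] = "static"

    def receive(self, src_mac):
        """Return (forwarded, notification) for a frame arriving from src_mac."""
        if self.err_disabled:
            return False, None                       # port is down until re-enabled
        if src_mac in self.secure_macs:
            return True, None
        if len(self.secure_macs) < self.maximum:     # room left: learn it
            self.secure_macs[src_mac] = "sticky" if self.sticky else "dynamic"
            if self.sticky:
                self.running_config.append(
                    f"switchport port-security mac-address sticky {src_mac}")
            return True, None
        # Unknown MAC beyond the limit: a port-security violation.
        if self.violation == "protect":
            return False, None                       # dropped silently
        self.violation_count += 1
        note = f"{self.name}: violation by {src_mac}"  # constructed message
        if self.violation == "shutdown":
            self.err_disabled = True                 # port stays disabled
        return False, note

    def reenable(self):
        """Administrator brings the port back after a shutdown violation."""
        self.err_disabled = False

    def reboot(self, config_saved):
        """Dynamic entries never survive a reboot; sticky ones only if the
        running-config was saved to startup-config; static ones always do."""
        self.secure_macs = {m: k for m, k in self.secure_macs.items()
                            if k == "static" or (k == "sticky" and config_saved)}
```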
Port Security Configuration
(Figure: the configuration steps, in order)
• Change the port mode to "access"
• Enable port security
• MAC address recognition method (sticky in this case)
• Specify the number of allowed MAC addresses (default = 1)
• Action in case of violation (default = shutdown); the slide shows:
switchport port-security violation protect
Observing the security configuration
Extract from the running config file (violation mode: protect)

! The address count will only be incremented if data is sent on port Fa0/19

We can use a PING request to test.
End chapter 1
