Switch:
As with hubs, Ethernet switches come with 10/100 Mbit/s or 10/100/1000 Mbit/s ports; large switches may also have 10 Gbit/s ports. Switches differ from hubs in that a single switch can have ports of different speeds.

The network switch, packet switch (or just switch) plays an integral part in most Ethernet local area networks (LANs). Mid-to-large sized LANs contain a number of linked managed switches. Small office/home office (SOHO) networks typically use a single switch, or an all-purpose converged device that provides gateway access to SOHO broadband services, such as a DSL, cable or Wi-Fi router. In most of these cases the end-user device contains a router, a small switch and the components that interface to the particular physical broadband technology (the Linksys 8-port and 48-port devices are typical examples); such devices may also include a telephone interface for VoIP.

A standard 10/100 Ethernet switch operates at the data-link layer of the OSI model and creates a separate collision domain per switch port. If four computers A, B, C and D sit on four switch ports, A and B can exchange data at the same time as C and D, and the two conversations never interfere with each other. With a hub they would all share the bandwidth, run in half-duplex, and suffer collisions and retransmissions. Giving each host its own switch port is called micro-segmentation: every host gets dedicated bandwidth on a point-to-point link and can therefore run in full duplex with no collisions.
Role of switches in networks
"Network switch" is a marketing term rather than a technical one. Switches may operate at one or more OSI layers, including physical, data link, network, or transport (i.e., end-to-end). A device that operates simultaneously at more than one of these layers is called a multilayer switch, although use of the term is diminishing.

In switches intended for commercial use, built-in or modular interfaces make it possible to connect different types of networks, for example Ethernet, Fibre Channel, ATM, and 802.11. This connectivity can be at any of the layers mentioned. While Layer 2 functionality is adequate for speed-shifting within one technology, interconnecting technologies such as Ethernet and token ring is easier at Layer 3.
Interconnection of different Layer 3 networks is done by routers. If any feature characterizes "Layer-3 switches" as opposed to general-purpose routers, it is that the larger ones are optimized for high-density Ethernet connectivity.
In some service provider and other environments where there is a need for extensive analysis of network performance and security, switches may be connected between WAN routers as places for analytic modules. Some vendors provide firewall, network intrusion detection, and performance analysis modules that plug into switch ports; some of these functions may be combined on one module.
In other cases the switch is used to create a mirror copy of traffic (port mirroring, SPAN on Cisco switches) that is sent to an external device. Since most switches provide only one mirrored stream per session, network hubs or dedicated network TAPs can be useful for fanning the data out to several read-only analyzers, such as intrusion detection systems and packet sniffers.
Router:
A router is a device that forwards data packets between networks. A router is connected to at least two networks, commonly two LANs or WANs, or a LAN and its ISP's network. Routers are located at gateways, the places where two or more networks connect, and are the critical devices that keep data flowing between networks and keep the networks connected to the Internet. When data is sent from one network to another, the router examines the packet headers and consults its forwarding table to choose the best path for each packet. Routers learn those paths either from statically configured routes (as in the example below) or from routing protocols such as RIP or OSPF, with which they exchange reachability information; ICMP is used alongside them to report errors and test reachability (ping), not to build routes.
The Internet itself is a global network connecting millions of computers and smaller networks, so you can see how crucial the role of the router is to our way of communicating and computing.
Why Would we Need a Router?
Most home users want to set up a LAN (local area network) or WLAN (wireless LAN) and connect all of their computers to the Internet without paying their ISP for a full broadband subscription per computer. In many cases an ISP will allow you to use a router to connect multiple computers to a single Internet connection, sometimes for a nominal fee per additional computer. This is when home users look at smaller routers, often called broadband routers, that let two or more computers share one Internet connection. Within a business or organization you may need to connect multiple computers to the Internet and also interconnect multiple private networks; these are the functions a router is designed for.
Routers for Home & Small Business:
Not all routers are created equal, since their job differs slightly from network to network. You may also look at a piece of hardware and not realize it is a router: what defines a router is not its shape, colour, size or manufacturer but its function of routing packets between networks. A combined cable modem and gateway that routes data between your PC and your ISP is itself a router. In its most basic form, a router could simply be one of two computers running Windows 98 (or later) connected together using ICS (Internet Connection Sharing); the computer that is connected to the Internet acts as the router through which the second computer obtains its Internet connection.
Going a step up from ICS, there is a category of hardware routers that perform the same basic task as ICS, but with more features and functions. Often called broadband or Internet connection sharing routers, they let you share one Internet connection between multiple computers.
Basic Network Diagram
(Configuration Example)
The topology used below (the diagram itself is not reproduced here) can be read from the configurations: PC 192.168.30.10 connects to switch SW1 (management address 192.168.30.5), whose uplink goes to router RT1 (FastEthernet 0/1, 192.168.30.1). RT1's FastEthernet 0/0 (192.168.20.1/30) is linked point-to-point to RT2's FastEthernet 0/0 (192.168.20.2/30). RT2's FastEthernet 0/1 (192.168.10.1) serves switch SW2 (192.168.10.5) and PC 192.168.10.10. Each router points a default route at the other, so every subnet is reachable in both directions.
First we configure Switch 1. (The transcripts use enable password and a shared Telnet-style vty password because that is what the lab shows; on a real device use enable secret, which stores a hash rather than a reversible string, and restrict the vty lines to SSH with transport input ssh. VLAN 1 exists by default and IOS does not allow it to be renamed, so no name is set on it.)
Switch>enable
Switch#configure terminal
Switch(config)#hostname SW1
SW1(config)#enable password cisco
SW1(config)#vlan 1
SW1(config-vlan)#exit
SW1(config)#interface vlan 1
SW1(config-if)#ip address 192.168.30.5 255.255.255.0
SW1(config-if)#no shutdown
SW1(config-if)#exit
SW1(config)#ip default-gateway 192.168.30.1
SW1(config)#line vty 0 15
SW1(config-line)#password cisco
SW1(config-line)#login
SW1(config-line)#exit
SW1(config)#exit
SW1#copy running-config startup-config
Configuring Switch 2:
Switch>enable
Switch#configure terminal
Switch(config)#hostname SW2
SW2(config)#enable password cisco
SW2(config)#vlan 1
SW2(config-vlan)#exit
SW2(config)#interface vlan 1
SW2(config-if)#ip address 192.168.10.5 255.255.255.0
SW2(config-if)#no shutdown
SW2(config-if)#exit
SW2(config)#ip default-gateway 192.168.10.1
SW2(config)#line vty 0 15
SW2(config-line)#password cisco
SW2(config-line)#login
SW2(config-line)#exit
SW2(config)#exit
SW2#copy running-config startup-config
Router1:
Router>enable
Router#configure terminal
Router(config)#hostname RT1
RT1(config)#enable password cisco
RT1(config)#interface FastEthernet 0/1
RT1(config-if)#ip address 192.168.30.1 255.255.255.0
RT1(config-if)#no shutdown
RT1(config-if)#exit
RT1(config)#interface FastEthernet 0/0
RT1(config-if)#ip address 192.168.20.1 255.255.255.252
RT1(config-if)#no shutdown
RT1(config-if)#exit
RT1(config)#line vty 0 4
RT1(config-line)#password cisco
RT1(config-line)#login
RT1(config-line)#exit
RT1(config)#ip route 0.0.0.0 0.0.0.0 192.168.20.2
RT1(config)#exit
RT1#copy running-config startup-config
Router2:
Router>enable
Router#configure terminal
Router(config)#hostname RT2
RT2(config)#enable password cisco
RT2(config)#interface FastEthernet 0/1
RT2(config-if)#ip address 192.168.10.1 255.255.255.0
RT2(config-if)#no shutdown
RT2(config-if)#exit
RT2(config)#interface FastEthernet 0/0
RT2(config-if)#ip address 192.168.20.2 255.255.255.252
RT2(config-if)#no shutdown
RT2(config-if)#exit
RT2(config)#line vty 0 4
RT2(config-line)#password cisco
RT2(config-line)#login
RT2(config-line)#exit
RT2(config)#ip route 0.0.0.0 0.0.0.0 192.168.20.1
RT2(config)#exit
RT2#copy running-config startup-config
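Before testing connectivity, here is the check a practitioner would run over transcripts like these. It is an added example, not part of the original lab: a small Python linter that reads an IOS-style running-config and flags the weak settings the lab relies on (enable password instead of enable secret, Telnet on the vty lines, a shared line password, no exec-timeout, no access-class). The sample configs are constructed inline, one reproducing what the RT1 transcript above produces and one hardened counterpart; the finding names, the checks and the placeholder secret hashes are mine.

```python
import re

# Constructed sample input: the running-config that the RT1 transcript above
# produces, laid out as IOS stores it (indented section bodies).
WEAK_CONFIG = """\
hostname RT1
enable password cisco
interface FastEthernet0/1
 ip address 192.168.30.1 255.255.255.0
 no shutdown
interface FastEthernet0/0
 ip address 192.168.20.1 255.255.255.252
 no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.20.2
line vty 0 4
 password cisco
 login
"""

# Constructed hardened counterpart; the secret hashes are placeholders, not real hashes.
HARDENED_CONFIG = """\
hostname RT1
service password-encryption
enable secret 5 $1$placeholder$notarealhash
username admin privilege 15 secret 5 $1$placeholder$notarealhash
ip domain-name lab.example
access-list 10 permit 192.168.30.0 0.0.0.255
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
 exec-timeout 10 0
"""

def parse_sections(config):
    """Split an IOS config into (header, [body lines]) pairs: indented lines belong
    to the preceding unindented header, top-level commands get an empty body."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections

def audit(config):
    """Return the sorted list of weak-setting findings for one device config."""
    findings = set()
    sections = parse_sections(config)
    top = [hdr for hdr, _ in sections]

    # 'enable password' is stored in cleartext or reversible type 7; 'enable secret' is hashed.
    if any(re.match(r"enable password\b", h) for h in top):
        findings.add("ENABLE_PASSWORD_NOT_SECRET")
    # Type 7 is only obfuscation, but without it line passwords sit in cleartext in the config.
    if "service password-encryption" not in top:
        findings.add("NO_PASSWORD_ENCRYPTION")

    for hdr, body in sections:
        if not hdr.startswith("line vty"):
            continue
        # Without 'transport input ssh' the vty lines accept Telnet, which carries
        # the line password and the enable password across the network in cleartext.
        if not any(b.startswith("transport input ssh") for b in body):
            findings.add("VTY_ALLOWS_TELNET")
        # One shared line password ('login' plus 'password') gives no per-user accountability.
        if "login" in body and any(b.startswith("password ") for b in body):
            findings.add("VTY_SHARED_LINE_PASSWORD")
        if not any(b.startswith("exec-timeout") for b in body):
            findings.add("VTY_NO_EXEC_TIMEOUT")
        # No access-class means any address that can reach the router may try to log in.
        if not any(b.startswith("access-class") for b in body):
            findings.add("VTY_NO_ACCESS_CLASS")
    return sorted(findings)

if __name__ == "__main__":
    for name, cfg in (("lab config", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or 'no findings'}")
```

Run against the lab config the linter reports all six findings; the hardened variant reports none. The same parser works on the SW1/SW2 transcripts, which share every one of these weaknesses.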
Test
Configure each PC with its router's LAN address as default gateway (192.168.30.1 for the PC at 192.168.30.10, 192.168.10.1 for the PC at 192.168.10.10), then ping 192.168.10.10 from 192.168.30.10 and ping 192.168.30.10 from 192.168.10.10. Both pings succeed: each router sends the foreign subnet over its default route across the 192.168.20.0/30 link, and the far router delivers it to its directly connected LAN.
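As an added illustration (not from the original lab) of why both pings succeed, and of the header-and-forwarding-table lookup described in the Router section above, the Python below builds each device's forwarding table from the connected subnets and static routes in the transcripts, performs longest-prefix-match lookups, and traces the hops from one PC to the other. The devices and addresses are the lab's; the data structures, the function names and the assumption that each PC uses its router's LAN address as default gateway are mine.

```python
import ipaddress

# Forwarding tables reconstructed from the four transcripts above. Each route is
# (prefix, next_hop, egress_interface); next_hop None means directly connected.
# The PCs' default gateways are an assumption: the lab does not show PC setup.
# SW1 and SW2 are Layer 2 devices and do not appear in the Layer 3 path.
DEVICES = {
    "PC-A": {"routes": [("192.168.30.0/24", None, "eth0"),
                        ("0.0.0.0/0", "192.168.30.1", "eth0")]},
    "PC-B": {"routes": [("192.168.10.0/24", None, "eth0"),
                        ("0.0.0.0/0", "192.168.10.1", "eth0")]},
    "RT1":  {"routes": [("192.168.30.0/24", None, "FastEthernet0/1"),
                        ("192.168.20.0/30", None, "FastEthernet0/0"),
                        ("0.0.0.0/0", "192.168.20.2", "FastEthernet0/0")]},
    "RT2":  {"routes": [("192.168.10.0/24", None, "FastEthernet0/1"),
                        ("192.168.20.0/30", None, "FastEthernet0/0"),
                        ("0.0.0.0/0", "192.168.20.1", "FastEthernet0/0")]},
}
# Address ownership, used to turn a next hop into the device that receives the packet.
OWNERS = {"192.168.30.10": "PC-A", "192.168.10.10": "PC-B",
          "192.168.30.1": "RT1", "192.168.20.1": "RT1",
          "192.168.10.1": "RT2", "192.168.20.2": "RT2"}

def lookup(routes, dst):
    """Longest-prefix match: return the most specific (network, next_hop, interface)
    entry containing dst, or None. A connected /24 always beats the /0 default."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, ifc in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, ifc)
    return best

def trace(src_dev, dst, devices=None, owners=None, max_hops=16):
    """Return the list of devices a packet from src_dev traverses to reach dst,
    raising RuntimeError when some hop has no route or a loop is suspected."""
    devices = devices or DEVICES
    owners = owners or OWNERS
    path = [src_dev]
    dev = src_dev
    for _ in range(max_hops):
        if owners.get(dst) == dev:
            return path
        route = lookup(devices[dev]["routes"], dst)
        if route is None:
            raise RuntimeError(f"{dev} has no route to {dst}")
        _, next_hop, _ = route
        target = dst if next_hop is None else next_hop   # connected: deliver directly
        if target not in owners:
            raise RuntimeError(f"{dev}: next hop {target} is not on any known device")
        dev = owners[target]
        path.append(dev)
    raise RuntimeError("hop limit exceeded: routing loop?")

if __name__ == "__main__":
    print(" -> ".join(trace("PC-A", "192.168.10.10")))
    print(" -> ".join(trace("PC-B", "192.168.30.10")))
```

The trace in each direction is PC, near router, far router, PC. Removing the default route from RT1 makes the trace fail at RT1, which is the symptom you would see as a timeout from the first ping.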
VLAN with wireless setup
Requirements
• Cisco Aironet Access Points and Wireless Bridges
• Cisco Catalyst Switches
Note: the switch side of this configuration can be used with any of this hardware or software:
1. Catalyst 6x00/5x00/4x00 running CatOS or IOS
2. Catalyst 35x0/37x0/29xx running IOS
3. Catalyst 2900XL/3500XL running IOS
Conventions
A VLAN is a switched network that is logically segmented by function, project team, or application rather than on a physical or geographical basis. For example, all workstations and servers used by a particular workgroup can be placed in the same VLAN regardless of their physical connections to the network, even when they are intermingled with other teams. VLANs let you reconfigure the network through software rather than physically unplugging or moving devices or wires.
A VLAN can be thought of as a broadcast domain that exists within a defined set of switches. A VLAN consists of a number of end systems, either hosts or network equipment (such as bridges and routers), connected by a single bridging domain. The bridging domain is supported on various pieces of network equipment, such as LAN switches, that run bridging protocols between them with a separate instance for each VLAN.
When you connect a device to a Cisco Catalyst switch, the port it is connected to is by default a member of VLAN 1, and the device's MAC address is learned in VLAN 1. You can define multiple VLANs on a single switch, and on most Catalyst models you can configure a switch port as a member of multiple VLANs (a trunk port).
When the number of ports in a network exceeds the port capacity of one switch, you cross-connect multiple switch chassis with a link called a trunk. The trunk is not a member of any one VLAN; it is a conduit over which traffic for one or more VLANs passes, each frame tagged with its VLAN.
In fundamental terms, the key to connecting an access point to a specific VLAN is that when an SSID on the access point is configured with a specific VLAN ID or name, a connection to that VLAN is established. Once that mapping exists, wireless clients associated with that SSID can reach the VLAN through the access point, and the VLAN handles their traffic exactly as it handles traffic from wired ports. You can configure up to 16 SSIDs on an access point, so you can support up to 16 VLANs, and you can assign only one SSID to a VLAN.
You extend VLANs into a wireless LAN by adding IEEE 802.1Q tag awareness to the access point. Frames destined for different VLANs are transmitted by the access point wirelessly on different SSIDs with different encryption keys (WEP keys in the original Aironet design; WEP is broken and should be replaced by WPA2 or WPA3 on any current deployment), so only the clients associated with that VLAN receive those frames. Conversely, frames that arrive from a client associated with a certain VLAN are 802.1Q-tagged before they are forwarded onto the wired network.
For example, employees and guests can use a company's wireless network at the same time while remaining administratively separate: each VLAN maps to an SSID, and the wireless client attaches to the appropriate SSID. In networks with wireless bridges, you can pass multiple VLANs across the wireless link to provide connectivity to a VLAN from separate locations.
If 802.1Q is configured on the FastEthernet interface of an access point, the access point always sends keepalives on VLAN 1, even if VLAN 1 is not defined on the access point. As a result, the Ethernet switch the access point connects to generates a warning message. There is no loss of function on either the access point or the switch, but the switch log fills with meaningless messages that can cause more important messages to be wrapped and missed.
This behaviour becomes a problem when all SSIDs on an access point are associated to mobility networks. In that case the Ethernet switch port to which the access point is connected can be configured as an access port, and the access port is normally assigned to the native VLAN of the access point, which is not necessarily VLAN 1. The Ethernet switch then generates warning messages noting that 802.1Q-tagged traffic is being sent from the access point.
You can eliminate the excessive messages on the switch if you disable the keepalive function on the access point.
If you ignore minor points in these concepts when you deploy VLANs with Cisco Aironet wireless equipment, you can experience unexpected behaviour, for example:
• Failure to limit the VLANs allowed on the trunk to those defined on the wireless device. If VLANs 1, 10, 20, 30 and 40 are defined on the switch, but only VLANs 1, 10 and 30 are defined on the wireless equipment, you must remove the others from the trunk switchport.
• Misuse of the infrastructure SSID designation. When you install access points, designate an SSID as the infrastructure SSID only when it is used by workgroup bridge devices, repeater access points, or non-root bridges. Designating the infrastructure SSID for an SSID whose only clients are wireless laptops is a misconfiguration and causes unpredictable results. In bridge installations you can have only one infrastructure SSID, and it must be the SSID that correlates to the native VLAN.
• Misuse or incorrect design of the guest-mode SSID designation. When you define multiple SSIDs/VLANs on Cisco Aironet wireless equipment, one (1) SSID can be assigned as the guest-mode SSID and is broadcast in 802.11 radio beacons. The other SSIDs are not broadcast, so client devices must specify which SSID to connect to. (Not broadcasting an SSID is not an access control: clients still send it in probe requests, and a wireless sniffer recovers it trivially.)
• Failure to recognize that multiple VLANs and SSIDs imply multiple OSI Layer 3 subnets. Deprecated versions of Cisco Aironet software permitted binding multiple SSIDs to one VLAN; current versions do not.
• OSI Layer 3 routing failures or incorrect designs. Each SSID and its linked VLAN must have a routing device and some source of client addresses, for example a DHCP server or a scope on a DHCP server.
• Misunderstanding or incorrectly configuring the native VLAN, discussed next.
Significance of Native VLAN
When you use an IEEE 802.1Q trunk port, all frames are tagged except those on the VLAN configured as the "native VLAN" for the port. Frames on the native VLAN are always transmitted untagged and are normally received untagged. Therefore, when an AP is connected to the switchport, the native VLAN configured on the AP must match the native VLAN configured on the switchport.
Note: if the native VLANs do not match, the frames are placed in the wrong VLAN and are effectively lost. An example makes this clearer. If the native VLAN on the switchport is VLAN 12 and the native VLAN on the AP is VLAN 1, then when the AP sends a frame on its native VLAN the frame is untagged, and the switch places it in VLAN 12, because an untagged frame received on a trunk belongs to the receiving port's native VLAN. This causes confusion in the network and results in connectivity problems. The same happens when the switchport forwards a frame from its native VLAN to the AP. (Because untagged frames are classified by the receiving port rather than by the sender, the native VLAN is also what double-tagging VLAN-hopping attacks exploit; it is good practice to use an otherwise unused VLAN as the native VLAN on trunks and to tag it explicitly where the platform supports it.)
The native VLAN configuration becomes even more important when you have a repeater AP in your wireless network. You cannot configure multiple VLANs on repeater APs; they support only the native VLAN. Therefore the native VLAN configuration on the root AP, on the switch port to which the root AP is connected, and on the repeater AP must all be the same; otherwise traffic through the switch does not pass to and from the repeater AP.
An example of the problems a native VLAN mismatch on the repeater AP can create is a DHCP server behind the switch to which the root AP is connected. In this case the clients associated with the repeater AP do not receive an IP address from the DHCP server, because the frames (DHCP requests in our case) from the repeater AP's native VLAN (which is not the same as the root AP's and the switch's) are dropped.
Also, when you configure the switch port, ensure that all the VLANs that are configured on the APs are allowed on the switchport. For example, if VLANs 6, 7, and 8 exist on the AP (wireless network), they have to be allowed on the switchport, which can be done with this command on the switch:
switchport trunk allowed vlan add 6,7,8
By default, a switchport configured as a trunk allows all VLANs to pass through the trunk port. Refer to Interaction with Related Switches for more information on how to configure the switchport.
Note: allowing all VLANs towards the AP can also become a problem in some cases, specifically in a large network, because the AP has to process the broadcast and multicast traffic of every VLAN on the trunk, which can result in high CPU utilization on the APs. Prune the VLANs at the switch so that only the traffic of the VLANs the AP actually serves passes through the AP. Pruning also limits what a compromised or rogue AP can reach: an AP that sees only its own VLANs cannot be used as a pivot into the others.
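To make the native-VLAN and allowed-VLAN rules above concrete, here is an added Python model (not from the original Cisco text) of an 802.1Q trunk switchport. It builds real 802.1Q frames with struct, classifies ingress frames the way the switchport does (an untagged frame lands in the receiving port's native VLAN, a tagged frame is checked against the allowed list), and reproduces the mismatch scenario above, where an AP whose native VLAN is 1 hangs off a switchport whose native VLAN is 12, as well as pruning of a VLAN that exists on the switch but not on the AP. The frame layout is the standard 802.1Q one; the TrunkPort model, the function names and the MAC addresses are mine.

```python
import struct

ETH_P_8021Q = 0x8100   # TPID that marks an 802.1Q tag
ETH_P_IP = 0x0800
_ETH = struct.Struct("!6s6sH")   # dst MAC, src MAC, EtherType (or TPID)

def build_frame(dst, src, payload, vlan=None, pcp=0):
    """Build an Ethernet frame. With vlan set, insert an 802.1Q tag (TPID 0x8100
    followed by PCP/DEI/VID) between the source MAC and the real EtherType."""
    if vlan is None:
        return _ETH.pack(dst, src, ETH_P_IP) + payload
    tci = ((pcp & 0x7) << 13) | (vlan & 0xFFF)
    return _ETH.pack(dst, src, ETH_P_8021Q) + struct.pack("!HH", tci, ETH_P_IP) + payload

def parse_frame(frame):
    """Return (vid, payload); vid is None when the frame carries no 802.1Q tag."""
    _, _, ethertype = _ETH.unpack_from(frame)
    if ethertype == ETH_P_8021Q:
        tci, _ = struct.unpack_from("!HH", frame, _ETH.size)
        return tci & 0xFFF, frame[_ETH.size + 4:]
    return None, frame[_ETH.size:]

class TrunkPort:
    """Model of an 802.1Q trunk switchport: the native VLAN travels untagged,
    every other VLAN tagged, and only VLANs on the allowed list are carried."""
    def __init__(self, native, allowed):
        self.native = native
        self.allowed = set(allowed) | {native}

    def ingress(self, frame):
        """VLAN a received frame is switched into, or None if the port drops it.
        Untagged frames are classified by the *receiving* port's native VLAN,
        whatever VLAN the sender believed they belonged to."""
        vid, _ = parse_frame(frame)
        if vid is None or vid == 0:      # untagged, or priority-tagged with VID 0
            return self.native
        return vid if vid in self.allowed else None

    def egress(self, vid, dst, src, payload):
        """Frame as transmitted for VLAN vid, or None if vid is pruned from the trunk."""
        if vid not in self.allowed:
            return None
        tag = None if vid == self.native else vid
        return build_frame(dst, src, payload, vlan=tag)

# Constructed MAC addresses and payload for the demonstration.
AP_MAC = b"\x02\x00\x00\x00\x00\x01"
SW_MAC = b"\x02\x00\x00\x00\x00\x02"
DHCP_DISCOVER = b"dhcp-discover"

def ap_frame(ap_native, vid):
    """What an AP with native VLAN ap_native puts on the wire for VLAN vid: its
    native VLAN goes untagged, so the native VLAN number itself never appears."""
    tag = None if vid == ap_native else vid
    return build_frame(SW_MAC, AP_MAC, DHCP_DISCOVER, vlan=tag)

def classify(switch_native, ap_native, vid, allowed=(1, 10, 30)):
    """VLAN the switch assigns to a frame the AP sent on VLAN vid (None = dropped)."""
    port = TrunkPort(native=switch_native, allowed=allowed)
    return port.ingress(ap_frame(ap_native, vid))

def pruning_demo():
    """Egress on a trunk pruned to VLANs 1 (native), 10 and 30: VLAN 20 never leaves the port."""
    port = TrunkPort(native=1, allowed=[10, 30])
    out = {}
    for vid in (1, 10, 20, 30):
        frame = port.egress(vid, AP_MAC, SW_MAC, b"x")
        if frame is None:
            out[vid] = "dropped"
        else:
            tag = parse_frame(frame)[0]
            out[vid] = "untagged" if tag is None else tag
    return out

if __name__ == "__main__":
    print("matching natives (switch 1, AP 1): VLAN", classify(1, 1, 1))
    print("mismatch (switch 12, AP 1): the AP's VLAN 1 frame lands in VLAN", classify(12, 1, 1))
    print("tagged VLAN 10 through the same mismatched port: VLAN", classify(12, 1, 10))
    print("pruned trunk egress:", pruning_demo())
```

With matching native VLANs the AP's untagged frame is classified as VLAN 1; with the switchport's native VLAN set to 12 the identical frame is classified as VLAN 12, which is exactly the DHCP failure described for the repeater AP. Tagged frames for VLAN 10 pass the mismatched port unharmed, which is why the symptom is limited to native-VLAN traffic.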
VLANs on Access Points
This section presents the information needed to configure the features described in this document.
Concepts with Access Points
This section discusses how to deploy VLANs on access points and refers to the network diagram (not reproduced here). In this sample network, VLAN 1 is the native VLAN, and VLANs 10, 20, 30 and 40 exist and are trunked to another switch chassis. Only VLANs 10 and 30 are extended into the wireless domain. The native VLAN is required to provide management capability and client authentication.
Access Point Configuration
In order to configure the access point for VLANs, complete these steps:
1. From the AP GUI, click Services > VLAN to navigate to the Services: VLAN page. The first step is to configure the native VLAN. From the Current VLAN List, select New.
a. Enter the VLAN number of the native VLAN in the VLAN ID box. The VLAN number must match the native VLAN configured on the switch.
b. Because interface BVI 1 is associated with the subinterface of the native VLAN, the IP address assigned to interface BVI 1 must be in the same IP subnet as the other infrastructure devices on the network (that is, interface SC0 on a Catalyst switch that runs CatOS).
c. Select the checkbox for the Native VLAN.
d. Select the check boxes for the radio interface or interfaces where this VLAN applies.
e. Click Apply.
Or, from the CLI, issue these commands:
AP# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
AP(config)# interface Dot11Radio0.1
AP(config-subif)# encapsulation dot1Q 1 native
AP(config-subif)# interface FastEthernet0.1
AP(config-subif)# encapsulation dot1Q 1 native
AP(config-subif)# end
AP# write memory
2. In order to configure other VLANs, follow these steps. From the Current VLAN List, select New.
a. Enter the VLAN number of the desired VLAN in the VLAN ID box. The VLAN number must match a VLAN configured on the switch.
b. Select the check boxes for the radio interface or interfaces where this VLAN applies.
c. Click Apply.
Or, from the CLI, issue these commands:
AP# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
AP(config)# interface Dot11Radio0.10
AP(config-subif)# encapsulation dot1Q 10
AP(config-subif)# interface FastEthernet0.10
AP(config-subif)# encapsulation dot1Q 10
AP(config-subif)# end
AP# write memory
d. Repeat steps 2a through 2c for each VLAN desired, or enter these commands from the CLI with the subinterface and VLAN numbers changed as appropriate:
AP# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
AP(config)# interface Dot11Radio0.30
AP(config-subif)# encapsulation dot1Q 30
AP(config-subif)# interface FastEthernet0.30
AP(config-subif)# encapsulation dot1Q 30
AP(config-subif)# end
AP# write memory
3. The next step is to associate the configured VLANs with SSIDs. To do this, click Security > SSID Manager.
Note: you do not need to associate every VLAN defined on the access point with an SSID. For example, for security reasons, most access point installations do not associate an SSID with the native VLAN, because the native VLAN carries management traffic for the AP and the switches.
a. To create a new SSID, choose New.
b. Enter the desired SSID (case-sensitive) in the SSID box.
c. Select the VLAN number to associate this SSID with from the drop-down list.
Note: to keep this document within its intended scope, security for an SSID is not addressed. Do not deploy an SSID without it: an SSID with no authentication puts any client that associates directly onto the mapped VLAN.
d. Click Apply-RadioX to create the SSID on the selected radio, or Apply-all to create it on all radios.
Or, from the CLI, issue these commands:
AP# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
AP(config)# interface Dot11Radio0
AP(config-if)# ssid Red
AP(config-if-ssid)# vlan 10
AP(config-if-ssid)# end
AP# write memory
4. Repeat steps 3a through 3d for each SSID desired, or enter these commands from the CLI with the SSID changed as appropriate:
AP# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
AP(config)# interface Dot11Radio0
AP(config-if)# ssid Green
AP(config-if-ssid)# vlan 30
AP(config-if-ssid)# end
AP# write memory
VLANs on Bridges
Concepts on Bridges
This section discusses how to deploy VLANs on bridges and refers to the network diagram (not reproduced here). In this sample network, VLAN 1 is the native VLAN, and VLANs 10, 20, 30 and 40 exist. Only VLANs 10 and 30 are extended to the other side of the link. The wireless link is encrypted.
To encrypt the data that passes over the radio link, apply encryption only to the SSID of the native VLAN; that encryption applies to all the other VLANs carried over the bridge. When you bridge, there is no need to associate a separate SSID with each VLAN. The VLAN configuration is the same on both the root and the non-root bridge.
Bridge Configuration
In order to configure the bridge for VLANs as in the sample network diagram, complete these steps:
1. From the AP GUI, click Services > VLAN to navigate to the Services: VLAN page.
a. The first step is to configure the native VLAN. To do this, choose New from the Current VLAN List.
b. Enter the VLAN number of the native VLAN in the VLAN ID box. This must match the native VLAN configured on the switch.
c. Because interface BVI 1 is associated with the subinterface of the native VLAN, the IP address assigned to interface BVI 1 must be in the same IP subnet as the other infrastructure devices on the network (i.e. interface SC0 on a Catalyst switch that runs CatOS).
d. Select the checkbox for the Native VLAN.
e. Click Apply.
Or, from the CLI, issue these commands:
bridge# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
bridge(config)# interface Dot11Radio0.1
bridge(config-subif)# encapsulation dot1Q 1 native
bridge(config-subif)# interface FastEthernet0.1
bridge(config-subif)# encapsulation dot1Q 1 native
bridge(config-subif)# end
bridge# write memory
2. In order to configure other VLANs, follow these steps:
a. From the Current VLAN List, select New.
b. Enter the VLAN number of the desired VLAN in the VLAN ID box. The VLAN number must match a VLAN configured on the switch.
c. Click Apply.
Or, from the CLI, issue these commands:
bridge# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
bridge(config)# interface Dot11Radio0.10
bridge(config-subif)# encapsulation dot1Q 10
bridge(config-subif)# interface FastEthernet0.10
bridge(config-subif)# encapsulation dot1Q 10
bridge(config-subif)# end
bridge# write memory
d. Repeat steps 2a through 2c for each VLAN desired, or enter the commands from the CLI with the subinterface and VLAN numbers changed as appropriate:
bridge# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
bridge(config)# interface Dot11Radio0.30
bridge(config-subif)# encapsulation dot1Q 30
bridge(config-subif)# interface FastEthernet0.30
bridge(config-subif)# encapsulation dot1Q 30
bridge(config-subif)# end
bridge# write memory
3. From the SSID Manager (under the Security > SSID Manager menu item), associate the native VLAN with an SSID.
Note: when you bridge, the only SSID that you must associate with a VLAN is the one that correlates to the native VLAN. You must designate this SSID as the infrastructure SSID.
a. From the Current SSID List, select New.
b. Enter the desired SSID (case-sensitive) in the SSID box.
c. Select the VLAN number that correlates to the native VLAN from the drop-down list.
Note: to keep this document within its intended scope, security for an SSID is not addressed.
d. Click Apply to create the SSID on the radio and associate it with the native VLAN.
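As an added example serving both the access-point and the bridge procedures above (it is not from the original Cisco text), the Python below turns a VLAN-to-SSID plan into the subinterface and ssid commands those steps show, and refuses plans that break the rules stated earlier: exactly one native VLAN, at most 16 SSIDs, one SSID per VLAN, the infrastructure SSID only on the native VLAN's SSID, and in bridge mode an SSID on the native VLAN only. The encapsulation, ssid and vlan command syntax is the page's; the plan data model, the function names and the use of the infrastructure-ssid keyword as the CLI form of the GUI's infrastructure SSID setting are my assumptions.

```python
MAX_SSIDS = 16   # per-access-point SSID limit stated in the text

class PlanError(ValueError):
    """Raised with the rule that a VLAN/SSID plan violates."""

def validate(plan, mode="ap"):
    """plan: list of dicts with keys vlan, native, ssid, infrastructure (the last three
    optional). mode is 'ap' or 'bridge'. Returns the native VLAN entry or raises PlanError."""
    natives = [p for p in plan if p.get("native")]
    if len(natives) != 1:
        raise PlanError("exactly one native VLAN is required")
    native = natives[0]
    vlans = [p["vlan"] for p in plan]
    if len(set(vlans)) != len(vlans):
        raise PlanError("a VLAN may appear only once")
    if any(not 1 <= v <= 4094 for v in vlans):
        raise PlanError("VLAN IDs must be 1..4094")
    ssids = [p["ssid"] for p in plan if p.get("ssid")]
    if len(ssids) > MAX_SSIDS:
        raise PlanError(f"at most {MAX_SSIDS} SSIDs per access point")
    if len(set(ssids)) != len(ssids):
        raise PlanError("an SSID may map to only one VLAN")
    infra = [p for p in plan if p.get("infrastructure")]
    if any(not p.get("native") for p in infra):
        raise PlanError("the infrastructure SSID must be the native VLAN's SSID")
    if mode == "bridge":
        if len(infra) != 1 or not native.get("ssid"):
            raise PlanError("bridge mode needs exactly one infrastructure SSID, on the native VLAN")
        if any(p.get("ssid") for p in plan if not p.get("native")):
            raise PlanError("bridge mode associates only the native VLAN with an SSID")
    return native

def render(plan, mode="ap", radio="Dot11Radio0", wired="FastEthernet0"):
    """Return the IOS configuration lines for a validated plan."""
    validate(plan, mode)
    lines = []
    ordered = sorted(plan, key=lambda p: p["vlan"])
    for p in ordered:                      # one subinterface pair per VLAN, native flagged
        v = p["vlan"]
        tag = f"encapsulation dot1Q {v}" + (" native" if p.get("native") else "")
        lines += [f"interface {radio}.{v}", f" {tag}", f"interface {wired}.{v}", f" {tag}"]
    for p in ordered:                      # then the SSID-to-VLAN bindings
        if p.get("ssid"):
            lines += [f"interface {radio}", f" ssid {p['ssid']}", f"  vlan {p['vlan']}"]
            if p.get("infrastructure"):
                lines.append("  infrastructure-ssid")   # assumed CLI form of the GUI setting
    return lines

# Constructed plans matching the sample network: native VLAN 1, VLANs 10 and 30 wireless.
AP_PLAN = [
    {"vlan": 1, "native": True},           # management only: no SSID, as the note advises
    {"vlan": 10, "ssid": "Red"},
    {"vlan": 30, "ssid": "Green"},
]
BRIDGE_PLAN = [
    {"vlan": 1, "native": True, "ssid": "Backhaul", "infrastructure": True},
    {"vlan": 10},
    {"vlan": 30},
]

if __name__ == "__main__":
    print("\n".join(render(AP_PLAN)))
    print("!")
    print("\n".join(render(BRIDGE_PLAN, mode="bridge")))
```

Feeding the access-point plan produces the same subinterface and ssid blocks as steps 1 to 4, with no SSID on VLAN 1; the bridge plan produces one infrastructure SSID bound to the native VLAN and tagged subinterfaces for VLANs 10 and 30, which is the configuration the bridge steps describe.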