Switch Management – CompTIA Network+ N10-006 – 2.6

Switches can be managed in many different ways. In this video, you’ll learn about unmanaged vs. managed switches, console connections, virtual terminals, in-band vs. out-of-band communication, and methods of authenticating administrators.

An unmanaged switch is one that has the most basic functionality. It has the fewest configuration options. You effectively plug it into power, plug in your Ethernet cables, and you’ve got an Ethernet network. You generally don’t even have a fixed configuration: there’s no management login, there are no configuration settings, and there’s no way to set up VLANs inside of an unmanaged switch.

It also doesn’t integrate well with other devices. There are no management protocols, and there’s no link aggregation you can do. It is effectively something that provides just Ethernet connectivity and that’s it. But these come at a relatively low price point; they don’t cost very much.

And if all you need is a bare-bones network configuration, then an unmanaged switch might be for you. Managed switches, on the other hand, are much more intelligent. They may provide VLAN support, so you can set up trunked links via 802.1Q and configure separate VLANs inside of the switch. You might be able to prioritize certain traffic over other traffic, so your Voice over IP traffic would have the highest priority and your normal web browsing would be at a lower priority.

You might also have the ability to configure redundant connections and be able to prevent loops using things like Spanning Tree Protocol or STP. These switches may also provide additional management functionality and allow you to look at statistics and metrics using something like SNMP, or Simple Network Management Protocol. And if you are troubleshooting, you may want to do some port mirroring. So you could tell the switch to take everything going in and out of a particular interface and copy it to a protocol analyzer. There are a number of different ways to manage these switches.

One is through a console interface that’s on the switch itself. There’s usually a physical port you would connect to. It’s often an RJ45 connection; it might be a nine-pin serial connection. But in either case, you need to be right next to the switch so that you can physically plug a cable into the switch, plug the other end into your device (your laptop or your tablet), and configure settings over that serial link. In most environments, though, you’re not going from closet to closet and physically plugging into switches to configure them.

You’re simply connecting to them over the network using their IP address. You might see this referred to as an SSH connection or a terminal application connection, or even a teletype connection, which is an older way of describing that particular communication. And you’re probably running an application like PuTTY or Terminal or SSH to create that terminal session over the network. We commonly call these over-the-network connections in-band connections. That means we’re using the same network that the switch is connected to in order to manage that particular switch.

But what if the network has a problem? In those cases, you can’t use that network to be able to connect to that switch and manage it. And in those cases, you would use an out-of-band connection. With an out-of-band connection, we’re connecting to a serial port or a terminal connection that’s on the switch itself. So if you do have a problem with the network and you’re not able to access the switch from across the network connections, you can always go to the out-of-band connection to manage that device.

When you do connect to the switch, you’re generally prompted for a username and a password. This is one where you need some type of credential to prove that you are who you say you are so that you can then get into the device and configure the settings. The device usually ships with a default login when you first get it. It’s usually admin/admin, or admin/password. And of course, you’ll be changing that login.

In fact, usually you’ll be disabling any local logins on the device so that there’s no way to get into the device with any of those default settings. Since you’re not using a local login to get into the device, you’re going to have that switch communicate back to a central repository of access controls. And that is called an AAA configuration. AAA stands for Authentication, Authorization, and Accounting. And it’s a way to have a centralized form of authentication for all of your network devices.

This way you can use the same login and access any of your network devices because they’re all using this AAA process. We’re generally configuring our switches to use very standardized protocols to perform this AAA function. We’re using RADIUS, or TACACS+, or LDAP and we’re usually communicating back to a central database. That way you can have one central set of usernames and passwords, and that’s what you would use to access any of your network infrastructure devices.

You can even set permissions so that if you are in the help desk, you might be able to see information inside of the switch, but if you’re part of the network team, your rights and permissions may allow you to make changes to those devices. Because this is coming from a centralized AAA server, you only need to go to one device to configure these permissions and rights. If somebody leaves the organization, you only need to turn off their access in the central AAA server. You don’t have to go to each individual switch to disable or enable certain functionality.
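As an added example (not from the video), here is a Cisco IOS-style configuration that ties the pieces above together: SSH-only in-band access on the vty lines, the console port as the out-of-band path, and AAA pointed at a central TACACS+ server with a local fallback so the factory default login is never used. The hostname, domain name, server address, shared key and passwords are assumed placeholders; the help-desk versus network-team distinction is enforced by the privilege level the AAA server returns for each user, which is configured on the server, not on the switch.

```text
! Hostname and domain name are required before an SSH host key can be generated
hostname SW1
ip domain-name example.net
! (assumed domain; generating the key is interactive on a real device)
crypto key generate rsa modulus 2048
ip ssh version 2

! Central AAA: one TACACS+ server (address and key are placeholders)
aaa new-model
tacacs server AAA1
 address ipv4 10.0.0.10
 key REPLACE-WITH-SHARED-SECRET
aaa group server tacacs+ AAA-SERVERS
 server name AAA1

! Authenticate and authorize against the central server first;
! "local" is only consulted if the server cannot be reached
aaa authentication login default group AAA-SERVERS local
aaa authorization exec default group AAA-SERVERS local
aaa authorization commands 15 default group AAA-SERVERS local
! Accounting: every session and every privileged command is logged centrally
aaa accounting exec default start-stop group AAA-SERVERS
aaa accounting commands 15 default start-stop group AAA-SERVERS

! Replace the shipped default login with a single break-glass local account
! (used only when the AAA server is unreachable)
username netadmin privilege 15 secret REPLACE-WITH-STRONG-PASSWORD
enable secret REPLACE-WITH-STRONG-ENABLE-PASSWORD

! In-band management: SSH only, no telnet, idle sessions dropped after 10 minutes
line vty 0 4
 transport input ssh
 login authentication default
 exec-timeout 10 0

! Out-of-band management: the console port still goes through AAA,
! so the central account database applies even when the network is down
line console 0
 login authentication default
 exec-timeout 10 0
```

A help-desk user whose AAA record returns privilege level 1 lands in user EXEC mode and can run show commands but not change configuration; a network-team user returned at privilege level 15 gets full access, and removing either person is a single change on the AAA server.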