first off let's have a look at how we go about selecting our switches and the minimum features that we need it is very essential that the switch we buy is standards compliant we don't want to buy non-standard devices because it will make integration with our management system very challenging and make future upgrades very difficult because non-standard compliance switches will not interoperate properly with standards compliance switches we also like to see that these switches have encrypted management so that would be secure shower for remote access or if the switch offers a web interface that access would be secured by using https we've also learned so far in this campus network design series that vlan trunking is essential for a campus network so the switches need to have vlan trunking support spanning tree is an absolute essential and we recommend that rapid spanning tree is the minimum the switch will support we also require simple network management protocol at least version 2 and version 3 has much better security we also would like to see the switch supporting snmp traps remote management and configuration backup is also essential the command line interface is preferred and also a serial console can be very desirable especially if access via the ip management connectivity is lost there are several other recommended features we'd like to see in switches as well and these include dhcp snooping which prevents end users from running a rogue dhcp server this happens a lot with little wireless routers the netgears linksys d-links and so forth when they are plugged in backwards now these routers are intended for home use but invariably they find their way into the campus network usually when a member of staff wants to extend the little network they have in their office of course they look at the little router and they see the ports one is labeled internet and then the four ports labeled lan and then they think oh well we can't plug internet in because that's for internet so they plug the lan port into the office network that you've provided and what that does it then provides the little router's dhcp server full access to the campus these lan ports are intended for home users to plug in their devices and get an ip address so they can use the internet you don't want these routers to be connected into your campus network and you don't want the dhcp server that runs in these little routers to be visible to anyone at all so dhcp snooping allows the uplink ports towards legitimate dhcp server to be trusted and all the other ports to be marked as untrusted if dhcp offers arrive on any of these untrusted ports they're immediately dropped and that will protect the campus network from any unauthorized dhcp servers being connected to it the second feature we would like to see is ra guard with more and more campuses now deploying ipv6 this prevents end users from sending ipv6 router advertisements out onto the campus network this happens a lot with all the windows devices which have ipv6 enabled these devices if they don't get a v6 address or try and build an automatic tunnel to somewhere that is configured in the kernel that actually has v6 connectivity once the tunnel is set up these devices then announce themselves as ipv6 routers out for ethernet ports and suddenly all your user devices which are v6 capability will configure a v6 address and use this old windows device as the gateway to the internet this is not only a major security risk and could be a massive bottleneck for campus traffic as this traffic heads out to some unknown tunnel destination somewhere else in the world aria guard will prevent this from happening and is really quite necessary for a campus network the next feature is dynamic arp inspection a malicious host can perform man in the middle attack by sending gratuitous arp responses or responding to requests by providing bogus information what dynamic arp inspection does is allow the switch to look inside our packets and discard gratuities and invalid arp packets another feature that's useful is igmp snooping switches will normally flag multicast frames out every single port snooping on igmp traffic means that the switch can learn which stations are members of which group and then will only forward the multicast frames out to the devices that are members of the particular group this is very important for example when users run Norton Ghost.
© Produced by Philip Smith and the Network Startup Resource Center, through the University of Oregon.
Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)
This is a human-readable summary of (and not a substitute for) the license. Disclaimer. You are free to: Share — copy and redistribute the material in any medium or format Adapt — remix, transform, and build upon the material The licensor cannot revoke these freedoms as long as you follow the license terms. Under the following terms: Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use. NonCommercial — You may not use the material for commercial purposes. No additional restrictions — You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.