Module 6: Switch Configuration  
6.1 Starting the Switch 
   
6.1.1 Physical startup of the Catalyst switch 

Switches are dedicated, specialized computers that contain a central processing unit (CPU), random access memory (RAM), and an operating system. As shown in Figure , switches usually have several ports that hosts connect to, as well as dedicated ports for management. The switch can be managed, and its configuration viewed and changed, through the console port.

Several switches from the Cisco Catalyst 2950 series are shown in Figure . There are 12-port, 24-port, and 48-port models. The top two switches in Figure are fixed-configuration symmetrical switches that offer FastEthernet on all ports, or a combination of 10 Mbps and 100 Mbps ports. The next three switches are asymmetrical models with two fixed fiber or copper Gigabit Ethernet ports. The bottom four switches are asymmetrical models with modular Gigabit Interface Converter (GBIC) slots, which accommodate a variety of copper and fiber media options.

6.1.2 Switch LED indicators 

The front panel of a switch has several lights to help monitor system activity and performance. These lights are called light-emitting diodes (LEDs). This page will discuss the LEDs on the front of a switch:

The System LED shows whether the system is receiving power and functioning correctly.

The RPS LED indicates whether the Redundant Power System (RPS) is in use.

The Mode LEDs indicate the state of the Mode button. The modes are used to determine how the Port Status LEDs are interpreted. To select or change the port mode, press the Mode button repeatedly until the Mode LEDs indicate the desired mode.

Figure describes the Port Status LED colors; what each color means depends on which Mode LED is currently selected.

6.1.3 Verifying port LEDs during switch POST 

Once the power cable is connected, the switch initiates a series of tests called the power-on self test (POST). POST runs automatically to verify that the switch functions correctly. The System LED indicates the success or failure of POST. If the System LED is off but the switch is plugged in, then POST is running. If the System LED is green, then POST was successful. If the System LED is amber, then POST failed. POST failure is considered to be a fatal error. Reliable operation of the switch should not be expected if POST fails.

The Port Status LEDs also change during POST. The Port Status LEDs turn amber for about 30 seconds as the switch discovers the network topology and searches for loops (this is spanning tree holding each port in the listening and learning states before it is allowed to forward). If a Port Status LED turns green, the switch has established a link between that port and a target, such as a computer. If a Port Status LED turns off, the switch has determined that nothing is plugged into the port.

6.1.4 Viewing initial bootup output from the switch 

To configure a switch or check its status, connect a computer to the switch to establish a terminal session. Use a rollover cable to connect the console port on the back of the switch to a serial (COM) port on the computer.

Start HyperTerminal on the computer. A dialog window will be displayed. The connection must first be named when initially configuring the HyperTerminal communication with the switch. Select the COM port to which the switch is connected from the pull-down menu, and click the OK button. A second dialog window will be displayed. Set up the parameters as shown in Figure (the Catalyst console defaults are 9600 bps, 8 data bits, no parity, 1 stop bit, and no flow control), and click the OK button.

Plug the switch into a wall outlet. The initial bootup output from the switch should be displayed on the HyperTerminal screen. This output shows information about the switch, details about POST status, and data about the switch hardware.

After the switch has booted and completed POST, prompts for the System Configuration dialog are presented. The switch may be configured manually with or without the assistance of the System Configuration dialog. The System Configuration dialog on the switch is simpler than that on a router.

6.1.5 Examining help in the switch CLI 

The CLI for Cisco switches is very similar to the CLI for Cisco routers.

To use the help system enter a question mark (?).

6.1.6 Switch command modes 

The default mode is User EXEC mode. The User EXEC mode is recognized by its prompt, which ends in a greater-than character (>).

The enable command is used to enter Privileged EXEC mode from User EXEC mode. Privileged EXEC mode is also recognized by its prompt, which ends in a pound-sign character (#).

 
6.2 Configuring the Switch 
   
6.2.1 Verifying the Catalyst switch default configuration 

When powered up for the first time, a switch has default data in the running configuration file. The default hostname is Switch. No passwords are set on the console or virtual terminal (vty) lines, so anyone who can attach to the console port can reach Privileged EXEC mode without authenticating.

A switch may be given an IP address for management purposes. This is configured on the switch virtual interface for VLAN 1 (interface vlan 1); the physical ports themselves carry no IP addresses. By default, the switch has no IP address, so it can only be managed through the console.

The switch ports, or interfaces, are set to auto mode (speed and duplex are auto-negotiated), and all switch ports are in VLAN 1. VLAN 1 is known as the default management VLAN.

By default, the flash directory holds a file that contains the IOS image, a file called env_vars, and a sub-directory called html. Once the switch has been configured and the configuration saved, the flash directory will also contain a file called config.text (the startup configuration) and a VLAN database file called vlan.dat. As seen in Figure , the default flash directory contains neither config.text nor vlan.dat.

The IOS version and the configuration register settings can be verified with the show version command.

In this default state, the switch has one broadcast domain and the CLI can be used to manage and configure the switch through the console port. The Spanning-Tree Protocol is also enabled, and allows the switch, acting as a bridge, to construct a loop-free topology across an extended LAN.

For small networks, the default configuration may be sufficient for connectivity, and the performance benefit of microsegmentation is obtained immediately. The defaults provide no access control, however: passwords, a management address, and port security all have to be added.

6.2.2 Configuring the Catalyst switch 

A switch may arrive preconfigured, in which case only the passwords for User EXEC or Privileged EXEC mode need to be entered. Global configuration mode is entered from Privileged EXEC mode.

In the CLI, the default Privileged EXEC mode prompt is Switch#. In User EXEC mode the prompt is Switch>.

The following steps will ensure that a new configuration will completely overwrite the current configuration:

Lab Exercise: Basic Switch Configuration

In this lab, the student will configure a switch with a name and an IP address.
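The following transcript is an added example, not part of the original curriculum page or its lab sheet. It takes a Catalyst 2950 from the default state described above (hostname Switch, no passwords, no management address) to a minimally secured, manageable baseline. The hostname, addresses, and passwords are illustrative assumptions; the first three commands wipe any leftover VLAN database and startup configuration so the new configuration fully replaces the old one rather than being merged with it. Lines beginning with ! are comments added for the reader and are not typed.

```cisco
! Start from a clean state: remove any old VLAN database and saved config.
! delete, erase and reload each ask for confirmation; press Enter to accept.
Switch>enable
Switch#delete flash:vlan.dat
Switch#erase startup-config
Switch#reload
! After the reload, answer "no" to the System Configuration dialog, then:
Switch>enable
Switch#configure terminal
Switch(config)#hostname ALSwitch
! Privileged EXEC: use enable secret (stored hashed), not enable password (reversible).
! The value below is illustrative; choose your own.
ALSwitch(config)#enable secret Str0ng-Enable-Pass
! Console line: require a password before User EXEC is granted.
ALSwitch(config)#line console 0
ALSwitch(config-line)#password C0nsole-Pass
ALSwitch(config-line)#login
ALSwitch(config-line)#exit
! Virtual terminal (Telnet) lines: the 2950 has vty 0 through 15.
! Without "login" plus a password, remote sessions are refused outright.
ALSwitch(config)#line vty 0 15
ALSwitch(config-line)#password Vty-Pass
ALSwitch(config-line)#login
ALSwitch(config-line)#exit
! Obscure line passwords in "show running-config" output.
! This is type 7 encoding, trivially reversible; it only stops shoulder surfing.
ALSwitch(config)#service password-encryption
! Management address on the default management VLAN, plus a default gateway
! so the switch can be reached from other subnets (addresses are illustrative).
ALSwitch(config)#interface vlan 1
ALSwitch(config-if)#ip address 192.168.1.2 255.255.255.0
ALSwitch(config-if)#no shutdown
ALSwitch(config-if)#exit
ALSwitch(config)#ip default-gateway 192.168.1.1
ALSwitch(config)#end
! Save to NVRAM (flash:config.text on the 2950) so it survives a reload, then review.
ALSwitch#copy running-config startup-config
ALSwitch#show running-config
```

Two caveats a practitioner would want here: the vty password protects Telnet, which carries that password and every subsequent command in clear text across the management VLAN, so on images that support it SSH should be preferred; and the enable secret is the only credential in this configuration that is stored as a hash, so the console and vty passwords in a backed-up config.text should be treated as exposed.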

6.2.3 Managing the MAC address table  

Switches examine the source address of frames that are received on the ports to learn the MAC address of PCs or workstations that are connected to it. These learned MAC addresses are then recorded in a MAC address table. Frames that have a destination MAC address that has been recorded in the table can be switched out to the correct interface.

The show mac-address-table command can be entered in the Privileged EXEC mode to examine the addresses that a switch has learned.

A switch dynamically learns and maintains thousands of MAC addresses. To preserve memory and keep the table accurate, learned entries are discarded from the MAC address table when they go stale. Machines may have been removed from a port, turned off, or moved to another port on the same switch or a different switch, and a stale entry would then send their frames out the wrong port. For all these reasons, if no frames are seen from a previously learned source address, the MAC address entry is automatically discarded, or aged out, after 300 seconds (the default aging time).

Rather than wait for a dynamic entry to age out, network administrators can use the clear mac-address-table command in Privileged EXEC mode. MAC address entries configured by network administrators can also be removed with this command. Clearing table entries this way ensures that stale addresses are removed immediately.

6.2.4 Configuring static MAC addresses 

A MAC address can be permanently assigned to an interface. The following are reasons to assign a permanent MAC address to an interface:

The following command can be used to configure a static MAC address for a switch:

Switch(config)#mac-address-table static <mac-address of host> interface FastEthernet <port number> vlan <vlan-id>

The following command can be used to remove a static MAC address for a switch:

Switch(config)#no mac-address-table static <mac-address of host> interface FastEthernet <port number> vlan <vlan-id>
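The following transcript is an added example, not part of the original page, showing the MAC address table work described in 6.2.3 and 6.2.4 on one switch: inspect the learned addresses, pin a known host to its port with a static entry, verify it, flush stale dynamic entries, and remove the static entry again. The hostname ALSwitch, the interface, and the MAC addresses are illustrative assumptions, and the sample output is a constructed sketch of the table's layout, not captured from a device. The static command is written in the keyword order the page gives; on some IOS releases the vlan keyword precedes interface, so confirm the order with ? on your image.

```cisco
! Inspect what the switch has learned so far (Privileged EXEC).
ALSwitch#show mac-address-table
! Constructed sample of the output layout (addresses made up for this example):
!          Mac Address Table
! ------------------------------------------
! Vlan    Mac Address       Type        Ports
! ----    -----------       --------    -----
!    1    0009.5b46.d1c3    DYNAMIC     Fa0/4
!    1    0009.5b46.d2f8    DYNAMIC     Fa0/5
!
! Pin the known server on Fa0/4 to its port. A static entry never ages out and,
! because the table cannot be relearned for that address, frames spoofing the
! server's source MAC on another port will not redirect its traffic.
ALSwitch#configure terminal
ALSwitch(config)#mac-address-table static 0009.5b46.d1c3 interface FastEthernet 0/4 vlan 1
ALSwitch(config)#end
! Verify: the entry now shows as STATIC, the others remain DYNAMIC.
ALSwitch#show mac-address-table static
ALSwitch#show mac-address-table
!
! Flush learned entries immediately instead of waiting up to 300 s,
! e.g. right after a host has been moved to a different port.
ALSwitch#clear mac-address-table dynamic
!
! Remove the static entry when the server is decommissioned or moved.
ALSwitch#configure terminal
ALSwitch(config)#no mac-address-table static 0009.5b46.d1c3 interface FastEthernet 0/4 vlan 1
ALSwitch(config)#end
```

Static entries are worth keeping for a handful of fixed servers or management stations; for user ports, port security (next section) gives the same binding without hand-maintaining addresses for every host.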

6.2.5 Configuring port security 

Network security is an important responsibility for network administrators. Access layer switch ports are accessible through the structured cabling at wall outlets. Anyone can plug a PC or laptop into one of these outlets, which makes them a potential entry point to the network for unauthorized users. Switches provide a feature called port security. It limits the number of MAC addresses that can be learned on an interface, and the switch can be configured to take an action when that limit is exceeded. Secure MAC addresses can be configured statically. However, configuring secure MAC addresses statically for every port is a laborious task and is prone to error.

An alternative approach is to set port security on a switch interface and let the switch learn the address itself. The number of MAC addresses per port can be limited to 1. The first address dynamically learned by the switch becomes the secure address; any other source address that then appears on the port is a violation.

To remove port security from an interface, use the no form of the command.

The show port-security command can be used to verify port security status.

Lab Exercise: Configuring Port Security

In this lab, the student will configure port security on individual FastEthernet ports.
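The following transcript is an added example, not part of the original page or its lab, showing port security on one access port of a Catalyst 2950: the limit of one address, the violation action, verification, and what to do when the port has been shut down by a violation. The hostname and interface are illustrative assumptions. The optional sticky line writes the learned address into the running configuration so it survives a reload; it is supported on later 2950 images but not the earliest ones, so check with ? before relying on it.

```cisco
ALSwitch#configure terminal
! Port security is only accepted on access ports; the 2950 default is
! dynamic desirable, so the mode must be set explicitly first.
ALSwitch(config)#interface FastEthernet 0/4
ALSwitch(config-if)#switchport mode access
ALSwitch(config-if)#switchport port-security
! Allow exactly one source MAC address on this port; the first one seen is it.
ALSwitch(config-if)#switchport port-security maximum 1
! Violation action. shutdown (the default) err-disables the port and logs it;
! restrict drops the offending frames and increments a counter but keeps the
! port up; protect drops silently. shutdown is the safest choice for user ports.
ALSwitch(config-if)#switchport port-security violation shutdown
! Optional, later images only: keep the learned address across reloads.
ALSwitch(config-if)#switchport port-security mac-address sticky
ALSwitch(config-if)#end
!
! Verify: port status, maximum, violation mode, secure address, violation count.
ALSwitch#show port-security interface FastEthernet 0/4
ALSwitch#show port-security address
ALSwitch#show port-security
!
! After a violation the port shows err-disabled. Investigate first (which second
! address appeared, and from what device), then bring the port back manually.
ALSwitch#configure terminal
ALSwitch(config)#interface FastEthernet 0/4
ALSwitch(config-if)#shutdown
ALSwitch(config-if)#no shutdown
ALSwitch(config-if)#end
!
! To remove port security from the interface entirely, use the no form:
! ALSwitch(config-if)#no switchport port-security
```

A point the lab will surface in practice: a port behind a small desktop hub or an IP phone legitimately carries more than one source address, so maximum 1 will shut it down; raise the maximum for such ports deliberately rather than disabling the feature.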

6.2.6 Executing adds, moves, and changes 

The following are parameters that should be configured on a new switch that is added to a network:

When a host is moved from one port or switch to another, configurations that can cause unexpected behavior should be removed. The switch can then be reconfigured to reflect the changes.

Lab Exercise: Add, Move, and Change MAC Addresses

In this lab, the student will create and verify a basic switch configuration.

6.2.7 Managing switch operating system files 

Network administrators should document and maintain the operational configuration files for network devices. The most current running-configuration file should be backed up on a server or disk. This is not only essential documentation, but is very useful if a configuration needs to be restored.

The IOS should also be backed up to a local server. The IOS can then be reloaded to flash memory if needed.

Lab Exercise: Managing Switch Operating System Files

In this lab, the student will create and verify a basic switch configuration, backup the switch IOS to a TFTP server, and then restore it.
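The following transcript is an added example, not part of the original page or its lab, showing the backup and restore described in 6.2.7 over TFTP. It assumes a TFTP server at 192.168.1.10 that is reachable from interface vlan 1 of the switch configured earlier; the hostname, the server address, the backup filename, and the IOS image filename are all illustrative placeholders, and the real image name must be read from the flash listing. Lines beginning with ! are comments, and the indented lines after each copy command show the prompts IOS asks and the answers typed.

```cisco
! List flash and note the exact image filename before backing it up.
ALSwitch#dir flash:
!
! Back up the current running configuration. IOS prompts for the server and
! a filename (the default is <hostname>-confg); answer each prompt.
ALSwitch#copy running-config tftp:
Address or name of remote host []? 192.168.1.10
Destination filename [alswitch-confg]? alswitch-backup.cfg
!
! Back up the IOS image so it can be reloaded into flash later. The filename
! here is a placeholder; use the one dir flash: showed.
ALSwitch#copy flash:c2950-i6q4l2-mz.121-22.EA4.bin tftp:
Address or name of remote host []? 192.168.1.10
Destination filename [c2950-i6q4l2-mz.121-22.EA4.bin]?
!
! Restore. Copying into running-config MERGES the file with what is already
! running, so commands the file does not contain are left in place.
ALSwitch#copy tftp: running-config
Address or name of remote host []? 192.168.1.10
Source filename []? alswitch-backup.cfg
Destination filename [running-config]?
!
! For an exact replacement, copy into startup-config and reload instead.
ALSwitch#copy tftp: startup-config
Address or name of remote host []? 192.168.1.10
Source filename []? alswitch-backup.cfg
Destination filename [startup-config]?
ALSwitch#reload
```

TFTP has no authentication and no encryption, and the configuration file it carries contains the enable secret hash and the reversibly encoded console and vty passwords. Run the TFTP server only during the copy, restrict it to the management VLAN, and keep the backup files where only administrators can read them.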

6.2.8 1900/2950 password recovery 

For security and management purposes, passwords must be set on the console and vty lines. An enable password and an enable secret password must also be set. When both exist, the enable secret is the one that is checked; it is stored as a hash, whereas the enable password is stored in clear text or in reversibly obscured form, so it should never reuse the secret's value. These practices help ensure that only authorized users have access to the User and Privileged EXEC modes of the switch.

There will be circumstances where physical access to the switch can be achieved, but access to the User or Privileged EXEC mode cannot be gained because the passwords are not known or have been forgotten.

In these circumstances, a password recovery procedure must be followed. The same procedure is available to anyone else with console access, so physical access to the switch is equivalent to full administrative access and must be controlled accordingly.

Lab Exercise: Password Recovery Procedure on a Catalyst 2900 Series Switch

In this lab, the student will reset the console password and recover access to the switch.

6.2.9 1900/2950 firmware upgrade 

IOS and firmware images are periodically released with bug fixes, new features, and performance improvements. If a new IOS version makes the network more secure, or lets it operate more efficiently, then the IOS should be upgraded.

ºô¸ô§@·~¨t²Î»P¶´Å骺¬M¹³®É±`·|§ó·s¡A¥]§t¤F¿ù»~­×¥¿¡B·s¥\¯à¥H¤Î®Ä¯àªº§ïµ½¡C°²¦p¨Ï¥Î·sª©ªººô¸ô§@·~¨t²Î¡Aºô¸ô¯à°÷Åܱo§ó¦w¥þ¤@ÂI¡A©ÎªÌ¯à°÷¹B§@±o§ó¦³®Ä²v¤@ÂI¡A¨º»òºô¸ô§@·~¨t²Î´NÀ³¸Ó­n§ó·s¡C

To upgrade the IOS, download a copy of the new image to a local server from the Cisco Connection Online (CCO) Software Center.

Lab Exercise: Firmware Upgrade of a Catalyst 2950 Series Switch

In this lab, the student will create and verify a basic switch configuration, then upgrade the IOS and HTML files from a file supplied by the instructor.