Adding Virtual Switches
License: Control
Supported Devices: Series 3
You can add virtual switches from the Virtual Switches tab of the Device Management page. You can also add switches as you configure switched interfaces.
You can assign only switched interfaces to a virtual switch. If you want to create a virtual switch before you configure the switched interfaces on your managed devices, you can create an empty virtual switch and add interfaces to it later.
Tip To edit an existing virtual switch, click the edit icon next to the switch.
To add a virtual switch:
Access: Admin/Network Admin
Step 1 Select Devices > Device Management.
The Device Management page appears.
Step 2 Next to the device where you want to add the virtual switch, click the edit icon.
The Interfaces tab appears.
Step 3 Click Virtual Switches.
The Virtual Switches tab appears.
Step 4 Click Add Virtual Switch.
The Add Virtual Switch pop-up window appears.
Step 5 In the Name field, type a name for the virtual switch. You can use alphanumeric characters and spaces.
Step 6 Under Available, select one or more switched interfaces to add to the virtual switch.
Tip Interfaces that you have disabled from the Interfaces tab are not available; disabling an interface after you add it removes it from the configuration.
Step 7 Click Add.
Step 8 Optionally, from the Hybrid Interface drop-down list, select a hybrid interface that ties the virtual switch to a virtual router. For more information, see Setting Up Hybrid Interfaces.
Step 9 Click Save.
The virtual switch is added. Note that your changes do not take effect until you apply the device configuration; see Applying Changes to Devices for more information.
Tip To configure advanced settings for the switch, such as static MAC entries and spanning tree protocol, see Configuring Advanced Virtual Switch Settings.
Configuring Advanced Virtual Switch Settings
License: Control
Supported Devices: Series 3
When adding or editing a virtual switch, you can add static MAC entries, enable Spanning Tree Protocol (STP), drop Bridge Protocol Data Units (BPDU), and enable strict TCP enforcement.
Over time, a virtual switch learns MAC addresses by tagging return traffic from the network. Optionally, you can manually add a static MAC entry, which designates that a MAC address resides on a specific port. Regardless of whether you ever receive traffic from that port, the MAC address remains static in the table. You can specify one or more static MAC addresses for each virtual switch.
STP is a network protocol used to prevent network loops. BPDUs are exchanged through the network, carrying information about network bridges. The protocol uses BPDUs to identify and select the fastest network links, if there are redundant links in the network. If a network link fails, Spanning Tree fails over to an existing alternate link.
If your virtual switch routes traffic between VLANs, similar to a router on a stick, BPDUs enter and exit the device through different logical switched interfaces, but the same physical switched interface. As a result, STP identifies the device as a redundant network loop, which can cause issues in certain Layer 2 deployments. To prevent this, you can configure the virtual switch at the domain level to have the device drop BPDUs when monitoring traffic.
Note Cisco strongly recommends that you enable STP when configuring a virtual switch that you plan to deploy in a device cluster.
To maximize TCP security, you can enable strict enforcement, which blocks connections where the three-way handshake was not completed. Strict enforcement also blocks:
- non-SYN TCP packets for connections where the three-way handshake was not completed
- non-SYN/RST packets from the initiator on a TCP connection before the responder sends the SYN-ACK
- non-SYN-ACK/RST packets from the responder on a TCP connection after the SYN but before the session is established
- SYN packets on an established TCP connection from either the initiator or the responder
Note that if you associate the virtual switch with a logical hybrid interface, the switch uses the same strict TCP enforcement setting as the virtual router associated with the logical hybrid interface. You cannot specify strict TCP enforcement on the switch in this case.
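The four blocking rules listed above can be read as a small per-connection state machine. The following is an added example, not Cisco code and not the device's implementation: a simplified Python model of those rules run over constructed packet traces. The state names, the StrictTcp class, and the endpoints are assumptions made for illustration.

```python
from dataclasses import dataclass, field

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10  # TCP flag bits

def kind(flags):
    """Classify a segment the way the four rules above do."""
    if flags & RST:
        return "RST"
    if flags & SYN:
        return "SYN-ACK" if flags & ACK else "SYN"
    return "OTHER"

@dataclass
class StrictTcp:
    conns: dict = field(default_factory=dict)  # endpoint pair -> [state, initiator]

    def check(self, src, dst, flags):
        """Return (allowed, reason) for one segment and update the state table."""
        key, k = frozenset((src, dst)), kind(flags)
        conn = self.conns.get(key)
        if conn is None:  # rule 1: only a SYN may open a connection
            if k != "SYN":
                return False, "non-SYN packet, handshake not completed"
            self.conns[key] = ["SYN_SEEN", src]
            return True, "SYN opens handshake"
        state, initiator = conn
        if k == "RST":  # RST is permitted in every listed rule; drop the state
            del self.conns[key]
            return True, "reset"
        if state == "ESTABLISHED":  # rule 4 (bare SYN only; model assumption)
            if k == "SYN":
                return False, "SYN on established connection"
            return True, "established"
        if src == initiator:
            if state == "SYN_SEEN" and k != "SYN":  # rule 2
                return False, "initiator sent non-SYN/RST before SYN-ACK"
            if state == "SYNACK_SEEN" and k == "OTHER" and flags & ACK:
                conn[0] = "ESTABLISHED"
            return True, "handshake"
        if k != "SYN-ACK":  # rule 3
            return False, "responder sent non-SYN-ACK/RST before establishment"
        conn[0] = "SYNACK_SEEN"
        return True, "handshake"

def replay(packets):
    """Run constructed (src, dst, flags) tuples through a fresh tracker."""
    fw = StrictTcp()
    return [fw.check(*p)[0] for p in packets]

# Constructed endpoints and traces, not captured traffic.
A, B = ("10.0.0.5", 40000), ("10.0.0.9", 443)
GOOD = [(A, B, SYN), (B, A, SYN | ACK), (A, B, ACK), (A, B, PSH | ACK), (B, A, SYN)]
EARLY_DATA = [(A, B, SYN), (A, B, PSH | ACK)]
```

Calling replay(GOOD) shows a complete handshake and data segment passing and the late SYN being blocked; replay(EARLY_DATA) shows the initiator's data segment blocked because no SYN-ACK has been seen.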
To configure advanced virtual switch settings:
Access: Admin/Network Admin
Step 1 Select Devices > Device Management.
The Device Management page appears.
Step 2 Next to the device that contains the virtual switch you want to edit, click the edit icon.
The Interfaces tab appears.
Step 3 Click Virtual Switches.
The Virtual Switches tab appears.
Step 4 Next to the virtual switch that you want to edit, click the edit icon.
The Edit Virtual Switch pop-up window appears.
Step 5 Click Advanced.
The Advanced tab appears.
Step 6 To add a static MAC entry, click Add.
The Add Static MAC Address pop-up window appears.
Step 7 In the MAC Address field, type the address using the standard format of six groups of two hexadecimal digits separated by colons (for example, 01:23:45:67:89:AB).
Note Broadcast addresses (00:00:00:00:00:00 and FF:FF:FF:FF:FF:FF) cannot be added as static MAC addresses.
Step 8 From the Interface drop-down list, select the interface where you want to assign the MAC address.
Step 9 Click Add.
The MAC address is added to the Static MAC Entries table.
To edit a MAC address, click the edit icon. To delete a MAC address, click the delete icon.
Step 10 Optionally, to enable the Spanning Tree Protocol, select Enable Spanning Tree Protocol. Select Enable Spanning Tree Protocol only if your virtual switch switches traffic between multiple network interfaces.
You cannot select Drop BPDUs unless you clear Enable Spanning Tree Protocol.
Step 11 Optionally, select Strict TCP Enforcement to enable strict TCP enforcement.
If you associate the virtual switch with a logical hybrid interface, this option does not appear and the switch uses the same setting as the virtual router associated with the logical hybrid interface.
Step 12 Optionally, select Drop BPDUs to drop BPDUs at the domain level. Select Drop BPDUs only if your virtual switch routes traffic between VLANs on a single physical interface.
You cannot select Enable Spanning Tree Protocol unless you clear Drop BPDUs.
Step 13 Click Save.
Your changes are saved. Note that your changes do not take effect until you apply the device configuration; see Applying Changes to Devices for more information.
Deleting Virtual Switches
License: Control
Supported Devices: Series 3
When you delete a virtual switch, any switched interfaces assigned to the switch become available for inclusion in another switch.
To delete a virtual switch:
Access: Admin/Network Admin
Step 1 Select Devices > Device Management.
The Device Management page appears.
Step 2 Select the managed device that contains the virtual switch you want to delete and click the edit icon for that device.
The Interfaces tab for that device appears.
Step 3 Click Virtual Switches.
The Virtual Switches tab appears.
Step 4 Next to the virtual switch that you want to delete, click the delete icon.
Step 5 When prompted, confirm that you want to delete the virtual switch.
The virtual switch is deleted. Note that your changes do not take effect until you apply the device configuration; see Applying Changes to Devices for more information.