show off your best switch config


NettableWalker

Has anyone got a really great switch config for something like a 3560 that would show the best layer 2 practices like VLANs, portfast, etherchannels, BPDUguard, Rapid-PVST, etc etc, a real work of art...


MCP,CCA, Net+, 1 quarter CCNP...
 
Wouldn't call it sexy but here's one of my 3560 configs...

Current configuration : 11872 bytes
!
! Last configuration change at 09:07:32 BST Tue Jun 6 2006 by LSADMIN
! NVRAM config last updated at 09:09:23 BST Tue Jun 6 2006 by LSADMIN
!
version 12.2
no service pad
service timestamps debug datetime
service timestamps log datetime
no service password-encryption
!
hostname THATWOULDBETELLING
!
logging buffered 10000 debugging
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
username xxxxx password 7 xxxxxxxxxxxxxxxxxxxxxxx
aaa new-model
aaa authentication login aaa group radius local
aaa authorization console
aaa authorization exec default group radius if-authenticated local
!
aaa session-id common
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 3:00
!

shutdown vlan 1000

!
ip subnet-zero
ip routing
no ip domain-lookup
!
ip multicast-routing distributed
!
!
!
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 10 priority 28672
spanning-tree vlan 20 priority 24576
!
vlan internal allocation policy ascending
!
!
interface FastEthernet0/1
description ** Uplink to xxxxxxxx port E0/0 **
switchport access vlan 100
duplex full
speed 10
!
interface FastEthernet0/2
description ** Host Port **
switchport access vlan 10
switchport mode access
duplex full
speed 10
spanning-tree portfast
!
interface FastEthernet0/3
description ** Host Port **
switchport access vlan 10
switchport mode access
duplex full
speed 10
spanning-tree portfast
!
interface FastEthernet0/4
description ** Host Port **
switchport access vlan 10
switchport mode access
duplex full
speed 10
spanning-tree portfast
!
interface FastEthernet0/5
description ** Host Port **
switchport access vlan 10
switchport mode access
duplex full
speed 10
spanning-tree portfast
!
interface FastEthernet0/6
description ** Host Port **
switchport access vlan 10
switchport mode access
duplex full
speed 10
spanning-tree portfast
!
interface FastEthernet0/7
description ** Host Port **
switchport access vlan 10
switchport mode access
duplex full
speed 10
spanning-tree portfast
!
interface FastEthernet0/8
description ** Host Port **
switchport access vlan 10
switchport mode access
duplex full
speed 10
spanning-tree portfast
!
interface FastEthernet0/9
description ** Host Port **
switchport access vlan 10
switchport mode access
duplex full
speed 10
spanning-tree portfast
!
interface FastEthernet0/10
description ** Host Port **
switchport access vlan 20
switchport mode access
duplex full
speed 10
spanning-tree portfast
!
interface FastEthernet0/11
description ** Host Port **
switchport access vlan 20
switchport mode access
duplex full
speed 10
spanning-tree portfast
!
interface FastEthernet0/12
description ** Host Port **
switchport access vlan 10
switchport mode access
duplex full
speed 10
spanning-tree portfast
!
interface FastEthernet0/13
description ** Host Port **
switchport access vlan 20
switchport mode access
duplex full
speed 10
spanning-tree portfast
!
interface FastEthernet0/14
description ** Host Port **
switchport access vlan 10
switchport mode access
duplex full
speed 10
spanning-tree portfast
!
interface FastEthernet0/15
description ** Host Port **
switchport access vlan 10
switchport mode access
duplex full
speed 10
spanning-tree portfast
!
interface FastEthernet0/16
description ** Host Port **
switchport access vlan 10
switchport mode access
duplex full
speed 10
spanning-tree portfast
!
interface FastEthernet0/17
description ** Host Port **
switchport access vlan 10
switchport mode access
duplex full
speed 10
spanning-tree portfast
!
interface FastEthernet0/18
description ** Host Port **
switchport access vlan 20
switchport mode access
duplex full
speed 10
spanning-tree portfast
!
interface FastEthernet0/19
description ** Host Port **
switchport access vlan 20
switchport mode access
duplex full
speed 10
spanning-tree portfast
!
interface FastEthernet0/20
description ** Host Port **
switchport access vlan 10
switchport mode access
duplex full
speed 10
spanning-tree portfast
!
interface FastEthernet0/21
description ** Host Port **
switchport access vlan 10
switchport mode access
duplex full
speed 10
spanning-tree portfast
!
interface FastEthernet0/22
description ** Host Port **
switchport access vlan 10
switchport mode access
duplex full
speed 10
spanning-tree portfast
!
interface FastEthernet0/23
description ** Host Port **
switchport access vlan 10
switchport mode access
duplex full
speed 10
spanning-tree portfast
!
interface FastEthernet0/24
description ** Host Port **
switchport access vlan 20
switchport mode access
duplex full
speed 10
spanning-tree portfast
!
interface FastEthernet0/25
description ** Host Port **
switchport access vlan 20
switchport mode access
duplex full
speed 10
spanning-tree portfast
!
interface FastEthernet0/26
description ** Host Port **
switchport access vlan 20
switchport mode access
duplex full
speed 10
spanning-tree portfast
!
interface FastEthernet0/27
description ** Host Port **
switchport access vlan 20
switchport mode access
duplex full
speed 10
spanning-tree portfast
!
interface FastEthernet0/28
description ** Host Port **
switchport access vlan 20
switchport mode access
duplex full
speed 10
spanning-tree portfast
!
interface FastEthernet0/29
description ** Host Port **
switchport access vlan 20
switchport mode access
duplex full
speed 10
spanning-tree portfast
!
interface FastEthernet0/30
description ** Host Port **
switchport access vlan 20
switchport mode access
duplex full
speed 10
spanning-tree portfast
!
interface FastEthernet0/31
description ** Host Port **
switchport access vlan 20
switchport mode access
duplex full
speed 10
spanning-tree portfast
!
interface FastEthernet0/32
description ** Host Port **
switchport access vlan 20
switchport mode access
duplex full
speed 10
spanning-tree portfast
!
interface FastEthernet0/33
description ** Host Port **
switchport access vlan 20
switchport mode access
duplex full
speed 10
spanning-tree portfast
!
interface FastEthernet0/34
description ** Host Port **
switchport access vlan 20
switchport mode access
duplex full
speed 10
spanning-tree portfast
!
interface FastEthernet0/35
description ** Host Port **
switchport access vlan 20
switchport mode access
duplex full
speed 10
spanning-tree portfast
!
interface FastEthernet0/36
description ** Host Port **
switchport access vlan 20
switchport mode access
duplex full
speed 10
spanning-tree portfast
!
interface FastEthernet0/37
description ** Host Port **
switchport access vlan 20
switchport mode access
duplex full
speed 10
spanning-tree portfast
!
interface FastEthernet0/38
description ** Host Port **
switchport access vlan 20
switchport mode access
duplex full
speed 10
spanning-tree portfast
!
interface FastEthernet0/39
description Network Symposium
switchport access vlan 20
switchport mode access
duplex full
speed 100
spanning-tree portfast
!
interface FastEthernet0/40
description ** Host Port **
switchport access vlan 20
switchport mode access
duplex full
speed 10
spanning-tree portfast
!
interface FastEthernet0/41
description ** Host Port **
switchport access vlan 20
switchport mode access
duplex full
speed 10
spanning-tree portfast
!
interface FastEthernet0/42
description ** Host Port **
switchport access vlan 20
switchport mode access
duplex full
speed 10
spanning-tree portfast
!
interface FastEthernet0/43
description ** Host Port **
switchport access vlan 20
switchport mode access
duplex full
speed 10
spanning-tree portfast
!
interface FastEthernet0/44
description ** Host Port **
switchport access vlan 20
switchport mode access
duplex full
speed 10
spanning-tree portfast
!
interface FastEthernet0/45
description Telecoms-OTM-Nic1
switchport access vlan 20
switchport mode access
duplex full
speed 100
spanning-tree portfast
!
interface FastEthernet0/46
description Nice01-Backup
switchport access vlan 20
switchport mode access
duplex full
speed 100
spanning-tree portfast
!
interface FastEthernet0/47
description Nice02-Live
switchport access vlan 20
switchport mode access
duplex full
speed 100
spanning-tree portfast
!
interface FastEthernet0/48
description ** ISL to xxxxxxxxxxx Port FA0/48 **
switchport access vlan 100
duplex full
speed 100
!
interface GigabitEthernet0/1
description ** Downlink to xxxxxxxx Port GI0/2 **
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport trunk allowed vlan 10,20
switchport mode trunk
switchport nonegotiate
speed nonegotiate
!
interface GigabitEthernet0/2
description ** Downlink to xxxxxxxxxxxxx Port GI0/2 **
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport trunk allowed vlan 10,20
switchport mode trunk
switchport nonegotiate
speed nonegotiate
!
interface GigabitEthernet0/3
switchport access vlan 1000
shutdown
!
interface GigabitEthernet0/4
switchport access vlan 1000
shutdown
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 10.xx.xxx.xxx 255.255.255.128
ip helper-address 10.xx.xxx.xx
ip helper-address 10.xx.xxx.xx
standby 1 ip xx.xx.xxx.xx
!
interface Vlan20
ip address xx.xx.xx.xx 255.255.255.128
ip helper-address xx.xx.xx.xx
ip helper-address xx.xx.xxx.xx
ip pim sparse-dense-mode
standby 2 ip xx.xx.xx.xx
standby 2 priority 101
standby 2 preempt
standby 2 track FastEthernet0/1
!
interface Vlan100
ip address xx.xx.xx.xx 255.255.255.248
ip pim sparse-dense-mode
!
router ospf 1
router-id xx.xx.xx.xx
log-adjacency-changes
network xx.xx.xx.xx 0.0.0.0 area 0
network xx.xx.xx.xx 0.0.0.0 area 0
network xx.xx.xx.xx 0.0.0.0 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx
ip http server
!
ip radius source-interface Vlan10
!
logging trap notifications
logging xx.xx.xx.xx
snmp-server community dededededed RW
snmp-server community dededededed RO
snmp-server enable traps tty
snmp-server enable traps stpx root-inconsistency loop-inconsistency
snmp-server host xx.xx.xx.xx ROmaybe
radius-server host xx.xx.xx.xx auth-port xxx acct-port xxx
radius-server source-ports xxxx-xxxx
radius-server key 7 xxxxxxxxxxx
!
control-plane
!
banner exec ^CCC




***************************************************
* *
* WARNING!!!! WARNING!!!! WARNING!!!! *
* THIS SESSION MAY BE MONITORED AND RECORDED, *
* THE OUTPUT FROM THIS SESSION CAN & WILL BE USED *
* AS EVIDENCE IN ANY PROSICUTION ARISING FROM *
* ANY COMPUTER MISUSE ON THIS NETWORK. *
* IF YOU ARE NOT AUTHORISED TO USE THIS SYSTEM, *
* TERMINATE THIS SESSION NOW *
* *
***************************************************



^C
banner motd ^CCC


THIS DEVICE IS PART OF A
------------------------

PRIVATE NETWORK
---------------


************************************************
* Unauthorised access or use of this equipment *
* is prohibited and constitutes an offence *
* under the Computer Misuse Act 1990. *
* If you are not authorised to use this *
* system, terminate this session now. *
************************************************
^C
!
line con 0
login authentication aaa
line vty 0 4
login authentication aaa
line vty 5 15
login authentication aaa
!
ntp clock-period 36028954
ntp source Vlan10
ntp server xx.xx.xx.xx
ntp server xx.xx.xx.xx
!
end

xx-xx-xx#


LEEroy
MCNE6,CCNA2,3/4 CCNP,CWNA,CCSA,Project+
 
Just look on CCO for Cisco best practises.....

LEEroy - there are quite a few issues with that config...... VTP running in Server Mode, Trunk Native VLANs, hard-coded user access ports?, OSPF running on the access VLANs - to name but a few.....

HTH

Andy
 
well that killed that one....

ADB100, That config works perfectly for the situation / environment that it was built for..... If you could elaborate on the issues then maybe everyone might get some valuable information / advice...


LEEroy
MCNE6,CCNP,CWNA,CCSA,Project+
 
1. VTP in Server Mode - Cisco Best Practice is to either disable VTP (only available with CatOS) or use VTP Transparent. The pitfalls of VTP make it undesirable to use, plus administering your VLANs locally on each switch allows tight control and management.

2. Trunk Native VLANs - Due to the various security threats the best practice for Trunk Native VLANs is to use a unique Native VLAN for each trunk. You should also not use this VLAN for any data:

vlan 10
name Data-10
!
vlan 20
name Data-20
!
vlan 900
name Native-900
!
vlan 901
name Native-901
!
interface FastEthernet0/1
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 900
switchport trunk allowed vlan 10,20
switchport mode trunk
switchport nonegotiate
!
interface FastEthernet0/2
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 901
switchport trunk allowed vlan 10,20
switchport mode trunk
switchport nonegotiate
!

3. OSPF Running on Access VLANs. OSPF should not run on access VLANs where hosts are directly connected. Specific Routing VLANs should be created and, where possible, routed interfaces (no switchport) should be used with /30 subnets where appropriate. Running OSPF on your access VLANs makes them a security risk since a user could attach a router or simulate one and interfere with the routing table very easily. User Access VLANs should be made passive so routing adjacencies cannot be formed.

4. Host ports fixed at speed & duplex. There are a few different views on this but hard-coding interfaces can be problematic since NICs do not always follow the configuration settings (Intel drivers.....). If you have ports that users are likely to disconnect and re-connect from (laptops?) then I would recommend either Auto Speed & Duplex or a fixed speed & Half-Duplex, since if the duplex negotiation process fails the default action is to fall back to half duplex.

5. IP HTTP Server running. This is one of the first things you should disable on a switch since the HTTP process is subject to lots of security threats and DOS attacks.

6. Proxy-Arp is enabled on the VLAN interfaces. Another vulnerability; disable it. Same goes for IP Redirects.

7. IP Helpers configured but the default protocols haven't been restrained. With Windows Networking this can result in Browser issues with Browser elections happening across IP networks/subnets. Disable the unused protocols:

no ip forward-protocol udp tftp
no ip forward-protocol udp nameserver
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs

8. No loopback interface defined for management and OSPF. You should create a loopback interface to manage the switch/router by (logging trap source loopback0, ip radius source-interface loopback0 etc). It is recommended to use a loopback interface so the routing protocols that use a RID can use this since it is an interface that won't go down.

9. Port Security. For access switches it is recommended to configure port security to restrict the number of MAC addresses learned per port. This stops users accidentally enabling the bridging software (Windows XP with wireless...) or deliberately connecting hubs to increase the number of ports they have.

10. DHCP Snooping. Again for access switches it is recommended to configure DHCP Snooping to stop users connecting rogue DHCP Servers and thus starting a DOS attack (possibly unintentionally but a DOS all the same).

11. Multicast Routing. I don't know the setup of the rest of your network so you may be running Auto-RP and Sparse-Mode anyway. The recommended mode of operation is however Sparse-Mode with either Auto-RP or Anycast-RP. Probably a design choice here so your configurations may be valid.



There are some good things though such as Rapid-PVST (you could argue MST should be used but for 2 VLANs this isn't really an issue). AAA is enabled and you are using Radius to centrally authenticate users who administer the switch. You aren't using VLAN 1 for anything (except the control-plane traffic that always uses VLAN 1). You are logging and using SNMP to manage the switch. You are using NTP and are logging events with date/time stamps.

I must admit though that I have configured similar things to you but I wouldn't consider it a 'good' config, more of a solution to meet the customer requirements at the time.

HTH

Andy
 
That's good, I learnt things there.

Thanks, you guys.

What's the best way to do ACLs to restrict inter-VLAN traffic?

MCP,CCA, Net+, Half CCNP...
 
Hi,

nice one ADB100, I'll take those things on board.... That's why I like these forums.

Lee.

LEEroy
MCNE6,CCNP,CWNA,CCSA,Project+
 
Another couple of things you should enable on access ports are BPDU Guard and BPDU Filtering. This should prevent users connecting switches into user ports and also limit BPDUs that are sent on purely access ports.

HTH

Andy
 
Hi,

I believed that BPDU Guard and BPDU filtering were features to switch on with plain old 802.1d spanning tree.... Rapid spanning tree has this covered within the protocol... Edge ports detecting BPDUs etc....

LEEroy
MCNE6,CCNP,CWNA,CCSA,Project+
 
LEEroy

You are wrong here - although Rapid STP and MST incorporate a lot of the Cisco proprietary features (or at least have similar ones) they don't by default filter BPDUs on edge ports nor do they shut edge ports down if they receive BPDUs. This is what the Cisco features of BPDU Filter and BPDU Guard provide.



HTH

Andy
 
Fair enough but still not an issue, the ports which are edge ports will lose their "edge" status and spanning tree will still protect.

LEEroy
MCNE6,CCNP,CWNA,CCSA,Project+
 
LEEroy

I agree, but if you want to tightly control who and what is plugged into your network BPDU Guard is very effective (along with port-security). If anyone plugs a switch into one of your access ports to increase the number of ports available then BPDU Guard will shut the port down; if it's a hub then port-security will restrict the number of devices that are allowed on the port.

Andy
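As an added example (not code from anyone in this thread), the following Python script applies several of the checks Andy raises to IOS running-config text: `ip http server` left enabled (item 5), a trunk native VLAN that also carries host data (item 2), proxy-ARP and redirects still active on SVIs (item 6), and access ports lacking port-security and BPDU Guard (item 9 and the BPDU Guard exchange above). The sample config is constructed in the style of the posted 3560 config; it is not the poster's config.

```python
# Constructed sample in the style of the 3560 config posted in this thread (not the poster's
# config): a bare host port, a hardened one, a trunk whose native VLAN is a data VLAN, an SVI.
SAMPLE_CONFIG = """\
ip http server
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
interface FastEthernet0/3
 switchport access vlan 20
 switchport mode access
 switchport port-security maximum 2
 spanning-tree bpduguard enable
interface GigabitEthernet0/1
 switchport trunk native vlan 10
 switchport mode trunk
interface Vlan10
 ip address 10.0.0.1 255.255.255.128
 no ip proxy-arp
"""

def parse(config):
    """Return (global_lines, {interface: [sub-lines]}) from IOS running-config text."""
    glob, ifaces, cur = [], {}, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], [])
        elif not line or line == "!":
            cur = None                      # '!' or a blank line closes the block
        elif cur is not None:
            cur.append(line)
        else:
            glob.append(line)
    return glob, ifaces

def audit(config):
    """Apply the checks raised in the thread; return sorted 'where: issue' strings."""
    glob, ifaces = parse(config)
    issues = ["global: ip http server enabled"] if "ip http server" in glob else []
    data_vlans = {l.split()[-1] for ls in ifaces.values() for l in ls if " access vlan " in l}
    for name, lines in ifaces.items():
        if "switchport mode trunk" in lines:
            native = ([l.split()[-1] for l in lines if " native vlan " in l] or ["1"])[0]
            if native in data_vlans:                # item 2: native VLAN must not carry data
                issues.append(f"{name}: native VLAN {native} also carries host data")
        elif "switchport mode access" in lines:     # item 9 and the BPDU Guard posts
            if "spanning-tree bpduguard enable" not in lines:
                issues.append(f"{name}: access port without BPDU Guard")
            if not any(l.startswith("switchport port-security") for l in lines):
                issues.append(f"{name}: access port without port-security")
        elif name.startswith("Vlan") and any(l.startswith("ip address ") for l in lines):
            for want in ("no ip proxy-arp", "no ip redirects"):     # item 6
                if want not in lines:
                    issues.append(f"{name}: missing '{want}'")
    return sorted(issues)
```

Feed it the output of `show running-config`; a hardened access port (FastEthernet0/3 in the sample) produces no findings, while the bare one produces two.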
 