
Switch Config Best Practice 2950 3550


jdeisenm (Nov 3, 2004):
I'm configuring about 15 switches (3550's and 2950's) and am organizing my config. Am I missing anything?

These devices will sit in wire closets, will participate in a VTP domain, and won't have any IP phones. The gig 1 ports will uplink to a core switch via LX GBICs and the gig 2 ports will connect to other switches in the closet with GigaStack modules (our method of redundancy). The core has VTP pruning enabled and is the spanning tree root.

!
! VTP
!
vtp mode client
vtp domain abc
vtp password abc
!
!
! YES's
!
hostname abc
enable secret xyz
service password-encryption
ip default-gateway 10.x.x.x
!
! NO's
!
no enable password
no ip domain-lookup
no ip http server
!
!
! MANAGEMENT VLAN
!
interface vlan 100
ip address 10.x.x.x 255.255.255.0
!
! COPPER INTERFACES USER VLAN
!
interface range fa0/1 - 48
switchport access vlan 200
spanning-tree portfast
no cdp enable
!
interface range g0/1 - 2
! 3550 only
switchport trunk encapsulation dot1q
switchport mode trunk
!
! CLOCK
!
clock timezone PST -8
clock summer-time PDT recurring
ntp server 10.x.x.x
!
! SNMP
!
snmp-server community xyz RW
snmp-server location xyz
snmp-server contact abc
!
! CONSOLE
!
line con 0
password xyz
login
line vty 0 15
password xyz
login
 
Best Practice would be:

Use 2 Core switches to provide redundancy - only link your Access Switches to the Cores - no Access Ports (Hosts) connected directly to Core (provide separate Server Access Layer).

Access Switch Gig Uplink 1 to Core 1 and Uplink 2 to Core 2. Interconnect the Cores with a Layer-3 Port-Channel

DO NOT use VTP, use Transparent Mode and create VLANs locally on each switch

Have unique Data & Voice VLANs (if using Voice) per switch, and only trunk these VLANs from the Core (or the distribution layer in larger networks) to the Access Layer

Do not use a separate Management VLAN, simply place the Management interface in either the local Voice or Data VLAN

Hard-Code your trunk uplinks and disable DTP (nonegotiate)

Enable UDLD on Fibre Uplinks

Use centralised AAA - TACACS+ or RADIUS, with a local fallback user/password in case the TACACS+/RADIUS Server is not reachable.

Protect your switch management with ACLs on the VTY lines and SNMP strings, disable HTTP & HTTPS


This may sound a bit OTT but will provide you with a stable, fault-tolerant network with very quick, strict failover and recovery times.


HTH

Andy
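The management-plane and uplink points in the reply above (no DTP on trunks, UDLD on the fibre uplinks, centralised AAA with a local fallback, ACLs on the VTY lines and SNMP strings, HTTP and HTTPS off, no VTP client/server) can be turned into a mechanical check. The script below is an added example written for this page, not code from either poster; it parses an IOS running-config into top-level lines and their indented children and reports which of those points a config misses, with the IOS command that fixes each. The posted config is embedded, trimmed to the lines the checks look at, with its 10.x.x.x placeholders kept; the "hardened" config alongside it is a constructed remediation, and its ACL number 10, TACACS+ server address, TACACS+ key and local username are assumptions for the example rather than values from the thread.

```python
"""Audit a Cisco IOS switch config against the hardening points from the
thread reply: no DTP on trunks, UDLD on uplinks, AAA with a local fallback,
ACLs on VTY and SNMP, HTTP/HTTPS disabled, no VTP client/server mode."""
import re

# Constructed sample input: the posted config, trimmed to the relevant lines
# and laid out as "show running-config" prints it (children indented one space).
POSTED_CONFIG = """\
vtp mode client
no enable password
no ip http server
interface range GigabitEthernet0/1 - 2
 switchport trunk encapsulation dot1q
 switchport mode trunk
snmp-server community xyz RW
line vty 0 15
 password xyz
 login
"""

# Constructed remediation with the reply's advice applied. ACL 10, the
# TACACS+ host/key and the local username are assumptions for this example.
HARDENED_CONFIG = """\
vtp mode transparent
no ip http server
no ip http secure-server
aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host 10.x.x.x key abc
username admin secret xyz
access-list 10 permit 10.x.x.0 0.0.0.255
udld enable
interface range GigabitEthernet0/1 - 2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 udld port
snmp-server community xyz RO 10
line vty 0 15
 access-class 10 in
"""


def parse_config(text):
    """Return [(top-level line, [child lines])]; an indented line belongs to
    the nearest unindented line above it, as in IOS running-config output."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(text):
    """Return (finding, remediation) pairs; an empty list means all checks passed."""
    blocks = parse_config(text)
    top = [header for header, _ in blocks]
    findings = []

    # Management plane: HTTP/HTTPS must be explicitly off, AAA with local fallback
    for cmd, what in (("no ip http server", "HTTP management"),
                      ("no ip http secure-server", "HTTPS management")):
        if cmd not in top:
            findings.append((f"{what} not explicitly disabled", cmd))
    if "aaa new-model" not in top:
        findings.append(("no centralised AAA (TACACS+/RADIUS)",
                         "aaa new-model + aaa authentication login default group tacacs+ local"))
    elif not any(h.startswith("username ") for h in top):
        findings.append(("AAA without local fallback user", "username <name> secret <pw>"))
    if any(re.fullmatch(r"vtp mode (client|server)", h) for h in top):
        findings.append(("VTP client/server mode in use", "vtp mode transparent"))

    # SNMP: every community string needs an ACL; RW is a further caveat
    for h in top:
        m = re.fullmatch(r"snmp-server community (\S+) (RO|RW)(?: (\S+))?", h)
        if m and m.group(3) is None:
            findings.append((f"SNMP community '{m.group(1)}' has no ACL", h + " <acl>"))
        if m and m.group(2) == "RW":
            findings.append((f"SNMP community '{m.group(1)}' is read-write", "use RO unless writes are required"))

    # Uplinks and VTY lines: hard-coded trunks without DTP, UDLD, access-class
    udld_global = any(h in ("udld enable", "udld aggressive") for h in top)
    for header, children in blocks:
        if header.startswith("interface") and "switchport mode trunk" in children:
            if "switchport nonegotiate" not in children:
                findings.append((f"{header}: DTP negotiation on trunk", "switchport nonegotiate"))
            if not udld_global and not any(c.startswith("udld port") for c in children):
                findings.append((f"{header}: no UDLD on uplink", "udld port"))
        if header.startswith("line vty") and not any(c.startswith("access-class") for c in children):
            findings.append((f"{header}: no access-class ACL", "access-class <acl> in"))
    return findings
```

Run `audit(POSTED_CONFIG)` to get eight findings (HTTPS not disabled, no AAA, VTP client, SNMP without ACL and read-write, DTP and no UDLD on the gig trunks, no access-class on the VTY lines); `audit(HARDENED_CONFIG)` returns an empty list. The parser relies on the one-space indentation that `show running-config` produces, so feed it saved running-configs rather than hand-typed snippets like the one in the original post.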
 