Can someone please sanity check my switch config

Jan 6th, 2010

Hi

Can someone please check my config for my access switch, and please let me know if I've missed anything out that should be on there.


cheers


Carl


version 12.2

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname xxxx

!

boot-start-marker

boot-end-marker

!

logging monitor warnings

enable secret 5 $1$wqWP$ujYq.4EdEqtWDecUJaBR31

enable password 7 105D1C091518001F

!

username admin password 7 06021D20555A0617

aaa new-model

!

!

aaa authentication login default local

!

!

!

aaa session-id common

system mtu routing 1500

vtp mode transparent

udld enable

ip subnet-zero

ip dhcp bootp ignore

!

!

ip dhcp snooping vlan 50,74,128,228

ip dhcp snooping

no ip domain-lookup

ip domain-name xx.com

!

mls qos

!

crypto pki trustpoint TP-self-signed-3404475136

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3404475136

revocation-check none

rsakeypair TP-self-signed-3404475136

!

!

crypto pki certificate chain TP-self-signed-3404475136

certificate self-signed 01

30820255 308201BE A0030201 02020101 300D0609 2A864886 F70D0101 04050030

31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

69666963 6174652D 33343034 34373531 3336301E 170D3933 30333031 30303031

31305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34303434

37353133 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

8100C119 0A0B85C8 6730ECD3 D41B18C8 0C0E1018 01486A33 684436E0 A4158CE9

DEA7255E 1F4EF521 16B368A0 3441968E DA707281 C56C698E FBECD329 9FED2ECF

0A51D938 0F41F3F8 F86F7C14 CF99A6B2 6B80A0B2 D1088528 6C85E64F 180EAD49

85DA5A40 844108CC DDC6E38C 68E3BB84 6A5FD9A5 024366E3 F8795995 04CE2CB0

6B530203 010001A3 7D307B30 0F060355 1D130101 FF040530 030101FF 30280603

551D1104 21301F82 1D4D442D 43323936 302D3231 362E6D75 656C6C65 7267726F

75702E63 6F6D301F 0603551D 23041830 16801484 9A041073 4A7596D7 827450CE

6AD009D5 B2BE9930 1D060355 1D0E0416 0414849A 0410734A 7596D782 7450CE6A

D009D5B2 BE99300D 06092A86 4886F70D 01010405 00038181 009A0799 EC19D499

04E50B3A BB0F2BAF 0947208A 7DCEEACB 69D10D6E 60B3A401 D64CBA0A 2EB2483C

05465FDB B6C35D1B E305C6D5 860C9E83 527F209C 63F87948 5C3CC98B 2B656A32

75F7246E 6BD4A091 E5BCADEB DDC98339 769D52A4 7F028255 5B91A0B1 0FFC944E

3DF0A6E5 543B04E9 89C30412 A5652116 F095C164 7F8A88E4 90

quit

!

!

!

!

!

archive

path tftp://xxx-cfg

!

spanning-tree mode rapid-pvst

spanning-tree loopguard default

spanning-tree portfast default

spanning-tree extend system-id

!

vlan internal allocation policy ascending

!

vlan 50

name Printers

!

vlan 74

name Portacabins

!

vlan 128

name IP-Telephony

!

vlan 228

name Management

!

ip ssh version 2

!

!

interface FastEthernet0/1

switchport access vlan 74

switchport mode access

switchport nonegotiate

switchport voice vlan 128

mls qos trust dscp

storm-control broadcast level 1.00

storm-control multicast level 1.00

storm-control action trap

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard root

!

interface FastEthernet0/2

switchport access vlan 74

switchport mode access

switchport nonegotiate

switchport voice vlan 128

mls qos trust dscp

storm-control broadcast level 1.00

storm-control multicast level 1.00

storm-control action trap

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard root

!

interface FastEthernet0/3

switchport access vlan 74

switchport mode access

switchport nonegotiate

switchport voice vlan 128

mls qos trust dscp

storm-control broadcast level 1.00

storm-control multicast level 1.00

storm-control action trap

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard root

!

interface FastEthernet0/4

switchport access vlan 74

switchport mode access

switchport nonegotiate

switchport voice vlan 128

mls qos trust dscp

storm-control broadcast level 1.00

storm-control multicast level 1.00

storm-control action trap

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard root

!

interface FastEthernet0/5

switchport access vlan 74

switchport mode access

switchport nonegotiate

switchport voice vlan 128

mls qos trust dscp

storm-control broadcast level 1.00

storm-control multicast level 1.00

storm-control action trap

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard root

!

interface FastEthernet0/6

switchport access vlan 74

switchport mode access

switchport nonegotiate

switchport voice vlan 128

mls qos trust dscp

storm-control broadcast level 1.00

storm-control multicast level 1.00

storm-control action trap

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard root

!

interface FastEthernet0/7

switchport access vlan 74

switchport mode access

switchport nonegotiate

switchport voice vlan 128

mls qos trust dscp

storm-control broadcast level 1.00

storm-control multicast level 1.00

storm-control action trap

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard root

!

interface FastEthernet0/8

switchport access vlan 74

switchport mode access

switchport nonegotiate

switchport voice vlan 128

mls qos trust dscp

storm-control broadcast level 1.00

storm-control multicast level 1.00

storm-control action trap

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard root

!

interface FastEthernet0/9

switchport access vlan 74

switchport mode access

switchport nonegotiate

switchport voice vlan 128

mls qos trust dscp

storm-control broadcast level 1.00

storm-control multicast level 1.00

storm-control action trap

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard root

!

interface FastEthernet0/10

switchport access vlan 74

switchport mode access

switchport nonegotiate

switchport voice vlan 128

mls qos trust dscp

storm-control broadcast level 1.00

storm-control multicast level 1.00

storm-control action trap

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard root

!

interface FastEthernet0/11

switchport access vlan 74

switchport mode access

switchport nonegotiate

switchport voice vlan 128

mls qos trust dscp

storm-control broadcast level 1.00

storm-control multicast level 1.00

storm-control action trap

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard root

!

interface FastEthernet0/12

switchport access vlan 74

switchport mode access

switchport nonegotiate

switchport voice vlan 128

mls qos trust dscp

storm-control broadcast level 1.00

storm-control multicast level 1.00

storm-control action trap

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard root

!

interface FastEthernet0/13

switchport access vlan 74

switchport mode access

switchport nonegotiate

switchport voice vlan 128

mls qos trust dscp

storm-control broadcast level 1.00

storm-control multicast level 1.00

storm-control action trap

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard root

!

interface FastEthernet0/14

switchport access vlan 74

switchport mode access

switchport nonegotiate

switchport voice vlan 128

mls qos trust dscp

storm-control broadcast level 1.00

storm-control multicast level 1.00

storm-control action trap

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard root

!

interface FastEthernet0/15

switchport access vlan 74

switchport mode access

switchport nonegotiate

switchport voice vlan 128

mls qos trust dscp

storm-control broadcast level 1.00

storm-control multicast level 1.00

storm-control action trap

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard root

!

interface FastEthernet0/16

switchport access vlan 74

switchport mode access

switchport nonegotiate

switchport voice vlan 128

mls qos trust dscp

storm-control broadcast level 1.00

storm-control multicast level 1.00

storm-control action trap

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard root

!

interface FastEthernet0/17

switchport access vlan 74

switchport mode access

switchport nonegotiate

switchport voice vlan 128

mls qos trust dscp

storm-control broadcast level 1.00

storm-control multicast level 1.00

storm-control action trap

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard root

!

interface FastEthernet0/18

switchport access vlan 74

switchport mode access

switchport nonegotiate

switchport voice vlan 128

mls qos trust dscp

storm-control broadcast level 1.00

storm-control multicast level 1.00

storm-control action trap

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard root

!

interface FastEthernet0/19

switchport access vlan 74

switchport mode access

switchport nonegotiate

switchport voice vlan 128

mls qos trust dscp

storm-control broadcast level 1.00

storm-control multicast level 1.00

storm-control action trap

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard root

!

interface FastEthernet0/20

switchport access vlan 74

switchport mode access

switchport nonegotiate

switchport voice vlan 128

mls qos trust dscp

storm-control broadcast level 1.00

storm-control multicast level 1.00

storm-control action trap

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard root

!

interface FastEthernet0/21

switchport access vlan 74

switchport mode access

switchport nonegotiate

switchport voice vlan 128

mls qos trust dscp

storm-control broadcast level 1.00

storm-control multicast level 1.00

storm-control action trap

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard root

!

interface FastEthernet0/22

switchport access vlan 74

switchport mode access

switchport nonegotiate

switchport voice vlan 128

mls qos trust dscp

storm-control broadcast level 1.00

storm-control multicast level 1.00

storm-control action trap

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard root

!

interface FastEthernet0/23

switchport access vlan 74

switchport mode access

switchport nonegotiate

switchport voice vlan 128

mls qos trust dscp

storm-control broadcast level 1.00

storm-control multicast level 1.00

storm-control action trap

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard root

!

interface FastEthernet0/24

switchport access vlan 74

switchport mode access

switchport nonegotiate

switchport voice vlan 128

mls qos trust dscp

storm-control broadcast level 1.00

storm-control multicast level 1.00

storm-control action trap

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard root

!

interface FastEthernet0/25

switchport access vlan 74

switchport mode access

switchport nonegotiate

switchport voice vlan 128

mls qos trust dscp

storm-control broadcast level 1.00

storm-control multicast level 1.00

storm-control action trap

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard root

!

interface FastEthernet0/26

switchport access vlan 74

switchport mode access

switchport nonegotiate

switchport voice vlan 128

mls qos trust dscp

storm-control broadcast level 1.00

storm-control multicast level 1.00

storm-control action trap

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard root

!

interface FastEthernet0/27

switchport access vlan 74

switchport mode access

switchport nonegotiate

switchport voice vlan 128

mls qos trust dscp

storm-control broadcast level 1.00

storm-control multicast level 1.00

storm-control action trap

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard root

!

interface FastEthernet0/28

switchport access vlan 74

switchport mode access

switchport nonegotiate

switchport voice vlan 128

mls qos trust dscp

storm-control broadcast level 1.00

storm-control multicast level 1.00

storm-control action trap

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard root

!

interface FastEthernet0/29

switchport access vlan 74

switchport mode access

switchport nonegotiate

switchport voice vlan 128

mls qos trust dscp

storm-control broadcast level 1.00

storm-control multicast level 1.00

storm-control action trap

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard root

!

interface FastEthernet0/30

switchport access vlan 74

switchport mode access

switchport nonegotiate

switchport voice vlan 128

mls qos trust dscp

storm-control broadcast level 1.00

storm-control multicast level 1.00

storm-control action trap

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard root

!

interface FastEthernet0/31

switchport access vlan 74

switchport mode access

switchport nonegotiate

switchport voice vlan 128

mls qos trust dscp

storm-control broadcast level 1.00

storm-control multicast level 1.00

storm-control action trap

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard root

!

interface FastEthernet0/32

switchport access vlan 74

switchport mode access

switchport nonegotiate

switchport voice vlan 128

mls qos trust dscp

storm-control broadcast level 1.00

storm-control multicast level 1.00

storm-control action trap

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard root

!

interface FastEthernet0/33

switchport access vlan 74

switchport mode access

switchport nonegotiate

switchport voice vlan 128

mls qos trust dscp

storm-control broadcast level 1.00

storm-control multicast level 1.00

storm-control action trap

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard root

!

interface FastEthernet0/34

switchport access vlan 74

switchport mode access

switchport nonegotiate

switchport voice vlan 128

mls qos trust dscp

storm-control broadcast level 1.00

storm-control multicast level 1.00

storm-control action trap

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard root

!

interface FastEthernet0/35

switchport access vlan 74

switchport mode access

switchport nonegotiate

switchport voice vlan 128

mls qos trust dscp

storm-control broadcast level 1.00

storm-control multicast level 1.00

storm-control action trap

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard root

!

interface FastEthernet0/36

switchport access vlan 74

switchport mode access

switchport nonegotiate

switchport voice vlan 128

mls qos trust dscp

storm-control broadcast level 1.00

storm-control multicast level 1.00

storm-control action trap

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard root

!

interface FastEthernet0/37

switchport access vlan 50

switchport mode access

switchport nonegotiate

mls qos trust dscp

storm-control broadcast level 1.00

storm-control multicast level 1.00

storm-control action trap

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard root

!

interface FastEthernet0/38

switchport access vlan 50

switchport mode access

switchport nonegotiate

mls qos trust dscp

storm-control broadcast level 1.00

storm-control multicast level 1.00

storm-control action trap

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard root

!

interface FastEthernet0/39

switchport access vlan 50

switchport mode access

switchport nonegotiate

mls qos trust dscp

storm-control broadcast level 1.00

storm-control multicast level 1.00

storm-control action trap

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard root

!

interface FastEthernet0/40

switchport access vlan 50

switchport mode access

switchport nonegotiate

mls qos trust dscp

storm-control broadcast level 1.00

storm-control multicast level 1.00

storm-control action trap

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard root

!

interface FastEthernet0/41

switchport access vlan 50

switchport mode access

switchport nonegotiate

mls qos trust dscp

storm-control broadcast level 1.00

storm-control multicast level 1.00

storm-control action trap

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard root

!

interface FastEthernet0/42

switchport access vlan 50

switchport mode access

switchport nonegotiate

mls qos trust dscp

storm-control broadcast level 1.00

storm-control multicast level 1.00

storm-control action trap

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard root

!

interface FastEthernet0/43

switchport access vlan 50

switchport mode access

switchport nonegotiate

mls qos trust dscp

storm-control broadcast level 1.00

storm-control multicast level 1.00

storm-control action trap

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard root

!

interface FastEthernet0/44

switchport access vlan 50

switchport mode access

switchport nonegotiate

mls qos trust dscp

storm-control broadcast level 1.00

storm-control multicast level 1.00

storm-control action trap

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard root

!

interface FastEthernet0/45

switchport access vlan 50

switchport mode access

switchport nonegotiate

mls qos trust dscp

storm-control broadcast level 1.00

storm-control multicast level 1.00

storm-control action trap

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard root

!

interface FastEthernet0/46

switchport access vlan 50

switchport mode access

switchport nonegotiate

mls qos trust dscp

storm-control broadcast level 1.00

storm-control multicast level 1.00

storm-control action trap

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard root

!

interface FastEthernet0/47

switchport access vlan 50

switchport mode access

switchport nonegotiate

mls qos trust dscp

storm-control broadcast level 1.00

storm-control multicast level 1.00

storm-control action trap

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard root

!

interface FastEthernet0/48

switchport access vlan 50

switchport mode access

switchport nonegotiate

mls qos trust dscp

storm-control broadcast level 1.00

storm-control multicast level 1.00

storm-control action trap

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard root

!

interface GigabitEthernet0/1

switchport trunk native vlan 228

switchport mode trunk

shutdown

mls qos trust dscp

ip dhcp snooping trust

!

interface GigabitEthernet0/2

switchport trunk native vlan 228

switchport mode trunk

shutdown

mls qos trust dscp

ip dhcp snooping trust

!

interface GigabitEthernet0/3

description ***Connected to xx***

switchport trunk native vlan 228

switchport trunk allowed vlan 50,74,128,228

switchport mode trunk

mls qos trust dscp

storm-control broadcast level 1.00

storm-control multicast level 1.00

storm-control action trap

ip dhcp snooping trust

!

interface GigabitEthernet0/4

shutdown

!

interface Vlan1

no ip address

no ip route-cache

shutdown

!

interface Vlan228

ip address xx 255.255.255.0

no ip route-cache

!

ip default-gateway xx

no ip http server

ip http secure-server

!

ip access-list standard R0

logging trap notifications

logging xx

snmp-server group xx v3 auth notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF7F

snmp-server community xx RO

snmp-server location xx

snmp-server contact xx

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

snmp-server host xx version 3 auth xx

!

control-plane

!

banner login 

xx

!

line con 0

line vty 0 4

password 7 121D17160B1F030A

transport input ssh

line vty 5 15

password 7 121D17160B1F030A

transport input ssh

!

sachinraja Wed, 01/06/2010 - 06:45

Hello Carl


Looks spot on. At first look, I see almost everything that an edge switch would need. Some small commands which can be added are given below:


1) You can add an exec-timeout for the vty lines, to make sure the device forcefully disconnects the users. By default it is 10 min if I'm not wrong. You can probably have a lower value as a standard for all devices.

2) You can also add an access-class in on the vty lines, restricting access to the device to the management subnet only.

3) On the IOS side, make sure you have the latest IOS, with proper bug scrubbing done. Also standardize the IOS across your network.

4) I see just one snmp trap command in your list. There are numerous traps that a switch can send; you can have a look at the options and enable any other trap messages that you would need.

5) Optionally you can enable port security, restricting access based on the number of MAC addresses. This makes sure that users don't plug in hubs and connect numerous other users to the network. You anyway have bpduguard enabled, which is the best practice.

6) Shut down unused ports and have full control of who is getting on your network.

7) Are you sure of the broadcast level set? 1%? Make sure this doesn't drop necessary broadcasts/multicasts. If you already have switches running on your network with these values, it's fine.


Overall, it looks really good.


Hope this helps. All the best.


Raj

carl_townshend Thu, 01/07/2010 - 03:38

Hi there


Many thanks for the reply


Can you please tell me more about the SNMP traps, i.e. which useful ones should I be sending, etc.?


Many thanks


Carl

sachinraja Thu, 01/07/2010 - 11:06

Hi Carl


As Ganesh pointed out, there are numerous SNMP notification traps available on a switch. You can go to config t -> snmp-server traps ? for more details on what your switch supports. Select which notifications might be useful for you and don't stuff the config with traps which aren't needed; for example, if your switch doesn't run OSPF or multicast, leave those off! With regards to my other comments, you can implement them on a need basis.


Hope it helps. All the best.


Raj

Mohamed Sobair Thu, 01/07/2010 - 11:23

Hi Carl,


You will need to look at the below:


1- Remove the spanning-tree guard root command from the access ports; there is no need for this, because as soon as a port receives a BPDU, BPDU guard will put the port into errdisable state.


2- The storm control broadcast and multicast levels are very small values; I would suggest changing them to higher values, 40 or 50%.



3- Apply the (ip dhcp snooping trust) command on all appropriate interfaces connected to the DHCP servers too, besides the trunks.



Other than that, your config looks OK and fine.



HTH

Mohamed
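Most of what Raj and Mohamed list above (exec-timeout and access-class on the vty lines, port security, admin-up ports nobody has claimed, 1% storm-control levels, root guard sitting next to BPDU guard) can be checked mechanically against a saved `show running-config`. The script below is an added example, not from the original thread and not Cisco tooling: it splits the config into `interface` and `line` blocks, reports each gap with a short code, and emits the IOS lines that would close the actionable ones. It also flags `password 7` strings, which the replies do not raise but which are reversibly encoded (only `secret` lines are hashed). The ACL name `MGMT-ONLY`, the management subnet 192.0.2.0/24, the 5-minute exec-timeout and the port-security maximum of 3 (phone plus PC) are assumptions to adjust; `SAMPLE` is a constructed config modelled on Carl's, with placeholder type-7 strings rather than his, and carries the one-space indentation that the forum paste stripped.

```python
"""Config audit for the points raised by Raj and Mohamed above. Added example, not
from the original post; expects `show running-config` output with IOS's one-space
indentation of sub-commands (the paste above lost it), so SAMPLE is a stand-in."""

import re
from collections import defaultdict

SAMPLE = """\
enable secret 5 $1$xxxx$placeholderplaceholderplace
enable password 7 0123456789ABCDEF
username admin password 7 0123456789ABCDEF
!
interface FastEthernet0/1
 switchport access vlan 74
 switchport mode access
 storm-control broadcast level 1.00
 spanning-tree bpduguard enable
 spanning-tree guard root
!
interface FastEthernet0/2
 description Hardened reference port
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 storm-control broadcast level 20.00
 spanning-tree bpduguard enable
!
interface FastEthernet0/3
 switchport mode access
 shutdown
!
line vty 0 4
 password 7 0123456789ABCDEF
 transport input ssh
"""  # constructed sample: placeholder type-7 strings, not the ones posted above

def parse_ios(text):
    """Split a running-config into top-level lines and {block header: [sub-commands]}."""
    top, blocks, cur = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            cur = None                      # '!' separates blocks in IOS output
        elif line[0] in " \t":
            if cur is not None:
                blocks[cur].append(line.strip())
        elif line.startswith(("interface ", "line ")):
            cur = line
            blocks[cur] = []
        else:
            cur = None
            top.append(line)
    return top, blocks

def audit(text):
    """Return (target, code, detail) findings; administratively shut ports are skipped."""
    top, blocks = parse_ios(text)
    f = []
    for name, body in blocks.items():
        if name.startswith("line vty"):
            if not any(l.startswith("exec-timeout") for l in body):
                f.append((name, "NO_EXEC_TIMEOUT", "idle sessions stay open (IOS default is 10 min)"))
            if not any(l.startswith("access-class") and l.endswith(" in") for l in body):
                f.append((name, "NO_ACCESS_CLASS", "SSH accepted from any source, not just management"))
        elif "switchport mode access" in body and "shutdown" not in body:
            if not any(l.startswith("switchport port-security") for l in body):
                f.append((name, "NO_PORT_SECURITY", "no MAC limit: a hub or rogue switch can attach"))
            if not any(l.startswith("description") for l in body):   # heuristic for 'unused'
                f.append((name, "NO_DESCRIPTION", "admin-up, no owner recorded: confirm use or shut"))
            if "spanning-tree bpduguard enable" in body and "spanning-tree guard root" in body:
                f.append((name, "ROOT_GUARD_ON_ACCESS", "bpduguard already err-disables on any BPDU"))
        for l in body:
            m = re.match(r"storm-control (broadcast|multicast) level (\d+(?:\.\d+)?)", l)
            if m and float(m.group(2)) <= 1.0:
                f.append((name, "LOW_STORM_LEVEL", f"{m.group(1)} at {m.group(2)}% may drop real traffic"))
            if re.search(r"\bpassword 7 ", l):
                f.append((name, "TYPE7_PASSWORD", "type 7 is reversible; use secrets and AAA"))
    for l in top:
        if re.search(r"\bpassword 7 ", l):   # report the command, never the encoded value
            f.append(("global", "TYPE7_PASSWORD", l.split(" 7 ")[0] + " uses reversible type 7"))
    return f

def remediation(findings, mgmt_acl="MGMT-ONLY", mgmt_net="192.0.2.0 0.0.0.255"):
    """IOS lines closing the actionable findings (ACL name and subnet are assumptions)."""
    fix = {"NO_EXEC_TIMEOUT": [" exec-timeout 5 0"],
           "NO_ACCESS_CLASS": [f" access-class {mgmt_acl} in"],
           "NO_PORT_SECURITY": [" switchport port-security", " switchport port-security maximum 3",
                                " switchport port-security violation restrict"],
           "ROOT_GUARD_ON_ACCESS": [" no spanning-tree guard root"]}
    per_target = defaultdict(list)
    for target, code, _ in findings:
        per_target[target] += fix.get(code, [])   # descriptions, storm levels, type 7: report only
    cmds = [f"ip access-list standard {mgmt_acl}", f" permit {mgmt_net}", " deny any log"] \
        if any(c == "NO_ACCESS_CLASS" for _, c, _ in findings) else []
    for target, subs in per_target.items():
        if subs:
            cmds += [target] + subs
    return cmds

if __name__ == "__main__":
    for t, c, d in audit(SAMPLE): print(f"{t}: {c}: {d}")
    print("\n".join(remediation(audit(SAMPLE))))
```

Point `audit()` at the text of a saved `show running-config` instead of `SAMPLE` to review a real switch. The description check is deliberately a heuristic: on the config posted above it would flag all 48 FastEthernet ports, which is the prompt to walk the patch panel and shut the ones nothing is plugged into. Storm-control thresholds and the type-7 passwords are reported rather than auto-fixed, since the right level depends on the traffic profile and the password change needs a maintenance window.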
