01-06-2010 06:15 AM - edited 03-06-2019 09:10 AM
Hi
Can someone please check my config for my access switch, and please let me know if I've missed anything out that should be on there
cheers
Carl
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxx
!
boot-start-marker
boot-end-marker
!
logging monitor warnings
enable secret 5 $1$wqWP$ujYq.4EdEqtWDecUJaBR31
enable password 7 105D1C091518001F
!
username admin password 7 06021D20555A0617
aaa new-model
!
!
aaa authentication login default local
!
!
!
aaa session-id common
system mtu routing 1500
vtp mode transparent
udld enable
ip subnet-zero
ip dhcp bootp ignore
!
!
ip dhcp snooping vlan 50,74,128,228
ip dhcp snooping
no ip domain-lookup
ip domain-name xx.com
!
mls qos
!
crypto pki trustpoint TP-self-signed-3404475136
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3404475136
revocation-check none
rsakeypair TP-self-signed-3404475136
!
!
crypto pki certificate chain TP-self-signed-3404475136
certificate self-signed 01
quit
!
!
!
!
!
archive
path tftp://xxx-cfg
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree portfast default
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 50
name Printers
!
vlan 74
name Portacabins
!
vlan 128
name IP-Telephony
!
vlan 228
name Management
!
ip ssh version 2
!
!
interface FastEthernet0/1
switchport access vlan 74
switchport mode access
switchport nonegotiate
switchport voice vlan 128
mls qos trust dscp
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/2
switchport access vlan 74
switchport mode access
switchport nonegotiate
switchport voice vlan 128
mls qos trust dscp
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/3
switchport access vlan 74
switchport mode access
switchport nonegotiate
switchport voice vlan 128
mls qos trust dscp
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/4
switchport access vlan 74
switchport mode access
switchport nonegotiate
switchport voice vlan 128
mls qos trust dscp
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/5
switchport access vlan 74
switchport mode access
switchport nonegotiate
switchport voice vlan 128
mls qos trust dscp
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/6
switchport access vlan 74
switchport mode access
switchport nonegotiate
switchport voice vlan 128
mls qos trust dscp
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/7
switchport access vlan 74
switchport mode access
switchport nonegotiate
switchport voice vlan 128
mls qos trust dscp
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/8
switchport access vlan 74
switchport mode access
switchport nonegotiate
switchport voice vlan 128
mls qos trust dscp
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/9
switchport access vlan 74
switchport mode access
switchport nonegotiate
switchport voice vlan 128
mls qos trust dscp
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/10
switchport access vlan 74
switchport mode access
switchport nonegotiate
switchport voice vlan 128
mls qos trust dscp
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/11
switchport access vlan 74
switchport mode access
switchport nonegotiate
switchport voice vlan 128
mls qos trust dscp
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/12
switchport access vlan 74
switchport mode access
switchport nonegotiate
switchport voice vlan 128
mls qos trust dscp
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/13
switchport access vlan 74
switchport mode access
switchport nonegotiate
switchport voice vlan 128
mls qos trust dscp
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/14
switchport access vlan 74
switchport mode access
switchport nonegotiate
switchport voice vlan 128
mls qos trust dscp
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/15
switchport access vlan 74
switchport mode access
switchport nonegotiate
switchport voice vlan 128
mls qos trust dscp
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/16
switchport access vlan 74
switchport mode access
switchport nonegotiate
switchport voice vlan 128
mls qos trust dscp
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/17
switchport access vlan 74
switchport mode access
switchport nonegotiate
switchport voice vlan 128
mls qos trust dscp
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/18
switchport access vlan 74
switchport mode access
switchport nonegotiate
switchport voice vlan 128
mls qos trust dscp
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/19
switchport access vlan 74
switchport mode access
switchport nonegotiate
switchport voice vlan 128
mls qos trust dscp
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/20
switchport access vlan 74
switchport mode access
switchport nonegotiate
switchport voice vlan 128
mls qos trust dscp
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/21
switchport access vlan 74
switchport mode access
switchport nonegotiate
switchport voice vlan 128
mls qos trust dscp
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/22
switchport access vlan 74
switchport mode access
switchport nonegotiate
switchport voice vlan 128
mls qos trust dscp
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/23
switchport access vlan 74
switchport mode access
switchport nonegotiate
switchport voice vlan 128
mls qos trust dscp
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/24
switchport access vlan 74
switchport mode access
switchport nonegotiate
switchport voice vlan 128
mls qos trust dscp
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/25
switchport access vlan 74
switchport mode access
switchport nonegotiate
switchport voice vlan 128
mls qos trust dscp
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/26
switchport access vlan 74
switchport mode access
switchport nonegotiate
switchport voice vlan 128
mls qos trust dscp
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/27
switchport access vlan 74
switchport mode access
switchport nonegotiate
switchport voice vlan 128
mls qos trust dscp
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/28
switchport access vlan 74
switchport mode access
switchport nonegotiate
switchport voice vlan 128
mls qos trust dscp
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/29
switchport access vlan 74
switchport mode access
switchport nonegotiate
switchport voice vlan 128
mls qos trust dscp
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/30
switchport access vlan 74
switchport mode access
switchport nonegotiate
switchport voice vlan 128
mls qos trust dscp
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/31
switchport access vlan 74
switchport mode access
switchport nonegotiate
switchport voice vlan 128
mls qos trust dscp
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/32
switchport access vlan 74
switchport mode access
switchport nonegotiate
switchport voice vlan 128
mls qos trust dscp
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/33
switchport access vlan 74
switchport mode access
switchport nonegotiate
switchport voice vlan 128
mls qos trust dscp
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/34
switchport access vlan 74
switchport mode access
switchport nonegotiate
switchport voice vlan 128
mls qos trust dscp
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/35
switchport access vlan 74
switchport mode access
switchport nonegotiate
switchport voice vlan 128
mls qos trust dscp
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/36
switchport access vlan 74
switchport mode access
switchport nonegotiate
switchport voice vlan 128
mls qos trust dscp
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/37
switchport access vlan 50
switchport mode access
switchport nonegotiate
mls qos trust dscp
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/38
switchport access vlan 50
switchport mode access
switchport nonegotiate
mls qos trust dscp
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/39
switchport access vlan 50
switchport mode access
switchport nonegotiate
mls qos trust dscp
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/40
switchport access vlan 50
switchport mode access
switchport nonegotiate
mls qos trust dscp
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/41
switchport access vlan 50
switchport mode access
switchport nonegotiate
mls qos trust dscp
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/42
switchport access vlan 50
switchport mode access
switchport nonegotiate
mls qos trust dscp
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/43
switchport access vlan 50
switchport mode access
switchport nonegotiate
mls qos trust dscp
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/44
switchport access vlan 50
switchport mode access
switchport nonegotiate
mls qos trust dscp
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/45
switchport access vlan 50
switchport mode access
switchport nonegotiate
mls qos trust dscp
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/46
switchport access vlan 50
switchport mode access
switchport nonegotiate
mls qos trust dscp
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/47
switchport access vlan 50
switchport mode access
switchport nonegotiate
mls qos trust dscp
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/48
switchport access vlan 50
switchport mode access
switchport nonegotiate
mls qos trust dscp
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
interface GigabitEthernet0/1
switchport trunk native vlan 228
switchport mode trunk
shutdown
mls qos trust dscp
ip dhcp snooping trust
!
interface GigabitEthernet0/2
switchport trunk native vlan 228
switchport mode trunk
shutdown
mls qos trust dscp
ip dhcp snooping trust
!
interface GigabitEthernet0/3
description ***Connected to xx***
switchport trunk native vlan 228
switchport trunk allowed vlan 50,74,128,228
switchport mode trunk
mls qos trust dscp
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action trap
ip dhcp snooping trust
!
interface GigabitEthernet0/4
shutdown
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
interface Vlan228
ip address xx 255.255.255.0
no ip route-cache
!
ip default-gateway xx
no ip http server
ip http secure-server
!
ip access-list standard R0
logging trap notifications
logging xx
snmp-server group xx v3 auth notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF7F
snmp-server community xx RO
snmp-server location xx
snmp-server contact xx
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server host xx version 3 auth xx
!
control-plane
!
banner login
xx
!
line con 0
line vty 0 4
password 7 121D17160B1F030A
transport input ssh
line vty 5 15
password 7 121D17160B1F030A
transport input ssh
!
01-06-2010 06:45 AM
Hello Carl
Looks spot on ... At first look, I see almost everything that an edge switch would need... Some small commands which can be added are as given below:
1) You can add an exec timeout for the vty lines, to make sure the device forcefully disconnects the users.. by default it is 10 min if I'm not wrong.. you can probably have a lower value as a standard for all devices..
2) You can also add an access-class in on the vty lines, restricting access to the device only from a management subnet..
3) On the IOS side, make sure you have the latest IOS, with proper bug scrubbing done.. Also standardize the IOS all across your network.
4) I just see one snmp trap command on your list.. there are numerous traps that a switch can send.. you can have a look at the options, and enable any other trap messages that you would need.
5) Optionally you can enable port security restricting access based on the number of MAC addresses. This can make sure that users don't plug in hubs and connect numerous other users on the network. You anyway have bpduguard enabled which is the best practice.
6) Shut down unused ports and have full control of who is getting on your network.
7) Are you sure of the broadcast level set? 1%? Make sure this doesn't drop necessary broadcasts/multicasts. If you already have switches running on your network with these values, it's fine.
Overall, it looks really good.
Hope this helps.. all the best..
Raj
01-07-2010 03:38 AM
Hi there
Many thanks for the reply
Can you please tell me more about the snmp traps? i.e. what useful ones should I be sending, etc.
Many thanks
Carl
01-07-2010 04:50 AM
Hi Carl,
Check out the link below on snmp traps and which are the useful ones, as you have already configured linkup/down and cold/warm start:
http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094a05.shtml
Hope this helps out your query !!
Regards
Ganesh.H
01-07-2010 11:06 AM
Hi Carl
As Ganesh pointed out, there are numerous snmp notification traps available on a switch.. you can probably go to config t -> snmp-server traps ? to get more details on what your switch supports.. select which notifications might be useful for you and don't stuff the config with traps which aren't needed.. e.g. if your switch doesn't run ospf or multicast, leave those off! With regards to my other comments, you can implement them on a need basis..
Hope it helps.. all the best..
Raj
01-07-2010 11:23 AM
Hi Carl,
You will need to look at the below:
1- Remove the spanning-tree guard root command from the access ports; there is no need for this because as soon as a port receives a BPDU, BPDU guard will put the port into errdisable state.
2- The storm control broadcast and multicast levels are very small values; I would suggest changing them to a higher value of 40 or 50%.
3- apply the (ip dhcp snooping trust) command at all appropriate interfaces connected to the DHCP servers too besides the trunks.
Other than that, your config looks ok and fine.
HTH
Mohamed
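An added example, not written by anyone in this thread: a small Python audit that parses a pasted IOS config in the shape it appears above (no indentation, "!" separators) and reports Raj's points 1, 2 and 5 and Mohamed's points 1, 2 and 3. The sample config and the 10% storm-control floor are assumptions for illustration, not values from the thread.

```python
import re

# Constructed sample modelled on the config posted above (two access ports,
# one trunk, the vty lines); it is not the real switch from the thread.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
switchport mode access
storm-control broadcast level 1.00
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/37
switchport mode access
switchport port-security maximum 2
storm-control broadcast level 40.00
spanning-tree bpduguard enable
!
interface GigabitEthernet0/3
switchport mode trunk
ip dhcp snooping trust
!
line vty 0 4
transport input ssh
!
"""

# Assumed heuristic: flag storm-control levels below this %; Mohamed suggests 40-50 %.
STORM_FLOOR = 10.0

def parse_sections(text):
    """Split a pasted config into (header, body_lines) using only the
    'interface'/'line' headers and '!' separators, so indentation is optional."""
    sections, header, body = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "!" or re.match(r"^(interface|line) ", line):
            if header:
                sections.append((header, body))
            header, body = (None if line == "!" else line), []
        elif header:
            body.append(line)
    if header:  # section not closed by a trailing '!'
        sections.append((header, body))
    return sections

def audit(text):
    """Return sorted 'section: finding' strings for the points raised in the thread."""
    findings = []
    for header, body in parse_sections(text):
        def has(prefix):
            return any(l.startswith(prefix) for l in body)
        if header.startswith("line vty"):
            if not has("exec-timeout"):
                findings.append(f"{header}: no exec-timeout, idle sessions stay open")
            if not has("access-class"):
                findings.append(f"{header}: no access-class limiting the source subnet")
            continue
        if has("switchport mode access"):
            if has("spanning-tree guard root") and has("spanning-tree bpduguard enable"):
                findings.append(f"{header}: guard root is redundant with bpduguard")
            if not has("switchport port-security"):
                findings.append(f"{header}: no port-security MAC limit")
        for l in body:
            m = re.match(r"storm-control (\w+) level ([\d.]+)", l)
            if m and float(m.group(2)) < STORM_FLOOR:
                findings.append(f"{header}: {m.group(1)} storm level {m.group(2)}% may drop wanted traffic")
        if has("ip dhcp snooping trust"):
            findings.append(f"{header}: dhcp snooping trust, confirm it faces a DHCP server or uplink")
    return sorted(findings)
```

Run `audit(open("switch.cfg").read())` on a saved copy of the running config to get the same report for a real switch; the trusted-interface line is a prompt to verify, not a defect by itself.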