Link to home
Start Free TrialLog in
Avatar of John Gates, CISSP, CDPSE
John Gates, CISSP, CDPSEFlag for United States of America

asked on

Cisco 3560+ Configuration suggestions

I would like comments and suggestions on the following switch configuration:

!
! No configuration change since last restart
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname <myswitch>
!
enable secret 5 <secret>
!
no aaa new-model
clock timezone cst -6
clock summer-time cst recurring
system mtu routing 1500
ip subnet-zero
ip routing
!
!
cluster commander-address <mac> member 3 name <cluster name> vlan 1
!
!
!
!
no errdisable detect cause link-flap
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause gbic-invalid
errdisable recovery cause l2ptguard
errdisable recovery cause psecure-violation
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause vmps
errdisable recovery cause storm-control
errdisable recovery cause arp-inspection
errdisable recovery cause loopback
errdisable recovery interval 60
no file verify auto
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/2
 spanning-tree portfast
!
interface FastEthernet0/3
 spanning-tree portfast
!
interface FastEthernet0/4
 spanning-tree portfast
!
interface FastEthernet0/5
 spanning-tree portfast
!
interface FastEthernet0/6
 spanning-tree portfast
!
interface FastEthernet0/7
 spanning-tree portfast
!
interface FastEthernet0/8
 spanning-tree portfast
!
interface FastEthernet0/9
 spanning-tree portfast
!
interface FastEthernet0/10
 spanning-tree portfast
!
interface FastEthernet0/11
 spanning-tree portfast
!
interface FastEthernet0/12
 spanning-tree portfast
!
interface FastEthernet0/13
 spanning-tree portfast
!
interface FastEthernet0/14
 spanning-tree portfast
!
interface FastEthernet0/15
 spanning-tree portfast
!
interface FastEthernet0/16
 spanning-tree portfast
!
interface FastEthernet0/17
 spanning-tree portfast
!
interface FastEthernet0/18
 spanning-tree portfast
!
interface FastEthernet0/19
 spanning-tree portfast
!
interface FastEthernet0/20
 spanning-tree portfast
!
interface FastEthernet0/21
 spanning-tree portfast
!
interface FastEthernet0/22
 spanning-tree portfast
!
interface FastEthernet0/23
 spanning-tree portfast
!
interface FastEthernet0/24
 spanning-tree portfast
!
interface FastEthernet0/25
 spanning-tree portfast
!
interface FastEthernet0/26
 spanning-tree portfast
!
interface FastEthernet0/27
 spanning-tree portfast
!
interface FastEthernet0/28
 spanning-tree portfast
!
interface FastEthernet0/29
 spanning-tree portfast
!
interface FastEthernet0/30
 spanning-tree portfast
!
interface FastEthernet0/31
 spanning-tree portfast
!
interface FastEthernet0/32
 spanning-tree portfast
!
interface FastEthernet0/33
 spanning-tree portfast
!
interface FastEthernet0/34
 spanning-tree portfast
!
interface FastEthernet0/35
 spanning-tree portfast
!
interface FastEthernet0/36
 spanning-tree portfast
!
interface FastEthernet0/37
 spanning-tree portfast
!
interface FastEthernet0/38
 spanning-tree portfast
!
interface FastEthernet0/39
 spanning-tree portfast
!
interface FastEthernet0/40
 spanning-tree portfast
!
interface FastEthernet0/41
 spanning-tree portfast
!
interface FastEthernet0/42
 spanning-tree portfast
!
interface FastEthernet0/43
 spanning-tree portfast
!
interface FastEthernet0/44
 spanning-tree portfast
!
interface FastEthernet0/45
 spanning-tree portfast
!
interface FastEthernet0/46
 spanning-tree portfast
!
interface FastEthernet0/47
 spanning-tree portfast
!
interface FastEthernet0/48
 spanning-tree portfast
!
interface GigabitEthernet0/1
 switchport trunk encapsulation isl
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport trunk encapsulation isl
 switchport mode trunk
!
interface GigabitEthernet0/3
 switchport trunk encapsulation isl
 switchport mode trunk
!
interface GigabitEthernet0/4
 switchport trunk encapsulation isl
 switchport mode trunk
!
interface Vlan1
 ip address <ip> 255.255.0.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 <ip>
ip http server
ip http secure-server
!
!
!
control-plane
!
!
line con 0
 password <password>
 login
line vty 0 4
 password <password>
 login
line vty 5 15
 password <password>
 no login
!
ntp clock-period 36029200
ntp server <ip>
end

Please let me know if there are changes that would be recommended etc.  Thanks in advance!

-D-
ASKER CERTIFIED SOLUTION
Avatar of bkepford
bkepford
Flag of United States of America image
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of John Gates, CISSP, CDPSE
John Gates, CISSP, CDPSE
Flag of United States of America image

ASKER

Thank you for your response.  Let's see what the other experts suggest.

-D-
Avatar of bkepford
bkepford
Flag of United States of America image
Just out of curiosity other then straight layer 2 connectivity on a single vlan, do you have any other requirements for your network?
Avatar of John Gates, CISSP, CDPSE
John Gates, CISSP, CDPSE
Flag of United States of America image

ASKER

Not really just looking for the most solid configuration.
Avatar of John Gates, CISSP, CDPSE
John Gates, CISSP, CDPSE
Flag of United States of America image

ASKER

Like should input flow control be enabled on the gigabit fiber eth ports etc...


-D-
Avatar of bkepford
bkepford
Flag of United States of America image
In my opinion flow control should only be used if you are experiencing congestion. If you check your links during peak usage and they have plenty of capacity yet it is better to leave it at the default.  
For your trunk links I would add them to an ether channel if they are going to the same switch and that other switch can support etherchannel.  I would also turn on udld (unidirectional link detection) again is the other switch supports the feature this will create the most redundancy and the most "solid" config
example
interface GigabitEthernet0/1
 switchport trunk encapsulation isl
 switchport mode trunk
 udld port
 channel-group 1 mode on
!
interface GigabitEthernet0/2
 switchport trunk encapsulation isl
 switchport mode trunk
 udld port
 channel-group 1 mode on

Avatar of John Gates, CISSP, CDPSE
John Gates, CISSP, CDPSE
Flag of United States of America image

ASKER

I am seeing a lot of input errors:

GigabitEthernet1/0/5 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is <mac>
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not set
  Full-duplex, 1000Mb/s, link type is auto, media type is 1000BaseSX SFP
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:51, output 00:00:00, output hang never
  Last clearing of "show interface" counters 00:55:01
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 36000 bits/sec, 7 packets/sec
  5 minute output rate 155000 bits/sec, 34 packets/sec
     530836 packets input, 208730707 bytes, 0 no buffer
     Received 7173 broadcasts (0 multicast)
     0 runts, 0 giants, 0 throttles
     21 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 2696 multicast, 0 pause input
     0 input packets with dribble condition detected
     659411 packets output, 515940865 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets


Does this look unreasonable?
-D-
Avatar of bkepford
bkepford
Flag of United States of America image
Well you have 530836 packets input and 21 input errors and it looks like a time frame of 55 minutes since your last clear counters.
This is a low percentage and from the amount of traffic I don't think it is congestion related. Obviously this isn't causing tons of drops and To answer your question it looks reasonable even with the input errors.
Of course you want the errors to stop so I would start with these questions. What is on the other side of the line and are you seeing any errors on that side?  How long is the run? Have you tried moving to another SFP port on the switch? Have you tested the cable?
 
Avatar of John Gates, CISSP, CDPSE
John Gates, CISSP, CDPSE
Flag of United States of America image

ASKER

The other side of the fiber link goes to a switch that is not reporting errors at all as far as input.


-D-
Avatar of John Gates, CISSP, CDPSE
John Gates, CISSP, CDPSE
Flag of United States of America image

ASKER

I have also seen interface resets.  Like 1 in a day.  Is this normal too?
Avatar of bkepford
bkepford
Flag of United States of America image
Nope, This is a duplex (a pair of fibers) mmf so have you tried switching the pairs on both sides as long as the connector isn't a duplex connector. It would be a good test. The reason I say this is from what your telling me the most likely problem is a slight cable quality issue.
Input errors tend to be a physical problem whether from interference or cable quality issue to bad SFP ports or modules.
Avatar of John Gates, CISSP, CDPSE
John Gates, CISSP, CDPSE
Flag of United States of America image

ASKER

Thank you very much for your input.  It is appreciated.


-D-