Switch Config Thoughts

I am routing through all my network's config files and I wanted to get a second opinion on this particular one. Everything works, the system does what it should, but I want to make sure I do not have any extraneous configurations, or maybe there is something I could be doing better.


sh run
Building configuration...

Current configuration : 14475 bytes
!
! Last configuration change at 05:48:11 UTC Tue Mar 2 1993
!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname Lab_378_Eng
!
boot-start-marker
boot-end-marker
!
!
no logging console
enable secret 5 $1$37zN$nqGmsmJm3vwxl5Mij3ss21
!
username ******** privilege 15 secret 5 ***********
username ******** privilege 0 secret 5 ************
username ******* privilege 15 secret 5 ****************
username ******** privilege 0 secret 5 ****************
username ******** privilege 15 secret 5 **************
username ******** privilege 15 secret 5 *************
aaa new-model
!
!
aaa authentication login default local
aaa authorization console
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
switch 1 provision ws-c3750g-48ts
system mtu routing 1500
vtp mode transparent
authentication mac-move permit
no ip source-route
ip routing
no ip domain-lookup
!
!
!
!
!
crypto pki trustpoint TP-self-signed
 revocation-check crl
!
crypto pki trustpoint TP-self-signed-4265178240
 enrollment selfsigned
 subject-name cn=IOS-self-signed-certificate-4265178240
 revocation-check none
 rsakeypair TP-self-signed-4265178240
!
!
crypto pki certificate chain TP-self-signed
crypto pki certificate chain TP-self-signed-4265178240
!
!
!
port-channel load-balance src-ip
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 3
 name SEA******
!
vlan 7
 name Native_VLAN
!
vlan 10
 name ****_VLAN
!
vlan 99
 name Unused_Ports
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh version 2
!
!
!
!
!
!
interface GigabitEthernet1/0/1
 description WINDOWS SERVER
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 description SOLARIS SERVER
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/3
 description SOLARIS SERVER
 switchport access vlan 3
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/4
 description CLIENT 1
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/5
 description CLIENT 1
 switchport access vlan 3
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/6
 description CLIENT 2
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/7
 description CLIENT 2
 switchport access vlan 3
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/8
 description CLIENT 3
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/9
 description CLIENT 3
 switchport access vlan 3
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/10
 description CLIENT 4
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/11
 description CLIENT 4
 switchport access vlan 3
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/12
 description CLIENT 5
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/13
 description CLIENT 5
 switchport access vlan 3
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/14
 description CLIENT 6
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/15
 description CLIENT 6
 switchport access vlan 3
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/16
 description CLIENT 7
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/17
 description CLIENT 7
 switchport access vlan 3
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/18
 description WINDOWS NAS
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/19
 description VIDEO SERVER
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/20
 description TERMINAL SERVER #1
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/21
 description TERMINAL SERVER #2
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/22
 description **** COMPUTER GROUP
 switchport access vlan 3
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/23
 description VIDEO MATRIX SWITCH
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/24
 description ******* SWITCH
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 10
 ip access-group ********_****_Ingress in
 spanning-tree portfast
!
interface GigabitEthernet1/0/25
 description UPS #1
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/26
 description UPS #2
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/27
 description UPS #3
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/28
 description UPS #4
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/29
 description UPS #5
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/30
 description *************
 switchport access vlan 3
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/31
 description ************
 switchport access vlan 3
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/32
 description SOLARIS SERVER
 switchport access vlan 99
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/33
 switchport access vlan 99
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/34
 switchport access vlan 99
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/35
 switchport access vlan 99
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/36
 switchport access vlan 99
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/37
 switchport access vlan 99
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/38
 switchport access vlan 99
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/39
 switchport access vlan 99
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/40
 description TEMP_IAVASURE
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/41
 switchport access vlan 99
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/42
 switchport access vlan 99
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/43
 switchport access vlan 99
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/44
 switchport access vlan 99
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/45
 switchport access vlan 99
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/46
 switchport access vlan 99
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/47
 switchport access vlan 99
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/48
 switchport access vlan 99
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/49
 switchport access vlan 99
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/50
 switchport access vlan 99
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/51
 switchport access vlan 99
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/52
 switchport access vlan 99
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 shutdown
 spanning-tree portfast
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan3
 no ip address
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
!
interface Vlan7
 no ip address
 shutdown
!
interface Vlan10
 description ****_VLAN
 ip address xxx.xxx.78.1 255.255.255.0
!
interface Vlan99
 no ip address
 shutdown
!
ip http server
ip http secure-server
!
!
!
ip access-list extended ********_****_*_Ingress
 remark ICMP Security
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any packet-too-big
 deny   icmp any any mask-reply
 remark Block incoming traffic attempting to spoof an internal source
 deny   ip xxx.xxx.78.0 0.0.0.255 any
 remark Block SQL Packets
 deny   tcp any any eq 1433
 remark ******** rule tracking
 permit ip any any log
!
ip sla enable reaction-alerts
logging esm config
!
snmp-server group snmpusers v3 auth
snmp-server community Seawatch RO R0
!
!
!
banner login ^C
Blah blah blah
^C
banner motd ^C
********************************************************************

********************************************************************
^C
!
line con 0
 exec-timeout 5 0
 logging synchronous
line vty 0 4
 transport input ssh
line vty 5 15
 transport input none
!
ntp server xxx.xxx.78.10 prefer
end

Thoughts?
Asked by Glen Krinsky (Systems Administrator)

stilldmoney commented:
Here are some of my observations:

All in all your config looks well thought out... some minor improvements which may help in case of troubleshooting:
On your interfaces connecting to network devices (servers, switches, routers) you may want to hardcode the duplex & transmission (not required but best practice).
You can be more specific in your int descriptions. Since you're using VLANs, maybe you can use a naming scheme like Client6v10 or Client6v3 to distinguish between client 6 on vlan10 and vlan3.
On your port-security max 10 policy, is there a specific action that you want to happen when your ports reach the max allowed? You can use "switchport port-security violation restrict" from the int-config to enable logging, or "switchport port-security violation shutdown" to shut down the port once it exceeds the max.
Int 48-52 are shut down, which is good practice when you're not using ports.
You have some ports configured for VLANs 99, 7, and 3 but the VLANs are shut down (just wanted to bring that to your attention).

Like I said earlier, all in all very clean configs, just minor recommendations.

Cheers!
fastcuda commented:
On a security aspect, you could add password checking ('login local') on your console and vtys. Also, maybe add an ACL for the vtys too. But everything else looks fine.
stilldmoney commented:
One last thing... you have ip http server and ip http secure-server running. Unless you are using the HTTP server service, you may want to consider disabling it. Best practice.
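A small lint over pasted "sh run" text for the points raised in the two comments above (explicit port-security violation mode, the HTTP servers, and an access-class on the vty lines), as an added Python example that is not part of the original thread. It also flags a port that sets "switchport port-security maximum" without ever enabling "switchport port-security", which is the pattern on Gi1/0/24 in the posted config; the excerpt and the ACL name are constructed placeholders shaped like the posted output.

```python
# Constructed excerpt in the shape of the posted "sh run" output (not the full config).
SAMPLE_CONFIG = """\
ip http server
ip http secure-server
!
interface GigabitEthernet1/0/1
 switchport port-security maximum 10
 switchport port-security
!
interface GigabitEthernet1/0/24
 switchport port-security maximum 10
 ip access-group EXAMPLE_Ingress in
!
line vty 0 4
 transport input ssh
line vty 5 15
 transport input none
"""

def parse_sections(text):
    """Split 'sh run' text into (header, [indented child lines]) blocks."""
    sections, current = [], None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        elif raw.strip() and raw.strip() != "!":
            current = (raw.strip(), [])
            sections.append(current)
    return sections

def has_prefix(body, prefix):
    return any(line.startswith(prefix) for line in body)

def audit(text):
    """Return findings that match the recommendations made in the thread."""
    findings = []
    for header, body in parse_sections(text):
        if header in ("ip http server", "ip http secure-server"):
            findings.append(f"{header}: disable unless the web UI is actually used")
        elif header.startswith("interface "):
            enabled = "switchport port-security" in body
            if enabled and not has_prefix(body, "switchport port-security violation"):
                findings.append(f"{header}: no explicit violation mode (default is shutdown)")
            if has_prefix(body, "switchport port-security maximum") and not enabled:
                findings.append(f"{header}: maximum set but port-security not enabled")
        elif header.startswith("line vty") and not has_prefix(body, "access-class"):
            findings.append(f"{header}: no access-class ACL limiting management sources")
    return findings
```

Run `audit(SAMPLE_CONFIG)` to list the findings; feed it the full dump to check every port and vty range at once.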
Glen Krinsky (Author) commented:
Thanks for the extra sets of eyes, guys!