Switch Config Thoughts

Posted on 2012-08-15
Last Modified: 2012-08-18
I am rooting through all my network config files and I wanted to get a second opinion on this particular one. Everything works, the system does what it should, but I want to make sure I do not have any extraneous configurations, or maybe there is something I could be doing better.


sh run
Building configuration...

Current configuration : 14475 bytes
!
! Last configuration change at 05:48:11 UTC Tue Mar 2 1993
!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname Lab_378_Eng
!
boot-start-marker
boot-end-marker
!
!
no logging console
enable secret 5 $1$37zN$nqGmsmJm3vwxl5Mij3ss21
!
username ******** privilege 15 secret 5 ***********
username ******** privilege 0 secret 5 ************
username ******* privilege 15 secret 5 ****************
username ******** privilege 0 secret 5 ****************
username ******** privilege 15 secret 5 **************
username ******** privilege 15 secret 5 *************
aaa new-model
!
!
aaa authentication login default local
aaa authorization console
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
switch 1 provision ws-c3750g-48ts
system mtu routing 1500
vtp mode transparent
authentication mac-move permit
no ip source-route
ip routing
no ip domain-lookup
!
!
!
!
!
crypto pki trustpoint TP-self-signed
 revocation-check crl
!
crypto pki trustpoint TP-self-signed-4265178240
 enrollment selfsigned
 subject-name cn=IOS-self-signed-certificate-4265178240
 revocation-check none
 rsakeypair TP-self-signed-4265178240
!
!
crypto pki certificate chain TP-self-signed
crypto pki certificate chain TP-self-signed-4265178240
!
!
!
port-channel load-balance src-ip
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 3
 name SEA******
!
vlan 7
 name Native_VLAN
!
vlan 10
 name ****_VLAN
!
vlan 99
 name Unused_Ports
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh version 2
!
!
!
!
!
!
interface GigabitEthernet1/0/1
 description WINDOWS SERVER
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 description SOLARIS SERVER
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/3
 description SOLARIS SERVER
 switchport access vlan 3
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/4
 description CLIENT 1
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/5
 description CLIENT 1
 switchport access vlan 3
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/6
 description CLIENT 2
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/7
 description CLIENT 2
 switchport access vlan 3
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/8
 description CLIENT 3
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/9
 description CLIENT 3
 switchport access vlan 3
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/10
 description CLIENT 4
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/11
 description CLIENT 4
 switchport access vlan 3
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/12
 description CLIENT 5
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/13
 description CLIENT 5
 switchport access vlan 3
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/14
 description CLIENT 6
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/15
 description CLIENT 6
 switchport access vlan 3
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/16
 description CLIENT 7
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/17
 description CLIENT 7
 switchport access vlan 3
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/18
 description WINDOWS NAS
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/19
 description VIDEO SERVER
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/20
 description TERMINAL SERVER #1
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/21
 description TERMINAL SERVER #2
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/22
 description **** COMPUTER GROUP
 switchport access vlan 3
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/23
 description VIDEO MATRIX SWITCH
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/24
 description ******* SWITCH
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 10
 ip access-group ********_****_Ingress in
 spanning-tree portfast
!
interface GigabitEthernet1/0/25
 description UPS #1
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/26
 description UPS #2
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/27
 description UPS #3
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/28
 description UPS #4
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/29
 description UPS #5
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/30
 description *************
 switchport access vlan 3
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/31
 description ************
 switchport access vlan 3
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/32
 description SOLARIS SERVER
 switchport access vlan 99
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/33
 switchport access vlan 99
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/34
 switchport access vlan 99
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/35
 switchport access vlan 99
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/36
 switchport access vlan 99
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/37
 switchport access vlan 99
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/38
 switchport access vlan 99
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/39
 switchport access vlan 99
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/40
 description TEMP_IAVASURE
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/41
 switchport access vlan 99
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/42
 switchport access vlan 99
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/43
 switchport access vlan 99
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/44
 switchport access vlan 99
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/45
 switchport access vlan 99
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/46
 switchport access vlan 99
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/47
 switchport access vlan 99
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/48
 switchport access vlan 99
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/49
 switchport access vlan 99
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/50
 switchport access vlan 99
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/51
 switchport access vlan 99
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/52
 switchport access vlan 99
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 shutdown
 spanning-tree portfast
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan3
 no ip address
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
!
interface Vlan7
 no ip address
 shutdown
!
interface Vlan10
 description ****_VLAN
 ip address xxx.xxx.78.1 255.255.255.0
!
interface Vlan99
 no ip address
 shutdown
!
ip http server
ip http secure-server
!
!
!
ip access-list extended ********_****_*_Ingress
 remark ICMP Security
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any packet-too-big
 deny   icmp any any mask-reply
 remark Block incoming traffic attempting to spoof an internam source
 deny   ip xxx.xxx.78.0 0.0.0.255 any
 remark Block SQL Packets
 deny   tcp any any eq 1433
 remark ******** rule tracking
 permit ip any any log
!
ip sla enable reaction-alerts
logging esm config
!
snmp-server group snmpusers v3 auth
snmp-server community Seawatch RO R0
!
!
!
banner login ^C
Blah blah blah
^C
banner motd ^C
********************************************************************

********************************************************************
^C
!
line con 0
 exec-timeout 5 0
 logging synchronous
line vty 0 4
 transport input ssh
line vty 5 15
 transport input none
!
ntp server xxx.xxx.78.10 prefer
end

Thoughts?
Question by:airborne1128

Assisted Solution

by:fastcuda
fastcuda earned 600 total points
ID: 38296785
On a security aspect, you could add password checking ('login local') on your console and vtys. Also, maybe add an ACL for the vtys too. But everything else looks fine.

Accepted Solution

by:stilldmoney
stilldmoney earned 1400 total points
ID: 38299118
Here are some of my observations:

All in all your config looks well thought out... some minor improvements which may help in case of troubleshooting:
on your interfaces connecting to network devices (servers, switches, routers) you may want to hardcode the duplex & transmission (not required but best practice)
you can be more specific on your int descriptors. Since you're using VLANs maybe you can use a naming scheme like Client6v10 or Client6v3 to distinguish between client 6 on vlan10 and vlan3
on your port-security max 10 policy, is there a specific action that you want to happen when your ports reach the max allowed? You can use "switchport port-security violation restrict" from the int-config to enable logging or "switchport port-security violation shutdown" to shut down the port once it exceeds the max
int 48-52 are shutdown, which is good practice when you're not using ports
you have some ports configured for vlans 99, 7, and 3 but the vlans are shutdown (just wanted to bring that to your attention)

Like I said earlier, all in all very clean configs, just minor recommendations.

Cheers!

Expert Comment

by:stilldmoney
ID: 38299125
one last thing... you have ip http server and ip http secure-server running. Unless you are using the http server service you may want to consider disabling. Best practice.
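One way to check the points raised in these comments against a config file: fastcuda's vty ACL, and stilldmoney's explicit port-security violation mode, distinct per-VLAN descriptions and disabled http servers, plus one thing visible in the posted config itself (Gi1/0/24 sets a port-security maximum but never enables port-security, so the maximum has no effect). This is an added Python example, not code from the original thread. The two configs it embeds are constructed, abbreviated excerpts modelled on the posted one; the ACL name VTY_MGMT and the 192.0.2.0/24 management range are assumptions.

```python
"""Audit a Cisco IOS config for the points raised in this thread (added example,
not code from the original post). Both configs below are constructed excerpts
modelled on the posted one; VTY_MGMT and 192.0.2.0/24 are assumed names/values."""
from collections import Counter

WEAK_CONFIG = """\
ip http server
ip http secure-server
interface GigabitEthernet1/0/4
 description CLIENT 1
 switchport port-security maximum 10
 switchport port-security
interface GigabitEthernet1/0/5
 description CLIENT 1
 switchport port-security maximum 10
 switchport port-security
interface GigabitEthernet1/0/24
 description SWITCH
 switchport port-security maximum 10
line vty 0 4
 transport input ssh
line vty 5 15
 transport input none
"""

HARDENED_CONFIG = """\
no ip http server
no ip http secure-server
ip access-list standard VTY_MGMT
 permit 192.0.2.0 0.0.0.255
 deny   any log
interface GigabitEthernet1/0/4
 description CLIENT1v10
 switchport port-security maximum 10
 switchport port-security
 switchport port-security violation restrict
interface GigabitEthernet1/0/5
 description CLIENT1v3
 switchport port-security maximum 10
 switchport port-security
 switchport port-security violation restrict
interface GigabitEthernet1/0/24
 description SWITCHv10
 switchport port-security maximum 10
 switchport port-security
 switchport port-security violation restrict
line vty 0 4
 access-class VTY_MGMT in
 transport input ssh
"""


def parse_blocks(config):
    """Split IOS config text into (top-level line, [indented child lines]) pairs."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue  # blank lines and '!' separators carry no config
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    blocks = parse_blocks(config)
    top = {head for head, _ in blocks}  # 'no ip http server' does not match below
    for svc in ("ip http server", "ip http secure-server"):
        if svc in top:
            findings.append(f"{svc} enabled; disable unless the web UI is needed")
    descriptions = Counter()
    for head, body in blocks:
        if head.startswith("interface "):
            name = head.split(" ", 1)[1]
            enabled = "switchport port-security" in body  # exact line, not a sub-option
            has_max = any(l.startswith("switchport port-security maximum") for l in body)
            has_violation = any(l.startswith("switchport port-security violation") for l in body)
            if has_max and not enabled:
                findings.append(f"{name}: port-security maximum set but port-security not enabled")
            if enabled and not has_violation:
                findings.append(f"{name}: no explicit violation mode (IOS default is shutdown)")
            for line in body:
                if line.startswith("description "):
                    descriptions[line[len("description "):]] += 1
        elif head.startswith("line vty") and "transport input none" not in body:
            if not any(line.startswith("access-class") for line in body):
                findings.append(f"{head}: no access-class limiting management sources")
    for desc, count in descriptions.items():
        if count > 1:
            findings.append(f"description '{desc}' reused on {count} interfaces; name per VLAN")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print("  -", f)
```

Run against a real `show run` saved to a file by reading it into `audit()`; the parser only relies on IOS indenting sub-commands by one space, so it works on the full posted config as well as the excerpts. The vty check skips lines whose transport is `none`, since nothing can reach them, and the description check is deliberately a warning rather than an error: duplicate labels are a troubleshooting problem, not a security one.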

Author Closing Comment

by:airborne1128
ID: 38302476
Thanks for the extra sets of eyes guys!