Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!
Solved
which is best PORT config for CISCO switches
Posted on 2015-02-13
Hi Experts,
I have a simple question for you.
can you show me the best recommend settings for a cisco switch port ?
I use 2960X and 3650X
There are so many parameters around.
Maybe you can show me the different settings with a short info.
I have a simple question for you.
can you show me the best recommend settings for a cisco switch port ?
I use 2960X and 3650X
There are so many parameters around.
Maybe you can show me the different settings with a short info.
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
4
2
2
8 Comments
Active today
What about this setup for my ports ?
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
Active today
That's like asking "What Cisco switch do I need?" There's just too many variables to be able to answer the question.
I see in your post you're showing port security. Does that mean the devices in your network never move to other ports? If so, then port security may be a good thing to have.
Can you provide some information on the environment? Are there phones connected to the switch? Is QOS required? What's the security environment?
I see in your post you're showing port security. Does that mean the devices in your network never move to other ports? If so, then port security may be a good thing to have.
Can you provide some information on the environment? Are there phones connected to the switch? Is QOS required? What's the security environment?
Active today
I agree with Don. There's just too many variables depending on the options you want. Depending on IOS version, you can have more or less options as shown below
Switch(config-if)#?
arp Set arp type (arpa, probe, snap) or timeout
bandwidth Set bandwidth informational parameter
cdp Global CDP configuration subcommands
channel-group Etherchannel/port bundling configuration
channel-protocol Select the channel protocol (LACP, PAgP)
delay Specify interface throughput delay
description Interface specific description
duplex Configure duplex operation.
exit Exit from interface configuration mode
hold-queue Set hold queue depth
ip Interface Internet Protocol config commands
mdix Set Media Dependent Interface with Crossover
mls mls interface commands
no Negate a command or set its defaults
power Power configuration
service-policy Configure QoS Service Policy
shutdown Shutdown the selected interface
spanning-tree Spanning Tree Subsystem
speed Configure speed operation.
storm-control storm configuration
switchport Set switching mode characteristics
tx-ring-limit Configure PA level transmit ring limit
Be mindful also that the commands shown above have multiple sub commands
With that said, there are a few basic things you can set
- For ports that will always connect to a computer or device, you want to hard code them as access ports (switchport mode access)
- Your access port will need vlan and native vlan (if trunk) changed or left at default value - vlan 1
(switchport access vlan 10)
(switchport trunk native vlan 99)
- Access ports that are no in use should be shut down
- Descriptions are good for quick identification (description WEB-SERVER-1)
Those are just the fundamentals
The port-security option is good to prevent unauthorized device connections
- In your example, it may be good to add a couple of port=security parameters
eg switchport port-security mac-address xx-xx-xx (especially for servers) this allows only that device to connect on that port
You could use other options like "sticky" to automatically memorize the Mac-address of current devices connected.
You could also use the "maximum" options to allow multiple devices to connect if your devices move from location to location as Don had asked.
QoS is also a good one - allows prioritizing or reserving bandwidth or capping bandwidth etc. Note however that the service-port command shown for QoS under the switch is a final step in a MQC configuration (Access-list, Class-map, Policy-map then Service policy). The service policy assigns an already created policy to a switch port
In short, it is solely based on what you want your design to be
I hope this helps
Switch(config-if)#?
arp Set arp type (arpa, probe, snap) or timeout
bandwidth Set bandwidth informational parameter
cdp Global CDP configuration subcommands
channel-group Etherchannel/port bundling configuration
channel-protocol Select the channel protocol (LACP, PAgP)
delay Specify interface throughput delay
description Interface specific description
duplex Configure duplex operation.
exit Exit from interface configuration mode
hold-queue Set hold queue depth
ip Interface Internet Protocol config commands
mdix Set Media Dependent Interface with Crossover
mls mls interface commands
no Negate a command or set its defaults
power Power configuration
service-policy Configure QoS Service Policy
shutdown Shutdown the selected interface
spanning-tree Spanning Tree Subsystem
speed Configure speed operation.
storm-control storm configuration
switchport Set switching mode characteristics
tx-ring-limit Configure PA level transmit ring limit
Be mindful also that the commands shown above have multiple sub commands
With that said, there are a few basic things you can set
- For ports that will always connect to a computer or device, you want to hard code them as access ports (switchport mode access)
- Your access port will need vlan and native vlan (if trunk) changed or left at default value - vlan 1
(switchport access vlan 10)
(switchport trunk native vlan 99)
- Access ports that are no in use should be shut down
- Descriptions are good for quick identification (description WEB-SERVER-1)
Those are just the fundamentals
The port-security option is good to prevent unauthorized device connections
- In your example, it may be good to add a couple of port=security parameters
eg switchport port-security mac-address xx-xx-xx (especially for servers) this allows only that device to connect on that port
You could use other options like "sticky" to automatically memorize the Mac-address of current devices connected.
You could also use the "maximum" options to allow multiple devices to connect if your devices move from location to location as Don had asked.
QoS is also a good one - allows prioritizing or reserving bandwidth or capping bandwidth etc. Note however that the service-port command shown for QoS under the switch is a final step in a MQC configuration (Access-list, Class-map, Policy-map then Service policy). The service policy assigns an already created policy to a switch port
In short, it is solely based on what you want your design to be
I hope this helps
Active today
Then I would have:
I'm not a fan of bpdufilter but you could use that. I just don't see the benefit for it today.
As for port security, if you need it, go ahead. But it can become a management pain.
switchport mode access
switchport access VLAN xx
spanning-tree portfast
spanning-tree bpduguard enable
I'm not a fan of bpdufilter but you could use that. I just don't see the benefit for it today.
As for port security, if you need it, go ahead. But it can become a management pain.
Active today
You may want to configure autorecovery with port-security to lessen the management pain.
You can set the time as desired
eg
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#errdisable ?
detect Error disable detection
flap-setting Error disable flap detection setting
recovery Error disable recovery
Switch(config)#errdisable recovery ?
cause Enable error disable recovery for application
interval Error disable recovery timer value
Select the cause you want autorecovery to happen for
Switch(config)#errdisable recovery cause ?
all Enable timer to recover from all error causes
arp-inspection Enable timer to recover from arp inspection error disable state
bpduguard Enable timer to recover from BPDU Guard error
channel-misconfig Enable timer to recover from channel misconfig error
dhcp-rate-limit Enable timer to recover from dhcp-rate-limit error
dtp-flap Enable timer to recover from dtp-flap error
gbic-invalid Enable timer to recover from invalid GBIC error
inline-power Enable timer to recover from inline-power error
link-flap Enable timer to recover from link-flap error
loopback Enable timer to recover from loopback error
mac-limit Enable timer to recover from mac limit disable state
pagp-flap Enable timer to recover from pagp-flap error
port-mode-failure Enable timer to recover from port mode change failure
psecure-violation Enable timer to recover from psecure violation error
security-violation Enable timer to recover from 802.1x violation error
sfp-config-mismatch Enable timer to recover from SFP config mismatch error
small-frame Enable timer to recover from small frame error
storm-control Enable timer to recover from storm-control error
udld Enable timer to recover from udld error
vmps Enable timer to recover from vmps shutdown error
Then Select the desired interval
Switch(config)#errdisable recovery interval ?
<30-86400> timer-interval(sec)
You can set the time as desired
eg
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#errdisable ?
detect Error disable detection
flap-setting Error disable flap detection setting
recovery Error disable recovery
Switch(config)#errdisable recovery ?
cause Enable error disable recovery for application
interval Error disable recovery timer value
Select the cause you want autorecovery to happen for
Switch(config)#errdisable recovery cause ?
all Enable timer to recover from all error causes
arp-inspection Enable timer to recover from arp inspection error disable state
bpduguard Enable timer to recover from BPDU Guard error
channel-misconfig Enable timer to recover from channel misconfig error
dhcp-rate-limit Enable timer to recover from dhcp-rate-limit error
dtp-flap Enable timer to recover from dtp-flap error
gbic-invalid Enable timer to recover from invalid GBIC error
inline-power Enable timer to recover from inline-power error
link-flap Enable timer to recover from link-flap error
loopback Enable timer to recover from loopback error
mac-limit Enable timer to recover from mac limit disable state
pagp-flap Enable timer to recover from pagp-flap error
port-mode-failure Enable timer to recover from port mode change failure
psecure-violation Enable timer to recover from psecure violation error
security-violation Enable timer to recover from 802.1x violation error
sfp-config-mismatch Enable timer to recover from SFP config mismatch error
small-frame Enable timer to recover from small frame error
storm-control Enable timer to recover from storm-control error
udld Enable timer to recover from udld error
vmps Enable timer to recover from vmps shutdown error
Then Select the desired interval
Switch(config)#errdisable recovery interval ?
<30-86400> timer-interval(sec)
Featured Post
We value your feedback.
Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
Suggested Courses
Course of the Month13 days, 17 hours left to enroll
656 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.