Solved

Which is the best port config for Cisco switches?

Posted on 2015-02-13
Last Modified: 2016-06-13
Hi Experts,

I have a simple question for you.
Can you show me the best recommended settings for a Cisco switch port?
I use 2960X and 3650X.

There are so many parameters around.
Maybe you can show me the different settings with a short info.
Question by:Eprs_Admin

Author Comment

by:Eprs_Admin
What about this setup for my ports?

 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable

LVL 50

Expert Comment

by:Don Johnston
That's like asking "What Cisco switch do I need?" There are just too many variables to be able to answer the question.

I see in your post you're showing port security.  Does that mean the devices in your network never move to other ports?  If so, then port security may be a good thing to have.

Can you provide some information on the environment? Are there phones connected to the switch? Is QoS required? What's the security environment?
LVL 18

Accepted Solution

by:Akinsd
Akinsd earned 250 total points
I agree with Don. There are just too many variables depending on the options you want. Depending on IOS version, you can have more or fewer options, as shown below.

Switch(config-if)#?
  arp               Set arp type (arpa, probe, snap) or timeout
  bandwidth         Set bandwidth informational parameter
  cdp               Global CDP configuration subcommands
  channel-group     Etherchannel/port bundling configuration
  channel-protocol  Select the channel protocol (LACP, PAgP)
  delay             Specify interface throughput delay
  description       Interface specific description
  duplex            Configure duplex operation.
  exit              Exit from interface configuration mode
  hold-queue        Set hold queue depth
  ip                Interface Internet Protocol config commands
  mdix              Set Media Dependent Interface with Crossover
  mls               mls interface commands
  no                Negate a command or set its defaults
  power             Power configuration
  service-policy    Configure QoS Service Policy
  shutdown          Shutdown the selected interface
  spanning-tree     Spanning Tree Subsystem
  speed             Configure speed operation.
  storm-control     storm configuration
  switchport        Set switching mode characteristics
  tx-ring-limit     Configure PA level transmit ring limit

Be mindful also that the commands shown above have multiple sub-commands.

With that said, there are a few basic things you can set:
- For ports that will always connect to a computer or device, you want to hard-code them as access ports (switchport mode access)
- Your access port will need the VLAN and native VLAN (if trunk) changed or left at the default value, VLAN 1
(switchport access vlan 10)
(switchport trunk native vlan 99)
- Access ports that are not in use should be shut down
- Descriptions are good for quick identification (description WEB-SERVER-1)

Those are just the fundamentals.
The port-security option is good to prevent unauthorized device connections.
- In your example, it may be good to add a couple of port-security parameters,
e.g. switchport port-security mac-address xx-xx-xx (especially for servers); this allows only that device to connect on that port.
You could use other options like "sticky" to automatically memorize the MAC address of the current devices connected.
You could also use the "maximum" option to allow multiple devices to connect if your devices move from location to location, as Don had asked.
QoS is also a good one - it allows prioritizing or reserving bandwidth, or capping bandwidth, etc. Note however that the service-port command shown for QoS under the switch is the final step in an MQC configuration (Access-list, Class-map, Policy-map, then Service policy). The service policy assigns an already created policy to a switch port.
In short, it is solely based on what you want your design to be.
I hope this helps.

Author Comment

by:Eprs_Admin
On my access switches, just desktops and printers are connected, no phones.
LVL 50

Assisted Solution

by:Don Johnston
Don Johnston earned 250 total points
Then I would have:

switchport mode access
switchport access VLAN xx
spanning-tree portfast
spanning-tree bpduguard enable


I'm not a fan of bpdufilter but you could use that. I just don't see the benefit for it today.

As for port security, if you need it, go ahead. But it can become a management pain.
LVL 18

Assisted Solution

by:Akinsd
Akinsd earned 250 total points
You may want to configure autorecovery with port-security to lessen the management pain.
You can set the time as desired, e.g.:
Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#errdisable ?
  detect        Error disable detection
  flap-setting  Error disable flap detection setting
  recovery      Error disable recovery
Switch(config)#errdisable recovery ?
  cause     Enable error disable recovery for application
  interval  Error disable recovery timer value

Select the cause you want autorecovery to happen for:
Switch(config)#errdisable recovery cause ?
  all                  Enable timer to recover from all error causes
  arp-inspection       Enable timer to recover from arp inspection error disable state
  bpduguard            Enable timer to recover from BPDU Guard error
  channel-misconfig    Enable timer to recover from channel misconfig error
  dhcp-rate-limit      Enable timer to recover from dhcp-rate-limit error
  dtp-flap             Enable timer to recover from dtp-flap error
  gbic-invalid         Enable timer to recover from invalid GBIC error
  inline-power         Enable timer to recover from inline-power error
  link-flap            Enable timer to recover from link-flap error
  loopback             Enable timer to recover from loopback error
  mac-limit            Enable timer to recover from mac limit disable state
  pagp-flap            Enable timer to recover from pagp-flap error
  port-mode-failure    Enable timer to recover from port mode change failure
  psecure-violation    Enable timer to recover from psecure violation error
  security-violation   Enable timer to recover from 802.1x violation error
  sfp-config-mismatch  Enable timer to recover from SFP config mismatch error
  small-frame          Enable timer to recover from small frame error
  storm-control        Enable timer to recover from storm-control error
  udld                 Enable timer to recover from udld error
  vmps                 Enable timer to recover from vmps shutdown error

Then select the desired interval:
Switch(config)#errdisable recovery interval ?
  <30-86400>  timer-interval(sec)
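The two answers above give a checklist for an in-use access port (hard-coded access mode, a non-default VLAN, a description, portfast, bpduguard, port-security) and note that port-security's default violation mode err-disables the port unless errdisable recovery is enabled for psecure-violation. The following is an added example, not code from this thread or from Cisco: a small Python audit that parses a running-config excerpt and reports which access interfaces fall short of that checklist. The sample config, the interface names, VLAN numbers and the MAC address in it are constructed for illustration.

```python
"""Audit access-port configuration in a Cisco IOS running-config excerpt.

Added example (not from the original thread): checks each access interface
against the baseline the answers above recommend and reports what is missing.
"""
import re
from typing import Dict, List, Optional, Set

# Constructed sample running-config excerpt (not captured from a real switch).
SAMPLE_CONFIG = """\
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
interface GigabitEthernet1/0/1
 description DESKTOP-01
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 description PRINTER-01
 switchport access vlan 10
 spanning-tree portfast
!
interface GigabitEthernet1/0/3
 shutdown
!
interface GigabitEthernet1/0/4
 description SERVER-01
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security mac-address 0011.2233.4455
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/48
 description UPLINK-TO-CORE
 switchport mode trunk
 switchport trunk native vlan 99
!
"""

# Commands every in-use access port should carry, taken from the answers above.
ACCESS_BASELINE = [
    "switchport mode access",
    "spanning-tree portfast",
    "spanning-tree bpduguard enable",
    "switchport port-security",
]


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [indented config lines]} for each interface stanza."""
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
        else:
            current = None  # "!" or a global line closes the stanza
    return interfaces


def parse_errdisable(config: str) -> Dict[str, object]:
    """Collect the global errdisable recovery causes and the recovery interval."""
    causes: Set[str] = set()
    interval: Optional[int] = None
    for line in config.splitlines():
        m = re.match(r"errdisable recovery cause (\S+)", line)
        if m:
            causes.add(m.group(1))
        m = re.match(r"errdisable recovery interval (\d+)", line)
        if m:
            interval = int(m.group(1))
    return {"causes": causes, "interval": interval}


def audit_interface(lines: List[str], recovery_causes: Set[str]) -> List[str]:
    """Findings for one interface; an empty list means it meets the baseline."""
    if "shutdown" in lines or "switchport mode trunk" in lines:
        return []  # unused ports are shut down; trunks are out of scope here
    findings = [f"missing: {cmd}" for cmd in ACCESS_BASELINE if cmd not in lines]
    if not any(l.startswith("switchport access vlan ") for l in lines):
        findings.append("left in default VLAN 1")
    if not any(l.startswith("description ") for l in lines):
        findings.append("no description")
    # Port-security defaults to violation mode "shutdown", which err-disables the
    # port; without errdisable recovery for psecure-violation (or "all") someone
    # has to clear it by hand, which is the "management pain" noted above.
    if "switchport port-security" in lines:
        violation = next(
            (l.split()[-1] for l in lines
             if l.startswith("switchport port-security violation ")),
            "shutdown",
        )
        if violation == "shutdown" and not recovery_causes & {"psecure-violation", "all"}:
            findings.append("violation mode shutdown without errdisable recovery for psecure-violation")
    return findings


def audit_config(config: str) -> Dict[str, List[str]]:
    """Map each non-compliant interface name to its list of findings."""
    causes = parse_errdisable(config)["causes"]
    report: Dict[str, List[str]] = {}
    for name, lines in parse_interfaces(config).items():
        findings = audit_interface(lines, causes)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run against the sample, the audit passes GigabitEthernet1/0/1 (fully configured), skips the shut port and the trunk, flags 1/0/2 for missing access mode, bpduguard and port-security, and flags 1/0/4 because its port-security still uses the default shutdown violation mode while the global errdisable recovery only covers bpduguard. Feeding the output of `show running-config` into `audit_config` turns the checklist from the thread into something that can be rerun after every change.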

Author Comment

by:Eprs_Admin
This is a nice feature, the recovery after an error :-)
Author Closing Comment

by:Eprs_Admin
Thanks a lot.