Suggestions on Network operations

Dear Experts, I need suggestions on this network design. Is there anything we need to consider for improving HA, security, performance? Could you please help? Many thanks!

[attachment: net.PNG (network diagram)]

Core SW1, SW2: Cisco 3850 IP Services
Access SW1, SW2: Cisco 2960 LAN Base

- Between C1 and C2: EtherChannel trunking, native VLAN 88
- Between C1 and C2, C1 and A1/A2, C2 and A1/A2: trunking interfaces, native VLAN 88
- C1: VTP server, other switches are VTP clients, version 2
- VLAN 10 (LAN), 11 (LAN), 88 (management) synchronized between switches

- C1:
  STP root primary for VLAN 10, secondary for VLAN 11
  HSRP active for VLAN 10, HSRP standby for VLAN 11 (standby .254)
  DHCP pools VLAN10A, VLAN11A, default GW is .254, excluded addresses .1 - .50 and .53 - .254 (so 2 addresses, .51 and .52, are available, just for test)

- C2:
  STP root primary for VLAN 11, secondary for VLAN 10
  HSRP active for VLAN 11, HSRP standby for VLAN 10
  DHCP pools VLAN10B, VLAN11B, default GW is .254, excluded addresses .1 - .250 and .253 - .254 (so 2 addresses, .251 and .252, are available, just for test)

- Access switches: switchport mode access / define the VLAN on interfaces connected to PCs
Asked by DP230, Network Administrator

Soulja53 6F 75 6C 6A 61 Commented:
1. Use VTP version 3, or not at all, since you are only dealing with 4 switches.
2. Configure trunks as port-channels between all the switches.
3. I assume you are using Rapid Spanning Tree; if not, use it.
4. PortFast with BPDU Guard on all access/host ports.

Nothing else I can think of. Pretty simple design.
0
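A core-switch configuration that applies points 1 to 3 above to the design in the question, added here as an illustration; it is not Soulja's configuration and not taken from the poster's switches. The VLAN numbers, native VLAN and STP roles come from the question; the interface numbers (Gi1/0/1-2 towards C2), the VTP domain name and the VTP password are assumed placeholders.

```cisco
! C1 (Catalyst 3850) -- added example for this thread, not the poster's config
! Assumed: Gi1/0/1-2 are the two links to C2, VTP domain "LAB", password "VtpS3cret"
!
! Point 3: Rapid PVST+ instead of classic PVST+; root roles as in the question
spanning-tree mode rapid-pvst
spanning-tree vlan 10 root primary
spanning-tree vlan 11 root secondary
!
! Point 1: VTP version 3. The domain name must exist before "vtp version 3"
! is accepted. With v3 the VLAN database is only writable on the one switch
! that has been promoted to primary server, so a freshly added switch with a
! higher revision number cannot overwrite it.
vtp domain LAB
vtp version 3
vtp mode server
vtp password VtpS3cret hidden
!
! Point 2: bundle the two C1-C2 links into a single LACP port-channel so STP
! sees one logical link and both links carry traffic
interface range GigabitEthernet1/0/1 - 2
 description Link to C2
 switchport mode trunk
 switchport trunk native vlan 88
 switchport trunk allowed vlan 10,11,88
 channel-group 1 mode active
!
interface Port-channel1
 description EtherChannel to C2
 switchport mode trunk
 switchport trunk native vlan 88
 switchport trunk allowed vlan 10,11,88
```

Once the VLANs exist on C1, promote it from privileged EXEC with `vtp primary vlan`; C2, A1 and A2 get the same `vtp domain`, `vtp version 3` and `vtp password`, but `vtp mode client`. To check the result, `show vtp status` on each switch should report version 3 and the same primary server, `show etherchannel summary` on C1 and C2 should list Po1 as bundled and in use, and `show spanning-tree vlan 10` should show C1 as root with Po1 (not the two physical ports) as the link to C2.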
Hemil AquinoNetwork EngineerCommented:
If you are only referring to layer two, here is what you should do:

Core layer:

1- RSTP
2- EtherChannel ports for trunking, based on source and destination MAC.

In my perspective, I strongly recommend VTP if you have more than 100+ users. The reason is the sequence number on the switch.
If you install a new switch and you forgot to put the switch in transparent mode, you would destroy all the VLANs on your server. Keep an eye on that.

VTP version 3 is if you want authentication between switches; it is a lot of work. Keep it simple with v2. This version protects the password with a hash and will do the job.


Access layer:

1- Configure DHCP snooping globally to stop DHCP traffic from malicious users. Then configure one port to permit DHCP traffic.
2- Each port should be configured only as access mode, accepting only 2 MAC addresses. Also set a shutdown violation.
3- Configure ARP inspection after configuring DHCP binding; that way you will protect your network against MAC & IP spoofing.

You can read more here.
https://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/72846-layer2-secftrs-catl3fixed.html

That's about it.
0
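An access-switch configuration that implements the three access-layer items above (DHCP snooping, port security, Dynamic ARP Inspection) together with the PortFast/BPDU Guard point from Soulja's first comment, added here as an illustration; it is not Hemil's configuration and not taken from the Cisco document he links. The VLANs and native VLAN come from the question; the interface numbers (Gi0/1 to C1, Gi0/2 to C2, Fa0/1-24 as PC ports) are assumed.

```cisco
! A1 (Catalyst 2960 LAN Base) -- added example for this thread, not Hemil's config
! Assumed: Gi0/1 uplink to C1, Gi0/2 uplink to C2, Fa0/1-24 are PC ports in VLAN 10
!
! Item 1: DHCP snooping. Server replies (OFFER/ACK) are dropped on untrusted
! ports, and the DHCP snooping binding table (MAC, IP, VLAN, port) is built
! from the leases that pass through. Option 82 is turned off here because the
! DHCP server is the core 3850 itself and a relay-less server drops packets
! that carry option 82 with giaddr 0 unless told to trust them.
ip dhcp snooping
ip dhcp snooping vlan 10,11
no ip dhcp snooping information option
!
! Item 3: Dynamic ARP Inspection checks every ARP on untrusted ports against
! the snooping bindings, so a host cannot claim another host's IP or MAC
ip arp inspection vlan 10,11
ip arp inspection validate src-mac dst-mac ip
!
! Only the uplinks towards C1/C2 (where the DHCP pools live) are trusted;
! this is the "one port to permit DHCP traffic" from item 1
interface range GigabitEthernet0/1 - 2
 description Uplink to core
 switchport mode trunk
 switchport trunk native vlan 88
 switchport trunk allowed vlan 10,11,88
 ip dhcp snooping trust
 ip arp inspection trust
!
! Item 2: host ports are access only, limited to 2 MAC addresses, shut on
! violation, plus PortFast and BPDU Guard so a rogue switch cannot join STP
interface range FastEthernet0/1 - 24
 description PC port
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Optional: let err-disabled ports recover after the default timer instead of
! needing a manual "shutdown / no shutdown"
errdisable recovery cause psecure-violation
errdisable recovery cause bpduguard
```

Two things to check after applying this. First, a PC with a static address has no entry in the snooping table, so DAI drops its ARP traffic until you either let it use DHCP or add it via an `arp access-list` applied with `ip arp inspection filter`; `show ip dhcp snooping binding` and `show ip arp inspection statistics vlan 10` make such drops visible. Second, `show port-security interface FastEthernet0/1` and `show interfaces status err-disabled` show which ports have hit the MAC limit or received a BPDU.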
Soulja53 6F 75 6C 6A 61 Commented:
Incorrect, Hemil. VTP 3 is the way to go. There's not much more configuration than VTP 2. VTP is better as you can't accidentally delete VLANs. You have to promote VTP servers to primary in order to make VLAN changes. Also extended and private VLANs are supported.
0
Hemil AquinoNetwork EngineerCommented:
@soulja

Hi, I never said v3 was not a good option. All I meant to say was keep "things easy". If you have DHCP snooping in place and all the port configuration for security, you don't need that extra layer of authentication.

Now, I think you haven't seen problems with VTP. VTP is the most beautiful thing to propagate VLANs, but it has a downside. I don't know if you are familiar with the sequence numbers, but if you install or format a switch and that switch is not in transparent mode, it could kill the rest of the VLANs on your VTP server.

I've seen this in large organizations. Like I've said, it's just my opinion; he can use VTP, just be careful.
0
Soulja53 6F 75 6C 6A 61 Commented:
@hemil

You obviously haven't used VTP v3 before, because everything you just mentioned is avoided with VTP v3. It also is not any more complex to configure.

What do you keep talking about regarding VTP authentication in VTP v3??? It's the same steps to configure as VTPv2. Maybe you are confusing it with SNMP v3.
0