Suggestions on Network operations

DP230 asked:
Dear Experts, I need suggestions on this network design. Is there anything we need to consider to improve HA, security, or performance? Could you please help? Many thanks!

Core SW1, SW2: Cisco 3850 IP service
Access SW1, SW2: Cisco 2960 LANBase

- Between C1 and C2: EtherChannel Trunking native vlan 88
- Between C1 and C2, C1 and A1, A2, C2 and A1, A2: trunking interfaces native vlan 88
- C1: VTP Servers, other switches are VTP clients, version2
- VLAN 10 (LAN), 11 (LAN), 88 (management) synchronize between switches

- C1:
STP root primary for VLAN10, secondary for VLAN11
HSRP Active for  VLAN10, HSRP Standby for VLAN11 (standby .254)
DHCP pool VLAN10A, VLAN11A, default GW is .254, exclude address .1 - .50 and .53 - .254  (so 2 addresses .51, .52 are available, just for test)

- C2:
STP root primary for VLAN11, secondary for VLAN10
HSRP Active for  VLAN11, HSRP Standby for VLAN10
DHCP pool VLAN10B, VLAN11B, default GW is .254, exclude address .1 - .250 and .253 - .254  (so 2 addresses .251, .252 are available, just for test)

- Access switches: sw mode access / define VLAN on interfaces connected to PCs
Top Expert 2011

1. Use VTP version 3 or none at all, since you are only dealing with 4 switches.
2. Configure the trunks between all the switches as port-channels.
3. I assume you are using Rapid Spanning Tree; if not, use it.
4. PortFast with BPDU guard on all access/host ports.

Nothing else I can think of.  Pretty simple design.
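The items above as IOS configuration, as an added example that is not part of the expert's post. It shows one core (C1) with RSTP root roles matching the question, an LACP port-channel trunk to A1 carrying the three VLANs with native VLAN 88, and a host port on A1 with PortFast and BPDU guard. Interface numbers, the port-channel number and descriptions are assumptions; C2 mirrors C1 with the root primary/secondary roles swapped.

```cisco
! --- Core switch C1 (Cisco 3850) ---
spanning-tree mode rapid-pvst
spanning-tree vlan 10 root primary
spanning-tree vlan 11 root secondary
! Any port that is a PortFast edge port is err-disabled if a BPDU arrives on it
spanning-tree portfast bpduguard default
!
! Uplink to A1: two physical links bundled with LACP (interface names are assumptions)
interface range GigabitEthernet1/0/1 - 2
 description Uplink to Access SW A1
 ! Only needed on platforms that still offer ISL (not on the 2960):
 ! switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 88
 switchport trunk allowed vlan 10,11,88
 switchport nonegotiate
 channel-group 11 mode active
!
interface Port-channel11
 description Port-channel to A1
 switchport mode trunk
 switchport trunk native vlan 88
 switchport trunk allowed vlan 10,11,88
 switchport nonegotiate
!
! --- Access switch A1 (Cisco 2960): one host port ---
interface FastEthernet0/5
 description User PC
 switchport mode access
 switchport access vlan 10
 ! PortFast skips listening/learning on this edge port; BPDU guard shuts it if a switch is plugged in
 spanning-tree portfast
 spanning-tree bpduguard enable
```

Check the result with `show etherchannel summary` (the bundle should be flagged `SU`, the members `P`), `show spanning-tree vlan 10` on both cores (C1 must show "This bridge is the root"), and `show spanning-tree summary` for the PortFast/BPDU guard defaults. The trunk settings are repeated on the physical members and on the Port-channel so the members are compatible when they join the bundle.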
Network Security Engineer
Distinguished Expert 2018
If you are only referring to layer two here is what you should do:

Core layer:

2- EtherChannel ports for trunking, load-balanced on source and destination MAC.

From my perspective, I strongly recommend VTP if you have more than 100 users. The reason is the sequence number on the switch.
If you install a new switch and forget to put it in transparent mode, you can destroy all the VLANs on your VTP server. Keep an eye on that.

VTP version 3 is for when you want authentication between switches; it is a lot of work. Keep it simple with V2. That version protects the password with a hash and will do the job.

Access layer:

1- Configure DHCP snooping globally to stop DHCP traffic from malicious users. Then configure one port to permit DHCP traffic.
2- Each port should be configured as access mode only, accepting only 2 MAC addresses. Also set the violation action to shutdown.
3- Configure ARP inspection after configuring the DHCP binding. That way you will protect your network against MAC and IP spoofing.

You can read more here.

That's about it.
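The access-layer steps above written out for one 2960, as an added example that is not taken from the post. It enables DHCP snooping on the user VLANs, trusts only the uplink port-channel for DHCP server replies, limits each host port to two MAC addresses with shutdown on violation, and layers Dynamic ARP Inspection on top of the snooping bindings. The port-channel number, the host-port range, the rate limits and the 300-second err-disable recovery are assumptions; the src-dst-mac load-balancing line is the core-layer item from the post.

```cisco
! --- Access switch A1 (Cisco 2960), global configuration ---
port-channel load-balance src-dst-mac
!
! DHCP snooping: learn IP/MAC bindings and drop OFFER/ACK arriving on untrusted ports
ip dhcp snooping
ip dhcp snooping vlan 10,11
! Caveat: the DHCP servers here are the IOS cores. By default snooping inserts
! option 82 with giaddr 0, and an IOS DHCP server drops such requests, so turn
! the insertion off (the alternative is "ip dhcp relay information trust-all" on C1/C2).
no ip dhcp snooping information option
!
! Dynamic ARP Inspection validates ARP against the snooping binding table
ip arp inspection vlan 10,11
ip arp inspection validate src-mac dst-mac ip
!
! Ports shut down by a violation come back after 5 minutes (assumed interval)
errdisable recovery cause psecure-violation
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
! Uplink to the cores: the only place DHCP server traffic and unchecked ARP may enter
interface Port-channel1
 description Port-channel to C1/C2
 ip dhcp snooping trust
 ip arp inspection trust
!
! Host ports (range is an assumption)
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 ! Rate limits (pps) stop a host flooding DISCOVERs or ARPs to exhaust the tables
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
```

Verify with `show ip dhcp snooping` (VLANs, trusted interfaces and the option-82 setting), `show ip dhcp snooping binding` after a client obtains a lease, `show ip arp inspection statistics` for dropped ARP, and `show port-security interface FastEthernet0/5`. A host with a static IP has no snooping binding and will have its ARP dropped by DAI; that is the expected behaviour of the design, so such hosts need an `arp access-list` entry or a move to DHCP.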
Top Expert 2011

Incorrect, Hemil. VTP 3 is the way to go. There's not much more configuration than VTP 2. VTP 3 is better because you can't accidentally delete VLANs: you have to promote a VTP server to primary in order to make VLAN changes. Extended and private VLANs are also supported.
Hemil Aquino, Network Security Engineer
Distinguished Expert 2018


Hi, I never said V3 was not a good option. All I meant to say was keep things easy. If you have DHCP snooping in place and all the port security configuration, you don't need that extra layer of authentication.

Now, I think you haven't seen problems with VTP. VTP is the most beautiful thing for propagating VLANs, but it has a downside. I don't know if you are familiar with the sequence numbers, but if you install or format a switch and that switch is not in transparent mode, it could kill the rest of the VLANs on your VTP server.

I have seen this in large organizations. Like I said, it's just my opinion; he can use VTP, just be careful.
Top Expert 2011


You obviously haven't used VTP v3 before, because everything you just mentioned is avoided with VTP v3. It is also not any more complex to configure.

What do you keep talking about regarding VTP authentication in VTP v3? They are the same steps to configure as VTP v2. Maybe you are confusing it with SNMPv3.
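The VTP v3 setup that both the first answer and the exchange above refer to, as an added example that is none of the posters' own configuration. The point it illustrates is the one in dispute: in version 3 only the switch that has been explicitly promoted to primary server can change the VLAN database, so a freshly added switch with a higher configuration revision no longer overwrites the domain. The domain name and password are assumptions; the `hidden` keyword stores the password as a hash in the running configuration.

```cisco
! --- C1: the switch that is allowed to edit VLANs ---
vtp version 3
vtp domain CAMPUS
vtp mode server
vtp password S3cretKey hidden
!
! Promotion is an exec-mode command and is not stored in the configuration.
! Until it is run, even this server is read-only for the VLAN database:
!   C1# vtp primary vlan
! The command lists the other servers in the domain and asks for confirmation.
!
! --- C2: a secondary server; can be promoted later, cannot edit VLANs now ---
vtp version 3
vtp domain CAMPUS
vtp mode server
vtp password S3cretKey hidden
!
! --- A1, A2: clients ---
vtp version 3
vtp domain CAMPUS
vtp mode client
vtp password S3cretKey hidden
```

Check `show vtp status` on each switch: it reports the running version, the "Primary ID"/"Primary Description" fields identifying C1, and the configuration revision, which should match across all four. Run it first on the 2960s to confirm their IOS image lists version 3 as supported. Attempting `vlan 12` on C2 or a client is refused with a message that the device is not the primary server, which is the protection the thread is arguing about.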
