End-user port config - Best Practice
Yes I am still alive :P
Best practice often comes down to a matter of opinion, but I was just curious what some of you guys consider 'standard port configs' for end users. Over the years our L2 ports have become a bit of a mess as far as standardization goes, so I am working on some 'templates' to hand down for cleaning it up. Just figured I would see how other people do this, and what are some of the things that go in (or don't go in)?
For starters, I have put in a bunch of "no" commands to make sure there is nothing ugly left over. For example, no spann bpdufilter, no spann portfast, no switch mode trunk, etc. Then sort of build the port back up. I thought about having them do a default interface command to be safe first, but don't want to limit this work to after hours.
Any other tricks you guys put on? Perhaps security related? And no, I don't want to get into MAC address administration right now. Also haven't fully decided whether to keep the L2 QoS scheme (the LAN is extremely undersubscribed).
Comments
peanutnoggin:
GT-Rob,
I would definitely throw in port security. This is a must on our networks now! The network that I have is very small, so outside of the bpduguard, the port-security is all I can offer. I am however personally interested in some of the responses to this post... So I'll have a close eye on this one. Good thread... depending on how much response this generates, maybe this can turn into a sticky for some of the best practices in the field. Thanks
-Peanut
We cannot have a superior democracy with an inferior education system!
-Mayor Cory Booker
DevilWAH:
(conf)#default int f1/0/1
This will wipe out any config and return it to the factory default state.
Just a handy one to know.
First thing to do is
(conf-if)#switchport mode access
so force the port into access mode, and if you need to
(conf-if)#switchport access vlan xxx
I would also suggest a
(conf-if)#spanning-tree portfast
This can be done either globally or on a port-by-port basis (it only takes effect on ports in access status).
Port security is always a nice one to do.
The very basic: limit a port to only allow one MAC address to connect to it.
(conf-if)#switchport port-security
(conf-if)#switchport port-security maximum 1
But after this it very much depends on what you want to achieve.
- If you can't explain it simply, you don't understand it well enough. Albert Einstein
- An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties, it means that it's going to launch you into something great. So just focus and keep aiming.
LinkedIn Profile - Blog: http://Devilwah.com
notgoing2fail:
Quoting DevilWAH:
(conf)#default int f1/0/1
this will wipe out any config and return it to the factory default state
just a handy one to know
That's a great tip!
I also agree all ports should be set to access mode. Perhaps also not using your native VLAN, and keeping all hosts from using it. I learned that from CCNA Security; it has something to do with VLAN hopping.
Trunk ports set to unconditional trunking, and disable DTP:
switchport mode trunk
switchport nonegotiate
Use BPDU guard and root guard.
jason_lunde:
Do you have a voice VLAN in your network? We usually do the normal stuff like portfast, rootguard, etc. Also, we like to add some port-security so that if more than X addresses come up it shuts down the port. This way we don't have to mess with MAC address configuration, but the port will shut down if they plug in a switch, hub, wireless, etc., and the number of MAC addresses > X. X is open for interpretation by the administrator, and you can make it pretty tight if you want to. Most of our other access port implementations though are pretty standard. A good, standardized description is always helpful as well. Not like "Jason's port", but more like "ABC Voice # Data #" has always been helpful for me.
rakem:
Here's a handy tip:
switch(config-if)#switchport host
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled
Then bpduguard, rootguard, vlan xxx.
Also, no snmp trap link status.
CCIE# 38186
showroute.net
GT-Rob:
All good points. We do have a voice VLAN, but it is still far from deployed everywhere (maybe 100 total, of the 3000ish ports). Right now we enable that on a case-by-case basis as we set up a new extension, as we are still migrating to voice.
The native VLAN is isolated and unroutable already.
I have toyed with the idea of some kind of MAC address limit, still have to think about it some more though. I have a hard time pushing any security related ideas as that is just the culture here haha. It could actually be used to prevent network loops though. When a loop occurs, you are likely to see a large mac-address-table entry on those ports (due to ARP flooding in and out of it), so if the limit was set to two it could prevent it.
Portfast still makes me nervous. I generally only use it if it has to be there (phones, some of our blade trunks, etc.). I have been bitten before.
Rootguard is another good one. This assumes you have designed your STP topology correctly though.
Bpduguard should be a must-have I think. Of course, if the other side has BPDUfilter it can be 'bypassed', but it's a good measure with portfast to prevent a simple cable from being looped. Some of our desks have 2 jacks, and you will be surprised what a user will do. People hate seeing cables not plugged into something for some reason.
Nuul:
Quoting rakem:
here's a handy tip....
switch(config-if)#switchport host
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled
Hmmmm, is that one of the built-in macros? I didn't know about that command, thanks for posting it.
rakem:
Quoting Nuul:
Hmmmm, is that one of the built-in macros? I didn't know about that command, thanks for posting it.
Yep, just a built-in one.... no worries.
CCIE# 38186
showroute.net
Dilbert65:
Yoo-hoo Admin type, this should be made a sticky or something. A lot of great info so far.
jeanathan:
Macros are pretty cool. You can do a show parser macro on your switch to see what macros you have out of the box.
On my 3550 I have this macro for PCs:
#show parser macro
output omitted...
Macro name : cisco-desktop
Macro type : default interface
# macro keywords $access_vlan
# Basic interface - Enable data VLAN only
# Recommended value for access vlan should not be 1
switchport access vlan $access_vlan
switchport mode access
# Enable port security limiting port to a single
# MAC address -- that of desktop
switchport port-security
switchport port-security maximum 1
# Ensure port-security age is greater than one minute
# and use inactivity timer
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
# Configure port as an edge network port
spanning-tree portfast
spanning-tree bpduguard enable
output truncated...
On any interface configure it for PC's
3550_24(config-if)#macro apply cisco-desktop $access_vlan 10
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION
%Portfast has been configured on FastEthernet0/19 but will only
have effect when the interface is in a non-trunking mode.
There are macros for Desktop (PC), Cisco IP Phones, Switches, Routers, and Wireless APs on my 3550.
Struggling through the re-certification process after 2 years of no OJT for the CCNP.
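As an added example (not code from this thread or from any of the posters), here is a small Python audit that turns a saved running-config into per-interface command lists and reports, for each end-user port, which of the baseline commands discussed above are missing and which leftovers the original poster wants scrubbed (trunk mode, bpdufilter) are still present. The REQUIRED and FORBIDDEN lists are my assumptions distilled from the posts, and the sample config is constructed.

```python
import re
# Baseline an end-user access port should carry, per the posts above (assumed list).
REQUIRED = ["switchport mode access", "switchport port-security",
            "spanning-tree portfast", "spanning-tree bpduguard enable"]
# Leftovers the original poster wants scrubbed from end-user ports.
FORBIDDEN = ["switchport mode trunk", "spanning-tree bpdufilter enable"]
# Constructed sample running-config: one clean port, one messy port.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 description ABC Voice 2 Data 10
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 switchport mode trunk
 spanning-tree bpdufilter enable
 spanning-tree portfast
!
"""

def parse_interfaces(config):
    """Split an IOS-style config into {interface name: [indented commands]}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any other top-level line ends the stanza
    return interfaces

def port_security_maximum(commands):
    """Configured 'switchport port-security maximum N' for a port, or None if unset."""
    for c in commands:
        m = re.fullmatch(r"switchport port-security maximum (\d+)", c)
        if m:
            return int(m.group(1))
    return None

def audit_access_port(commands):
    """Return (missing baseline commands, leftovers to remove) for one port."""
    present = set(commands)
    return [c for c in REQUIRED if c not in present], [c for c in FORBIDDEN if c in present]
```

Run it over `show running-config` output captured from a switch to get a list of ports that still need the template applied; the maximum check lets you spot ports whose MAC limit is looser than the one or two addresses discussed above.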