End-user port config - Best Practice

GT-RobGT-Rob Member Posts: 1,090
Yes I am still alive :P

Best Practice often comes down to a matter of opinion, but I was just curious what some of you guys consider 'standard port configs' for end users? Over the years our L2 ports have become a bit of a mess as far as standardization, so I am working on some 'templates' to hand down for cleaning it up. Just figured I would see how other people do this, and what are some of the things that go in (or don't go in)?

For starters, I have put in a bunch of "no commands" to make sure there is nothing ugly left over. For example, no spann bpdufilter, no spann portfast, no switch mode trunk, etc. Then sort of build the port back up. I thought about having them do an interface default command to be safe first, but don't want to limit this work to after hours.

Any other tricks you guys put on? Perhaps security related? And no, I don't want to get into MAC-Address administration right now. Also haven't fully decided to keep L2 QoS scheme (the LAN is extremely under subscribed).


  • peanutnogginpeanutnoggin Member Posts: 1,096 ■■■□□□□□□□

    I would definitely throw in port security. This is a must on our networks now! The network that I have is very small, so outside of the bpduguard, the port-security is all I can offer. I am however personally interested in some of the responses to this post... So I'll have a close eye on this one. Good thread... depending on how much response this generates, maybe this can turn into a sticky for some of the best practices in the field. Thanks

    We cannot have a superior democracy with an inferior education system!

    -Mayor Cory Booker
  • DevilWAHDevilWAH Member Posts: 2,997 ■■■■■■■■□□
    (conf)#default int f1/0/1

    this will wipe out any config and return it to the factory default state

    jsut a handy one to know :)

    first thing is to do

    (conf-if)#switchport mode access

    so force port in to access mode and if you need to

    (conf-if)#switchport access vlan xxx

    I would also suggest a

    #spanning tree portfast

    this can be done either globable or on a port by port bacises (iot only takes affect on ports in the access status)

    port security is always a nice one to do.

    the very basic limit a port to only allow one mac address to connect to it.

    (conf-if)# switchport portsecurity max 1

    but after this it very much depends on what you want to achive.
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
  • notgoing2failnotgoing2fail Member Posts: 1,138
    DevilWAH wrote: »
    (conf)#default int f1/0/1

    this will wipe out any config and return it to the factory default state

    jsut a handy one to know :)

    that's a great tip!

    I also agree all ports should be set to access mode. Perhaps, not using your native VLAN and keeping all hosts from using it. I learned that from the CCNA security, has something to do with vlan hopping....

    trunk ports set to unconditional and disable DTP.

    switchport mode trunk
    switchport nonegotiate

    use BPDU guard and root guard.....

  • jason_lundejason_lunde Member Posts: 567
    Do you have a voice vlan in your network? We usually do the normal stuff like portfast, rootguard, etc.. Also, we like to add some port-security so that if more than X addresses come up it shuts down the port. This way we dont have to mess with mac address configuration, but the port will shut down if they plug in a switch, hub, wireless, etc, and the # of mac addresses > X. X is open for interpretation by the administrator, and you can make it pretty tight if you want to. Most of our other access port implementations though are pretty standard. A good, standardized description is always helpful as well. Not like "Jason's port", but more like "ABC Voice # Data #" has always been helpful for me.
  • rakemrakem Member Posts: 800
    here's a handy tip....

    switch(config-if)#switchport host
    switchport mode will be set to access
    spanning-tree portfast will be enabled
    channel group will be disabled

    Then, bpguguard, rootguard, vlan xxx
    also, no snmp trap link status
    CCIE# 38186
  • GT-RobGT-Rob Member Posts: 1,090
    All good points. We do have a Voice Vlan, but it is still far from deployed everywhere (maybe 100 total, of the 3000ish ports). Right now we enable that on a case by case as we setup a new extension, as we are still migrating to voice.

    The native VLAN is isolated and unroutable already.

    I have toyed with the idea of some kind of mac-address limit, still have to think about it some more though. I have a hard time pushing any security related ideas as that is just he culture here haha. It could actually be used to prevent network loops though. When a loop occurs, you are likely to see a large mac-address-table entry on those ports (due to arp flooding in and out of it), so if the limit was set to two it could prevent it.

    Portfast still makes me nervous. I generally only use it if it has to be there (phones, some of our blade trunks, etc.). I have been bitten before ;)

    Rootguard is another good one. This assumes you have designed your STP topology correctly though.

    Bpduguard should be a must have I think. Of course, if the other side has BPDUfilter it can be 'bypassed', but its a good measure with portfast to prevent a simple cable from being looped. Some of our desks have 2 jacks, and you will be surprised what a user will do. People hate seeing cables not plugged into something for some reason.
  • NuulNuul Member Posts: 158
    rakem wrote: »
    here's a handy tip....

    switch(config-if)#switchport host
    switchport mode will be set to access
    spanning-tree portfast will be enabled
    channel group will be disabled

    Hmmmm, is that one of the built in macros? I didn't know about that command, thanks for posting it.
  • rakemrakem Member Posts: 800
    Nuul wrote: »
    Hmmmm, is that one of the built in macros? I didn't know about that command, thanks for posting it.

    yep just a built in one.... no worries.
    CCIE# 38186
  • Dilbert65Dilbert65 Member Posts: 73 ■■□□□□□□□□
    Yoo-Hoo Admin type, this should be made a sticky or something. alot of great info so far.
  • jeanathanjeanathan Member Posts: 163
    Macro's are pretty cool. You can do a show parser macro on your switch to see what macro's you have out of the box.

    On my 3550 I have this macro for PC's

    #show parser macro
    output omitted...
    Macro name : cisco-desktop
    Macro type : default interface
    # macro keywords $access_vlan
    # Basic interface - Enable data VLAN only
    # Recommended value for access vlan should not be 1
    switchport access vlan $access_vlan
    switchport mode access

    # Enable port security limiting port to a single
    # MAC address -- that of desktop
    switchport port-security
    switchport port-security maximum 1

    # Ensure port-security age is greater than one minute
    # and use inactivity timer
    switchport port-security violation restrict
    switchport port-security aging time 2
    switchport port-security aging type inactivity

    # Configure port as an edge network port
    spanning-tree portfast
    spanning-tree bpduguard enable

    output truncated...

    On any interface configure it for PC's

    3550_24(config-if)#macro apply cisco-desktop $access_vlan 10
    %Warning: portfast should only be enabled on ports connected to a single
    host. Connecting hubs, concentrators, switches, bridges, etc... to this
    interface when portfast is enabled, can cause temporary bridging loops.
    Use with CAUTION

    %Portfast has been configured on FastEthernet0/19 but will only
    have effect when the interface is in a non-trunking mode.

    There are macro's for Desktop(PC), Cisco IP Phones, Switches, Routers, and Wireless AP's on my 3550.
    Struggling through the re-certification process after 2 years of no OJT for the CCNP.
Sign In or Register to comment.