WS-3550 internet switch

Hey I work for a company and we have a really old 3com hub for our internet switch. I have a 3550 that I would like to replace it with. We have our firewall, vpn concentrator and internet router plugged into it. Our firewall outside interface is in half-duplex mode because of this 3com hub, can anyone provide a sh run of their internet switches? It would help me conceptualize the configuration I would need

Thanks a lot,
Cam

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

ciscojay-houston

I think it should be the other way around. Is this switch on the outside of your firewall? Sounds like it. If so, all of your ports would need to be on the same VLAN. Make sure that for security purposes, you don't assign an IP address to any of the VLAN interfaces of the switch. This will keep it as a layer 2 switch, and reduce your security risks from the Internet.

You can set your firewall to full duplex, along with any other devices that will plug into this switch.

On the switchport,you can set the duplex and speed accordingly. You can change the port number below, but here's a sample syntax you would use to set the speed and duplex on a particular interface.

conf t
int f0/1
speed 100
duplex full
exit
wr mem

nel

clamz wrote: »

Hey I work for a company and we have a really old 3com hub for our internet switch. I have a 3550 that I would like to replace it with. We have our firewall, vpn concentrator and internet router plugged into it. Our firewall outside interface is in half-duplex mode because of this 3com hub, can anyone provide a sh run of their internet switches? It would help me conceptualize the configuration I would need

Thanks a lot,
Cam

I dont think many would be stupid to give out configs willy nilly for security reasons.

Why dont you try and explain what you require or are stuck on and people can help. Also check the configuration guides from the cisco docs for the 3550. It has all the stuff you need.

clamz

ciscojay-houston wrote: »

I think it should be the other way around. Is this switch on the outside of your firewall? Sounds like it. If so, all of your ports would need to be on the same VLAN. Make sure that for security purposes, you don't assign an IP address to any of the VLAN interfaces of the switch. This will keep it as a layer 2 switch, and reduce your security risks from the Internet.

You can set your firewall to full duplex, along with any other devices that will plug into this switch.

On the switchport,you can set the duplex and speed accordingly. You can change the port number below, but here's a sample syntax you would use to set the speed and duplex on a particular interface.

conf t
int f0/1
speed 100
duplex full
exit
wr mem

Hey ciscojay, yeah good point on not setting the VLAN IP. Also, is it a good practice to hard set the ports to full duplex and 100 speed? Right now all 24 - ports are:

interface FastEthernet0/6
switchport mode dynamic desirable

Also,

interface Vlan1
no ip address

One more question, say my public block is 206.65.23.0 /24.. and my internet router is assigned to 206.65.23.1. On the internet switch, do I need to put in a gateway of last resort to the internet router? (i.e. ip route 0.0.0.0 0.0.0.0 206.65.23.1 255.255.255.0)

So the devices that are plugged into the internet switch know where to go?

Thanks

clamz

nel wrote: »

I dont think many would be stupid to give out configs willy nilly for security reasons.

Why dont you try and explain what you require or are stuck on and people can help. Also check the configuration guides from the cisco docs for the 3550. It has all the stuff you need.

hey good point, I should of clarified that I wanted just generic templates nothing with routable information,

Sorry for the confusion hehe

kryolla

clamz wrote: »

Hey ciscojay, yeah good point on not setting the VLAN IP. Also, is it a good practice to hard set the ports to full duplex and 100 speed? Right now all 24 - ports are:

interface FastEthernet0/6
switchport mode dynamic desirable

The above is to negotiate trunking not setting speed and duplex. We also hard code duplex and speed settings at my work. We had some issues with auto-negotiation

Also,

interface Vlan1
no ip address

One more question, say my public block is 206.65.23.0 /24.. and my internet router is assigned to 206.65.23.1. On the internet switch, do I need to put in a gateway of last resort to the internet router? (i.e. ip route 0.0.0.0 0.0.0.0 206.65.23.1 255.255.255.0)

So the devices that are plugged into the internet switch know where to go?

Thanks

The hosts will get the default gateway (your internet router) via DHCP if not then static. Gateway of last resort configured on a layer 2 switch is to send locally generated traffic off the subnet of the management vlan. Since you have no IP addresses in the switch I wouldnt worry about it. Why did you get a 3550 when a 2950 would of worked for your purpose

You are replacing a hub with a switch so the switch will work out of the box

tiersten

If you've got a hub there currently then any unmanaged switch will do the job. Using a L2/3 managed switch like a 3550 for this is a tad over the top. Even a 2950/2960 will be overkill for what you currently need.

clamz

kryolla wrote: »

The above is to negotiate trunking not setting speed and duplex. We also hard code duplex and speed settings at my work. We had some issues with auto-negotiation

The hosts will get the default gateway (your internet router) via DHCP if not then static. Gateway of last resort configured on a layer 2 switch is to send locally generated traffic off the subnet of the management vlan. Since you have no IP addresses in the switch I wouldnt worry about it. Why did you get a 3550 when a 2950 would of worked for your purpose

You are replacing a hub with a switch so the switch will work out of the box

You know I have a lot of layer two 2900XL's laying around. I should save my 3550 for L3 functionality, thanks!

networker050184

clamz wrote: »

You know I have a lot of layer two 2900XL's laying around. I should save my 3550 for L3 functionality, thanks!

Or just stash it away for your lab!

clamz

Hey guys I'm cutting over to the 2900XL tonight and had a question. I have hard set all of the interfaces on the new internet switch to duplex 100 and speed 10.

My firewall and vpn concentrator are not hard set right now, after I unplug them from the current switch do i have to apply those same commands to the outside interfaces on the VPN and Firewall? or should they negotiate the speed I set on the switch?

Thanks,
Cam

xwesleyxwillisx

You definately want to hard code the duplex and speed settings if you can (on the attached devices). This is especially true if they are 10/100 ports. If the switch is hard coded it will NOT negotiate with the attached devices.

I believe the default behavior for 10/100 ports with auto-negotiation is to default to 100/half if it can't negotiate. You'd probably get a "Error: Duplex mismatch" on the switch in that case also...

Short story is, if you can't hard code the firewall/VPN devices, don't hard code the switch ports.

clamz

xwesleyxwillisx wrote: »

You definately want to hard code the duplex and speed settings if you can (on the attached devices). This is especially true if they are 10/100 ports. If the switch is hard coded it will NOT negotiate with the attached devices.

I believe the default behavior for 10/100 ports with auto-negotiation is to default to 100/half if it can't negotiate. You'd probably get a "Error: Duplex mismatch" on the switch in that case also...

Short story is, if you can't hard code the firewall/VPN devices, don't hard code the switch ports.

Hmmmm, I think I will undo those ports then and let them auto-negotiate. That would suck if I plugged in the devices and received a duplex mismatch, thousands of users use this internet pipe