Spanning Tree

Break-1521 - Switches - Configuring and
Best Practices
James Oryszczyn
President, TBJ Consulting LLC
Who Am I
• I am President of TBJ Consulting LLC
• I have been working on Network Infrastructure for over 15 years
• Have helped numerous schools and enterprises with design and
implementation of switching/routing, etc.
Agenda
• Discuss Spanning Tree
• Discuss VLANs
• Discuss Layer 3
• Discuss Interoperability
At the End of the Presentation
I will discuss a survey you can take to
determine if you are following best
practices
Spanning Tree
• Who can tell me what this does and why it is needed?
• Do all switch manufacturers enable it by default?
• How does it determine which switch becomes the root bridge?
Spanning Tree
• One of the most misconfigured items on the network
• Make sure you set the root bridge to your core by giving it the lowest
bridge priority; if nobody sets a priority, the switch with the lowest MAC
address wins, and that is often an old access or lab switch
• Some switches (HP) come with spanning tree disabled
• Misconfiguration can lead to network loops and also high switch CPU
• If multi-vendor, make sure the spanning-tree types match (for example MSTP
everywhere); mismatched variants only interoperate through the common
spanning tree on VLAN 1 and the per-VLAN topology is lost
• Should run per-VLAN spanning tree (Rapid PVST or MSTP instances) so each
VLAN can have its own root and load is split across the cores
• Enable PortFast on all edge ports, and pair it with BPDU guard so a switch
plugged into an edge port is shut down instead of joining the topology
Spanning Tree Examples
HP
! Same MSTP config name on every switch. Name is case sensitive.
Core-1(config)# spanning-tree config-name "B10"
! Same MSTP revision number.
Core-1(config)# spanning-tree config-revision 1
! Same MSTP instance definitions.
Core-1(config)# spanning-tree instance 1 vlan 10 20 108
Core-1(config)# spanning-tree instance 2 vlan 30 40
! Enables spanning tree
Core-1(config)# spanning-tree
! Core-switch specific configuration:
! Core-1 is root in instance 1 (HP takes a multiplier of 4096 here, so 0 is
! the lowest possible priority)
Core-1(config)# spanning-tree instance 1 priority 0
HP Spanning Tree White Paper
http://h40060.www4.hp.com/procurve/uk/en/pdfs/applicationnotes/How_to_improve_and_harden_spanningtree_configuration_Configuration_note_Dec_08_A4.pdf
Spanning Tree Examples
Cisco
spanning-tree mode rapid-pvst
spanning-tree portfast bpdufilter default
spanning-tree vlan 10,14,18,40,190,212,216,220 priority 24576
spanning-tree vlan 4,12,16,20,64,210,214,218,1000 priority 28672
(24576 is the primary-root value and 28672 the secondary; the other core
switch gets the mirror image so each core is root for half the VLANs.)
On edge ports enable spanning-tree portfast.
What is PortFast? It moves an edge port straight to forwarding instead of
waiting through the listening and learning states (30 seconds with the
default 802.1D timers, up to 50 seconds after a failure once max-age
expires). Note that bpdufilter on PortFast ports only stops them sending
BPDUs; BPDU guard (the bpduguard form of the same global command)
error-disables a port that receives one, which is the stronger protection
against a rogue or accidentally connected switch.
interface GigabitEthernet 1/0/11
 spanning-tree portfast
Cisco White Paper
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_configuration_example09186a008009467c.shtml
Spanning Tree Examples
Juniper
set protocols vstp vlan 10 bridge-priority 16k
set protocols vstp vlan 1000 bridge-priority 16k
Juniper edge port (the equivalent of PortFast)
set protocols stp interface ge-0/0/0.0 edge
White paper found here
http://www.juniper.net/us/en/local/pdf/implementation-guides/8010002-en.pdf
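The election behind "how does it determine the root" above, written out so the priority values on the HP, Cisco and Juniper slides can be checked against each other: every switch builds a 64-bit bridge ID from its priority (plus the VLAN number as the 802.1t extended system ID) and its MAC address, and the lowest ID wins. Cisco's 24576/28672 are raw values, Junos's 16k is 16384, and HP's "priority 0" is a multiplier of 4096. This is an added example, not code from the slides; the switch names and MAC addresses are constructed, and the second topology shows the default-priority mistake the bullet list warns about.

```python
"""Root-bridge election as a switch performs it, plus a check that the
intended core really wins.  Added example, not from the original slides;
switch names and MAC addresses are constructed."""

PRIORITY_STEP = 4096        # with the 802.1t extended system ID only 4 priority bits remain
DEFAULT_PRIORITY = 32768    # every vendor's out-of-the-box value


def mac_to_int(mac):
    return int(mac.replace(":", "").replace("-", "").replace(".", ""), 16)


def bridge_id(priority, vlan, mac):
    """64-bit 802.1t bridge ID: (priority + VLAN as extended system ID) << 48 | MAC.
    Lower wins, so priority decides first and the MAC only breaks ties."""
    if priority % PRIORITY_STEP or not 0 <= priority <= 61440:
        raise ValueError(f"priority {priority} must be a multiple of {PRIORITY_STEP} in 0..61440")
    if not 1 <= vlan <= 4094:
        raise ValueError(f"bad VLAN {vlan}")
    return ((priority + vlan) << 48) | mac_to_int(mac)


def hp_priority(multiplier):
    """HP ProCurve 'spanning-tree instance N priority X' takes 0..15 meaning X*4096,
    so the slide's 'priority 0' is the lowest possible value."""
    if not 0 <= multiplier <= 15:
        raise ValueError("HP priority multiplier is 0..15")
    return multiplier * PRIORITY_STEP


def elect_root(switches, vlan):
    """switches: {name: (mac, {vlan: priority})}; VLANs missing from the dict use
    the default.  Returns the name of the switch that wins the election for `vlan`."""
    def bid(name):
        mac, prios = switches[name]
        return bridge_id(prios.get(vlan, DEFAULT_PRIORITY), vlan, mac)
    return min(switches, key=bid)


def vlans_not_rooted_at(switches, vlans, core):
    """The check to run after configuring: which VLANs are NOT rooted at the core?"""
    return [v for v in vlans if elect_root(switches, v) != core]


# Constructed topology mirroring the Cisco slide: two cores split the VLANs
# (24576 = primary root, 28672 = secondary); access switches left at the default.
GOOD = {
    "Core-1": ("00:00:0c:aa:bb:01", {10: 24576, 20: 28672}),
    "Core-2": ("00:00:0c:aa:bb:02", {10: 28672, 20: 24576}),
    "Access-1": ("00:00:0c:cc:dd:01", {}),
}
# The usual mistake: nobody set a priority, so the lowest MAC (a lab switch) becomes root.
BAD = {
    "Core-1": ("00:00:0c:aa:bb:01", {}),
    "Core-2": ("00:00:0c:aa:bb:02", {}),
    "Lab-Switch": ("00:00:0c:00:00:01", {}),
}

if __name__ == "__main__":
    for vlan in (10, 20):
        print(f"VLAN {vlan}: root is {elect_root(GOOD, vlan)} (good), {elect_root(BAD, vlan)} (bad)")
    print("VLANs where Core-1 is not root:", vlans_not_rooted_at(GOOD, [10, 20], "Core-1"))
    print("HP 'priority 0' as a raw value:", hp_priority(0))
```

Run it once with your own inventory (name, MAC and the per-VLAN priorities you configured) and `vlans_not_rooted_at` lists exactly the VLANs whose root landed somewhere other than the core.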
VLANs
• Why are VLANs needed?
• Who here has more than 1 VLAN?
• Is using VLAN 1 recommended?
VLANs
• Should use VLANs to separate traffic
• Should not use VLAN 1; it is a security risk because it is the default
VLAN for every port and the default native (untagged) VLAN on trunks, so a
port left at factory settings or an untagged frame on a trunk lands in it
• If the network is large enough, create a VLAN for network devices
(management)
• Be careful not to create too many VLANs
• A network with more than 250 nodes should have more than 1 VLAN
VLAN Configuration
Juniper VLAN Configuration
http://www.juniper.net/techpubs/en_US/junos9.4/topics/task/configuration/bridging-vlansex-series-cli.html
Cisco VLAN Configuration
http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a008019e74e.shtml
HP VLAN Configuration
http://www.hp.com/rnd/support/config_examples/primary_vlan.pdf
VLAN Security Issues
(Why not to use VLAN 1)
• MAC Flooding Attack
• 802.1Q and ISL Tagging Attack
• Double-Encapsulated 802.1Q/Nested VLAN Attack
• ARP Attacks
• Private VLAN Attack
• Multicast Brute Force Attack
• Spanning-Tree Attack
• Random Frame Stress Attack
Switch Trunking Configuration
• How to get a VLAN to cross switches
• Puts a tag in the frame with the VLAN-ID (802.1Q)
• Make sure you use industry standards (802.1Q, not vendor-specific ISL)
for VLAN trunks
• Make sure you set the native VLAN-ID to something other than VLAN 1;
traffic in the native VLAN crosses the trunk untagged, which is what the
double-encapsulated attack relies on
Switch Trunking Configuration Continued..
• Make sure you prune switch trunks to only the needed VLANs
• You do not need all VLANs on all switches
• If you are going to have multiple vendors, use LACP for aggregated
uplinks, since it is the standard every vendor supports
Switch Trunking Configuration Continued..
Cisco
interface FastEthernet0/13
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 11
 switchport trunk allowed vlan 2
Juniper
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members NAC-Guest-Vlan
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members TPA-Switch-MGMT
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members TPA-WiFi-Private
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members TPA-34-Voice
set interfaces ge-0/0/1 unit 0 family ethernet-switching native-vlan-id TPA-Switch-MGMT
HP
HP2910al(config)# vlan 2
HP2910al(vlan-2)# tagged 48
Note that in the Cisco example the native VLAN (11) is not in the allowed
list, so nothing legitimate ever crosses that trunk untagged; an unused
VLAN is the safest choice for native. The Juniper example makes the
management VLAN native, which meets the "not VLAN 1" rule but means
management traffic is the untagged traffic on the trunk.
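The double-encapsulated 802.1Q attack from the VLAN security list, and why the native VLAN setting on the trunks above matters, worked through in code: the attacker's frame carries two tags, the first switch strips the outer one because it matches the native VLAN and sends the frame untagged, and the second switch reads the inner tag and delivers the frame into the victim VLAN. This is an added example, not code from the slides. It models only the parts of a switch that the attack touches (access-port classification, native-VLAN handling and allowed-VLAN pruning on a trunk); the MAC addresses, VLAN numbers and payload are constructed. The same frame is then run with the three mitigations the slides recommend: a native VLAN that no access port uses, tagging the native VLAN, and pruning the victim VLAN from the trunk.

```python
"""Double-tagging (nested 802.1Q) walkthrough: builds the attacker's frame,
passes it through a simplified model of two switches joined by a trunk and
reports which VLAN it lands in.  Added example, not from the original
slides; MAC addresses, VLAN numbers and the payload are constructed."""
import struct

ETH_P_8021Q = 0x8100   # 802.1Q TPID
ETH_P_IP = 0x0800


def vlan_tag(vid, pcp=0):
    """4-byte 802.1Q tag: TPID + TCI (3-bit PCP, 1-bit DEI, 12-bit VID)."""
    return struct.pack("!HH", ETH_P_8021Q, (pcp << 13) | (vid & 0x0FFF))


def build_frame(dst, src, vids, payload):
    """Ethernet II frame with zero or more stacked tags, outermost first."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return (mac(dst) + mac(src) + b"".join(vlan_tag(v) for v in vids)
            + struct.pack("!H", ETH_P_IP) + payload)


def parse_frame(frame):
    """Return (vids, ethertype, payload); vids lists every stacked tag, outermost first."""
    off, vids = 12, []
    while struct.unpack_from("!H", frame, off)[0] == ETH_P_8021Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids, struct.unpack_from("!H", frame, off)[0], frame[off + 2:]


def outer_vid(frame):
    vids = parse_frame(frame)[0]
    return vids[0] if vids else None


def strip_outer_tag(frame):
    return frame[:12] + frame[16:]


def push_tag(frame, vid):
    return frame[:12] + vlan_tag(vid) + frame[12:]


def access_ingress(port_vlan, frame):
    """Access port on switch A.  Untagged frames, and frames tagged with the
    port's own VLAN, are accepted into that VLAN (the tag is removed); a frame
    tagged for any other VLAN is dropped."""
    v = outer_vid(frame)
    if v is None:
        return port_vlan, frame
    if v == port_vlan:
        return port_vlan, strip_outer_tag(frame)
    return None, None


def trunk_egress(native_vlan, allowed, vlan, frame, tag_native=False):
    """Trunk from switch A towards switch B.  Pruned VLANs are dropped; the
    native VLAN is sent untagged unless the trunk is configured to tag it."""
    if vlan not in allowed:
        return None
    if vlan == native_vlan and not tag_native:
        return frame            # no tag added: whatever tag is left inside is now outermost
    return push_tag(frame, vlan)


def trunk_ingress(native_vlan, allowed, frame):
    """Trunk port on switch B: a tagged frame is placed in the tagged VLAN (if
    allowed), an untagged one in the native VLAN."""
    v = outer_vid(frame)
    if v is None:
        return native_vlan
    return v if v in allowed else None


def simulate(attacker_vlan, native_vlan, allowed, target_vlan, tag_native=False):
    """VLAN on switch B that the attacker's double-tagged frame ends up in, or None."""
    frame = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55",
                        [attacker_vlan, target_vlan], b"constructed payload")
    vlan, frame = access_ingress(attacker_vlan, frame)
    if vlan is None:
        return None
    on_wire = trunk_egress(native_vlan, allowed, vlan, frame, tag_native)
    return None if on_wire is None else trunk_ingress(native_vlan, allowed, on_wire)


if __name__ == "__main__":
    print("native 1, attacker in VLAN 1:", simulate(1, 1, {1, 20}, 20))        # 20: hop succeeds
    print("native 999 (unused VLAN):    ", simulate(1, 999, {1, 20}, 20))      # 1: stays put
    print("native 1 but tagged:         ", simulate(1, 1, {1, 20}, 20, True))  # 1
    print("VLAN 20 pruned from trunk:   ", simulate(1, 1, {1}, 20))            # None
```

The attack only works when the attacker's access VLAN equals the trunk's native VLAN, which is exactly the factory state (everything in VLAN 1). Moving the native VLAN to a number no access port carries closes it; pruning closes it for the VLANs that are pruned; and tagging the native VLAN closes it regardless of the attacker's VLAN.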
Switch Layer 3 best practices
• Should have redundant switches
• Should use a standard such as VRRP for redundancy in the core
• If possible, do layer 3 uplinks instead of layer 2
• What are Layer 3 uplinks?
Layer 3 Uplinks
• Connections between switches are routed (each uplink is its own small
point-to-point subnet)
• Helps eliminate spanning tree and loops on the uplinks
• Sub-second failover instead of waiting up to a minute for spanning tree
to reconverge
• Helps keep broadcast traffic down, since broadcast domains end at the switch
• Cost can be a concern (layer 3 capable hardware and licensing)
Backups
• How often do you back up your switches?
• Do you use a tool to automate your backups?
• Do you have an email notifying you of changes?
• A simple tool like Kiwi CatTools can back up your environment and is low cost.
http://www.kiwisyslog.com/kiwi-cattools-overview/
• Price is $750 plus maintenance.
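The change-notification part of the backup question above, as an added example that is not from the slides or from CatTools: two saved configurations are compared after stripping the lines that differ on every save anyway (the timestamp comment, NVRAM update line and NTP clock-period), so a fingerprint only changes when something that matters changed. The two IOS-style snippets are constructed, and the change they show (telnet re-enabled on the VTY lines, a public SNMP community added) is the kind of drift the email should flag.

```python
"""Change detection between two configuration backups: normalize away the
lines that change on every save, fingerprint the rest, and report the real
differences.  Added example, not from the original slides; the two configs
are constructed IOS-style snippets."""
import difflib
import hashlib
import re

# Lines that differ between otherwise identical saves and would cause false alarms.
VOLATILE = [
    re.compile(r"^! Last configuration change"),
    re.compile(r"^! NVRAM config last updated"),
    re.compile(r"^ntp clock-period"),
]


def normalize(config):
    """Config text -> list of meaningful lines (blank and volatile lines removed)."""
    return [line.rstrip() for line in config.splitlines()
            if line.strip() and not any(p.match(line) for p in VOLATILE)]


def fingerprint(config):
    """Stable SHA-256 of the normalized config; equal hashes mean nothing changed."""
    return hashlib.sha256("\n".join(normalize(config)).encode()).hexdigest()


def changes(old, new):
    """Added ('+') and removed ('-') lines between two backups, file headers dropped."""
    diff = difflib.unified_diff(normalize(old), normalize(new),
                                fromfile="previous", tofile="current", lineterm="", n=0)
    return [l for l in diff
            if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]


# Constructed backups: yesterday's and today's save of the same switch.
OLD = """\
! Last configuration change at 10:02:11 UTC Mon Jan 7 2013
hostname core-1
line vty 0 4
 transport input ssh
"""
NEW = """\
! Last configuration change at 09:41:37 UTC Tue Jan 8 2013
hostname core-1
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
"""

if __name__ == "__main__":
    if fingerprint(OLD) != fingerprint(NEW):
        # this is the body the change-notification email would carry
        print("\n".join(changes(OLD, NEW)))
```

Feed it the files a nightly backup job writes and send `changes()` only when `fingerprint()` differs; the volatile list is where you add any other line your platform rewrites on every save.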
Code Upgrades
• How often do you upgrade your switches?
• Do you use the recommended release when installing?
• Do you have a plan for when/how you upgrade your switches?
• Should attempt to upgrade yearly
• Should use the recommended release at that time
• Cisco and Juniper have links to the recommended releases
• They are no different than PCs; they need to be patched
Port Security
• Do you disable unused and unneeded ports?
• Do you restrict how many devices can connect to a port?
• Do you protect against a rogue DHCP server on the network?
Port Security can help
• Allows you to error-disable a port once more than a set number of MAC
addresses appear on it (this is also the defence against the MAC flooding
attack listed earlier)
• DHCP snooping can prevent rogue DHCP servers by accepting DHCP server
replies only on trusted uplink ports
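The two controls above, modelled the way a switch applies them and run over a constructed event stream, as an added example that is not from the slides: port security learns source MACs per access port and error-disables the port when a third MAC shows up (which is also what stops a MAC-flooding tool from filling the CAM table), and DHCP snooping drops OFFER/ACK/NAK messages arriving on any port that is not the trusted uplink while recording the client-to-address bindings it sees. Port names, MAC addresses and IP addresses are made up.

```python
"""Port security (MAC limit per port) and DHCP snooping, modelled the way a
switch applies them and run over constructed events.  Added example, not
from the original slides; port names, MACs and addresses are made up."""
from collections import defaultdict


class PortSecurity:
    """Learn source MACs per access port; a port that sees more than `maximum`
    distinct MACs is error-disabled (the 'shutdown' violation action).  A limit
    of 1 or 2 also stops a MAC-flooding tool from filling the CAM table."""

    def __init__(self, maximum=1):
        self.maximum = maximum
        self.learned = defaultdict(set)
        self.errdisabled = set()

    def frame(self, port, src_mac):
        """Return True if the frame is forwarded, False if it is dropped."""
        if port in self.errdisabled:
            return False
        macs = self.learned[port]
        if src_mac not in macs and len(macs) >= self.maximum:
            self.errdisabled.add(port)          # violation: shut the port
            return False
        macs.add(src_mac)
        return True


SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}      # only a real DHCP server sends these


class DhcpSnooping:
    """Drop DHCP server messages arriving on untrusted (client) ports and keep a
    binding table of which client MAC got which address on which port."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.client_port = {}                   # client MAC -> port it asked from
        self.bindings = {}                      # client MAC -> (ip, client port)
        self.dropped = []

    def packet(self, port, msg, client_mac, ip=None):
        """Return True if the DHCP message is forwarded, False if dropped."""
        if msg in SERVER_MESSAGES and port not in self.trusted:
            self.dropped.append((port, msg, client_mac))   # rogue server on a client port
            return False
        if msg in ("DISCOVER", "REQUEST"):
            self.client_port[client_mac] = port
        elif msg == "ACK" and ip is not None:
            self.bindings[client_mac] = (ip, self.client_port.get(client_mac))
        return True


def run_demo():
    """Constructed event stream; returns (errdisabled ports, rogue drops, bindings)."""
    ps = PortSecurity(maximum=2)
    for port, mac in [("Gi1/0/5", "00:11:22:00:00:01"), ("Gi1/0/5", "00:11:22:00:00:02"),
                      ("Gi1/0/5", "00:11:22:00:00:03"),   # third MAC: violation
                      ("Gi1/0/6", "00:11:22:00:00:10")]:
        ps.frame(port, mac)
    snoop = DhcpSnooping(trusted_ports={"Gi1/0/48"})       # uplink to the real server
    snoop.packet("Gi1/0/6", "DISCOVER", "00:11:22:00:00:10")
    snoop.packet("Gi1/0/7", "OFFER", "00:11:22:00:00:10", "10.0.0.200")   # rogue, dropped
    snoop.packet("Gi1/0/48", "OFFER", "00:11:22:00:00:10", "10.0.0.50")
    snoop.packet("Gi1/0/6", "REQUEST", "00:11:22:00:00:10")
    snoop.packet("Gi1/0/48", "ACK", "00:11:22:00:00:10", "10.0.0.50")
    return ps.errdisabled, snoop.dropped, snoop.bindings


if __name__ == "__main__":
    print(run_demo())
```

The binding table is what makes the follow-on protections possible: once the switch knows which MAC and IP belong on which port, it can also reject spoofed ARP replies and spoofed source addresses from that port, which covers the ARP attacks in the VLAN security list.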
Additional Best Practices
• Should configure time zones on switches
• Should configure NTP on switches, so logs from different devices can be
correlated
• Should use SSH instead of telnet
• Should change the default username and password
• Should use RADIUS for central authentication if possible
Survey
If you give me your Business Card I will provide you an
assessment about your current Switched Network
Questions?????
Thank You…………
You can contact me at
[email protected]