Throughout the years I have worked for a Value Added Reseller (VAR) that provides professional services, clients have asked me countless questions about best practice configurations for access edge switches. Unfortunately I could not find any simple guide on Google that discusses and demonstrates the most common best practice access edge configuration.
So in this blog I’m going to discuss the key details of a best practice configuration for access edge switches. First we’ll take a look at an example best practice configuration on a Cisco 3560-24PS-S, then we’ll go into the key details of every section.
Example Configuration
Before you examine the configuration, keep in mind that this is an example configuration for an IDF closet access switch with a single data VLAN and a single voice VLAN, and two 1Gbps uplinks in an ECLB.
Section by Section Examination
Now let’s take a look at the configuration section by section and discuss what it does.
First we’ll start with the first eleven lines of configuration, shown below:
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec show-timezone year
service password-encryption
!
hostname BOS-3FL-IDF2-AS1
!
boot-start-marker
boot-end-marker
!
logging buffered 524288 informational
logging rate-limit console 3
!
username radfail privilege 15 secret 5 $1$HQzW$8JATJQz.nIYKscMhpYMg0.
We can see that the version of software the configuration was written with is 12.2. The timestamp service has been modified to include the timezone and year, which is helpful when correlating locally logged events with other systems.
The hostname is defined as BOS-3FL-IDF2-AS1, which carries several key bits of identifiable information. It is easy to conclude that this switch is located in a Boston office on the third floor in IDF2 and that it is access switch 1.
The logging buffer has been increased to 512KB and set to the informational level, and console logging is rate-limited to 3 messages per second to prevent console over-runs when debugging is enabled.
A single local username also exists, defined as “radfail”. This is clearly intended for use in the event that the RADIUS servers have failed and RADIUS authentication is impossible.
Next up is the Authentication, Authorization and Accounting configuration section:
aaa new-model
!
!
aaa group server radius BOS_RADIUS
 server-private 10.4.11.15 auth-port 1645 acct-port 1646 key 7 096F4550080355A552E211B
 server-private 10.4.12.15 auth-port 1645 acct-port 1646 key 7 05290D56304A0A85C3D193B
 ip radius source-interface Vlan72
!
aaa authentication login default group BOS_RADIUS local
aaa authorization console
aaa authorization exec default group BOS_RADIUS local if-authenticated
aaa accounting exec default start-stop group BOS_RADIUS
!
!
aaa session-id common
The AAA server group is used to define the RADIUS servers. As you can see we have two servers, 10.4.11.15 and 10.4.12.15, and the source of all RADIUS traffic is interface Vlan72.
The authentication, authorization and accounting profiles reference the BOS_RADIUS server group. If you look closer, you’ll see that authentication references the RADIUS servers first; only if both of them are unresponsive does authentication fall back to the local user database, i.e. the “radfail” user account we talked about earlier.
AAA accounting is a mechanism used to log what users do on the switch to a RADIUS server for auditing. This way if an individual changes the configuration on the switch, the changes they made are logged and you have a paper trail if there is a “SHTF” event. Note that the aaa accounting exec line shown records the start and stop of each exec session; logging every command executed requires a separate aaa accounting commands configuration.
The next small section, shown below, is pretty self-explanatory:
system mtu routing 1500
vtp mode transparent
ip domain-name FREECCNAWORKBOOK.COM
ip name-server 10.4.11.6
ip name-server 10.4.12.6
You will however notice that the VTP mode is set to transparent. This means that all VLANs must be configured locally. In a secure environment it is recommended to avoid VTP, since a switch joining the domain with a higher revision number can overwrite the VLAN database of every switch in it.
Next we have our layer 2 security technologies, which include DHCP snooping and Dynamic ARP Inspection, as shown below:
ip dhcp snooping vlan 101-102
ip dhcp snooping database ftp://user:pass@10.4.11.7/snoop-dbs/BOS-3FL-IDF1-AS1_SNOOP.DB
ip dhcp snooping
ip arp inspection vlan 101-102
DHCP snooping is used to prevent rogue DHCP servers from causing problems on the network. Most people do not realize that a simple Linksys router can cause problems in a corporate network when it is plugged into a cubicle jack to provide “additional ports”: the switch drops DHCP server messages (offers and acknowledgements) that arrive on untrusted ports.
Dynamic ARP Inspection (DAI) is used to prevent PCs on the network from sending spoofed ARP replies to execute a man-in-the-middle attack. Each ARP packet received on an untrusted port is checked against the DHCP snooping binding table, and a packet whose sender MAC and IP do not match a binding is dropped.
DHCP snooping uses a database so that, in the event of a switch reboot, machines on the network that currently hold a DHCP IP address do not have their traffic dropped by Dynamic ARP Inspection, since DAI references the DHCP snooping binding table. In this case our DHCP snooping database is stored on an FTP server.
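To make the relationship between DHCP snooping, the binding table and Dynamic ARP Inspection concrete, here is a small simulation of how a switch with this configuration handles DHCP and ARP packets on trusted and untrusted ports. This is an added example, not code from the original post or from Cisco; the port names, MAC and IP addresses and the simplified message model are constructed for illustration, and the rate limit models the ip arp inspection limit rate behaviour (the port is err-disabled when the limit is exceeded).

```python
"""Simulation of DHCP snooping plus Dynamic ARP Inspection (DAI).
Added example with constructed values; not the post's own code."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass
class Switch:
    """Minimal model of the snooping/DAI state kept by one access switch."""
    trusted: set = field(default_factory=set)      # uplink ports with '... trust'
    arp_limit: int = 100                           # 'ip arp inspection limit rate 100'
    bindings: dict = field(default_factory=dict)   # (mac, vlan) -> Binding
    pending: dict = field(default_factory=dict)    # client mac -> (port, vlan) awaiting ACK
    arp_count: dict = field(default_factory=dict)  # port -> ARP packets this interval
    errdisabled: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def dhcp(self, port, vlan, msg, mac, ip=None):
        """Process a DHCP message; return True if it is forwarded."""
        mac = mac.lower()
        if msg in ("DISCOVER", "REQUEST"):         # client messages: remember where they came from
            self.pending[mac] = (port, vlan)
            return True
        if msg in ("OFFER", "ACK"):                # server messages: only from trusted ports
            if port not in self.trusted:
                self.log.append(f"DHCP-SNOOPING: dropped {msg} from untrusted port {port}")
                return False
            if msg == "ACK" and mac in self.pending:
                cport, cvlan = self.pending.pop(mac)
                self.bindings[(mac, cvlan)] = Binding(mac, ip, cvlan, cport)
            return True
        return True

    def arp(self, port, vlan, sender_mac, sender_ip):
        """Apply DAI to an ARP packet; return True if it is forwarded."""
        if port in self.errdisabled:
            return False
        if port in self.trusted:                   # 'ip arp inspection trust': no validation
            return True
        n = self.arp_count.get(port, 0) + 1
        self.arp_count[port] = n
        if n > self.arp_limit:                     # rate limit exceeded: port is err-disabled
            self.errdisabled.add(port)
            self.log.append(f"DAI: {port} err-disabled, ARP rate limit exceeded")
            return False
        b = self.bindings.get((sender_mac.lower(), vlan))
        if b is None or b.ip != sender_ip:
            self.log.append(f"DAI: dropped ARP {sender_mac}/{sender_ip} on {port}")
            return False
        return True

    def new_interval(self):
        """Reset the per-port ARP counters (one rate-limit interval elapsed)."""
        self.arp_count.clear()


def demo():
    """Walk a client through DHCP and ARP; return the observable results."""
    sw = Switch(trusted={"Po1"})
    client = "00:11:22:33:44:55"
    sw.dhcp("Fa0/1", 101, "DISCOVER", client)
    rogue = sw.dhcp("Fa0/2", 101, "OFFER", client, "10.14.101.200")   # rogue server on an access port
    sw.dhcp("Po1", 101, "OFFER", client, "10.14.101.50")              # real server via the uplink
    sw.dhcp("Po1", 101, "ACK", client, "10.14.101.50")
    results = {
        "rogue_offer_forwarded": rogue,
        "binding_ip": sw.bindings[(client, 101)].ip,
        "legit_arp": sw.arp("Fa0/1", 101, client, "10.14.101.50"),
        "spoofed_gateway": sw.arp("Fa0/1", 101, client, "10.14.101.1"),
        "unknown_host": sw.arp("Fa0/3", 101, "aa:bb:cc:dd:ee:ff", "10.14.101.77"),
        "uplink_arp": sw.arp("Po1", 101, "00:00:0c:9f:f0:01", "10.14.101.1"),
    }
    sw.new_interval()
    flood = [sw.arp("Fa0/1", 101, client, "10.14.101.50") for _ in range(101)]
    results["arps_forwarded_before_errdisable"] = flood.count(True)
    results["port_errdisabled"] = "Fa0/1" in sw.errdisabled
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running demo() shows the two effects the post describes: the offer from the rogue server on Fa0/2 is dropped while the uplink’s offer builds a binding, and a client that later claims the gateway’s address in an ARP reply is dropped even though its MAC is legitimately bound to another address. The last two results show why the ARP rate limit matters operationally: once a port exceeds it, the port goes err-disabled, so a burst of ARP from a misbehaving host takes the port down rather than the switch CPU.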
Next up we will see a ton of MLS QoS configuration. The configuration shown below is all auto-generated by Auto-QoS.
mls qos map policed-dscp 0 10 18 24 46 to 8
mls qos map cos-dscp 0 8 16 24 32 46 48 56
mls qos srr-queue input bandwidth 70 30
mls qos srr-queue input threshold 1 80 90
mls qos srr-queue input priority-queue 2 bandwidth 30
mls qos srr-queue input cos-map queue 1 threshold 2 3
mls qos srr-queue input cos-map queue 1 threshold 3 6 7
mls qos srr-queue input cos-map queue 2 threshold 1 4
mls qos srr-queue input dscp-map queue 1 threshold 2 24
mls qos srr-queue input dscp-map queue 1 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue input dscp-map queue 1 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3 32 33 40 41 42 43 44 45
mls qos srr-queue input dscp-map queue 2 threshold 3 46 47
mls qos srr-queue output cos-map queue 1 threshold 3 4 5
mls qos srr-queue output cos-map queue 2 threshold 1 2
mls qos srr-queue output cos-map queue 2 threshold 2 3
mls qos srr-queue output cos-map queue 2 threshold 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 0
mls qos srr-queue output cos-map queue 4 threshold 3 1
mls qos srr-queue output dscp-map queue 1 threshold 3 32 33 40 41 42 43 44 45
mls qos srr-queue output dscp-map queue 1 threshold 3 46 47
mls qos srr-queue output dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 2 threshold 1 26 27 28 29 30 31 34 35
mls qos srr-queue output dscp-map queue 2 threshold 1 36 37 38 39
mls qos srr-queue output dscp-map queue 2 threshold 2 24
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue output dscp-map queue 4 threshold 1 8 9 11 13 15
mls qos srr-queue output dscp-map queue 4 threshold 2 10 12 14
mls qos queue-set output 1 threshold 1 100 100 50 200
mls qos queue-set output 1 threshold 2 125 125 100 400
mls qos queue-set output 1 threshold 3 100 100 100 400
mls qos queue-set output 1 threshold 4 60 150 50 200
mls qos queue-set output 1 buffers 15 25 40 20
mls qos
!
!
auto qos srnd4
To learn more about the Auto-QoS configuration, check out Medianet Campus QoS Design 4.0.
When you have a unified network where VoIP phones and desktops connect to the same access edge switchport, QoS is a necessary configuration to ensure call quality. In this example configuration we are assuming our network uses Cisco VoIP phones.
Next up is our spanning-tree and VLAN information:
spanning-tree mode rapid-pvst
spanning-tree logging
spanning-tree extend system-id
spanning-tree vlan 1-4094 priority 61440
!
vlan internal allocation policy ascending
!
vlan 72
 name BOS_NET_MGMT_10.14.72.0-24
!
vlan 101
 name BOS_3FL_IDF2_DATA_10.14.101.0-2
!
vlan 102
 name BOS_3FL_IDF2_VOICE_10.14.102.0-2
The spanning-tree mode is set to Rapid PVST+, and the priority for this access edge switch is 61440 (the maximum) to ensure that it never becomes the root bridge. We have three VLANs defined, MGMT, DATA and VOICE, with easily identifiable VLAN names.
Up next we have some more QoS configuration:
class-map match-all AUTOQOS_VOIP_DATA_CLASS
 match ip dscp ef
class-map match-all AUTOQOS_DEFAULT_CLASS
 match access-group name AUTOQOS-ACL-DEFAULT
class-map match-all AUTOQOS_VOIP_SIGNAL_CLASS
 match ip dscp cs3
!
!
policy-map AUTOQOS-SRND4-CISCOPHONE-POLICY
 class AUTOQOS_VOIP_DATA_CLASS
  set dscp ef
  police 128000 8000 exceed-action policed-dscp-transmit
 class AUTOQOS_VOIP_SIGNAL_CLASS
  set dscp cs3
  police 32000 8000 exceed-action policed-dscp-transmit
 class AUTOQOS_DEFAULT_CLASS
  set dscp default
  police 10000000 8000 exceed-action policed-dscp-transmit
!
This QoS section is used to classify ingress traffic on the access ports. In a nutshell, it references an access list (and DSCP values) to identify traffic, then sets QoS markings in the packet, which the switch uses to assign specific priorities to the traffic based on those markings. The police statements also cap each class at a rate and re-mark traffic that exceeds it, so a host cannot gain priority simply by marking all of its traffic as voice.
Now we’re getting to the interface configuration section. First you’ll see a port-channel interface:
interface Port-channel1
 description ### LACP LAG TO BOS-1FL-MDF-CS Po14 ###
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip arp inspection trust
 ip dhcp snooping trust
The configuration you see on this port-channel is pretty typical except for ip arp inspection trust and ip dhcp snooping trust. These two commands mark the uplink as trusted, so DHCP server messages and ARP packets arriving from the distribution layer are forwarded without inspection. Without these commands, DHCP responses from the upstream DHCP server would be dropped as if they came from a rogue server, and ARP traffic from hosts behind the uplink would be dropped because they have no binding on this switch.
Now we’ve finally made it to the access port configuration. Access ports FastEthernet0/1 – 24 are all the same, so let’s just take a look at the interface configuration of FastEthernet0/1:
interface FastEthernet0/24
 description ### IDF2 ACCESS EDGE PORT ###
 switchport access vlan 101
 switchport mode access
 switchport voice vlan 102
 switchport port-security maximum 5
 switchport port-security
 switchport port-security aging time 5
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 ip arp inspection limit rate 100
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 storm-control broadcast level bps 1m
 storm-control multicast level bps 10m
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
 service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
 ip verify source
 ip dhcp snooping limit rate 100
Several lines of the interface configuration are fairly common: first we see the interface description, followed by the access VLAN configuration and the switchport mode.
Since our switch is deployed in a Cisco phone environment, we also have the voice VLAN defined using switchport voice vlan 102.
Port security is frowned upon in most environments; however, if implemented correctly it can help secure your network and prevent MAC address table overflows. Here it allows at most 5 addresses per port (a phone, the PC behind it and some headroom), uses violation restrict so that frames from additional addresses are dropped and counted without err-disabling the port, and ages secure addresses out after 5 minutes of inactivity so that a moved device does not leave a stale entry behind.
The ip arp inspection limit rate 100 command limits the number of incoming ARP packets on the port to 100 per second.
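The difference between the violation modes is the part of port security that most often decides whether it is “frowned upon” or not, so here is an added simulation (not the post’s own code, and not Cisco’s implementation) of a port configured with a maximum of 5 addresses, inactivity aging and either restrict or shutdown as the violation action. The MAC addresses and the minute-based clock are constructed for the example.

```python
"""Model of 'switchport port-security maximum N', 'violation {restrict|shutdown}'
and 'aging type inactivity'. Added example with constructed values."""


class PortSecurity:
    def __init__(self, maximum=5, aging_minutes=5, violation="restrict"):
        if violation not in ("restrict", "shutdown", "protect"):
            raise ValueError("violation must be restrict, shutdown or protect")
        self.maximum = maximum
        self.aging = aging_minutes
        self.violation = violation
        self.secure = {}          # mac -> minutes since last seen (inactivity timer)
        self.violations = 0       # counted for restrict mode (SNMP trap/syslog in IOS)
        self.link_up = True

    def frame(self, src_mac):
        """Return True if a frame from src_mac is forwarded by the port."""
        if not self.link_up:
            return False          # err-disabled port forwards nothing
        mac = src_mac.lower()
        if mac in self.secure:
            self.secure[mac] = 0  # seen again: inactivity timer restarts
            return True
        if len(self.secure) < self.maximum:
            self.secure[mac] = 0  # dynamically learned secure address
            return True
        # maximum reached: apply the configured violation action
        if self.violation == "shutdown":
            self.link_up = False  # err-disable; needs manual or errdisable recovery
        elif self.violation == "restrict":
            self.violations += 1  # drop, count and notify; port stays up
        return False              # protect: drop silently

    def tick(self, minutes=1):
        """Advance the clock; addresses idle for the aging time are removed."""
        for mac in list(self.secure):
            self.secure[mac] += minutes
            if self.secure[mac] >= self.aging:
                del self.secure[mac]


def demo():
    """Six hosts appear on a 5-address port in restrict and shutdown mode."""
    macs = [f"00:50:56:aa:bb:{i:02x}" for i in range(6)]   # constructed addresses
    restrict = PortSecurity(maximum=5, aging_minutes=5, violation="restrict")
    first_five = [restrict.frame(m) for m in macs[:5]]
    sixth = restrict.frame(macs[5])
    restrict.tick(5)                         # nobody talked for 5 minutes
    sixth_after_aging = restrict.frame(macs[5])

    shutdown = PortSecurity(maximum=5, aging_minutes=5, violation="shutdown")
    for m in macs[:5]:
        shutdown.frame(m)
    shutdown.frame(macs[5])                  # violation err-disables the port
    known_host_after_shutdown = shutdown.frame(macs[0])

    return {
        "restrict_first_five": all(first_five),
        "restrict_sixth": sixth,
        "restrict_violations": restrict.violations,
        "restrict_link_up": restrict.link_up,
        "restrict_sixth_after_aging": sixth_after_aging,
        "restrict_secure_count_after_aging": len(restrict.secure),
        "shutdown_link_up": shutdown.link_up,
        "known_host_after_shutdown": known_host_after_shutdown,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The restrict port keeps forwarding for the five known hosts and only drops the sixth, which is why it is the safer default on an edge where a user may daisy-chain a hub; the shutdown port takes all five legitimate hosts offline as soon as the sixth appears, which is exactly the outage that gives port security its bad reputation.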
The next six lines of config are used for QoS. srr-queue bandwidth share defines the share of bandwidth assigned to each egress queue, and priority-queue out enables the priority queue, which is used to ensure that voice traffic is serviced ahead of all other traffic.
mls qos trust device cisco-phone is used to trust the markings of traffic only when a Cisco VoIP phone is detected on the port via CDP. This command works in unison with the mls qos trust cos command.
The auto qos voip cisco-phone command is used to enable Auto-QoS on that port. In most situations Auto-QoS will meet the traffic prioritization requirements of most companies. If the company has specialized applications, then modifications to the QoS policies may be needed.
Storm control is a unique feature that limits specific traffic types to a given level. In this case we’re limiting all ingress broadcast traffic to 1Mbps and all ingress multicast traffic to 10Mbps.
PortFast, BPDU guard and root guard are typical access edge configurations: they ensure spanning tree places the port into forwarding mode immediately, protect against unauthorized managed switches (the port is err-disabled if a BPDU is received), and ensure that access edge ports never become root ports.
The service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY command applies the service policy defined in an earlier section, which classifies ingress traffic according to the access list and sets the traffic’s QoS parameters.
IP Source Guard, which is enabled using the ip verify source command, is used to prevent hosts from impersonating other machines on the network: IP packets whose source address does not match the DHCP snooping binding for that port are dropped.
Lastly we have our DHCP snooping configuration, which prevents users from plugging in rogue DHCP servers and causing network problems. The ip dhcp snooping limit rate 100 command limits DHCP traffic on the port to 100 packets per second.
This is a lot of access port configuration; however, all of it is used to ensure network functionality, reliability and security.
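With this many lines per port it is easy for one interface to be missed when a switch is built by hand, so a practical check is to audit the running configuration against the checklist above. The script below is an added example, not part of the original post or any Cisco tool: it parses IOS interface blocks and reports access ports missing any of the edge features discussed (port security, PortFast, BPDU guard, root guard, IP Source Guard, the DHCP snooping and ARP inspection rate limits, storm control) and trunk ports missing the DHCP snooping and ARP inspection trust lines. The sample configuration embedded in it is constructed, with one compliant access port, one bare access port and one uplink missing its trust statements.

```python
"""Audit IOS interface configuration against the access edge checklist.
Added example; the sample config and interface names are constructed."""

# Features every access port should carry (matched as a command prefix).
ACCESS_REQUIRED = [
    "switchport port-security",
    "spanning-tree portfast",
    "spanning-tree bpduguard enable",
    "spanning-tree guard root",
    "ip verify source",
    "ip dhcp snooping limit rate",
    "ip arp inspection limit rate",
    "storm-control broadcast level",
]
# Commands that must match exactly: 'switchport port-security maximum 5'
# alone does NOT enable port security, only the bare command does.
EXACT = {"switchport port-security"}

# Trust statements every uplink (trunk) must carry.
TRUNK_REQUIRED = ["ip dhcp snooping trust", "ip arp inspection trust"]


def parse_interfaces(config):
    """Return {interface name: [sub-commands]} for each 'interface' block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:                       # '!' or a global command ends the block
            current = None
    return blocks


def has_command(lines, required):
    if required in EXACT:
        return required in lines
    return any(l == required or l.startswith(required + " ") for l in lines)


def audit(config):
    """Return {interface: [missing commands]} for non-compliant ports."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode trunk" in lines:
            required = TRUNK_REQUIRED
        elif "switchport mode access" in lines:
            required = ACCESS_REQUIRED
        else:
            continue                # SVIs and ports with no switchport mode
        missing = [r for r in required if not has_command(lines, r)]
        if missing:
            findings[name] = missing
    return findings


# Constructed sample: Po1 and Fa0/1 follow the post, Fa0/2 and Gi0/2 do not.
SAMPLE_CONFIG = """\
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip arp inspection trust
 ip dhcp snooping trust
!
interface FastEthernet0/1
 switchport access vlan 101
 switchport mode access
 switchport voice vlan 102
 switchport port-security maximum 5
 switchport port-security
 switchport port-security violation restrict
 ip arp inspection limit rate 100
 storm-control broadcast level bps 1m
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
 ip verify source
 ip dhcp snooping limit rate 100
!
interface FastEthernet0/2
 switchport access vlan 101
 switchport mode access
 switchport port-security maximum 5
 spanning-tree portfast
!
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode active
!
interface Vlan72
 ip address 10.14.72.6 255.255.255.0
"""

if __name__ == "__main__":
    for iface, missing in audit(SAMPLE_CONFIG).items():
        print(f"{iface}: missing {', '.join(missing)}")
```

Feed it the output of show running-config and the untrusted uplink stands out immediately, which matters because a trunk that lacks the trust statements is not just a functional problem (DHCP breaks) but also the first thing an engineer is tempted to “fix” by disabling snooping globally.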
After the access ports we have our physical uplinks Gi0/1 and Gi0/2:
interface GigabitEthernet0/1
 description ### Physical Uplink to BOS-1FL-MDF-CS SW1 Gi1/0/4 ###
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip arp inspection trust
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 mls qos trust cos
 channel-group 1 mode active
 ip dhcp snooping trust
!
interface GigabitEthernet0/2
 description ### Physical Uplink to BOS-1FL-MDF-CS SW2 Gi2/0/4 ###
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip arp inspection trust
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 mls qos trust cos
 channel-group 1 mode active
 ip dhcp snooping trust
The configuration here is pretty self-explanatory as well, as most of it has already been discussed in previous sections. These two interfaces are configured as trunk interfaces and placed in an EtherChannel using LACP.
After the uplink config we have our VLAN interface configuration and other basic configuration, as shown below:
interface Vlan1
 description ### ADMIN DISABLED ###
 no ip address
 shutdown
!
interface Vlan72
 description ### MANAGEMENT INTERFACE ###
 ip address 10.14.72.6 255.255.255.0
!
ip default-gateway 10.14.72.1
ip classless
no ip http server
no ip http secure-server
Cisco recommends never using VLAN 1 in a production environment. On this switch we’re using VLAN 72 as our management interface. Because this access switch is layer 2 only, we have our default gateway set, and we’ve disabled the HTTP and HTTPS IOS services.
Up next is our ACL configuration section:
ip access-list extended AUTOQOS-ACL-DEFAULT
 permit ip any any
ip access-list extended VTY_MGMT_ACCESS
 permit tcp 10.14.201.0 0.0.0.255 any eq 22
 deny ip any any log
The access lists here are pretty simple. The first ACL is used for Auto-QoS and the second is used for VTY access, to control which source network is able to SSH into the switch. 10.14.201.0/24 is our IT management network; the log keyword on the deny entry means every rejected connection attempt is recorded in syslog.
We also have syslog forwarding enabled to send messages to the server 10.4.11.14, as defined by the logging 10.4.11.14 command.
The login banner is pretty self-explanatory. Having one of these is a legal must-have to protect the legal rights of the company in the event of unauthorized access.
banner login ^C
############################################################################
#       WARNING   WARNING   WARNING   WARNING   WARNING   WARNING          #
############################################################################
#                                                                          #
# THIS IS A FREE CCNA WORKBOOK COMPUTER SYSTEM. THIS COMPUTER              #
# SYSTEM, INCLUDING ALL RELATED EQUIPMENT, NETWORKS AND NETWORK DEVICES    #
# (SPECIFICALLY INCLUDING INTERNET ACCESS), ARE PROVIDED ONLY FOR          #
# AUTHORIZED USE. FREE CCNA WORKBOOK SYSTEMS MAY BE MONITORED              #
# FOR ALL LAWFUL PURPOSES, INCLUDING TO ENSURE THAT THEIR USE IS           #
# AUTHORIZED, FOR MANAGEMENT OF THE SYSTEM, TO FACILITATE PROTECTION       #
# AGAINST UNAUTHORIZED ACCESS, AND TO VERIFY SECURITY PROCEDURES,          #
# SURVIVABILITY AND OPERATIONAL SECURITY. MONITORING INCLUDES ACTIVE       #
# ATTACKS BY AUTHORIZED COMPANY ENTITIES TO TEST OR VERIFY THE SECURITY    #
# OF THIS SYSTEM. DURING MONITORING, INFORMATION MAY BE EXAMINED,          #
# RECORDED, COPIED AND USED FOR AUTHORIZED PURPOSES. ALL INFORMATION,      #
# INCLUDING PERSONAL INFORMATION, PLACED ON OR SENT OVER THIS SYSTEM MAY   #
# BE MONITORED.                                                            #
#                                                                          #
# USE OF THIS FREE CCNA WORKBOOK SYSTEM, AUTHORIZED OR UNAUTHORIZED,       #
# CONSTITUTES CONSENT TO MONITORING OF THIS SYSTEM. UNAUTHORIZED USE       #
# MAY SUBJECT YOU TO CRIMINAL PROSECUTION. EVIDENCE OF UNAUTHORIZED USE    #
# COLLECTED DURING MONITORING MAY BE USED FOR ADMINISTRATIVE, CRIMINAL     #
# OR OTHER ADVERSE ACTION. USE OF THIS SYSTEM CONSTITUTES CONSENT TO       #
# MONITORING FOR THESE PURPOSES.                                           #
#                                                                          #
############################################################################
^C
The next two commands are used for troubleshooting. The alias exec cpu show proc cpu | exc 0.00%__0.00%__0.00% command defines a custom “cpu” command for privileged mode that shows only the processes that have used the processor, filtering out every process whose 5-second, 1-minute and 5-minute utilization are all 0.00%.
The privilege exec level 1 show running command allows level 1 authenticated accounts to view the running configuration. This allows help desk personnel to view the running configuration without being able to change it.
The line configuration is pretty typical, as shown below:
line con 0
line vty 0 4
 access-class VTY_MGMT_ACCESS in
 length 0
 transport input ssh
line vty 5 15
 access-class VTY_MGMT_ACCESS in
 transport input ssh
We have the VTY_MGMT_ACCESS ACL applied inbound on all sixteen VTY lines and only allow SSH as the transport, so Telnet is not accepted at all.
Our last bit of config is our NTP configuration. Using NTP is crucial to ensure accurate timestamps in logging information:
ntp authentication-key 1 md5 0225150209575D72 7
ntp authentication-key 2 md5 04781A5F0D721E1F 7
ntp server 10.4.12.4 key 2 source Vlan72
ntp server 10.4.11.4 key 1 source Vlan72 prefer
This configuration defines authentication keys 1 and 2. The servers are defined by IP address together with the authentication key each one uses and the source VLAN for all NTP traffic. Server 10.4.11.4 is the preferred server; if it fails, then 10.4.12.4 will be used. Note that for the switch to actually reject unauthenticated time sources, ntp authenticate and ntp trusted-key entries for keys 1 and 2 are also required, which are not shown in the snippet above.
If you have any questions or comments feel free to post!