Embed Size (px)
Citation preview
James OryszczynPresident, TBJ Consulting LLC
Break-1521 - Switches - Configuring and Best Practices
Who Am I
• I am President of TBJ Consulting LLC
• I have been working on Network Infrastructure for over 15 years
• Have help numerous school’s and Enterprise’s with Design and Implementation of switching/routing ETC….
Agenda
• Discuss Spanning Tree• Discuss VLANS• Discuss Layer 3• Discuss Interoperability
At the End of the PresentationI will discuss a survey you can take to determine if you are following best practices
Spanning Tree• Who can tell me what this does and why it is needed?
• Do all switch manufactures enable it by default?
• How does it determine who is the master?
Spanning Tree• Most misconfigured items on the network• Need to make sure you set the root bridge to your core• Some switches (HP) come with spanning tree disabled• Can lead to network loops and also High Switch CPU• If mulit-vendor, make sure spanning-tree types match.• Should run Per VLAN spanning tree• Enable Port-fast on all edge ports
Spanning Tree ExamplesHP • Same MSTP Config name. Name is case sensitive.• Core-1(config)# spanning-tree config-name "B10"• ! Same MSTP Revision number.• Core-1(config)# spanning-tree config-revision 1• ! Same MSTP Instances definition• Core-1(config)# spanning-tree instance 1 vlan 10 20 108• Core-1(config)# spanning-tree instance 2 vlan 30 40• ! Enables Spanning Tree• Core-1(config)# spanning-tree• !Core-switch specific configuration:• !Core-1 is Root in Instance 1• Core-1(config)# spanning-tree instance 1 priority 0
HP Spanning Tree White Paper• http://h40060.www4.hp.com/procurve/uk/en/pdfs/application-notes/
How_to_improve_and_harden_spanning-tree_configuration_Configuration_note_Dec_08_A4.pdf
Spanning Tree ExamplesCiscospanning-tree mode rapid-pvstspanning-tree portfast bpdufilter defaultpanning-tree vlan priority 10,14,18,40,190,212,216,220 24576spanning-tree vlan priority 4,12,16,20,64,210,214,218,1000 28672
On Edge Port enable spanning-tree port fastWhat is port fast? It allows the Port to become active faster than the traditonal 60 second’s• interface GigabitEthernet 1/0/11• spanning-tree portfast
Cisco White Paperhttp://www.cisco.com/en/US/tech/tk389/tk621/technologies_configuration_example09186a008009467c.shtml
Spanning Tree ExamplesJuniperset protocols vstp vlan 10 bridge-priority 16kset protocols vstp vlan 1000 bridge-priority 16k
Juniper Port fastset protocols stp interface ge-0/0/0.0 edge
White paper found herehttp://www.juniper.net/us/en/local/pdf/implementation-guides/8010002-en.pdf
VLAN’s• Why are VLAN’s needed?• Who here has more than 1 VLAN?• Is using VLAN 1 recommend?
VLAN’s• Why are VLAN’s needed?• Who here has more than 1 VLAN?• Is using VLAN 1 recommended?
VLAN’s• Should use VLAN’s to separate traffic• Should not use VLAN 1, it is a security risk• If network is large enough, create a VLAN for
network devices• Be careful not to create to many VLAN’s• Network with 250 nodes over, should have
more than 1 VLAN
VLAN ConfigurationJuniper VLAN Configurationhttp://www.juniper.net/techpubs/en_US/junos9.4/topics/task/configuration/bridging-vlans-ex-series-cli.html
Cisco VLAN Configurationhttp://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a008019e74e.shtml
HP VLAN Configuration• http://www.hp.com/rnd/support/config_examples/primary_vlan.pdf
VLAN Security Issues(Why not to use VLAN1)
• MAC Flooding Attack• 802.1Q and ISL Tagging Attack• Double-Encapsulated 802.1Q/Nested VLAN Attack• ARP Attacks• Private VLAN Attack• Multicast Brute Force Attack• Spanning-Tree Attack• Random Frame Stress Attack
Switch Trunking Configuration• How to Get VLAN to cross switches• Puts a tag in the packet with the VLAN-ID• Make sure you use Industry Standards for
VLAN Trunks• Make sure you set the Native VLAN-ID to
something other than VLAN 1
Switch Trunking Configuration Continued..• Make sure you prune switch trunks for only
needed VLANs• Do not need all VLANS on all Switches
Switch Trunking Configuration Continued..• Make sure you prune switch trunks for only
needed VLANs• Do not need all VLANS on all Switches
Switch Trunking Configuration Continued..• Make sure you prune switch trunks for only
needed VLANs• Do not need all VLANS on all Switches• If you are going to have Multiple Vendors, Use
LACP uplinks
Switch Trunking Configuration Continued..Ciscointerface FastEthernet0/13switchport trunk encapsulation dot1qswitchport mode trunkswitchport trunk native vlan 11switchport trunk allowed vlan 2
Juniperset interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode trunkset interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members NAC-Guest-Vlanset interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members TPA-Switch-MGMTset interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members TPA-WiFi-Privateset interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members TPA-34-Voice set interfaces ge-0/0/1 unit 0 family ethernet-switching native-vlan-id TPA-Switch-MGMT
Switch Trunking Configuration Continued..Juniper
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode trunkset interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members NAC-Guest-Vlanset interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members TPA-Switch-MGMTset interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members TPA-WiFi-Privateset interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members TPA-34-Voice set interfaces ge-0/0/1 unit 0 family ethernet-switching native-vlan-id TPA-Switch-MGMT
HPvlan 2HP2910al(Vlan-2)#tagged 48
Switch Layer 3 best practices• Should have redundant switches• Should use a standard such as VRRP for
redundancy in the core• If possible, do layer 3 uplinks instead of layer 2• What are Layer3 uplinks?
Layer 3 Uplinks• Connections between switches are routed• Helps eliminate spanning tree and loops• Millisecond failover instead of up to 60 sec’s• Helps keep broadcast traffic down• Cost can be a concern
Backups• How often do you backup your switches?• Do you use a tool to automate your backups?• Do you have an email notifying you of changes?• A simple tool like a product call CATTOOLS can backup your
environment and is low cost. http://www.kiwisyslog.com/kiwi-cattools-overview/
• Price is $750 plus maintenance.
Code Upgrades• How often do you upgrade your switches?• Do you use the recommended release when installing?• Do you have plan on when/how you upgrade your switches
Should attempt to upgrade yearlyShould use the recommended release at that timeCisco, Juniper have links to the recommended releasesThey are no different than PC’s, they need to be patched
Port Security• Do you disable unused and unneeded ports?• Do you restrict how many devices can connect to a port?• Do you prevent against a rouge DHCP server on the
network?
Port Security can help• Allows to disable ports after a certain number of devices• DHCP snooping can prevent rouge DHCP servers
Port Security Example
• Do you disable unused and unneeded ports?• Do you restrict how many devices can connect to a port?• Do you prevent against a rouge DHCP server on the
network?
Port Security can help• Allows to disable ports after a certain number of devices• DHCP snooping can prevent rouge DHCP servers
Additional Best Practices• Should configure time zones on switches• Should configure NTP on switches• Should use SSH instead of telnet• Should change default username and password• Should use radius if possible
Survey
If you give me your Business Card I will provide you an assessment about your current Switched Network
