  #1 Mr.Ben

    Core Switch Config - Have I got it right?

    Good Evening Ladies & Gents

    I'm looking to move our rather flat network to having VLANs and a Guest Network. The Guest Network only needs access to DHCP/DNS, the Gateway and our web servers (to stop traffic needlessly coming in via the web).

    The nice new core switch is an HP 5406zl and below is my first attempt at configuring it. I have limited knowledge of networking and I can't trial-run this just yet as the switch is in production. Can you see anything wrong with the following?

    (Ignore the fact that all ports are untagged at the moment - I'm yet to decide on which ports will serve which VLAN)

    Thanks in advance, Ben


    ; J8697A Configuration Editor; Created on release #K.15.07.0008
    ; Ver #02:1b.2f:36
    hostname "CoreSwitch"
    module 1 type J9538A
    module 2 type J9537A
    module 3 type J9307A
    ip access-list extended "Guest To Servers_Devices"
    10 remark "Allow Guest to CVS-VSRV-001"
    10 permit ip 10.6.136.0 0.0.3.255 10.6.183.31 0.0.0.0
    20 remark "Allow Guest to CVS-VSRV-002"
    20 permit ip 10.6.136.0 0.0.3.255 10.6.183.32 0.0.0.0
    30 remark "Allow Guest to CVS-VSRV-008"
    30 permit ip 10.6.136.0 0.0.3.255 10.6.183.38 0.0.0.0
    40 remark "Allow Guest to CVS-VSRV-009"
    40 permit ip 10.6.136.0 0.0.3.255 10.6.183.39 0.0.0.0
    50 remark "Allow Guest to CVS-VSRV-010"
    50 permit ip 10.6.136.0 0.0.3.255 10.6.183.40 0.0.0.0
    60 remark "Allow Guest to CVS-VSRV-011"
    60 permit ip 10.6.136.0 0.0.3.255 10.6.183.41 0.0.0.0
    70 remark "Allow Guest to CVS-VSRV-013"
    70 permit ip 10.6.136.0 0.0.3.255 10.6.183.43 0.0.0.0
    80 remark "Deny all access to other addresses"
    80 deny ip 10.6.136.1 0.0.3.255 10.6.176.0 0.0.7.255
    ip default-gateway 10.6.183.254
    ip routing
    ip directed-broadcast
    vlan 10
    name "Servers_Devices"
    untagged A1-A8,B1-B24,C1-C24
    ip helper-address 10.6.183.31
    ip helper-address 10.6.183.32
    ip helper-address 10.6.183.33
    ip address 10.6.183.1 255.255.255.0
    exit
    vlan 20
    name "English_Mezz_Library"
    untagged A1-A8,B1-B24,C1-C24
    ip helper-address 10.6.183.31
    ip helper-address 10.6.183.32
    ip helper-address 10.6.183.33
    ip address 10.6.176.1 255.255.255.0
    exit
    vlan 30
    name "Music_PA"
    untagged A1-A8,B1-B24,C1-C24
    ip helper-address 10.6.183.31
    ip helper-address 10.6.183.32
    ip helper-address 10.6.183.33
    ip address 10.6.177.1 255.255.255.128
    exit
    vlan 40
    name "Humanities"
    untagged A1-A8,B1-B24,C1-C24
    ip helper-address 10.6.183.31
    ip helper-address 10.6.183.32
    ip helper-address 10.6.183.33
    ip address 10.6.177.128 255.255.255.128
    exit
    vlan 50
    name "Lower_School_L10"
    untagged A1-A8,B1-B24,C1-C24
    ip helper-address 10.6.183.31
    ip helper-address 10.6.183.32
    ip helper-address 10.6.183.33
    ip address 10.6.178.1 255.255.255.0
    exit
    vlan 60
    name "Lower_School_L8"
    untagged A1-A8,B1-B24,C1-C24
    ip helper-address 10.6.183.31
    ip helper-address 10.6.183.32
    ip helper-address 10.6.183.33
    ip address 10.6.179.1 255.255.255.0
    exit
    vlan 70
    name "SixthForm_Art"
    untagged A1-A8,B1-B24,C1-C24
    ip helper-address 10.6.183.31
    ip helper-address 10.6.183.32
    ip helper-address 10.6.183.33
    ip address 10.6.180.1 255.255.255.128
    exit
    vlan 80
    name "Science"
    untagged A1-A8,B1-B24,C1-C24
    ip helper-address 10.6.183.31
    ip helper-address 10.6.183.32
    ip helper-address 10.6.183.33
    ip address 10.6.180.128 255.255.255.128
    exit
    vlan 90
    name "Technology_PE"
    untagged A1-A8,B1-B24,C1-C24
    ip helper-address 10.6.183.31
    ip helper-address 10.6.183.32
    ip helper-address 10.6.183.33
    ip address 10.6.181.1 255.255.255.0
    exit
    vlan 100
    name "Admin_Learning Support"
    untagged A1-A8,B1-B24,C1-C24
    ip helper-address 10.6.183.31
    ip helper-address 10.6.183.32
    ip helper-address 10.6.183.33
    ip address 10.6.182.1 255.255.255.0
    exit
    vlan 110
    name "Guest_Network"
    untagged A1-A8,B1-B24,C1-C24
    ip helper-address 10.6.183.31
    ip helper-address 10.6.183.32
    ip address 10.6.136.1 255.255.252.0
    ip access-group "Guest To Servers_Devices" in
    exit
    vlan 120
    name "Telephony"
    untagged A1-A8,B1-B24,C1-C24
    ip address 172.16.0.1 255.255.0.0
    exit
    fault-finder bad-driver sensitivity high
    fault-finder bad-transceiver sensitivity high
    fault-finder bad-cable sensitivity high
    fault-finder too-long-cable sensitivity high
    fault-finder over-bandwidth sensitivity high
    fault-finder broadcast-storm sensitivity high
    fault-finder loss-of-link sensitivity high
    fault-finder duplex-mismatch-hdx sensitivity high
    fault-finder duplex-mismatch-fdx sensitivity high
    fault-finder link-flap sensitivity high
    snmp-server community "public" unrestricted
    snmp-server contact "01234 567890" location "Server Room"
    no autorun
    no dhcp config-file-update
    no dhcp image-file-update
    password manager
    Last edited by Mr.Ben; 18th December 2012 at 05:09 PM.

  #2 twin--turbo
    Not overly familiar with HP (Cisco House here)

    Looks fairly sound, apart from the fact that your access list is not restricting ports to just the services you need (unless I am missing something).

    And you will want QoS on the Voice VLAN.

    Rob

  #3 twin--turbo
    Also, is the deny statement needed on HP? It's a given that all traffic is denied unless the ACL allows it, and if it is needed I would go with blocking traffic to 0.0.0.0/0.0.0.0, not just your subnet.

    Rob

  #4 Mr.Ben
    Would I use something like this to limit the services (for the web server, HTTPS in this instance)?

    permit tcp 10.6.136.0 0.0.3.255 10.6.183.43 0.0.0.0 eq https

    or

    permit tcp 10.6.136.0 0.0.3.255 10.6.183.43 0.0.0.0 eq 443

    I'm struggling with the syntax! What does the eq part stand for?

  #5 twin--turbo
    eq = equals

  #6 Mr.Ben
    Duh! = Brain freeze!

    Thanks :-)

  #7 twin--turbo
    Either 443 or https should be fine; Cisco will replace port numbers of known services anyway to make the config easier to read. HP may do the same.

    Rob

  #8 Mr.Ben
    Quote Originally Posted by twin--turbo
    Also, is the deny statement needed on HP? It's a given that all traffic is denied unless the ACL allows it, and if it is needed I would go with blocking traffic to 0.0.0.0/0.0.0.0, not just your subnet.

    Rob
    I'm not sure; the examples I have use it, but I'll try without, as I'm in agreement: unless it's on the list, you're not getting in!
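    As an added illustration (not code from the thread or from HP), the following Python model shows how an HP extended ACL evaluates a flow: wildcard masks, first match wins, and an implicit deny when nothing matches. It compares the ACL from post #1 with a port-restricted version along the lines suggested in #2 and #4; which server runs DNS and which runs HTTPS is an assumption made here, the flows are constructed, and DHCP relay is not modelled.

```python
import ipaddress
from typing import List, NamedTuple, Optional

class Ace(NamedTuple):
    """One ACL entry in HP wildcard-mask form (wildcard bit 0 = must match, 1 = don't care)."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol; otherwise "tcp" or "udp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None  # destination port for "eq <port>"; None = any port

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    keep = ~w & 0xFFFFFFFF       # bits that must be equal
    return (a & keep) == (b & keep)

def evaluate(acl: List[Ace], src: str, dst: str, proto: str, dport: Optional[int] = None) -> str:
    """First matching entry wins; with no match the ACL denies (the implicit deny)."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"

GUEST = ("10.6.136.0", "0.0.3.255")   # Guest_Network source range from the posted ACL
SERVERS = ["10.6.183.31", "10.6.183.32", "10.6.183.38", "10.6.183.39",
           "10.6.183.40", "10.6.183.41", "10.6.183.43"]

# The ACL as posted: any IP protocol to the listed servers, then the explicit line-80 deny.
ORIGINAL = [Ace("permit", "ip", *GUEST, h, "0.0.0.0") for h in SERVERS]
ORIGINAL.append(Ace("deny", "ip", "10.6.136.1", "0.0.3.255", "10.6.176.0", "0.0.7.255"))

# Port-restricted variant in the spirit of the replies. Which host runs which service is
# an assumption made here: DNS on the two helper addresses, HTTPS on CVS-VSRV-013 (.43).
RESTRICTED = [
    Ace("permit", "udp", *GUEST, "10.6.183.31", "0.0.0.0", 53),
    Ace("permit", "udp", *GUEST, "10.6.183.32", "0.0.0.0", 53),
    Ace("permit", "tcp", *GUEST, "10.6.183.43", "0.0.0.0", 443),
]

def compare(src: str, dst: str, proto: str, dport: Optional[int] = None) -> tuple:
    """(verdict under the posted ACL, verdict under the port-restricted ACL)."""
    return evaluate(ORIGINAL, src, dst, proto, dport), evaluate(RESTRICTED, src, dst, proto, dport)
```

    Running `compare("10.6.136.50", "10.6.183.43", "tcp", 3389)` gives `("permit", "deny")`: the posted ACL lets any protocol reach the web server, the port-restricted one does not. Evaluating `ORIGINAL[:-1]` (line 80 removed) gives the same verdicts, which is the point made in #3 about the implicit deny.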

  #9 ChrisH
    Also, I would consider changing your snmp-server settings (unless you are using something to manage the switches using SNMP), as they're open to abuse currently. You want to set it to restricted or something like that so you can still query it for performance, CPU, free mem etc. (Cacti, Nagios etc.). At the moment someone might be able to change your config with the right tool.

    As noted as well, for QoS on your voice VLAN, just adding "voice" on its own (under the VLAN context) will get you going with that.
    Last edited by ChrisH; 18th December 2012 at 07:10 PM.

  #10 DMcCoy
    You don't need the IP helpers for Servers_Devices, as they will just broadcast as normal in the VLAN.
