18th December 2012, 05:05 PM #1 Core Switch Config - Have I got it right?
Good Evening Ladies & Gents
I'm looking to move our rather flat network to having VLANs and a Guest Network. The Guest Network only needs access to DHCP/DNS, the Gateway and our web servers (to stop traffic needlessly coming in via the web).
The nice new core switch is an HP 5406zl and below is my first attempt at configuring it. I have limited knowledge of networking and I can't trial-run this just yet as the switch is in production. Can you see anything wrong with the following?
(Ignore the fact that all ports are untagged at the moment - I'm yet to decide on which ports will serve which VLAN)
Thanks in advance, Ben
; J8697A Configuration Editor; Created on release #K.15.07.0008
; Ver #02:1b.2f:36
hostname "CoreSwitch"
module 1 type J9538A
module 2 type J9537A
module 3 type J9307A
ip access-list extended "Guest To Servers_Devices"
10 remark "Allow Guest to CVS-VSRV-001"
10 permit ip 10.6.136.0 0.0.3.255 10.6.183.31 0.0.0.0
20 remark "Allow Guest to CVS-VSRV-002"
20 permit ip 10.6.136.0 0.0.3.255 10.6.183.32 0.0.0.0
30 remark "Allow Guest to CVS-VSRV-008"
30 permit ip 10.6.136.0 0.0.3.255 10.6.183.38 0.0.0.0
40 remark "Allow Guest to CVS-VSRV-009"
40 permit ip 10.6.136.0 0.0.3.255 10.6.183.39 0.0.0.0
50 remark "Allow Guest to CVS-VSRV-010"
50 permit ip 10.6.136.0 0.0.3.255 10.6.183.40 0.0.0.0
60 remark "Allow Guest to CVS-VSRV-011"
60 permit ip 10.6.136.0 0.0.3.255 10.6.183.41 0.0.0.0
70 remark "Allow Guest to CVS-VSRV-013"
70 permit ip 10.6.136.0 0.0.3.255 10.6.183.43 0.0.0.0
80 remark "Deny all access to other addresses"
80 deny ip 10.6.136.1 0.0.3.255 10.6.176.0 0.0.7.255
ip default-gateway 10.6.183.254
ip routing
ip directed-broadcast
vlan 10
name "Servers_Devices"
untagged A1-A8,B1-B24,C1-C24
ip helper-address 10.6.183.31
ip helper-address 10.6.183.32
ip helper-address 10.6.183.33
ip address 10.6.183.1 255.255.255.0
exit
vlan 20
name "English_Mezz_Library"
untagged A1-A8,B1-B24,C1-C24
ip helper-address 10.6.183.31
ip helper-address 10.6.183.32
ip helper-address 10.6.183.33
ip address 10.6.176.1 255.255.255.0
exit
vlan 30
name "Music_PA"
untagged A1-A8,B1-B24,C1-C24
ip helper-address 10.6.183.31
ip helper-address 10.6.183.32
ip helper-address 10.6.183.33
ip address 10.6.177.1 255.255.255.128
exit
vlan 40
name "Humanities"
untagged A1-A8,B1-B24,C1-C24
ip helper-address 10.6.183.31
ip helper-address 10.6.183.32
ip helper-address 10.6.183.33
ip address 10.6.177.128 255.255.255.128
exit
vlan 50
name "Lower_School_L10"
untagged A1-A8,B1-B24,C1-C24
ip helper-address 10.6.183.31
ip helper-address 10.6.183.32
ip helper-address 10.6.183.33
ip address 10.6.178.1 255.255.255.0
exit
vlan 60
name "Lower_School_L8"
untagged A1-A8,B1-B24,C1-C24
ip helper-address 10.6.183.31
ip helper-address 10.6.183.32
ip helper-address 10.6.183.33
ip address 10.6.179.1 255.255.255.0
exit
vlan 70
name "SixthForm_Art"
untagged A1-A8,B1-B24,C1-C24
ip helper-address 10.6.183.31
ip helper-address 10.6.183.32
ip helper-address 10.6.183.33
ip address 10.6.180.1 255.255.255.128
exit
vlan 80
name "Science"
untagged A1-A8,B1-B24,C1-C24
ip helper-address 10.6.183.31
ip helper-address 10.6.183.32
ip helper-address 10.6.183.33
ip address 10.6.180.128 255.255.255.128
exit
vlan 90
name "Technology_PE"
untagged A1-A8,B1-B24,C1-C24
ip helper-address 10.6.183.31
ip helper-address 10.6.183.32
ip helper-address 10.6.183.33
ip address 10.6.181.1 255.255.255.0
exit
vlan 100
name "Admin_Learning Support"
untagged A1-A8,B1-B24,C1-C24
ip helper-address 10.6.183.31
ip helper-address 10.6.183.32
ip helper-address 10.6.183.33
ip address 10.6.182.1 255.255.255.0
exit
vlan 110
name "Guest_Network"
untagged A1-A8,B1-B24,C1-C24
ip helper-address 10.6.183.31
ip helper-address 10.6.183.32
ip address 10.6.136.1 255.255.252.0
ip access-group "Guest To Servers_Devices" in
exit
vlan 120
name "Telephony"
untagged A1-A8,B1-B24,C1-C24
ip address 172.16.0.1 255.255.0.0
exit
fault-finder bad-driver sensitivity high
fault-finder bad-transceiver sensitivity high
fault-finder bad-cable sensitivity high
fault-finder too-long-cable sensitivity high
fault-finder over-bandwidth sensitivity high
fault-finder broadcast-storm sensitivity high
fault-finder loss-of-link sensitivity high
fault-finder duplex-mismatch-hdx sensitivity high
fault-finder duplex-mismatch-fdx sensitivity high
fault-finder link-flap sensitivity high
snmp-server community "public" unrestricted
snmp-server contact "01234 567890" location "Server Room"
no autorun
no dhcp config-file-update
no dhcp image-file-update
password manager
Last edited by Mr.Ben; 18th December 2012 at 05:09 PM.
-
-
18th December 2012, 06:28 PM #2 Not overly familiar with HP (Cisco House here)
Looks fairly sound, apart from the fact that your access list is not restricting ports to just the services you need (unless I am missing something).
And you will want QoS on the Voice VLAN.
Rob
-
Thanks to twin--turbo from:
Mr.Ben (18th December 2012)
-
18th December 2012, 06:32 PM #3 Also, is the deny statement needed on HP? It's a given that all traffic is denied unless the ACL allows it, and if it is needed I would go with blocking traffic to 0.0.0.0/0.0.0.0, not just your subnet.
Rob
-
-
18th December 2012, 06:40 PM #4 Would I use something like this to limit the services (for the web server, HTTPS in this instance)?
permit tcp 10.6.136.0 0.0.3.255 10.6.183.43 0.0.0.0 eq https
or
permit tcp 10.6.136.0 0.0.3.255 10.6.183.43 0.0.0.0 eq 443
I'm struggling with the syntax! What does the eq part stand for?
-
-
18th December 2012, 06:42 PM #5
-
Thanks to twin--turbo from:
Mr.Ben (18th December 2012)
-
18th December 2012, 06:43 PM #6 Duh! Brain freeze!
Thanks :-)
-
-
18th December 2012, 06:44 PM #7 Either 443 or https should be fine; Cisco will replace port numbers of known services anyway to make the config easier to read. HP may do the same.
Rob
-
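The access-list behaviour discussed in posts #2, #3 and #7 (first matching entry wins, a port is only restricted when the entry carries an eq qualifier, and an implicit deny ends every list) as an added Python model. This is not part of the thread and not HP code: it parses three entries of the ACL posted above plus a constructed revision that applies Rob's advice, then evaluates constructed sample flows from a guest client. The service-name table and the sample addresses are assumptions.

```python
"""Model of how an HP ProCurve extended ACL like the one in this thread is
evaluated. Added example, not vendor code: it covers only the syntax used here
(permit/deny, ip/tcp/udp, 'address wildcard' pairs, optional 'eq <port>' on the
destination), first-match in sequence order, and an implicit deny at the end."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Service names accepted after 'eq' (assumed subset; the switch knows more).
WELL_KNOWN = {"http": 80, "https": 443, "dns": 53, "domain": 53}

# Three entries of the ACL posted above, unchanged.
ORIGINAL_ACL = """\
ip access-list extended "Guest To Servers_Devices"
10 remark "Allow Guest to CVS-VSRV-001"
10 permit ip 10.6.136.0 0.0.3.255 10.6.183.31 0.0.0.0
70 remark "Allow Guest to CVS-VSRV-013"
70 permit ip 10.6.136.0 0.0.3.255 10.6.183.43 0.0.0.0
80 remark "Deny all access to other addresses"
80 deny ip 10.6.136.1 0.0.3.255 10.6.176.0 0.0.7.255
"""

# Constructed revision applying Rob's advice: limit each host to the service the
# guests actually need and rely on the implicit deny instead of entry 80.
REVISED_ACL = """\
ip access-list extended "Guest To Servers_Devices"
10 remark "Guest DNS to CVS-VSRV-001"
10 permit udp 10.6.136.0 0.0.3.255 10.6.183.31 0.0.0.0 eq 53
70 remark "Guest HTTPS to CVS-VSRV-013"
70 permit tcp 10.6.136.0 0.0.3.255 10.6.183.43 0.0.0.0 eq https
"""


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches any protocol; "tcp"/"udp" only that one
    src: int
    src_wild: int
    dst: int
    dst_wild: int
    dport: Optional[int]  # None means any destination port


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_acl(text: str) -> List[Entry]:
    """Parse the ACL body; the access-list header and remark lines are skipped."""
    entries = []
    for raw in text.splitlines():
        tok = raw.split()
        if len(tok) < 2 or tok[0] == "ip" or tok[1] == "remark":
            continue
        seq, action, proto = int(tok[0]), tok[1], tok[2]
        if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp"):
            raise ValueError(f"unsupported entry: {raw!r}")
        src, src_wild, dst, dst_wild = (_ip(t) for t in tok[3:7])
        dport = None
        if len(tok) > 7:
            if tok[7] != "eq" or len(tok) != 9:
                raise ValueError(f"unsupported port qualifier: {raw!r}")
            dport = WELL_KNOWN.get(tok[8]) or int(tok[8])
        entries.append(Entry(seq, action, proto, src, src_wild, dst, dst_wild, dport))
    return sorted(entries, key=lambda e: e.seq)


def wildcard_match(addr: int, base: int, wild: int) -> bool:
    """A wildcard mask is an inverted netmask: 1 bits are 'don't care'.
    0.0.3.255 therefore covers a /22 and 0.0.0.0 exactly one host."""
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (base & care)


def evaluate(entries: List[Entry], src: str, dst: str, proto: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, sequence) of the first matching entry, or ('deny', None)
    for the implicit deny that ends every ACL."""
    s, d = _ip(src), _ip(dst)
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (wildcard_match(s, e.src, e.src_wild)
                and wildcard_match(d, e.dst, e.dst_wild)):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, e.seq
    return "deny", None


if __name__ == "__main__":
    # Constructed sample flows from a guest client at 10.6.136.77.
    flows = [("10.6.183.43", "tcp", 443), ("10.6.183.43", "tcp", 22),
             ("10.6.183.31", "udp", 53), ("10.6.182.5", "tcp", 445),
             ("172.16.0.5", "udp", 5060)]
    for name, text in (("original", ORIGINAL_ACL), ("revised", REVISED_ACL)):
        acl = parse_acl(text)
        for dst, proto, port in flows:
            verdict = evaluate(acl, "10.6.136.77", dst, proto, port)
            print(f"{name:8} 10.6.136.77 -> {dst} {proto}/{port}: {verdict}")
```

Running it shows the two points made in the replies: with the original list a guest reaching the web server on tcp/22 is permitted by entry 70 because "permit ip" says nothing about ports, while with the revision only tcp/443 gets through. It also shows that the explicit entry 80 only ever catches destinations inside 10.6.176.0/21; a guest packet to the Telephony range falls off the end of the list and is dropped by the implicit deny either way, which is why the entry can be left out.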
-
18th December 2012, 06:48 PM #8
Originally Posted by twin--turbo:
Also, is the deny statement needed on HP? It's a given that all traffic is denied unless the ACL allows it, and if it is needed I would go with blocking traffic to 0.0.0.0/0.0.0.0, not just your subnet.
Rob
I'm not sure, the examples I have use it, but I'll try without as I'm in agreement - unless it's on the list you're not getting in!
-
-
18th December 2012, 07:08 PM #9 Also I would consider changing your snmp-server settings as well (unless you are using something to manage the switches using SNMP) as it's open to abuse currently. You want to set it to restricted or something like that so you can still query it for performance, CPU, Free mem etc (Cacti, Nagios etc). At the moment someone might be able to change your config with the right tool.
As noted as well, for QoS on your voice VLAN, just adding "voice" on its own (under the VLAN context) will get you going with that.
Last edited by ChrisH; 18th December 2012 at 07:10 PM.
-
-
18th December 2012, 09:00 PM #10 You don't need the ip helpers for Servers_Devices as they will just broadcast as normal in the VLAN.
-