New SG 300-20 Cisco Managed Switch!
  • New SG 300-20 Cisco Managed Switch!

    Building a small office environment.

    WAN > pfSense (Firewall and Router) > Switch (services computers and servers in AD domain)

    DNS and DHCP are provided by the Domain Controller.

    Things appear to be working okay. The only change I've made from the out of the box set up was pairing two ports for LAG connected to the NAS.

    I am looking for suggestions and input on optimizing the config on the switch from you fine experienced folks!

  • #2
    Re: New SG 300-20 Cisco Managed Switch!

    Per Cisco's guidelines under CCENT and CCNA certifications:
    1) shut down any physical port not currently used
    2) manually set trunks as trunks, do not allow negotiation
    3) set "service password-encryption" in running config so passwords are masked (not in plain text in running config)
    4) force login to console, aux and telnet/SSH (vty) ports
    5) set 'enable' password to prevent unintentional access to global config mode
    6) disable web server access for both http & https
    7) use sticky MAC addresses on access ports
    8) don't use VLAN1--leave it shutdown with no ip address; remote manage using a different vlan
    9) use an ACL to limit which ip addresses can access your vty ports
    10) use SSH rather than telnet to access the vty ports
    11) separate traffic inside switch by using vlans (i.e. finance on vlan 10, management on vlan 20, IT on vlan 30, etc.)(this will require the use of either Layer 3 routing on the switch if capable, or a separate router, but cuts down on the amount of broadcast traffic every connected device sees)

    The bulk of these are for securing the switch from unauthorised manipulations, while the last one is just for more efficient traffic. Since there's only the 1 switch, settings for VTP and STP aren't an issue here, although you could add
    12) configure "spanning-tree portfast" on every port that has a PC/printer/server on it and will never see another switch. This speeds up the time it takes for a port to begin forwarding traffic after a switch reboot.
    *RicklesP*
    MSCA (2003/XP), Security+, CCNA

    ** Remember: credit where credit is due, and reputation points as appropriate **
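    As an added example (not part of the thread, and not the SG300's own management interface), here is a small Python audit that reads an IOS-style text config and reports which of the items in the list above are not met. The config text is a constructed sample; it assumes IOS-style syntax, which the SG300 may not expose in exactly this form.

```python
import re
# Constructed IOS-style config sample (not the poster's), missing several items from the list above.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security mac-address sticky
interface GigabitEthernet1/0/2
 switchport mode trunk
interface GigabitEthernet1/0/3
interface Vlan1
 ip address 192.0.2.10 255.255.255.0
line vty 0 15
 transport input telnet ssh
"""

def parse_blocks(config):  # map each 'interface'/'line' header to its indented sub-lines
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith(("interface ", "line ")):
            current, blocks[raw] = raw, []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks

def audit(config):
    """Return one finding per hardening item (from the list above) that is not met."""
    findings = []
    if not re.search(r"^service password-encryption$", config, re.M):
        findings.append("global: service password-encryption not set")
    for header, lines in parse_blocks(config).items():
        kind, name = header.split(" ", 1)
        has = lambda prefix: any(l.startswith(prefix) for l in lines)
        if name == "Vlan1":
            if has("ip address") or not has("shutdown"):
                findings.append("Vlan1: should be shut down with no ip address")
        elif kind == "interface":
            if not lines:
                findings.append(f"{name}: unused port not shut down")
            if has("switchport mode trunk") and not has("switchport nonegotiate"):
                findings.append(f"{name}: trunk still allows DTP negotiation")
            if has("switchport mode access") and not has("switchport port-security mac-address sticky"):
                findings.append(f"{name}: access port without sticky MAC port-security")
        elif kind == "line" and name.startswith("vty"):
            if "transport input ssh" not in lines:
                findings.append("vty: transport input should be ssh only")
            if not has("access-class"):
                findings.append("vty: no access-class ACL limiting management sources")
    return findings
```

    Run `audit(open("running-config.txt").read())` against an exported config; an empty list means every checked item is in place.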



    • #3
      Re: New SG 300-20 Cisco Managed Switch!

      Awesome. Thank you for posting. I will work on this today.

      Additionally, here's a screenshot of what I have.

      Anything I need to do with DHCP relay, DNS, QoS or Spanning Tree? Not sure if this actually helps or optimizes anything.

      http://i.imgur.com/kWQE6.png



      • #4
        Re: New SG 300-20 Cisco Managed Switch!

        Shouldn't have to mess with spanning tree at all if it's just one switch. You could turn on rapid spanning tree (802.1w) if it's not already running if you're considering trunking another switch with this one in the future. All the things RicklesP posted are good things to do. As already mentioned, portfast and bpduguard on ports connected to end hosts. Also shut down any unused ports and place those disabled ports in a separate vlan. Don't think this switch can be managed via command line so http access will have to be enabled.
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)



        • #5
          Re: New SG 300-20 Cisco Managed Switch!

          Originally posted by auglan:
          Shouldn't have to mess with spanning tree at all if it's just one switch. You could turn on rapid spanning tree (802.1w) if it's not already running if you're considering trunking another switch with this one in the future. All the things RicklesP posted are good things to do. As already mentioned, portfast and bpduguard on ports connected to end hosts. Also shut down any unused ports and place those disabled ports in a separate vlan. Don't think this switch can be managed via command line so http access will have to be enabled.
          You are the man. Thanks again all.
