
Little help building a net 3

Status
Not open for further replies.

joblack23

IS-IT--Management
Mar 12, 2008
It has been a while since I last used a stacked Cisco configuration.
I have about 4 buildings quite far apart with fiber between them. All Cisco 2950s with fiber mini-GBICs. I have about 20 servers, but I'm looking to consolidate some, and about 200 users. Questions:
Would it be beneficial to use VLANs? There's nothing on this network other than engineering software, Exchange and filtered Internet.
I have a few laptops but the rest are desktops. I remember a doc where Cisco recommended forcing cards to 100/full duplex. Has anyone done this and seen at least a noticeable improvement?
Anything else you could recommend? It'll come back :)

Thanks in advance
 
Nail your servers to 100/full if you'd like, but allow desktops to be Auto.. The administrative headache isn't worth the tradeoff.. Also the 'auto' negotiation issues have pretty much been fixed in today's age.

BuckWeet
 
Thanks for your reply.
Would you recommend VLANs? I will expect between 150 to 200 users. I was thinking to leave it as a flat network with no VLANs. I don't expect a lot of broadcast (maybe from printers) and I'm not sure if it would be a benefit to enable VLANs.

As mentioned, it has been a while. Any new security features that I might need to enable?

I would greatly appreciate it if you could give me a list of things I should enable/disable to make it work well. Thanks again for your help.

 
Even though you only have 150-200 users I would recommend that each building be put on its own VLAN at the very least. The configuration to accomplish this is not all that hard.
 
I agree,
Four buildings and two hundred users plus devices will still create a decent amount of broadcast traffic... Better performance and security for a simple task.. Nice exchange..

B Haines
CCNA R&S, ETA FOI
 
Thanks guys for your info. I have a 3950 core switch in the main building. Get 4 VLANs on it, open trunking on the fiber channel or use VTP. Is there anything else on the 2950 switch other than adding ports to VLANs?

Thanks much for your help.
 
Sorry, meant to type 3750 core switch, not 3950.
 
VTP, if you plan to use it. I would recommend it. More secure. Also, if you want to manage the 2950's, set the SVI IP address, and I would open something other than the default VLAN 1.

Burt
 
PortFast, BPDU Guard, VTP (need to be careful with this one), no host traffic on the management VLAN (VTP, CDP etc. only)..

As far as security goes here is a list of top 10 from Cisco where LAN switches are concerned...

Recommended Top 10 Steps

The following list summarizes the top 10 steps to securing a Cisco LAN switch:

1. Secure the device
2. Secure management access
3. Secure management applications
4. Implement VLAN security
5. Secure user access
6. Use port security
7. Secure STP operations
8. Mitigate DHCP starvation attacks
9. Mitigate MAC spoofing and IP spoofing attacks
10. Mitigate DHCP spoofing attacks

Hope this helps... By the way I watched a Cisco video that said that some 75% of attacks come from the LAN over Layer 2... (But then I read an article on Cisco website that said like 70% were internet based so I don't know.. LoL)


B Haines
CCNA R&S, ETA FOI
 
Thanks again for everyone's help. I have a few questions about vtp since you mentioned I should be careful.
Do the 3750s and 2950s support versions 1 and 2? As I recall, version 2 supports Token Ring and transparent VTP.
Again, 150 to 200 users is a relatively small network other than being spread out with 4 VLANs.

Thanks again.
 
Just have to use the same version on all of them as far as I know.. Here is a link that explains the differences..

I was referring to securing your access ports so that no one can plug a managed switch into a wall jack and wipe your VLAN databases... (the darker side of VTP.. LoL)

B Haines
CCNA R&S, ETA FOI
 
3750s and 2950s support VTPv2 but their default is VTPv1. The two versions are not compatible. On some high-end switches (6500) you can get VTPv3, which is compatible with either v1 or v2. VTP only works on switch trunk links. If a switch plugs into a wall jack and DTP negotiates a trunk dynamically, or the rogue switch forces a trunk on its side and the closet switch also trunks, you may have issues with the VLAN database being overwritten, depending on the VTP configuration revision number.
 
Before plugging any new switches into the network, in other words, set them as vtp mode transparent or client---they default as server...evil Cisco...

Burt
 
Be careful with client. Clients can forward VTP information and if they have the bad database and a higher revision number, they can (and will) overwrite even servers. Always zeroize the revision number. Setting vtp transparent always resets the revision to 0. There are other ways but I will bring a switch into a VTP domain by first going to transparent mode then by going to client. Then, I'll nail up the trunks on both sides. The Client can learn the VTP domain if it hasn't already been set, so I also always use VTP passwords...those can't be learned dynamically.
 
I have seen server mode wipe out vlan databases, but not client. I am sure I have labbed that before...maybe I will again just to see. I have always set them as clients myself...

Burt
 
Thanks to everyone for this great information. I was looking for a way to lock down VTP per your post, Cluebird, but I have not been able to find out how to password protect the database. Please let me know what the command line is to password protect VTP.

Thanks again.
 
Switch#config t
Switch(config)#vtp password whatever
Switch(config)#
 
joblack23,
Here is a link that gives you a full setup from transparent to adding the domain name, password and verifying everything.. Have fun!!!


Just remember to place all unused ports in their own VLAN as access ports that are shut down, and make all end user ports access ports with PortFast and BPDU Guard....

It is recommended that only one switch be set up as VTP server and the rest as clients, unless you use the transparent method.. Your call, but VTP can mess you up quick if you are lax on its security.. Takes just a sec to secure!

B Haines
CCNA R&S, ETA FOI
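Added example, not taken from any post in this thread: one IOS session that puts Cluebird's VTP onboarding sequence (transparent, then domain and password, then client) and B Haines' port hardening (parked unused ports, PortFast and BPDU Guard on user ports, management off VLAN 1) together on a new 2950 access switch. The domain name, password, VLAN numbers, interface ranges and addresses are assumed placeholders.

```cisco
! Assumed: VTP domain CAMPUS, user VLAN 10, parking VLAN 999, management
! VLAN 99 on 10.99.0.0/24, uplink Gi0/1 to the 3750 core (the only VTP server).
Switch# configure terminal
! 1. VTP: transparent first so the configuration revision drops to 0, then
!    domain and password (a password is never learned over the wire), then client.
Switch(config)# vtp mode transparent
Switch(config)# vtp domain CAMPUS
Switch(config)# vtp password EXAMPLE-VTP-PASSWORD
Switch(config)# vtp version 2
Switch(config)# vtp mode client
! 2. Uplink: trunk nailed up with DTP off, so no port can negotiate one.
!    (On the 3750 end add "switchport trunk encapsulation dot1q" before "mode trunk".)
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport nonegotiate
Switch(config-if)# switchport trunk native vlan 999
! 3. User ports: access only, DTP off, PortFast + BPDU Guard, one MAC per port.
Switch(config)# interface range FastEthernet0/1 - 20
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# switchport nonegotiate
Switch(config-if-range)# spanning-tree portfast
Switch(config-if-range)# spanning-tree bpduguard enable
Switch(config-if-range)# switchport port-security
Switch(config-if-range)# switchport port-security maximum 1
Switch(config-if-range)# switchport port-security violation shutdown
! 4. Unused ports: parked in their own VLAN and shut down.
Switch(config)# interface range FastEthernet0/21 - 23
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 999
Switch(config-if-range)# shutdown
! 5. Management SVI off VLAN 1; VLAN 1 stays unused.
Switch(config)# interface Vlan1
Switch(config-if)# no ip address
Switch(config-if)# shutdown
Switch(config)# interface Vlan99
Switch(config-if)# ip address 10.99.0.2 255.255.255.0
Switch(config-if)# no shutdown
Switch(config)# ip default-gateway 10.99.0.1
Switch(config)# end
! Verify before the trunk comes up: mode Client, domain CAMPUS, revision 0.
Switch# show vtp status
Switch# show interfaces trunk
Switch# show port-security
```

A second MAC on a port with violation shutdown puts that port in err-disabled until someone clears it, so use maximum 1 only where a single device is expected (or add errdisable recovery cause psecure-violation).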
 
Thanks for your help everyone. I think I have what I need as long as nothing changes.

Thanks again. This forum rocks. :)
 
Sure enough things have changed again.
I have a total of 170 addresses on a private network to use. I've done all the calculations and created my subnets.

Not sure if I've mentioned that the 3750 I am using has 12 gigabit ports, no copper, and so the router connection will be on the 2950, port 24. The 170 addresses I want to break into 2 VLANs.

The default gateway should be 1. But I am not sure how to redirect all Internet routes through the 2950.

Thanks much.
 