<?xml version="1.0" encoding="UTF-8" ?>
<rss version="2.0">
	<channel>
		<title>Latest threads on 'switch / router configuration best practices' forum</title>
		<link>http://www.switch-config.com/forum/switch-router-configuration-best/</link>
		<description>Best practices for switch and router configuration in enterprise environment</description>
		<item>
			<title>Monitor Your switches - SysLog setting</title>
			<link>http://www.switch-config.com/forum/31</link>
			<guid>http://www.switch-config.com/forum/31</guid>
			<description>A.  Install a Syslog server. Feel free to use one of those suggested in the previous thread Monitor Your switches - SNMP setting.
  B.  Configure Your network devices to send notifications to Your Syslog server. The basic setting commands for a Cisco switch are
  
configure terminal
  logging host 192.168.1.2
end
  
 Then specify the events you want to forward to Your central store - the Syslog server. The most popular is spanning tree
  
configure terminal
  spanning-tree logging
end
  
 or interface state change - shutdown / up - with
  
configure terminal
  interface GigabitEthernet 0/1
    logging event link-status
end
  
 In case of Port-channel interfaces, the command monitoring the state of subinterfaces can be useful:
  
configure terminal
  interface Port-channel1
    logging event subif-link-status
end
  
 There are many more commands you can use to tune your monitoring: you can set the buffer size, a rate limit, or forward logs to the console too, for example
  
logging buffered 1024000
logging rate-limit 100
logging console informational
  
 Look in Your SwitchBackup application, in the cloud snippets repository, or see the suggested Cisco web pages: Software Logging Guide on Cisco or How to configure logging on the Cisco forum.</description>
			<pubDate>Tue, 09 Feb 2016 17:08:08 GMT</pubDate>
		</item>
		<item>
			<title>LAN Security - DHCP Snooping</title>
			<link>http://www.switch-config.com/forum/30</link>
			<guid>http://www.switch-config.com/forum/30</guid>
			<description>There are many security functions implemented in LAN switches to help us protect our LAN. Start to use them!
 To protect the local network against a rogue DHCP server (an unauthorized, false DHCP server), DHCP Snooping is usually available. It allows us to say which ports of the switch may pass DHCP answers from our DHCP server. These are usually trunks - uplink ports - and of course the ports connected directly to the DHCP server.
  A : identify all ports towards the official DHCP server, turn the DHCP snooping function on globally and set trust on the ports towards the DHCP servers. For example, to allow it on port gi 1/0/24 use
  
configure terminal
  ip dhcp snooping
  interface gi 1/0/24
    ip dhcp snooping trust
end
  
  B : in a more complex network, option 82 in the DHCP request is usually used to identify the source network segment (for the DHCP scope). That is why the recommended setting on the core and distribution layer (non-endpoint switches) is to allow forwarding of requests incoming from trusted ports of other switches by issuing
  
configure terminal
  ip dhcp snooping information option allow-untrusted
end
  
  C : apply the function in the specified VLANs
  
configure terminal
  ip dhcp snooping vlan 10-20
end
  
  When You have successfully applied DHCP snooping protection to Your network, do not stop. The next step is to apply ARP inspection, which uses DHCP snooping information to protect LAN clients against man-in-the-middle attacks. Stay tuned!
 See:
  Configuring DHCP Features on Cisco.com - http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_25_see/configuration/guide/scg/swdhcp82.pdf</description>
			<pubDate>Thu, 07 Jan 2016 14:04:44 GMT</pubDate>
		</item>
		<item>
			<title>Monitor Your switches - SNMP setting</title>
			<link>http://www.switch-config.com/forum/29</link>
			<guid>http://www.switch-config.com/forum/29</guid>
			<description>A . Install some server software to collect SNMP traps and to collect and monitor events. If you have none installed in your network yet, install one of the free ones - for example Zenoss Core (Linux, also available as a Virtual Appliance, look at Zenoss.org) or Mikrotik Dude (Windows, look at Mikrotik.com).
  B . Investigate or create Your own community name (string for identification) - we use "My-SNMP-Community-String" in the examples.
  C . Configure Your network devices to send traps (notifications about events) to Your server. There are several SNMP protocol versions; remember that versions 1 and 2c use plain-text authentication, while version 3 encrypts the data in the packet. Encrypting access data is nice, but this process loads the CPU of the device. So the best practice is to use version 2c due to low CPU load, to allow read-only access, not to use the default community strings (public, private), and to use a reserved management and monitoring VLAN due to security and broadcast limitations.
  Cisco switch configuration example : We are using the vendor predefined classification of the events:
 1 - Critical. The condition affects service.
 2 - Major. Immediate action is needed.
 3 - Minor. Minor warning conditions.
 4 - Informational. No action is required. This is the default.
  
configure terminal
  snmp-server community My-SNMP-Community-String RO
  snmp-server host 192.168.1.2 version 2c My-SNMP-Community-String
  snmp-server enable traps alarms 2
end
  
  HP switch configuration example : We are using the vendor predefined classification of the events:
 none - send no log messages
 debug - send debug traps (for internal use)
 all - send all log messages
 not-info - send all but informational-only messages
 critical - send critical-level log messages
 informs - specify if informs will be sent, rather than notifications
  
configure
  snmp-server host 192.168.1.2 My-SNMP-Community-String not-info
  snmp-server community My-SNMP-Community-String operator restricted
  snmp-server enable traps
end
  
  3Com or Huawei switch configuration example : Caution: Comware switches usually have SNMPv3 enabled in the default setting
  
snmp-agent trap enable
snmp-agent targethost trap address udp-domain 192.168.1.2 udp-port 162 params securityname My-SNMP-Community-String
snmp-agent community read My-SNMP-Community-String
snmp-agent sys-info version v1 v2c
undo snmp-agent sys-info version v3
snmp-agent</description>
			<pubDate>Wed, 06 Jan 2016 14:33:53 GMT</pubDate>
		</item>
		<item>
			<title>reload in command</title>
			<link>http://www.switch-config.com/forum/14</link>
			<guid>http://www.switch-config.com/forum/14</guid>
			<description>When configuring a Cisco device remotely, prefer always using the "reload in XX" command when you plan to change the management address, uplink port configuration and so on.
  
reload in 20
  
 - to ensure that the switch will be reloaded in twenty minutes
 .. apply the new configuration .. .. test the new configuration ...
 .. if ok, issue
  
reload cancel
write memory
  
 otherwise the switch will be reloaded and the previous configuration will be loaded.
  
 You can use similar commands in HP ProCurve or ProVision switches
  
reload after 00:20
  
 and cancel the countdown by issuing
  
no reload</description>
			<pubDate>Wed, 02 Jul 2014 10:26:09 GMT</pubDate>
		</item>
		<item>
			<title>Set default gateway or default route</title>
			<link>http://www.switch-config.com/forum/11</link>
			<guid>http://www.switch-config.com/forum/11</guid>
			<description>To reach a management VLAN from another network (a computer with another IP range and subnet setting), you need the ip default-gateway command on L2 or the ip route command on L3.
 Suppose your network router acting as a gateway has IP 192.168.0.250. On an L2 Cisco switch (for example 2690) use these commands to configure it:
  
configure terminal
  ip default-gateway 192.168.0.250
end
  
 or the following commands on an L3 Cisco switch (for example 4500):
  
configure terminal
  ip route 0.0.0.0 0.0.0.0 192.168.0.250
end
  
 Using SwitchBackup software You can analyze the configurations of all your devices and correct them in a few simple steps:
 1) make a new backup set first by pressing the button Backup All Devices
 2) analyze it entering the analyze line ip default gateway
 3) if some incorrect settings are found, create a snippet:
  
configure terminal
  ip default-gateway 192.168.0.250
end
  
 and apply it to all your devices. If you have some L3 devices in your network, analyze also the line ip route. Create a new domain, copy all your L3 devices to the new domain, and create a new snippet including removal of the wrong parameters with the no form of the ip route command:
  
configure terminal
  no ip route 0.0.0.0 0.0.0.0 192.168.0.1
  ip route 0.0.0.0 0.0.0.0 192.168.0.250
end
  
 and apply it to all devices in the new domain. Then back up the new domain, analyze again, and if you are satisfied, save all running configs by applying the save config snippet.</description>
			<pubDate>Sun, 22 Jun 2014 06:44:21 GMT</pubDate>
		</item>
		<item>
			<title>Encrypt all plain text passwords</title>
			<link>http://www.switch-config.com/forum/12</link>
			<guid>http://www.switch-config.com/forum/12</guid>
			<description>Use the command
   service password-encryption
 to encrypt all passwords stored in plain text in the configuration file on Cisco network devices.
 In SwitchBackup, you can use the predefined snippet Encrypt password and apply it to all devices in the domain at once. You can also use the off-line analyzer to find, in all configuration backups, the devices where the service password-encryption command is not present.</description>
			<pubDate>Sun, 22 Jun 2014 07:06:01 GMT</pubDate>
		</item>
		<item>
			<title>Set correct time with NTP server</title>
			<link>http://www.switch-config.com/forum/10</link>
			<guid>http://www.switch-config.com/forum/10</guid>
			<description>Usually each network environment must have an authorized time source. When we say authorized, we mean a source configured by the administrator to get time from a trusted source and to set the time on network devices, like the domain controller for workstations, DHCP server, core switch, main router and so on.
 You ought to configure that time source for all your switches and routers too; in Cisco simply type:
  
configure terminal
  ntp server 192.168.0.1
end
  
 With SwitchBackup, you can simply check which NTP server is configured - use the offline backup analyzer and test the line ntp server
 If you need to correct the setting in one or more devices, you can use a Code Snippet to make a mass configuration of all devices at once. Suppose you have found some Cisco switches with the incorrect setting 192.168.0.10 and some without an NTP server configured. Then create a snippet:
  
configure terminal
  no ntp server 192.168.0.10
  ntp server 192.168.0.1 key 0 prefer
end
  
 and apply it to all those devices.</description>
			<pubDate>Sat, 21 Jun 2014 13:19:40 GMT</pubDate>
		</item>
	</channel>
</rss>