Cisco Config Basics - User Port
This is my first post in a series I'm calling Cisco Config Basics. These posts will serve as a reference for anyone new to Cisco, or those of you just looking to compare your current configs. After the full config, I will explain each config item line-by-line.
In a campus network, the User Port has a lot riding on it - vlan config, security controls, DHCP protection, PoE settings...not to mention new IPv6 policy that is needed even if you're not running IPv6 in your network! As promised I will give the full config first, then explain everything:
User Port Config (Catalyst 2960X - IOS 15.2.2E6)
interface GigabitEthernet1/0/1
switchport access vlan 10
switchport mode access
switchport voice vlan 20
switchport port-security maximum 6
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security
load-interval 30
no snmp trap link-status
no logging event link-status
power inline police action log
no power efficient-ethernet
storm-control broadcast level pps 1k 500
storm-control action shutdown
storm-control action trap
spanning-tree portfast
ip dhcp snooping limit rate 100
ipv6 nd raguard attach-policy RA-BLOCK
ipv6 dhcp guard attach-policy DHCP-CLIENT
Whew, that's a decent amount of config! Let's take a look:
switchport access vlan 10
Sets the 'untagged' vlan for the port. Most end-user computers/devices are not vlan aware, so this is the vlan the connected device will join.
switchport mode access
Forces the port into access mode instead of 'dynamic desirable' - it will not negotiate to be a trunk port.
switchport voice vlan 20
Set the 'tagged' vlan for VoIP devices. VoIP phones need to know to tag their traffic to this vlan, usually done through CDP, LLDP, or DHCP options.
switchport port-security maximum 6
Allows a maximum of six devices (mac-addresses) connected to the port. At a minimum, two mac-addresses need to be allowed for their computer and phone. 6 devices allows for a little wiggle room, while still protecting the switch from any mac-address flooding attempts.
switchport port-security violation restrict
The 'restrict' parameter will drop traffic from any mac-addresses past the maximum (6) limit. You can also use the 'shutdown' option to shut down the port instead.
switchport port-security aging time 2
If a device is connected to a port, but inactive, it's mac-address will be flushed after 2 minutes. Devices that physically disconnect will have their mac-address flushed immediately.
switchport port-security
The port-security commands above do not take effect until port-security is enabled on the port with this command. By default, port-security will automatically shutdown the port when a new MAC address is detected, which is why we tuned the config above with 'violation restrict' and 'aging time 2'. You can see the port-security policy on an interface with the command 'show port-security interface g1/0/1'.
load-interval 30
By default, Cisco calculates the load (utilization) of an interface over a 5 minute average. This makes it harder to see bursty traffic, so I prefer to lower the interval to the minimum - 30 seconds.
no snmp trap link-status
No need to flood your snmp trap server with interface up/down events for user ports. This information isn't generally helpful since users will be connecting and disconnecting their computers all the time, better to get rid of the noise.
no logging event link-status
Same as the command above, but for your switch logs and syslog server.
power inline police action log
Instead of disabling a port for exceeding power allocation, a syslog message is generated, notifying you of a misbehaving device.
no power efficient-ethernet
Disables Energy Efficient Ethernet (EEE - 802.3az), which is supposed to reduce power consumption during idle usage, but I've seen weird behavior from a number of devices that is solved by disabled EEE.
storm-control broadcast level pps 1k 500
Storm-control is used to detect a flood of broadcast, unknown unicast, or unknown multicast traffic and shutdown the port. The first number represents the 'rising threshold' after which traffic is blocked. The second number is the 'falling threshold' where traffic will no longer be blocked if it falls back below this value. There are multiple ways to configure this feature (% utilization, bps, pps), but this example uses pps to enforce a 1000 packet-per-second threshold for broadcast traffic, which I have found to be a good general number to start. This number will vary and can be tuned depending on your environment.
storm-control action shutdown
When a storm is detected, the port is shutdown. The port can recover with the 'errdisable recovery' global policy shown below or manually typing 'no shutdown' in the interface configuration.
storm-control action trap
Also sends an SNMP trap when the storm is detected, in addition to the shutdown above.
spanning-tree portfast
Spanning-tree portfast places the port in the forwarding state immediately, instead of going through all the initial spanning-tree states. Helps the connected computer obtain an IP address and get on the network faster. Only use this if connecting to a non-switch device.
ip dhcp snooping limit rate 100
Limits the number of DHCP requests to 100 requests per second. This prevents a misconfigured or malicious device from DOS'ing your DHCP server.
ipv6 nd raguard attach-policy RA-BLOCK
Blocks rogue IPv6 router advertisement (RA) messages. Even if you do not use IPv6 in your network, a rogue device could start advertising itself as a IPv6 router and funnel traffic through itself, since most modern operating systems will prefer IPv6 over IPv4.
ipv6 dhcp guard attach-policy DHCP-CLIENT
This blocks IPv6 DHCP server replies and advertisements from unauthorized (end-user) ports.
Global Switch Config
In addition to the user port config, there are global switch settings that are needed as well.
spanning-tree mode rapid-pvst
spanning-tree logging
spanning-tree portfast bpduguard default
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause link-flap
errdisable recovery cause psecure-violation
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause storm-control
ipv6 nd raguard policy RA-ALLOW
device-role router
ipv6 nd raguard policy RA-BLOCK
device-role host #default role
ipv6 snooping logging packet drop
ipv6 snooping logging resolution-veto
ipv6 dhcp guard policy DHCP-CLIENT
device-role client #default role
ipv6 dhcp guard policy DHCP-TRUST
trusted-port
ip dhcp snooping vlan 1-4094
no ip dhcp snooping information option
ip dhcp snooping
interface Port-channel1
ip dhcp snooping trust
spanning-tree mode rapid-pvst
Enables rapid per-vlan spanning-tree, which I would recommend as the default spanning-tree setting for a Cisco network.
spanning-tree logging
Spanning-tree events are logged in the device logs and syslog.
spanning-tree portfast bpduguard default
Enables bpduguard on every port that has 'spanning-tree portfast' configured. With this, the switch will shutdown any port that recieves bpdus, which protects your network from rogue switches being plugged in and potentially becoming spanning-tree root.
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause link-flap
errdisable recovery cause psecure-violation
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause storm-control
Sets auto-recovery for the policies above (udld, bpduguard, link-flap, psecure-violation, dhcp-rate-limit, storm-control). Default recovery is 300 seconds. If the issue is still present after auto-recovery, the port will shut and wait another 300 seconds.
ipv6 nd raguard policy RA-ALLOW
device-role router
This defines a raguard policy you can attach to a port. This policy would be attached to a port connected to your IPv6 router, as the 'device-role router' allows RA's on the port.
ipv6 nd raguard policy RA-BLOCK
device-role host (default)
This raguard policy is meant to be attached to a user-facing port, and blocks any RA's received on the port.
ipv6 snooping logging packet drop
When IPv6 DHCP messages are dropped, a syslog message is generated.
ipv6 snooping logging resolution-veto
Additional logging in case the switch 'vetos' an IPv6 neighbor solicitation.
ipv6 dhcp guard policy DHCP-CLIENT
device-role client (default)
This defines a dhcp guard policy that you can attach to a port. With the role 'client' the port will block ingress IPv6 DHCP server reply and advertisement messages.
ipv6 dhcp guard policy DHCP-TRUST
trusted-port
The 'trusted-port' setting in this DHCP guard policy allows IPv6 DHCP server reply and advertisement messages. In the configuration example, we are applying the 'ipv6 dhcp guard policy DHCP-CLIENT' on each indivitual port, so we don't need to apply a trusted-port policy to the uplink interface. If you applied the 'DHCP-CLIENT' policy to the entire VLAN, then you would need to apply the trusted-port policy on an uplink, but unfortunately Cisco does currently support use of trusted-port policies on etherchannel interfaces.
ip dhcp snooping vlan 1-4094
You must specify which VLANs IPv4 DHCP snooping is enabled on, and so I enable it for all VLANs. Makes it easy when you add a new VLAN, you don't have to also modify your DHCP snooping config.
no ip dhcp snooping information option
Disables the switch from adding option 82 into the DHCP request before forwarding to DHCP server, which I've never seen needed (and can potentially break DHCP if you don't disable it).
ip dhcp snooping
Enables IPv4 DHCP snooping on the switch. DHCP snooping uses the concept of 'trust' to only allow DHCP server reply messages from specified ports. This protects you from someone plugging in a DHCP server and handing out IP addresses to your clients.
interface Port-channel1
ip dhcp snooping trust
This is an example of an IPv4 'trusted' DHCP port. I'm using a port-channel interface, but it can be any type of port, typically an interface that is facing your DHCP server.
Final Thoughts
After all that, is there anything still left for user facing ports? Of course, QoS! I won't be going over QoS in this post, but it's an important thing to research and implement correctly, especially if you have VoIP/Video in your environment.
The config above will vary based on your environment, but it's a solid start to configuring and securing your user edge. Please let me know if you have any suggestions or improvements in the comments below!