New 3810M and 2530 Deployment questions

slciec · ‎11-08-2017

I am new to HPE switching but have worked with Cisco switching for the past 15 years. I have setup my configuration and everything seems to be working in the test environment.
I wondered if someone with more HPE switching experience than me could look over the configuration and let me know if the configs look ok? Also should i configure jumbo frames on all the switch to switch DAC connections or is 10GB connection sufficent?

Here is the inventory of what i am configuring.
Core Switch - Aruba 3810M 16SFP 2 Slot with 1 expansion SFP Installed.
Access Switches - 10 Aruba 2530-48G 2SFP.
All 2530 will connect to the 3810 with a 10GB DAC cable.
Most all ports on the 2530's will be on VLAN10.

3810M - Core Config
hostname "core1"
module 1 type jl075x
module 2 type jl075y
module 3 type jl075z
flexible-module A type JL083A
telnet-server listen data
web-management listen data
ip ssh listen data
ip route 0.0.0.0 0.0.0.0 10.2.2.2
ip route 10.200.1.0 255.255.255.0 172.1.2.2
ip route 10.201.1.0 255.255.255.0 172.1.2.2
ip route 10.202.1.0 255.255.255.0 172.1.2.2
ip routing
snmp-server community "public" unrestricted
snmp-server listen data
oobm
disable
no ip address
exit
vlan 1
name "DEFAULT_VLAN"
no untagged 1-16,A1-A2
untagged A3-A4
no ip address
exit
vlan 2
name "mgmt"
tagged 1-16
ip address 10.1.1.250 255.255.255.0
exit
vlan 7
name "wifi"
ip address 10.7.1.1 255.255.255.0
ip helper-address 10.1.1.100
exit
vlan 10
name "access"
tagged 1-16
ip address 10.20.1.1 255.255.254.0
ip helper-address 10.1.1.100
exit
vlan 30
name "main"
tagged 1-16
ip address 10.30.1.1 255.255.255.0
ip helper-address 10.1.1.100
exit
vlan 40
name "staff"
tagged 1-16
ip address 10.40.1.1 255.255.255.0
ip helper-address 10.1.1.100
exit
vlan 172
name "wan"
untagged A2
ip address 172.1.1.1 255.255.255.252
exit
vlan 254
name "secure"
untagged A1
ip address 10.2.2.2 255.255.255.252
exit
primary-vlan 2
no tftp server
tftp server listen data
no autorun
no dhcp config-file-update
no dhcp image-file-update
password manager
password operator

2530 Access Switch 1 thru 10 Config.
hostname "accessXX"
ip default-gateway 10.1.1.250
vlan 1
name "DEFAULT_VLAN"
no untagged 1-48,50
untagged 49
no ip address
exit
vlan 2
name "mgmt"
tagged 50
ip address 10.1.1.221 255.255.255.0
exit
vlan 10
name "access"
untagged 1-48
tagged 50
no ip address
exit
primary-vlan 2

TerjeAFK · ‎11-09-2017

Here are a few things I would consider:

* disable telnet/tftp and use SSH/SCP instead
* switch to SSL for webmanagement of the switches
* set the public SNMP community as read-only and use a separate community for read-write access
* enable Spanning Tree and maybe use loop-protection on interfaces where users can connect
* use NTP for time sync
* logging to a Syslog server if you don't use a separate management system with builtin logging
* broadcast limit on all interfaces
* DHCP snooping on the switches where end users will connect

I wouldn't worry about jumbo frames unless you know that the links will be highly utilized.

slciec · ‎11-09-2017

Thanks for the great info.

I am on the fence about enabling spanning tree. With my configuration is it something you would be concered with?

TerjeAFK · ‎11-09-2017

I regularly get log entries on my switches about Spanning Tree blocking ports, so I would seriously think about it.