Great suggestions from everyone. Regarding VTP, if your orgainization uses it, then make sure your devices meet the standard. If you organization does not use it, then either disable VTP, or set the VTP mode to transparent. That should end the great debate about VTP - at least for this thread.
Regarding the drawing, are you going to daisy-chain or home-run the fiber back to the core switches? I strongly advise against the daisy-chain.
All host/edge/access ports should have this in their configuation (there may be minor variations based on your IOS):
switchport mode access
switchport access vlan [vlan]
spanning-tree bpduguard enable
spanning-tree guard root
If a port is not used, shut it down and turn off PoE if it's a PoE switch:
power inline never
Last, but not least, ask for help building an underground network. There may be building codes, rules, regulations, and you may need permits. My guess is someone else is handling that. You will have to decide singlemode or multimode for your fiber. Check out places like lanshack.com so you can make decisions about distances and speeds. This link has a good chart: http://www.lanshack.com/Fiber-Type-vs-Speed-and-Distance.aspx
Those industrial switches, the power, and the network cabling need protection. Companies such as Pentair and L-Com show NEMA enclosures that protect the switch and the cables from critters and water. Your cable installer should know the right ones to use. Here’s an example:
Sounds like a great project. I hope you haven’t abandoned this thread & I’d like to hear how it turns out.
Best of luck.
... View more
We played with some of the errdisable settings which will be removed when this switch and others move to production. Most remote sites won't need fiber, so we're also getting rid of all udld commands. I have bpduguard enabled on pretty much all my production switch access ports.
... View more
I also revisited the Cisco Catalyst 2960-X Series Switches Data Sheet (http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-2960-x-series-switches/data_sheet_c78-728232.html) and the CPU is a APM86392 600MHz dual core. So, I googled that and got the data sheet on the CPU: http://c1170156.r56.cf3.rackcdn.com/UK_AMC_APM86392-SGA600T_DS.pdf. According to the CPU datasheet, it could be faster.
To answer your question on that switch, all interfaces are shutdown and all copper interfaces are configured "power inline never."
I have another switch running the same code part & it's in a pod I'm configuring for a remote site. So, that one has dot1x, QoS, but again, no PoE and all SFP ports are disabled. Here's the interesting parts of the configuration:
no ip domain-lookup ip domain-name [mycompany].com vtp mode transparent
mls qos map cos-dscp 0 8 16 24 32 46 48 56 mls qos
spanning-tree mode rapid-pvst spanning-tree loopguard default spanning-tree portfast bpduguard default spanning-tree extend system-id auto qos srnd4 errdisable recovery cause udld errdisable recovery cause bpduguard errdisable recovery interval 60
no cdp run
interface Port-channel1 description Uplink_SW1 switchport trunk allowed vlan [3 VLANs] switchport mode trunk switchport nonegotiate
#Uplink switchport configuration:
interface GigabitEthernet1/0/1 description Uplink_SW1_Gi1/0/46 switchport trunk allowed vlan [3 VLANs] switchport mode trunk switchport nonegotiate power inline never channel-group 1 mode active
#Access switchport configuration:
interface GigabitEthernet1/0/2 switchport access vlan [workstation VLAN] switchport mode access switchport nonegotiate switchport port-security maximum 2 switchport port-security violation restrict switchport port-security aging time 5 switchport port-security aging type inactivity switchport port-security power inline never speed auto 100 storm-control broadcast level 10.00 storm-control multicast level 10.00
And here's the CPU utilization (didn't make much of a difference):
SW3#sho proc cpu sort 5min CPU utilization for five seconds: 29%/0%; one minute: 29%; five minutes: 29% PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process 160 11096203 1587145 6991 15.00% 14.98% 14.99% 0 Hulc LED Process 166 2697 576 4682 0.00% 0.00% 0.12% 0 Exec 171 90008 12697 7088 0.11% 0.11% 0.11% 0 HQM Stack Proces 6 101067 10982 9202 0.00% 0.09% 0.10% 0 Check heaps 172 37016 25386 1458 0.05% 0.04% 0.05% 0 HRPC qos request 389 1479 66 22409 0.00% 0.00% 0.01% 0 hulc running con
However, this pod of equipment (2 x 1921 routers & 3 2960X switches) are not under load. I will be monitoring this equipment after it's deployed and plan to post the results.
... View more
Running the latest & greatest with realistic expectations. This IOS release date is 17-FEB-2016 and the CPU utilization is still pretty high. This switch has nothing connected except for console and power. All interfaces are shutdown and all copper interfaces are configured "power inline never."
Before I made changes, the switch was showing 37% CPU utilization, mostly from the Hulc LED Process. This switch has no stack modules and is running the LAN base image.
Switch#show version Cisco IOS Software, C2960X Software (C2960X-UNIVERSALK9-M), Version 15.2(2)E4, RELEASE SOFTWARE (fc2) ~output omitted~ ROM: Bootstrap program is C2960X boot loader BOOTLDR: C2960X Boot Loader (C2960X-HBOOT-M) Version 15.2(3r)E1, RELEASE SOFTWARE (fc1) Switch uptime is 45 minutes System returned to ROM by power-on System restarted at 12:36:58 UTC Tue Jun 21 2016 System image file is "flash:/c2960x-universalk9-mz.152-2.E4/c2960x-universalk9-mz.152-2.E4.bin" Last reload reason: Reload command ~output omitted~ cisco WS-C2960X-48LPS-L (APM86XXX) processor (revision K0) with 524288K bytes of memory. ~output omitted~ Last reset from power-on 1 Virtual Ethernet interface 1 FastEthernet interface 52 Gigabit Ethernet interfaces The password-recovery mechanism is enabled. 512K bytes of flash-simulated non-volatile configuration memory. ~output omitted~ Motherboard assembly number : 73-16692-04 Power supply part number : 341-0528-01 ~output omitted~ Model revision number : K0 Motherboard revision number : A0 Model number : WS-C2960X-48LPS-L Daughterboard assembly number : 73-14200-03 ~output omitted~ Top Assembly Part Number : 68-100470-01 Top Assembly Revision Number : A0 Version ID : V03 CLEI Code Number : CMMLP00ARC Daughterboard revision number : A0 Hardware Board Revision Number : 0x18 Switch Ports Model SW Version SW Image ------ ----- ----- ---------- ---------- * 1 52 WS-C2960X-48LPS-L 15.2(2)E4 C2960X-UNIVERSALK9-M Configuration register is 0xF Switch#show processes cpu sorted 5min CPU utilization for five seconds: 29%/0%; one minute: 29%; five minutes: 30% PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process 160 604129 67145 8997 15.06% 14.99% 15.14% 0 Hulc LED Process 171 8252 552 14949 0.23% 0.25% 0.23% 0 HQM Stack Proces 6 4247 462 9192 0.00% 0.10% 0.11% 0 Check heaps 140 3414 1132 3015 0.00% 0.00% 0.04% 0 Exec 386 2145 106 20235 0.00% 0.00% 0.01% 0 hulc running con 21 24 545 44 0.05% 0.00% 0.00% 0 IPC Event Notifi 117 51 2685 18 0.00% 0.00% 0.00% 0 Hulc ILP Alchemy 172 1274 1088 1170 0.00% 0.00% 0.00% 0 HRPC qos request 8 0 1 0 0.00% 0.00% 0.00% 0 DiscardQ Backgro 7 0 1 0 0.00% 0.00% 0.00% 0 Pool Manager 10 7 280 25 0.00% 0.00% 0.00% 0 WATCH_AFS
... View more
I saw a similar post regarding upgrades from a pair of older 5500 series to a pair of 5525X and think I've avoided most of the "gotchas" for deployment. I don't think we'll ever need to use the MGMT interfaces unless we install FireSIGHT / FirePOWER on a separate server. We considered doing a cluster, but we're going back to the primary / failover scenario for the implementation since that's how the current system is configured.
Please let me know if you see any issues with this:
ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
ASA Version 9.4(2)11 (most stable per Cisco)
Device Manager Version 7.2(2)1
Licensed features for this platform: Maximum Physical Interfaces : Unlimited perpetual Maximum VLANs : 200 perpetual Inside Hosts : Unlimited perpetual Failover : Active/Active perpetual Encryption-DES : Enabled perpetual Encryption-3DES-AES : Enabled perpetual Security Contexts : 2 perpetual GTP/GPRS : Disabled perpetual AnyConnect Premium Peers : 2 perpetual AnyConnect Essentials : Disabled perpetual Other VPN Peers : 750 perpetual Total VPN Peers : 750 perpetual Shared License : Disabled perpetual AnyConnect for Mobile : Disabled perpetual AnyConnect for Cisco VPN Phone : Disabled perpetual Advanced Endpoint Assessment : Disabled perpetual Total UC Proxy Sessions : 2 perpetual Botnet Traffic Filter : Disabled perpetual IPS Module : Disabled perpetual Cluster : Enabled perpetual Cluster Members : 2 perpetual
This platform has an ASA5525 VPN Premium license.
We have a valid "Running Permanent Activation Key"
... View more
Thanks, p.dath. Exactly the kind of feedback I'm looking for. I should have noted that I'm using 1921 routers and 2960X switches. I also should have noted that PoE wasn't required, so that's why it's globally disabled. CDP is also globally disabled since there are no Cisco IP phones or APs - I may enable CDP on my uplinks.
The 2960X-24PS-L & 2960X-48LPS-L can power up to 12 ports up to 30W each or 24 ports up to 15.4W each. So, the 48-port switch doesn't allow PoE on all ports. The only problem with the chart in the data sheet is that it doesn't address the 802.3af Class 0 through 4 requirements for devices that draw less than 15.4W. However, that would be easy to figure out.
I could easily move cs5 to the SIGNAL queue since that will also keep the VOICE queue pure.
... View more
So, is the ACL on the router that works? If yes, then add that ACL to the non-working router.
If the ACL is on the router that doesn't work, then:
no access-list 23
In either case, test it before you save.
... View more
Anyone keen on QoS care to give a critique to what I've come up with here?
class-map match-any DATA match dscp af43 match dscp af31 af32 af33 match dscp af21 af22 af23 match dscp af11 af12 af13 class-map match-any SIGNAL match dscp cs3 match dscp cs2 match dscp cs6 match dscp cs7 class-map match-any VIDEO match dscp cs4 match dscp af41 af42 class-map match-any VOICE match dscp ef match dscp cs5 class-map match-all SCAVENGER match dscp cs1
policy-map ASE class VOICE priority percent 22 class VIDEO bandwidth percent 5 class SIGNAL bandwidth percent 5 class DATA bandwidth percent 42 fair-queue random-detect dscp-based class SCAVENGER bandwidth percent 1 random-detect dscp-based fair-queue class class-default set dscp default bandwidth percent 25 fair-queue random-detect dscp-based
CDP is globally disabled, the IP phones and digital PBX are in their own VLAN.
auto qos srnd4
The default gateway is on the data VLAN.
Here's a switchport for an IP phone or PBX:
interface GigabitEthernet1/0/21 switchport access vlan 7 switchport mode access switchport nonegotiate power inline never (optionally this could be enabled for an IP phone) speed auto srr-queue bandwidth share 1 30 35 5 priority-queue out authentication port-control auto mls qos trust cos auto qos trust spanning-tree portfast spanning-tree bpduguard enable spanning-tree guard root
Here's a switchport for a device, such as a workstation:
interface GigabitEthernet1/0/20 switchport access vlan 17 switchport mode access switchport nonegotiate power inline never speed auto 100 spanning-tree portfast spanning-tree bpduguard enable spanning-tree guard root
Here's the trunk (up to the router or to another switch):
interface GigabitEthernet1/0/1 description Uplink_RTRA switchport trunk allowed vlan 7,17,21 switchport mode trunk switchport nonegotiate power inline never spanning-tree portfast trunk
... View more
This post addresses the dual ISP & routing: https://supportforums.cisco.com/document/13576/how-configure-gre-tunnel This post addresses the load balancing: https://supportforums.cisco.com/discussion/11354131/load-balancing-internet-and-site-site-vpns-across-multiple-isp If neither post has the solution you're looking for, post a diagram & configuration. I'm still trying to wrap my head around this: "The routers are connected on the LAN side using G0/1 for HSRP via inbuilt ether switches." HTH
... View more
Dynamic Host Configuration Protocol (DHCP) can be configured either on a server or on the router. In many cases, the main site DHCP server may already have the correct scope and configuration for option 176 or 242 as needed. Since remote sites may not warrant the added expense of a server, the DHCP option commands can be configured on that remote site's router. DHCP options are vendor-specific. There is no single document I've found that addresses all the issues I'm going to cover here, so comments are more than welcome. I noticed this is an 8-year old thread. Keep in mind that VLAN separation is a fundamental best practice on the LAN that also defines the relationship between the switch and local router. Do not enable IP routing on your switches even if they have that capability. Keep in mind that minimizing data loss, jitter and delay are critical for voice applications. Avoid technologies that are historically unfriendly to voice, such as VPN, or GLBP. The network and phone systems should be properly configured with time synchronization, such as Cisco's Network Time Protocol (NTP). Also, make sure you're on the same page with the phone engineers regarding timezones. Here's an example if you're in the US Midwest: clock timezone CST -6 clock summer-time CDT recurring Avaya 4600 Series phones use Option 176 as the default DHCP Site Specific Option Number (SSON) with TFTP or HTTP. The 1600 and 9600 Series phones use Option 242 with HTTP or TLS. Both IP telephones use these servers as file servers, to download firmware and access scripts or settings files. Avaya uses a 46xxsettings.txt file that contains everything. The generic 46xxsettings.txt file is available for download from Avaya. That file resides on an Avaya server and your routers need to point to that server. Avaya engineers know how to tweak this file if necessary. Router configuration example (first, reserve the IPs you don't want assigned via DHCP): ip dhcp excluded-address 172.31.70.1 172.31.70.4 ip dhcp excluded-address 172.31.70.251 172.31.70.255 DHCP configuration with DHCP option 242: ip dhcp pool VoIP network 172.31.70.0 255.255.255.0 default-router 172.31.70.254 domain-name yourcompany.com option 242 ascii MCIPADD=[up to eight Avaya Call server IPs],MCPORT=1719,HTTPSRVR=[IP of Avaya HTTP server],HTTPDIR=[directory where the 46xxsettings.txt file resides] If you have a supplicant set up (wall jack -> IP phone -> PC), include the L2QVLAN because the phone will boot in the data VLAN; tell the IP phone to hop over to the VoIP VLAN: option 242 ascii MCIPADD=[up to eight Avaya Call server IPs],MCPORT=1719,HTTPSRVR=[IP of Avaya HTTP server],HTTPDIR=[directory where the 46xxsettings.txt file resides],L2QVLAN=70 If you also have older Avaya phones, include the DHCP option 176: option 176 ascii MCIPADD=[up to eight Avaya Call server IPs],MCPORT=1719,TFTPSRVR=[IP of Avaya TFTP server],TFTPDIR=[directory where the 46xxsettings.txt file resides],L2QVLAN=70 So, why up to eight Avaya Call servers in the MCIPADD option? Generally, you have a main site, so the first IP address will be the same for all your remote sites. That first address is your main, central, call server. If you have backup Avaya servers at a remote site, list the remaining IP address(es) - separated by a comma. Note: if you do not manually configure the L2QVLAN setting, it may revert to your default VLAN. That may be undesirable. Subinterface (to keep things simple, use the same number in your IP, subinterface, and VLAN): interface GigabitEthernet0/2.70 encapsulation dot1Q 70 ip address 172.31.70.254 255.255.255.0 no shutdown Switch configuration: disable cdp globally (cdp is not friendly to many non-Cisco IP phones) enable lldp for switchports connected to Avaya devices for 802.1x enable qos Configure separate VLANs for voice and data separation: Vlan 3 name DATA interface Vlan3 description DATA ip address 192.168.3.1 255.255.255.0 no shutdown Vlan 70 name VOICE interface Vlan70 description VOICE ip address 172.31.70.2 255.255.255.0 shutdown Switchport configuration (VoIP VLAN only): standalone IP phone: interface GigabitEthernet0/1 switchport mode access switchport access vlan 70 switchport nonegotiate mls qos trust dscp priority-queue out Trunk or uplink interface GigabitEthernet0/52 description [uplink - router or another switch] switchport trunk allowed vlan 3,70 switchport mode trunk switchport nonegotiate mls qos trust dscp priority-queue out IP phone supplicant configuration (VoIP & data vlans): interface GigabitEthernet0/1 switchport mode access switchport access vlan 3 switchport voice vlan 70 mls qos trust dscp priority-queue out Helpful Avaya documents (yes, they're old, but provide thorough explanations): http://downloads.avaya.com/css/P8/documents/100057468 https://downloads.avaya.com/css/P8/documents/100145934 https://downloads.avaya.com/elmodocs2/security/802_1x-LLDP.pdf
... View more
There are a couple of things missing that may help. First, where are the phone servers, all at the main site, or distributed? How many IP phones are at each site? With that information, you have a shot at determining the concurrent call count. This article provides excellent explanations of the different codecs and includes a link to Cisco's Voice Codec Bandwidth Calculator: http://www.cisco.com/c/en/us/support/docs/voice/voice-quality/7934-bwidth-consume.html#topic1 Also, check with your service provider and see if they require a command, such as "traffic-shape rate 10000000" on the main interface to complement the "bandwidth 10000" statement. Be careful, the bandwidth statement is in kbps and the traffic-shape rate command is in bps. Last, do you need to support anything else in the LLQs? If yes, again be careful, since Cisco's best practice is to allocate no more than 33% for the priority queues: http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND/QoS-SRND-Book/WANQoS.html Please update us and let us know if it's working.
... View more
I'm having a similar issue. Just got an RMA replacement and upgraded to the latest & greatest c3750-ipbasek9-mz.122-55.SE1. The switch works great via CLI. The only issue is that we provide RO access to the server admins via browser. I keep getting a "401 Unauthorized" message in the browser. Here is the config with some output suppressed: Now uploading the c3750-ipbasek9-tar.122-55.SE1.tar
... View more