03-19-2013 07:44 PM - edited 03-07-2019 12:21 PM
Hello All
I'm implementing my first Cisco network and needed a little guidance. Here's the scenario and how I would like for it to function:
- I have to run DHCP on core switch, only on network 172.16.0.0/16 default Vlan 1 so my IP cameras can obtain an IP.
ip dhcp pool cameras
network 172.16.0.0 255.255.0.0
default-router 172.16.0.1
- On the PoE IP camera and POS station ports I'm thinking of configuring the following:
switchport mode access
spanning-tree portfast
Let me know what you guys think. I have a few weeks before these have to go to production. Any help and direction will be greatly appreciated!
I will be checking thread periodically and posting updates.
03-23-2013 07:07 PM
Was it the 4500 that had the limitation?
I know the stacking technology but I don't think there should have been anything stopping you from creating another etherchannel.
No it was the 2960 that had limitations but I'll try it again. 7th stack meaning I configured channel-group 1 through 6 on stacked switches 1 through 6 but when I got to stack switches number 7 channel-group 7 would not take. The physical connections aren't plugged in yet. I'm just configuring before they go to production. Probably two more weeks before I plug in fiber uplinks and test connections.
crypto key generate rsa
Then it will ask you what length/bit you want the key to be. I normally go for 1024 bit key but as long as you have one it will be encrypted.
Once it asks me for the key, can it be just letters, and what do you mean by 1024 bit key?
THANKS!
03-23-2013 10:55 PM
Okay, so the concept of stacking needs to be understood.
2960's may not have enough capacity for more than 6 etherchannels.
I assumed you would have 8 individual stacks, not 8 stack members, which sounds like what you are trying to do.
When you have 8 stack members as 1 logical switch then there should not be a need to create more than one etherchannel to the 4500. You only need 1.
So instead of creating 8 etherchannels you create 1 etherchannel, and make up to 8 ports part of that one etherchannel. This in my view might be an overkill at the access layer, you normally see port-channels of this 8Gb bandwidth in datacenters.
(I'm not too sure if the 2960 has a limit on the physical interfaces per etherchannel)
Therefore you will have one logical 8Gb link between the 4500 and the 2960.
E.g.
2960
interface gi0/1
channel-group 1 mode active
!
interface gi1/1
channel-group 1 mode active
!
interface gi2/1
channel-group 1 mode active
!
interface gi3/1
channel-group 1 mode active
!
interface gi4/1
channel-group 1 mode active
!
interface gi5/1
channel-group 1 mode active
!
interface gi6/1
channel-group 1 mode active
!
interface gi7/1
channel-group 1 mode active
!
Interface po 1
Description ## Etherchannel to 4500 ## Po1 ##
Switchport trunk encapsulation dot1q
Switchport mode trunk
Switchport trunk allowed vlan 1-4
With regard to crypto key generating, you can't type out letters as the 1024 is the length of the keypair - measured in bits! In short, the higher it is the tougher it is to crack (the algorithm that is used to encrypt your connection is better as a result)
http://en.m.wikipedia.org/wiki/Key_size
I recommend 1024 as this will allow you to enable ssh v2 and disable v1.
Hope this helps
Sent from Cisco Technical Support iPhone App
03-24-2013 06:36 AM
No, it's 8 individual stacks. Each stack has two switches and 16 switches total, sorry for the miscommunication. When I went to the 7th stacked pair I came across the problem where it wouldn't take. It's okay, I'll try again, I'm sure I did something wrong. Do the stack switches have to be connected to core in order to configure etherchannel?
Note from:
The network device to which your switch is connected can impose its own limits on the number of interfaces in the EtherChannel. For Catalyst 2950 switches, the number of EtherChannels is limited to six with eight ports per EtherChannel.
For channel-group-number, the range is 1 to 6. Each EtherChannel can have up to eight compatibly configured Ethernet interfaces.
I found this on Cisco site saying limit is six, this is my problem. I need to figure out another way to manage two uplinks per stack switches that won't cause loops.
I need two uplinks per stack pair of switches if I can't use etherchannel then what do you think of enabling udld on uplink interfaces? I don't need both uplinks working simultaneously I prefer to have one link down and on standby in case the active uplink dies. Let me know thanks.
About crypto key so after I type:
crypto key generate rsa
Then I get the request for length/bit and I type 1024 to enable ssh v2, got it!
Thank you much for all your time.
03-24-2013 02:26 PM
Oh I see!
So with each stack use the 'port-channel 1' for each of them.
e.g.
If we have one stack, it will have only one etherchannel, therefore should only be port-channel 1 (the first of the 6). This could link to the 4500 on Portchannel 1
When we have the second stack, it will too have one etherchannel, which is port-channel 1 (the first of the 6).
This could link to the 4500 on Portchannel 2
and so on.... The port-channel number is locally significant only so you won't run into loops if it's configured the suggested way etc..
This way you can keep things simple and you will have ease of management this way.
No you do not need to connect physicals to configure
Hope this makes sense.
Please rate helpful posts, & mark any questions as answered thank you.
03-24-2013 04:07 PM
Oh so it would look like this?
I'm still a little confused so interface Port-channel 1 is what maxes out at 6? I thought it was channel-group?
Sorry Bilal, this is the last config I need help with please clarify no rush.
03-25-2013 09:44 AM
ruckessbx1 wrote:
This will trunk all local vlans on the switch, so you have to create the vlans if you are not using VTP. Be careful though, before connecting any switch device to your network, ensure that the switch is not the VTP server, should be transparent in most cases.
I'm using two 1GB uplinks from each 2960S Stack, one from each switch. How do I make sure one of the 2960S switches isn't the VTP server?
Just to reiterate Bill's comment to be careful with VTP when adding additional switches. Best to configure VTPv3 which offers protection from an unwanted overwrite of the VLAN database. It also supports the entire range of IEEE VLANs.
03-24-2013 11:29 PM
Sorry if I had miscommunicated this incorrectly to you.
On the 2960 stacks (all of them) use channel-group 1 mode active - this number is locally significant only, just within the 2960s themselves, they don't know about other switches that have portchannels with same numbers or not.
First stack both uplink interfaces - channel-group 1 mode active
2nd stack both uplink interfaces -
channel-group 1 mode active
3rd stack both uplink interfaces -
channel-group 1 mode active
4th stack both uplink interfaces -
channel-group 1 mode active
5th stack both uplink interfaces -
channel-group 1 mode active
6th stack both uplink interfaces -
channel-group 1 mode active
7th stack both uplink interfaces -
channel-group 1 mode active
8th stack both uplink interfaces -
channel-group 1 mode active
On the 4500 it will be different
For example:
Both uplinks for 1st stack you will do:
Channel-group 1 mode active
For the 2nd stack, you will do:
Channel-group 2 mode active
For 3rd stack, you will do:
Channel-group 3 mode active
And so on...
As long as they are different on the 4500 it's fine. Because the uplinks will be going to different stacks therefore requiring separate port-channels/etherchannels.
Yes, the 2960's have a limitation of 6 etherchannels.
If you are only creating one ether channel on a stack, just use channel-group 1 mode active.
Channel-group is the command that says 'This interface will be part of a logical link called port-channel'
So it's the same thing really.
When you do the channel-group 1 command or any number up to 6 to make a port part of that group you will notice it creates interface portchannel 1 or whichever number you chose. So it's only the switch itself that needs it not others, so it's okay to use number 1 across all of your 2960's
I hope this explains it better.
Kind regards
Bilal
03-25-2013 09:03 AM
On the 4500 it will be different
For example:
Both uplinks for 1st stack you will do:
Channel-group 1 mode active
For the 2nd stack, you will do:
Channel-group 2 mode active
For 3rd stack, you will do:
Channel-group 3 mode active
And so on...
Will it go up to channel-group 7 and 8 on 4506?
Interface po 1
Description ## Etherchannel to 4500 ## Po1 ##
Switchport trunk encapsulation dot1q
Switchport mode trunk
Switchport trunk allowed vlan 1-4
Also how does it affect this config on both 2960 and 4506?
Thank you Bilal...
03-25-2013 09:13 AM
Your first question... yes, I have 16 on the 4500 at the moment, I think the limit is 64... will need to verify this.
The configs on your 2960's you use channel-group 1 mode active for all of them.
On your 4500 the channel-group command will increment for every stack as I explained previously.
Also don't forget your management IP's on your 2960's which will probably be the only thing different on your 2960's.
No problem, happy to help
03-25-2013 09:40 AM
Interface po 1
Description ## Etherchannel to 4500 ## Po1 ##
Switchport trunk encapsulation dot1q
Switchport mode trunk
Switchport trunk allowed vlan 1-4
This is the config I'm still confused about. I got the channel-group down now thanks to you.
In the first line it says Interface po 1, shouldn't it be something like Interface gi1/2?
What does the "po" stand for?
Do I use these commands for every port I use as a trunk uplink on 2600 and 4500?
03-25-2013 10:37 AM
Po stands for Port-Channel
Coming to the config you are confused about, let's say we have 4500 and the 2960 switch on level 1
on the 4500 we could configure our port-channels and channel-groups like this:
Firstly, whichever physical interfaces you have chosen for your uplinks, then the portchannel to the switch on level 1
Interface gi2/1
channel-group 1 mode active
!
interface gi2/2
channel-group 1 mode active
!
interface po1
description ## Etherchannel to 2960 1st Floor ## Connects to Po1 ##
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 1-4
Now we will configure the etherchannel for the 2nd switch on level 2
Interface gi2/3
channel-group 2 mode active
!
interface gi2/4
channel-group 2 mode active
!
interface po2
description ## Etherchannel to 2960 2nd Floor ## Connects to Po1 ##
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 1-4
Next, configure the etherchannel for the 3rd switch on level 3
Interface gi2/5
channel-group 3 mode active
!
interface gi2/6
channel-group 3 mode active
!
interface po3
description ## Etherchannel to 2960 3rd Floor ## Connects to Po1 ##
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 1-4
and so on and so forth.... All on the 4500.
All 2960's can be consistent i.e. all of them can have this configuration (apart from the description - which you can change):
2960 on level 1:
Interface gi1/0/1
channel-group 1 mode active
!
interface gi2/0/1
channel-group 1 mode active
!
interface po1
description ## Etherchannel to 4506 ## Connects to Po1 ##
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 1-4
2960 on level 2:
Interface gi1/0/1
channel-group 1 mode active
!
interface gi2/0/1
channel-group 1 mode active
!
interface po1
description ## Etherchannel to 4506 ## Connects to Po2 ##
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 1-4
2960 on level 3:
Interface gi1/0/1
channel-group 1 mode active
!
interface gi2/0/1
channel-group 1 mode active
!
interface po1
description ## Etherchannel to 4506 ## Connects to Po3 ##
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 1-4
etc.....
As I said before, every time you do the channel-group 1 mode active command, it will create the interface portchannel 1.
This is the same for any other number.
I hope this makes sense now?
03-25-2013 02:08 PM
03-26-2013 02:23 AM
Hey, that looks fine!
Wanted to add that I had the management interface as the first IP on the 4506 (you may want to change this to 10.0.0.254)
Just remember the ip route '0.0.0.0 0.0.0.0 10.0.0.1' or .254 depending on what you choose for your 4506 management SVI. Applies to all 2960's and the management vlan on the 2960's will be different:
i.e.
4506 10.0.0.1 or 10.0.0.254
2960 1st floor - 10.0.0.2
2960 2nd floor - 10.0.0.3
2960 3rd floor - 10.0.0.4
etc...
Another thing I wanted to mention was your access ports didn't have the spanning-tree portfast command which I forgot to add. Also if you want to configure several interfaces in one go you can do this:
conf t
interface range gi1/0/1 - 24
description CAMERAS_RECORD
switchport
switchport mode access
switchport access vlan 1
spanning-tree portfast
This will configure the entire range from gi1/0/1 to 1/0/24.
Username and password can remain the same if you wish and also the local login configurations can be the same for all your devices, i.e.
line console 0
login local
!
line vty 0 4
transport input ssh
login local
For me, personally it is easier to draw this up on a diagram and then view, will give me a better understanding.
Just as an example:
Hope this helps.
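Added example, not part of the original thread: a small Python check over pasted config text for the points discussed above, namely the 2960 channel-group range of 1 to 6 from the quoted Cisco note, a VLAN allow-list on each port-channel trunk, and vty lines limited to SSH with local login. The function names, the `max_group` parameter and the sample config are assumptions made for illustration.

```python
import re

MAX_GROUP = 6  # channel-group-number range on the 2960 quoted in the thread: 1 to 6

def parse_stanzas(config):
    """Group sub-commands under their 'interface ...' or 'line ...' header.
    'Interface po 1' and 'interface po1' are normalised to the same key."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = " ".join(raw.split()).lower()
        kind, _, rest = line.partition(" ")
        if line in ("", "!"):
            current = None
        elif kind in ("interface", "line"):
            current = line if kind == "line" else "interface " + rest.replace(" ", "")
            stanzas[current] = []
        elif current:
            stanzas[current].append(line)
    return stanzas

def audit(config, max_group=MAX_GROUP):
    """Return findings on channel-group numbering, trunk scope and vty access."""
    stanzas, findings, groups = parse_stanzas(config), [], set()
    for name, cmds in stanzas.items():
        text = "\n".join(cmds)
        groups.update(int(g) for g in re.findall(r"^channel-group (\d+) mode \S+$", text, re.M))
        if name.startswith("line vty") and "transport input ssh" not in cmds:
            findings.append(f"{name}: transport not restricted to ssh")
        if name.startswith("line ") and "login local" not in cmds:
            findings.append(f"{name}: login local missing")
    for group in sorted(groups):
        if not 1 <= group <= max_group:
            findings.append(f"channel-group {group}: outside 1-{max_group}")
        po = stanzas.get(f"interface po{group}") or stanzas.get(f"interface port-channel{group}") or []
        if not any(c.startswith("switchport trunk allowed vlan") for c in po):
            findings.append(f"po{group}: no allowed-vlan list on the trunk")
    return findings

# Constructed sample, not from the thread: a 2960 stack using group 7 and an open vty.
SAMPLE_2960 = """interface gi1/0/1
channel-group 7 mode active
interface gi2/0/1
channel-group 7 mode active
interface po7
switchport mode trunk
line vty 0 4
transport input all
login local"""
```

Pass a different `max_group` when checking a platform whose limit differs from the 2960's.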
03-26-2013 06:35 PM
Understood Bilal, thanks.
What program did you use to make diagram?
03-27-2013 06:00 AM
I used Microsoft Visio, with Cisco's stencils found here:
http://www.cisco.com/en/US/products/hw/prod_cat_visios.html