12-23-2022 03:12 PM
Good day, newbie here again.
I have 5 2960s working normally, but I'm looking to harden their security and improve their overall performance. The network is a simple one, with 3 vlans (guest wifi, corp wifi, and corp network).
One detail that annoys me is that all the switches get their respective IP via DHCP, but from time to time they do get the wrong IP.
I'm using pi-hole as the DHCP server and I see several MAC addresses per switch, and I would like to disable the unused MAC addresses so the switches always get the correct IP.
Should I use the switches as DHCP helpers? Or just let the pi-hole handle it? What's the best way?
12-25-2022 09:04 AM
As I suggested before, it's a bad idea for the switch to get its IP address from DHCP (it does not matter whether it is reserved in DHCP).
If the DHCP goes offline while the switch is looking to get its IP address, you will have a big network issue.
Always make it a simple network to manage; network engineers keep it as simple as it is.
On the other hand, the changed MAC address has no reason we can see here until we know the device model and what IOS code it is running. (That makes it more complicated to dig into the issue of what happened.)
I would clean up the config, set up a static IP and save the config, which ends the whole story, and move on to the other issues you are having in the network.
12-23-2022 03:20 PM
Check the Cisco device hardening guide:
https://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html
One detail that annoys me is that all the switches get their respective IP via DHCP, but from time to time they do get the wrong IP. - I would suggest excluding IP addresses from the pool, for example 192.168.1.X to 192.168.1.20, or reserving the IP address against the device's Ethernet MAC address (but I prefer to configure the switch with a static IP, so you have control over the switch login).
If the IP address is randomly changing on the switch side, you are not sure which device you are making changes on, and which device you are going to log in to to troubleshoot an end device issue.
If you already have pi-hole I would suggest leaving it, since pi-hole has good DNS security features, so your network is protected from bogus DNS queries.
12-23-2022 03:34 PM
"but from time to time they do get the wrong IP" ?? How did that happen? I think there is a misconfig of the wifi WLAN.
12-23-2022 06:14 PM
@balaji.bandi provided a great reference for hardening your switches, but you also asked about improving overall performance.
Well, for switches, basically you want to avoid bottlenecks and minimize switch hops, but as you have not described your topology, I cannot really suggest much of anything else.
For wi-fi, optimizing performance is a book length subject, but without getting into all of the many RF issues, keep in mind that wi-fi is basically a "shared" media, i.e. it puts you back into the old hub days (also except for the very newest and best wi-fi, shared bandwidth is also often back in the hub days too).
Laugh, for the best wi-fi performance, all you need is one AP per user, where the user can obtain the maximum wi-fi "speed" their host can support. (Reason for the "laugh", the latter is often rather expensive, so you generally need to balance cost against performance. You also can juggle who really needs better wi-fi performance than someone else too.)
12-23-2022 09:25 PM
Are you sure the switches are getting the wrong IP, or are clients in the 3 vlans (guest wifi, corp wifi, and corp network) getting the wrong IP? For switch management it's best to set a static IP.
What kind of wireless do you have? You have to have a helper on the switch or controller for clients to get an IP from your DHCP since you have multiple vlans, so I don't understand when you say "Should I use the switches as dhcp helpers? or just leave the pi-hole handle it?" unless you meant the switch as DHCP server.
12-24-2022 11:16 AM
Ok, I do not know if there is something weird on the forum, but TWO times already I have tried to post and both of them got deleted with no notification. Why?
This is a test post.
----
Ok, I'm going to edit this post several times just in case it gets deleted again.
So, as I tried to say before, this project comes from a post I made back in 2021. For reference here is the link with further info: https://community.cisco.com/t5/switching/vlan-under-a-budget-2960s-phisically-and-logically/m-p/4744841
----
Ok, so far it is not being deleted, let's move on.
Here is the current diagram of the network:
And here is the pi-hole with the IPs reserved for the switches.
So, the pi-hole is giving out the IPs just fine on vlan600, the vlan in which the switches have their vlan interface set up, BUT I have seen 2 instances in which two switches changed their MAC addresses, so I had to edit the reservations. I do not know how that happened, but it did happen.
Does the DHCP UID have anything to do with it? Because a normal PC shows just the MAC, but all switches show that long string.
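An added example (not code from the thread or from pi-hole): a small Python audit of pi-hole's dnsmasq lease and reservation files that flags the situation described above, a switch whose lease was issued under a MAC other than the reserved one, and decodes the long DHCP client-id string. The MACs, IPs and lease lines are constructed samples, and the IOS client-id form 'cisco-<mac>-<interface>' is an assumption.

```python
"""Audit pi-hole (dnsmasq) leases against the switch reservations and decode
the long DHCP client-id (option 61) switches present instead of a bare MAC."""
# Reservations in dnsmasq 'dhcp-host=MAC,IP,name' form (constructed sample).
RESERVATIONS = """\
dhcp-host=aa:bb:cc:dd:ee:01,192.168.0.251,sw1
dhcp-host=aa:bb:cc:dd:ee:03,192.168.0.252,sw2
"""
# dnsmasq.leases lines: expiry MAC IP hostname client-id (constructed sample;
# sw2 now leases under a MAC ending :04, so it fell back to a pool address).
LEASES = """\
1672000000 aa:bb:cc:dd:ee:01 192.168.0.251 sw1 00:63:69:73:63:6f:2d:61:61:62:62:2e:63:63:64:64:2e:65:65:30:31:2d:56:6c:36:30:30
1672000000 aa:bb:cc:dd:ee:04 192.168.0.77 sw2 00:63:69:73:63:6f:2d:61:61:62:62:2e:63:63:64:64:2e:65:65:30:34:2d:56:6c:36:30:30
1672000000 11:22:33:44:55:66 192.168.0.50 laptop 01:11:22:33:44:55:66
"""

def parse_reservations(text):
    """Return {hostname: (mac, ip)} from dhcp-host= lines."""
    out = {}
    for line in text.splitlines():
        if line.startswith("dhcp-host="):
            mac, ip, name = line[len("dhcp-host="):].split(",")
            out[name] = (mac.lower(), ip)
    return out

def parse_leases(text):
    """Return (mac, ip, hostname, client_id) tuples."""
    return [(p[1].lower(), p[2], p[3], p[4])
            for p in (ln.split() for ln in text.splitlines()) if len(p) == 5]

def decode_client_id(cid):
    """Type 0x00 client-ids carry an ASCII string (IOS uses the form
    'cisco-<mac>-<interface>', assumed here); other types are left as hex."""
    b = bytes.fromhex(cid.replace(":", ""))
    if b and b[0] == 0 and all(32 <= x < 127 for x in b[1:]):
        return b[1:].decode("ascii")
    return cid

def audit(reservations, leases):
    """Return (hostname, message) findings: a switch leasing under a MAC other
    than the reserved one, or a reserved IP handed to a different MAC."""
    by_ip = {ip: (name, mac) for name, (mac, ip) in reservations.items()}
    findings = []
    for mac, ip, host, cid in leases:
        want = reservations.get(host)
        if want and want[0] != mac:
            findings.append((host, f"leased under {mac} (reserved {want[0]}), "
                             f"got {ip}; client-id {decode_client_id(cid)}"))
        if ip in by_ip and by_ip[ip][1] != mac:
            findings.append((host, f"took {ip} reserved for {by_ip[ip][0]}"))
    return findings
```

Run it against the real /etc/pihole/dhcp.leases and the dhcp-host lines of the pi-hole config to see which switch drifted and under which MAC.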
12-24-2022 01:57 PM
Hello
@Cuda wrote: One detail that annoys me is that all the switches get their respective IP via DHCP, but from time to time they do get the wrong IP.
I'm using pi-hole as the DHCP server and I see several MAC addresses per switch, and I would like to disable the unused MAC addresses so the switches always get the correct IP.
WOW!
Not sure why you would have your network switches on DHCP. Even if you need to do this, it seems there isn't any reservation in the DHCP scope for those switches to receive the same IP allocation? However, I strongly suggest those switches' IP addressing be changed to a manual assignment.
As for the hardening, @balaji.bandi's link is a good reference.
12-25-2022 04:04 AM
@paul driver wrote: Hello
@Cuda wrote: And here is the pi-hole with the IPs reserved for the switches.
WOW!
Not sure why you would have your network switches on DHCP. Even if you need to do this, it seems there isn't any reservation in the DHCP scope for those switches to receive the same IP allocation? However, I strongly suggest those switches' IP addressing be changed to a manual assignment.
But they are there, the IP reservation is set.
Again, I'm no expert, I thought using DHCP was just easier (also to prove to myself that I could tame DHCP), especially when you have a lot of devices; using DHCP would be the way to go (I could be wrong, please do correct me). I also went with DHCP since the network is not bigger than /23 at most.
So, since the main network is just a little bigger, my DHCP scope goes from 192.168.0.10 to 0.250, and beyond that I use it to reserve IPs for important devices, and so far it has worked just fine. I also added ARP protection on the router so only the designated MAC has internet access with its correct IP.
I mean, it's not at expert level, but I do think I tried to do a good job, and so far I believe I have accomplished that.
12-25-2022 04:53 AM
Friend, I think you don't get what I mentioned before.
DHCP for wireless clients needs the special option 82 to make the DHCP server (or DHCP local pool) know that this client is from the WLAN/SSID that will get this range of IPs.
That is the problem here; it is not a problem whether you use a local DHCP or a dedicated server.
12-25-2022 06:45 AM - edited 12-25-2022 06:46 AM
OH oh, sorry. I forgot to add that the vlan interface of the switches is on the same vlan as the pi-hole. The pi-hole serves DHCP for the main network only, meanwhile the mikrotik serves DHCP for the wireless networks, which are separated by their respective vlans.
As for the wifi, it is on a different subnet/vlan and there is no vlan interface enabled there.
The IP changes I mention are, for example:
Switch one had MAC address xx:xx:xx:01 and suddenly one day I noticed that it is no longer with that MAC address but now shows xx:xx:xx:02. By now it happened a long time ago, like two months ago, and it happened to two switches, but the rest were fine and have been working fine.
After redoing the IP reservation it has not happened again. But I wonder if the switches are capable of changing their vlan interface MAC like that.
12-25-2022 10:04 AM
I would like to quote something for anyone looking for the answer on "why is it like that":
PalamarTM:
I have worked in installations where both regimes were used. My personal preference is DHCP for all client devices and static IP for all resource devices.
Client devices (think user end points) include:
Resource devices (think underlying infrastructure) include:
This in my opinion ensures that users can actively gain an IP address in any location, especially where laptop users roam around, to do what they need to do.
Obviously you have to design and manage your scopes well to ensure that you do not run out of IP addresses. But again this all comes down to designing your network correctly to ensure that static devices have their own IP range, and the client end points have their own IP range appropriate to the size of the organisation and its projected growth.
12-25-2022 10:18 AM
For a static IP to manage the SW, sure, yes,
but what I am investigating is
""Switch one had mac address xx:xx:xx:01 and suddenly one day I notice that is no longer with that mac address but now shows xx:xx:xx:02.""
Now I am not near my PC so I could not be sure about my idea,
but I will update you about why the MAC changes from time to time.
Update soon today.