Addressing point-by-point.   > 1. On my topology (attached) is their an STP issue? There is no redundant > path, everything is just one direct line as it is.   There's no specific issue with your STP here, but your ISP is complaining because they don't want to see anyone else's STP processes interfering with theirs.   > 2. They mentioned: "What the log is saying is that we receive a BPDU in a > Non-Trunk port. This means that the Edge Switch (new) or the D-Link (spare) > port is sending a BPDU to our port." > - yes, it is a non-trunk port, but why is their 3650 works on my 2960X which > the port is also configured as a non-trunk port (access mode)?   By default, the switch isn't going to care about BPDUs, but it's a good practice to defend against STP interference by filtering/guarding against foreign STP influence. It sounds like your ISP has a BPDU guard set and is blocking the interface when BPDUs are received.   There are two solutions to this:   1. Put a BPDU filter on the ISP-facing interface. This will prevent the ISP from receiving BPDUs and complaining. 2. Disable STP for the ISP VLAN, which will disable BPDUs on all member interfaces.   > 3. They mentioned: "There are two reasons for this error: any of those switches are trying > to negotiate a Trunk or are using a wrong encapsulation (802.1q or ISL)." > - why would my switches (new,spare) negotiate a trunk if both of them are access ports? > And also, their port 24 in their 3650 is an access port as well.   Trunk negotiation is on by default. You've manually set access mode, so trunk negotiation won't change the status of the port, but the negotiation will still occur. Wrong encapsulation isn't going to be an issue as the 2960X and 3650 only do 802.1q. ISL isn't supported on either switch. As has been mentioned earlier, "switchport nonegotiate" will turn that process off, but it looks like the STP interference is the real problem here.   > 4. They mentioned: "Once these parameters are consistent, spanning tree automatically > unblocks the interface." > - correct me if I am wrong but I don't have a redundant path, I only have one direct line to > their 3650, how would an STP take effect and block the port, but if I connect it to my new > switch it blocks it?   It's likely the BPDU guard on their interface. I suspect it's not actually STP that's unblocking their interface, but an error recovery timer that re-enables interfaces after a period of time. If no BPDUs are received after the interface comes up, it doesn't go down again.   > Maybe I am just missing a picture here because of thinking too much, anyone's insight about > this, specially with the small things I messed would be greatly appreciate!   I would add a BPDU filter on the ISP-facing interface, give it a few minutes and see if forwarding starts again. It's one way to verify. ... View more

If all of the addresses provided are public, no NAT is required. You have a /30 facing the Internet provider, so if your WAN interface is .214, then your gateway is .213.   ip route 0.0.0.0 0.0.0.0 x.x.x.213 ... View more

That should already be attached to your WAN interface. ... View more

That's fairly easy to accomplish. Just attach the /29 to a loopback interface and source the tunnel off of that.   interface Loopback0  ip address x.x.x.x 255.255.255.248 ! interface Tunnel0  tunnel source Loopback0 ... View more

Odd. We're using different sequence crypto maps for redundancy at a couple of customers and they're working just fine. Admittedly, we're not using IKEv2, so that may change things up somewhat. ... View more

Create a second crypto map entry with a higher sequence number and the same parameters as the original. If the IKE/IPSec negotiation fails on the lower sequence, the higher sequence will engage. Low lifetimes and keepalives are good here in order to make sure that a failure is detected quickly. ... View more

It depends on how you want things set up. Your WAN interface will hold the /30 subnet and will be your NAT outside interface. The /29 can be assigned to an interface if you actually want to assign the addresses to other devices directly, or if you're just using the network as a NAT pool, you can just reference the addresses in your NAT statements. (This will actually let you use all eight addresses in the /29 as there's no real network in play.) Traffic destined for the /29 will be routed by the ISP to your router's WAN interface and your router will take care of it from there. How exactly do you want this /29 to be used? If you let me know, I can probably give more specific advice. ... View more

1. If in our new building we will do CAT5 instead of CAT6 are we able to still get the same speeds (as those of CAT6) for end users that are connecting to the LAN with CAT5 but with switches that support  Multigigabit? Or is it something that only works when having Wave 2 access points? First of all, CAT5 isn't sufficient for multigigabit (NBase-T) in the first place. You need a minimum of CAT5e. The most common application for NBase-T is in supporting 802.11ac Wave 2 APs, but as long as the end users are using NBase-T NICs, they will get the speed benefit as well.   2. Do you think that cables are still needed if you have 802.11ac Wave 2 access points? What are the advantages of having both wired and wireless infrastructure apart from redundancy? Would you go for both?  It depends on your requirements. A wired connection is always going to be faster, more secure, and more reliable than a wireless connection. This is because a wired connection will almost always have dedicated bandwidth over a closed physical channel with end-to-end management. Wireless connections share the connection with other subscribers to the AP and transmit over the air. Ultimately, wireless is about convenience more than anything else. That said, for most people, shared wireless connections and over the air encryption are good enough. It depends on your business requirements. ... View more

Even simpler: route-map RM_Filter_In permit 10 set community no-export ! router bgp xx neigbour x.x.x.x route-map RM_Filter_In in ! ISP1 neigbour x.x.x.x route-map RM_Filter_In in ! ISP2 ... View more