Cisco switch helpdesk

Hello all,
Recently I’ve got an opportunity to build a network for a small business, therefore issues came with it.
I have 2 Cisco switches:

  • ws-c3560-48ps s
  • ws-c2960-48tc s

The idea around the network was to have ~70 ports occupied with 30 maybe in actual use, like 16 cameras (with PoE) and the rest would be PCs; the other 30 would be free sockets for upcoming PCs in the future.

The issue came as I never used Cisco before and didn’t know if I can just plug in an Ethernet cable from the ISP router to the Cisco switch (like you would do to any other cheapo D-Link/TP-Link switch) and make it spread internet to all other devices. Through investigation of the issue I’ve come across the 3rd layer routing on one switch and tried to use it as router/switch, but still no internet through the network (tested with 3 PCs). But when set up, the local network seems to be working quite right: running local web servers works through the network, attaching FreeNAS gives normal access to Emby/Nextcloud within the connected PCs.

So the question is: Do I need a Cisco router to act as DHCP server for both routers, and what way is best to set them up?

Therefore I summon @wendell to aid me in such enterpricy times that I’ve stumbled upon.
As well as I hope that @SgtAwesomesauce will come too.
Thanks in advance

Those switches cannot just be plugged directly into the Internet as they do not support NAT/PAT. You will need a separate router. Also, while the 3650 does support Layer 3 SVIs, it’s better on this scale to just have a router do Layer 3 for you.

You will also, at a minimum, enable spanning-tree port-fast by running these commands (assuming the switches have been wiped):

enable
conf t
spanning-tree portfast default
end
wr

Or else your ports will sit in the spanning-tree learning process (not passing traffic) for about half a minute every time they come up.

1 Like

Since you mentioned cameras, I guess for security reasons, are the switches driven by a UPS? Otherwise a power outage would render the cameras useless, which is a security design error.

Yes, a UPS will be there for all equipment, so UPS → switch has PoE + NVR → cameras.

Anything specific about models of routers that can be used with these switches (compatibility-wise), like Cisco 2801?

No, any router can be used. I would avoid Cisco routers, especially old ones, their throughput is horrendous (esp. if you need to do a VPN) and they are full of CVEs and bugs (old ones at least). I’d just use pfSense or OPNsense, or some other firewall or router. If you really want to run Cisco, I’d get a new router, like the ISR 4000 series.

To be honest, even though I work on Cisco equipment every day, I’d avoid using Cisco in small environments. Old equipment will have tons of CVEs and use way too much power. If not properly configured you can have security issues with them, beyond the CVEs they currently have. They’ll have features you’ll never use. Better to go with something new and supported, even if it’s not as feature heavy as Cisco gear is.

1 Like

Sorry for bumping this, but only 1 more question:
Do I need to exclude my Switch1 and Switch2 IP addresses from the DHCP pool on the router? @SgtAwesomesauce @wendell
Thanks in advance.

Best practice is to exclude them, yes.

However, many DHCP servers do ARP checks to make sure someone isn’t taking an IP without permission, to avoid conflicts. So it’s usually not going to cause problems if you don’t, but it is best practice and will avoid problems down the road.

2 Likes
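The exclusion check discussed above, as an added example that is not from any poster in this thread: given the router's dynamic range, its exclusions and the hand-configured device addresses, it lists the devices the DHCP server could still lease over. The function names and all addresses are constructed for illustration.

```python
"""Added example: find statically addressed devices a DHCP server could lease over."""
from ipaddress import IPv4Address, ip_address


def expand(ranges):
    """Turn (low, high) IPv4 string pairs into a set of IPv4Address objects."""
    out = set()
    for low, high in ranges:
        lo, hi = int(ip_address(low)), int(ip_address(high))
        if lo > hi:
            raise ValueError(f"range {low}-{high} is reversed")
        out.update(IPv4Address(n) for n in range(lo, hi + 1))
    return out


def at_risk(pool, exclusions, statics):
    """Return {name: ip} for static devices whose address may still be leased.

    pool       -- (first, last) address of the dynamic range
    exclusions -- list of (low, high) ranges the server must never hand out
    statics    -- {device name: address configured by hand on the device}
    """
    leasable = expand([pool]) - expand(exclusions)
    return {name: ip for name, ip in sorted(statics.items())
            if ip_address(ip) in leasable}


# Constructed sample data (hypothetical addressing, not taken from the thread).
POOL = ("192.168.10.2", "192.168.10.254")
EXCLUSIONS = [("192.168.10.2", "192.168.10.2")]  # only Switch1 is excluded
STATICS = {
    "Switch1": "192.168.10.2",
    "Switch2": "192.168.10.3",   # inside the pool and not excluded
    "NVR": "192.168.20.10",      # different subnet, outside the pool
}

if __name__ == "__main__":
    for name, ip in at_risk(POOL, EXCLUSIONS, STATICS).items():
        print(f"{name} ({ip}) is inside the DHCP pool and not excluded")
```

A device reported here is the one that can lose its address to a client if it is powered off when the lease is handed out, since an ARP check only sees devices that are currently up.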

To add to this, avoid Firepower. Everyone I know at work that has had to deal with them says they’re an absolute pile of shit to deal with. Stick with ASA/ISR if you need to deal with them. Ideally, don’t use Cisco for routers as they really seem to like using Java to interface with them if they don’t have SSH enabled for CLI.

Configure ip-address-helper on the switches to relay any DHCP requests if they’re on different subnets, otherwise as long as the VLANs are good and it’s on the same subnet it should find the DHCP server without issue.

1 Like

Thanks a lot, I’ve figured it out while I was plugging a PC directly into the router; it gave an address that would be used by 1 switch, so I excluded it to avoid a device getting that IP address before the switch turns on.
Anyway, I can say it’s pretty nice to learn to manage Cisco gear from my point of view, as I haven’t done it earlier. Plus the seller set up 1 port with DHCP so I can manage stuff without the cable (that’s getting shipped to me).
