Trunk Port Threshold Best Practice?

Similar Messages

• Port Channel Best Practice

  Hi All,
  I have a MDS9509 with port channels going to my Cisco blade switches on my HP Proliant blade enclosure.
  I have NO ports left on my MDS9509, but DO have some remaining on the blade enclosure.
  The question is, can i port channel from the blade enclosure to another edge switch (MDS9148)?
  Is that a supported configuration/Best Practice and what are the ramifications if I do that?
  So I'm going from Core, to edge and then to edge switch with port channel.
  Thanks,
  Matt

  Hi Matthew,
  Sorry for the misunderstanding,  your to-be diagram cleared up a lot for me :-)
  First off, yes, it will work. There's no reason it shouldn't and if you have the external ports free on your 9124e, you can hook up a new switch.
  It's far from a conventional design, because blade switches are supposed to go in the Edge. It's not a best practice.
  What I would recommend is that you move some of the storage from your edge to the 9148, and treat it as a collapsed core, sharing an edge switch (the blade switch).  You can then ISL the 9148 and the 9509 together into a somewhat sensible topology.
  So for one fabric this would be
  (disk)---9148  --- 9509 -- (disks) (some moved to the left to free up space for ISLs)
                  9124e
  Or you can contact your sales team and look to swap some Linecards with higher port density ones.
  Lastly I would like to note that, however you link up the switches, most combinations available to you will 'work'.  So as a temp solution you can go ahead with the (core - blade - edge) scenario.  Just know that you'll be introducing bottlenecks and potential weak points into your network. 

• Metrics - Thresholds - Best Practices

  All,
  I installed em grid control 11g and configured the targets and notification rules. Now i am trying to set up thresholds, is there a best practice threshold values that someone can share for various metrics at weblogic level. I know this is a generic question and i can tune the thresholds for my environment/application usage. But there must be a ball-park threshold document somewhere for alert purposes.
  Thanks in advance,
  Prasad.

  Hi Prasad,
  There is no document giving recommendations on threshold values. Setting thresholds really depends on your environment. I recommend looking at performance history...looking at for instance a timeframe that had heavy load on the application/server but performance was good. Then set thresholds according to that....either adjust up or down as needed.
  Thanks,
  Nicole

• Looking For Guidance: Best Practices for Source Control of Database Assets

  Database Version: 11.2.0.3
  OS: RHEL 6.2
  Source Control: subversion
  This is a general question aimed at database professionals, however, it is not specific to any oracle version, etc.  Its a leadership question for other Oracle shops regarding source control.
  The current trunk, in my client's source control, is the implementation of a previous employee who used ER Studio.  After walking the batch scripts and subordinate files , it was determined that there would be no formal or elegant way to recreate the current version of the database from our source control - the engineers who have contributed to these assets are no longer employed or available for consulting.  The batch scripts are stale, if you will.
  To clean this up and to leverage best practices, I need some guidance on whether or not to baseline the current repository and how to move forward with additions of assets; tables, procs, pkgs, etc.  I'm really interested in how larger oracle shops organize their repository - what directories do you use, how are they labeled...are they labeled with respect to version?
  Assumptions:
  1. repository (database assets only) needs to be baselined (?)
  2. I have approval to change this database directory under the trunk to support best practices and get the client steered straight in terms of recovery and
  Knowns:
  1. the current application version in the database is 5.11.0 (that's my client's application version)
  2. this is for one schema/user of a database (other schemas under the database belong to different trunks)
  This is the layout that we currently have and for the privacy of the
  client I've made this rather generic.  I'd love to have a fresh
  start...how do I go about doing that...initially, I like using
  SqlDeveloper's ability to create sql scripts from a connected target. 
  product_name
    |_trunk
       |_database
         |_config
         |_data
         |_database
         |_integration
         |_patch
         |   |_5.2A.2
         |   |_5.2A.4
         |   |_5.3.0
         |   |_5.3.1
         |
         |_scripts
         |   |_config
         |   |_logs
         |
         |_server
  Thank you in advance.

  HiWe are using Data ONTAP 8.2.3p3 on our FAS8020 in 7-mode and we have 2 aggregates, a SATA and SAS aggregate. I want to decommission the SATA aggregate as I want to move that tray to another site. If I have a flexvol containing 3 qtrees CIFS shares can I use data motion (vol copy) to move the flex vol on the same controller but to a different aggregate without major downtime? I know this article is old and it says here that CIFS are not supported however I am reading mix message that on the version of data ONTAP we are now on does support CIFS and data motion however there will be a small downtime with the CIFS share terminating. Is this correct? Thanks

• Best practices for configure Rogue Detector AP and trunk port?

  I'm using a 2504 controller.  I dont have WCS.
  My questions are about the best way to configure a Rogue Detector AP.
  In my lab environment I setup the WLC with 2 APs.  One AP was in local mode, and I put the other in Rogue Detector mode.
  The Rogue Detector AP was connected to a trunk port on my switch.  But the AP needed to get its IP address from the DHCP server running on the WLC.  So I set the native vlan of the trunk port to be the vlan on which the WLC management interface resides.  If the trunk port was not configured with a native vlan, the AP couldn't get an address through DHCP, nor could the AP communicate with the WLC.  This makes sense because untagged traffic on the trunk port will be delivered to the native vlan.  So I take it that the AP doesn't know how to tag frames.
  Everything looked like it was working ok.
  So I connected an autonomous AP (to be used as the rogue), and associated a wireless client to it.  Sure enough it showed up on the WLC as a rogue AP, but it didn't say that it was connected on the wire.  From the rogue client I was able to successfully ping the management interface of the WLC.
  But the WLC never actually reported the rogue AP as being connected to the wired network.
  So my questions are:
  1. What is the correct configuration for the trunk port?  Should it not be configured with a native vlan?  If not, then I'm assuming the rogue detector AP will have to have a static IP address defined, and it would have to be told which vlan it's supposed to use to communicate with the WLC.
  2.  Assuming there is a rogue client associated with the rogue AP, how long should it reasonably take before it is determined that the rogue AP is connected to the wired network?  I know this depends on if the rogue client is actually generating traffic, but in my lab environment I had the rogue client pinging the management interface of the WLC and still wasn't being picked up as an on-the-wire rogue.
  Thanks for any input!!

  #what's the autonomous AP's(as Rogue AP) Wired and Wireless MAC address?
  it has to be +1 or -1 difference. If Wired MAC is x.x.x.x.x.05 and the wireless mac should be x.x.x.x.x.04 or 06. It is not going to detect if the difference is more than + 1 or - 1.
  #Does the switch sees the Rogue AP's wired MAC on its MAC table.
  Rogue Detector listens to ARPs to get all the Wired MAC info and forwards to WLC, It compares with Wireless MAC, if there is a +1 or -1 difference then it will be flagged as Rogue on wire. And the client that connected to it is also marked as found on wire.
  Regards to Trunking, Only Native vlan matters per trunk link, just configure the right vlan as native and we're done.
  It is not mandatory to keep the Rogue detector on Management vlan of wlc. It can also be on L3 vlan also as long as it can join the WLC to forward the learnt wired MACs.
  So if we don't have +1, -1 difference on Rogues then you've to use RLDP which will work with your existing setup to find Rogue on wire. there's a performance hit when we use this feature on local mode APs.
  Note: For AP join - AP can't understand Trunk, meaning if AP connected to Trunk it'll only talk to its native vlan irrespective of AP mode, however rogue detector listens to the Trunk port to learn MACs via ARPs from different VLANs and forwards to WLC using native vlan.

• Template(best practice) for Switch ports

  Hi,
  Looking for best practice advice on switchport config for client facing ports.
  We recently had an incident where an access port turned into a trunk(trunk mode desirable), which we obviously do not want to happen again!
  For Access Ports(First two should stop DTP I'm hoping?):
  switchport mode access
  switchport nonegotiate
  storm-control broadcast level 20.00
  storm-control action trap
  no cdp enable
  spanning-tree portfast
  spanning-tree bpdufilter enable
  spanning-tree guard root
  switchport port-security maximum 10
  switchport port-security
  switchport port-security aging time 10
  And for trunk ports to clients:
  switchport trunk encapsulation dot1q
  switchport mode trunk
  switchport trunk allowed vlan xxx,xxx
  switchport nonegotiate
  storm-control broadcast level 20.00
  storm-control action trap
  no cdp enable
  spanning-tree bpdufilter enable
  spanning-tree guard root
  Thanks in advance.

  Look here: http://www.cisco.com/en/US/docs/solutions/Enterprise/Branch/E_B_SDC1.html#wp68930
  That's Cisco's branch design doc from Design Zone.
  For those that want a fast answer:
  For VoIP phones and PC:
  interface GigabitEthernet1/0/6 - interface GigabitEthernet1/0/23
  description phone with PC connected to phone
  switchport access vlan 102
  switchport mode access
  switchport voice vlan 101
  switchport port-security maximum 2
  switchport port-security
  switchport port-security aging time 2
  switchport port-security violation restrict
  switchport port-security aging type inactivity
  ip arp inspection limit rate 100
  load-interval 30
  srr-queue bandwidth share 1 70 25 5
  srr-queue bandwidth shape 3 0 0 0
  priority-queue out
  mls qos trust device cisco-phone
  spanning-tree portfast
  spanning-tree bpduguard enable
  ip verify source
  ip dhcp snooping limit rate 100
  For data only:
  interface GigabitEthernet1/0/24- interface GigabitEthernet1/0/28
  description DATA only ports
  switchport access vlan 102
  switchport mode access
  switchport port-security maximum 3
  switchport port-security
  switchport port-security aging time 2
  switchport port-security violation restrict
  switchport port-security aging type inactivity
  ip arp inspection limit rate 100
  load-interval 30
  srr-queue bandwidth share 1 70 25 5
  srr-queue bandwidth shape 3 0 0 0
  priority-queue out
  spanning-tree portfast
  spanning-tree bpduguard enable
  ip verify source
  ip dhcp snooping limit rate 100
  That's Cisco's recommendation.
  And just my opinion is that I'd much rather shut a port down that receives a BPDU than just filter it. Reason being that you can't trust users not to do something stupid, like hook two switch ports to the same switch they're using at their desk in an effort to "make the network faster". For two, if someone malicious plugs in a switch into your environment, shut the port down. . .that makes it hard for them to do anything malicious.

• Best Practice on trunking VSAN 1

  Hello all
  I'd appreciate feedback on wether this is looked upon as good practice or not.
  For all the Cisco SAN implementations I have done to date, I have always trunked VSAN1 (but obviously NOT used it for customer data).  I do this for a couple of reasons.
  1.  It is a good test for an ISL, you can initially trunk VSAN1 to be 100% all is OK, before affecting customer VSAN's
  2.  Fabric manager is not "erroring" by reporting segmented VSAN's
  What do the rest of you do?  Is there a Cisco best practice on this?
  Thanks
  Steven

  Steven,
  CFS stands for Cisco Fabric Services. It can be used to distribute configuration information between MDS switches to keep the configuration consistent. It  can be used for various things like NTP settings, Syslog config, call home config etc.
  You can find more information in the MDS documentation on CCO. See here for example:
  http://www.cisco.com/en/US/docs/switches/datacenter/mds9000/sw/5_0/configuration/guides/sysmgnt/nxos/cfs.html
  CFS uses VSAN 1.
  As for best practices, there is a document also on CCO:
  http://www.cisco.com/en/US/prod/collateral/ps4159/ps6409/ps5990/white_paper_C11-515630.html
  This talks a bit about VSAN 1. I can tell you that I have installed lots of MDS SANs during the past 9 years and it is one of the things I’d do from experience. Use VSAN 1 for management purposes like CFS and put your real production traffic in other VSANs.
  Ralf

• Best Practice to Integrate CER with RedSky E911 Anywhere via SIP Trunk

  We are trying to integrate CER 9 with RedSky for V911 using a SIP trunk and need assistance with best practice and configuration. There is very little documentation regarding "best practice" for routing these calls to RedSky. This trunk will be handling the majority of our geographically dispersed company's 911  calls.
  My question is: should we use an IPsec tunnel for this? The only reference I found was this: http://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/virtual-office/deployment_guide_c07-636876.htmlm which recommends an IPsec tunnel for the SIP trunk to Intrado. I would think there are issues with an unsecure SIP trunk for 911 calls. Looking for advice or specifics on how to configure this. Does the SIP trunk require a CUBE or is a CUBE only required for the IPsec tunnel?
  Any insight is appreciated.
  Thank you.

  you can use Session Trace in RTMT to check who is disconnecting the call and why.

• Looking for best practice Port Authentication

  Hello,
  I'm currently deploying 802.1x on a campus with Catalyst 2950 and 4506.
  There are lots of Printers and non-802.1x devices (around 200) which should be controlled by their mac-address. Is there any "best practice" besides using sticky mac-address learning.
  I'm thinking of a central place where alle mac-addresses are stored (i.e. ACS).
  Another method would be checking only the first part of the mac-address (vendor OID) on the switch-ports.
  Any ideas out there??
  regards
  Hubert

  check out the following link, this provides info on port based authentication, see if it helps :
  http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00801cde59.html

• FC port channels between MDS and UCS FI best practice?

  Hi,
  We would like to create FC port channels between our UCS FI's and MDS9250 switches.
  At the moment we have 2 separate 8Gbps links to the FI's.
  Are there any disadvantages or reasons to NOT do this?
  Is it a best practice?
  Thanks.

  As Walter said, having port-channels is best practice.  Here is a little more information on why.
  Let's take your example of two 8Gbps links, not in a port-channel ( and no static pinning ) for Fibre Channel connectivity:
  Hosts on the UCS get automatically assigned ( pinned ) to the individual uplinks in a round-robin fashion.
  (1)If you have some hosts that are transferring a lot of data, to and from storage, these hosts can end up pinned to the same uplink and could hurt their performance. 
  In a port-channel, the hosts are pinned to the port-channel and not individual links.
  (2)Since hosts are assigned to an individual link, if that link goes down, the hosts now have to log back into the fabric over the existing working link.   Now you would have all hosts sharing a single link. The hosts will not get re-pinned to a link until they leave and rejoin the fabric.  To get them load balanced again would require taking them out of the fabric and adding them back, again via log out, power off, reload, etc...
  If the links are in a port-channel, the loss of one link will reduce the bandwidth of course, but when the link is restored, no hosts have to be logged out to regain the bandwidth.
  Best regards,
  Jim

• Best practices whil using Iron Port as MTA..

  We are planning to deploy ironport in our environment as a MTA and Spam. Currently we use qmail as MTA and Trend was a spam.
  Mail Flow
  External --> Qmail (DMZ) --> Trend Micro Spam Server (LAN) --> Exchange
  Kindly suggest as best practice and important features should enable to block spam.

  Something that may aid you in your readings --->
  https://supportforums.cisco.com/discussion/11429111/ask-expert-best-practices-configuring-email-security-appliance
  Snippet from there:
  Because everyone's mail flow is different (my company will receive different targeted spam than yours, for instance), obtaining the maximum potential can be as much an art as a science.
  Since we often are asked what extra steps can be taken to get the maximum potential out of your IronPort, we've published an external Knowledge Base article that lists *several* things you can do to stop as much spam as possible:
  Article #493: IronPort Anti-Spam Efficacy Checklist Link: http://tinyurl.com/eqpk6
  I cannot stress enough to use Step 11: Report mis-classified messages to IronPort.  Anytime you catch an email making it through our systems, we want to know. You cannot submit too many samples. (The same holds true for misclassifed HAM messages.) 
  I hope this helps!
  -Robert
  (*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)

• Best practice for integrating a 3 point metro-e in to our network.

  Hello,
  We have just started to integrate a new 3 point metro-e wan connection to our main school office. We are moving from point to point T-1?s to 10 MB metro-e. At the main office we have a 50 MB going out to 3 other sites at 10 MB each. For two of the remote sites we have purchase new routers ? which should be straight up configurations. We are having an issue connecting the main office with the 3rd site.
  At the main office we have a Catalyst 4006 and at the 3rd site we are trying to connect to a catalyst 4503.
  I have attached configurations from both the main office and 3rd remote site as well as a basic diagram of how everything physically connects. These configurations are not working ? we feel that it is a gateway type problem ? but have reached no great solutions. We have tried posting to a different forum ? but so far unable to find the a solution that helps.
  The problem I am having is on the remote side. I can reach the remote catalyst from the main site, but I cannot reach the devices on the other side of the remote catalyst however the remote catalyst can see devices on it's side as well as devices at the main site.
  We have also tried trunking the ports on both sides and using encapsulation dot10q ? but when we do this the 3rd site is able to pick up a DHCP address from the main office ? and we do not feel that is correct. But it works ? is this not causing a large broad cast domain?
  If you have any questions or need further configuration data please let me know.
  The previous connection was a T1 connection through a 2620 but this is not compatible with metro-e so we are trying to connect directly through the catalysts.
  The other two connection points will be connecting through cisco routers that are compatible with metro-e so i don't think I'll have problems with those sites.
  Any and all help is greatly welcome ? as this is our 1st metro e project and want to make sure we are following best practices for this type of integration.
  Thank you in advance for your help.
  Jeff

  Jeff, form your config it seems you main site and remote site are not adjacent in eigrp.
  Try adding a network statement for the 171.0 link and form a neighbourship between main and remote site for the L3 routing to work.
  Upon this you should be able to reach the remote site hosts.
  HTH-Cheers,
  Swaroop

• ASA 5505 Best Practice Guidance Requested

  I am hoping to tap into the vast wealth of knowledge on this board in order to gain some "best practice" guidance to assist me with the overall setup using the ASA 5505 for a small business client.  I'm fairly new to the ASA 5505 so any help would be most appreciated!
  My current client configuration is as follows:
  a) business internet service (cable) with a fixed IP address
  b) a Netgear N600 Wireless Dual Band router (currently setup as gateway and used for internet/WiFi access)
  c) a Cisco SG-500-28 switch
  d) one server running Windows Small Business Server 2011 Standard (primary Domain Controller)
       (This server is currently the DNS and DHCP server)
  e) one server running Windows Server 2008 R2 (secondary Domain Controller)
  f) approximately eight Windows 7 clients (connected via SG-500-28 switch)
  g) approximately six printers connected via internal network (connected via SG-500-28 switch)
  All the servers, clients, and printers are connected to the SG-500-28 switch.
  The ISP provides the cable modem for the internet service.
  The physical cable for internet is connected to the cable modem.
  From the cable modem, a CAT 6 ethernet cable is connected to the internet (WAN) port of the Netgear N600 router.
  A Cat 6 ethernet cable is connected from Port 1 of the local ethernet (LAN) port on the N600 router to the SG-500-28 switch.
  cable modem -> WAN router port
  LAN router port -> SG-500-28
  The ASA 5505 will be setup with an "LAN" (inside) interface and a "WAN" (outside) interface.  Port e0/0 on the ASA 5505 will be used for the outside interface and the remaining ports will be used for the inside interface.
  So my basic question is, given the information above of our setup, where should the ASA 5505 be "inserted" to maximize its performance?  Also, based on the answer to the previous question, can you provide some insight as to how the ethernet cables should be connected to achieve this?
  Another concern I have is what device will be used as the default gateway.  Currently, the Netgear N600 is set as the default gateway on both Windows servers.  In your recommended best practice solution, does the ASA 5505 become the default gateway or does the router remain the default gateway?
  And my final area of concern is with DHCP.  As I stated earlier, I am running DHCP on Windows Small Business Server 2011 Standard.  Most of the examples I have studied for the ASA 5505 utilize its DHCP functionality.  I also have done some research on the "dhcprelay server" command.  So I'm not quite sure which is the best way to go. First off, does the "dhcprelay server" even work with SBS 2011?  And secondly, if it does work, is the best practice to use the "dhcprelay" command or to let the ASA 5505 perform the DHCP server role?
  All input/guidance/suggestions with these issues would be greatly appreciated!  I want to implement the ASA 5505 firewall solution following "best practices" recommendations in order to maximize its functionality and minimize the time to implement.
  FYI, the information (from the "show version" command) for the ASA 5505 is shown below:
  Cisco Adaptive Security Appliance Software Version 8.4(7)
  Device Manager Version 7.1(5)100
  Compiled on Fri 30-Aug-13 19:48 by builders
  System image file is "disk0:/asa847-k8.bin"
  Config file at boot was "startup-config"
  ciscoasa up 2 days 9 hours
  Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
  Internal ATA Compact Flash, 128MB
  BIOS Flash M50FW016 @ 0xfff00000, 2048KB
  Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                               Boot microcode   : CN1000-MC-BOOT-2.00
                               SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                               IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.06
                               Number of accelerators: 1
  0: Int: Internal-Data0/0    : address is a493.4c99.8c0b, irq 11
  1: Ext: Ethernet0/0         : address is a493.4c99.8c03, irq 255
  2: Ext: Ethernet0/1         : address is a493.4c99.8c04, irq 255
  3: Ext: Ethernet0/2         : address is a493.4c99.8c05, irq 255
  4: Ext: Ethernet0/3         : address is a493.4c99.8c06, irq 255
  5: Ext: Ethernet0/4         : address is a493.4c99.8c07, irq 255
  6: Ext: Ethernet0/5         : address is a493.4c99.8c08, irq 255
  7: Ext: Ethernet0/6         : address is a493.4c99.8c09, irq 255
  8: Ext: Ethernet0/7         : address is a493.4c99.8c0a, irq 255
  9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
  10: Int: Not used            : irq 255
  11: Int: Not used            : irq 255
  Licensed features for this platform:
  Maximum Physical Interfaces       : 8              perpetual
  VLANs                             : 3              DMZ Restricted
  Dual ISPs                         : Disabled       perpetual
  VLAN Trunk Ports                  : 0              perpetual
  Inside Hosts                      : 10             perpetual
  Failover                          : Disabled       perpetual
  VPN-DES                           : Enabled        perpetual
  VPN-3DES-AES                      : Enabled        perpetual
  AnyConnect Premium Peers          : 2              perpetual
  AnyConnect Essentials             : Disabled       perpetual
  Other VPN Peers                   : 10             perpetual
  Total VPN Peers                   : 12             perpetual
  Shared License                    : Disabled       perpetual
  AnyConnect for Mobile             : Disabled       perpetual
  AnyConnect for Cisco VPN Phone    : Disabled       perpetual
  Advanced Endpoint Assessment      : Disabled       perpetual
  UC Phone Proxy Sessions           : 2              perpetual
  Total UC Proxy Sessions           : 2              perpetual
  Botnet Traffic Filter             : Disabled       perpetual
  Intercompany Media Engine         : Disabled       perpetual
  This platform has a Base license.

  Hey Jon,
  Again, many thanks for the info!
  I guess I left that minor detail out concerning the Guest network.  I have a second Netgear router that I am using for Guest netowrk access.  It is plugged in to one of the LAN network ports on the first Netgear router.
  The second Netgear (Guest) router is setup on a different subnet and I am letting the router hand out IP addresses using DHCP.
  Basic setup is the 192.168.1.x is the internal network and 192.168.11.x is the Guest network.  As far as the SBS 2011 server, it knows nothing about the Guest network in terms of the DHCP addresses it hands out.
  Your assumption about the Guest network is correct, I only want to allow guest access to the internet and no access to anything internal.  I like your idea of using the restricted DMZ feature of the ASA for the Guest network.  (I don't know how to do it, but I like it!)  Perhaps you could share more of your knowledge on this?
  One final thing, the (internal) Netgear router setup does provide the option for a separate Guest network, however it all hinges on the router being the DHCP server.  This is what led me to the second (Guest) Netgear router because I wanted the (internal) Netgear router NOT to use DHCP.  Instead I wanted SBS 2011 to be the DHCP server.  That's what led to the idea of a second (Guest) router with DHCP enabled.
  The other factor in all this is SBS 2011.  Not sure what experience you've had with the Small Business Server OS's but they tend to get a little wonky if some of the server roles are disabled.  For instance, this is a small busines with a total of about 20 devices including servers, workstations and printers.  Early on I thought, "nah, I don't need this IPv6 stuff," so I found an article on how to disable it and did so.  The server performance almost immediately took a nose dive.  Rebooting the server went from a 5 minute process to a 20 minute process.  And this was after I followed the steps of an MSDN article on disabling IPv6 on SBS 2011!  Well, long story short, I enabled IPv6 again and the two preceeding issues cleared right up.  So, since SBS 2011 by "default" wants DHCP setup I want to try my best to accomodate it.  So, again, your opinion/experiece related to this is a tremendous help!
  Thanks!

• Best Practice - WAP connecting switchport configuration.

  Is there a best practice for deploying the WAP's in a WAP/WLC infrastructure?  Should the connecting switchport be an Access port or a Trunk port?  I've seen this implemented in both fashions and wasn't sure if one was a better choice than the order.  What is the difference?
  My other question is regarding applying additional switchport configurations.  Is there anything wrong with applying either spanning-tree portfast, spanning-tree bpdguard, or switchport port-security. 

  Hi Ken,
  Access port all the time, everywhere, UNLESS the AP is configured for HREAP/FLEX then trunk. Or if you deploy a AP in monitor mode then TRUNK.
  QOS -- if its access port trust dscp. If you truck trust cos.
  No you are fine. Portfast is highly recommended.
  "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
  ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

• Best practice about dial-peer creating when using analog lines

  Hi,
  I am trying to find out what is the best practice when creating dial-peer for analog lines on CME, should I use trunk group or create separate dial-peer for each FXO ports? If I use trunk group, is there any advantage ( lesser dial-peer)  or disadvantage?
  Thanks!

  The advantage of trunk groups is that a single dial peer can point to for instance PSTN, rather then multiple dialpeers, with varying preference, each pointing to a separate FXO. Funtionally I can't see much difference. So I guess it also comes down to personal preference.
  =============================
  Please remember to rate useful posts, by clicking on the stars below. 
  =============================