I am setting up a pair of L3 4506 switches and want to enable port security features like DHCP snooping, dynamic ARP inspection, and IP source guard. The two 4506 switches run Sup IV L3 functions, and Etherchanneling with STP between them, and have end users that will connect to them. In addition, a Windows AD DHCP server connects off of ports on switch 1.
I have successfully enabled the ip dhcp snooping and dynamic arp inspection functions for the VLANs, as well as the dhcp/arp inspect trusts on both the DHCP server ports and the Port Channel between the switches.
Furthermore, the switchports for end users in these switches support Cisco 796x phones and PCs that cascade off them.
The problem I have is this: There are two methods (that I know of) by which phones with cascading PCs can connect off the 4506 ports:
1) Switchport mode access, switchport access vlan xx, and switchport voice vlan yy
2) Switchport trunk encapsulation dot1q, switchport trunk native xx (for PC), switchport voice vlan yy
With Option 1, the phones work but the dynamic arp inspection prevents the PCs from obtaining an IP address (I am aware that dyn arp inspect uses the dhcp snoop db that builds in the switches).
With Option 2, the phones and PCs work, but every time any phone is reset/disconnected, STP reports a spanning tree change.
Is there a way to implement a variant of Option 1, or another Option, that will allow the PCs to work, and keep the switchport in non-trunk mode so that phone resets/disconnects do not cause STP topology change notifications (e.g. switchport vlan yy interface gix/x detail)?
Any input on this would be helpful.
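
A simplified model of the check that dynamic ARP inspection makes against the DHCP snooping binding table the post refers to. This is an added example, not part of the original post and not Cisco's implementation. The VLAN numbers, port names, MACs and addresses are constructed stand-ins for the post's xx/yy values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding: what was leased, in which VLAN, on which port."""
    mac: str
    ip: str
    vlan: int
    port: str

def dai_verdict(arp, bindings, trusted_ports, dai_vlans):
    """Return 'permit' or 'drop' for one ARP packet seen on an ingress port."""
    if arp["vlan"] not in dai_vlans:
        return "permit"   # inspection is enabled per VLAN
    if arp["port"] in trusted_ports:
        return "permit"   # trusted interfaces bypass inspection
    key = Binding(arp["sender_mac"].lower(), arp["sender_ip"],
                  arp["vlan"], arp["port"])
    # Untrusted port: sender MAC/IP must match a binding for this VLAN and port.
    return "permit" if key in bindings else "drop"

# Constructed sample data: data VLAN 10, voice VLAN 20, phone + PC on Gi3/5.
DAI_VLANS = {10, 20}
TRUSTED = {"Po1", "Gi2/1"}   # inter-switch Port Channel and DHCP server port
BINDINGS = {
    Binding("0011.2233.4455", "10.0.20.50", 20, "Gi3/5"),  # phone, voice VLAN
    Binding("00aa.bbcc.ddee", "10.0.10.77", 10, "Gi3/6"),  # PC on another port
}

SAMPLE_ARPS = [
    # Phone with a binding in the voice VLAN
    {"sender_mac": "0011.2233.4455", "sender_ip": "10.0.20.50", "vlan": 20, "port": "Gi3/5"},
    # PC behind the phone, no binding in the data VLAN on this port
    {"sender_mac": "0066.7788.99aa", "sender_ip": "10.0.10.60", "vlan": 10, "port": "Gi3/5"},
    # Same unknown PC arriving over the trusted Port Channel
    {"sender_mac": "0066.7788.99aa", "sender_ip": "10.0.10.60", "vlan": 10, "port": "Po1"},
    # PC whose binding exists, but for a different port than the ARP arrived on
    {"sender_mac": "00aa.bbcc.ddee", "sender_ip": "10.0.10.77", "vlan": 10, "port": "Gi3/5"},
    # VLAN 30 is not inspected
    {"sender_mac": "0066.7788.99aa", "sender_ip": "10.0.30.9", "vlan": 30, "port": "Gi3/5"},
]

def run_samples():
    return [dai_verdict(a, BINDINGS, TRUSTED, DAI_VLANS) for a in SAMPLE_ARPS]

if __name__ == "__main__":
    for arp, verdict in zip(SAMPLE_ARPS, run_samples()):
        print(f'{arp["port"]:6} vlan {arp["vlan"]:<3} {arp["sender_ip"]:12} {verdict}')
```

On the switch, `show ip dhcp snooping binding` lists the entries this model treats as `BINDINGS`, including the VLAN and interface each one was learned on.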