1424 Views | 5 Helpful | 7 Replies

4506 Switchport configs w/DHCP Snooping/Dynamic Arp Inspection

swharvey (Level 3)

I am setting up a pair of L3 4506 switches and want to enable port security features like dhcp snooping, dynamic arp inspection, and ip source guard. The two 4506 switches run Sup IV L3 functions, and Etherchanneling with STP between them, and have end users that will connect to them. In addition, a Windows AD DHCP server connects off of ports on switch 1.

I have successfully enabled the ip dhcp snooping and dynamic arp inspection functions for the VLANs, as well as the DHCP/ARP inspection trusts on both the DHCP server ports and the Port Channel between the switches.

Furthermore, the switchports for end users in these switches support Cisco 796x phones and PCs that cascade off them.

The problem I have is this: There are two methods (that I know of) by which phones with cascading PCs can connect off the 4506 ports:

1) switchport mode access, switchport access vlan xx, and switchport voice vlan yy

2) switchport trunk encapsulation dot1q, switchport trunk native vlan xx (for the PC), switchport voice vlan yy

With Option 1, the phones work but the dynamic arp inspection prevents the PCs from obtaining an IP address (I am aware that dynamic arp inspection uses the dhcp snooping database that builds in the switches).

With Option 2, the phones and PCs work, but every time any phone is reset/disconnected, STP reports a spanning tree change.

Is there a way to implement a variant of Option 1, or another option, that will allow the PCs to work and keep the switchport in non-trunk mode so that phone resets/disconnects do not cause STP topology change notifications (e.g. switchport vlan yy interface gix/x detail)?

Any input on this would be helpful.

Thanks,

-Scott

Accepted Solution

On Option 2:

Change the spanning-tree portfast to spanning-tree portfast trunk.

Thanks,

Jake


7 Replies

swharvey (Level 3)

Below are the actual switchport config versions:

OPTION 1 (access port, voice VLAN on the phone):

    interface GigabitEthernet2/46
     switchport access vlan xx
     switchport mode access
     switchport voice vlan yy
     qos trust device cisco-phone
     qos trust cos
     auto qos voip cisco-phone
     storm-control broadcast level 50.00
     storm-control action trap
     tx-queue 3
      priority high
      shape percent 33
     spanning-tree portfast
     service-policy output autoqos-voip-policy

OPTION 2 (dot1q trunk, PC on the native VLAN):

    interface GigabitEthernet2/47
     switchport trunk encapsulation dot1q
     switchport trunk native vlan xx
     switchport mode trunk
     switchport voice vlan yy
     qos trust device cisco-phone
     qos trust cos
     auto qos voip cisco-phone
     storm-control broadcast level 50.00
     storm-control action trap
     tx-queue 3
      priority high
      shape percent 33
     spanning-tree portfast
     service-policy output autoqos-voip-policy

I thought I would try here before I open a TAC case.

Thanks

On Option 2:

Change the spanning-tree portfast to spanning-tree portfast trunk.

Thanks,

Jake

Jake your answer was money! Thanks as I found phone resets no longer cause stp topology changes to increase. One other item though related to this:

I'm also configuring "spanning-tree portfast bpduguard" at the global level to prevent STP loops. Will the "trunk" statement added to the interface-level "spanning-tree portfast" command affect the port's ability to prevent physical-layer loops?

I'm thinking it should not have an adverse effect on bpduguard but want to confirm.

Many thanks again,

-Scott

Scott,

The "trunk" statement will not affect the global command you are running as the port when in trunk mode has portfast enabled.

Thanks,

Jake
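The combination discussed above (DHCP snooping and DAI on the user VLANs, trust only on the inter-switch EtherChannel and the DHCP server port, the Option 2 phone port with `spanning-tree portfast trunk`, and global `bpduguard default`) written out as one configuration. This is an added example, not configuration from the original thread. VLAN numbers (10 = data, 20 = voice), interface names (Port-channel1 as the uplink, GigabitEthernet1/1 for the Windows DHCP server, GigabitEthernet2/47 for the phone port), the `allowed vlan` list and the rate limits are assumptions chosen for illustration; the QoS and storm-control lines from the original post are omitted to keep the security-relevant parts visible.

```ios
! --- Global: DHCP snooping and DAI on the user VLANs (assumed 10 = data, 20 = voice)
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip arp inspection vlan 10,20
! Extra sanity checks on the ARP body: drop packets whose MACs/IPs are inconsistent
ip arp inspection validate src-mac dst-mac ip
! BPDU guard on every portfast port; this includes ports using "portfast trunk"
spanning-tree portfast bpduguard default
!
! --- Trusted ports: only the EtherChannel to the other 4506 and the DHCP server
interface Port-channel1
 description EtherChannel to the second 4506 (assumed name)
 ip dhcp snooping trust
 ip arp inspection trust
!
interface GigabitEthernet1/1
 description Windows AD DHCP server (assumed port)
 switchport access vlan 10
 switchport mode access
 ip dhcp snooping trust
 ip arp inspection trust
 spanning-tree portfast
!
! --- Phone + cascaded PC, trunk variant (Option 2) with portfast trunk
interface GigabitEthernet2/47
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
 switchport voice vlan 20
 ! Deliberately left untrusted: phone and PC both take leases, so the snooping
 ! binding table covers them and DAI can validate their ARP traffic
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 ! "portfast trunk" keeps a phone reset from generating STP topology changes;
 ! the global bpduguard default still applies because the port is portfast
 spanning-tree portfast trunk
!
! --- Verification (exec mode)
! show ip dhcp snooping
! show ip dhcp snooping binding
! show ip arp inspection interfaces
! show ip arp inspection statistics vlan 10
! show spanning-tree interface GigabitEthernet2/47 detail
! show spanning-tree detail | include changes|from
```

The `show spanning-tree detail | include changes|from` line is the quick way to confirm Jake's fix: the "Number of topology changes" counter and the "from" interface should stop advancing when a phone on the portfast trunk port is power-cycled.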

jkeeffe (Level 2)

How is dynamic ARP inspection keeping the PCs from getting an IP address?

What I found is that if a PC/device has a static IP address, and the "ip arp inspection trust" and "ip dhcp snooping trust" commands are not defined on the access port, then the switch will not add the mac-address to the ip DHCP snooping binding database, and therefore denies the device access to the network.

I learned as well that the other alternative is to set a permanent DHCP reservation in the DHCP server, pull the static IP address off the PC, and then the device's IP is added to the dhcp snooping database and it is allowed to connect to the network.

Thanks - We're using the option 1 you described and I don't want to change our access ports to trunk mode if I don't have to, so explaining your problem was associated with hard coded IP addresses makes sense.
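The static-address case from the last two replies, as an added example that is not from the thread: a PC with a hard-coded address sits behind a phone on an untrusted Option 1 access port. Because the PC never takes a lease, it has no entry in the DHCP snooping binding table, so DAI drops its ARP packets and the host is unreachable. Trusting the user port "fixes" it by switching off DAI and snooping for everything behind that port, which is the wrong trade. The two alternatives that keep the port untrusted are a static entry in the binding table (`ip source binding`) or an ARP ACL. The MAC 0011.2233.4455, the address 10.1.10.50, VLAN 10 and interface GigabitEthernet2/46 are constructed values.

```ios
! --- Option 1 access port, left untrusted (as in the original post)
interface GigabitEthernet2/46
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 20
 spanning-tree portfast
 ! Do NOT add "ip arp inspection trust" / "ip dhcp snooping trust" here:
 ! that disables validation for the phone, the PC and anything plugged in later
!
! --- Fix A: static binding for the hard-coded PC (constructed MAC/IP)
! Lands in the snooping binding table as a "static" entry; DAI and IP Source
! Guard both consult it, so the host is validated like a leased one
ip source binding 0011.2233.4455 vlan 10 10.1.10.50 interface GigabitEthernet2/46
!
! --- Fix B (alternative): ARP ACL for the VLAN, consulted before the binding table
! Without the "static" keyword, ARP packets that match no ACL entry fall through
! to the normal DHCP binding check, so leased hosts keep working
arp access-list STATIC-HOSTS
 permit ip host 10.1.10.50 mac host 0011.2233.4455
!
ip arp inspection filter STATIC-HOSTS vlan 10
!
! --- Verification (exec mode)
! show ip source binding
! show ip dhcp snooping binding
! show ip arp inspection vlan 10
! show ip arp inspection statistics vlan 10
!   DHCP Drops and ACL Drops should stop incrementing for the static host
! show logging | include SW_DAI
!   DAI denials are logged as %SW_DAI-4-DHCP_SNOOPING_DENY with port and VLAN
```

Fix A is the one to prefer when a handful of devices must keep fixed addresses (printers, a management host): it is per port, so the same MAC/IP pair seen on any other port is still dropped. Fix B applies VLAN-wide and is easier to maintain from a central list, but a permitted pair is then accepted from any untrusted port in that VLAN. The DHCP reservation approach mentioned in the reply above needs neither, since the host then appears in the binding table through the normal lease.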
