10-25-2007 06:56 PM - edited 03-05-2019 07:20 PM
I am setting up a pair of L3 4506 switches and want to enable port security features like DHCP snooping, Dynamic ARP Inspection, and IP Source Guard. The two 4506 switches run Sup IV L3 functions and EtherChannel with STP between them, and have end users that will connect to them. In addition, a Windows AD DHCP server connects off of ports on switch 1.
I have successfully enabled the IP DHCP snooping and Dynamic ARP Inspection functions for the VLANs, as well as the DHCP snooping/ARP inspection trusts on both the DHCP server ports and the Port Channel between the switches.
Furthermore, the switchports for end users in these switches support Cisco 796x phones and PCs that cascade off them.
The problem I have is this: there are two methods (that I know of) by which phones with cascading PCs can connect off the 4506 ports:
1) Switchport mode access, switchport access vlan xx, and switchport voice vlan yy
2) Switchport trunk encapsulation dot1q, switchport trunk native xx (for PC), switchport voice vlan yy
With Option 1, the phones work but Dynamic ARP Inspection prevents the PCs from obtaining an IP address (I am aware that DAI uses the DHCP snooping database that builds in the switches).
With Option 2, the phones and PCs work, but every time any phone is reset/disconnected, STP reports a spanning tree change.
Is there a way to implement a variant of Option 1, or another option, that will allow the PCs to work and keep the switchport in non-trunk mode, so that phone resets/disconnects do not cause STP topology change notifications (e.g. switchport vlan yy interface gix/x detail)?
Any input on this would be helpful.
Thanks,
-Scott
10-25-2007 06:59 PM
Below are the actual switchport config versions:
OPTION 1:
interface GigabitEthernet2/46
switchport access vlan xx
switchport mode access
switchport voice vlan yy
qos trust device cisco-phone
qos trust cos
auto qos voip cisco-phone
storm-control broadcast level 50.00
storm-control action trap
tx-queue 3
priority high
shape percent 33
spanning-tree portfast
service-policy output autoqos-voip-policy
OPTION 2:
interface GigabitEthernet2/47
switchport trunk encapsulation dot1q
switchport trunk native vlan xx
switchport mode trunk
switchport voice vlan yy
qos trust device cisco-phone
qos trust cos
auto qos voip cisco-phone
storm-control broadcast level 50.00
storm-control action trap
tx-queue 3
priority high
shape percent 33
spanning-tree portfast
service-policy output autoqos-voip-policy
I thought I would try here before I open a TAC case.
Thanks
10-25-2007 07:03 PM
On Option 2:
Change the spanning-tree portfast to spanning-tree portfast trunk.
Thanks,
Jake
10-25-2007 07:21 PM
Jake, your answer was money! Thanks, as I found phone resets no longer cause STP topology changes to increase. One other item though, related to this:
I'm also configuring "spanning-tree portfast bpduguard" at the global level to prevent STP loops. Will the "trunk" statement added to the interface-level "spanning-tree portfast" command affect the port's ability to prevent physical layer loops?
I'm thinking it should not have an adverse effect on bpduguard but want to confirm.
Many thanks again,
-Scott
10-25-2007 07:56 PM
Scott,
The "trunk" statement will not affect the global command you are running, as the port, when in trunk mode, has portfast enabled.
Thanks,
Jake
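Putting Jake's fix together with the trust settings Scott described, here is an added example (not configuration from the original posts) of the Option 2 port with `spanning-tree portfast trunk`, the global BPDU guard default, and the snooping/DAI trusts on the DHCP server port and the inter-switch Port Channel. The interface numbers, the VLAN IDs (10 for data, 20 for voice) and the port-channel number are assumed placeholders.

```cisco
! Global: DHCP snooping and DAI on the data and voice VLANs (assumed IDs 10 and 20),
! plus BPDU guard on every PortFast-enabled port by default.
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip arp inspection vlan 10,20
spanning-tree portfast bpduguard default
!
! EtherChannel between the two 4506s (assumed Po1): trusted for DHCP snooping
! and DAI so DHCP replies and ARP crossing the uplink are not dropped.
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! DHCP server port on switch 1 (assumed Gi2/1): trusted, otherwise snooping drops
! the server's OFFER/ACK and DAI drops the server's own (static-IP) ARP traffic.
interface GigabitEthernet2/1
 switchport access vlan 10
 switchport mode access
 ip dhcp snooping trust
 ip arp inspection trust
!
! Phone with cascaded PC, Option 2 as corrected. "portfast trunk" stops the
! topology change that a phone reset otherwise generates on a trunk port.
! BPDU guard still applies through the global default, so a BPDU arriving on
! this port err-disables it; the port stays untrusted for snooping and DAI.
interface GigabitEthernet2/47
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
 switchport voice vlan 20
 spanning-tree portfast trunk
```

To confirm the change took effect, watch the "Number of topology changes" counter in `show spanning-tree interface GigabitEthernet2/47 detail` across a phone reset, and check `show spanning-tree summary` to see that BPDU guard is still enabled by default. Leaving the user-facing port untrusted is deliberate: trusting it would disable the very checks DAI and snooping are there to enforce.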
11-30-2007 10:14 AM
How is Dynamic ARP Inspection keeping the PCs from getting an IP address?
11-30-2007 10:23 AM
What I found is that if a PC/device has a static IP address, and the "ip arp inspection trust" and "ip dhcp snooping trust" commands are not defined on the access port, then the switch will not add the MAC address to the IP DHCP snooping binding database, and therefore denies the device access to the network.
I learned as well that the other alternative is to set a permanent DHCP reservation in the DHCP server, pull the static IP address off the PC, and then the device's IP is added to the DHCP snooping database and it is allowed to connect to the network.
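For the static-IP case Scott describes, there is a third option besides trusting the port or moving the host to a DHCP reservation: a static entry in the snooping binding database, which DAI (and IP Source Guard, if enabled on the port) then honours. The configuration below is an added example, not from the thread; the MAC address, IP address, VLAN and interface are assumed placeholders.

```cisco
! Static binding for a host with a hard-coded address behind Gi2/46 (assumed
! values). DAI validates the host's ARP packets against this entry, so the
! access port can stay untrusted instead of getting "ip arp inspection trust".
ip source binding 0011.2233.4455 vlan 10 10.1.10.50 interface GigabitEthernet2/46
!
! Alternative for DAI only: an ARP ACL applied to the VLAN. ARP packets that
! match are permitted without a binding entry; packets that do not match still
! fall through to the snooping database (append "static" to drop them instead).
arp access-list STATIC-HOSTS
 permit ip host 10.1.10.50 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10
```

`show ip source binding` lists the static entry alongside the dynamically learned ones, and the DAI denied counters in `show ip arp inspection statistics vlan 10` should stop incrementing for that host. Both approaches keep the enforcement on the port, which is preferable to trusting an access port wholesale.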
11-30-2007 10:32 AM
Thanks - we're using the Option 1 you described and I don't want to change our access ports to trunk mode if I don't have to, so explaining that your problem was associated with hard-coded IP addresses makes sense.