Cisco 2960 IP Address conflict

Unanswered Question
Jan 29th, 2009

We have the following setup in our DataCentre and experience IP conflicts with the HSRP address. On the 2960 is 1 VLAN connected to Catalyst 4000 switches with HSRP enabled for the gateway of clients on the 2960. The problem we experience is customers on the 2960 switch add the HSRP address as a secondary IP on their network connection and all traffic will route to their servers. Is there a way to prevent customers from using the HSRP address on their servers? We have set up an access list for each interface but this seems to happen on layer 2.

mark.cronin Thu, 01/29/2009 - 08:37

David

Can you send a config of the 2960 and the 4000 - remove any security info

Can you send a diagram

Mark

davidmalan Thu, 01/29/2009 - 09:11

I have attached the diagram with basic connections and setup.

==========================================================================================

Cisco 2960
==========

hostname xxxxxxxxxxxxxxxxxxxxxxxx
!
logging buffered 200000 debugging
!
username xxxxxxxx privilege 15 password xxxxxxxx
username xxxxxxxxx privilege 15 password xxxxxxxxx
aaa new-model
aaa group server radius
!
no ip domain-lookup
!
!
!
no file verify auto
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 2
 name ***Vlan_ABC_Local_LAN***
!
vlan 200
 name xxx_management
!
vlan 210
 name PDU-Management
!
vlan 845
 name xxxx-Server-Vlan
!
interface FastEthernet0/1
 description *** PDU 1 ***
 switchport access vlan 210
 switchport mode access
 switchport port-security maximum 2
 speed 10
 duplex full
 no cdp enable
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 description *** PDU 2 Bottom ***
 switchport access vlan 210
 switchport mode access
 switchport port-security maximum 2
 speed 10
 duplex full
 no cdp enable
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
!
interface FastEthernet0/7
 description *** Not In Use ***
 switchport access vlan 845
 switchport mode access
 switchport port-security maximum 2
 ip access-group 7 in
 speed 10
 duplex full
 no cdp enable
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
!
interface FastEthernet0/8
 description *** Not In Use ***
 switchport access vlan 845
 switchport mode access
 switchport port-security maximum 2
 ip access-group 8 in
 speed 10
 duplex full
 no cdp enable
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
....#
interface GigabitEthernet0/1   (UPLINK to CAT4000)
 description *** Link to cat 4000-01 ***
 switchport access vlan 845
 switchport trunk allowed vlan 210,845
 switchport mode trunk
 speed 100
 duplex full
!
interface GigabitEthernet0/2   (UPLINK to CAT4000)
 description *** cat 4000-02 ***
 switchport access vlan 845
 switchport trunk allowed vlan 210,845
 switchport mode trunk
 speed 100
 duplex full
 spanning-tree cost 20
!
interface Vlan1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip route-cache
 shutdown
!
interface Vlan200
 description ***Management Vlan ***
 ip address XXXXXXXXXXXXXXXX
 no ip route-cache
!
interface Vlan845
 no ip address
 no ip route-cache
!
ip default-gateway
no ip http server
ip radius source-interface Vlan200
logging facility syslog
access-list 1 remark ***Management ***
access-list 1 permit XXX.XXX.XXX.XXX
access-list 1 deny any log
access-list 5 permit XXX.XXX.XXX.XXX
access-list 6 permit XXX.XXX.XXX.XXX
access-list 7 permit XXX.XXX.XXX.XXX
access-list 7 permit XXX.XXX.XXX.XXX
access-list 7 permit XXX.XXX.XXX.XXX
access-list 7 permit XXX.XXX.XXX.XXX
access-list 7 permit XXX.XXX.XXX.XXX
access-list 7 permit XXX.XXX.XXX.XXX
access-list 7 permit XXX.XXX.XXX.XXX
access-list 7 permit XXX.XXX.XXX.XXX
access-list 7 permit XXX.XXX.XXX.XXX
access-list 8 permit XXX.XXX.XXX.XXX

==================================================================================

Cat4000
=======

interface GigabitEthernet5/2
 description *** 100mb Link to Int Gi0/1 ***
 switchport access vlan 845
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 210,845
 switchport mode trunk
 switchport nonegotiate
 speed 100
 duplex full
 udld port
 spanning-tree guard root

Tshi M Thu, 01/29/2009 - 09:40

I am a bit confused with the diagram. It appears that you are using one of the top switch VLAN845 address as the standby address on the bottom switch vlan845. And also both VLAN have the same priority.

Regards,

Edison Ortiz Thu, 01/29/2009 - 12:03

The problem we experience is customers on the 2960 switch add the HSRP address as a secondary IP on their network connection and all traffic will route to their servers. Is there a way to prevent customers from using the HSRP address on their servers? We have set up an access list for each interface but this seems to happen on layer 2.

You should look into implementing Dynamic ARP Inspection:

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/19ew/configuration/guide/dynarp.html

HTH,

__

Edison.

davidmalan Fri, 01/30/2009 - 01:33

Hi

Sorry for the incomplete diagram, I have removed most of the config and IP address information. Your diagram is correct in the setup we currently have; the solution and setup work fine, but the main problem is that customers change their IP information on their servers (connected to the 2960 switch) to the HSRP address, and all traffic will route to the server with the default gateway (HSRP address) configured on that server. I have checked the Cisco website and couldn't find information to configure dynamic ARP inspection on a 2960 switch. The CAT 4000 just acts as a default gateway on the VLAN interface. So, if someone configures the IP address 10.0.0.1 (HSRP address) as a secondary IP on their server it would route traffic to their server (referring to your diagram).

Edison Ortiz Fri, 01/30/2009 - 06:39

I have checked the Cisco website and couldn't find information to configure dynamic ARP inspection on a 2960 switch

2960 is a Layer 2 switch so it's not involved in any Layer 3 decision in your network. The configuration must be done in the 4500 switch as it's the only device acting as a Layer 3 device.

HTH,

__

Edison.
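An added example, not the thread's own configuration, of what Edison's suggestion looks like on the Catalyst 4000/4500 side: Dynamic ARP Inspection (DAI) on the server VLAN with an ARP ACL that refuses any ARP claiming the gateway address from an untrusted port. It takes VLAN 845 and the HSRP address 10.0.0.1 from the thread, Gi5/2 as the trunk down to the 2960 from the posted config, and assumes GigabitEthernet5/1 as the link to the other Cat4000 (a placeholder; substitute the real port). DAI inspects ARP as it enters the switch on untrusted ports, so this protects the ARP caches of the Cat4000s and of everything reached through their trusted ports; ARP exchanged between two customer ports on the same 2960 is switched locally and never passes through the 4500, so it is not inspected there.

```ios
! Dynamic ARP Inspection on the Catalyst 4000/4500 for the server VLAN.
! Added example, not the thread's own config. Assumptions: VLAN 845 is
! the server VLAN and 10.0.0.1 is the HSRP address (both from the thread),
! Gi5/2 is the trunk down to the 2960 (from the posted config), and
! Gi5/1 is a placeholder for the link to the other Cat4000.
!
! 1. Inspect ARP on VLAN 845. All ports start untrusted, so ARP arriving
!    from the 2960 on Gi5/2 is checked before it can poison any cache.
ip arp inspection vlan 845
!
! 2. Extra sanity checks: src-mac/dst-mac require the MACs inside the ARP
!    body to match the Ethernet header; ip rejects bogus sender/target
!    addresses such as 0.0.0.0, 255.255.255.255 or multicast.
ip arp inspection validate src-mac dst-mac ip
!
! 3. The gateway address may never be claimed from an untrusted port.
!    Everything else is permitted explicitly: without "permit ip any mac any",
!    ARP matching no entry would fall through to the DHCP snooping binding
!    table, which is empty for statically addressed servers, and be dropped.
arp access-list VLAN845-GATEWAY
 deny ip host 10.0.0.1 mac any log
 permit ip any mac any
!
ip arp inspection filter VLAN845-GATEWAY vlan 845
!
! 4. Trust only the link to the other Cat4000: that is where the peer's
!    genuine HSRP and ARP traffic for 10.0.0.1 arrives.
interface GigabitEthernet5/1
 ip arp inspection trust
!
! 5. Keep the 2960 trunk untrusted, but raise the 15 pps default rate limit:
!    one trunk carries the ARP of every server behind it, and exceeding the
!    limit err-disables the whole uplink. Auto-recover if that does happen.
interface GigabitEthernet5/2
 no ip arp inspection trust
 ip arp inspection limit rate 100 burst interval 1
!
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
! 6. Keep a buffer of dropped ARP so the offending port and server are
!    identifiable afterwards.
ip arp inspection log-buffer entries 1024
```

After applying it, `show ip arp inspection vlan 845` confirms the VLAN is inspected and which ACL is attached, `show ip arp inspection interfaces` lists the trust state and rate limit per port, `show ip arp inspection statistics vlan 845` counts forwarded versus dropped ARP, and `show ip arp inspection log` records the interface, VLAN, sender MAC and sender IP of each packet the ACL denied, which is the evidence needed to identify the customer who configured the gateway address.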
