Cisco 2960 IP Address conflict

davidmalan
Level 1

We have the following setup in our DataCentre and experience IP conflicts with the HSRP address. On the 2960 there is 1 VLAN connected to Catalyst 4000 switches with HSRP enabled for the gateway of clients on the 2960. The problem we experience is that customers on the 2960 switch add the HSRP address as a secondary IP on their network connection and all traffic will route to their servers. Is there a way to prevent customers from using the HSRP address on their servers? We have set up access lists for each interface but this seems to happen on layer 2.

7 Replies

mark.cronin
Level 2

David

Can you send a config of the 2960 and the 4000? Remove any security info.

Can you send a diagram?

Mark

I have attached the diagram with basic connections and setup.

==========================================================================================

Cisco 2960

==========

hostname xxxxxxxxxxxxxxxxxxxxxxxx
!
logging buffered 200000 debugging
!
username xxxxxxxx privilege 15 password xxxxxxxx
username xxxxxxxxx privilege 15 password xxxxxxxxx
aaa new-model
aaa group server radius
!
no ip domain-lookup
!
!
!
no file verify auto
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 2
 name ***Vlan_ABC_Local_LAN***
!
vlan 200
 name xxx_management
!
vlan 210
 name PDU-Management
!
vlan 845
 name xxxx-Server-Vlan
!
interface FastEthernet0/1
 description *** PDU 1 ***
 switchport access vlan 210
 switchport mode access
 switchport port-security maximum 2
 speed 10
 duplex full
 no cdp enable
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 description *** PDU 2 Bottom ***
 switchport access vlan 210
 switchport mode access
 switchport port-security maximum 2
 speed 10
 duplex full
 no cdp enable
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
!
interface FastEthernet0/7
 description *** Not In Use ***
 switchport access vlan 845
 switchport mode access
 switchport port-security maximum 2
 ip access-group 7 in
 speed 10
 duplex full
 no cdp enable
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
!
interface FastEthernet0/8
 description *** Not In Use ***
 switchport access vlan 845
 switchport mode access
 switchport port-security maximum 2
 ip access-group 8 in
 speed 10
 duplex full
 no cdp enable
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
....#
interface GigabitEthernet0/1
 description *** Link to cat 4000-01 *** UPLINK to CAT4000
 switchport access vlan 845
 switchport trunk allowed vlan 210,845
 switchport mode trunk
 speed 100
 duplex full
!
interface GigabitEthernet0/2 UPLINK to CAT4000
 description *** cat 4000-02 ***
 switchport access vlan 845
 switchport trunk allowed vlan 210,845
 switchport mode trunk
 speed 100
 duplex full
 spanning-tree cost 20
!
interface Vlan1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip route-cache
 shutdown
!
interface Vlan200
 description ***Management Vlan ***
 ip address XXXXXXXXXXXXXXXX
 no ip route-cache
!
interface Vlan845
 no ip address
 no ip route-cache
!
ip default-gateway
no ip http server
ip radius source-interface Vlan200
logging facility syslog
access-list 1 remark ***Management ***
access-list 1 permit XXX.XXX.XXX.XXX
access-list 1 deny any log
access-list 5 permit XXX.XXX.XXX.XXX
access-list 6 permit XXX.XXX.XXX.XXX
access-list 7 permit XXX.XXX.XXX.XXX
access-list 7 permit XXX.XXX.XXX.XXX
access-list 7 permit XXX.XXX.XXX.XXX
access-list 7 permit XXX.XXX.XXX.XXX
access-list 7 permit XXX.XXX.XXX.XXX
access-list 7 permit XXX.XXX.XXX.XXX
access-list 7 permit XXX.XXX.XXX.XXX
access-list 7 permit XXX.XXX.XXX.XXX
access-list 7 permit XXX.XXX.XXX.XXX
access-list 8 permit XXX.XXX.XXX.XXX

==================================================================================

Cat4000

interface GigabitEthernet5/2
 description *** 100mb Link to Int Gi0/1 ***
 switchport access vlan 845
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 210,845
 switchport mode trunk
 switchport nonegotiate
 speed 100
 duplex full
 udld port
 spanning-tree guard root

I am a bit confused by the diagram. It appears that you are using one of the top switch's VLAN845 addresses as the standby address on the bottom switch's VLAN845. Also, both VLANs have the same priority.

Regards,

Please take a look at the attached.

Are you trying to achieve this?

Mark

Edison Ortiz
Hall of Fame

The problem we experience is that customers on the 2960 switch add the HSRP address as a secondary IP on their network connection and all traffic will route to their servers. Is there a way to prevent customers from using the HSRP address on their servers? We have set up access lists for each interface but this seems to happen on layer 2.

You should look into implementing Dynamic ARP Inspection:

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/19ew/configuration/guide/dynarp.html

HTH,

__

Edison.

davidmalan
Level 1

Hi

Sorry for the incomplete diagram; I have removed most of the config and IP address information. Your diagram is correct for the setup we currently have. The solution and setup work fine, but the main problem is that customers change the IP information on their servers (connected to the 2960 switch) to the HSRP address, and all traffic will route to the server with the default gateway (HSRP address) configured on that server. I have checked the Cisco website and couldn't find information on configuring dynamic ARP inspection on a 2960 switch. The CAT 4000 just acts as a default gateway on the VLAN interface. So, if someone configures the IP address 10.0.0.1 (HSRP address) as a secondary IP on their server, it would route traffic to their server (referring to your diagram).

I have checked the Cisco website and couldn't find information on configuring dynamic ARP inspection on a 2960 switch

The 2960 is a Layer 2 switch, so it is not involved in any Layer 3 decision in your network. The configuration must be done on the 4500 switch, as it is the only device acting as a Layer 3 device.

HTH,

__

Edison.
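As an added example (not part of this thread and not Cisco's own documentation), here is how the Dynamic ARP Inspection approach recommended in the replies above could be written as an IOS configuration that protects the HSRP virtual IP on the server VLAN. It assumes the virtual IP is 10.0.0.1 as in the diagram discussion, an HSRP version 1 group whose number is the placeholder XX (so the virtual MAC is 0000.0c07.acXX), that the switch image supports DAI and ARP ACLs, that GigabitEthernet0/1 and 0/2 are the trunks carrying VLAN 845 toward the HSRP routers, and that FastEthernet0/3 through 0/24 are server-facing ports. One caveat worth keeping in mind when choosing where to apply it: DAI only inspects ARP frames that arrive on untrusted ports of the switch where it is enabled, so the ACL has to sit on the switch whose ports the servers plug into in order to intercept a server's gratuitous ARP for the VIP before it reaches the neighbouring servers on that same switch.

```cisco
! Added example: ARP ACL plus Dynamic ARP Inspection guarding the HSRP virtual IP on VLAN 845.
! Assumptions (constructed, not from the thread): VIP 10.0.0.1, HSRP v1 group XX -> virtual MAC
! 0000.0c07.acXX, trunks Gi0/1 and Gi0/2 face the HSRP routers, servers sit on Fa0/3 - Fa0/24.
!
! 1. Only the HSRP virtual MAC may claim the virtual IP. Any other sender MAC advertising
!    10.0.0.1 is dropped and logged. Everything else is permitted so statically addressed
!    servers keep working without a DHCP snooping binding table.
arp access-list HSRP-VIP-GUARD
 permit ip host 10.0.0.1 mac host 0000.0c07.acXX
 deny   ip host 10.0.0.1 mac any log
 permit ip any mac any
!
! 2. Enable DAI on the server VLAN and make the ACL the final decision ("static") so no
!    fallback lookup against the (empty) DHCP snooping bindings is attempted. The extra
!    validation drops ARP frames whose Ethernet and ARP headers disagree.
ip arp inspection vlan 845
ip arp inspection filter HSRP-VIP-GUARD vlan 845 static
ip arp inspection validate src-mac dst-mac ip
ip arp inspection log-buffer entries 256
!
! 3. Trust only the uplinks toward the HSRP routers: the routers' own gratuitous ARPs for
!    the VIP arrive on these ports and must not be subjected to the ACL.
interface range GigabitEthernet0/1 - 2
 ip arp inspection trust
!
! 4. Server-facing ports stay untrusted (the default) and rate-limited, so a host that
!    floods ARP is err-disabled instead of exhausting the inspection engine.
interface range FastEthernet0/3 - 24
 no ip arp inspection trust
 ip arp inspection limit rate 15
!
! Verification after applying:
!   show ip arp inspection vlan 845
!   show ip arp inspection statistics vlan 845
!   show arp access-list HSRP-VIP-GUARD
```

The trailing `permit ip any mac any` deliberately limits the policy to the virtual IP so that nothing else changes for tenants; if the routers' real interface addresses should also be protected from being claimed, add the same permit/deny pair for each of them above the final permit. The logged denies from the ACL give the operations team a record of which port tried to claim the gateway address, which is the evidence needed to follow up with the customer.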
