I am setting up a pair of L3 4506 switches and want to enable port security features like dhcp snooping, dynamic arp inspection, and ip source guard. The two 4506 switches run Sup IV L3 functions, and Etherchanneling with STP between them, and have end users that will connect to them. In addition, a Windows AD DHCP server connects off of ports on switch 1.
I have successfully enabled the ip dhcp snooping and dynamic arp inspection functions for the vlans, as well as the dhcp/arp inspection trusts on both the DHCP server ports and the Port Channel between the switches.
Furthermore, the switchports for end users in these switches support Cisco 796x phones and PCs that cascade off them.
The problem I have is this: There are two methods (that I know of) that phones with cascading PCs can connect off the 4506 ports:
With Option 1, the phones work but the dynamic arp inspection prevents the PCs from obtaining an IP address (I am aware that dyn arp inspect uses the dhcp snoop db that builds in the switches).
With Option 2, the phones and PCs work, but every time any phone is reset/disconnected, STP reports a spanning tree change.
Is there a way to implement a variant of Option 1, or another Option, that will allow the PCs to work, and keep the switchport in non-trunk mode so that phone resets/disconnects do not cause STP topology change notifications (e.g. switchport vlan yy interface gix/x detail).
Jake your answer was money! Thanks as I found phone resets no longer cause stp topology changes to increase. One other item though related to this:
I'm also configuring "spanning-tree portfast bpduguard" at the global level to prevent stp loops. Will the "trunk" statement added to the interface level "spanning-tree portfast" command affect the port's ability to prevent physical layer loops?
I'm thinking it should not have an adverse effect on bpduguard but want to confirm.
What I found is that if a PC/device has a static IP address, and the "ip arp inspection trust" and "ip dhcp snooping trust" commands are not defined on the access port, then the switch will not add the mac-address to the ip DHCP snooping binding database, and therefore denies the device access to the network.
I learned as well that the other alternative is to set a permanent dhcp reservation in the dhcp server, pull the static IP address off the PC, and then the device's IP is added to the dhcp snoop database and is allowed to connect to the network.
Thanks - We're using the option 1 you described and I don't want to change our access ports to trunk mode if I don't have to, so explaining your problem was associated with hard coded IP addresses makes sense.
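An added configuration example (not the thread's own config) sketching the setup discussed above on a Catalyst 4500: DHCP snooping and DAI with trusted uplink and server ports, the voice-plus-data access port with "spanning-tree portfast trunk" from the follow-up question, and, as a further option beyond the DHCP reservation mentioned above, a static snooping binding for a host with a hard-coded address. VLAN numbers, interface names, the MAC address and the IP address are assumptions.

```cisco
! Global: build the DHCP snooping binding table for the user VLANs and let
! DAI validate ARP against it. VLANs 10 (data) and 20 (voice) are constructed.
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Snooping inserts DHCP option 82 by default; if the DHCP server rejects
! such requests, disable the insertion.
no ip dhcp snooping information option
ip arp inspection vlan 10,20
! Global BPDU guard for every portfast-enabled port
spanning-tree portfast bpduguard default
!
! Uplink to the other 4506: DHCP replies and ARP from the peer are trusted.
interface Port-channel1
 ip dhcp snooping trust
 ip arp inspection trust
!
! Port facing the Windows AD DHCP server (assumed interface)
interface GigabitEthernet1/1
 description Windows AD DHCP server
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping trust
 ip arp inspection trust
!
! User port: data VLAN for the cascaded PC, voice VLAN for the 796x phone.
! The port stays in access mode; the "trunk" keyword on portfast covers the
! tagged voice VLAN, so a phone reset no longer generates a TCN. Untrusted
! for snooping/DAI, with a DHCP rate limit and IP Source Guard (4500 syntax).
interface GigabitEthernet2/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 spanning-tree portfast trunk
 ip dhcp snooping limit rate 15
 ip verify source vlan dhcp-snooping
!
! A host with a static IP has no snooping binding, so DAI drops its ARP.
! Rather than trusting the port, add a static binding (values constructed).
ip source binding 0011.2233.4455 vlan 10 192.0.2.50 interface GigabitEthernet2/2
!
! Verification
! show ip dhcp snooping binding
! show ip arp inspection vlan 10
! show ip arp inspection statistics vlan 10
```

Watch "show ip arp inspection statistics" for DHCP-drop counters after a static host is connected; a rising count on an untrusted port is the symptom described in the thread.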