Re: spanning tree & ip arp inspection c2821+c3560+c2960

Discussion in 'Cisco' started by Thrill5, Apr 16, 2009.

  1. Thrill5

    Thrill5 Guest

    Routers don't run spanning-tree (or arp inspection) on routed interfaces.
    If you have a switching hardware module (such as an NM-16ESW, NME-16ESW or
    HWIC-4ESW), then spanning-tree does run, but only on those interfaces that are
    configured as layer 2 (access or trunk ports), and only the NME switch
    modules support arp inspection, but this module is configured completely
    separately from the router. Interfaces that are trunked do not run arp
    inspection, and using the router as the DHCP server has no impact on arp
    inspection or its configuration.


    "PrzemekD" <p.r.z.e.m.e.k@_tlen_.pl> wrote in message
    news:gs4bsv$dg3$...
    > Hello All.
    >
    > I would like to obtain your help, because the subject is wide & I didn't find
    > an explanation in Google nor in the manuals :(
    >
    > I need a schematic guide rather than a ready config - I will then dig further
    > to check & repair my configs.
    >
    > What should be the minimal required configuration for the rtr and switches to
    > properly run spanning-tree when the router is the root?
    > What should be configured to have ip arp inspection when the router is the dhcp
    > server? (I have statically assigned IP addresses for the DHCP pool)
    > What do I also need to give access to 2-3 servers which have static addresses
    > configured (to do ip arp inspection)?
    > What do I need to run ip arp inspection on the c2960?
    >
    > I realize that these are rather BIG questions, but I believe there is someone
    > here who could explain a little
    >
    >
    > thanks in advance
    > Przemek
    >
    > Connections:
    >
    > router (adv ip serv.) -->c3560(ip base)-->c2960(ip base)
    >
    > Router config:
    > ----------------------
    > 1. DHCP for LAN (for vlan103)
    > 2. four vlans defined as "interface VlanXXX" (not as a routed interface's
    > subinterface). Let's call them vlan101, vlan102, vlan103, vlan104
    > 3. internal 4-port switch: fa0/1/0 configured as a trunk carrying those
    > four defined vlans (output to c3560)
    >
    > important parts of real config:
    >
    > ip dhcp pool LAN_USERS
    > import all
    > origin file flash:database.txt
    > default-router a.b.c.d
    > dns-server <router itself>
    > lease 0 17
    >
    > interface FastEthernet0/1/0
    > description TRUNK
    > switchport trunk native vlan 103
    > switchport mode trunk
    > logging event subif-link-status
    >
    > interface Vlan101
    > description ** Voice VLAN **
    > ip address x.y.z.w 255.255.255.0
    > ip directed-broadcast
    > ip nbar protocol-discovery
    > ip flow ingress
    > ip flow egress
    > ip virtual-reassembly
    >
    > interface Vlan103
    > description ** Old Data VLAN *
    > ip address q.w.e.r 255.255.255.0
    > ip nbar protocol-discovery
    > ip flow ingress
    > ip flow egress
    > ip dns view-group default-list
    > ip nat inside
    > ip virtual-reassembly
    > ip policy route-map lan-pbr
    >
    >
    > c3560 config:
    > ----------------------
    > 1. Gi0/1 as trunk, connected to the router's fa0/1/0
    > 2. all other ports assigned to their vlans as access...
    > 3. except Gi0/2, which is trunk - to connect c2960
    >
    > important parts of real config:
    >
    > no service dhcp
    > udld aggressive
    > ip subnet-zero
    >
    > errdisable recovery cause udld
    > errdisable recovery cause bpduguard
    > ...
    > ........................................................... (all others
    > possible - set like above)
    > ...
    > errdisable recovery cause arp-inspection
    > errdisable recovery cause loopback
    > errdisable recovery interval 30
    >
    > spanning-tree mode pvst
    > spanning-tree loopguard default
    > spanning-tree extend system-id
    > !
    > vlan internal allocation policy ascending
    > !
    > interface FastEthernet0/1 <-----(rest access ports -
    > like this)
    > switchport access vlan 104 <-----(different vlans here)
    > switchport mode access
    > switchport voice vlan 101
    > switchport port-security maximum 2
    > switchport port-security
    > switchport port-security aging time 2
    > switchport port-security violation restrict
    > switchport port-security aging type inactivity
    > srr-queue bandwidth share 10 10 60 20
    > srr-queue bandwidth shape 10 0 0 0
    > mls qos trust device cisco-phone
    > mls qos trust cos
    > auto qos voip cisco-phone
    > macro description cisco-desktop
    > spanning-tree portfast
    > spanning-tree bpduguard enable
    >
    > interface GigabitEthernet0/1
    > switchport trunk encapsulation dot1q
    > switchport trunk native vlan 103
    > switchport mode trunk
    > ip arp inspection trust
    > logging event trunk-status
    > logging event spanning-tree
    > logging event status
    > logging event subif-link-status
    > macro description cisco-router
    > spanning-tree portfast trunk
    > spanning-tree link-type point-to-point
    > !
    > interface GigabitEthernet0/2
    > switchport trunk encapsulation dot1q
    > switchport trunk native vlan 103
    > switchport mode trunk
    > ip arp inspection trust
    > auto qos voip trust
    > macro description cisco-switch
    > spanning-tree link-type point-to-point
    >
    > c2960 config:
    > --------------------
    > 1. Gi0/1 as trunk, connected to the c3560 Gi0/1
    > 2. all other ports assigned to their vlans as access...
    >
    > important parts of real config:
    >
    > no service dhcp
    > udld aggressive
    > ip subnet-zero
    >
    > errdisable recovery cause udld
    > errdisable recovery cause bpduguard
    > ...
    > ........................................................... (all others
    > possible - set like above)
    > ...
    > errdisable recovery cause arp-inspection
    > errdisable recovery cause loopback
    > errdisable recovery interval 30
    >
    >
    > spanning-tree mode pvst
    > spanning-tree extend system-id
    > !
    > vlan internal allocation policy ascending
    > !
    > interface FastEthernet0/1 <-----(rest access ports -
    > like this)
    > switchport access vlan 104 <-----(different vlans here)
    > switchport mode access
    > switchport voice vlan 101
    > switchport port-security maximum 2
    > switchport port-security
    > switchport port-security aging time 2
    > switchport port-security violation restrict
    > switchport port-security aging type inactivity
    > srr-queue bandwidth share 10 10 60 20
    > srr-queue bandwidth shape 10 0 0 0
    > mls qos trust device cisco-phone
    > mls qos trust cos
    > auto qos voip cisco-phone
    > macro description cisco-desktop
    > spanning-tree portfast
    > spanning-tree bpduguard enable
    >
    > interface GigabitEthernet0/1
    > switchport trunk native vlan 103
    > switchport mode trunk
    > srr-queue bandwidth share 10 10 60 20
    > queue-set 2
    > priority-queue out
    > mls qos trust cos
    > macro description cisco-switch
    > auto qos voip trust
    > spanning-tree link-type point-to-point
    >
    >
    > --
    >
    > best regards / pozdrawiam,
    > Przemek
    >
     
    Thrill5, Apr 16, 2009
    #1
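As an added example (not configuration from Przemek, Thrill5 or anyone else in this thread), here is a minimal configuration that follows Thrill5's answer: the spanning-tree root and Dynamic ARP Inspection are placed on the c3560 and c2960, not on the router, since the router only runs spanning-tree on its switch-module layer-2 ports and the HWIC switch module does not do arp inspection. It also fills the gap visible in the posted c3560 config, which trusts the trunks with `ip arp inspection trust` but never enables `ip dhcp snooping` or `ip arp inspection vlan`, so DAI is not actually active there. DHCP clients are validated against the DHCP snooping binding table and the 2-3 static servers against an ARP ACL; the DHCP server being the router behind the trunk only matters in that this trunk must be a trusted port. VLAN numbers, port names and the router-as-DHCP-server layout come from Przemek's post; the server IP/MAC pairs, the choice of the c3560 as root, and the assumption that the c2960 image supports DHCP snooping and DAI are mine.

```cisco
! ===== c3560 (distribution; made STP root instead of the router) =====
! Added example, not Przemek's or Thrill5's config. VLANs 101-104 and the
! port roles are taken from the thread; everything else is an assumption.
spanning-tree mode pvst
spanning-tree vlan 101-104 root primary
!
! DHCP snooping builds the IP/MAC/VLAN/port binding table that DAI checks.
! The router (DHCP server) sits behind Gi0/1, so that trunk is trusted;
! Gi0/2 is trusted because the c2960 behind it runs its own snooping/DAI.
ip dhcp snooping
ip dhcp snooping vlan 101-104
! Option 82 insertion is disabled: the IOS DHCP server on the router drops
! requests carrying option 82 with giaddr 0.0.0.0 unless told to trust them
! ("ip dhcp relay information trust-all" on the router is the alternative).
no ip dhcp snooping information option
!
! DAI: validate ARP on all user VLANs and check MAC/IP consistency in the ARP body.
ip arp inspection vlan 101-104
ip arp inspection validate src-mac dst-mac ip
!
! Static servers that never use DHCP: explicit IP-to-MAC permits. The values
! below are constructed placeholders; replace them with the real server bindings.
arp access-list STATIC-SERVERS
 permit ip host 10.103.0.10 mac host 0011.2233.4455
 permit ip host 10.103.0.11 mac host 0011.2233.4466
! Without the "static" keyword, hosts not matched by the ACL are still checked
! against the DHCP snooping bindings, so DHCP clients in VLAN 103 keep working.
ip arp inspection filter STATIC-SERVERS vlan 103
!
interface GigabitEthernet0/1
 description uplink to router fa0/1/0 (DHCP server side)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 103
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
interface GigabitEthernet0/2
 description downlink to c2960 Gi0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 103
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Access ports stay untrusted (the default): DAI rate-limits them to 15 ARP pps
! and err-disables the port on excess; "errdisable recovery cause arp-inspection"
! from the original config brings the port back after the recovery interval.
interface FastEthernet0/1
 switchport access vlan 104
 switchport mode access
 switchport voice vlan 101
 ip arp inspection limit rate 15
!
! ===== c2960 (access; same snooping/DAI, its only trusted port is the uplink) =====
! Assumes the c2960 image includes DHCP snooping and DAI.
spanning-tree mode pvst
ip dhcp snooping
ip dhcp snooping vlan 101-104
no ip dhcp snooping information option
ip arp inspection vlan 101-104
ip arp inspection validate src-mac dst-mac ip
!
interface GigabitEthernet0/1
 description uplink to c3560 Gi0/2
 switchport trunk native vlan 103
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! ===== Verification (on each switch, after a client has leased an address) =====
! show spanning-tree vlan 103                 -> "This bridge is the root" on the c3560
! show ip dhcp snooping binding               -> one entry per DHCP client
! show ip arp inspection vlan 103             -> DAI enabled, ACL STATIC-SERVERS applied
! show ip arp inspection interfaces           -> trunks Trusted, access ports Untrusted
! show ip arp inspection statistics vlan 103  -> Dropped counters should stay flat
```

Two design notes. First, the static servers could instead be entered as static snooping bindings with `ip source binding <mac> vlan <vlan> <ip> interface <port>`, which DAI then consults like a DHCP lease; the ARP ACL is used above because it is not tied to a port, so a server can be moved without editing the binding. Second, DAI only becomes effective once both `ip arp inspection vlan` and a populated binding table (or ACL) exist: enabling `ip arp inspection trust` on trunks alone, as in the posted config, exempts those ports but inspects nothing.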

  2. tweety

    tweety Guest

    On Apr 16, 8:17 am, "Thrill5" <> wrote:
    > Routers don't run spanning-tree (or arp inspection) on routed interfaces.
    > If you have a switching hardware module (such as an NM-16ESW, NME-16ESW or
    > HWIC-4ESW), then spanning-tree does run, but only on those interfaces that are
    > configured as layer 2 (access or trunk ports), and only the NME switch
    > modules support arp inspection, but this module is configured completely
    > separately from the router. Interfaces that are trunked do not run arp
    > inspection, and using the router as the DHCP server has no impact on arp
    > inspection or its configuration.

    Hi, do routers not run spanning tree if they are bridging (bridge
    group 1 ieee)?
     
    tweety, Apr 18, 2009
    #2

  3. Thrill5

    Thrill5 Guest

    Yes, an interface running a bridge group would also run spanning-tree.

    "tweety" <> wrote in message
    news:...
    On Apr 16, 8:17 am, "Thrill5" <> wrote:
    > Routers don't run spanning-tree (or arp inspection) on routed interfaces.
    > If you have a switching hardware module (such as an NM-16ESW, NME-16ESW or
    > HWIC-4ESW), then spanning-tree does run, but only on those interfaces that are
    > configured as layer 2 (access or trunk ports), and only the NME switch
    > modules support arp inspection, but this module is configured completely
    > separately from the router. Interfaces that are trunked do not run arp
    > inspection, and using the router as the DHCP server has no impact on arp
    > inspection or its configuration.
    Hi, do routers not run spanning tree if they are bridging (bridge
    group 1 ieee)?
     
    Thrill5, Apr 20, 2009
    #3
