01-29-2009 06:52 AM - edited 03-06-2019 03:44 AM
We have the following setup in our DataCentre and experience IP conflicts with the HSRP address. On the 2960 is 1 VLAN connected to Catalyst 4000 switches with HSRP enabled for the gateway of clients on the 2960. The problem we experience is customers on the 2960 switch add the HSRP address as a secondary IP on their network connection and all traffic will route to their servers. Is there a way to prevent customers from using the HSRP address on their servers? We have set up access lists for each interface but this seems to happen on layer 2.
01-29-2009 08:37 AM
David
Can you send a config of the 2960 and the 4000 - remove any security info
Can you send a diagram
Mark
01-29-2009 09:11 AM
I have attached the diagram with basic connections and setup.
==========================================================================================
Cisco 2960
==========
hostname xxxxxxxxxxxxxxxxxxxxxxxx
!
logging buffered 200000 debugging
!
username xxxxxxxx privilege 15 password xxxxxxxx
username xxxxxxxxx privilege 15 password xxxxxxxxx
aaa new-model
aaa group server radius
!
no ip domain-lookup
!
!
!
no file verify auto
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 2
name ***Vlan_ABC_Local_LAN***
!
vlan 200
name xxx_management
!
vlan 210
name PDU-Management
!
vlan 845
name xxxx-Server-Vlan
!
interface FastEthernet0/1
description *** PDU 1 ***
switchport access vlan 210
switchport mode access
switchport port-security maximum 2
speed 10
duplex full
no cdp enable
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
!
interface FastEthernet0/2
description *** PDU 2 Bottom ***
switchport access vlan 210
switchport mode access
switchport port-security maximum 2
speed 10
duplex full
no cdp enable
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
!
interface FastEthernet0/7
description *** Not In Use ***
switchport access vlan 845
switchport mode access
switchport port-security maximum 2
ip access-group 7 in
speed 10
duplex full
no cdp enable
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
!
interface FastEthernet0/8
description *** Not In Use ***
switchport access vlan 845
switchport mode access
switchport port-security maximum 2
ip access-group 8 in
speed 10
duplex full
no cdp enable
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
....#
interface GigabitEthernet0/1
description *** Link to cat 4000-01 *** UPLINK to CAT4000
switchport access vlan 845
switchport trunk allowed vlan 210,845
switchport mode trunk
speed 100
duplex full
!
interface GigabitEthernet0/2 UPLINK to CAT4000
description *** cat 4000-02 ***
switchport access vlan 845
switchport trunk allowed vlan 210,845
switchport mode trunk
speed 100
duplex full
spanning-tree cost 20
!
interface Vlan1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
shutdown
!
interface Vlan200
description ***Management Vlan ***
ip address XXXXXXXXXXXXXXXX
no ip route-cache
!
interface Vlan845
no ip address
no ip route-cache
!
ip default-gateway
no ip http server
ip radius source-interface Vlan200
logging facility syslog
access-list 1 remark ***Management ***
access-list 1 permit XXX.XXX.XXX.XXX
access-list 1 deny any log
access-list 5 permit XXX.XXX.XXX.XXX
access-list 6 permit XXX.XXX.XXX.XXX
access-list 7 permit XXX.XXX.XXX.XXX
access-list 7 permit XXX.XXX.XXX.XXX
access-list 7 permit XXX.XXX.XXX.XXX
access-list 7 permit XXX.XXX.XXX.XXX
access-list 7 permit XXX.XXX.XXX.XXX
access-list 7 permit XXX.XXX.XXX.XXX
access-list 7 permit XXX.XXX.XXX.XXX
access-list 7 permit XXX.XXX.XXX.XXX
access-list 7 permit XXX.XXX.XXX.XXX
access-list 8 permit XXX.XXX.XXX.XXX
==================================================================================
Cat4000
interface GigabitEthernet5/2
description *** 100mb Link to Int Gi0/1 ***
switchport access vlan 845
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 210,845
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
udld port
spanning-tree guard root
01-29-2009 09:40 AM
I am a bit confused by the diagram. It appears that you are using one of the top switch's VLAN845 addresses as the standby address on the bottom switch's VLAN845. And also both VLANs have the same priority.
Regards,
01-29-2009 11:48 AM
01-29-2009 12:03 PM
The problem we experience is customers on the 2960 switch add the HSRP address as a secondary IP on their network connection and all traffic will route to their servers. Is there a way to prevent customers from using the HSRP address on their servers? We have set up access lists for each interface but this seems to happen on layer 2.
You should look into implementing Dynamic ARP Inspection:
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/19ew/configuration/guide/dynarp.html
HTH,
__
Edison.
01-30-2009 01:33 AM
Hi
Sorry for the incomplete diagram, I have removed most of the config and IP address information. Your diagram is correct for the setup we currently have; the solution and setup work fine, but the main problem is customers change their IP information on their servers (connected to the 2960 switch) to the HSRP address, and all traffic will route to the server with the default gateway (HSRP address) configured on that server. I have checked the Cisco website and couldn't find information to configure Dynamic ARP Inspection on a 2960 switch. The CAT 4000 just acts as a default gateway on the VLAN interface. So, if someone configures the IP address 10.0.0.1 (HSRP address) as a secondary IP on their server it would route traffic to their server (referring to your diagram).
01-30-2009 06:39 AM
I have checked the Cisco website and couldn't find information to configure Dynamic ARP Inspection on a 2960 switch
The 2960 is a Layer 2 switch so it's not involved in any Layer 3 decision in your network. The configuration must be done on the 4500 switch as it's the only device acting as a Layer 3 device.
HTH,
__
Edison.
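Added example, not from the thread or from Cisco: the sender-binding check that Dynamic ARP Inspection performs, as recommended in Edison's two replies above, written out in Python so the logic can be followed. ARP packets arriving on untrusted ports are compared against a static binding table (the HSRP VIP bound to its virtual MAC) and any other host claiming the VIP is flagged; the port names, addresses and HSRP group number are constructed for the scenario in this thread, and the 0000.0c07.acXX virtual MAC pattern is the HSRP version 1 format.

```python
"""Flag ARP packets that claim a protected gateway IP (the HSRP VIP) with a
MAC other than the one bound to it. This mirrors the sender IP/MAC validation
Dynamic ARP Inspection does against a static ARP ACL; all data is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    ingress_port: str
    sender_ip: str
    sender_mac: str
    target_ip: str
    opcode: int  # 1 = request, 2 = reply


def hsrp_virtual_mac(group: int) -> str:
    """HSRP version 1 virtual MAC: 0000.0c07.acXX, where XX is the group number."""
    if not 0 <= group <= 255:
        raise ValueError("HSRPv1 group must be 0..255")
    return f"0000.0c07.ac{group:02x}"


def inspect_arp(packets, bindings, trusted_ports):
    """Return (port, sender_ip, sender_mac) for each ARP packet seen on an
    untrusted port whose sender IP is protected but whose sender MAC does not
    match the binding. Trusted ports (the router uplinks) are not inspected,
    which is also how DAI treats 'ip arp inspection trust' interfaces."""
    violations = []
    for p in packets:
        if p.ingress_port in trusted_ports:
            continue
        expected = bindings.get(p.sender_ip)
        if expected is not None and p.sender_mac.lower() != expected.lower():
            violations.append((p.ingress_port, p.sender_ip, p.sender_mac))
    return violations


# Constructed scenario: VIP 10.0.0.1 in HSRP group 1, the two uplinks trusted.
BINDINGS = {"10.0.0.1": hsrp_virtual_mac(1)}
TRUSTED = {"Gi0/1", "Gi0/2"}
SAMPLE = [
    ArpPacket("Gi0/1", "10.0.0.1", "0000.0c07.ac01", "10.0.0.50", 2),  # genuine VIP reply via uplink
    ArpPacket("Fa0/7", "10.0.0.50", "001a.2b3c.4d5e", "10.0.0.1", 1),  # normal gateway lookup
    ArpPacket("Fa0/8", "10.0.0.1", "001a.2b3c.4d5f", "10.0.0.1", 1),   # server announcing VIP as its own
]

if __name__ == "__main__":
    for v in inspect_arp(SAMPLE, BINDINGS, TRUSTED):
        print("ARP binding violation on %s: %s claimed by %s" % v)
```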