Uplink Interface Connectivity
  Configure Uplink Interface Connectivity
Best Practice User Guide for the Catalyst 3850 and Catalyst 3650 Switch Series
In the following example, security is applied to the uplink interfaces connecting to routers:
Spanning-Tree Recommendations for an Uplink Interface Connecting to a Distribution Switch
Note: Complete this configuration on the distribution switches and not on the switch. The recommendations 
listed below are not applicable when routers are used at the distribution layer.
Step 3 On uplink interfaces to distribution switches (Figure 6), ensure that the spanning-tree root for the 
switch-stack VLANs is configured on the distribution switch pair. 
Follow the recommendations below when standalone distribution switches are used instead of a VSS 
or VPC system:
• Make sure that the spanning-tree roots for the VLANs are distributed evenly between two standalone 
distribution switches. For example, configure one switch as the spanning-tree root for all the even 
VLANs, and configure the other switch as the spanning-tree root for all the odd VLANs. This 
distribution configuration ensures that the spanning tree does not block all the VLANs on a single 
uplink interface, and results in an even traffic flow on the uplink interfaces.
• If Hot Standby Router Protocol (HSRP) or Virtual Router Redundancy Protocol (VRRP) is 
configured for the VLANs located on the standalone distribution switches, make sure that the VLAN 
configuration on the active switch is the same on the switch that is the spanning-tree root for that 
VLAN.
• Avoid flooding of traffic caused by asymmetric routing of traffic flows, by configuring the arp 
timeout interface configuration command. This command adjusts the ARP aging timer to less than 
the MAC address table aging timer on the Layer 3 VLAN interfaces of the distribution switches. By 
default, the MAC address table aging timer is set to 5 minutes (300 seconds) on the switch. 
For more information about spanning tree root configuration on the VSS, see the “Spanning Tree 
Configuration Best Practice with VSS” section of the VSS Enabled Campus Design Guide.
For more information about spanning-tree root on distribution switches, see the “Spanning VLANs 
across Access Layer Switches” section of the Campus Network for High Availability Design Guide.
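The ARP-versus-MAC aging recommendation above can be checked against a saved distribution-switch configuration. The following Python audit is an added example, not part of the Cisco guide; the function name and the sample configuration are constructed, and it assumes the Cisco IOS default ARP timeout of 14400 seconds when an SVI has no arp timeout line.

```python
import re

# 300 s is the MAC aging default stated in the guide; 14400 s is the Cisco IOS
# default ARP timeout (assumed when an SVI carries no "arp timeout" line).
DEFAULT_MAC_AGING = 300
DEFAULT_ARP_TIMEOUT = 14400

# Constructed sample: Vlan10 is tuned, Vlan20 uses defaults, Vlan30 is equal.
SAMPLE_CONFIG = """\
mac address-table aging-time 300
mac address-table aging-time 600 vlan 30
!
interface Vlan10
 arp timeout 270
!
interface Vlan20
 ip address 10.0.20.2 255.255.255.0
!
interface Vlan30
 arp timeout 600
"""

def audit_arp_vs_mac_aging(config_text):
    """Return (svi, arp_timeout, mac_aging) for every SVI whose ARP timeout
    is not strictly less than the MAC aging time that applies to its VLAN."""
    global_aging, vlan_aging, svi_arp, current = DEFAULT_MAC_AGING, {}, {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):      # any top-level line ends an interface block
            current = None
        m = re.match(r"mac address-table aging-time (\d+)(?: vlan (\d+))?$", line)
        if m and m.group(2):             # per-VLAN override
            vlan_aging[int(m.group(2))] = int(m.group(1))
        elif m:                          # global setting
            global_aging = int(m.group(1))
        m = re.match(r"interface Vlan\s*(\d+)$", line, re.IGNORECASE)
        if m:
            current = int(m.group(1))
            svi_arp[current] = DEFAULT_ARP_TIMEOUT
        m = re.match(r"arp timeout (\d+)$", line)
        if m and current is not None and raw.startswith(" "):
            svi_arp[current] = int(m.group(1))
    return [(f"Vlan{v}", arp, vlan_aging.get(v, global_aging))
            for v, arp in sorted(svi_arp.items())
            if arp >= vlan_aging.get(v, global_aging)]

if __name__ == "__main__":
    for svi, arp, aging in audit_arp_vs_mac_aging(SAMPLE_CONFIG):
        print(f"{svi}: arp timeout {arp}s is not below MAC aging {aging}s")
```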
interface Port-channel 1
 ip arp inspection trust
 ip dhcp snooping trust
 ipv6 nd raguard attach-policy switch_ipv6_raguard
 ipv6 dhcp guard attach-policy uplink_ipv6_dhcp_guard

interface Port-channel 1
 ip arp inspection trust
 ip dhcp snooping trust
 ipv6 nd raguard attach-policy router_ipv6_raguard
 ipv6 dhcp guard attach-policy uplink_ipv6_dhcp_guard
 exit
!
interface Port-channel 2
 ip arp inspection trust
 ip dhcp snooping trust
 ipv6 nd raguard attach-policy router_ipv6_raguard
 ipv6 dhcp guard attach-policy uplink_ipv6_dhcp_guard