From: ccie2be (ccie2be@nyc.rr.com)
Date: Tue Jul 05 2005 - 12:54:47 GMT-3
Hi Guys,
Can anybody explain why the below works and what happens when the active router fails and the standby router takes over as far as the mac addresses are concerned?
With the config below, is a failover transparent to users on the attached vlan?
TIA, Tim
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of alsontra@hotmail.com
Sent: Sunday, January 09, 2005 11:29 AM
To: 'Lai, Ben'
Cc: ccielab@groupstudy.com
Subject: RE: 3550 port-security and HSRP.
All,
Below is a 3550 configuration using bia-addresses. Anyone find a fault in
the logic?
R1
!
interface Ethernet0/0
ip address 120.1.1.1 255.255.255.0
half-duplex
standby use-bia
standby preempt
standby 1 ip 120.1.1.254
standby 1 priority 150
standby 1 preempt
end
R1#sh stan
Ethernet0/0 - Group 1
State is Active
13 state changes, last state change 01:11:22
Virtual IP address is 120.1.1.254
Active virtual MAC address is 0050.3eef.6260
Local virtual MAC address is 0050.3eef.6260 (bia)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.484 secs
Preemption enabled
Active router is local
Standby router is 120.1.1.2, priority 100 (expires in 7.688 sec)
Priority 150 (configured 150)
IP redundancy name is "hsrp-Et0/0-1" (default)
R2
!
interface Ethernet0/0
ip address 120.1.1.2 255.255.255.0
ip pim sparse-dense-mode
half-duplex
ipv6 address 2001::/64 eui-64
standby use-bia
standby 1 ip 120.1.1.254
standby 1 preempt
end
R2#sh stan
Ethernet0/0 - Group 1
State is Standby
19 state changes, last state change 01:11:41
Virtual IP address is 120.1.1.254
Active virtual MAC address is 0050.3eef.6260
Local virtual MAC address is 0050.3efa.f540 (bia)
Hello time 3 sec, hold time 10 sec
Next hello sent in 1.678 secs
Preemption enabled
Active router is 120.1.1.1, priority 150 (expires in 8.470 sec)
Standby router is local
Priority 100 (default 100)
IP redundancy name is "hsrp-Et0/0-1" (default)
3550
!
interface FastEthernet0/1
switchport mode access
switchport port-security maximum 2
switchport port-security aging time 1
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0050.3eef.6260
no ip address
!
interface FastEthernet0/2
switchport mode access
switchport port-security maximum 2
switchport port-security aging time 1
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0050.3efa.f540
no ip address
-----Original Message-----
From: Lai, Ben [mailto:benlai_cn@hotmail.com]
Sent: Sunday, January 09, 2005 10:03 PM
To: 'Alsontra'
Cc: ccielab@groupstudy.com
Subject: RE: 3550 port-security and HSRP.
Firstly, can we use HSRP without a virtual MAC address for the virtual
router?
Secondly, I use sticky address because it is easy to copy the mac address of
the attached device to the configuration.
Rgds.
-----Original Message-----
From: Alsontra [mailto:alsontra@gmail.com]
Sent: 2005e941f9f% 22:44
To: 'Lai, Ben'
Subject: RE: 3550 port-security and HSRP.
Why are you using virtual MACs and also why are you using sticky address?
Are these requirements?
Al
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Lai, Ben
Sent: Sunday, January 09, 2005 7:51 PM
To: ccielab@groupstudy.com
Subject: 3550 port-security and HSRP.
Hi all:
Is there anybody who has configured PORT-SECURITY and HSRP?
The scenario is: there are two routers connected to a CAT 3550 switch,
running HSRP.
When I configure HSRP on the two routers and PORT-SECURITY on the 3550
switch, the problem occurs.
The configuration of the 3550 switch is as follows.
For example:
interface FastEthernet0/1
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security aging time 1
switchport port-security violation restrict
switchport port-security mac-address sticky 1111.1111.1111
switchport port-security mac-address sticky AAAA.AAAA.AAAA (as the virtual mac of HSRP)
interface FastEthernet0/3
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security aging time 1
switchport port-security violation restrict
switchport port-security mac-address sticky 2222.2222.2222
The switch prompts an error message with the virtual MAC address of HSRP.
How do I deal with this?
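Added example, not part of the original thread and not any poster's code: a small model of the two setups discussed above, showing which source MAC each router would present as HSRP active and whether that MAC is among the secure addresses configured on its own 3550 port. Assumptions: HSRP version 1 (virtual MAC 0000.0c07.acXX for group XX), only configured secure entries are considered (dynamic sticky learning is not modelled), and the function names are hypothetical.

```python
import re

# Constructed input: sticky entries and router BIAs as quoted in the thread.
SWITCH_CONFIG = """\
interface FastEthernet0/1
 switchport port-security maximum 2
 switchport port-security mac-address sticky 0050.3eef.6260
interface FastEthernet0/2
 switchport port-security maximum 2
 switchport port-security mac-address sticky 0050.3efa.f540
"""
ROUTERS = {"R1": ("FastEthernet0/1", "0050.3eef.6260"),
           "R2": ("FastEthernet0/2", "0050.3efa.f540")}
MAC_LINE = re.compile(
    r"switchport port-security mac-address (?:sticky )?([0-9a-f.]{14})$", re.I)

def parse_secure_macs(config):
    """Return {interface: set of configured secure MACs}."""
    ports, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ports[current] = set()
        m = MAC_LINE.match(line)
        if m and current:
            ports[current].add(m.group(1).lower())
    return ports

def hsrp_mac(bia, group, use_bia):
    """MAC the active router uses for the virtual IP (HSRPv1 assumed)."""
    return bia if use_bia else "0000.0c07.ac%02x" % group

def check_failover(ports, routers, group, use_bia):
    """Treat each router in turn as active; list MACs its port does not allow."""
    findings = []
    for name, (port, bia) in routers.items():
        for mac in {bia, hsrp_mac(bia, group, use_bia)}:
            if mac in ports[port]:
                continue
            owner = [p for p, macs in ports.items() if mac in macs]
            why = "secured on %s" % owner[0] if owner else "not secured on any port"
            findings.append((name, port, mac, why))
    return sorted(findings)

if __name__ == "__main__":
    ports = parse_secure_macs(SWITCH_CONFIG)
    print("use-bia:", check_failover(ports, ROUTERS, 1, True))
    print("virtual MAC:", check_failover(ports, ROUTERS, 1, False))
```

With use-bia each router only ever sources frames from its own burned-in address, so the model reports nothing for either router as active; with a shared virtual MAC pinned to one port, the other router's port is flagged as soon as that router becomes active.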
This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:00:29 GMT-3