RE: 3550 port-security and HSRP.

From: ccie2be (ccie2be@nyc.rr.com)
Date: Tue Jul 05 2005 - 15:52:49 GMT-3


Thanks, Spyros. I figured that if the command, use-bia, is configured, only
1 mac address is needed for port security.

I assume that the switch side of the config is the same regardless of
whether the 2 routers are connected to the same switch or to 2 different
switches, right?

R1 sw1 --- sw2 R2

Do you know, by any chance, what happens during a failover from a host point
of view? IOW, when the standby router takes over, the virtual mac address
used will also change since now it will become the bia of the former standby
router which is now the active router.

Wouldn't this cause the hosts to have a wrong entry in their arp table once
the standby router takes over? And, wouldn't that cause any active sessions
to fail while waiting for the old arp table entries to age out on the hosts?

I vaguely recall that during a failover, the newly active router might issue
a gratuitous arp which speeds up the process of the hosts updating their arp
table, but I'm not sure if I remember this correctly.

Any thoughts?

Tim

-----Original Message-----
From: Spyros Kranis [mailto:skranis@algosystems.gr]
Sent: Tuesday, July 05, 2005 1:06 PM
To: 'ccie2be'
Cc: ccielab@groupstudy.com
Subject: RE: 3550 port-security and HSRP.

Tim ,
I labbed it up and the only thing that you need is the standby use-bia
command at both routers and the following config on the switch

Int fa0/1
switchport mode access
switchport port-security maximum 1 <-- it is default - the switch does not display it
switchport port-security violation restrict
switchport port-security mac-address 0050.3efa.f540 <-- this is the real mac address of the router interface.

Int fa0/2
switchport mode access
switchport port-security maximum 1 <-- it is default - the switch does not display it
switchport port-security violation restrict
switchport port-security mac-address 0050.1adf.ccbc <-- this is the real mac address of the router interface.

HTH

skra
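An added model of the point made in the two messages above (Tim's failover question and Spyros's maximum 1 finding); it is not code from any poster. It assumes HSRPv1 behaviour in which every live router sources frames from its own BIA and the active router additionally sources the group's virtual MAC, so with use-bia the virtual MAC is the active router's BIA and moves to the new active router on failover. Router names, ports and priorities are constructed to mirror the R1/R2 setup quoted later in the thread; the BIAs are the ones in its "sh standby" output.

```python
"""Which source MACs a 3550 port facing an HSRP router sees, with and without
`standby use-bia`, in normal operation and after a failover (constructed model)."""

# Constructed sample: BIAs as shown in the thread's "sh standby" output; names,
# ports and priorities mirror the R1/R2 setup (R1 priority 150, R2 default 100).
ROUTERS = {
    "R1": {"bia": "0050.3eef.6260", "port": "Fa0/1", "priority": 150},
    "R2": {"bia": "0050.3efa.f540", "port": "Fa0/2", "priority": 100},
}

def hsrp_v1_virtual_mac(group: int) -> str:
    """Well-known HSRPv1 virtual MAC 0000.0c07.acXX, XX = group number in hex."""
    if not 0 <= group <= 255:
        raise ValueError("HSRPv1 group number must be 0-255")
    return f"0000.0c07.ac{group:02x}"

def active_router(routers: dict, failed: tuple = ()) -> str:
    """Highest-priority router still up becomes active (preempt on both, as in the thread)."""
    live = {n: r for n, r in routers.items() if n not in failed}
    return max(live, key=lambda n: live[n]["priority"])

def virtual_mac(routers: dict, group: int, use_bia: bool, failed: tuple = ()) -> str:
    """With use-bia the virtual MAC is the active router's BIA, so it changes on failover."""
    act = active_router(routers, failed)
    return routers[act]["bia"] if use_bia else hsrp_v1_virtual_mac(group)

def macs_seen_per_port(routers: dict, group: int, use_bia: bool, failed: tuple = ()) -> dict:
    """Assumed HSRPv1 model: every live router sources its own BIA (standby hellos,
    routing updates) and the active router also sources the virtual MAC."""
    act = active_router(routers, failed)
    seen = {}
    for name, r in routers.items():
        macs = set() if name in failed else {r["bia"]}
        if name == act:
            macs.add(virtual_mac(routers, group, use_bia, failed))
        seen[r["port"]] = macs
    return seen

def port_security_ok(seen: dict, maximum: int) -> bool:
    """True when no port exceeds `switchport port-security maximum <maximum>`."""
    return all(len(macs) <= maximum for macs in seen.values())

def needed_maximum(routers: dict, group: int, use_bia: bool) -> int:
    """Smallest maximum that holds in normal operation and after any single router fails."""
    scenarios = [()] + [(name,) for name in routers]
    return max(len(macs) for failed in scenarios
               for macs in macs_seen_per_port(routers, group, use_bia, failed).values())
```

With use-bia the model needs maximum 1 on both ports, which matches Spyros's lab result; without it the active router's port needs 2, and which port that is changes on failover. The model also shows why Tim's ARP concern is real: the MAC hosts must reach for 120.1.1.254 is a different BIA after the switchover.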

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
ccie2be
Sent: Tuesday, July 05, 2005 7:25 PM
To: 'Rajib Khan'; alsontra@hotmail.com; 'Lai, Ben'
Cc: ccielab@groupstudy.com
Subject: RE: 3550 port-security and HSRP.

Thanks Raj.

By any chance, do you know if you have to allow a max of 2 addresses for
HSRP to work with port security?

I assume you do, but if the command use-bia is configured, then why wouldn't
just a max of one mac address work?

Thanks again, Tim

  _____

From: Rajib Khan [mailto:rajib56666@yahoo.com]
Sent: Tuesday, July 05, 2005 12:13 PM
To: ccie2be; alsontra@hotmail.com; 'Lai, Ben'
Cc: ccielab@groupstudy.com
Subject: RE: 3550 port-security and HSRP.

HI Tim,

You don't need to configure "switchport port-security mac-address sticky
0050.3eef.6260" in order for this to work.

With sticky and maximum 2 it will learn 2 MAC addresses dynamically.

But I don't know the answer to your question though. Use an Ethereal analyzer
if you can.

Thanks

Raj

ccie2be <ccie2be@nyc.rr.com> wrote:
Hi Guys,

Can anybody explain why the below works and what happens when the active
router fails and the standby router takes over as far as the mac addresses
are concerned?

With the config below, is a failover transparent to users on the attached
vlan?

TIA, Tim

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
alsontra@hotmail.com
Sent: Sunday, January 09, 2005 11:29 AM
To: 'Lai, Ben'
Cc: ccielab@groupstudy.com
Subject: RE: 3550 port-security and HSRP.

All,

Below is a 3550 configuration using bia-addresses. Anyone find a fault in
the logic?

R1
!
interface Ethernet0/0
ip address 120.1.1.1 255.255.255.0
half-duplex
standby use-bia
standby preempt
standby 1 ip 120.1.1.254
standby 1 priority 150
standby 1 preempt
end

R1#sh stan
Ethernet0/0 - Group 1
State is Active
13 state changes, last state change 01:11:22
Virtual IP address is 120.1.1.254
Active virtual MAC address is 0050.3eef.6260
Local virtual MAC address is 0050.3eef.6260 (bia)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.484 secs
Preemption enabled
Active router is local
Standby router is 120.1.1.2, priority 100 (expires in 7.688 sec)
Priority 150 (configured 150)
IP redundancy name is "hsrp-Et0/0-1" (default)

R2

!
interface Ethernet0/0
ip address 120.1.1.2 255.255.255.0
ip pim sparse-dense-mode
half-duplex
ipv6 address 2001::/64 eui-64
standby use-bia
standby 1 ip 120.1.1.254
standby 1 preempt
end

R2#sh stan
Ethernet0/0 - Group 1
State is Standby
19 state changes, last state change 01:11:41
Virtual IP address is 120.1.1.254
Active virtual MAC address is 0050.3eef.6260
Local virtual MAC address is 0050.3efa.f540 (bia)
Hello time 3 sec, hold time 10 sec
Next hello sent in 1.678 secs
Preemption enabled
Active router is 120.1.1.1, priority 150 (expires in 8.470 sec)
Standby router is local
Priority 100 (default 100)
IP redundancy name is "hsrp-Et0/0-1" (default)

3550
!
interface FastEthernet0/1
switchport mode access
switchport port-security maximum 2
switchport port-security aging time 1
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0050.3eef.6260
no ip address
!
interface FastEthernet0/2
switchport mode access
switchport port-security maximum 2
switchport port-security aging time 1
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0050.3efa.f540
no ip address

-----Original Message-----
From: Lai, Ben [mailto:benlai_cn@hotmail.com]
Sent: Sunday, January 09, 2005 10:03 PM
To: 'Alsontra'
Cc: ccielab@groupstudy.com
Subject: RE: 3550 port-security and HSRP.

Firstly, can we use HSRP without a virtual MAC address for the virtual
router?
Secondly, I use sticky address because it is easy to copy the mac address of
the attached device to the configuration.

Rgds.

-----Original Message-----
From: Alsontra [mailto:alsontra@gmail.com]
Sent: 2005e941f9f% 22:44
To: 'Lai, Ben'
Subject: RE: 3550 port-security and HSRP.

Why are you using virtual MACs and also why are you using sticky address?
Are these requirements?

Al

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Lai,
Ben
Sent: Sunday, January 09, 2005 7:51 PM
To: ccielab@groupstudy.com
Subject: 3550 port-security and HSRP.

Hi all:

Has anybody configured PORT-SECURITY and HSRP together?

The scenario is: there are two routers connected to a CAT 3550 switch,
running HSRP.

When I configure HSRP on the two routers and PORT-SECURITY on the 3550
switch, the problem occurs:

The configuration of the 3550 switch is as follows:

For example:

interface FastEthernet0/1
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security aging time 1
switchport port-security violation restrict
switchport port-security mac-address sticky 1111.1111.1111
switchport port-security mac-address sticky AAAA.AAAA.AAAA (as the virtual mac of HSRP)

interface FastEthernet0/3
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security aging time 1
switchport port-security violation restrict
switchport port-security mac-address sticky 2222.2222.2222

The switch prompts an error message for the virtual MAC address of HSRP.

How to deal with this?



This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:00:29 GMT-3