From: hulbertj@comcast.net
Date: Tue Jul 05 2005 - 18:47:26 GMT-3
I have a quick (probably dumb) question on this topic.
Suppose you have the following:
Router A and B participating in an HSRP Group.
Router A is the Active Router.
Router B has an external link to Network X.X.X.X.
Host #1 has a data flow destined for Network X.X.X.X
When Router A receives this frame, he'll see the destination address and make
a check of its route table. The next hop for this destination is Router B via the
same interface that he is receiving it on.
Normally, Router A would send an ICMP redirect to Host #1, but by default Router A
will not send a redirect to a router that is not the Active HSRP (standby) router.
So if you override this by adding
standby redirects
standby 2 ip Y.Y.Y.Y - where this ip is a valid IP in the same subnet as standby 1.
make Router B the active router.
How would you still implement port-security with the below configs, and still allow for efficient
switching/routing in your LAN, with minimal allowed MAC addresses?
TIA
Jerry
-------------- Original message --------------
> Thanks, Spyros. I figured that if the command, use-bia, is configured, only
> 1 mac address is needed for port security.
>
> I assume that the switch side of the config is the same regardless of
> whether the 2 routers are connected to the same switch or to 2 different
> switches, right?
>
> R1 sw1 --- sw2 R2
>
>
>
> Do you know, by any chance, what happens during a failover from a host point
> of view? IOW, when the standby router takes over, the virtual mac address
> used will also change since now it will become the bia of the former standby
> router which is now the active router.
>
> Wouldn't this cause the hosts to have a wrong entry in their arp table once
> the standby router takes over? And, wouldn't that cause any active sessions
> to fail while waiting for the old arp table entries to age out on the hosts?
>
> I vaguely recall that during a failover, the newly active router might issue
> a gratuitous arp which speeds up the process of the hosts updating their arp
> table, but I'm not sure if I remember this correctly.
>
> Any thoughts?
>
> Tim
>
> -----Original Message-----
> From: Spyros Kranis [mailto:skranis@algosystems.gr]
> Sent: Tuesday, July 05, 2005 1:06 PM
> To: 'ccie2be'
> Cc: ccielab@groupstudy.com
> Subject: RE: 3550 port-security and HSRP.
>
>
> Tim ,
> I labbed it up and the only thing that you need is the standby use-bia
> command at both routers and the following config on the switch
>
> Int fa0/1
> switchport mode access
> switchport port-security maximum 1 <-- it is default - the switch does not
> display it
>
> switchport port-security violation restrict
> switchport port-security mac-address 0050.3efa.f540 <-- this is the real mac
> address of the router interface.
>
> Int fa0/2
> switchport mode access
> switchport port-security maximum 1 <-- it is default - the switch does not
> display it
>
> switchport port-security violation restrict
> switchport port-security mac-address 0050.1adf.ccbc <-- this is the real mac
> address of the router interface.
>
>
>
>
> HTH
>
> skra
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> ccie2be
> Sent: Tuesday, July 05, 2005 7:25 PM
> To: 'Rajib Khan'; alsontra@hotmail.com; 'Lai, Ben'
> Cc: ccielab@groupstudy.com
> Subject: RE: 3550 port-security and HSRP.
>
> Thanks Raj.
>
> By any chance, do you know if you have to allow a max of 2 addresses for
> HSRP to work with port security?
>
> I assume you do, but if the command use-bia is configured, then why wouldn't
> just a max of one mac address work?
>
> Thanks again, Tim
>
> _____
>
> From: Rajib Khan [mailto:rajib56666@yahoo.com]
> Sent: Tuesday, July 05, 2005 12:13 PM
> To: ccie2be; alsontra@hotmail.com; 'Lai, Ben'
> Cc: ccielab@groupstudy.com
> Subject: RE: 3550 port-security and HSRP.
>
> HI Tim,
>
> You don't need to configure "switchport port-security mac-address sticky
> 0050.3eef.6260" in order for this to work
>
>
>
> with sticky and maximum 2 it will learn 2 mac addresses dynamically
>
> But I don't know the answer to your question though. Use an Ethereal analyzer
> if you can
>
> Thanks
>
> Raj
>
> ccie2be wrote:
> Hi Guys,
>
> Can anybody explain why the below works and what happens when the active
> router fails and the standby router takes over as far as the mac addresses
> are concerned?
>
> With the config below, is a failover transparent to users on the attached
> vlan?
>
> TIA, Tim
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> alsontra@hotmail.com
> Sent: Sunday, January 09, 2005 11:29 AM
> To: 'Lai, Ben'
> Cc: ccielab@groupstudy.com
> Subject: RE: 3550 port-security and HSRP.
>
> All,
>
> Below is a 3550 configuration using bia-addresses. Anyone find a fault in
> the logic?
>
> R1
> !
> interface Ethernet0/0
> ip address 120.1.1.1 255.255.255.0
> half-duplex
> standby use-bia
> standby preempt
> standby 1 ip 120.1.1.254
> standby 1 priority 150
> standby 1 preempt
> end
>
> R1#sh stan
> Ethernet0/0 - Group 1
> State is Active
> 13 state changes, last state change 01:11:22
> Virtual IP address is 120.1.1.254
> Active virtual MAC address is 0050.3eef.6260
> Local virtual MAC address is 0050.3eef.6260 (bia)
> Hello time 3 sec, hold time 10 sec
> Next hello sent in 0.484 secs
> Preemption enabled
> Active router is local
> Standby router is 120.1.1.2, priority 100 (expires in 7.688 sec)
> Priority 150 (configured 150)
> IP redundancy name is "hsrp-Et0/0-1" (default)
>
> R2
>
> !
> interface Ethernet0/0
> ip address 120.1.1.2 255.255.255.0
> ip pim sparse-dense-mode
> half-duplex
> ipv6 address 2001::/64 eui-64
> standby use-bia
> standby 1 ip 120.1.1.254
> standby 1 preempt
> end
>
> R2#sh stan
> Ethernet0/0 - Group 1
> State is Standby
> 19 state changes, last state change 01:11:41
> Virtual IP address is 120.1.1.254
> Active virtual MAC address is 0050.3eef.6260
> Local virtual MAC address is 0050.3efa.f540 (bia)
> Hello time 3 sec, hold time 10 sec
> Next hello sent in 1.678 secs
> Preemption enabled
> Active router is 120.1.1.1, priority 150 (expires in 8.470 sec)
> Standby router is local
> Priority 100 (default 100)
> IP redundancy name is "hsrp-Et0/0-1" (default)
>
> 3550
> !
> interface FastEthernet0/1
> switchport mode access
> switchport port-security maximum 2
> switchport port-security aging time 1
> switchport port-security violation restrict
> switchport port-security mac-address sticky
> switchport port-security mac-address sticky 0050.3eef.6260
> no ip address
> !
> interface FastEthernet0/2
> switchport mode access
> switchport port-security maximum 2
> switchport port-security aging time 1
> switchport port-security violation restrict
> switchport port-security mac-address sticky
> switchport port-security mac-address sticky 0050.3efa.f540
> no ip address
>
> -----Original Message-----
> From: Lai, Ben [mailto:benlai_cn@hotmail.com]
> Sent: Sunday, January 09, 2005 10:03 PM
> To: 'Alsontra'
> Cc: ccielab@groupstudy.com
> Subject: RE: 3550 port-security and HSRP.
>
> Firstly, can we use HSRP without a virtual MAC address for the virtual
> router?
> Secondly, I use sticky address because it is easy to copy the mac address of
> the attached device to the configuration.
>
> Rgds.
>
> -----Original Message-----
> From: Alsontra [mailto:alsontra@gmail.com]
> Sent: 2005e941f9f% 22:44
> To: 'Lai, Ben'
> Subject: RE: 3550 port-security and HSRP.
>
> Why are you using virtual MACs and also why are you using sticky address?
> Are these requirements?
>
> Al
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Lai,
> Ben
> Sent: Sunday, January 09, 2005 7:51 PM
> To: ccielab@groupstudy.com
> Subject: 3550 port-security and HSRP.
>
> Hi all:
>
> Has anybody configured PORT-SECURITY and HSRP together before?
>
>
>
> The scenario is: there are two routers connected to a CAT 3550 switch,
> running HSRP.
>
> When I configure HSRP on the two routers and PORT-SECURITY on the 3550
> switch, the problem occurs:
>
> The configuration of the 3550 switch is as follows:
>
> For example:
>
> interface FastEthernet0/1
> switchport access vlan 2
> switchport mode access
> switchport port-security
> switchport port-security maximum 2
> switchport port-security aging time 1
> switchport port-security violation restrict
> switchport port-security mac-address sticky 1111.1111.1111
> switchport port-security mac-address sticky AAAA.AAAA.AAAA (as the virtual
> mac of HSRP)
>
> interface FastEthernet0/3
> switchport access vlan 2
> switchport mode access
> switchport port-security
> switchport port-security maximum 2
> switchport port-security aging time 1
> switchport port-security violation restrict
> switchport port-security mac-address sticky 2222.2222.2222
>
> The switch prompts an error message with the virtual MAC address of HSRP.
>
> How to deal with this?
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:00:29 GMT-3