RE: 3550 port-security and HSRP.

From: John Matus (john_matus@hotmail.com)
Date: Tue Jul 05 2005 - 19:21:25 GMT-3


minimal mac-addresses.....
well, you want to allow the virtual-mac address that the standby group
creates:
0000.0c07.ac01
as well as the mac addresses attached to the switch for the two routes.
if you say "max address 2" and sticky then you should be fine. the switch
will learn both the physical address as well as the virtual mac address and
disallow any others...but it all depends on the wording of the question.

>From: "ccie2be" <ccie2be@nyc.rr.com>
>Reply-To: "ccie2be" <ccie2be@nyc.rr.com>
>To: <hulbertj@comcast.net>, "Group Study" <ccielab@groupstudy.com>
>Subject: RE: 3550 port-security and HSRP.
>Date: Tue, 5 Jul 2005 18:05:53 -0400
>
>Jerry,
>
>I don't know the answer to your question but I can tell you it's not dumb
>at all.
>
>It's an interesting question.
>
>In fact, let's simplify the scenario a bit.
>
>Suppose, we have just R1 and R2, 1 standby group both rtr's belong to, and
>R1 is the active router.
>
>However, to reach some destinations, packets must go to R2.
>
>How does this work for hosts on the same vlan as hsrp?
>
>I assume based on your post that we have to override ip redirect. But,
>what happens when that's done?
>
>Does R1 redirect packets to R2's physical ip address and thus "bypass" hsrp?
>
>Or, is there something else going on?
>
>TIA, Tim
> _____
>
>From: hulbertj@comcast.net [mailto:hulbertj@comcast.net]
>Sent: Tuesday, July 05, 2005 5:47 PM
>To: ccie2be; 'Spyros Kranis'
>Cc: ccielab@groupstudy.com
>Subject: RE: 3550 port-security and HSRP.
>
>I have a quick (probably dumb) question on this topic.
>
>Suppose you have the following:
>Router A and B participating in an HSRP Group.
>Router A is the Active Router.
>Router B has an external link to Network X.X.X.X.
>Host #1 has a data flow destined for Network X.X.X.X
>
>When Router A receives this frame, he'll see the destination address and
>make a check of its route table. The next hop for this destination is
>Router B via the same interface that he is receiving it on.
>
>Normally, Router A would send an ICMP redirect to Host #1, but by default
>Router A will not send a Redirect to a Router that is not the Active HSRP
>(standby) router.
>
>So if you override this by adding
>standby redirects
>standby 2 ip Y.Y.Y.Y - where this ip is a valid IP in the same subnet as
>standby 1.
>make Router B the active router.
>
>How would you still implement port-security with the below configs, and
>still allow for efficient switching/routing in your LAN, with minimal
>allowed MAC addresses?
>
>TIA
>Jerry
>
>-------------- Original message --------------
>
> > Thanks, Spyros. I figured that if the command, use-bia, is configured,
> > only 1 mac address is needed for port security.
> >
> > I assume that the switch side of the config is the same regardless of
> > whether the 2 routers are connected to the same switch or to 2 different
> > switches, right?
> >
> > R1 sw1 --- sw2 R2
> >
> >
> >
> > Do you know, by any chance, what happens during a failover from a host
> > point of view? IOW, when the standby router takes over, the virtual mac
> > address used will also change since now it will become the bia of the
> > former standby router which is now the active router.
> >
> > Wouldn't this cause the hosts to have a wrong entry in their arp table
> > once the standby router takes over? And, wouldn't that cause any active
> > sessions to fail while waiting for the old arp table entries to age out
> > on the hosts?
> >
> > I vaguely recall that during a failover, the newly active router might
> > issue a gratuitous arp which speeds up the process of the hosts updating
> > their arp table, but I'm not sure if I remember this correctly.
> >
> > Any thoughts?
> >
> > Tim
> >
> > -----Original Message-----
> > From: Spyros Kranis [mailto:skranis@algosystems.gr]
> > Sent: Tuesday, July 05, 2005 1:06 PM
> > To: 'ccie2be'
> > Cc: ccielab@groupstudy.com
> > Subject: RE: 3550 port-security and HSRP.
> >
> >
> > Tim ,
> > I labbed it up and the only thing that you need is the standby use-bia
> > command at both routers and the following config on the switch
> >
> > Int fa0/1
> > switchport mode access
> > switchport port-security <-- enables the feature; the lines below only
> > set its parameters
> > switchport port-security maximum 1 <-- it is default - the switch does
> > not display it
> >
> > switchport port-security violation restrict
> > switchport port-security mac-address 0050.3efa.f540 <-- this is the real
> > mac address of the router interface.
> >
> > Int fa0/2
> > switchport mode access
> > switchport port-security <-- enables the feature; the lines below only
> > set its parameters
> > switchport port-security maximum 1 <-- it is default - the switch does
> > not display it
> >
> > switchport port-security violation restrict
> > switchport port-security mac-address 0050.1adf.ccbc <-- this is the real
> > mac address of the router interface.
> >
> >
> >
> >
> > HTH
> >
> > skra
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > ccie2be
> > Sent: Tuesday, July 05, 2005 7:25 PM
> > To: 'Rajib Khan'; alsontra@hotmail.com; 'Lai, Ben'
> > Cc: ccielab@groupstudy.com
> > Subject: RE: 3550 port-security and HSRP.
> >
> > Thanks Raj.
> >
> > By any chance, do you know if you have to allow a max of 2 addresses
> > for HSRP to work with port security?
> >
> > I assume you do but if the command use-bia is configured, then why
> > wouldn't just a max of one mac address work?
> >
> > Thanks again, Tim
> >
> > _____
> >
> > From: Rajib Khan [mailto:rajib56666@yahoo.com]
> > Sent: Tuesday, July 05, 2005 12:13 PM
> > To: ccie2be; alsontra@hotmail.com; 'Lai, Ben'
> > Cc: ccielab@groupstudy.com
> > Subject: RE: 3550 port-security and HSRP.
> >
> > HI Tim,
> >
> > You don't need to configure "switchport port-security mac-address sticky
> > 0050.3eef.6260" in order for this to work
> >
> >
> >
> > with sticky and maximum 2 it will learn 2 mac addresses dynamically
> >
> > But I don't know the answer to your question though. Use an Ethereal
> > analyzer if you can
> >
> > Thanks
> >
> > Raj
> >
> > ccie2be wrote:
> > Hi Guys,
> >
> > Can anybody explain why the below works and what happens when the active
> > router fails and the standby router takes over as far as the mac
> > addresses are concerned?
> >
> > With the config below, is a failover transparent to users on the
> > attached vlan?
> >
> > TIA, Tim
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > alsontra@hotmail.com
> > Sent: Sunday, January 09, 2005 11:29 AM
> > To: 'Lai, Ben'
> > Cc: ccielab@groupstudy.com
> > Subject: RE: 3550 port-security and HSRP.
> >
> > All,
> >
> > Below is a 3550 configuration using bia-addresses. Anyone find a fault
> > in the logic?
> >
> > R1
> > !
> > interface Ethernet0/0
> > ip address 120.1.1.1 255.255.255.0
> > half-duplex
> > standby use-bia
> > standby preempt
> > standby 1 ip 120.1.1.254
> > standby 1 priority 150
> > standby 1 preempt
> > end
> >
> > R1#sh stan
> > Ethernet0/0 - Group 1
> > State is Active
> > 13 state changes, last state change 01:11:22
> > Virtual IP address is 120.1.1.254
> > Active virtual MAC address is 0050.3eef.6260
> > Local virtual MAC address is 0050.3eef.6260 (bia)
> > Hello time 3 sec, hold time 10 sec
> > Next hello sent in 0.484 secs
> > Preemption enabled
> > Active router is local
> > Standby router is 120.1.1.2, priority 100 (expires in 7.688 sec)
> > Priority 150 (configured 150)
> > IP redundancy name is "hsrp-Et0/0-1" (default)
> >
> > R2
> >
> > !
> > interface Ethernet0/0
> > ip address 120.1.1.2 255.255.255.0
> > ip pim sparse-dense-mode
> > half-duplex
> > ipv6 address 2001::/64 eui-64
> > standby use-bia
> > standby 1 ip 120.1.1.254
> > standby 1 preempt
> > end
> >
> > R2#sh stan
> > Ethernet0/0 - Group 1
> > State is Standby
> > 19 state changes, last state change 01:11:41
> > Virtual IP address is 120.1.1.254
> > Active virtual MAC address is 0050.3eef.6260
> > Local virtual MAC address is 0050.3efa.f540 (bia)
> > Hello time 3 sec, hold time 10 sec
> > Next hello sent in 1.678 secs
> > Preemption enabled
> > Active router is 120.1.1.1, priority 150 (expires in 8.470 sec)
> > Standby router is local
> > Priority 100 (default 100)
> > IP redundancy name is "hsrp-Et0/0-1" (default)
> >
> > 3550
> > !
> > interface FastEthernet0/1
> > switchport mode access
> > switchport port-security maximum 2
> > switchport port-security aging time 1
> > switchport port-security violation restrict
> > switchport port-security mac-address sticky
> > switchport port-security mac-address sticky 0050.3eef.6260
> > no ip address
> > !
> > interface FastEthernet0/2
> > switchport mode access
> > switchport port-security maximum 2
> > switchport port-security aging time 1
> > switchport port-security violation restrict
> > switchport port-security mac-address sticky
> > switchport port-security mac-address sticky 0050.3efa.f540
> > no ip address
> >
> > -----Original Message-----
> > From: Lai, Ben [mailto:benlai_cn@hotmail.com]
> > Sent: Sunday, January 09, 2005 10:03 PM
> > To: 'Alsontra'
> > Cc: ccielab@groupstudy.com
> > Subject: RE: 3550 port-security and HSRP.
> >
> > Firstly, can we use HSRP without a virtual MAC address for the virtual
> > router?
> > Secondly, I use sticky address because it is easy to copy the mac
> > address of the attached device to the configuration.
> >
> > Rgds.
> >
> > -----Original Message-----
> > From: Alsontra [mailto:alsontra@gmail.com]
> > Sent: 2005e941f9f% 22:44
> > To: 'Lai, Ben'
> > Subject: RE: 3550 port-security and HSRP.
> > Why are you using virtual MACs and also why are you using sticky
> > address? Are these requirements?
> >
> > Al
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>Lai,
> > Ben
> > Sent: Sunday, January 09, 2005 7:51 PM
> > To: ccielab@groupstudy.com
> > Subject: 3550 port-security and HSRP.
> >
> > Hi all:
> >
> > Is there anybody who has configured PORT-SECURITY and HSRP?
> >
> >
> >
> > The scenario is: there are two routers connected to a CAT 3550 switch,
> > running HSRP,
> >
> > When I configure HSRP on the two routers and PORT-SECURITY on the 3550
> > switch, the problem occurs:
> >
> > The configuration of the 3550 switch is as follows:
> >
> >
> >
> > For example:
> >
> >
> >
> > interface FastEthernet0/1
> > switchport access vlan 2
> > switchport mode access
> > switchport port-security
> > switchport port-security maximum 2
> > switchport port-security aging time 1
> > switchport port-security violation restrict
> > switchport port-security mac-address sticky 1111.1111.1111
> > switchport port-security mac-address sticky AAAA.AAAA.AAAA (as the
> > virtual mac of HSRP)
> >
> >
> >
> > interface FastEthernet0/3
> > switchport access vlan 2
> > switchport mode access
> > switchport port-security
> > switchport port-security maximum 2
> > switchport port-security aging time 1
> > switchport port-security violation restrict
> > switchport port-security mac-address sticky 2222.2222.2222
> >
> >
> >
> > the switch prompts error message with the virtual MAC address of HSRP.
> >
> > How to deal with this?
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
> > ---
> > Incoming mail is certified Virus Free.
> > Checked by AVG anti-virus system (http://www.grisoft.com).
> > Version: 6.0.725 / Virus Database: 480 - Release Date: 7/19/2004
> >
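The thread settles on two workable switch configurations: with `standby use-bia` on both routers the port only ever sees the router's burned-in MAC, so `maximum 1` is enough (Spyros's lab), and without use-bia the port facing the active router also sees the well-known HSRPv1 virtual MAC 0000.0c07.ac01, so `maximum 2` with sticky learning is needed (John's reply). The Python model below is an added example, not code from any poster, from GroupStudy or from Cisco. It reduces port-security to "learn until `maximum` is reached, then count a restrict-mode violation", assumes the active router sources frames from both its bia and the group's virtual MAC while the standby sources only from its bia, and uses the two router MACs shown in the thread as constructed sample values; `hsrp_v1_virtual_mac`, `Router`, `SecurePort` and `run_scenario` are names chosen for this example.

```python
"""Toy model of Catalyst port-security on the two router-facing ports of an
HSRP pair, before and after a failover.  Added example for this thread; the
learning and violation rules are a deliberate simplification of a 3550."""
from dataclasses import dataclass, field


def hsrp_v1_virtual_mac(group: int) -> str:
    """HSRPv1 well-known virtual MAC: 0000.0c07.acXX, XX = group number in hex."""
    if not 0 <= group <= 255:
        raise ValueError("HSRPv1 group numbers are 0-255")
    return f"0000.0c07.ac{group:02x}"


@dataclass
class Router:
    name: str
    bia: str          # burned-in address of the LAN interface
    group: int
    use_bia: bool     # 'standby use-bia' configured on this router?

    def source_macs(self, active: bool) -> list[str]:
        """Source MACs the switch port sees from this router, in the order a
        port would first see them: the bia (hellos while standby) and, once
        active without use-bia, the group's virtual MAC as well.  With use-bia
        the bia doubles as the virtual MAC, so nothing new appears."""
        macs = [self.bia]
        if active and not self.use_bia:
            macs.append(hsrp_v1_virtual_mac(self.group))
        return macs


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                           # 'switchport port-security maximum N'
    secure: set = field(default_factory=set)   # dynamically learned / sticky MACs
    violations: int = 0                        # frames dropped under 'violation restrict'

    def ingress(self, mac: str) -> bool:
        """Accept a known secure MAC, learn a new one while room remains,
        otherwise count a restrict-mode violation (frame dropped, port stays up)."""
        if mac in self.secure:
            return True
        if len(self.secure) < self.maximum:
            self.secure.add(mac)
            return True
        self.violations += 1
        return False


def run_scenario(use_bia: bool, maximum: int, group: int = 1) -> dict:
    """Bring up R1 active / R2 standby, then fail the group over to R2, and
    report what each port secured and how many frames it dropped.
    The router MACs are the constructed sample values from the thread."""
    r1 = Router("R1", "0050.3eef.6260", group, use_bia)
    r2 = Router("R2", "0050.3efa.f540", group, use_bia)
    fa1, fa2 = SecurePort("Fa0/1", maximum), SecurePort("Fa0/2", maximum)

    def pass_traffic(active: Router) -> None:
        for router, port in ((r1, fa1), (r2, fa2)):
            for mac in router.source_macs(router is active):
                port.ingress(mac)

    pass_traffic(active=r1)      # steady state
    pass_traffic(active=r2)      # R1 fails, R2 becomes active for the group
    return {
        # the MAC hosts must now resolve the virtual IP to
        "virtual_mac": r2.bia if use_bia else hsrp_v1_virtual_mac(group),
        "Fa0/1": {"secure": sorted(fa1.secure), "violations": fa1.violations},
        "Fa0/2": {"secure": sorted(fa2.secure), "violations": fa2.violations},
    }


if __name__ == "__main__":
    for use_bia, maximum in ((True, 1), (False, 1), (False, 2)):
        print(f"use-bia={use_bia} maximum={maximum}: {run_scenario(use_bia, maximum)}")
```

Running it shows the three cases discussed: use-bia with `maximum 1` never violates, the default virtual MAC with `maximum 1` drops frames on whichever port faces the active router (one violation per port across the failover), and the default virtual MAC with `maximum 2` is clean because each port can hold the bia plus 0000.0c07.ac01. The `virtual_mac` field also shows the cost of use-bia that Tim asked about: after failover the virtual IP maps to the new active router's bia, so hosts must refresh their ARP entry, which the newly active router prompts by sending a gratuitous ARP for the virtual IP.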



This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:00:29 GMT-3