From: xprtofnet (xprtofnet@yahoo.com)
Date: Sat Mar 25 2006 - 10:27:40 GMT-3
Keep in mind that port security will complain about a duplicate MAC if HSRP uses the same virtual-mac. So better to hard-code the virtual-mac for HSRP or use BIA so that it is not the same.
m2c.
--- "Schulz, Dave" <DSchulz@dpsciences.com> wrote:
> I was working through some different solutions with port-security with
> HSRP. If there is a requirement to lock down a specific port connected
> to a router that is running HSRP, I see two different solutions.
>
> First one being, to put the command "standby use-bia" and force the
> router to use the bia (or configured mac for the virtual ip). Or, we
> can also use the following (adding a second mac to the switchport
> config). As below....
>
> Current configuration : 304 bytes
> !
> interface FastEthernet0/1
> switchport access vlan 10
> switchport mode access
> switchport port-security
> switchport port-security maximum 2
> switchport port-security mac-address sticky
> switchport port-security mac-address 0000.0c07.ac01 <- router mac-address
> switchport port-security mac-address sticky 0008.a3fc.a661 <- virtual mac-address assigned by HSRP
> end
>
> Any reason why each of these would not be valid?
>
> Also, it appears that we can statically configure the mac, or, use the
> sticky (and save the config)....depending on the requirements.
>
>
> Dave Schulz
>
> Email: dschulz@dpsciences.com
>
>
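
The two options discussed in this thread, as an added Python example that is not part of the original posts: it derives the default HSRP version 1 virtual MAC for a group and checks whether a port-security stanza permits every MAC the router will source, with and without "standby use-bia". The stanzas, the BIA, the group number and the function names are constructed for illustration.

```python
import re

MAC_RE = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"

def hsrp_v1_vmac(group):
    """Default HSRP version 1 virtual MAC: 0000.0c07.acXX, XX = group in hex."""
    if not 0 <= group <= 255:
        raise ValueError("HSRP version 1 groups are 0-255")
    return f"0000.0c07.ac{group:02x}"

def parse_port_security(stanza):
    """Return (maximum, secure MACs) from one IOS interface stanza."""
    maximum, macs = 1, set()  # IOS defaults to one secure MAC per port
    for line in stanza.lower().splitlines():
        m = re.search(r"port-security maximum (\d+)", line)
        if m:
            maximum = int(m.group(1))
        m = re.search(r"port-security mac-address (?:sticky )?" + MAC_RE, line)
        if m:
            macs.add(m.group(1))
    return maximum, macs

def check_port(stanza, router_bia, group, use_bia):
    """Compare MACs the router will source against what the port allows."""
    maximum, secure = parse_port_security(stanza)
    needed = {router_bia.lower()}          # interface's burned-in address
    if not use_bia:                        # without "standby use-bia" the active
        needed.add(hsrp_v1_vmac(group))    # router also sources the virtual MAC
    return {"missing": sorted(needed - secure),
            "maximum_ok": maximum >= len(needed)}

# Constructed sample stanzas (addresses and group number are made up).
BIA, GROUP = "0011.2233.4455", 10
ONE_MAC = """interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0011.2233.4455
"""
TWO_MACS = ONE_MAC + """ switchport port-security maximum 2
 switchport port-security mac-address 0000.0c07.ac0a
"""

if __name__ == "__main__":
    for name, cfg, bia_mode in (("one MAC, virtual MAC in use", ONE_MAC, False),
                                ("one MAC, standby use-bia", ONE_MAC, True),
                                ("two MACs, virtual MAC in use", TWO_MACS, False)):
        print(name, check_port(cfg, BIA, GROUP, bia_mode))
```
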
This archive was generated by hypermail 2.1.4 : Sat Apr 01 2006 - 10:07:40 GMT-3