Re: Port-security with HSRP

From: Mushtaq A. Khan (mak.ccie2b@gmail.com)
Date: Sat Mar 25 2006 - 15:22:46 GMT-3


All,
I was thinking of another scenario where we are bound to use VRRP and allow
only one mac-address on the switch. What do we do in that case, as I
couldn't find an option to use-bia in VRRP? I tried to make it work by hard
coding the virtual-mac generated by VRRP to the router but it didn't work.
Is there any other option?

Mushtaq

On 3/25/06, xprtofnet <xprtofnet@yahoo.com> wrote:
>
> keep in mind that port security will complain about
> duplicate mac if hsrp uses same virtual-mac. so better
> to hard-code the virtual-mac for hsrp or use bia so
> that it is not same.
>
> m2c.
>
> --- "Schulz, Dave" <DSchulz@dpsciences.com> wrote:
>
> > I was working through some different solutions with port-security with
> > HSRP. If there is a requirement to lockdown a specific port connected
> > to a router that is running HSRP, I see two different solutions.
> >
> > First one being, to put the command "standby use-bia" and force the
> > router to use the bia (or configured mac for the virtual ip). Or, we
> > can also use the following (adding a second mac to the switchport
> > config). As below....
> >
> > Current configuration : 304 bytes
> > !
> > interface FastEthernet0/1
> >  switchport access vlan 10
> >  switchport mode access
> >  switchport port-security
> >  switchport port-security maximum 2
> >  switchport port-security mac-address sticky
> >  switchport port-security mac-address 0000.0c07.ac01 <- router mac-address
> >  switchport port-security mac-address sticky 0008.a3fc.a661 <-virtual mac-address assigned by HSRP
> > end
> >
> > Any reason why each of these would not be valid?
> >
> > Also, it appears that we can statically configure the mac, or, use the
> > sticky (and save the config)....depending on the requirements.
> >
> >
> > Dave Schulz
> >
> > Email: dschulz@dpsciences.com
> >
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
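
An added example, not part of the original thread or written by its posters: a Python check that classifies the secure MAC addresses in a switchport stanza against the well-known HSRP and VRRP virtual-MAC layouts and compares their count with the configured maximum. The function names, SAMPLE_VRRP and its FastEthernet0/2 interface are assumptions made for the illustration; SAMPLE_HSRP is the interface quoted above with its wrapped lines rejoined.

```python
import re

# Well-known virtual-MAC layouts as (protocol, fixed hex prefix, group digits):
# HSRPv1 0000.0c07.acXX, HSRPv2 0000.0c9f.fXXX, VRRP (IPv4) 0000.5e00.01XX
VIRTUAL_PREFIXES = [("HSRPv1", "00000c07ac", 2),
                    ("HSRPv2", "00000c9ff", 3),
                    ("VRRP", "00005e0001", 2)]
MAC_LINE = re.compile(r"port-security mac-address (?:sticky )?"
                      r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})", re.I)
MAX_LINE = re.compile(r"port-security maximum (\d+)")

# Constructed sample: the interface from the thread, wrapped lines rejoined.
SAMPLE_HSRP = """interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security mac-address 0000.0c07.ac01
 switchport port-security mac-address sticky 0008.a3fc.a661
"""
# Constructed sample: hypothetical VRRP-facing port left at the default maximum.
SAMPLE_VRRP = """interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0000.5e00.010a
"""

def classify_mac(mac):
    """Return (kind, group); group is None when the MAC is not a known virtual MAC."""
    digits = mac.replace(".", "").lower()
    for kind, prefix, width in VIRTUAL_PREFIXES:
        if len(digits) == len(prefix) + width and digits.startswith(prefix):
            return kind, int(digits[len(prefix):], 16)
    return "burned-in/other", None

def audit_port_security(stanza):
    """List the secure MACs in one interface stanza and compare them with 'maximum'."""
    found = MAX_LINE.search(stanza)
    maximum = int(found.group(1)) if found else 1  # IOS default: one secure MAC
    macs = sorted({m.lower() for m in MAC_LINE.findall(stanza)})
    entries = [(mac, *classify_mac(mac)) for mac in macs]
    virtual = [e for e in entries if e[2] is not None]
    return {"maximum": maximum, "entries": entries,
            "virtual": len(virtual), "physical": len(entries) - len(virtual),
            "headroom": maximum - len(entries)}

if __name__ == "__main__":
    for sample in (SAMPLE_HSRP, SAMPLE_VRRP):
        print(audit_port_security(sample))
```

A headroom of 0 means every permitted slot is already taken by a listed address, so any further source MAC seen on the port would count against port security.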



This archive was generated by hypermail 2.1.4 : Sat Apr 01 2006 - 10:07:40 GMT-3