Re: Port-security with HSRP

From: xprtofnet (xprtofnet@yahoo.com)
Date: Sat Mar 25 2006 - 21:04:08 GMT-3


Did you try different MAC addresses on the two routers? It should work...!

--- "Mushtaq A. Khan" <mak.ccie2b@gmail.com> wrote:

> All,
> I was thinking of another scenario where we are bound to use VRRP and
> allow only one mac-address on the switch. What do we do in that case,
> as I couldn't find an option to use-bia in VRRP? I tried to make it
> work by hard coding the virtual-mac generated by VRRP to the router
> but it didn't work. Is there any other option?
>
> Mushtaq
>
> On 3/25/06, xprtofnet <xprtofnet@yahoo.com> wrote:
> >
> > Keep in mind that port security will complain about duplicate mac
> > if hsrp uses the same virtual-mac. So better to hard-code the
> > virtual-mac for hsrp or use bia so that it is not the same.
> >
> > m2c.
> >
> > --- "Schulz, Dave" <DSchulz@dpsciences.com> wrote:
> >
> > > I was working through some different solutions with port-security
> > > with HSRP. If there is a requirement to lock down a specific port
> > > connected to a router that is running HSRP, I see two different
> > > solutions.
> > >
> > > First one being, to put the command "standby use-bia" and force the
> > > router to use the bia (or configured mac for the virtual ip). Or, we
> > > can also use the following (adding a second mac to the switchport
> > > config). As below....
> > >
> > > Current configuration : 304 bytes
> > > !
> > > interface FastEthernet0/1
> > >  switchport access vlan 10
> > >  switchport mode access
> > >  switchport port-security
> > >  switchport port-security maximum 2
> > >  switchport port-security mac-address sticky
> > >  switchport port-security mac-address 0000.0c07.ac01  <- router mac-address
> > >  switchport port-security mac-address sticky 0008.a3fc.a661  <- virtual mac-address assigned by HSRP
> > > end
> > >
> > > Any reason why each of these would not be valid?
> > >
> > > Also, it appears that we can statically configure the mac, or, use
> > > the sticky (and save the config)....depending on the requirements.
> > >
> > >
> > > Dave Schulz
> > >
> > > Email: dschulz@dpsciences.com
> > >
> > >
> >
>
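
Added example, not part of the original thread: Python that derives the MAC addresses a port-security port has to allow for one attached router running HSRP or VRRP, renders the matching switchport stanza, and flags observed source MACs that would cause a violation. The virtual MAC prefixes are the well-known HSRP version 1 and VRRP IPv4 values; the function names and the sample burned-in address are assumptions made for illustration.

```python
import re

# Well-known virtual MAC prefixes; the final octet is the group number (VRID).
FHRP_PREFIX = {
    "hsrp": "00000c07ac",  # HSRP version 1: 0000.0c07.acXX
    "vrrp": "00005e0001",  # VRRP for IPv4:  0000.5e00.01XX
}

def cisco_mac(mac):
    """Normalize any common MAC notation to Cisco dotted form."""
    digits = re.sub(r"[.:\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))

def virtual_mac(protocol, group):
    """Virtual MAC the active router sources frames from."""
    low = 1 if protocol == "vrrp" else 0  # VRID 0 is not valid in VRRP
    if not low <= group <= 255:
        raise ValueError(f"{protocol} group out of range: {group}")
    return cisco_mac(FHRP_PREFIX[protocol] + format(group, "02x"))

def expected_macs(bia, protocol, group, use_bia=False):
    """MACs the access port must allow for one attached router."""
    if use_bia and protocol != "hsrp":
        raise ValueError("use_bia models HSRP 'standby use-bia' only")
    macs = [cisco_mac(bia)]
    if not use_bia:
        macs.append(virtual_mac(protocol, group))
    return macs

def port_security_config(interface, vlan, macs):
    """Render a static (non-sticky) port-security stanza for the port."""
    lines = [f"interface {interface}",
             f" switchport access vlan {vlan}",
             " switchport mode access",
             " switchport port-security",
             f" switchport port-security maximum {len(macs)}"]
    lines += [f" switchport port-security mac-address {m}" for m in macs]
    return "\n".join(lines)

def unexpected(observed, allowed):
    """Observed source MACs that would trigger a violation on the port."""
    ok = {cisco_mac(m) for m in allowed}
    return [cisco_mac(m) for m in observed if cisco_mac(m) not in ok]

if __name__ == "__main__":
    bia = "00:11:22:33:44:55"  # constructed sample burned-in address
    print(port_security_config("FastEthernet0/1", 10, expected_macs(bia, "hsrp", 1)))
```
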



This archive was generated by hypermail 2.1.4 : Sat Apr 01 2006 - 10:07:40 GMT-3