Re: Port-security with HSRP

From: Schulz, Dave (DSchulz@dpsciences.com)
Date: Sun Mar 26 2006 - 02:38:42 GMT-3


This shouldn't be an issue as I detailed at the beginning of this thread. Set the max addresses to 2, then hard-code them, right?

Dave Schulz
*** Sent from my Blackberry ***

-----Original Message-----
From: Mushtaq A. Khan <mak.ccie2b@gmail.com>
To: xprtofnet <xprtofnet@yahoo.com>
CC: Schulz, Dave <DSchulz@dpsciences.com>; ccielab@groupstudy.com <ccielab@groupstudy.com>
Sent: Sun Mar 26 00:00:50 2006
Subject: Re: Port-security with HSRP

The problem here is that you are bound to use only one mac, so no matter what mac address you use, the port security violation will occur as the switch detects the second mac (virtual mac address) generated by VRRP.
 
Mushtaq

 
On 3/25/06, xprtofnet <xprtofnet@yahoo.com> wrote:

        did you try different mac-addresses on the two routers? it should work...!
        
        --- "Mushtaq A. Khan" <mak.ccie2b@gmail.com> wrote:
        
> All,
> I was thinking another scenario where we are bound to use VRRP and allow
> only one mac-address on the switch. What do we do in that case, as I
> couldn't find an option to use-bia in VRRP. I tried to make it work by hard
> coding the virtual-mac generated by VRRP to the router but it didn't work.
> Is there any other option?
>
> Mushtaq
>
> On 3/25/06, xprtofnet <xprtofnet@yahoo.com> wrote:
> >
> > keep in mind that port security will complain about duplicate mac if
> > hsrp uses the same virtual-mac. so it is better to hard-code the
> > virtual-mac for hsrp or use the bia so that it is not the same.
> >
> > m2c.
> >
> > --- "Schulz, Dave" <DSchulz@dpsciences.com> wrote:
> >
> > > I was working through some different solutions with port-security with
> > > HSRP. If there is a requirement to lock down a specific port connected
> > > to a router that is running HSRP, I see two different solutions.
> > >
> > > First one being, to put the command "standby use-bia" and force the
> > > router to use the bia (or configured mac for the virtual ip). Or, we
> > > can also use the following (adding a second mac to the switchport
> > > config). As below....
> > >
> > > Current configuration : 304 bytes
> > > !
> > > interface FastEthernet0/1
> > >  switchport access vlan 10
> > >  switchport mode access
> > >  switchport port-security
> > >  switchport port-security maximum 2
> > >  switchport port-security mac-address sticky
> > >  switchport port-security mac-address 0000.0c07.ac01   <- router mac-address
> > >  switchport port-security mac-address sticky 0008.a3fc.a661   <- virtual mac-address assigned by HSRP
> > > end
> > >
> > > Any reason why each of these would not be valid?
> > >
> > > Also, it appears that we can statically configure the mac, or, use the
> > > sticky (and save the config)....depending on the requirements.
> > >
> > >
> > > Dave Schulz
> > >
> > > Email: dschulz@dpsciences.com
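A small model of what the thread is arguing about, added here as an example and not code from any of the posters: it derives the standard HSRP version 1 (0000.0c07.acXX, XX = group) and VRRP (0000.5e00.01XX, XX = VRID) virtual MACs and replays the source addresses a switch port would see against a port-security table with a given maximum. The BIA reused as sample input is the one quoted in the thread; the scenario functions and their names are my own.

```python
# Added example, not code from the thread: a model of Cisco port-security
# address learning on an access port facing an HSRP/VRRP router, showing
# when a "maximum 1" port violates and when it does not.

ROUTER_BIA = "0008.a3fc.a661"  # burned-in address quoted in the thread (sample input)


def hsrp_v1_virtual_mac(group: int) -> str:
    """HSRP version 1 virtual MAC: 0000.0c07.acXX, XX = group number (0-255)."""
    return f"0000.0c07.ac{group:02x}"


def vrrp_virtual_mac(vrid: int) -> str:
    """VRRP virtual MAC: 0000.5e00.01XX, XX = VRID (1-255)."""
    return f"0000.5e00.01{vrid:02x}"


def port_security_check(maximum, static_macs, seen_macs):
    """Model port-security: static addresses fill the secure table first;
    unknown sources are learned (dynamically or sticky; sticky only changes
    whether they survive a reload) until `maximum` is reached, and every
    further unknown source is a violation. Returns (violations, table)."""
    table = list(dict.fromkeys(m.lower() for m in static_macs))
    if len(table) > maximum:
        raise ValueError("more static addresses than maximum")  # IOS rejects this
    violations = []
    for mac in (m.lower() for m in seen_macs):
        if mac in table:
            continue
        if len(table) < maximum:
            table.append(mac)  # learned as a secure address
        else:
            violations.append(mac)  # would trigger the port's violation action
    return violations, table


def scenario_hsrp_max2(group=1):
    """Dave's config: maximum 2, BIA and HSRP virtual MAC both hard-coded."""
    allowed = [ROUTER_BIA, hsrp_v1_virtual_mac(group)]
    return port_security_check(2, allowed, allowed)


def scenario_vrrp_max1(vrid=1):
    """Mushtaq's case: one address allowed, router also sources the VRRP MAC."""
    return port_security_check(1, [ROUTER_BIA], [ROUTER_BIA, vrrp_virtual_mac(vrid)])


def scenario_hsrp_use_bia_max1():
    """With "standby use-bia" the router sources every frame from its BIA."""
    return port_security_check(1, [ROUTER_BIA], [ROUTER_BIA, ROUTER_BIA])
```

Note that only the active HSRP router sources frames from the virtual MAC, so a "maximum 1" port facing the standby router looks fine until a failover moves the virtual MAC onto it; test the config through a failover, not just at steady state.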



This archive was generated by hypermail 2.1.4 : Sat Apr 01 2006 - 10:07:40 GMT-3