Re: Port-security with HSRP

From: Schulz, Dave (DSchulz@dpsciences.com)
Date: Sun Mar 26 2006 - 10:34:03 GMT-3


Wouldn't indicating both the virtual and the physical MAC address do it for us? It appears to work for HSRP in the same way.

Dave Schulz
*** Sent from my Blackberry ***

-----Original Message-----
From: Mushtaq A. Khan <mak.ccie2b@gmail.com>
To: Schulz, Dave <DSchulz@dpsciences.com>
CC: xprtofnet@yahoo.com <xprtofnet@yahoo.com>; ccielab@groupstudy.com <ccielab@groupstudy.com>
Sent: Sun Mar 26 07:34:01 2006
Subject: Re: Port-security with HSRP

 
I am aware of this, but as I mentioned earlier, what if you are bound to use only one mac? Then it is kind of a limitation of VRRP, as there is no option to use-bia, or maybe I'm unable to find any other option.
 
Mushtaq

 
On 3/26/06, Schulz, Dave <DSchulz@dpsciences.com> wrote:

        This shouldn't be an issue as I detailed at the beginning of this thread. Set the max addresses to 2, then hard-code them, right?
        
        Dave Schulz
        *** Sent from my Blackberry ***

        
        
        -----Original Message-----
        From: Mushtaq A. Khan <mak.ccie2b@gmail.com>
        To: xprtofnet <xprtofnet@yahoo.com>
        CC: Schulz, Dave <DSchulz@dpsciences.com>; ccielab@groupstudy.com <ccielab@groupstudy.com>
        Sent: Sun Mar 26 00:00:50 2006
        Subject: Re: Port-security with HSRP
        
        The problem here is that you are bound to use only one mac, so no matter what mac address you use, the port security violation will occur as the switch detects the second mac (virtual mac address) generated by VRRP.
        
        Mushtaq
        
        
        On 3/25/06, xprtofnet <xprtofnet@yahoo.com> wrote:
        
                did you try different mac-addresses on the two routers? it should work...!

                --- "Mushtaq A. Khan" <mak.ccie2b@gmail.com> wrote:
               
> All,
> I was thinking of another scenario where we are bound to use VRRP and allow only one mac-address on the switch. What do we do in that case, as I couldn't find an option to use-bia in VRRP. I tried to make it work by hard coding the virtual-mac generated by VRRP to the router, but it didn't work.
> Is there any other option?
>
> Mushtaq
>
> On 3/25/06, xprtofnet <xprtofnet@yahoo.com> wrote:
> >
> > keep in mind that port security will complain about duplicate mac if hsrp uses the same virtual-mac. so better to hard-code the virtual-mac for hsrp or use bia so that it is not the same.
> >
> > m2c.
> >
> > --- "Schulz, Dave" <DSchulz@dpsciences.com> wrote:
> >
> > > I was working through some different solutions with port-security with HSRP. If there is a requirement to lock down a specific port connected to a router that is running HSRP, I see two different solutions.
> > >
> > > First one being, to put the command "standby use-bia" and force the router to use the bia (or configured mac for the virtual ip). Or, we can also use the following (adding a second mac to the switchport config). As below....
> > >
> > > Current configuration : 304 bytes
> > > !
> > > interface FastEthernet0/1
> > > switchport access vlan 10
> > > switchport mode access
> > > switchport port-security
> > > switchport port-security maximum 2
> > > switchport port-security mac-address sticky
> > > switchport port-security mac-address 0000.0c07.ac01 <- router mac-address
> > > switchport port-security mac-address sticky 0008.a3fc.a661 <- virtual mac-address assigned by HSRP
> > > end
> > >
> > > Any reason why each of these would not be valid?
> > >
> > > Also, it appears that we can statically configure the mac, or use the sticky (and save the config)....depending on the requirements.
> > >
> > >
> > > Dave Schulz
> > >
> > > Email: dschulz@dpsciences.com
> > >
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html


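A small model of how port-security counts the source MACs this thread is arguing about, added here as an example and not code from anyone in the thread. The counting rules are an assumed simplification of IOS behaviour (static entries count toward `maximum`, further addresses are learned until the table is full, anything beyond that is a violation); the virtual MACs use the standard HSRP v1 (0000.0c07.acXX) and VRRP (0000.5e00.01XX) formats, and the BIA is the one quoted in Dave's config:

```python
# Added example (not from the thread): why an HSRP/VRRP router trips
# "port-security maximum 1" and why "maximum 2" with both addresses does not.
# Assumed simplification of IOS: static entries count toward the maximum,
# new source MACs are learned while the count is below it, the next unknown
# MAC after that is a violation.

HSRP_VMAC = "0000.0c07.ac01"   # HSRP v1 virtual MAC, group 1 (0000.0c07.acXX)
VRRP_VMAC = "0000.5e00.0101"   # VRRP virtual MAC, VRID 1 (0000.5e00.01XX)
ROUTER_BIA = "0008.a3fc.a661"  # physical (burned-in) MAC quoted in the thread


def simulate(maximum, static, frames):
    """Feed source MACs seen on the port, in order; return a verdict per frame.

    `static` holds the addresses configured with
    `switchport port-security mac-address [sticky] <mac>`.
    """
    secure = list(dict.fromkeys(static))          # keep order, drop duplicates
    if len(secure) > maximum:
        raise ValueError("more static addresses than 'maximum' allows")
    verdicts = []
    for mac in frames:
        if mac in secure:
            verdicts.append("ok")
        elif len(secure) < maximum:               # room left: learn it
            secure.append(mac)
            verdicts.append("ok")
        else:                                     # table full, unknown MAC
            verdicts.append("violation")
    return verdicts


def fhrp_port_ok(maximum, static, vmac, use_bia=False):
    """True if the active router's traffic passes the port without a violation.

    Without use-bia the active router sources frames from both its BIA
    (e.g. routing-protocol traffic) and the virtual MAC (hellos, replies for
    the virtual IP). `standby use-bia` makes HSRP use only the BIA; VRRP has
    no equivalent knob, which is the thread's complaint.
    """
    frames = [ROUTER_BIA] if use_bia else [ROUTER_BIA, vmac, ROUTER_BIA, vmac]
    return "violation" not in simulate(maximum, static, frames)


if __name__ == "__main__":
    print(fhrp_port_ok(1, [], HSRP_VMAC))                        # False
    print(fhrp_port_ok(1, [], HSRP_VMAC, use_bia=True))          # True
    print(fhrp_port_ok(2, [ROUTER_BIA, HSRP_VMAC], HSRP_VMAC))   # True
    print(fhrp_port_ok(1, [VRRP_VMAC], VRRP_VMAC))               # False
```

The last case is Mushtaq's experiment: hard-coding the VRRP virtual MAC on a `maximum 1` port still fails because the router's BIA is the second source, so only `maximum 2` (static or sticky) covers VRRP.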

This archive was generated by hypermail 2.1.4 : Sat Apr 01 2006 - 10:07:40 GMT-3