From: Mushtaq A. Khan (mak.ccie2b@gmail.com)
Date: Sun Mar 26 2006 - 19:05:50 GMT-3
Dave,
Even a single port would have the issue: whenever the router connected to that
port switches over to master, the switch will detect the virtual MAC and
generate the port-security violation message (depending on the violation
option configured). This will not be an issue for HSRP because we can use
the use-bia option there.
Mushtaq
On 3/26/06, Schulz, Dave <DSchulz@dpsciences.com> wrote:
>
> I understand what you are saying. However, this would only be the issue if you
> are applying port security to both ports of the VRRP grouping, right? This
> shouldn't be the issue for a single port, correct?
>
> Dave Schulz
> *** Sent from my Blackberry ***
>
> -----Original Message-----
> From: xprtofnet <xprtofnet@yahoo.com>
> To: Schulz, Dave <DSchulz@dpsciences.com>; mak.ccie2b@gmail.com <mak.ccie2b@gmail.com>
> CC: xprtofnet@yahoo.com <xprtofnet@yahoo.com>; ccielab@groupstudy.com <ccielab@groupstudy.com>
> Sent: Sun Mar 26 08:38:33 2006
> Subject: Re: Port-security with HSRP
>
> Mushtaq's concern is using the same MAC address with port
> security, and it states clearly in the doc that port
> security will complain about duplicate MAC addresses from
> different ports. So in my opinion using the same MAC for
> VRRP/HSRP would not work with port-security (after the
> switch reboots with the same config).
>
> m2c.
>
> --- "Schulz, Dave" <DSchulz@dpsciences.com> wrote:
>
> > Wouldn't indicating both the virtual and the
> > physical MAC address do it for us? It appears to
> > work for HSRP in the same way.
> >
> > Dave Schulz
> > *** Sent from my Blackberry ***
> >
> > -----Original Message-----
> > From: Mushtaq A. Khan <mak.ccie2b@gmail.com>
> > To: Schulz, Dave <DSchulz@dpsciences.com>
> > CC: xprtofnet@yahoo.com <xprtofnet@yahoo.com>; ccielab@groupstudy.com <ccielab@groupstudy.com>
> > Sent: Sun Mar 26 07:34:01 2006
> > Subject: Re: Port-security with HSRP
> >
> >
> > I am aware of this, but as I mentioned earlier, what
> > if you are bound to use only one MAC? Then it is kind of a
> > limitation of VRRP, as there is no option to use-bia,
> > or maybe I'm unable to find any other option.
> >
> > Mushtaq
> >
> >
> > On 3/26/06, Schulz, Dave <DSchulz@dpsciences.com> wrote:
> >
> > This shouldn't be an issue as I detailed at the
> > beginning of this thread. Set the max addresses to
> > 2, then hard-code them, right?
> >
> > Dave Schulz
> > *** Sent from my Blackberry ***
> >
> >
> >
> > -----Original Message-----
> > From: Mushtaq A. Khan <mak.ccie2b@gmail.com>
> > To: xprtofnet <xprtofnet@yahoo.com>
> > CC: Schulz, Dave <DSchulz@dpsciences.com>; ccielab@groupstudy.com <ccielab@groupstudy.com>
> > Sent: Sun Mar 26 00:00:50 2006
> > Subject: Re: Port-security with HSRP
> >
> > The problem here is that you are bound to use only
> > one MAC, so no matter what MAC address you use, the
> > port security violation will occur as the switch
> > detects the second MAC (virtual MAC address) generated
> > by VRRP.
> >
> > Mushtaq
> >
> >
> > On 3/25/06, xprtofnet <xprtofnet@yahoo.com> wrote:
> >
> > Did you try different MAC addresses on the
> > two routers? It should work...!
> >
> > --- "Mushtaq A. Khan" <mak.ccie2b@gmail.com> wrote:
> >
> > > All,
> > > I was thinking of another scenario where we are bound
> > > to use VRRP and allow only one mac-address on the switch.
> > > What do we do in that case, as I couldn't find an option
> > > to use-bia in VRRP? I tried to make it work by hard-coding
> > > the virtual MAC generated by VRRP on the router, but it
> > > didn't work.
> > > Is there any other option?
> > >
> > > Mushtaq
> > >
> > > On 3/25/06, xprtofnet <xprtofnet@yahoo.com> wrote:
> > > >
> > > > Keep in mind that port security will complain about a
> > > > duplicate MAC if HSRP uses the same virtual MAC. So it is
> > > > better to hard-code the virtual MAC for HSRP, or use the
> > > > BIA, so that it is not the same.
> > > >
> > > > m2c.
> > > >
> > > > --- "Schulz, Dave" <DSchulz@dpsciences.com> wrote:
> > > >
> > > > > I was working through some different solutions with
> > > > > port-security with HSRP. If there is a requirement to
> > > > > lock down a specific port connected to a router that is
> > > > > running HSRP, I see two different solutions.
> > > > >
> > > > > The first one being to put the command "standby use-bia"
> > > > > and force the router to use the BIA (or configured MAC
> > > > > for the virtual IP). Or, we can also use the following
> > > > > (adding a second MAC to the switchport config). As below....
> > > > >
> > > > > Current configuration : 304 bytes
> > > > > !
> > > > > interface FastEthernet0/1
> > > > >  switchport access vlan 10
> > > > >  switchport mode access
> > > > >  switchport port-security
> > > > >  switchport port-security maximum 2
> > > > >  switchport port-security mac-address sticky
> > > > >  switchport port-security mac-address 0000.0c07.ac01   <- router mac-address
> > > > >  switchport port-security mac-address sticky 0008.a3fc.a661   <- virtual mac-address assigned by HSRP
> > > > > end
> > > > >
> > > > > Any reason why each of these would not be valid?
> > > > >
> > > > > Also, it appears that we can statically configure the
> > > > > MAC, or use the sticky (and save the config)....depending
> > > > > on the requirements.
> > > > >
> > > > >
> > > > > Dave Schulz
> > > > >
> > > > > Email: dschulz@dpsciences.com
> > > > > _______________________________________________________________________
> > > > > Subscription information may be found at:
> > > > > http://www.groupstudy.com/list/CCIELab.html
> === message truncated ===
This archive was generated by hypermail 2.1.4 : Sat Apr 01 2006 - 10:07:40 GMT-3
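To make the cases argued in this thread concrete, here is an added Python model of port-security learning (not IOS code and not any participant's configuration): the one-MAC limit Mushtaq describes, Dave's maximum-2 configuration on a single port, the same virtual MAC hard-coded on two secured ports, and HSRP use-bia. Port names and MACs are constructed; the virtual MAC follows the VRRP format for VRID 1, and the cross-port duplicate is modelled as a frame-time violation.

```python
"""Simplified model of switchport port-security for tracing the HSRP/VRRP
failover cases discussed above. Constructed example, not IOS code or any
participant's configuration. Rules modelled: a secure port allows at most
`maximum` MACs (static entries count), and a new MAC beyond that, or a MAC
already secured on another secure port, is a violation. Violation mode is not modelled."""

class SecurePort:
    def __init__(self, name, maximum=1, static=()):
        self.name, self.maximum = name, maximum
        self.secure = {m.lower() for m in static}  # static + learned secure MACs

class Switch:
    def __init__(self, *ports):
        self.ports = {p.name: p for p in ports}
        self.violations = []  # (port, mac) pairs in order of occurrence

    def frame(self, port_name, src_mac):
        if port_name not in self.ports:  # unsecured port: nothing to check
            return True
        port, mac = self.ports[port_name], src_mac.lower()
        dup = any(mac in p.secure for p in self.ports.values() if p is not port)
        if dup or (mac not in port.secure and len(port.secure) >= port.maximum):
            self.violations.append((port_name, mac))
            return False
        port.secure.add(mac)  # learned dynamically (sticky would save it to config)
        return True

# Constructed addresses: 0000.5e00.0101 follows the VRRP virtual MAC format
# 0000.5e00.01xx with VRID 1 (RFC 3768); the two BIAs are made up.
R1_BIA, R2_BIA, VMAC = "0011.2233.4455", "0011.2233.6677", "0000.5e00.0101"

def failover(switch):
    """R1 on Fa0/1 is master, then R2 on Fa0/2 takes over the virtual MAC."""
    for port, mac in [("Fa0/1", R1_BIA), ("Fa0/1", VMAC),   # R1 master
                      ("Fa0/2", R2_BIA), ("Fa0/2", VMAC)]:  # R2 becomes master
        switch.frame(port, mac)
    return switch.violations

def one_mac_allowed():  # "bound to use only one mac": the virtual MAC is a second address
    return failover(Switch(SecurePort("Fa0/1", 1), SecurePort("Fa0/2", 1)))

def two_macs_single_port():  # maximum 2, virtual MAC hard-coded, only Fa0/1 secured
    return failover(Switch(SecurePort("Fa0/1", 2, [VMAC])))

def two_macs_both_ports():  # the same virtual MAC hard-coded on both router ports
    return failover(Switch(SecurePort("Fa0/1", 2, [VMAC]), SecurePort("Fa0/2", 2, [VMAC])))

def hsrp_use_bia():  # "standby use-bia": the virtual MAC equals each router's own BIA
    sw = Switch(SecurePort("Fa0/1", 1), SecurePort("Fa0/2", 1))
    sw.frame("Fa0/1", R1_BIA)
    sw.frame("Fa0/2", R2_BIA)
    return sw.violations
```

Only the single-port maximum-2 case and the use-bia case stay clean; with one MAC allowed, the virtual MAC trips a violation on whichever port the master sits behind, and the same virtual MAC secured on two ports trips the cross-port duplicate rule.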