RE: Port-security with HSRP

From: Schulz, Dave (DSchulz@dpsciences.com)
Date: Sun Mar 26 2006 - 20:11:46 GMT-3


Mushtaq -

I just labbed this up with vrrp and port-security on the switch and it appears
to work just fine....here is the config and status.....

R1 (vrrp master).....
!
hostname R1
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 duplex auto
 speed auto
 vrrp 1 ip 10.1.1.10
 vrrp 1 priority 105
!

R3 (vrrp backup)......

hostname R3
!
interface Ethernet0
 ip address 10.1.1.3 255.255.255.0
 vrrp 1 ip 10.1.1.10
!

Switch (R1 is connected to Fa0/1)....
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address 0000.5e00.0101   (this mac is the virtual)
 switchport port-security mac-address 0008.a3fc.a661   (this mac is the physical of R1)
!

R1......
R1#show vrrp all
FastEthernet0/0 - Group 1
  State is Master
  Virtual IP address is 10.1.1.10
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 105
  Master Router is 10.1.1.1 (local), priority is 105
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.589 sec

R1#sh int fa0/0
FastEthernet0/0 is up, line protocol is up
  Hardware is AmdFE, address is 0008.a3fc.a661 (bia 0008.a3fc.a661)
  Internet address is 10.1.1.1/24

________________________________

From: Mushtaq A. Khan [mailto:mak.ccie2b@gmail.com]
Sent: Sun 3/26/2006 5:05 PM
To: Schulz, Dave
Cc: xprtofnet@yahoo.com; Ccielab@groupstudy.com
Subject: Re: Port-security with HSRP

Dave,

Even a single port would have the issue: whenever the router connected to that
port switches over to master, the switch will detect the virtual mac and generate
the port security violation message (depending on the violation option
configured). This will not be an issue for HSRP because we can use the use-bia
option there.

Mushtaq

On 3/26/06, Schulz, Dave <DSchulz@dpsciences.com> wrote:

        I understand what you are saying. However, this would only be the case if you are
applying port security to both ports of the VRRP grouping, right? This shouldn't
be the issue for a single port, correct?

        Dave Schulz
        *** Sent from my Blackberry ***

        -----Original Message-----
        From: xprtofnet <xprtofnet@yahoo.com>
        To: Schulz, Dave <DSchulz@dpsciences.com>; mak.ccie2b@gmail.com
        CC: xprtofnet@yahoo.com; ccielab@groupstudy.com
        Sent: Sun Mar 26 08:38:33 2006
        Subject: Re: Port-security with HSRP

        Mushtaq's concern is using the same MAC address with port
        security, and it states clearly in the doc that port
        security will complain about duplicate MAC addresses from
        different ports. So in my opinion using the same MAC for
        vrrp/hsrp would not work with port-security (after the
        switch reboots with the same config).

        m2c.

        --- "Schulz, Dave" <DSchulz@dpsciences.com> wrote:

> Wouldn't indicating both the virtual and the
> physical MAC address do it for us? It appears to
> work for HSRP in the same way.
>
> Dave Schulz
> *** Sent from my Blackberry ***
>
> -----Original Message-----
> From: Mushtaq A. Khan <mak.ccie2b@gmail.com>
> To: Schulz, Dave <DSchulz@dpsciences.com>
> CC: xprtofnet@yahoo.com; ccielab@groupstudy.com
> Sent: Sun Mar 26 07:34:01 2006
> Subject: Re: Port-security with HSRP
>
>
> I am aware of this, but as I mentioned earlier, what
> if you are bound to use only one mac? Then it is kind of
> a limitation of VRRP, as there is no option to use-bia,
> or maybe I'm unable to find any other option.
>
> Mushtaq
>
>
> On 3/26/06, Schulz, Dave <DSchulz@dpsciences.com> wrote:
>
> This shouldn't be an issue as I detailed at the
> beginning of this thread. Set the max addresses to
> 2, then hard-code them, right?
>
> Dave Schulz
> *** Sent from my Blackberry ***
>
>
>
> -----Original Message-----
> From: Mushtaq A. Khan <mak.ccie2b@gmail.com>
> To: xprtofnet <xprtofnet@yahoo.com>
> CC: Schulz, Dave <DSchulz@dpsciences.com>; ccielab@groupstudy.com
> Sent: Sun Mar 26 00:00:50 2006
> Subject: Re: Port-security with HSRP
>
> The problem here is that you are bound to use only one mac, so no matter
> what mac address you use, the port security violation will occur as the
> switch detects the second mac (virtual mac address) generated by VRRP.
>
> Mushtaq
>
>
> On 3/25/06, xprtofnet <xprtofnet@yahoo.com> wrote:
>
> did you try different mac-addresses on the two routers? it should work...!
>
> --- "Mushtaq A. Khan" <mak.ccie2b@gmail.com> wrote:
>
> > All,
> > I was thinking of another scenario where we are bound to use VRRP and allow
> > only one mac-address on the switch. What do we do in that case, as I couldn't
> > find an option to use-bia in VRRP? I tried to make it work by hard coding the
> > virtual-mac generated by VRRP to the router, but it didn't work.
> > Is there any other option?
> >
> > Mushtaq
> >
> > On 3/25/06, xprtofnet <xprtofnet@yahoo.com> wrote:
> > >
> > > keep in mind that port security will complain about duplicate mac if hsrp
> > > uses the same virtual-mac. so better to hard-code the virtual-mac for hsrp
> > > or use bia so that it is not the same.
> > >
> > > m2c.
> > >
> > > --- "Schulz, Dave" <DSchulz@dpsciences.com> wrote:
> > >
> > > > I was working through some different solutions with port-security with
> > > > HSRP. If there is a requirement to lock down a specific port connected
> > > > to a router that is running HSRP, I see two different solutions.
> > > >
> > > > First one being, to put the command "standby use-bia" and force the
> > > > router to use the bia (or configured mac for the virtual ip). Or, we
> > > > can also use the following (adding a second mac to the switchport
> > > > config). As below....
> > > >
> > > > Current configuration : 304 bytes
> > > > !
> > > > interface FastEthernet0/1
> > > >  switchport access vlan 10
> > > >  switchport mode access
> > > >  switchport port-security
> > > >  switchport port-security maximum 2
> > > >  switchport port-security mac-address sticky
> > > >  switchport port-security mac-address 0000.0c07.ac01   <- router mac-address
> > > >  switchport port-security mac-address sticky 0008.a3fc.a661   <- virtual mac-address assigned by HSRP
> > > > end
> > > >
> > > > Any reason why each of these would not be valid?
> > > >
> > > > Also, it appears that we can statically configure the mac, or, use the
> > > > sticky (and save the config)....depending on the requirements.
> > > >
> > > >
> > > > Dave Schulz
> > > >
> > > > Email: dschulz@dpsciences.com
> > > >
> > > > _______________________________________________________________________
> > > > Subscription information may be found at:
> > > > http://www.groupstudy.com/list/CCIELab.html
> > >
> > > __________________________________________________
> > > Do You Yahoo!?
> > > Tired of spam? Yahoo! Mail has the best spam protection around
> > > http://mail.yahoo.com
        === message truncated ===




This archive was generated by hypermail 2.1.4 : Sat Apr 01 2006 - 10:07:40 GMT-3