Re: HSRP + PORT SECURITY

From: Chris Lewis (chrlewiscsco@gmail.com)
Date: Wed Apr 05 2006 - 11:35:45 GMT-3

• Next message: Tony Schaffran: "RE: Poor-man's CCIE rack"
• Previous message: Brian McGahan: "RE: Poor-man's CCIE rack"
• Maybe in reply to: KC: "HSRP + PORT SECURITY"
• Next in thread: Anderson Mota Alves: "Re: HSRP + PORT SECURITY"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

KC,

I think your problem is with configuring sticky on both switch ports. This
will give rise to an error message like this on the switch

04:01:12: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred,
caused by MAC address 0000.0c07.ac00 on port FastEthernet0/2.

Having one of the ports go err-disable could make it look like both routers
are in Active, as the one that was standby may go active after the port shut
down by the switch.

Try this (remembering to keep the switch ports shut down while you
configure).

interface FastEthernet0/3
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address 4000.0000.0001
!
interface FastEthernet0/4
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address 4000.0000.0001

Connected routers
interface FastEthernet0/0
 ip address 12.12.12.3 255.255.255.0
 duplex auto
 speed auto
 standby ip 12.12.12.200
 standby mac-address 4000.0000.0001

interface FastEthernet0/0
 ip address 12.12.12.4 255.255.255.0
 duplex auto
 speed auto
 standby ip 12.12.12.200
 standby mac-address 4000.0000.0001

R5 is used to test

R5(config-if)#do ping 12.12.12.200

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.12.12.200, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R5(config-if)#do ping 12.12.12.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.12.12.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
R5(config-if)#do ping 12.12.12.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.12.12.4, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
R5(config-if)#
If you test HSRP operation with this configuration by shutting down the
ethernet interface on the active router, while doing an extended ping from
R5, you will see the swap over as follows:

!!!!!!!!!!!!!!!!!!!!!!!.....!!!!!!!!!!!

Chris

Chris

On 4/5/06, Leigh Harrison <ccileigh@gmail.com> wrote:
>
> Hey there KC,
>
> I've done this a few times. Rather than use sticky mac, I found it was
> much better to type in the mac addresses for the ports and the virtual
> one.
>
> LH
>
> KC wrote:
> > Very strange to me, I requested 3 times to people to give me the config.
> of
> > HSRP Routers and Switch , but noone responded me with right solution .
> What
> > happened to you guys, i am stuck , ehlp me , this is the i guess last
> > question i am asking before lab
> >
> > On 4/4/06, KC <kanwal.chawla@gmail.com> wrote:
> >
> >> Hey Guys
> >>
> >> Whenever i configure this thing on one of Switchport, my both routers
> HSRP
> >> came up in Active states, noone is going standby
> >> switchport access vlan 10
> >> switchport mode access
> >> switchport port-security
> >> switchport port-security maximum 2
> >> switchport port-security mac-address sticky
> >> switchport port-security mac-address sticky 0000.0c07.ac01
> >> mac-address
> >> switchport port-security mac-address sticky 0008.a3fc.a661
> >>
> >>
> >> On 4/4/06, Chris Lewis <chrlewiscsco@gmail.com> wrote:
> >>
> >>> KC, I believe the answer to your question will only be found in the
> >>> exact wording of the question, which can take many, many forms.
> >>>
> >>> If you use BIA there will only be one MAC address associated with each
> >>> port, the downside of this is that traffic will be dropped as the
> switch
> >>> moves that MAC address from one port to another. You can test this
> easily
> >>> with an extended ping to the HSRP address, or to an address that is
> only
> >>> reachable via the HSRP setup.
> >>>
> >>> Remember the lab has nothing to do with what makes sense from a
> >>> deployment perspective, it is only tesing you on your ability to
> >>>
> > configure
> >
> >>> the equipment to do exactly what the question asks.
> >>>
> >>> Chris
> >>>
> >>> On 4/4/06, KC < kanwal.chawla@gmail.com> wrote:
> >>>
> >>>
> >>>> Hey Guys,
> >>>>
> >>> I know this question has been discussed lots of time , but i just hve
> >>> one
> >>> doubt, If we use ((standby use-bia) command in HSRP with Port security
> ,
> >>>
> >>> Router will use its burnt-in address rather to typically HSRP virtual
> >>> address. The problem is whenever standby router will become active,
> >>> the virtual mac_Address will be moved to diffrent router. Will it be
> >>> acceptable in Lab ??? Will the secodn router become active and failed
> >>> router
> >>> will become standby ???
> >>>
> >>> Any inputs please, i am clearifing becuase after 2 days i have a lab
> :D
> >>>
> >>>
> _______________________________________________________________________
> >>> Subscription information may be found at:
> >>> http://www.groupstudy.com/list/CCIELab.html
> >>>
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html

• Next message: Tony Schaffran: "RE: Poor-man's CCIE rack"
• Previous message: Brian McGahan: "RE: Poor-man's CCIE rack"
• Maybe in reply to: KC: "HSRP + PORT SECURITY"
• Next in thread: Anderson Mota Alves: "Re: HSRP + PORT SECURITY"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Mon May 01 2006 - 11:41:56 GMT-3