Re: HSRP + PORT SECURITY

From: Anderson Mota Alves (mota_anderson@hotmail.com)
Date: Wed Apr 05 2006 - 15:12:36 GMT-3


Hi Chris,

I understood your configuration below, but now I'm the one with a question
:-) Imagine that I've been told that I need to configure switchport
security in an environment where HSRP is in use, and this configuration
needs to be on the router in case I need to reload it. I think the only
way to accomplish this task is configuring switchport security with
sticky, no? Or would it also work if I configure it as you said below?

Any comments are really appreciated!!

Andy

  --------------------------------------------------------------------

  From: "Chris Lewis" <chrlewiscsco@gmail.com>
  Reply-To: "Chris Lewis" <chrlewiscsco@gmail.com>
  To: "Leigh Harrison" <ccileigh@gmail.com>
  CC: KC <kanwal.chawla@gmail.com>, "Group Study (E-mail)" <ccielab@groupstudy.com>
  Subject: Re: HSRP + PORT SECURITY
  Date: Wed, 5 Apr 2006 09:35:45 -0500
>KC,
>
>I think your problem is with configuring sticky on both switch ports. This
>will give rise to an error message like this on the switch
>
>04:01:12: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred,
>caused by MAC address 0000.0c07.ac00 on port FastEthernet0/2.
>
>Having one of the ports go err-disable could make it look like both routers
>are in Active, as the one that was standby may go active after the port shut
>down by the switch.
>
>Try this (remembering to keep the switch ports shut down while you
>configure).
>
>interface FastEthernet0/3
> switchport access vlan 10
> switchport mode access
> switchport port-security
> switchport port-security maximum 2
> switchport port-security mac-address 4000.0000.0001
>!
>interface FastEthernet0/4
> switchport access vlan 10
> switchport mode access
> switchport port-security
> switchport port-security maximum 2
> switchport port-security mac-address 4000.0000.0001
>
>Connected routers
>interface FastEthernet0/0
> ip address 12.12.12.3 255.255.255.0
> duplex auto
> speed auto
> standby ip 12.12.12.200
> standby mac-address 4000.0000.0001
>
>interface FastEthernet0/0
> ip address 12.12.12.4 255.255.255.0
> duplex auto
> speed auto
> standby ip 12.12.12.200
> standby mac-address 4000.0000.0001
>
>R5 is used to test
>
>R5(config-if)#do ping 12.12.12.200
>
>Type escape sequence to abort.
>Sending 5, 100-byte ICMP Echos to 12.12.12.200, timeout is 2 seconds:
>!!!!!
>Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
>R5(config-if)#do ping 12.12.12.3
>
>Type escape sequence to abort.
>Sending 5, 100-byte ICMP Echos to 12.12.12.3, timeout is 2 seconds:
>.!!!!
>Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
>R5(config-if)#do ping 12.12.12.4
>
>Type escape sequence to abort.
>Sending 5, 100-byte ICMP Echos to 12.12.12.4, timeout is 2 seconds:
>.!!!!
>Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
>R5(config-if)#
>If you test HSRP operation with this configuration by shutting down the
>ethernet interface on the active router, while doing an extended ping from
>R5, you will see the swap over as follows:
>
>!!!!!!!!!!!!!!!!!!!!!!!.....!!!!!!!!!!!
>
>Chris
>
>
>On 4/5/06, Leigh Harrison <ccileigh@gmail.com> wrote:
> >
> > Hey there KC,
> >
> > I've done this a few times. Rather than use sticky mac, I found it was
> > much better to type in the mac addresses for the ports and the virtual
> > one.
> >
> > LH
> >
> > KC wrote:
> > > Very strange to me, I requested 3 times to people to give me the config
> > > of HSRP Routers and Switch, but no one responded to me with the right
> > > solution. What happened to you guys, I am stuck, help me, this is I
> > > guess the last question I am asking before the lab
> > >
> > > On 4/4/06, KC <kanwal.chawla@gmail.com> wrote:
> > >
> > >> Hey Guys
> > >>
> > >> Whenever I configure this thing on one of the switchports, both my
> > >> routers' HSRP came up in Active state, no one is going standby
> > >> switchport access vlan 10
> > >> switchport mode access
> > >> switchport port-security
> > >> switchport port-security maximum 2
> > >> switchport port-security mac-address sticky
> > >> switchport port-security mac-address sticky 0000.0c07.ac01
> > >> mac-address
> > >> switchport port-security mac-address sticky 0008.a3fc.a661
> > >>
> > >>
> > >> On 4/4/06, Chris Lewis <chrlewiscsco@gmail.com> wrote:
> > >>
> > >>> KC, I believe the answer to your question will only be found in the
> > >>> exact wording of the question, which can take many, many forms.
> > >>>
> > >>> If you use BIA there will only be one MAC address associated with each
> > >>> port, the downside of this is that traffic will be dropped as the switch
> > >>> moves that MAC address from one port to another. You can test this easily
> > >>> with an extended ping to the HSRP address, or to an address that is only
> > >>> reachable via the HSRP setup.
> > >>>
> > >>> Remember the lab has nothing to do with what makes sense from a
> > >>> deployment perspective, it is only testing you on your ability to configure
> > >>> the equipment to do exactly what the question asks.
> > >>>
> > >>> Chris
> > >>>
> > >>> On 4/4/06, KC < kanwal.chawla@gmail.com> wrote:
> > >>>
> > >>>
> > >>>> Hey Guys,
> > >>>>
> > >>>> I know this question has been discussed lots of times, but I just have
> > >>>> one doubt. If we use the (standby use-bia) command in HSRP with port
> > >>>> security, the router will use its burnt-in address rather than the
> > >>>> typical HSRP virtual address. The problem is whenever the standby router
> > >>>> becomes active, the virtual MAC address will be moved to a different
> > >>>> router. Will it be acceptable in the Lab??? Will the second router become
> > >>>> active and the failed router become standby???
> > >>>>
> > >>>> Any inputs please, I am clarifying because in 2 days I have a lab :D
> > >>>>
> > >>>>
> > >>>> _______________________________________________________________________
> > >>>> Subscription information may be found at:
> > >>>> http://www.groupstudy.com/list/CCIELab.html
> > >>>>
>
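As an added illustration (not code from the thread and not a Cisco tool): a simplified Python model of the two switchport configurations discussed above, KC's sticky learning on both ports and Chris's static virtual MAC on both ports. It models the rule the thread runs into, a MAC learned on one secure port reappearing on another secure port raises a violation, and derives the default HSRPv1 virtual MAC from the group number; R4's burnt-in address is a constructed value.

```python
from dataclasses import dataclass, field

def hsrp_v1_virtual_mac(group: int) -> str:
    """HSRPv1 virtual MAC is 0000.0c07.acXX, with XX the group number in hex."""
    return f"0000.0c07.ac{group:02x}"

@dataclass
class SecurePort:
    name: str
    maximum: int                                # switchport port-security maximum N
    static: frozenset = frozenset()             # switchport port-security mac-address X
    learned: set = field(default_factory=set)   # sticky/dynamic secure MACs
    def secured(self) -> set:
        return set(self.static) | self.learned

def replay(ports, frames):
    """Replay (port, src_mac) frames; return the violations raised (simplified model)."""
    by_name = {p.name: p for p in ports}
    violations = []
    for name, mac in frames:
        port = by_name[name]
        if mac in port.secured():
            continue                            # already allowed on this port
        # A MAC learned on another secure port reappearing here is the thread's violation.
        other = next((p.name for p in ports if p is not port and mac in p.learned), None)
        if other:
            violations.append(f"{name}: {mac} already secured on {other}")
        elif len(port.secured()) >= port.maximum:
            violations.append(f"{name}: {mac} exceeds maximum {port.maximum}")
        else:
            port.learned.add(mac)               # learn it (sticky or dynamic)
    return violations

# Constructed burnt-in addresses for the two HSRP routers (R4's is made up).
R3_BIA, R4_BIA = "0008.a3fc.a661", "0008.a3fc.b002"
def failover_frames(vmac):
    # R3 is active first and sources vmac on Fa0/3; then R4 takes over on Fa0/4.
    return [("Fa0/3", R3_BIA), ("Fa0/3", vmac), ("Fa0/4", R4_BIA), ("Fa0/4", vmac)]

def sticky_both_ports():
    """KC's config: maximum 2 with sticky learning on both ports, default virtual MAC."""
    return replay([SecurePort("Fa0/3", 2), SecurePort("Fa0/4", 2)],
                  failover_frames(hsrp_v1_virtual_mac(1)))

def static_virtual_mac():
    """Chris's config: maximum 2 with the chosen virtual MAC static on both ports."""
    vmac = "4000.0000.0001"
    return replay([SecurePort("Fa0/3", 2, frozenset({vmac})),
                   SecurePort("Fa0/4", 2, frozenset({vmac}))],
                  failover_frames(vmac))
```

Running both scenarios shows the sticky layout failing on the failover frame while the static layout passes, which is the behaviour Chris's ping test demonstrates.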



This archive was generated by hypermail 2.1.4 : Mon May 01 2006 - 11:41:56 GMT-3