From: Victor Cappuccio (cvictor@protokolgroup.com)
Date: Wed Apr 05 2006 - 15:24:29 GMT-3
Sorry to stick my nose in here, but this could be solved if we say that
the MAC protected by the switch port-security parameter is the BIA of the
HSRP interface in question, and then use the standby use-bia command to
solve this situation.
Just my 2 cents
Anderson Mota Alves wrote:
> Hi Chris,
>
> I understood your configuration below, but now I'm the one with a question
> :-) Imagine that I've been told that I need to configure switchport
> security in an environment where HSRP is in use and this configuration
> needs to be on the router in case I need to reload it. I think the only
> way to accomplish this task is configuring switchport security with
> sticky, no? Or would it also work if I configured it as you said below?
>
> Any comments are really appreciated !!
>
> Andy
>
> --------------------------------------------------------------------
>
> From: "Chris Lewis" <chrlewiscsco@gmail.com>
> Reply-To: "Chris Lewis" <chrlewiscsco@gmail.com>
> To: "Leigh Harrison" <ccileigh@gmail.com>
> CC: KC <kanwal.chawla@gmail.com>, "Group Study (E-mail)"
> <ccielab@groupstudy.com>
> Subject: Re: HSRP + PORT SECURITY
> Date: Wed, 5 Apr 2006 09:35:45 -0500
> >KC,
> >
> >I think your problem is with configuring sticky on both switch ports. This
> >will give rise to an error message like this on the switch
> >
> >04:01:12: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred,
> >caused by MAC address 0000.0c07.ac00 on port FastEthernet0/2.
> >
> >Having one of the ports go err-disable could make it look like both routers
> >are in Active, as the one that was standby may go active after the port shut
> >down by the switch.
> >
> >Try this (remembering to keep the switch ports shut down while you
> >configure).
> >
> >interface FastEthernet0/3
> > switchport access vlan 10
> > switchport mode access
> > switchport port-security
> > switchport port-security maximum 2
> > switchport port-security mac-address 4000.0000.0001
> >!
> >interface FastEthernet0/4
> > switchport access vlan 10
> > switchport mode access
> > switchport port-security
> > switchport port-security maximum 2
> > switchport port-security mac-address 4000.0000.0001
> >
> >Connected routers
> >interface FastEthernet0/0
> > ip address 12.12.12.3 255.255.255.0
> > duplex auto
> > speed auto
> > standby ip 12.12.12.200
> > standby mac-address 4000.0000.0001
> >
> >interface FastEthernet0/0
> > ip address 12.12.12.4 255.255.255.0
> > duplex auto
> > speed auto
> > standby ip 12.12.12.200
> > standby mac-address 4000.0000.0001
> >
> >R5 is used to test
> >
> >R5(config-if)#do ping 12.12.12.200
> >
> >Type escape sequence to abort.
> >Sending 5, 100-byte ICMP Echos to 12.12.12.200, timeout is 2 seconds:
> >!!!!!
> >Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
> >R5(config-if)#do ping 12.12.12.3
> >
> >Type escape sequence to abort.
> >Sending 5, 100-byte ICMP Echos to 12.12.12.3, timeout is 2 seconds:
> >.!!!!
> >Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
> >R5(config-if)#do ping 12.12.12.4
> >
> >Type escape sequence to abort.
> >Sending 5, 100-byte ICMP Echos to 12.12.12.4, timeout is 2 seconds:
> >.!!!!
> >Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
> >R5(config-if)#
> >If you test HSRP operation with this configuration by shutting down the
> >ethernet interface on the active router, while doing an extended ping from
> >R5, you will see the swap over as follows:
> >
> >!!!!!!!!!!!!!!!!!!!!!!!.....!!!!!!!!!!!
> >
> >Chris
> >
> >
> >On 4/5/06, Leigh Harrison <ccileigh@gmail.com> wrote:
> > >
> > > Hey there KC,
> > >
> > > I've done this a few times. Rather than use sticky mac, I found it was
> > > much better to type in the mac addresses for the ports and the virtual
> > > one.
> > >
> > > LH
> > >
> > > KC wrote:
> > > > Very strange to me, I requested 3 times to people to give me the config
> > > > of HSRP Routers and Switch, but no one responded to me with the right
> > > > solution. What happened to you guys, I am stuck, help me, this is, I
> > > > guess, the last question I am asking before the lab
> > > >
> > > > On 4/4/06, KC <kanwal.chawla@gmail.com> wrote:
> > > >
> > > >> Hey Guys
> > > >>
> > > >> Whenever I configure this thing on one of the switchports, both of my
> > > >> routers' HSRP came up in the Active state, neither is going standby
> > > >> switchport access vlan 10
> > > >> switchport mode access
> > > >> switchport port-security
> > > >> switchport port-security maximum 2
> > > >> switchport port-security mac-address sticky
> > > >> switchport port-security mac-address sticky 0000.0c07.ac01
> > > >> mac-address
> > > >> switchport port-security mac-address sticky 0008.a3fc.a661
> > > >>
> > > >>
> > > >> On 4/4/06, Chris Lewis <chrlewiscsco@gmail.com> wrote:
> > > >>
> > > >>> KC, I believe the answer to your question will only be found in the
> > > >>> exact wording of the question, which can take many, many forms.
> > > >>>
> > > >>> If you use BIA there will only be one MAC address associated with each
> > > >>> port, the downside of this is that traffic will be dropped as the switch
> > > >>> moves that MAC address from one port to another. You can test this easily
> > > >>> with an extended ping to the HSRP address, or to an address that is only
> > > >>> reachable via the HSRP setup.
> > > >>>
> > > >>> Remember the lab has nothing to do with what makes sense from a
> > > >>> deployment perspective, it is only testing you on your ability to
> > > >>> configure the equipment to do exactly what the question asks.
> > > >>>
> > > >>> Chris
> > > >>>
> > > >>> On 4/4/06, KC <kanwal.chawla@gmail.com> wrote:
> > > >>>
> > > >>>
> > > >>>> Hey Guys,
> > > >>>>
> > > >>>> I know this question has been discussed lots of times, but I just have
> > > >>>> one doubt. If we use the (standby use-bia) command in HSRP with port
> > > >>>> security, the router will use its burnt-in address rather than the
> > > >>>> typical HSRP virtual address. The problem is whenever the standby router
> > > >>>> becomes active, the virtual MAC address will be moved to a different
> > > >>>> router. Will it be acceptable in the lab??? Will the second router become
> > > >>>> active and the failed router become standby???
> > > >>>>
> > > >>>> Any inputs please, I am clarifying because in 2 days I have a lab :D
> > > >>>
> > > >>>
> > > >>>
> > > >>> _______________________________________________________________________
> > > >>> Subscription information may be found at:
> > > >>> http://www.groupstudy.com/list/CCIELab.html
> > > >>>
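The switch-side symptom Chris quotes (a PSECURE_VIOLATION caused by 0000.0c07.acXX, the HSRP v1 virtual MAC whose last byte is the group number) and the allowed-MAC arithmetic behind the two fixes discussed in the thread (static BIA plus virtual MAC with maximum 2, or standby use-bia with the BIA alone) as an added Python example. This is not code from the thread or from Cisco; the syslog lines are constructed in the format Chris quoted, and the function names are assumptions.

```python
import re
# HSRP version 1 virtual MAC prefix; the last byte is the group number
HSRP_V1_PREFIX = "0000.0c07.ac"

# Constructed sample syslog lines in the format quoted in the thread
SAMPLE_LOGS = """\
04:01:12: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0c07.ac00 on port FastEthernet0/2.
04:02:30: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0008.a3fc.a661 on port FastEthernet0/3.
04:03:01: %LINK-3-UPDOWN: Interface FastEthernet0/2, changed state to down
"""

VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*caused by MAC address "
    r"(?P<mac>(?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4}) on port (?P<port>\S+?)\.?$"
)

def hsrp_group(mac):
    """Return the HSRP v1 group number if mac is a virtual MAC, else None."""
    mac = mac.lower()
    if mac.startswith(HSRP_V1_PREFIX):
        return int(mac[len(HSRP_V1_PREFIX):], 16)
    return None

def parse_violations(log_text):
    """List (port, mac, group-or-None) per port-security violation. A violation
    caused by an HSRP virtual MAC is the signature of the thread's symptom: the
    standby router's port err-disabled when the virtual MAC moved onto it."""
    found = []
    for line in log_text.splitlines():
        m = VIOLATION_RE.search(line.strip())
        if m:
            mac = m.group("mac").lower()
            found.append((m.group("port"), mac, hsrp_group(mac)))
    return found

def expected_macs(router_bia, group=0, use_bia=False, custom_vmac=None):
    """MACs a port facing an HSRP router must admit: its BIA plus the virtual
    MAC, unless 'standby use-bia' makes the BIA serve both roles."""
    macs = {router_bia.lower()}
    if not use_bia:
        vmac = custom_vmac or f"{HSRP_V1_PREFIX}{group:02x}"
        macs.add(vmac.lower())
    return macs

def port_security_ok(allowed, maximum, expected):
    """True if the port's static (or already learned sticky) MAC list and its
    maximum admit every MAC the router may source, so failover cannot violate."""
    return expected <= {m.lower() for m in allowed} and len(expected) <= maximum
```

Run `port_security_ok` once per switch port with that router's BIA: a sticky port that has only learned its own router's BIA fails the check, which is exactly the failover violation the thread describes.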
This archive was generated by hypermail 2.1.4 : Mon May 01 2006 - 11:41:56 GMT-3