Re: HSRP + PORT SECURITY

From: Chris Lewis (chrlewiscsco@gmail.com)
Date: Wed Apr 05 2006 - 16:42:36 GMT-3


My opinion is that this would work instead of sticky.

On 4/5/06, Anderson Mota Alves <mota_anderson@hotmail.com> wrote:
>
> Hi Chris,
>
> I understood your configuration below but now I'm the one with a question
> :-) Imagine that I've been told that I need to configure switchport
> security in an environment where HSRP is in use, and this configuration
> needs to be on the router in case I need to reload it. I think the only
> way to accomplish this task is configuring switchport security with
> sticky, no? Or would it also work if I configure it as you said below?
>
> Any comments are really appreciated !!
>
> Andy
>
> --------------------------------------------------------------------
>
> From: "Chris Lewis" <chrlewiscsco@gmail.com>
> Reply-To: "Chris Lewis" <chrlewiscsco@gmail.com>
> To: "Leigh Harrison" <ccileigh@gmail.com>
> CC: KC <kanwal.chawla@gmail.com>, "Group Study (E-mail)"
> <ccielab@groupstudy.com>
> Subject: Re: HSRP + PORT SECURITY
> Date: Wed, 5 Apr 2006 09:35:45 -0500
> >KC,
> >
> >I think your problem is with configuring sticky on both switch ports. This
> >will give rise to an error message like this on the switch
> >
> >04:01:12: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred,
> >caused by MAC address 0000.0c07.ac00 on port FastEthernet0/2.
> >
> >Having one of the ports go err-disable could make it look like both routers
> >are in Active, as the one that was standby may go active after the port is
> >shut down by the switch.
> >
> >Try this (remembering to keep the switch ports shut down while you
> >configure).
> >
> >interface FastEthernet0/3
> > switchport access vlan 10
> > switchport mode access
> > switchport port-security
> > switchport port-security maximum 2
> > switchport port-security mac-address 4000.0000.0001
> >!
> >interface FastEthernet0/4
> > switchport access vlan 10
> > switchport mode access
> > switchport port-security
> > switchport port-security maximum 2
> > switchport port-security mac-address 4000.0000.0001
> >
> >Connected routers
> >interface FastEthernet0/0
> > ip address 12.12.12.3 255.255.255.0
> > duplex auto
> > speed auto
> > standby ip 12.12.12.200
> > standby mac-address 4000.0000.0001
> >
> >interface FastEthernet0/0
> > ip address 12.12.12.4 255.255.255.0
> > duplex auto
> > speed auto
> > standby ip 12.12.12.200
> > standby mac-address 4000.0000.0001
> >
> >R5 is used to test
> >
> >R5(config-if)#do ping 12.12.12.200
> >
> >Type escape sequence to abort.
> >Sending 5, 100-byte ICMP Echos to 12.12.12.200, timeout is 2 seconds:
> >!!!!!
> >Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
> >R5(config-if)#do ping 12.12.12.3
> >
> >Type escape sequence to abort.
> >Sending 5, 100-byte ICMP Echos to 12.12.12.3, timeout is 2 seconds:
> >.!!!!
> >Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
> >R5(config-if)#do ping 12.12.12.4
> >
> >Type escape sequence to abort.
> >Sending 5, 100-byte ICMP Echos to 12.12.12.4, timeout is 2 seconds:
> >.!!!!
> >Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
> >R5(config-if)#
> >If you test HSRP operation with this configuration by shutting down the
> >ethernet interface on the active router, while doing an extended ping from
> >R5, you will see the swap over as follows:
> >
> >!!!!!!!!!!!!!!!!!!!!!!!.....!!!!!!!!!!!
> >
> >Chris
> >
> >
> >On 4/5/06, Leigh Harrison <ccileigh@gmail.com> wrote:
> > >
> > > Hey there KC,
> > >
> > > I've done this a few times. Rather than use sticky mac, I found it was
> > > much better to type in the mac addresses for the ports and the virtual
> > > one.
> > >
> > > LH
> > >
> > > KC wrote:
> > > > Very strange to me, I requested 3 times to people to give me the config
> > > > of HSRP Routers and Switch, but no one responded to me with the right
> > > > solution. What happened to you guys, I am stuck, help me, this is I
> > > > guess the last question I am asking before the lab
> > > >
> > > > On 4/4/06, KC <kanwal.chawla@gmail.com> wrote:
> > > >
> > > >> Hey Guys
> > > >>
> > > >> Whenever I configure this thing on one of the switchports, both my
> > > >> routers' HSRP came up in Active state, no one is going standby
> > > >> switchport access vlan 10
> > > >> switchport mode access
> > > >> switchport port-security
> > > >> switchport port-security maximum 2
> > > >> switchport port-security mac-address sticky
> > > >> switchport port-security mac-address sticky 0000.0c07.ac01
> > > >> mac-address
> > > >> switchport port-security mac-address sticky 0008.a3fc.a661
> > > >>
> > > >>
> > > >> On 4/4/06, Chris Lewis <chrlewiscsco@gmail.com> wrote:
> > > >>
> > > >>> KC, I believe the answer to your question will only be found in the
> > > >>> exact wording of the question, which can take many, many forms.
> > > >>>
> > > >>> If you use BIA there will only be one MAC address associated with each
> > > >>> port, the downside of this is that traffic will be dropped as the switch
> > > >>> moves that MAC address from one port to another. You can test this easily
> > > >>> with an extended ping to the HSRP address, or to an address that is only
> > > >>> reachable via the HSRP setup.
> > > >>>
> > > >>> Remember the lab has nothing to do with what makes sense from a
> > > >>> deployment perspective, it is only testing you on your ability to
> > > >>> configure the equipment to do exactly what the question asks.
> > > >>>
> > > >>> Chris
> > > >>>
> > > >>> On 4/4/06, KC <kanwal.chawla@gmail.com> wrote:
> > > >>>
> > > >>>
> > > >>>> Hey Guys,
> > > >>>>
> > > >>>> I know this question has been discussed lots of times, but I just have
> > > >>>> one doubt. If we use the (standby use-bia) command in HSRP with port
> > > >>>> security, the router will use its burnt-in address rather than the
> > > >>>> typical HSRP virtual address. The problem is whenever the standby router
> > > >>>> becomes active, the virtual MAC address will be moved to a different
> > > >>>> router. Will it be acceptable in the Lab??? Will the second router become
> > > >>>> active and the failed router become standby???
> > > >>>>
> > > >>>> Any inputs please, I am clarifying because after 2 days I have a lab :D
> > > >>>
> > > >>>
> > > >>> _______________________________________________________________________
> > > >>> Subscription information may be found at:
> > > >>> http://www.groupstudy.com/list/CCIELab.html
> > > >>>
> > > >
> >
>
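The thread turns on two facts that are easy to check mechanically: a port-security violation caused by an HSRP virtual MAC (0000.0c07.acXX for HSRPv1, 0000.0c9f.fXXX for HSRPv2) is usually a failover, not a rogue host, and a router-facing port that uses sticky learning, or whose maximum leaves no room for the virtual MAC plus the router's BIA, will eventually err-disable. The script below is an added example, not something posted in the thread: it classifies %PORT_SECURITY-2-PSECURE_VIOLATION syslog lines by whether the offending MAC is a well-known HSRP virtual address or a virtual MAC configured with `standby mac-address`, and it audits switchport configs against the pattern Chris used (static virtual MAC, no sticky, maximum at least static count plus one). The first sample log line is the one quoted above; the other two log lines, and the function and variable names, are constructed for illustration.

```python
"""Added example: audit port-security config and triage violations around HSRP."""
import re
from typing import Optional

# Constructed sample syslog. Line 1 is the message quoted in the thread; the
# HSRPv2 group and the ordinary host MAC on lines 2 and 3 are invented.
SAMPLE_SYSLOG = """\
04:01:12: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0c07.ac00 on port FastEthernet0/2.
04:03:40: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0c9f.f00a on port FastEthernet0/5.
04:05:01: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0008.a3fc.a661 on port FastEthernet0/7.
"""

# Constructed sample config: the two router-facing ports from the thread's fix.
SAMPLE_CONFIG = """\
interface FastEthernet0/3
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address 4000.0000.0001
!
interface FastEthernet0/4
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address 4000.0000.0001
"""

VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*caused by MAC address "
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (?P<port>\S+?)\.?$",
    re.IGNORECASE,
)


def mac_to_int(mac: str) -> int:
    """Accept dotted (Cisco), colon or dash notation and return the 48-bit value."""
    return int(re.sub(r"[.:-]", "", mac), 16)


def hsrp_group_for_mac(mac: str) -> Optional[tuple]:
    """Return (version, group) if mac is a well-known HSRP virtual MAC, else None."""
    value = mac_to_int(mac)
    if value >> 8 == 0x00000C07AC:    # HSRPv1: 0000.0c07.acXX, XX = group 0-255
        return ("v1", value & 0xFF)
    if value >> 12 == 0x00000C9FF:    # HSRPv2: 0000.0c9f.fXXX, XXX = group 0-4095
        return ("v2", value & 0xFFF)
    return None


def classify_violations(syslog: str, configured_virtual_macs=()) -> list:
    """Tag each violation as an HSRP group, a configured virtual MAC, or an unknown host."""
    known = {mac_to_int(m) for m in configured_virtual_macs}
    results = []
    for line in syslog.splitlines():
        match = VIOLATION_RE.search(line)
        if not match:
            continue
        mac, port = match["mac"].lower(), match["port"]
        group = hsrp_group_for_mac(mac)
        if group:
            kind = f"hsrp-{group[0]}-group-{group[1]}"
        elif mac_to_int(mac) in known:
            kind = "configured-virtual-mac"
        else:
            kind = "unknown-host"
        results.append({"mac": mac, "port": port, "kind": kind})
    return results


def audit_port_security(config: str, expected_virtual_mac: str) -> dict:
    """Per interface, list why it would break HSRP failover; empty list means OK."""
    ports, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ports[current] = {"maximum": 1, "static": set(), "sticky": False}  # IOS default maximum is 1
        elif current and line.startswith("switchport port-security maximum "):
            ports[current]["maximum"] = int(line.rsplit(None, 1)[1])
        elif current and line.startswith("switchport port-security mac-address "):
            rest = line[len("switchport port-security mac-address "):].split()
            if rest[0] == "sticky":
                ports[current]["sticky"] = True
            else:
                ports[current]["static"].add(rest[0].lower())
    expected = expected_virtual_mac.lower()
    findings = {}
    for name, p in ports.items():
        problems = []
        if p["sticky"]:
            problems.append("sticky learning on an HSRP-facing port")
        if expected not in p["static"]:
            problems.append("virtual MAC not statically allowed")
        if p["maximum"] < len(p["static"]) + 1:
            problems.append("maximum leaves no room for the router BIA")
        findings[name] = problems
    return findings


if __name__ == "__main__":
    for v in classify_violations(SAMPLE_SYSLOG, ["4000.0000.0001"]):
        print(v)
    print(audit_port_security(SAMPLE_CONFIG, "4000.0000.0001"))
```

Run against the configs in the thread, KC's sticky ports report the sticky finding and no static virtual MAC, while Chris's two ports pass; on the log side the quoted violation is tagged as HSRPv1 group 0, so an operator can correlate it with a standby state change before treating it as a MAC-spoofing event.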



This archive was generated by hypermail 2.1.4 : Mon May 01 2006 - 11:41:56 GMT-3