From: Mienbaikebi Patani (patmien@gmail.com)
Date: Wed Jun 28 2006 - 07:59:29 ART
You should not use the sticky option of the port-security command, because
when you do that a switch port learns the MAC addresses, and when you save
the config the learnt MAC addresses will always be associated with the
specific switch port on which they were learnt.
Look at the following sequence of events, which clearly prohibits the use of
the command "switchport port-security mac-address sticky" for this case.
At time T1, let's say Router A was the HSRP ACTIVE router and Router B was the HSRP
STANDBY router, and at this time T1 the HSRP MAC address will be learnt on
the switch port connecting Router A. At the same time T1, if the sticky
option of the port-security command is used and then you save the config,
the HSRP MAC address is associated with the switch port connecting
Router A. Consider time T2, when Router A fails and Router B takes over to
become the HSRP ACTIVE router. At this time T2, when Router B generates
information with the HSRP MAC address and the switch receives it on the port
connected to Router B, the switch will reject the frame because the frame is
coming from a different port than the port connected to Router A, which
already has an association with the HSRP MAC address, and the switch
will report an error condition. This will prevent successful communications.
Your best bet is to specify only the MAC addresses of the two HSRP routers
statically on the appropriate switch ports and specify the maximum MAC addresses
to be two, which will cause the switch to learn the HSRP MAC address
dynamically. Do not associate the HSRP MAC address statically with any port on
the switch. Then you can reduce the port-security MAC address time-out
period to the minimum, and also reduce the time-out of the switch's global MAC address
table to an equivalent value for the VLAN connecting the HSRP
routers. This is all you need to do.
Hope that this has been informative to you. I am at your disposal.
On 6/28/06, Popgeorgiev Nikolay <nikolay.popgeorgiev@siemens.com> wrote:
>
> Hello group,
>
>
> I know that this topic has been discussed a lot. I have already read all
> posts about this topic and still there is no clear answer to the simple question:
>
>
> How to use port-security together with HSRP without using USE-BIA.
>
> There were some answers to the question which advised allowing two MAC
> addresses on the switch instead of one and writing both the interface and
> the virtual MAC address of the routers,
> but the switch says that the same MAC address is already being used. And
> this is absolutely normal. So this is not an option.
>
> What about using this kind of solution ?
>
>
>
> R1
> interface FastEthernet0/0
> ip address 1.1.1.10 255.255.255.0
> standby 1 ip 1.1.1.1
> standby 1 priority 120
> standby 1 preempt
> standby 1 mac-address 4000.1000.1061
>
>
> R2
> interface FastEthernet0/0
> ip address 1.1.1.20 255.255.255.0
> duplex auto
> speed auto
> standby 1 ip 1.1.1.1
> standby 1 preempt
> standby 1 mac-address 4000.1000.1060
>
> SW
> interface FastEthernet0/2
> switchport access vlan 101
> switchport mode access
> switchport port-security maximum 2
> switchport port-security
> switchport port-security violation restrict
> switchport port-security mac-address sticky
> switchport port-security mac-address sticky 0016.c876.44e8
> switchport port-security mac-address sticky 4000.1000.1060
> !
> interface FastEthernet0/5
> switchport access vlan 101
> switchport mode access
> switchport port-security maximum 2
> switchport port-security
> switchport port-security violation restrict
> switchport port-security mac-address sticky
> switchport port-security mac-address sticky 0016.c876.6200
> switchport port-security mac-address sticky 4000.1000.1061
>
>
> Please guys, tell me what you think?
>
>
> Best,
> Nick
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
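Added example (editor's note, not part of either poster's message and not vendor code): a small Python model of port-security behaviour that replays the T1/T2 sequence from the reply above. It shows why an HSRP virtual MAC secured as sticky on Router A's port blocks Router B after failover, and what changes when the virtual MAC is learnt dynamically, both when Router A's link drops and when the link stays up and only port-security aging can free the address. The rules it encodes are assumptions drawn from the thread and from IOS port-security behaviour as generally documented: a secure MAC appearing on a different secure port in the same VLAN is a violation (a MAC move); static and sticky entries survive link down and never age; dynamic entries are cleared on link down and, with a non-zero aging time, after that many minutes of inactivity. The MAC addresses and port names are taken from the posted config; the timing values are constructed.

```python
"""Model of Cisco-style port security for the HSRP failover case.

Assumptions (not from the original post): inactivity aging, "restrict"
violation mode (frame dropped, port stays up), one VLAN on both ports.
"""
from dataclasses import dataclass, field

# Constructed values mirroring the thread: each router's BIA and one shared vMAC.
BIA_A, BIA_B = "0016.c876.44e8", "0016.c876.6200"
VMAC = "4000.1000.1060"


@dataclass
class Port:
    name: str
    maximum: int = 1
    sticky: bool = False
    aging_time: int = 0          # minutes; 0 means "never age out" (IOS default)
    link_up: bool = True
    # mac -> (kind, last_seen_minute); kind is "static", "sticky" or "dynamic"
    secure: dict = field(default_factory=dict)

    def add_static(self, mac):
        """Equivalent of 'switchport port-security mac-address <mac>'."""
        self.secure[mac] = ("static", 0)

    def expire(self, now):
        """Inactivity aging: only dynamic entries ever age out."""
        if self.aging_time == 0:
            return
        for mac, (kind, seen) in list(self.secure.items()):
            if kind == "dynamic" and now - seen >= self.aging_time:
                del self.secure[mac]

    def link_down(self):
        """Link loss clears dynamic entries; static and sticky survive."""
        self.link_up = False
        self.secure = {m: v for m, v in self.secure.items() if v[0] != "dynamic"}


class Switch:
    def __init__(self, *ports):
        self.ports = {p.name: p for p in ports}

    def receive(self, port_name, src_mac, now):
        """Return 'forward' or 'violation' for a frame from src_mac on port_name."""
        port = self.ports[port_name]
        for p in self.ports.values():
            p.expire(now)
        # MAC move: the address is already secured on another port in the VLAN.
        for other in self.ports.values():
            if other is not port and src_mac in other.secure:
                return "violation"
        if src_mac in port.secure:
            kind, _ = port.secure[src_mac]
            if kind == "dynamic":
                port.secure[src_mac] = (kind, now)   # refresh inactivity timer
            return "forward"
        if len(port.secure) >= port.maximum:
            return "violation"                       # address limit reached
        port.secure[src_mac] = ("sticky" if port.sticky else "dynamic", now)
        return "forward"


def failover_scenario(sticky, aging_time, link_down):
    """Replay the thread's sequence and return (T1, T2, T2-retry) results.

    T1: Router A (Fa0/2) is HSRP active and sends a frame with the vMAC.
    T2: Router A fails; Router B (Fa0/5) sends with the vMAC immediately.
    T2-retry: Router B sends again after the aging time (or an hour if none).
    Each port statically secures its own router's BIA and allows maximum 2,
    so the vMAC is the second, learnt address, as the reply recommends.
    """
    fa2 = Port("Fa0/2", maximum=2, sticky=sticky, aging_time=aging_time)
    fa5 = Port("Fa0/5", maximum=2, sticky=sticky, aging_time=aging_time)
    fa2.add_static(BIA_A)
    fa5.add_static(BIA_B)
    sw = Switch(fa2, fa5)
    t1 = sw.receive("Fa0/2", VMAC, now=0)
    if link_down:
        fa2.link_down()
    t2 = sw.receive("Fa0/5", VMAC, now=0)
    retry_at = aging_time if aging_time else 60
    t3 = sw.receive("Fa0/5", VMAC, now=retry_at)
    return t1, t2, t3


if __name__ == "__main__":
    for args in [(True, 0, True), (False, 0, True), (False, 0, False), (False, 1, False)]:
        print("sticky=%s aging=%d link_down=%s -> %s" % (args + (failover_scenario(*args),)))
```

Reading the four runs together: sticky never recovers, whatever happens to Router A's link; dynamic learning recovers at once when Router A's link actually drops; but if Router A stays link-up and merely stops being active, a dynamic entry with the default aging time of 0 is as bad as sticky, which is the case the reply's advice to reduce the port-security time-out addresses. Note that port-security aging is configured in whole minutes, so the recovery window with aging is on the order of a minute, not instant.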
This archive was generated by hypermail 2.1.4 : Sat Jul 01 2006 - 07:57:33 ART