Re: Hsrp and port-security

From: Petr Lapukhov (petr@internetworkexpert.com)
Date: Wed Jun 28 2006 - 08:05:58 ART


One may also use secure mac-address aging in this case,
though its minimum is 60 seconds...

2006/6/28, Mienbaikebi Patani <patmien@gmail.com>:
>
> You should not use the Sticky option of the port-security command, because
> when you do that a switch port learns the MAC addresses and, when you save
> the config, the learnt MAC addresses will always be associated with the
> specific switch port on which they were learnt.
>
> Look at the following sequence of events, which clearly prohibits the use of
> the command "switchport port-security mac-address sticky" for this case.
>
> At time T1, let's say Router A was the HSRP ACTIVE router and Router B is the
> HSRP STANDBY router, and at this time T1 the HSRP MAC address will be learnt
> on the switch port connecting Router A. At the same time T1, if the Sticky
> option of the port-security command is used and you then save the config,
> the HSRP MAC address is associated with the switch port connecting Router A.
> Consider time T2, when Router A fails and Router B takes over to become the
> HSRP ACTIVE router. At this time T2, when Router B generates information with
> the HSRP MAC address and the switch receives it on the port connected to
> Router B, the switch will reject the frame because it is coming from a
> different port than the port connected to Router A, which already has an
> association with the HSRP MAC address, and the switch will report an error
> condition. This will prevent successful communications.
>
> Your best bet is to specify only the MAC addresses of the two HSRP routers
> statically on the appropriate switch ports and set the maximum number of
> MAC addresses to two, which will cause the switch to learn the HSRP MAC
> address dynamically. Do not associate the HSRP MAC address statically with
> any port on the switch. Then you can reduce the port-security MAC address
> time-out period to the minimum, and also reduce the time-out of the switch's
> global MAC address table to an equivalent value for the VLAN connecting the
> HSRP routers. This is all you need to do.
>
> Hope that this has been informative to you. I am at your disposal.
>
>
> On 6/28/06, Popgeorgiev Nikolay <nikolay.popgeorgiev@siemens.com> wrote:
> >
> > Hello group,
> >
> >
> > I know that this topic has been discussed a lot. I have already read all
> > posts about this topic and there is still no clear answer to the simple
> > question:
> >
> >
> > How to use port-security together with HSRP without using USE-BIA.
> >
> > There were some answers to the question which advise allowing two MAC
> > addresses on the switch instead of one and writing both the interface and
> > the virtual MAC address of the routers, but the switch says that the same
> > MAC address is already being used. And this is absolutely normal. So this
> > is not an option.
> >
> > What about using this kind of solution?
> >
> >
> >
> > R1
> > interface FastEthernet0/0
> > ip address 1.1.1.10 255.255.255.0
> > standby 1 ip 1.1.1.1
> > standby 1 priority 120
> > standby 1 preempt
> > standby 1 mac-address 4000.1000.1061
> >
> >
> > R2
> > interface FastEthernet0/0
> > ip address 1.1.1.20 255.255.255.0
> > duplex auto
> > speed auto
> > standby 1 ip 1.1.1.1
> > standby 1 preempt
> > standby 1 mac-address 4000.1000.1060
> >
> > SW
> > interface FastEthernet0/2
> > switchport access vlan 101
> > switchport mode access
> > switchport port-security maximum 2
> > switchport port-security
> > switchport port-security violation restrict
> > switchport port-security mac-address sticky
> > switchport port-security mac-address sticky 0016.c876.44e8
> > switchport port-security mac-address sticky 4000.1000.1060
> > !
> > interface FastEthernet0/5
> > switchport access vlan 101
> > switchport mode access
> > switchport port-security maximum 2
> > switchport port-security
> > switchport port-security violation restrict
> > switchport port-security mac-address sticky
> > switchport port-security mac-address sticky 0016.c876.6200
> > switchport port-security mac-address sticky 4000.1000.1061
> >
> >
> > Please, guys, tell me what you think.
> >
> >
> > Best,
> > Nick
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>

-- 
Petr Lapukhov, CCIE #16379
petr@internetworkexpert.com

Internetwork Expert, Inc. http://www.InternetworkExpert.com Toll Free: 877-224-8987 Outside US: 775-826-4344
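A small model of the port-security behaviour the two replies above describe, added here as an example and not part of the thread: it replays the T1/T2 failover from Mienbaikebi's reply against the port settings in Nick's config (maximum 2, violation restrict, the routers' own addresses secured, the virtual MAC 4000.1000.1060 learned on the active router's port), once with sticky learning and once with dynamic learning plus the one-minute aging Petr mentions. The model is simplified (one VLAN, absolute aging, one owner per secure MAC) and is not IOS code.

```python
from dataclasses import dataclass, field
# Simplified model of port-security as the thread describes it (written for
# this example, not IOS code): a secure MAC belongs to one port in the VLAN,
# a sticky entry is kept like a static one, a dynamic entry ages out after
# aging_time minutes (absolute aging), and "violation restrict" drops and counts.
VMAC = "4000.1000.1060"                      # HSRP virtual MAC from the thread

@dataclass
class SecurePort:
    name: str
    maximum: int = 1
    sticky: bool = False
    aging_time: int = 0                      # minutes; 0 = secure entries never age
    secure: dict = field(default_factory=dict)   # mac -> (kind, learned_at)
    violations: int = 0

class Switch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}

    def _age_out(self, now):
        for p in self.ports.values():
            for mac, (kind, t) in list(p.secure.items()):
                if kind == "dynamic" and p.aging_time and now - t >= p.aging_time:
                    del p.secure[mac]

    def owner(self, mac):
        return next((n for n, p in self.ports.items() if mac in p.secure), None)

    def receive(self, port_name, src_mac, now):
        """What port-security does with a frame from src_mac: 'forward' or 'restrict'."""
        self._age_out(now)
        port = self.ports[port_name]
        if self.owner(src_mac) == port_name:
            return "forward"
        if self.owner(src_mac) is not None or len(port.secure) >= port.maximum:
            port.violations += 1             # secured on another port, or port is full
            return "restrict"
        port.secure[src_mac] = ("sticky" if port.sticky else "dynamic", now)
        return "forward"

def hsrp_failover(sticky, aging_time, failover_at):
    """Router A on Fa0/2 is active at T1 = 0; Router B on Fa0/5 takes over at T2."""
    ports = [SecurePort(n, maximum=2, sticky=sticky, aging_time=aging_time)
             for n in ("Fa0/2", "Fa0/5")]
    ports[0].secure["0016.c876.44e8"] = ("static", 0)   # Router A's own address
    ports[1].secure["0016.c876.6200"] = ("static", 0)   # Router B's own address
    sw = Switch(ports)
    sw.receive("Fa0/2", VMAC, now=0)         # T1: virtual MAC learned on Router A's port
    return sw.receive("Fa0/5", VMAC, now=failover_at)   # T2: same MAC from Router B
```

With sticky learning the virtual MAC stays tied to Fa0/2 and Router B's frames are restricted indefinitely; with dynamic learning the same frames are still restricted until the aging timer (at least one minute) expires, which is the gap Petr points out.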



This archive was generated by hypermail 2.1.4 : Sat Jul 01 2006 - 07:57:33 ART